Analysis
- max time kernel: 150s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 28-01-2024 07:43

Static task: static1
Behavioral task: behavioral1
Sample: 7c8beaa0420a5e1596bd7da96586b811.dll
Resource: win7-20231129-en
General
- Target: 7c8beaa0420a5e1596bd7da96586b811.dll
- Size: 2.1MB
- MD5: 7c8beaa0420a5e1596bd7da96586b811
- SHA1: ba39edf8926c0666f12d85ae5cb2dbb4c507bd02
- SHA256: 0f35ac401b512fd1dfd8434325a834942af1b28bd25d7b39dc76e457569cb08d
- SHA512: ad8ebf3f33240e18c5be247bfcc65d59ca2e46528a66dcd2e768d474c9c2eabe2932b7583c306c75e63cd3ed89aab2bcdd579f89bc5d21ca38b44fc9b94a9799
- SSDEEP: 12288:OVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:TfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
- Processes:
  resource:  behavioral1/memory/1380-5-0x0000000002490000-0x0000000002491000-memory.dmp
  yara_rule: dridex_stager_shellcode
Executes dropped EXE 3 IoCs
Processes:
  pid   process
  1104  StikyNot.exe
  1980  perfmon.exe
  1856  perfmon.exe
Loads dropped DLL 7 IoCs
Processes:
  pid   process
  1380
  1104  StikyNot.exe
  1380
  1980  perfmon.exe
  1380
  1856  perfmon.exe
  1380
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  description: Set value (str)
  ioc:         \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Groztcac = "C:\\Users\\Admin\\AppData\\Roaming\\Identities\\ej9EYyKTGU\\perfmon.exe"
  process:     (empty in report)
Checks whether UAC is enabled
Processes:
  description        ioc                                                                                 process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  StikyNot.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  perfmon.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  perfmon.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
  pid   process
  3028  rundll32.exe   (3 entries)
  1380                 (61 entries, process name not recorded)
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
  description                         pid   process   target process   count
  PID 1380 wrote to memory of 2964    1380            StikyNot.exe     3
  PID 1380 wrote to memory of 1104    1380            StikyNot.exe     3
  PID 1380 wrote to memory of 1608    1380            perfmon.exe      3
  PID 1380 wrote to memory of 1980    1380            perfmon.exe      3
  PID 1380 wrote to memory of 2456    1380            perfmon.exe      3
  PID 1380 wrote to memory of 1856    1380            perfmon.exe      3
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\7c8beaa0420a5e1596bd7da96586b811.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID: 3028
- C:\Windows\system32\StikyNot.exe
  command line: C:\Windows\system32\StikyNot.exe
  PID: 2964
- C:\Users\Admin\AppData\Local\95PM4dzT\StikyNot.exe
  command line: C:\Users\Admin\AppData\Local\95PM4dzT\StikyNot.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 1104
- C:\Users\Admin\AppData\Local\Zt4HpEcKD\perfmon.exe
  command line: C:\Users\Admin\AppData\Local\Zt4HpEcKD\perfmon.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 1980
- C:\Windows\system32\perfmon.exe
  command line: C:\Windows\system32\perfmon.exe
  PID: 1608
- C:\Users\Admin\AppData\Local\bHD5Y\perfmon.exe
  command line: C:\Users\Admin\AppData\Local\bHD5Y\perfmon.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 1856
- C:\Windows\system32\perfmon.exe
  command line: C:\Windows\system32\perfmon.exe
  PID: 2456
Network
MITRE ATT&CK Enterprise v15
Downloads