Analysis
- max time kernel: 149s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 30-01-2024 05:15
Static task: static1
Behavioral task: behavioral1
Sample: 818f6364c18d61853f5e7875c46b41b7.dll
Resource: win7-20231129-en
General
- Target: 818f6364c18d61853f5e7875c46b41b7.dll
- Size: 2.2MB
- MD5: 818f6364c18d61853f5e7875c46b41b7
- SHA1: 0996afc6bdf46c9714f85894e9501c31573d80d0
- SHA256: 354581ef623c4841ef267fae935ea55b0aa622c1de1aec7c31d3fbfe05005e00
- SHA512: 4d4c4029cc74ea98745a605b7e1bd0cf5cc5aa05c77bb9ec6ff71a01797a5347cc7be07ab2c414e4c23128655f4eb4f30e80d76520e189e359487e30380a5866
- SSDEEP: 12288:DVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:SfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
- YARA rule match in process memory
Processes:
  resource:  behavioral1/memory/1348-5-0x0000000002E40000-0x0000000002E41000-memory.dmp
  yara_rule: dridex_stager_shellcode
- Executes dropped EXE (3 IoCs)
Processes:
  pid   process
  2416  PresentationSettings.exe
  2720  vmicsvc.exe
  1524  javaws.exe
- Loads dropped DLL (7 IoCs)
Processes:
  pid   process
  1348  (process name not recorded in report)
  2416  PresentationSettings.exe
  1348  (process name not recorded in report)
  2720  vmicsvc.exe
  1348  (process name not recorded in report)
  1524  javaws.exe
  1348  (process name not recorded in report)
- Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mjgqrtoi = "C:\\Users\\Admin\\AppData\\Roaming\\MACROM~1\\FLASHP~1\\#SHARE~1\\EYSJKQKJ\\SbtN6Xl\\vmicsvc.exe"
  process: (not recorded in report)
- Checks whether UAC is enabled
Processes:
  description         ioc                                                                                    process
  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   rundll32.exe
  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   PresentationSettings.exe
  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   vmicsvc.exe
  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   javaws.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
  pid   process
  2380  rundll32.exe (3 entries)
  1348  (process name not recorded in report; all remaining entries)
- Suspicious use of WriteProcessMemory (18 IoCs)
Processes:
  description                        pid   process   target process
  PID 1348 wrote to memory of 2524   1348            PresentationSettings.exe   (3 entries)
  PID 1348 wrote to memory of 2416   1348            PresentationSettings.exe   (3 entries)
  PID 1348 wrote to memory of 640    1348            vmicsvc.exe                (3 entries)
  PID 1348 wrote to memory of 2720   1348            vmicsvc.exe                (3 entries)
  PID 1348 wrote to memory of 1620   1348            javaws.exe                 (3 entries)
  PID 1348 wrote to memory of 1524   1348            javaws.exe                 (3 entries)
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\818f6364c18d61853f5e7875c46b41b7.dll,#1
  PID: 2380
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\PresentationSettings.exe
  Command line: C:\Windows\system32\PresentationSettings.exe
  PID: 2524
- C:\Users\Admin\AppData\Local\zEey2an\PresentationSettings.exe
  Command line: C:\Users\Admin\AppData\Local\zEey2an\PresentationSettings.exe
  PID: 2416
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Users\Admin\AppData\Local\IDn\vmicsvc.exe
  Command line: C:\Users\Admin\AppData\Local\IDn\vmicsvc.exe
  PID: 2720
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\vmicsvc.exe
  Command line: C:\Windows\system32\vmicsvc.exe
  PID: 640
- C:\Windows\system32\javaws.exe
  Command line: C:\Windows\system32\javaws.exe
  PID: 1620
- C:\Users\Admin\AppData\Local\bJLGHX8B\javaws.exe
  Command line: C:\Users\Admin\AppData\Local\bJLGHX8B\javaws.exe
  PID: 1524
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 111KB
  MD5: b70921fd96675c8628f7fa935ea4386e
  SHA1: a6bec6a71137e5fb6b5164b2a16c43976e575520
  SHA256: 7e55b7699588257e3f4bc1d346f184c1257a643b113d2cf0b1447c8cc7730ec3
  SHA512: 80b57d911f1342fb730e614bdfc0dd9063c227209cbcf43a51881c194b5d8948409174559bc9c09e03fe569fdb03e54420c2d0154d1fe27c8c1854b3cae8bab8
- Filesize: 124KB
  MD5: ee32b0796020e4557c99e1f4cc5f67b4
  SHA1: 27d3058bfa19d7f367cb0ca4254d8fd32aefbf0f
  SHA256: 392073a784de91d6c687706287b5f679764ec87440248160fe6b6413efaec4f0
  SHA512: 624b14381fc919580744e74fe5c855c70033712d98f68f7b99fab9d1ca9e51698b947d19fe9bfb4e3d74766c9d0cc1b8f5cbbc2779d178fd3ce01b52b99077f4
- Filesize: 77KB
  MD5: 69423b3d5c58c30fb49ccd2e58ce20eb
  SHA1: bb990c90c87f67047888f74b3c86b5148450b79b
  SHA256: 6741607482ae7b057679b3f6eebd44ce9d06b72f78724c942c85a147abb88add
  SHA512: 38d775f7f9c67f88ab5fb9b85278e0f3e751e346567ad9ac9b71f443e1ae6843ec96f0f45896e1f2f30744fa40507c73b46c74a7cf8232b481dd5f5a91b410c3
- Filesize: 68KB
  MD5: d60d2dbd2f9c5d505d0e1049d9dacf14
  SHA1: fed505730558f9e3d0d023dcd098cfec3a775dc8
  SHA256: 29c32072c11b2df0298332eff50cf141416a35d136cc0ab0a8598616f28def27
  SHA512: b90e1ab9aad3a07a970c4a637ca306ac426f44cd63e6565d44810e1577f7b8b380439c018784216a6f4ea7a0e4f86c95d16f544eebc95857d3f0cd8184f27e01
- Filesize: 146KB
  MD5: 463ba46e391828dbcdbb542438f8b909
  SHA1: 5dd685e9c2b2c64db447a8cd2066368695609752
  SHA256: 3e0aec56c449407530759b86c55a8ab9a73c87324909ed0d6a856f14dadc3393
  SHA512: 6c1e956d6dc24eec6cbad8d2c524b133111bc0c20a49cd47737985a81a8d87d91e6eba684d975bdca91cc2eb424bdfc4858643f174413967e1246cb977af2f24
- Filesize: 153KB
  MD5: 100835591a336be6a9d1728a71763821
  SHA1: cc71d367fad4a351d2650e1ab0113b96857a7c03
  SHA256: 8870f5a0b2e4a4969874a17a36be07343373b7504fee306b43d967cd7da10414
  SHA512: 8a9e0da69bbcb15f76c4746dcfa339c89813114b5ef73e97521f3a915270b36ad7536458c3ffeea1efe5884504d6f3c72abc03b83d9d6c3189d3df376f2d1a6b
- Filesize: 172KB
  MD5: a6f8d318f6041334889481b472000081
  SHA1: b8cf08ec17b30c8811f2514246fcdff62731dd58
  SHA256: 208b94fd66a6ce266c3195f87029a41a0622fff47f2a5112552cb087adbb1258
  SHA512: 60f70fa8a19e6ea6f08f4907dd7fede3665ad3f2e013d49f6649442ea5871a967b9a53ec4d3328a06cb83b69be1b7af1bb14bf122b568bd1f8432ee1d0bfee69
- Filesize: 64KB
  MD5: 32f2035674b7d17ff1b7a7fcd6ab20d1
  SHA1: 5744604e4edb72c0070edf89c58eadfdd44db347
  SHA256: a81c646b892cc845e5d9e7ecd9546513df8b3edd406481892121f712bc689f12
  SHA512: 164addc49fdb1a9046931d176535e12dd6ba3e60f98e8b0a182690f41f16aeb0f426bc8e067ec60b5f95c3138bf2a8e2bb6522d3c1d3446f948378eda6fb26e1
- Filesize: 182KB
  MD5: a4ff18c9c99cf7800ea520b8f80c2157
  SHA1: eca83f3e80eb4d43bd524dc414b7b01f99501ac4
  SHA256: 39fa28f3860b4c25c2d024b0610005dc14ff9b14c983fb6f9f873b2cca2bbf5a
  SHA512: 4ccb1fe3889863eb2e251f7fb503beffe7cea148c745b1a1f3e9e7186ebb62722a9fde921d85d284df9b573c54990e230a621cf9ced0b4b2f03933d5a708cc98
- Filesize: 2.2MB
  MD5: 6848563d823a5d6fb37067326d1bd7a3
  SHA1: 5edefd7ddc485cef1deec8851dbb43603831c95f
  SHA256: 222363cc04296e2e981ff247c9b55feb7df51a9dbcbb34df2cdd6026faf9ed9b
  SHA512: 7734e25d6982a69e713d0acc6522f5e9425060ad3ab27323067ed38b23289a5d45c09cb33d9e8aabe762f9de11ed8d8f97bae907bb9fda406666db74810c8afd
- Filesize: 1KB
  MD5: e56c8071a970ce5cb6be1efe5e0b77ef
  SHA1: 06f0b93948447350a98539439c8eacfe868f783f
  SHA256: d329794f7cfd365772458b9e30e4d662d3008de03ace29fc1be5759dd7fe7c1f
  SHA512: 823b62d8384f8401077897c785436793a6bd9ca1d064ff07772fe979ef6bc7904bd10cfc901322c4774ed2ec0cc58748de02469eb76c95eb7c2f37765b031533
- Filesize: 2.2MB
  MD5: 49fdd74456889c3ddda8b496524f3d46
  SHA1: b64c2f75b263514bfe6797506baa435430cb2d27
  SHA256: afa34d321e8a4126054f126d9ed439f929d3a290fe4a2c4c51f78710ace8eaa9
  SHA512: a53afa28240b77f2f78bd5c71c3cbe37acf4539b7265d65dad36e641de9b69fda27c1729a6f2ff7800b10591f51e21d2d0a62e25a370822350a970bc5f3613e8
- Filesize: 2.2MB
  MD5: 27c326f08a78c8f97f48b1cab0e02cdd
  SHA1: 78558f3b9d5b34bcd42710604f1e7feb42525af3
  SHA256: 638208e5954cce59030067c9b922ab85fda5a39438d720f91a7c3e9f1e621cef
  SHA512: 69767378114edc427f686ca90c6a1dc1851f43dcffe67f9228fa49ac0621fc366e610f2a0f4b65b0764c468dd95fbbd53600322ec9c3f00f0defa94725828cc4
- Filesize: 80KB
  MD5: ec6f33dc086ada6f9a477f3988fa786b
  SHA1: e0cd94a71f5b33c3342a532ce0e1ffcf576ed425
  SHA256: 7125df48c10669714a6ffc5da7a98cf31c000d0b41bd1b369f22ef9dd6fcccec
  SHA512: ff25777a670b955fa14b24d4588956343e8a8dc3d22bfb2c00d0fddf6944e7870c36f9ad5b77ff5dc5ce3f007e23bc645c80b72d04f140f62e93820fa2d32800
- Filesize: 66KB
  MD5: 5756cda0f93bc8f707745aaec32a1826
  SHA1: bb7b507fe43bfb68b3e6306f44f0fbe47f68e341
  SHA256: 6fcf27fdb4aedb24553b55fec8f949d73969ba130e3223c9ce9c20a0e7a0ba64
  SHA512: 03a107b60812e5cc731180dfe07b4d119a796fed96ee85a072ca7cb14d29798ac70391b8d75da9ccac238682006acf39a73cdfeaa8bba4f9c28fd0c12868b3eb
- Filesize: 24KB
  MD5: 85aef3c0287d44f28406684d5a7d1271
  SHA1: eafa51c5d2a5d549b792ea45d1059ee012756844
  SHA256: 315f9a39ff4651346a50ef4e5f82a2cbc73e130271f023139f17f6e01485699d
  SHA512: 38f51181b559c3f73e9ce9959d6372668a663003f914bd73f6e0232be8912f83707efa9843d433877d5bb058ae4c7e2440efaf8c50c78151d3b9fa52cb52d4a2
- Filesize: 24KB
  MD5: b38b4485e202acdb263e8ad7aa0760a9
  SHA1: 17255abbcc2cc4486a0499ee24b88855f4017116
  SHA256: dcc7ba71d7d0bbd1785713c3bfac7291c4eadf063067475af3cb60ce51fbfb98
  SHA512: daf9f0a85f9601fefea1450181d9a380fbb8be07a3d3f29a1658e81c6fab48cc716089d30c5d09f4b155d045e64c1f3864e9f8a6100da48c68817bfe196014c5
- Filesize: 177KB
  MD5: d3ff5172c1b1939c4c5b5f8afc9d5fa3
  SHA1: 9eff15e815a238d621aa3adcf7211f15a5536cda
  SHA256: d0ef50d238627b66b7c47a51a3a673c5825a30c13f837de594cc64e5214507f5
  SHA512: 5d43856dadf30945cb46eb3c604123ab36aee547f2033c097c2a61bfa18083a16637d8002373dcb1727b58cef05e328d3f9b1f93aa646388d72a741038a711f9
- Filesize: 109KB
  MD5: 3934d42bd7446ac123a1bd9f615a7cf7
  SHA1: 1a22309b2e06d7ecb0a3c80f5d08e21a1b9d7cea
  SHA256: 7e928f5cd61a31f125f555c35a1953ce63e0acc91c45fc7f797c75b66837e071
  SHA512: f7a460f5222f5f513c5976aa8cdd569bc5933ccd80e6b6cfce715cd3bdab63dfc085d4bb1034ffce88f0a9474245ffdf68b7bfec54164fa1e7182663048cad71