Analysis
max time kernel: 149s
max time network: 121s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 31-01-2024 12:09
Static task: static1
Behavioral task: behavioral1
Sample: 8460ca6c008df062af50bb935cad86e0.dll
Resource: win7-20231215-en
General
Target: 8460ca6c008df062af50bb935cad86e0.dll
Size: 2.7MB
MD5: 8460ca6c008df062af50bb935cad86e0
SHA1: c7d9a2b3fa86c6f68c1afda5ebcd80fbb52fc42b
SHA256: b656eba38e60d3e5cf61d0f7ee76348ec9053509d5c3fe2c3256eee34993cccd
SHA512: 40ce6d2e128b77057347d484a3549c06441fb132a837956c412efe90e39e4314eaaaf8b7de092acb7d6ffc5ae2e5886016b956ca29c8607b6dbb8665adb92a38
SSDEEP: 12288:4VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:tfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
Yara rule match: dridex_stager_shellcode 1 IoCs
Processes:
resource: behavioral1/memory/1140-5-0x00000000025B0000-0x00000000025B1000-memory.dmp, yara_rule: dridex_stager_shellcode
Executes dropped EXE 3 IoCs
Processes:
pid 2892 wisptis.exe
pid 320 SystemPropertiesComputerName.exe
pid 2800 SystemPropertiesProtection.exe
Loads dropped DLL 7 IoCs
Processes:
pid 1140
pid 2892 wisptis.exe
pid 1140
pid 320 SystemPropertiesComputerName.exe
pid 1140
pid 2800 SystemPropertiesProtection.exe
pid 1140
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
Set value (str): \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rtxtioiynm = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\FLASHP~1\\NATIVE~1\\0IDhvPYU\\SYSTEM~1.EXE"
Checks whether UAC is enabled 4 IoCs
Processes:
Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA by SystemPropertiesProtection.exe
Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA by rundll32.exe
Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA by wisptis.exe
Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA by SystemPropertiesComputerName.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid 2432 rundll32.exe (3 entries)
pid 1140, no process name recorded (61 entries)
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
PID 1140 wrote to memory of 2912, target process wisptis.exe (3 entries)
PID 1140 wrote to memory of 2892, target process wisptis.exe (3 entries)
PID 1140 wrote to memory of 1004, target process SystemPropertiesComputerName.exe (3 entries)
PID 1140 wrote to memory of 320, target process SystemPropertiesComputerName.exe (3 entries)
PID 1140 wrote to memory of 2796, target process SystemPropertiesProtection.exe (3 entries)
PID 1140 wrote to memory of 2800, target process SystemPropertiesProtection.exe (3 entries)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Windows\system32\rundll32.exe
  command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\8460ca6c008df062af50bb935cad86e0.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID: 2432
C:\Windows\system32\wisptis.exe
  command: C:\Windows\system32\wisptis.exe
  PID: 2912
C:\Users\Admin\AppData\Local\00G\wisptis.exe
  command: C:\Users\Admin\AppData\Local\00G\wisptis.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 2892
C:\Windows\system32\SystemPropertiesComputerName.exe
  command: C:\Windows\system32\SystemPropertiesComputerName.exe
  PID: 1004
C:\Users\Admin\AppData\Local\SEIo\SystemPropertiesComputerName.exe
  command: C:\Users\Admin\AppData\Local\SEIo\SystemPropertiesComputerName.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 320
C:\Windows\system32\SystemPropertiesProtection.exe
  command: C:\Windows\system32\SystemPropertiesProtection.exe
  PID: 2796
C:\Users\Admin\AppData\Local\rnik5\SystemPropertiesProtection.exe
  command: C:\Users\Admin\AppData\Local\rnik5\SystemPropertiesProtection.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 2800
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Roaming\Adobe\Flash Player\NativeCache\0IDhvPYU\SystemPropertiesComputerName.exe
Filesize: 45KB