Analysis
- max time kernel: 150s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 01-02-2024 04:04
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 85e07e2192815cfa564f16edf062c8af.dll
  - Resource: win7-20231215-en
General
- Target: 85e07e2192815cfa564f16edf062c8af.dll
- Size: 2.2MB
- MD5: 85e07e2192815cfa564f16edf062c8af
- SHA1: 843a10890c2c0c2df9d3bf43de2334cf020726d9
- SHA256: 04952d47ce4e62e8f4c7917d557ae78e8d6944b20d050e33444f5dfae68e784c
- SHA512: 45e193918f286b142000ca3a66afbc204262c0d03b88f5e54bf991aa8a5addb15e762a6dfaf9a1ace4ea0ede4a9afdb7297f894d9aa6e2d64f2ae106f21a5396
- SSDEEP: 12288:iVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1oeGf:/fP7fWsK5z9A+WGAW+V5SB6Ct4bnbod
Malware Config
Signatures
- Yara rule match
  resource: behavioral1/memory/1384-5-0x00000000025F0000-0x00000000025F1000-memory.dmp
  yara_rule: dridex_stager_shellcode
- Executes dropped EXE 3 IoCs
  pid   process
  2484  WindowsAnytimeUpgradeResults.exe
  1276  sethc.exe
  2640  dwm.exe
- Loads dropped DLL 7 IoCs
  pid   process
  1384  (image name not reported)
  2484  WindowsAnytimeUpgradeResults.exe
  1384  (image name not reported)
  1276  sethc.exe
  1384  (image name not reported)
  2640  dwm.exe
  1384  (image name not reported)
- Adds Run key to start application 2 TTPs 1 IoCs
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\Zqonzshwxyr = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\2NW\\sethc.exe"
  process: (not reported)
- Checks whether UAC is enabled 4 IoCs
  description: Key value queried
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  processes: rundll32.exe, WindowsAnytimeUpgradeResults.exe, sethc.exe, dwm.exe (one entry each)
- Suspicious behavior: EnumeratesProcesses 64 IoCs
  pid   process
  1888  rundll32.exe (3 entries)
  1384  (image name not reported; the remaining 61 entries)
- Suspicious use of WriteProcessMemory 18 IoCs
  description                        pid   process                     target process
  PID 1384 wrote to memory of 2468   1384  (image name not reported)   WindowsAnytimeUpgradeResults.exe (3 entries)
  PID 1384 wrote to memory of 2484   1384  (image name not reported)   WindowsAnytimeUpgradeResults.exe (3 entries)
  PID 1384 wrote to memory of 888    1384  (image name not reported)   sethc.exe (3 entries)
  PID 1384 wrote to memory of 1276   1384  (image name not reported)   sethc.exe (3 entries)
  PID 1384 wrote to memory of 2784   1384  (image name not reported)   dwm.exe (3 entries)
  PID 1384 wrote to memory of 2640   1384  (image name not reported)   dwm.exe (3 entries)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\rundll32.exe (PID 1888)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\85e07e2192815cfa564f16edf062c8af.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\WindowsAnytimeUpgradeResults.exe (PID 2468)
  command line: C:\Windows\system32\WindowsAnytimeUpgradeResults.exe
- C:\Users\Admin\AppData\Local\jAmCYAP\WindowsAnytimeUpgradeResults.exe (PID 2484)
  command line: C:\Users\Admin\AppData\Local\jAmCYAP\WindowsAnytimeUpgradeResults.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\sethc.exe (PID 888)
  command line: C:\Windows\system32\sethc.exe
- C:\Users\Admin\AppData\Local\4tE\sethc.exe (PID 1276)
  command line: C:\Users\Admin\AppData\Local\4tE\sethc.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\dwm.exe (PID 2784)
  command line: C:\Windows\system32\dwm.exe
- C:\Users\Admin\AppData\Local\cBKyOYRb\dwm.exe (PID 2640)
  command line: C:\Users\Admin\AppData\Local\cBKyOYRb\dwm.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
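The process list above is the loader pattern this sample uses: for each of WindowsAnytimeUpgradeResults.exe, sethc.exe and dwm.exe, the genuine copy is started from System32 (PIDs 2468, 888, 2784), then a second copy of the same binary is started from a freshly created directory under AppData\Local (jAmCYAP, 4tE, cBKyOYRb), and it is those relocated copies that carry the "Loads dropped DLL" hits, which is the classic DLL side-loading setup. The Run value persists yet another copy of sethc.exe under the user's Start Menu\Programs tree, written with 8.3 short names (MICROS~1 and STARTM~1 for Microsoft and Start Menu). Note that PID 1384, the process whose memory matched dridex_stager_shellcode and which wrote into every spawned process, is never named in this report, so a detection cannot key on its image. The following is an added detection example, not part of the report or of any sandbox product. It runs over constructed process-creation and registry events modelled on this report's process tree (not a capture from the sandbox) and flags four signals: a known System32 binary executing outside System32/SysWOW64, rundll32 invoking a DLL by ordinal from a user-writable path, a Run value pointing into AppData or using 8.3 short names, and the same binary name running from both a trusted and an untrusted location. The binary list and path patterns are assumptions to tune for a real environment.

```python
import re
from dataclasses import dataclass

# Windows binaries that ship under %SystemRoot% and have no business running
# from a user profile. The three names are the ones relocated in this report;
# the list is an assumption to extend for a real environment.
SYSTEM_BINARIES = {"sethc.exe", "dwm.exe", "windowsanytimeupgraderesults.exe"}
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\", re.I)
SHORT_NAME = re.compile(r"~\d+(\\|$)")          # 8.3 segment such as MICROS~1
RUNDLL_ORDINAL = re.compile(r"rundll32(?:\.exe)?\s+(?P<dll>\S+\.dll),#\d+", re.I)


@dataclass
class Event:
    kind: str            # "process" or "registry"
    pid: int = 0
    image: str = ""      # process events: full image path
    cmdline: str = ""    # process events: command line
    key: str = ""        # registry events: full value path
    data: str = ""       # registry events: value data


def _basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def check_process(ev):
    """Findings for one process-creation event."""
    findings = []
    path = ev.image.lower()
    name = _basename(path)
    if name in SYSTEM_BINARIES and not path.startswith(TRUSTED_DIRS):
        findings.append(f"pid {ev.pid}: {name} running outside System32: {ev.image}")
    m = RUNDLL_ORDINAL.search(ev.cmdline)
    if m and USER_WRITABLE.match(m.group("dll")):
        findings.append(f"pid {ev.pid}: rundll32 loading {m.group('dll')} by ordinal from a user-writable path")
    return findings


def check_registry(ev):
    """Findings for one registry value-set event under a Run key."""
    data = ev.data.strip('"')
    if "\\currentversion\\run\\" not in ev.key.lower():
        return []
    reasons = []
    if USER_WRITABLE.match(data):
        reasons.append("target under AppData")
    if SHORT_NAME.search(data):
        reasons.append("8.3 short names in path")
    if not reasons:
        return []
    value_name = ev.key.rsplit("\\", 1)[-1]
    return [f"Run value {value_name} -> {data} ({'; '.join(reasons)})"]


def paired_copies(events):
    """Names that run both from a trusted directory and from somewhere else:
    a genuine copy started alongside a relocated copy is the tell for the
    side-loading pattern in this report."""
    seen = {}
    for ev in events:
        if ev.kind == "process":
            path = ev.image.lower()
            seen.setdefault(_basename(path), set()).add(path.startswith(TRUSTED_DIRS))
    return [f"{name}: runs from both trusted and untrusted locations"
            for name, flags in sorted(seen.items()) if flags == {True, False}]


def scan(events):
    findings = []
    for ev in events:
        findings += check_process(ev) if ev.kind == "process" else check_registry(ev)
    return findings + paired_copies(events)


# Constructed events mirroring the process tree and the Run value in this
# report; they are not a capture from the sandbox.
SAMPLE_EVENTS = [
    Event("process", 1888, r"C:\Windows\system32\rundll32.exe",
          r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\85e07e2192815cfa564f16edf062c8af.dll,#1"),
    Event("process", 2468, r"C:\Windows\system32\WindowsAnytimeUpgradeResults.exe"),
    Event("process", 2484, r"C:\Users\Admin\AppData\Local\jAmCYAP\WindowsAnytimeUpgradeResults.exe"),
    Event("process", 888, r"C:\Windows\system32\sethc.exe"),
    Event("process", 1276, r"C:\Users\Admin\AppData\Local\4tE\sethc.exe"),
    Event("process", 2784, r"C:\Windows\system32\dwm.exe"),
    Event("process", 2640, r"C:\Users\Admin\AppData\Local\cBKyOYRb\dwm.exe"),
    Event("registry",
          key=r"\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\Zqonzshwxyr",
          data=r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\2NW\sethc.exe"),
]

if __name__ == "__main__":
    for line in scan(SAMPLE_EVENTS):
        print(line)
```

On the sample events the scan returns eight findings: the ordinal rundll32 load from Temp, the three relocated system binaries, the Run value, and the three binary names seen in both locations. The genuine System32 launches (2468, 888, 2784) produce no finding on their own; they only matter through the pairing check, which is the signal that survives when the attacker picks a binary name not on the static list.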
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2.4MB
  MD5: ef0b0d8f89e64cb40fdb07cf91af0b68
  SHA1: 425bbc2d953396b877e844a92bba76d69ac22d80
  SHA256: 85ffe28aa02a2efe6152c6f7250550a85e15489bd1c8911d73a6490794d40080
  SHA512: 1da1e70132a1a855c008572d3d4365144c4f72361c02559fb99575d3c2a10a959f4fd9481c94394f99570b7619de6875174ecc10c83bfc1e7d6add9a888e5a48
- Filesize: 1.7MB
  MD5: 65f5a84c46844caaad4e7c47e4604d88
  SHA1: 38f9e076103e3f04426948df916481b56c14d303
  SHA256: dbf049d03471c4c8fbf5a7e1de43dc3d49fdc5d2fd7f94e5e69a26c0bf1ae28f
  SHA512: 760ba61764810ee8ba4ffa1f4c62a12f627bff308097727a875bfc36844e536e1cf880c3e137e362e543c3cd7dbf570916000b747ac66c63cc1182ab9b6fbfe0
- Filesize: 2.2MB
  MD5: 4f4e54e8ab625db901bd3df5d887b4f8
  SHA1: 710dd287b638a2dc0a975a7bb5cb5775399fbf08
  SHA256: ec64b706d3bde230d72bffcd868a4d5f2d8a69d2abc4735cd02ff32bf8cd0898
  SHA512: fa71065885cc355b3e45b1f46c23ae5357a36b9c23954896e0fb2077c60a8c82d3895ad7d8f614fde4ff5c22c727b73408e4d551c41d77968578ef14b080b2cc
- Filesize: 1KB
  MD5: ea3b27e3c973ec7af3d79fc4c35e96b9
  SHA1: 61d6c31ab624afe08557896db0f6d288b52bcd18
  SHA256: 231282b607319060bb9d4ad53aa0725a9dcd3cc19e5ad0367ab75696fb93852d
  SHA512: 24e60e84ab935406b14f41ec83b33562c467b065630a32662f3441e6e51a9f398858ab80b93956c0b23910fa25b72144f093966a1753cbf229c42804c0321b8c
- Filesize: 2.2MB
  MD5: 5b21da464ed5994482015690552183ed
  SHA1: f45fb4d0acddac2eaf82482b2361f04b9810f3fe
  SHA256: f1ad5596cbe73c9f8cb93190a79435bf32fa212b11b9f4d41c4c40aad42fa93d
  SHA512: d1367a2aebc7c3aaa81d5e762d6e076d43923cad331dc11d97fb93eb3b058d12e5a9981eda982371ac4112cd871c1e72089bc9db3a3916a13f7f044505ff4e87
- Filesize: 272KB
  MD5: 3bcb70da9b5a2011e01e35ed29a3f3f3
  SHA1: 9daecb1ee5d7cbcf46ee154dd642fcd993723a9b
  SHA256: dd94bf73f0e3652b76cfb774b419ceaa2082bc7f30cc34e28dfa51952fa9ccb5
  SHA512: 69d231132f488fd7033349f232db1207f88f1d5cb84f5422adf0dd5fb7b373dada8fdfac7760b8845e5aab00a7ae56f24d66bbb8aa70c3c8de6ec5c31982b4df
- Filesize: 1.1MB
  MD5: a576490dfd0c9f2b4e21c550c9a2058e
  SHA1: 808c99319e33c295ae72cc5365313a4db91b0a5c
  SHA256: 37a9b11aa8e46214dd67c06a68b673ce161e7601d6c8d6fed02799b75bb552f7
  SHA512: 2bde81d1103a76285701eee281fb892943d9a3103c68b6c79eaecdf9ab72772001541e083638739d1b1c3f5455eb58fcc7519f6f488800b28fb0f43badb76060
- Filesize: 117KB
  MD5: f162d5f5e845b9dc352dd1bad8cef1bc
  SHA1: 35bc294b7e1f062ef5cb5fa1bd3fc942a3e37ae2
  SHA256: 8a7b7528db30ab123b060d8e41954d95913c07bb40cdae32e97f9edb0baf79c7
  SHA512: 7077e800453a4564a24af022636a2f6547bdae2c9c6f4ed080d0c98415ecc4fbf538109cbebd456e321b9b74a00613d647b63998e31925fbd841fc9d4613e851
- Filesize: 288KB
  MD5: 6f3f29905f0ec4ce22c1fd8acbf6c6de
  SHA1: 68bdfefe549dfa6262ad659f1578f3e87d862773
  SHA256: e9c4d718d09a28de8a99386b0dd65429f433837c712314e98ec4f01031af595b
  SHA512: 16a9ad3183d7e11d9f0dd3c79363aa9a7af306f4f35a6f1e0cc1e175ef254e8052ec94dfd600dbe882f9ab41254d482cce9190ab7b0c005a34e46c66e8ff5f9e