Analysis
- Max time kernel: 150s
- Max time network: 120s
- Platform: windows7_x64
- Resource: win7-20231129-en
- Resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- Submitted: 01-02-2024 09:36
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 868df0fad643001bb45bb8b38cfd7ec2.dll
  - Resource: win7-20231129-en
General
- Target: 868df0fad643001bb45bb8b38cfd7ec2.dll
- Size: 2.2MB
- MD5: 868df0fad643001bb45bb8b38cfd7ec2
- SHA1: 3d4d21cfb078c2c8eed5adcef1a16b919f2e3b5b
- SHA256: 35a57a2f4ae0a954f51d0b5da7bbebd60fbd047b7d9dc92da62bc442eb26429e
- SHA512: 58e116d1627baf816257f2eaddcb01617b2d540b310bd3b9f0a34798bf78dd5631b873ad783bb50fb7f76f573c272445f938aeb9ba171f540c69c92cdb4c3f1d
- SSDEEP: 12288:7VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:afP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config

Signatures

Processes (resource, yara_rule):
- behavioral1/memory/1340-5-0x0000000002D20000-0x0000000002D21000-memory.dmp: dridex_stager_shellcode
Executes dropped EXE 3 IoCs
Processes (pid, process):
- 2752 WindowsAnytimeUpgradeResults.exe
- 2440 DisplaySwitch.exe
- 1532 ComputerDefaults.exe
Loads dropped DLL 7 IoCs
Processes (pid, process):
- 1340 (process name not recorded)
- 2752 WindowsAnytimeUpgradeResults.exe
- 1340 (process name not recorded)
- 2440 DisplaySwitch.exe
- 1340 (process name not recorded)
- 1532 ComputerDefaults.exe
- 1340 (process name not recorded)
Adds Run key to start application 2 TTPs 1 IoCs
Processes (description, ioc, process):
- Set value (str): \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Groztcac = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\IECompatUACache\\Low\\HOK47D\\DisplaySwitch.exe" (process name not recorded)
Checks whether UAC is enabled
Processes (description, ioc, process):
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (rundll32.exe)
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (WindowsAnytimeUpgradeResults.exe)
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (DisplaySwitch.exe)
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (ComputerDefaults.exe)
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (pid, process):
- 2372 rundll32.exe
- 2372 rundll32.exe
- 2372 rundll32.exe
- 1340 (process name not recorded; the remaining 61 entries all carry this PID)
Suspicious use of WriteProcessMemory 18 IoCs
Processes (description, pid, process, target process):
- PID 1340 wrote to memory of 2540 (pid 1340; target process WindowsAnytimeUpgradeResults.exe)
- PID 1340 wrote to memory of 2540 (pid 1340; target process WindowsAnytimeUpgradeResults.exe)
- PID 1340 wrote to memory of 2540 (pid 1340; target process WindowsAnytimeUpgradeResults.exe)
- PID 1340 wrote to memory of 2752 (pid 1340; target process WindowsAnytimeUpgradeResults.exe)
- PID 1340 wrote to memory of 2752 (pid 1340; target process WindowsAnytimeUpgradeResults.exe)
- PID 1340 wrote to memory of 2752 (pid 1340; target process WindowsAnytimeUpgradeResults.exe)
- PID 1340 wrote to memory of 2804 (pid 1340; target process DisplaySwitch.exe)
- PID 1340 wrote to memory of 2804 (pid 1340; target process DisplaySwitch.exe)
- PID 1340 wrote to memory of 2804 (pid 1340; target process DisplaySwitch.exe)
- PID 1340 wrote to memory of 2440 (pid 1340; target process DisplaySwitch.exe)
- PID 1340 wrote to memory of 2440 (pid 1340; target process DisplaySwitch.exe)
- PID 1340 wrote to memory of 2440 (pid 1340; target process DisplaySwitch.exe)
- PID 1340 wrote to memory of 1640 (pid 1340; target process ComputerDefaults.exe)
- PID 1340 wrote to memory of 1640 (pid 1340; target process ComputerDefaults.exe)
- PID 1340 wrote to memory of 1640 (pid 1340; target process ComputerDefaults.exe)
- PID 1340 wrote to memory of 1532 (pid 1340; target process ComputerDefaults.exe)
- PID 1340 wrote to memory of 1532 (pid 1340; target process ComputerDefaults.exe)
- PID 1340 wrote to memory of 1532 (pid 1340; target process ComputerDefaults.exe)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\868df0fad643001bb45bb8b38cfd7ec2.dll,#1
  PID: 2372
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
- C:\Users\Admin\AppData\Local\DnWGgH\WindowsAnytimeUpgradeResults.exe
  Command line: C:\Users\Admin\AppData\Local\DnWGgH\WindowsAnytimeUpgradeResults.exe
  PID: 2752
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\WindowsAnytimeUpgradeResults.exe
  Command line: C:\Windows\system32\WindowsAnytimeUpgradeResults.exe
  PID: 2540
- C:\Users\Admin\AppData\Local\3clGYl7X\DisplaySwitch.exe
  Command line: C:\Users\Admin\AppData\Local\3clGYl7X\DisplaySwitch.exe
  PID: 2440
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\DisplaySwitch.exe
  Command line: C:\Windows\system32\DisplaySwitch.exe
  PID: 2804
- C:\Users\Admin\AppData\Local\4Jv\ComputerDefaults.exe
  Command line: C:\Users\Admin\AppData\Local\4Jv\ComputerDefaults.exe
  PID: 1532
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\ComputerDefaults.exe
  Command line: C:\Windows\system32\ComputerDefaults.exe
  PID: 1640
Network
MITRE ATT&CK Enterprise v15
Downloads