Analysis
max time kernel: 150s
max time network: 123s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 02-02-2024 03:10
Static task: static1
Behavioral task: behavioral1
Sample: 88668b1d3f06f675f928f23dd79da143.dll
Resource: win7-20231129-en
General
Target: 88668b1d3f06f675f928f23dd79da143.dll
Size: 2.0MB
MD5: 88668b1d3f06f675f928f23dd79da143
SHA1: c032664de6dc7c1c3380fba695c51cb453ade557
SHA256: b211dfe06a94fe21d84592e03c8f26bc8529eccb6b4ee1bcc7784ffa27f1851a
SHA512: e7a8d2f5d1ba3ffc35ae4da94c25b7b74b80bad5ade5a749b625e3740e246189f482504a04482cd7a35c7d1ca8f30d4f31b989a95a06562dccea6b38f7e018d6
SSDEEP: 24576:qfP7fWsK5z9A+WGAW+V5SB6Ct4bnb+sJS:+DW/e+WG0Vo6CtSn
Malware Config
Signatures
-
YARA rule match 1 IoCs
resource | yara_rule
behavioral1/memory/1204-5-0x0000000002D40000-0x0000000002D41000-memory.dmp | dridex_stager_shellcode
-
Executes dropped EXE 3 IoCs
pid | process
2468 | rstrui.exe
592 | dpnsvr.exe
1112 | mspaint.exe
-
Loads dropped DLL 7 IoCs
pid | process
1204 | (name not recorded)
2468 | rstrui.exe
1204 | (name not recorded)
592 | dpnsvr.exe
1204 | (name not recorded)
1112 | mspaint.exe
1204 | (name not recorded)
-
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Groztcac = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\xyL5TzoK\\dpnsvr.exe" | (name not recorded)
-
Checks whether UAC is enabled 4 IoCs
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rstrui.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | dpnsvr.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | mspaint.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | process | occurrences
2988 | rundll32.exe | 3
1204 | (name not recorded) | 61
-
Suspicious use of WriteProcessMemory 18 IoCs
description | pid | process | target process
PID 1204 wrote to memory of 2704 | 1204 | (name not recorded) | rstrui.exe
PID 1204 wrote to memory of 2468 | 1204 | (name not recorded) | rstrui.exe
PID 1204 wrote to memory of 536 | 1204 | (name not recorded) | dpnsvr.exe
PID 1204 wrote to memory of 592 | 1204 | (name not recorded) | dpnsvr.exe
PID 1204 wrote to memory of 1684 | 1204 | (name not recorded) | mspaint.exe
PID 1204 wrote to memory of 1112 | 1204 | (name not recorded) | mspaint.exe
(each row above is reported three times, 18 IoCs in total)
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(all seven processes are recorded at the top level of the tree; no parent process was captured for any of them)
-
C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\88668b1d3f06f675f928f23dd79da143.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID: 2988
-
C:\Windows\system32\rstrui.exe
  command line: C:\Windows\system32\rstrui.exe
  PID: 2704
-
C:\Users\Admin\AppData\Local\BWL\rstrui.exe
  command line: C:\Users\Admin\AppData\Local\BWL\rstrui.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 2468
-
C:\Users\Admin\AppData\Local\FQceQPXTt\dpnsvr.exe
  command line: C:\Users\Admin\AppData\Local\FQceQPXTt\dpnsvr.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 592
-
C:\Windows\system32\dpnsvr.exe
  command line: C:\Windows\system32\dpnsvr.exe
  PID: 536
-
C:\Users\Admin\AppData\Local\VBKrWt\mspaint.exe
  command line: C:\Users\Admin\AppData\Local\VBKrWt\mspaint.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 1112
-
C:\Windows\system32\mspaint.exe
  command line: C:\Windows\system32\mspaint.exe
  PID: 1684
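The signature tables and the process tree describe one chain from different angles: PID 1204, which never appears in the tree, writes into six processes, three of them copies of Windows binaries (rstrui.exe, dpnsvr.exe, mspaint.exe) running from user-writable AppData directories, and a Run key points at yet another copy of dpnsvr.exe. As an added example that is not part of the sandbox report and not the sample's or the sandbox's code, the Python below rebuilds that picture from the report's own rows: it flags image names that run both from a system directory and from a user-writable copy, turns the WriteProcessMemory rows into an injector graph, notes injectors absent from the tree, and decodes the Run key row. The inputs are transcribed from the tables above; the function names, the SYSTEM_DIRS/USER_WRITABLE heuristic and the output layout are this example's own assumptions, not sandbox fields.

```python
"""Rebuild the injection/side-loading chain from the report's signature rows.

Added example; not code from the sandbox or from the sample. The inputs are
transcribed from the tables and process tree above (constructed input). The
function names, the SYSTEM_DIRS/USER_WRITABLE heuristic and the output layout
are this example's own assumptions, not sandbox fields.
"""
import re
from collections import defaultdict

# pid -> image path, from the Processes tree.
PROCESSES = {
    2988: "C:\\Windows\\system32\\rundll32.exe",
    2704: "C:\\Windows\\system32\\rstrui.exe",
    2468: "C:\\Users\\Admin\\AppData\\Local\\BWL\\rstrui.exe",
    536: "C:\\Windows\\system32\\dpnsvr.exe",
    592: "C:\\Users\\Admin\\AppData\\Local\\FQceQPXTt\\dpnsvr.exe",
    1684: "C:\\Windows\\system32\\mspaint.exe",
    1112: "C:\\Users\\Admin\\AppData\\Local\\VBKrWt\\mspaint.exe",
}
# Rows from "Suspicious use of WriteProcessMemory" (the report repeats each
# pair three times; one repeat is kept here to show that it collapses).
WPM_EVENTS = [
    "PID 1204 wrote to memory of 2704", "PID 1204 wrote to memory of 2704",
    "PID 1204 wrote to memory of 2468", "PID 1204 wrote to memory of 536",
    "PID 1204 wrote to memory of 592", "PID 1204 wrote to memory of 1684",
    "PID 1204 wrote to memory of 1112",
]
# Row from "Adds Run key to start application", verbatim (backslashes doubled
# in the data string exactly as the report prints them).
RUN_KEY_EVENT = (
    r"Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000"
    r"\Software\Microsoft\Windows\CurrentVersion\Run\Groztcac = "
    r'"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\xyL5TzoK\\dpnsvr.exe"'
)

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\")  # heuristic (assumption)
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")
RUN_RE = re.compile(
    r'Set value \(str\) (?P<key>\\REGISTRY\\\S+)\\(?P<name>[^\\\s]+) = "(?P<data>[^"]*)"'
)


def is_system_dir(path):
    return path.lower().startswith(SYSTEM_DIRS)


def is_user_writable(path):
    return path.lower().startswith(USER_WRITABLE)


def sideload_candidates(processes):
    """Image names that run both from a system directory and from a
    user-writable copy; the copy is where a DLL placed beside it gets loaded."""
    by_name = defaultdict(list)
    for pid, path in processes.items():
        by_name[path.rsplit("\\", 1)[-1].lower()].append((pid, path))
    hits = {}
    for name, entries in by_name.items():
        rogue = [(pid, p) for pid, p in entries if is_user_writable(p)]
        if rogue and any(is_system_dir(p) for _, p in entries):
            hits[name] = rogue
    return hits


def injection_graph(events):
    """injector pid -> set of target pids, parsed from WriteProcessMemory rows."""
    graph = defaultdict(set)
    for line in events:
        m = WPM_RE.search(line)
        if m:
            graph[int(m.group(1))].add(int(m.group(2)))
    return dict(graph)


def run_key_target(line):
    """Decode a Run/RunOnce 'Set value' row; None for any other registry row."""
    m = RUN_RE.search(line)
    if not m or not m.group("key").lower().endswith(("\\run", "\\runonce")):
        return None
    sid = re.search(r"\\REGISTRY\\USER\\(S-1-5-[\d-]+)", m.group("key"))
    target = m.group("data").replace("\\\\", "\\")  # undo the doubled backslashes
    return {"sid": sid.group(1) if sid else None, "value": m.group("name"),
            "target": target, "user_writable": is_user_writable(target)}


def triage(processes, wpm_events, run_key_line):
    graph = injection_graph(wpm_events)
    return {
        "sideloaded": sideload_candidates(processes),
        "injected_targets": {p: sorted(t) for p, t in graph.items()},
        # An injector absent from the tree explains why no process has a parent.
        "injectors_not_in_tree": sorted(p for p in graph if p not in processes),
        "persistence": run_key_target(run_key_line),
    }


if __name__ == "__main__":
    for key, value in triage(PROCESSES, WPM_EVENTS, RUN_KEY_EVENT).items():
        print(f"{key}: {value}")
```

Two things the output makes explicit that the flat tables do not: the only link between the seven tree entries is PID 1204, which the sandbox never named, so the WriteProcessMemory rows, not the tree, carry the parentage; and the persistence target (Roaming\Microsoft\xyL5TzoK\dpnsvr.exe) is a different path from the dpnsvr.exe copy that actually ran during the analysis (Local\FQceQPXTt), so a host hunt has to look for both.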
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 220KB
MD5: 1e09c0c799dd0a321fe979ca408430e2
SHA1: f5708194750554e1e7d5ab7ab1b490ff8a4783c2
SHA256: 43880b322735c3da6b9b5af60e7d975f6c50017103c3a4159d94eb53496dd673
SHA512: b4b8e35d2c47cae12d7ea4bdad654ce2743ff0916f2da18fe1f8e129e62c2dda9d98a326db779588a00185ffc56f097e07ffef382f4d6ef5e76c379e0cff2046
-
Filesize: 135KB
MD5: 557efd19c2e8be32e690bf20fb8ac63a
SHA1: 37bd206bc904d6b5d6477ad24a008c92a02f83b1
SHA256: 011ca24aada7252886b8ffd61d772f7dbd2895f04a0474533755d8559d4046bc
SHA512: abfd7cf689502994c90f08a51ddf8b496d1c041e2a6d701d69137685222b7efcee4e99252bcaf8975d1cbbdbc43e3188f670ec03d3ecaff3b1fd756df3a984c6
-
Filesize: 290KB
MD5: 3db5a1eace7f3049ecc49fa64461e254
SHA1: 7dc64e4f75741b93804cbae365e10dc70592c6a9
SHA256: ba8387d4543b8b11e2202919b9608ee614753fe77f967aad9906702841658b49
SHA512: ea81e3233e382f1cf2938785c9ded7c8fbbf11a6a6f5cf4323e3211ae66dad4a2c597cb589ff11f9eae79516043aba77d4b24bfa6eb0aa045d405aabdea4a025
-
Filesize: 104KB
MD5: 7d1977b04f9df052a2125625ad126bfe
SHA1: 9ad54cb94586d6704ea5197948acdbc4959a6c3c
SHA256: 63f7132615149f5a1f3a0f03897c1d657018b5207f445b7f60b474911cfbd044
SHA512: 5987741f50173c1a6abd538fd6167890ec5f44e9da9f52e43891ae1982960390747caa9e29245b2d18ca1a4f5ca22ea30e3fea3d81b0ac615276ae9a4f72a5ae
-
Filesize: 33KB
MD5: 6806b72978f6bd27aef57899be68b93b
SHA1: 713c246d0b0b8dcc298afaed4f62aed82789951c
SHA256: 3485ee4159c5f9e4ed9dd06e668d1e04148154ff40327a9ccb591e8c5a79958c
SHA512: 43c942358b2e949751149ecc4be5ff6cb0634957ff1128ad5e6051e83379fb5643100cae2f6ef3eaf36aff016063c150e93297aa866e780d0e4d51656a251c7b
-
Filesize: 152KB
MD5: fb112038a8d25a8897f1927d919afcd1
SHA1: 0901c07d17f313cfff6d3465750b64caf4133188
SHA256: 17a0285d35685c69943df42a8a2f7a0379639f348e4daa6f5aa2a37271b97d29
SHA512: 9dac478336678468e9c4b62be0edbcedee03971b644f90046e962344bbc577289af0f53532fd6e5d32dd91fe094e4e7e2bd8e640b1c01e8d5759c9ff3453e272
-
Filesize: 69KB
MD5: d113b2f0567c4a2d8ebe710d58972b93
SHA1: 9d37bd4533d36cab5eb5cb415bffa4680496bfe4
SHA256: 4c369609cd0ae2823444194adb977a5047a168117a73ddf9c3e06e2b32b21163
SHA512: c36d3475826875eae9cc19f559f158696507bf113dce78ccd052a334c2c9847397be641d5e9e169dea0aa84c557733c8b9f5fddc3504bc94da986163707ecc08
-
Filesize: 46KB
MD5: f02cc80df38e9c2bd2a807e747c3aeae
SHA1: 8ea4f3ace23eabc113fa060a0f7b94b5b9557205
SHA256: 407894e7425a49d084a8fa65bdbde66d20e649fd7f663353dd489768aa4d1eff
SHA512: 1561c8e1bf1c2e0e7d749d226862803a7c1f11ecac0318b3953126e71bf90576e11d9af31e436ca6e4c652716d134d21e456408ee8b59912d476b4b14e3182ad
-
Filesize: 1KB
MD5: ca8b8c433c5982d9e98f97508d64bd88
SHA1: 6f179c170cdd083677e9424086f1a455850e0d0b
SHA256: 9383a7210fd53d47f475dcd69d9daa7883447e3ee42c0b855406fc3beaec9272
SHA512: a5df6cd9463b2f4000c7aa5b2b63bed02ceb27b8ee9f05d1a79eb6013616e1159cefaff0c4daa4a875fa3297050bbe45186f68f6932d4255b33d5ea63fb4422e
-
Filesize: 78KB
MD5: ac56b0b6c26615b97b5ac05daf6a6a61
SHA1: 0a21621d0ae5a74613988eb977fcb708b8a6690f
SHA256: b1bb424ce28b4b58b17987d8081acda618d3ac795797531eb94b01a16a014b32
SHA512: 2b4635a29a722d9c678dfd4007a5176c2b49a06e86365045a6d21fa56bfc75d6320daf82463471edee97d9d88a779005f8d85770ccf375aca6033fc3b0298de9
-
Path: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\zlGTFd2GI\VERSION.dll
Filesize: 76KB
MD5: 7737d321af612b966c7e05739caf731b
SHA1: 1e219379bc349180b8e0d218dd36337efb4b4f78
SHA256: 282a94dc47bfa2bfdb5e2e42ec1df4bf641f5dd140e73b15a8ea60e9991fd0b1
SHA512: 735747520be333646ad7e3aa4e69eb91d353ec6f1aadeba2b870cc443e39176a8d4c43e673f27ce3f0002791804922b6bdd301021e0f1bdf9318081cb8629452
-
Filesize: 45KB
MD5: dc00b61505503068e952bda32127ba1e
SHA1: dc60475b6e45582ad1ec4a2d3d8bd05c30cc990f
SHA256: 9b1bbeb53dd6ba04494dcb830c5b472a96561520c99e6c1fcb689b1ae4dc55a6
SHA512: 563a841d9d8e0be85e585dfb720b53ee10601ea6566b68e16d9349c305abede92651634012c2ccee38a97658be460d9b81c11db476186d5f929fa1725f0d586b
-
Filesize: 136KB
MD5: 0cb5abfe22938b30efce6e1021c298b2
SHA1: 7a7a83c6e13ac8109162afa071f7db57bf039a5e
SHA256: 4081ffb25eef89f3f675792a20c87ab73498fe6c977ba0e70aad087267cf2b15
SHA512: cbaf9e73fcbc943c66754e4ae706428ece9b21e311b9670589cdbce42d7b90d08fc6964fd728eed6cbf7bd3dd049d872269840ca174dd6c11a930373d268d3c0
-
Filesize: 151KB
MD5: 5023586af7318292809ce967a47861b3
SHA1: 4a8ec9911cf4bec9323e23f6ad144f57b2f0391c
SHA256: ca03e0c72a2ca327e23c12d8c58d20c165c22e1f62808e9e94d0f35fb289177a
SHA512: 3daed622a5de661acef914095ebebf0f78a01315a87684df5e5cce448081bf1bdf39aabfe8f94ed31ca17d46752df337201a5f2cb93b683ac9848d9683e283f4
-
Filesize: 194KB
MD5: d79212067f1f707c91212a364ce1c40d
SHA1: 55d969321d6d38fe380e7b682651987a7c1c3e1a
SHA256: dc99f15f982b6b032d51deca30e3e98d34772c861a1ab86db1256934871365dc
SHA512: f14cabbe92ab463ccbd7b6d948b5538970f26b6fd05b3a980de72910e0b3c57dc36d8a22aef54f37402105ae250369f12adaf8688d2db30b208af14c522b5ccd
-
Filesize: 92KB
MD5: 215dc18ac4c009911c7a1c0a9b41b961
SHA1: aa679328d89d9849f60cfc212a382d2f420b4247
SHA256: 6b0efa350f85eb71bf47736fd3676a947b00502482b1eae29ffb280adfb6ed5d
SHA512: 953c05b5a6d189d8bfbc661c3d5d996793e47b8b11627d16791e45bc58ac4c95ecaf2c85f633becb5f7a66877043b0156a2f7e0acb3622c84dd43851bff4fc6e
-
Filesize: 173KB
MD5: ebef690903a19e24a03752fe7ad07ea3
SHA1: e63e14084454b64224c1bb866c9b4a7d28de88df
SHA256: 5e860d78ac7b2143cfef41f17c7159b9649e4cb9892fc2e56cb8ad74bf74175c
SHA512: e28f0b4aae9dbd2b8f0fe627a67a51e256834afef8fdf29eb8f4a4053e2b0a7ed0c0905dd0c0d521b8e50dffc649b67f84c30c5996b6e5c2279a445c188d32b6
-
Path: \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\zlGTFd2GI\mspaint.exe
Filesize: 101KB
MD5: fad5693684aad24c1591e5c7fbd149a4
SHA1: 4864ce42320c56c3abafe6823b4f32d7c0af1e08
SHA256: a3cb4a57edf6e392bfc36a1e87638ad28676ad00ad174de9ca8ad46ab4156d9d
SHA512: 1050048ce0eac0639353c76bf4153d20f20919c58848b808ba8625b0077e81451544b174257dbd701d1c7499493aea4a3f4f113e487d8ef0f298da33dba68391
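Only two of the dropped files above carry a path, and they share a directory: a copy of mspaint.exe and a VERSION.dll beside it. That is the layout DLL search-order hijacking relies on, because the loader resolves a non-KnownDLL import from the executable's own directory before it looks in System32. As an added example (not the sandbox's export format or code), the Python below parses dropped-file records written in the layout shown above into structured IoCs, validates each hash by length and alphabet, and pairs DLLs with copied system executables by directory. REPORT_EXCERPT is a constructed three-record excerpt; KNOWN_SYSTEM_EXES (taken from the process tree) and the pairing rule are this example's own assumptions.

```python
"""Parse the dropped-file records above into structured IoCs and find
side-load pairs: a DLL dropped in the same directory as a copied system exe.

Added example; this is not the sandbox's export format or code. REPORT_EXCERPT
is a constructed copy of three records in the layout shown above (a label may
be fused to its value, sit on its own line, or be followed by a colon).
KNOWN_SYSTEM_EXES (taken from the process tree) and the pairing rule are this
example's own assumptions.
"""
import re

REPORT_EXCERPT = """\
-
C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance\\zlGTFd2GI\\VERSION.dll
Filesize76KB
MD57737d321af612b966c7e05739caf731b
SHA11e219379bc349180b8e0d218dd36337efb4b4f78
SHA256282a94dc47bfa2bfdb5e2e42ec1df4bf641f5dd140e73b15a8ea60e9991fd0b1
SHA512735747520be333646ad7e3aa4e69eb91d353ec6f1aadeba2b870cc443e39176a8d4c43e673f27ce3f0002791804922b6bdd301021e0f1bdf9318081cb8629452
-
Filesize
45KB
MD5dc00b61505503068e952bda32127ba1e
SHA1dc60475b6e45582ad1ec4a2d3d8bd05c30cc990f
SHA2569b1bbeb53dd6ba04494dcb830c5b472a96561520c99e6c1fcb689b1ae4dc55a6
SHA512563a841d9d8e0be85e585dfb720b53ee10601ea6566b68e16d9349c305abede92651634012c2ccee38a97658be460d9b81c11db476186d5f929fa1725f0d586b
-
\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance\\zlGTFd2GI\\mspaint.exe
Filesize: 101KB
MD5: fad5693684aad24c1591e5c7fbd149a4
SHA1: 4864ce42320c56c3abafe6823b4f32d7c0af1e08
SHA256: a3cb4a57edf6e392bfc36a1e87638ad28676ad00ad174de9ca8ad46ab4156d9d
SHA512: 1050048ce0eac0639353c76bf4153d20f20919c58848b808ba8625b0077e81451544b174257dbd701d1c7499493aea4a3f4f113e487d8ef0f298da33dba68391
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# Longer labels first so "SHA512..." is never read as SHA1 + "512...".
FIELD_RE = re.compile(r"^(Filesize|MD5|SHA512|SHA256|SHA1)\s*:?\s*([0-9A-Za-z.]+)",
                      re.MULTILINE)
KNOWN_SYSTEM_EXES = {"mspaint.exe", "rstrui.exe", "dpnsvr.exe"}  # assumption


def parse_size(text):
    """'76KB' -> 77824 bytes; accepts B/KB/MB/GB as the report prints them."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([KMG]?B)", text)
    return int(float(m.group(1)) * 1024 ** "BKMG".index(m.group(2)[0])) if m else None


def parse_records(text):
    """Split on '-' separator lines; one dict per record with lowercase hashes
    and a 'problems' list naming hashes that are missing or malformed."""
    records = []
    for chunk in re.split(r"(?m)^-[ \t]*$", text):
        fields = {m.group(1): m.group(2) for m in FIELD_RE.finditer(chunk)}
        if "Filesize" not in fields:
            continue  # nothing before the first separator
        path = next((l.strip() for l in chunk.splitlines() if "\\" in l), None)
        rec = {"path": path, "size": parse_size(fields["Filesize"]), "problems": []}
        for algo, length in HASH_LEN.items():
            value = fields.get(algo, "").lower()
            if len(value) != length or not re.fullmatch(r"[0-9a-f]+", value):
                rec["problems"].append(algo)
            rec[algo.lower()] = value or None
        records.append(rec)
    return records


def sideload_pairs(records, system_exes=KNOWN_SYSTEM_EXES):
    """(directory, exe, dll) for every DLL dropped beside a copied system exe."""
    by_dir = {}
    for rec in records:
        if rec["path"]:
            head, _, name = rec["path"].rpartition("\\")
            # Strip a drive letter so 'C:\Users\...' and '\Users\...' group together.
            by_dir.setdefault(re.sub(r"^[A-Za-z]:", "", head).lower(), []).append(name)
    pairs = []
    for directory, names in by_dir.items():
        exes = [n for n in names if n.lower() in system_exes]
        dlls = [n for n in names if n.lower().endswith(".dll")]
        pairs.extend((directory, e, d) for e in exes for d in dlls)
    return pairs


if __name__ == "__main__":
    recs = parse_records(REPORT_EXCERPT)
    for rec in recs:
        print(rec["path"] or "(no path)", rec["size"], rec["sha256"], rec["problems"])
    print(sideload_pairs(recs))
```

The drive-letter normalisation matters here because the report itself prints one path with `C:` and the other without; without it the two files would not group into a pair. Records whose path the report did not keep still yield usable hash IoCs, and any hash that came through truncated shows up in `problems` instead of silently becoming a bad indicator.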