Analysis

max time kernel: 149s
max time network: 120s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 02-02-2024 11:03

Static task: static1
Behavioral task: behavioral1
  Sample: 8958de5c2bf9701d5a7d93d25444c447.dll
  Resource: win7-20231215-en
General

Target: 8958de5c2bf9701d5a7d93d25444c447.dll
Size: 1.7MB
MD5: 8958de5c2bf9701d5a7d93d25444c447
SHA1: a7ce13895a1f347b2efb1b028041e78376a8193d
SHA256: f07f4994e0fb57cc2f550e7cc7059b2eb27470c13df7ff76e488626d7e8c5efb
SHA512: 5dee19a23e54b34acd0a7eca69ebdac3f9c5c0b124d07640a075013f3610263172a7ea804bb1176294e4e800ce2d16e5670fec4455fef21a67c68f8f0183fbbf
SSDEEP: 12288:rVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:qfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
YARA match: dridex_stager_shellcode (1 IoC)
  resource: behavioral1/memory/1244-5-0x0000000002510000-0x0000000002511000-memory.dmp
  The rule fired on a memory dump of PID 1244, region 0x02510000-0x02511000 (one 4 KiB page). PID 1244 is not named anywhere in the process list below, but it is the source of every WriteProcessMemory entry and of five of the nine dropped-DLL loads.
Executes dropped EXE (4 IoCs)
  pid   process
  2648  SnippingTool.exe
  1808  cttune.exe
  2592  PresentationSettings.exe
  912   PresentationSettings.exe
Loads dropped DLL (9 IoCs)
  pid   process
  1244  (not named)
  2648  SnippingTool.exe
  1244  (not named)
  1808  cttune.exe
  1244  (not named)
  2592  PresentationSettings.exe
  1244  (not named)
  912   PresentationSettings.exe
  1244  (not named)
  Five of the nine loads are in PID 1244 (the process the YARA match sits in); the other four are one per dropped copy of a Windows executable.
Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str)
    key:     \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rtxtioiynm
    data:    "C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\bZKo\PresentationSettings.exe"
    process: (not recorded on this page)
  The persisted path is a PresentationSettings.exe under AppData\Roaming\...\bZKo, a directory distinct from the four AppData\Local directories the copies ran from during this analysis. The value name Rtxtioiynm and the directory name bZKo look generated, like SRXzyi, iOCdW, LHMKz and ItBpr in the process list.
Checks whether UAC is enabled (5 IoCs)
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  by: rundll32.exe, SnippingTool.exe, cttune.exe, PresentationSettings.exe, PresentationSettings.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   process        entries
  2236  rundll32.exe   3
  1244  (not named)    61
Suspicious use of WriteProcessMemory (24 IoCs)
  Every entry has PID 1244 as the writer; each target is written three times, in this order:
  source  target  target process
  1244    2616    SnippingTool.exe
  1244    2648    SnippingTool.exe
  1244    1220    cttune.exe
  1244    1808    cttune.exe
  1244    2272    PresentationSettings.exe
  1244    2592    PresentationSettings.exe
  1244    1588    PresentationSettings.exe
  1244    912     PresentationSettings.exe
  For each executable the writes into the System32 instance (2616, 1220, 2272, 1588) precede the writes into the copy under AppData\Local (2648, 1808, 2592, 912).
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

All nine processes are listed as top level; the tree records no parent-child links, so the relationship between them comes only from the WriteProcessMemory table above, where PID 1244 writes into every process except rundll32.exe.

PID 2236  C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\8958de5c2bf9701d5a7d93d25444c447.dll,#1
          - Checks whether UAC is enabled
          - Suspicious behavior: EnumeratesProcesses
          (rundll32 loads the submitted DLL from Temp and calls its export by ordinal, #1)

PID 2648  C:\Users\Admin\AppData\Local\SRXzyi\SnippingTool.exe
          - Executes dropped EXE
          - Loads dropped DLL
          - Checks whether UAC is enabled

PID 2616  C:\Windows\system32\SnippingTool.exe

PID 1220  C:\Windows\system32\cttune.exe

PID 1808  C:\Users\Admin\AppData\Local\iOCdW\cttune.exe
          - Executes dropped EXE
          - Loads dropped DLL
          - Checks whether UAC is enabled

PID 2592  C:\Users\Admin\AppData\Local\LHMKz\PresentationSettings.exe
          - Executes dropped EXE
          - Loads dropped DLL
          - Checks whether UAC is enabled

PID 2272  C:\Windows\system32\PresentationSettings.exe

PID 912   C:\Users\Admin\AppData\Local\ItBpr\PresentationSettings.exe
          - Executes dropped EXE
          - Loads dropped DLL
          - Checks whether UAC is enabled

PID 1588  C:\Windows\system32\PresentationSettings.exe

The pattern is the same three times: a legitimate Windows executable (SnippingTool.exe, cttune.exe, PresentationSettings.exe, with the last one used twice) runs from System32 with no flagged behaviour, then a copy of it runs from a short randomly named directory under AppData\Local and loads a dropped DLL. That is the shape of DLL search-order hijacking (a trusted binary placed beside an attacker-supplied DLL it imports); the page does not record the name of the DLL that was loaded, so the hijacked import cannot be confirmed from this page alone.
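As an added example (not Triage's code and not part of the original report), the three indicators this run exposes, written as detection logic over the report's own process list and registry write: a Windows image name that runs from System32 and also from a user-writable directory, rundll32 loading a DLL from a user-writable path by ordinal, and a Run value whose target sits inside the user profile. The PIDs, command lines and the Run value are copied from this page. The directory classes in SYSTEM_DIRS and USER_WRITABLE are assumptions to tune for a real estate, and the (pid, command line) input shape is a stand-in for whatever an EDR or Sysmon export provides.

```python
"""Offline triage of the behaviours recorded above (added example).

Flags (1) Windows executables running from a user-writable directory while
the same image name runs from System32, (2) rundll32.exe loading a DLL from a
user-writable path, and (3) Run-key values pointing into the user profile.
"""
import ntpath
import re
from typing import Dict, List, Tuple

# Constructed input: the nine command lines and the single Run-key write from
# the report (PIDs and paths are the report's; order preserved).
PROCESSES: List[Tuple[int, str]] = [
    (2236, r"C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\8958de5c2bf9701d5a7d93d25444c447.dll,#1"),
    (2648, r"C:\Users\Admin\AppData\Local\SRXzyi\SnippingTool.exe"),
    (2616, r"C:\Windows\system32\SnippingTool.exe"),
    (1220, r"C:\Windows\system32\cttune.exe"),
    (1808, r"C:\Users\Admin\AppData\Local\iOCdW\cttune.exe"),
    (2592, r"C:\Users\Admin\AppData\Local\LHMKz\PresentationSettings.exe"),
    (2272, r"C:\Windows\system32\PresentationSettings.exe"),
    (912, r"C:\Users\Admin\AppData\Local\ItBpr\PresentationSettings.exe"),
    (1588, r"C:\Windows\system32\PresentationSettings.exe"),
]
RUN_VALUES: Dict[str, str] = {
    r"\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000"
    r"\Software\Microsoft\Windows\CurrentVersion\Run\Rtxtioiynm":
    r"C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\bZKo\PresentationSettings.exe",
}

# Assumed directory classes (not from the report); extend for your estate.
SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}
USER_WRITABLE = ("\\appdata\\local\\", "\\appdata\\roaming\\",
                 "\\users\\public\\", "c:\\programdata\\")

_IMAGE_RE = re.compile(r'^\s*(?:"([^"]+)"|(\S+))')
# rundll32.exe <dll>,<export>  where <export> is "#<ordinal>" or a name
_RUNDLL_RE = re.compile(r'rundll32\.exe\s+"?([^",\s]+)"?,#?(\w+)', re.IGNORECASE)


def image_path(cmdline: str) -> str:
    """The image path is the first token of the command line, quoted or bare."""
    m = _IMAGE_RE.match(cmdline)
    return (m.group(1) or m.group(2)) if m else ""


def in_system_dir(path: str) -> bool:
    return ntpath.dirname(path).lower() in SYSTEM_DIRS


def in_user_writable(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def find_relocated_system_binaries(processes) -> List[Tuple[int, str]]:
    """Image names seen running from System32 in this trace that also run
    from a user-writable directory: the report's four dropped copies."""
    system_names = {ntpath.basename(image_path(c)).lower()
                    for _, c in processes if in_system_dir(image_path(c))}
    return [(pid, image_path(c)) for pid, c in processes
            if in_user_writable(image_path(c))
            and ntpath.basename(image_path(c)).lower() in system_names]


def find_rundll32_user_dll_loads(processes) -> List[Tuple[int, str, str]]:
    """rundll32.exe given a DLL under a user-writable path.
    Returns (pid, dll path, export); the export is an ordinal ("1") or a name."""
    hits = []
    for pid, c in processes:
        m = _RUNDLL_RE.search(c)
        if m and in_user_writable(m.group(1)):
            hits.append((pid, m.group(1), m.group(2)))
    return hits


def find_run_keys_into_profile(run_values) -> List[Tuple[str, str]]:
    """Run-key values whose target executable lives in a user-writable path."""
    return [(ntpath.basename(key), target)
            for key, target in run_values.items() if in_user_writable(target)]


if __name__ == "__main__":
    for pid, img in find_relocated_system_binaries(PROCESSES):
        print(f"[relocated system binary] pid={pid} {img}")
    for pid, dll, export in find_rundll32_user_dll_loads(PROCESSES):
        print(f"[rundll32 user-path DLL]  pid={pid} {dll} export={export}")
    for name, target in find_run_keys_into_profile(RUN_VALUES):
        print(f"[Run key -> profile]      {name} = {target}")
```

The relocation check deliberately derives the set of "system" image names from the same telemetry rather than from a fixed list, so it generalises to any binary the loader chooses to copy; on a large estate you would seed `system_names` from a baseline of System32 instead, because the genuine System32 instance is not guaranteed to appear in the same window.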
Network
MITRE ATT&CK Enterprise v15
Downloads
Sixteen artifacts, listed by size and hash only; the page records no file names or paths for them. Three are 1.7MB, the size of the submitted DLL, but none carries the submitted sample's hashes.

-
Filesize: 1.3MB
MD5: 9109253d7a17c74b4c8d495fe395ee35
SHA1: 7b978e24e770a9e409c62905e8c8f79ab9626ae8
SHA256: 35d341826652c18776cc1f42901d3bc599cdb4adf36e30b2938a5d44931daff2
SHA512: a067136ee4ab2c0f651ecf29f7b41026f3c97f4eb89547363486d0b9165994e15977680f79ed29bb613e960194bd204505e2ad84e9fedab93bf16629aa117048
-
Filesize: 172KB
MD5: a6f8d318f6041334889481b472000081
SHA1: b8cf08ec17b30c8811f2514246fcdff62731dd58
SHA256: 208b94fd66a6ce266c3195f87029a41a0622fff47f2a5112552cb087adbb1258
SHA512: 60f70fa8a19e6ea6f08f4907dd7fede3665ad3f2e013d49f6649442ea5871a967b9a53ec4d3328a06cb83b69be1b7af1bb14bf122b568bd1f8432ee1d0bfee69
-
Filesize: 465KB
MD5: 75846ccddb80ea6219f2f3761ef6c4b0
SHA1: 57b6cba57d4124f133d1bdb1414268915df2fc30
SHA256: 1066234f2d72cd39694c61eb23912df0f4ec44de76eaa0f29101d92e63aa692f
SHA512: 709dd35f6165f1662f46034ad3319cafd4a750ec0f5f8335cd37668087921c0c22cabf70e01038fb835e151785832a460f57308953d495b8a07900daf1094a5c
-
Filesize: 421KB
MD5: 7633f554eeafde7f144b41c2fcaf5f63
SHA1: 44497c3d6fada0066598a6170b90c53e28ddf96c
SHA256: 890884c7fe7d037e6debd21d1877e9c9c5e7790cdba007ddb219ae6a55667f78
SHA512: 7b61b6736c2c4f49d80f53c839914ad845f86a7d921fee1557e49aa7b4e9713e3483417d6c717eca155229bb6a90fc2253e1543cf05192aaf08262dc761fa203
-
Filesize: 245KB
MD5: f0616031e2d92405428e1523381bf0a8
SHA1: 78584949e898fc5764c7ff30577db3e0925cf2f9
SHA256: 430538534d2d679924f7096c60573acc2d907f71f11aa740a0e7568461702658
SHA512: 871fa01e5e40b8673da1ca9982593a71435c1731de0b4d2b2b5d01607756408bdd755f1c342e82f2249804cf8a20f48a47354c5dd2db05fea53befebdf48c88a
-
Filesize: 532KB
MD5: cea085ff91e448542f035bc304707252
SHA1: d883a79665760cebe251b5165f966c0a8d64117c
SHA256: c132717af6bd7a3d737ab75a54bf4159bf13a84f8e5b0f473dfeb6ae22055794
SHA512: 76e5134473dd55d46a47c1b2023c76e25dd85f3620f831d4a3d95311a13d89ad2cf487c90d7d5523aff80cba475e9305fbd574be1c4f53e8075924e903e96a16
-
Filesize: 314KB
MD5: 7116848fd23e6195fcbbccdf83ce9af4
SHA1: 35fb16a0b68f8a84d5dfac8c110ef5972f1bee93
SHA256: 39937665f72725bdb3b82389a5dbd906c63f4c14208312d7f7a59d6067e1cfa6
SHA512: e38bf57eee5836b8598dd88dc3d266f497d911419a8426f73df6dcaa503611a965aabbd746181cb19bc38eebdb48db778a17f781a8f9e706cbd7a6ebec38f894
-
Filesize: 1.7MB
MD5: 609c45031adcc93aa84a3f9e8acd434e
SHA1: 50ad1b535bbf913c5e8302e2ec6de49f3902b7b8
SHA256: d8df96b78b1481b47bfa397d29d5b3383e563f77411761adf30185e80f47e691
SHA512: d67439ec84342dd90eb40ca1ae184ee6efd2b95cf778089f8e11039017647f706d1c7076a37976df769caf828698ec0d5eca84011d80067fbc30b0d12d57c964
-
Filesize: 935B
MD5: a7e4921c4025c4750be2ca5347bb18eb
SHA1: 0a2f442c62738af7047b8d7d9f157bab2b5e5726
SHA256: ddf9ec42d1765e2654c85241a43bf151800169ee4440c2a056e4a27a58fe8dc2
SHA512: e2142415956d0efbbd222191f80172db947418f873b6625a8d464accdecd5f47b76ca60f57d0e770b0c6848670c2af450bf32e8fc58af4e313a6e4c8dd85f53e
-
Filesize: 1.7MB
MD5: a86fcd14ec7889a26e9b6d14bb7f9db5
SHA1: a7df96408ab58a155abb3605729795a2fa633de1
SHA256: 49054dbec85fe42cdb55c7d6163d98b3f5ff7aabcbd09984b19828e4214a1d00
SHA512: 9517a1fe6da5f6c68a00495543e2b6ba158d248581e6c42e578a0ad35df14a98cf89e0e3960ae956fa1998f50922dee0a1e45ec6ab662fd1b45fb2e3edd231b9
-
Filesize: 310KB
MD5: 995393aebc86e588c5f1287e76fe171e
SHA1: 5e097f11268e8d27644ea1edbd3a7d5a05dd32ce
SHA256: 46862b904d9ae4131ddd4e70a9e00555987de22951a0616d0e919b9b5c4e0bf4
SHA512: f10b321bab62d98cd9154ab094c9e59a5979aeb21093165df8ec884fba975527136ff9ab65ef295bb22a29f9c76c7280ce64ae5316b020dff7c1c57b4960b230
-
Filesize: 1.7MB
MD5: a9cd7939aea0cf330d5cf8739ed6cca5
SHA1: d31903d5544a99d1e9f6ee439dbeb005e613f7c4
SHA256: 0b959521bf34b5ac5e8b6cdf73233f191c5d6dbbc46d391705b6c23386592bd4
SHA512: 9bc5fc84ca585a45d77991e8daddca5b1440a15b873d5585e1b6c68845f413ec78074d0262dc0def0db15626cf6e8e993893681639bca2dd69ce966663d66983
-
Filesize: 1.3MB
MD5: 929597a589a62794bd5a22b0dea738a2
SHA1: 8314f48d5c029fcc6820b271f51333a07e685bd3
SHA256: 6d540b0dbe29c0c131b7e2ac6f991d932a5636358202fc29e80f756a9a772fee
SHA512: 44fb628a72f16cc9bf7360e1b10e4e90b2273449d7fdba0c060c1b091490711ab0772a37ffa2b43918e6e327b0cf93ca996d83632e6e56b6c10545f0542c19ab
-
Filesize: 377KB
MD5: baedcfb72b0fa00d8d9256a644f9a893
SHA1: b4d411c4a936cd9715740937d6a80f15d117873b
SHA256: fc9a484cd0811ffd600ed437e354e37e3b858d2e66a269bd98caf8871c0b09a4
SHA512: 2e56c0c0927c2f3854bc3e7a6c3a94780281746b2e4b1de7311f071e34ff3e2cb768aa2738bc58f0fc24649425f233f5e218c52180d32130094005384051d558
-
Filesize: 367KB
MD5: dd4f039e9de5256b3bb7344c8519d54e
SHA1: 0cf0200c334520ac68c5abb38b24d5059a73da53
SHA256: 896028cbba224bd203b1fb408ffe540ac271871c5aff224c48dfbc68e07840ef
SHA512: 078f8d1c31351897a198b7fe7765bc5eca6440f1e0b8d8821467790ed63e697baa7bffea585e7d2e41d8d70d4dbb91fb6bb796a21aec87b2824432fb20fe7bac
-
Filesize: 560KB
MD5: 04cfa1254ef862a22e4ad5df281a34a1
SHA1: 9a3d8a99870dae4b1c1d6e231ee8aed521e8251c
SHA256: 7e2d328a063c4ffb99e0537e6ebb5a1c4576c79155729230888c99359c1c75ff
SHA512: 444db194f6548d57fd2a4f26768bad78026b9a707bd2cc94a3f1ad83524ef510ae63e6f679ae481e66492c5b73f8ebd7a8f76df52e7a97c596ca179206f471ed