Analysis

- max time kernel: 150s
- max time network: 19s
- platform: windows7_x64
- resource: win7
- submitted: 06-08-2020 16:20

Static task: static1
Behavioral task: behavioral1
Sample: DUI70.dll
Resource: win7
General

- Target: DUI70.dll
- Size: 1.2MB
- MD5: ca7f847ac49ea5ec058b9455bacbb326
- SHA1: 9ea5760c8d7b2f1a479901677338e487e62aaad0
- SHA256: 1bc4755b2828092f30c53c4099d2a1b118d1a68686a82b7c11ef12c6ae93f8d4
- SHA512: 5e57d36b700f030c977213899b2d5e4421abcaf54a41ccb336067e52f779066916b58ff1c81441be8c4e69240106569d40371b6ba862e6d89cbeda1cc65d6818
Malware Config
Signatures

- YARA rule match: dridex_ldr
  resource: behavioral1/memory/892-0-0x0000000140000000-0x000000014008D000-memory.dmp
  resource: behavioral1/memory/1264-3-0x0000000140000000-0x0000000140138000-memory.dmp

- YARA rule match: dridex_ldr_dmod
  resource: behavioral1/memory/892-0-0x0000000140000000-0x000000014008D000-memory.dmp
  resource: behavioral1/memory/1264-3-0x0000000140000000-0x0000000140138000-memory.dmp

- Executes dropped EXE (3 IoCs)
  pid 112   SystemPropertiesHardware.exe
  pid 360   fvenotify.exe
  pid 1524  spreview.exe

- Loads dropped DLL (7 IoCs)
  pid 1264  (process not named in the report)
  pid 112   SystemPropertiesHardware.exe
  pid 1264  (process not named in the report)
  pid 360   fvenotify.exe
  pid 1264  (process not named in the report)
  pid 1524  spreview.exe
  pid 1264  (process not named in the report)

- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\Vpubrqhrepmzp = "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\2Wfjp\fvenotify.exe"
  process: not recorded

- Checks whether UAC is enabled
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  by rundll32.exe, SystemPropertiesHardware.exe, fvenotify.exe and spreview.exe

- Suspicious behavior: EnumeratesProcesses (619 IoCs)
  pid 892   rundll32.exe (3 entries shown)
  pid 1264  (repeated; the listing shown is a truncated subset of the 619 IoCs)

- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid 1264

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeShutdownPrivilege, pid 1264 (2 entries)

- Suspicious use of FindShellTrayWindow (5 IoCs)
  pid 1264 (5 entries)

- Suspicious use of SendNotifyMessage (4 IoCs)
  pid 1264 (4 entries)

- Suspicious use of WriteProcessMemory (18 IoCs)
  source pid  target pid  target process                 entries
  1264        108         SystemPropertiesHardware.exe   3
  1264        112         SystemPropertiesHardware.exe   3
  1264        744         fvenotify.exe                  3
  1264        360         fvenotify.exe                  3
  1264        1528        spreview.exe                   3
  1264        1524        spreview.exe                   3
Processes

C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\DUI70.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses

C:\Windows\system32\SystemPropertiesHardware.exe
  command line: C:\Windows\system32\SystemPropertiesHardware.exe

C:\Users\Admin\AppData\Local\zOhyypD\SystemPropertiesHardware.exe
  command line: C:\Users\Admin\AppData\Local\zOhyypD\SystemPropertiesHardware.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled

C:\Windows\system32\fvenotify.exe
  command line: C:\Windows\system32\fvenotify.exe

C:\Users\Admin\AppData\Local\2N0iKa3\fvenotify.exe
  command line: C:\Users\Admin\AppData\Local\2N0iKa3\fvenotify.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled

C:\Windows\system32\spreview.exe
  command line: C:\Windows\system32\spreview.exe

C:\Users\Admin\AppData\Local\2wqLpT9q\spreview.exe
  command line: C:\Users\Admin\AppData\Local\2wqLpT9q\spreview.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
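The process list and signatures above record three behaviours worth turning into detection logic: a signed OS utility (SystemPropertiesHardware.exe, fvenotify.exe, spreview.exe) launched once from system32 and again from a random directory under AppData\Local, with a DLL or CPL dropped beside the copy (the DLL search-order hijacking layout); a Run value pointing at a binary under AppData\Roaming; and a single process (pid 1264) writing into every one of those freshly started processes. The Python below is an added example, not part of the sandbox output or of any vendor's tooling. It assumes process-start, registry-set and memory-write telemetry has already been normalised into the small dataclasses shown; the sample events are constructed from this report, and pids 108, 744 and 1528, which the report names only as WriteProcessMemory targets, are assumed to be the system32 launches.

```python
"""Detection logic for the behaviours in this report (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Where a Windows utility is expected to live, and where none should run from.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("\\appdata\\local\\", "\\appdata\\roaming\\", "\\users\\public\\")
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?$", re.I)


@dataclass(frozen=True)
class ProcStart:
    pid: int
    image: str


@dataclass(frozen=True)
class RegSet:
    key: str
    name: str
    data: str


@dataclass(frozen=True)
class MemWrite:
    source_pid: int
    target_pid: int


def _dir(path: str) -> str:
    return path.lower().rsplit("\\", 1)[0] + "\\"


def _base(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def relocated_os_binaries(starts):
    """Map basename -> user-writable image paths for binaries launched both from a
    Windows system directory and from a user-writable one.  That is the layout the
    report shows: SYSDM.CPL, slc.dll and sqmapi.dll dropped beside copied EXEs."""
    from_system = set()
    from_user = defaultdict(list)
    for ev in starts:
        d = _dir(ev.image)
        if d.startswith(SYSTEM_DIRS):
            from_system.add(_base(ev.image))
        elif any(marker in d for marker in USER_WRITABLE):
            from_user[_base(ev.image)].append(ev.image)
    return {name: paths for name, paths in from_user.items() if name in from_system}


def suspicious_run_values(reg_events):
    """Run/RunOnce values whose target path lies in a user-writable directory."""
    return [ev for ev in reg_events
            if RUN_KEY_RE.search(ev.key)
            and any(m in ev.data.lower() for m in USER_WRITABLE)]


def injection_fanout(writes, min_targets=3):
    """Source pids that wrote into at least min_targets distinct other processes."""
    targets = defaultdict(set)
    for w in writes:
        if w.source_pid != w.target_pid:
            targets[w.source_pid].add(w.target_pid)
    return {pid: sorted(t) for pid, t in targets.items() if len(t) >= min_targets}


# Constructed from this report.  Pids 108, 744 and 1528 are assumed to be the
# system32 launches that precede each AppData copy; the report does not name them.
SAMPLE_STARTS = [
    ProcStart(892, r"C:\Windows\system32\rundll32.exe"),
    ProcStart(108, r"C:\Windows\system32\SystemPropertiesHardware.exe"),
    ProcStart(112, r"C:\Users\Admin\AppData\Local\zOhyypD\SystemPropertiesHardware.exe"),
    ProcStart(744, r"C:\Windows\system32\fvenotify.exe"),
    ProcStart(360, r"C:\Users\Admin\AppData\Local\2N0iKa3\fvenotify.exe"),
    ProcStart(1528, r"C:\Windows\system32\spreview.exe"),
    ProcStart(1524, r"C:\Users\Admin\AppData\Local\2wqLpT9q\spreview.exe"),
]
SAMPLE_REG = [
    RegSet(r"\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000"
           r"\Software\Microsoft\Windows\CurrentVersion\Run",
           "Vpubrqhrepmzp",
           r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent"
           r"\AutomaticDestinations\2Wfjp\fvenotify.exe"),
]
SAMPLE_WRITES = [MemWrite(1264, t) for t in (108, 112, 744, 360, 1528, 1524)]


def analyse(starts=SAMPLE_STARTS, reg=SAMPLE_REG, writes=SAMPLE_WRITES):
    """Run all three rules over an event set and return the findings."""
    return {
        "relocated": relocated_os_binaries(starts),
        "run_values": suspicious_run_values(reg),
        "fanout": injection_fanout(writes),
    }


if __name__ == "__main__":
    for section, hits in analyse().items():
        print(section, hits)
```

The relocation rule keys on the pairing of a system32 launch with a user-directory launch of the same basename rather than on a fixed list of abused utilities, so it also catches a loader that picks a different signed EXE; the cost is that it needs both launches in the same event window, which this sample conveniently provides.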
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

C:\Users\Admin\AppData\Local\2N0iKa3\fvenotify.exe
  MD5:    e61d644998e07c02f0999388808ac109
  SHA1:   183130ad81ff4c7997582a484e759bf7769592d6
  SHA256: 15a85cd6fbcb1ec57d78f986d6dd8908bd56231ce0cf65775075512303f7e5fa
  SHA512: 310141b73394ae12a35f8d4f0c097868ee8a8045a62dd402a5dfbe2151980dd4fe18409ae3ca9422e3b88b2fa9afb04c1acbf8ec23a937a0a242b32a9a1e9272

C:\Users\Admin\AppData\Local\2N0iKa3\slc.dll
  MD5:    f23f62fff709739a0a5188a244b61910
  SHA1:   e5463b73ed878d23d023a119fb46fcadfc9e1f54
  SHA256: 3c8402c1634c15c851e2de93c0ef0ec89e75a1ab475b89f0daf864e8869cbd69
  SHA512: 1cc82221f088ef3578fe48663cfc3f7a2694fd2188afd3e5a6ee7ffbdb562fca013561211dda051a0af73d04bf8075ac51d54f7ef8b323853414f74c1e579142

C:\Users\Admin\AppData\Local\2wqLpT9q\spreview.exe
  MD5:    704cd4cac010e8e6d8de9b778ed17773
  SHA1:   81856abf70640f102b8b3defe2cf65669fe8e165
  SHA256: 4307f21d3ec3b51cba6a905a80045314ffccb4c60c11d99a3d77cc8103014208
  SHA512: b380264276bad01d619a5f1f112791d6bf73dc52cdd5cca0cc1f726a6f66eefc5a78a37646792987c508f9cb5049f0eb86c71fb4c7a2d3e670c0c8623f0522ee

C:\Users\Admin\AppData\Local\2wqLpT9q\sqmapi.dll
  MD5:    16dee71e6d230569f23da87d3c6c398b
  SHA1:   11adde0454fc755fe1460cfb2b8310fd64d67e28
  SHA256: 441c07bc7c03471939181bd07998b3aeb7c2b265173389fb48a633bbd5198365
  SHA512: 96e5eaf3707897bfb0373df8faf8f24c75493a4b539ee255ebaec44f4ded69b71ccebe2f234b5f1b93e0eb27e22be3343962f386083c5b5bd2bda45b83e48237

C:\Users\Admin\AppData\Local\zOhyypD\SYSDM.CPL
  MD5:    f0a252901f76e53c844bc60b0aa86f82
  SHA1:   4dec99aaefc5d60afb911e9f5422400e6e33b764
  SHA256: d213755b08c96005fafb251df3ec56e84f5ebd73f8ae49ccfae6ee8baaa7636d
  SHA512: b821523c8af9707bb7b63b7a765b24588518f17f5bbed7adf4cac55f7afaf59c28d56e242bf76b47b243d4973051994e34cd8f6f8767812cfb2b7916807808f2

C:\Users\Admin\AppData\Local\zOhyypD\SystemPropertiesHardware.exe
  MD5:    c63d722641c417764247f683f9fb43be
  SHA1:   948ec61ebf241c4d80efca3efdfc33fe746e3b98
  SHA256: 4759296b421d60c80db0bb112a30425e04883900374602e13ed97f7c03a49df2
  SHA512: 7223d1c81a4785ed790ec2303d5d9d7ebcae9404d7bf173b3145e51202564de9977e94ac10ab80c6fe49b5f697af3ec70dfd922a891915e8951b5a1b5841c8be

\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\P2iMVanG17\spreview.exe
  MD5:    704cd4cac010e8e6d8de9b778ed17773
  SHA1:   81856abf70640f102b8b3defe2cf65669fe8e165
  SHA256: 4307f21d3ec3b51cba6a905a80045314ffccb4c60c11d99a3d77cc8103014208
  SHA512: b380264276bad01d619a5f1f112791d6bf73dc52cdd5cca0cc1f726a6f66eefc5a78a37646792987c508f9cb5049f0eb86c71fb4c7a2d3e670c0c8623f0522ee

memory/112-5-0x0000000000000000-mapping.dmp
memory/360-11-0x0000000000000000-mapping.dmp
memory/892-0-0x0000000140000000-0x000000014008D000-memory.dmp (564KB)
memory/1264-3-0x0000000140000000-0x0000000140138000-memory.dmp (1.2MB)
memory/1264-2-0x0000000140000000-0x0000000140138000-memory.dmp (1.2MB)
memory/1264-1-0x0000000006190000-0x0000000006191000-memory.dmp (4KB)
memory/1524-17-0x0000000000000000-mapping.dmp