Analysis
- max time kernel: 151s
- max time network: 121s
- platform: windows7_x64
- resource: win7-en-20211104
- submitted: 26-11-2021 09:27
- Static task: static1
- Behavioral task: behavioral1
- Sample: 3b855a23e994dea8c214afcbb01123d1317ec701166de6b77d8b3f0c1125698e.dll
- Resource: win7-en-20211104
General
- Target: 3b855a23e994dea8c214afcbb01123d1317ec701166de6b77d8b3f0c1125698e.dll
- Size: 1.4MB
- MD5: d69796752faea68d9010a9671045e0b9
- SHA1: 1e24007994f3d530bbf2fb05ecd42e9c4b40a63e
- SHA256: 3b855a23e994dea8c214afcbb01123d1317ec701166de6b77d8b3f0c1125698e
- SHA512: 6f1715ec37f2c4a3a98f18ad9ef30a112b80a61e21a28bdd74d4e5bfbc33c168df2df1f8fb65b83ad045fbefb000c6ae9e60a26523f22e58cb408e70d558b9dc
Malware Config
Signatures
- YARA rule match
  resource: behavioral1/memory/1340-60-0x00000000026D0000-0x00000000026D1000-memory.dmp
  yara_rule: dridex_stager_shellcode
- Executes dropped EXE 3 IoCs
  pid 1248 wextract.exe
  pid 1168 javaws.exe
  pid 2012 mstsc.exe
- Loads dropped DLL 7 IoCs
  pid 1340 (process name not given in the report)
  pid 1248 wextract.exe
  pid 1340
  pid 1168 javaws.exe
  pid 1340
  pid 2012 mstsc.exe
  pid 1340
- Adds Run key to start application 2 TTPs 1 IoCs
  Set value (str): \REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Windows\CurrentVersion\Run\Myzdcwow = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\XWJF3M~1\\javaws.exe"
- Checks whether UAC is enabled
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (rundll32.exe)
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (wextract.exe)
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (javaws.exe)
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (mstsc.exe)
- Suspicious behavior: EnumeratesProcesses 64 IoCs
  pid 1412 rundll32.exe: 3 entries
  pid 1340 (process name not given in the report): 57 entries, in two runs before and after the wextract.exe entries
  pid 1248 wextract.exe: 2 entries
  pid 1168 javaws.exe: 2 entries
- Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  pid 1340
- Suspicious use of WriteProcessMemory 18 IoCs
  Each of the following entries appears three times in the report:
  PID 1340 wrote to memory of 972 (target process wextract.exe)
  PID 1340 wrote to memory of 1248 (target process wextract.exe)
  PID 1340 wrote to memory of 840 (target process javaws.exe)
  PID 1340 wrote to memory of 1168 (target process javaws.exe)
  PID 1340 wrote to memory of 1824 (target process mstsc.exe)
  PID 1340 wrote to memory of 2012 (target process mstsc.exe)
Processes
- C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\3b855a23e994dea8c214afcbb01123d1317ec701166de6b77d8b3f0c1125698e.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\wextract.exe
  command line: C:\Windows\system32\wextract.exe
- C:\Users\Admin\AppData\Local\PUpSn\wextract.exe
  command line: C:\Users\Admin\AppData\Local\PUpSn\wextract.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\javaws.exe
  command line: C:\Windows\system32\javaws.exe
- C:\Users\Admin\AppData\Local\bRipW\javaws.exe
  command line: C:\Users\Admin\AppData\Local\bRipW\javaws.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\mstsc.exe
  command line: C:\Windows\system32\mstsc.exe
- C:\Users\Admin\AppData\Local\l9Q\mstsc.exe
  command line: C:\Users\Admin\AppData\Local\l9Q\mstsc.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
Downloads
- C:\Users\Admin\AppData\Local\PUpSn\VERSION.dll
  MD5: 73c6b6e5da7c41a3efe10b7c3dc1a1f7
  SHA1: 5225f501f439c6c1fdb91e46debc244b6a79793d
  SHA256: 9702cd444793cb1150f506f6d420b5cd9a162c135367b02d5d30edafac4b6eed
  SHA512: 15b471a4f0a8393b44c02214554abe87a7436baaeafd46968d0f0c878c8a58f9f5191bafe7ffcf2f48d63a683df960bf8f90cd6eeaef64e75af7799388cf54b4
- C:\Users\Admin\AppData\Local\PUpSn\wextract.exe
  MD5: 1ea6500c25a80e8bdb65099c509af993
  SHA1: 6a090ef561feb4ae1c6794de5b19c5e893c4aafc
  SHA256: 99123d4e7bf93aa7f3315a432307c8b0cbaf24ad2cfb46edc149edbe24de4ca2
  SHA512: b8f9f1ab48671e382d1385c34f0f19fc52fc0061e00db53bbbc2cdaee6d8a3f245707329f98e9167c53721aeaddcebfe66632729b6bcc98892031fd9914fb1fb
- C:\Users\Admin\AppData\Local\bRipW\VERSION.dll
  MD5: d3dd022fcc3b8dedddf654332a63ef2c
  SHA1: f0551b26198b6c0a492283182f18ed073fc9bfdd
  SHA256: 55235a8db0cb45731a011a9611d12ce6e3d5178a2d3e93f673cefdc57b610191
  SHA512: f7ee45ab4e8ce1ef8e2e1bb0ada8f6eab2cb45e360a4ce8416945849fa64eacb3098adb132ab128a9d5308ad90f9896d82c3075814479120e53eafa0c8497cd7
- C:\Users\Admin\AppData\Local\bRipW\javaws.exe
  MD5: f94bc1a70c942621c4279236df284e04
  SHA1: 8f46d89c7db415a7f48ccd638963028f63df4e4f
  SHA256: be9f8986a6c86d9f77978105d48b59eebfec3b9732dbf19e0f3d48bf7f20120c
  SHA512: 60edf20ca3cae9802263446af266568d0b5e0692eddcfcfc3b2f9a39327b3184613ca994460b919d17a6edc5936b4da16d9033f5138bcfd9bc0f09d88c8dcd52
- C:\Users\Admin\AppData\Local\l9Q\WINMM.dll
  MD5: 038ca7e124ab9884713f192a1160642d
  SHA1: a79f9b04ab0e5220c101307836454af23850c79a
  SHA256: fcb4ea2753f361780b28d5109deeb7b0ee0af4071ebe77e1363cdfa00c777b6d
  SHA512: 3e31f6712c50299f0d41442807ad75803a1c725aacfd0cb9e037890f25cd54b812f223e927ceee7cb5116413e574a8d8f7615b04c3372c7d680e5c0d510715c6
- C:\Users\Admin\AppData\Local\l9Q\mstsc.exe
  MD5: 50f739538ef014b2e7ec59431749d838
  SHA1: b439762b8efe8cfb977e7374c11a7e4d8ed05eb3
  SHA256: 85c510c7fa8d64c70886ea01ec99e7b9064594f021a95b4cf88359421e732be3
  SHA512: 02e231ddc4ac012c597b9db42f8a77fbf35ca8253c030d443a0dd4db3d76a9ee1cced600f12d7bb06305e7a4da4a8fda980faad335adcb12738d80d453cb3cc8
- \Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Q7NJb\mstsc.exe (a second copy; the report lists the same hashes as for C:\Users\Admin\AppData\Local\l9Q\mstsc.exe)
  MD5: 50f739538ef014b2e7ec59431749d838
  SHA1: b439762b8efe8cfb977e7374c11a7e4d8ed05eb3
  SHA256: 85c510c7fa8d64c70886ea01ec99e7b9064594f021a95b4cf88359421e732be3
  SHA512: 02e231ddc4ac012c597b9db42f8a77fbf35ca8253c030d443a0dd4db3d76a9ee1cced600f12d7bb06305e7a4da4a8fda980faad335adcb12738d80d453cb3cc8