Analysis
- Max time kernel: 155s
- Max time network: 122s
- Platform: windows7_x64
- Resource: win7-en-20211104
- Submitted: 26-11-2021 09:30
- Static task: static1
- Behavioral task: behavioral1
- Sample: 402d6617014b320ae65709f7029fd2cf3661f5d69932abfa2e2e770236718d65.dll
- Resource: win7-en-20211104

General
- Target: 402d6617014b320ae65709f7029fd2cf3661f5d69932abfa2e2e770236718d65.dll
- Size: 1.2MB
- MD5: 156ccf8324c479a229603a59485b1b68
- SHA1: bd071acdbd27c66fa091ab07c1a079c57475f9a7
- SHA256: 402d6617014b320ae65709f7029fd2cf3661f5d69932abfa2e2e770236718d65
- SHA512: b5f138f7e609f461f155e9059cb2dd9852582fcd01145bf85f92e17809a86fe767d3d5b37ddb7789f38bcc9897da2f482152ccf0621ec967dbb613d54c9e86de
Signatures
- Yara rule match: dridex_stager_shellcode
  - Resource: behavioral1/memory/1372-60-0x0000000002200000-0x0000000002201000-memory.dmp
- Executes dropped EXE (3 IoCs)
  - PID 680 taskmgr.exe
  - PID 1548 eudcedit.exe
  - PID 1728 spreview.exe
- Loads dropped DLL (7 IoCs)
  - PID 1372 (process name not recorded in the report)
  - PID 680 taskmgr.exe
  - PID 1372
  - PID 1548 eudcedit.exe
  - PID 1372
  - PID 1728 spreview.exe
  - PID 1372
- Adds Run key to start application (2 TTPs, 1 IoC)
  - Set value (str): \REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Windows\CurrentVersion\Run\Myzdcwow = "C:\\Users\\Admin\\AppData\\Roaming\\MACROM~1\\FLASHP~1\\#SHARE~1\\XVSXD4TX\\SZXMVB~1\\eudcedit.exe"
- Checks whether UAC is enabled (4 IoCs)
  - Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA by taskmgr.exe
  - Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA by eudcedit.exe
  - Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA by spreview.exe
  - Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA by rundll32.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  - Processes: rundll32.exe (PID 584), PID 1372, taskmgr.exe (PID 680), eudcedit.exe (PID 1548)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  - PID 1372
- Suspicious use of WriteProcessMemory (18 IoCs; each entry was recorded three times)
  - PID 1372 wrote to memory of PID 964 (taskmgr.exe)
  - PID 1372 wrote to memory of PID 680 (taskmgr.exe)
  - PID 1372 wrote to memory of PID 2044 (eudcedit.exe)
  - PID 1372 wrote to memory of PID 1548 (eudcedit.exe)
  - PID 1372 wrote to memory of PID 1912 (spreview.exe)
  - PID 1372 wrote to memory of PID 1728 (spreview.exe)
Processes
- C:\Windows\system32\rundll32.exe
  - Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\402d6617014b320ae65709f7029fd2cf3661f5d69932abfa2e2e770236718d65.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\taskmgr.exe
  - Command line: C:\Windows\system32\taskmgr.exe
- C:\Users\Admin\AppData\Local\leWMn\taskmgr.exe
  - Command line: C:\Users\Admin\AppData\Local\leWMn\taskmgr.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\eudcedit.exe
  - Command line: C:\Windows\system32\eudcedit.exe
- C:\Users\Admin\AppData\Local\7GPsk8xB6\eudcedit.exe
  - Command line: C:\Users\Admin\AppData\Local\7GPsk8xB6\eudcedit.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\spreview.exe
  - Command line: C:\Windows\system32\spreview.exe
- C:\Users\Admin\AppData\Local\aU7m\spreview.exe
  - Command line: C:\Users\Admin\AppData\Local\aU7m\spreview.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
Downloads