Analysis
- max time kernel: 155s
- max time network: 118s
- platform: windows7_x64
- resource: win7-en-20211014
- submitted: 26-11-2021 09:30
Static task: static1
Behavioral task: behavioral1
Sample: c80a6055c1607efc5254747e5993f4f505da72a7519104e92f2c32189be5ba3d.dll
Resource: win7-en-20211014
General
- Target: c80a6055c1607efc5254747e5993f4f505da72a7519104e92f2c32189be5ba3d.dll
- Size: 1.3MB
- MD5: 3264df29f9af6fdccad5f6c62793f158
- SHA1: 2901853e6dabaee7a82549952a17997caaacb046
- SHA256: c80a6055c1607efc5254747e5993f4f505da72a7519104e92f2c32189be5ba3d
- SHA512: 9bd36e375bea27aa5ce154119031343c8157c88f81a871b45b128b28ce6a7494f6e3eb38d83bf0ae207b62ea01ffa8ce13289c76aa0abb2e9a982c098ecc8cab
Malware Config
Signatures
Processes:
- resource: behavioral1/memory/1256-59-0x0000000002A80000-0x0000000002A81000-memory.dmp; yara_rule: dridex_stager_shellcode
Executes dropped EXE 3 IoCs
Processes:
- pid 592, process SystemPropertiesComputerName.exe
- pid 1392, process DeviceDisplayObjectProvider.exe
- pid 996, process dvdupgrd.exe
Loads dropped DLL 7 IoCs
Processes:
- pid 1256 (no process name recorded)
- pid 592, process SystemPropertiesComputerName.exe
- pid 1256 (no process name recorded)
- pid 1392, process DeviceDisplayObjectProvider.exe
- pid 1256 (no process name recorded)
- pid 996, process dvdupgrd.exe
- pid 1256 (no process name recorded)
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
- description: Set value (str); ioc: \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows\CurrentVersion\Run\Gpavvclvseucyal = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\IEDownloadHistory\\kfqIkp6y\\DeviceDisplayObjectProvider.exe"; process: (not recorded)
Checks whether UAC is enabled
Processes:
- description: Key value queried; ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA; process: SystemPropertiesComputerName.exe
- description: Key value queried; ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA; process: DeviceDisplayObjectProvider.exe
- description: Key value queried; ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA; process: dvdupgrd.exe
- description: Key value queried; ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA; process: rundll32.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
- pid 472, process rundll32.exe (3 entries)
- pid 1256, no process name recorded (all remaining entries)
Suspicious behavior: GetForegroundWindowSpam 5 IoCs
Processes:
- pid 472, process rundll32.exe
- pid 1256 (no process name recorded)
- pid 592, process SystemPropertiesComputerName.exe
- pid 1392, process DeviceDisplayObjectProvider.exe
- pid 996, process dvdupgrd.exe
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
- description: PID 1256 wrote to memory of 1840; pid: 1256; target process: SystemPropertiesComputerName.exe (3 entries)
- description: PID 1256 wrote to memory of 592; pid: 1256; target process: SystemPropertiesComputerName.exe (3 entries)
- description: PID 1256 wrote to memory of 1512; pid: 1256; target process: DeviceDisplayObjectProvider.exe (3 entries)
- description: PID 1256 wrote to memory of 1392; pid: 1256; target process: DeviceDisplayObjectProvider.exe (3 entries)
- description: PID 1256 wrote to memory of 1564; pid: 1256; target process: dvdupgrd.exe (3 entries)
- description: PID 1256 wrote to memory of 996; pid: 1256; target process: dvdupgrd.exe (3 entries)
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\c80a6055c1607efc5254747e5993f4f505da72a7519104e92f2c32189be5ba3d.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
- C:\Windows\system32\SystemPropertiesComputerName.exe
  Command line: C:\Windows\system32\SystemPropertiesComputerName.exe
- C:\Users\Admin\AppData\Local\Zxo1Y\SystemPropertiesComputerName.exe
  Command line: C:\Users\Admin\AppData\Local\Zxo1Y\SystemPropertiesComputerName.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious behavior: GetForegroundWindowSpam
- C:\Windows\system32\DeviceDisplayObjectProvider.exe
  Command line: C:\Windows\system32\DeviceDisplayObjectProvider.exe
- C:\Users\Admin\AppData\Local\tKA6\DeviceDisplayObjectProvider.exe
  Command line: C:\Users\Admin\AppData\Local\tKA6\DeviceDisplayObjectProvider.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious behavior: GetForegroundWindowSpam
- C:\Windows\system32\dvdupgrd.exe
  Command line: C:\Windows\system32\dvdupgrd.exe
- C:\Users\Admin\AppData\Local\lUBOVYs\dvdupgrd.exe
  Command line: C:\Users\Admin\AppData\Local\lUBOVYs\dvdupgrd.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious behavior: GetForegroundWindowSpam
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Zxo1Y\SYSDM.CPL
  MD5: d447d76096229f04af2dca485af1f811
  SHA1: 8ea8d427b1025f136a29ef11aae65e4d3ea6ac7d
  SHA256: f698e0e2a18fbf3a19447591a72e94d1fbba56c9d9c86b3c9befeccb0823c72f
  SHA512: f19f3b4773c2a5cb81dc8faf9a6e7e1d6f87820b7504ed8ad3b8d27e4fbb7a9abfbc0b07b9d174624fa3613f4374842a66986b507284794722619e3aa1764a77
- C:\Users\Admin\AppData\Local\Zxo1Y\SystemPropertiesComputerName.exe
  MD5: bd889683916aa93e84e1a75802918acf
  SHA1: 5ee66571359178613a4256a7470c2c3e6dd93cfa
  SHA256: 0e22894595891a9ff9706e03b3db31a751541c4a773f82420fce57237d6c47cf
  SHA512: 9d76de848b319f44657fb7fbe5a3b927774ae999362ff811a199002ffa77ad9e1638a65a271388e605ab5e5a7cb6ce5aa7fcabc3ed583ade00eaa4c265552026
- C:\Users\Admin\AppData\Local\lUBOVYs\VERSION.dll
  MD5: 23300ff69718ceb6b44dc8f1f251cb5c
  SHA1: 3a05e0b9f0dab2615a113e5f753a8cd92d104033
  SHA256: 1a47bd6c2158bb1b949891c825059e053862c70b40cb6a091fa5c5361a209fab
  SHA512: dcedded1458453583ef8955d457819684f38adbb29983a3b815ef6c3848530bcce9fd968620dc6d46cd2dff37d640b55ef847959cf78c0d80d0a3d886d80706f
- C:\Users\Admin\AppData\Local\lUBOVYs\dvdupgrd.exe
  MD5: 75a9b4172eac01d9648c6d2133af952f
  SHA1: 63c7e1af762d2b584e9cc841e8b0100f2a482b81
  SHA256: 18f9f520c7157023b0e7dfe7433a63c4dedd47b04d24aac4038b795893050736
  SHA512: 5a7a2c7f184efd9c84256a1a0a5e7aeb95432d63a567196be54e7a9437a5ada9b922983c5fc0cafb16eab4493665d8e56e2f646f9f6a2d6179986925ffcdf769
- C:\Users\Admin\AppData\Local\tKA6\DeviceDisplayObjectProvider.exe
  MD5: 7e2eb3a4ae11190ef4c8a9b9a9123234
  SHA1: 72e98687a8d28614e2131c300403c2822856e865
  SHA256: 8481a8ec19cb656ce328c877d5817d317203ba34424a2e9d169ddce5bf2cd2b0
  SHA512: 18b1a0637f48929972a463d441182307725ebf1410dd461a1966bd040ac5dcced138155b7c713bfc924ea2f7b39527a084a08b44fa24c3eb9c654871f99caabf
- C:\Users\Admin\AppData\Local\tKA6\XmlLite.dll
  MD5: 4bdd34264c1e29424c1e5ea92b57faa1
  SHA1: fc0809ba96be6443ef5850f7f3c90eccd6005d46
  SHA256: 73ff77ee565c7ac7755f2100ad7ae7ddcd88619b881ea6ba73c1b5835a05609d
  SHA512: 505adcb3aaceb761888deaefd308643cc6e12e2a4536581ed09c0765916f9f9d487982183e6568277b9816f4d2ed6d2217ffd92e4d4c1eed6e4d4abe324e64eb
- \Users\Admin\AppData\Local\Zxo1Y\SYSDM.CPL
  MD5: d447d76096229f04af2dca485af1f811
  SHA1: 8ea8d427b1025f136a29ef11aae65e4d3ea6ac7d
  SHA256: f698e0e2a18fbf3a19447591a72e94d1fbba56c9d9c86b3c9befeccb0823c72f
  SHA512: f19f3b4773c2a5cb81dc8faf9a6e7e1d6f87820b7504ed8ad3b8d27e4fbb7a9abfbc0b07b9d174624fa3613f4374842a66986b507284794722619e3aa1764a77
- \Users\Admin\AppData\Local\Zxo1Y\SystemPropertiesComputerName.exe
  MD5: bd889683916aa93e84e1a75802918acf
  SHA1: 5ee66571359178613a4256a7470c2c3e6dd93cfa
  SHA256: 0e22894595891a9ff9706e03b3db31a751541c4a773f82420fce57237d6c47cf
  SHA512: 9d76de848b319f44657fb7fbe5a3b927774ae999362ff811a199002ffa77ad9e1638a65a271388e605ab5e5a7cb6ce5aa7fcabc3ed583ade00eaa4c265552026
- \Users\Admin\AppData\Local\lUBOVYs\VERSION.dll
  MD5: 23300ff69718ceb6b44dc8f1f251cb5c
  SHA1: 3a05e0b9f0dab2615a113e5f753a8cd92d104033
  SHA256: 1a47bd6c2158bb1b949891c825059e053862c70b40cb6a091fa5c5361a209fab
  SHA512: dcedded1458453583ef8955d457819684f38adbb29983a3b815ef6c3848530bcce9fd968620dc6d46cd2dff37d640b55ef847959cf78c0d80d0a3d886d80706f
- \Users\Admin\AppData\Local\lUBOVYs\dvdupgrd.exe
  MD5: 75a9b4172eac01d9648c6d2133af952f
  SHA1: 63c7e1af762d2b584e9cc841e8b0100f2a482b81
  SHA256: 18f9f520c7157023b0e7dfe7433a63c4dedd47b04d24aac4038b795893050736
  SHA512: 5a7a2c7f184efd9c84256a1a0a5e7aeb95432d63a567196be54e7a9437a5ada9b922983c5fc0cafb16eab4493665d8e56e2f646f9f6a2d6179986925ffcdf769
- \Users\Admin\AppData\Local\tKA6\DeviceDisplayObjectProvider.exe
  MD5: 7e2eb3a4ae11190ef4c8a9b9a9123234
  SHA1: 72e98687a8d28614e2131c300403c2822856e865
  SHA256: 8481a8ec19cb656ce328c877d5817d317203ba34424a2e9d169ddce5bf2cd2b0
  SHA512: 18b1a0637f48929972a463d441182307725ebf1410dd461a1966bd040ac5dcced138155b7c713bfc924ea2f7b39527a084a08b44fa24c3eb9c654871f99caabf
- \Users\Admin\AppData\Local\tKA6\XmlLite.dll
  MD5: 4bdd34264c1e29424c1e5ea92b57faa1
  SHA1: fc0809ba96be6443ef5850f7f3c90eccd6005d46
  SHA256: 73ff77ee565c7ac7755f2100ad7ae7ddcd88619b881ea6ba73c1b5835a05609d
  SHA512: 505adcb3aaceb761888deaefd308643cc6e12e2a4536581ed09c0765916f9f9d487982183e6568277b9816f4d2ed6d2217ffd92e4d4c1eed6e4d4abe324e64eb
- \Users\Admin\AppData\Roaming\Microsoft\Protect\S-1-5-21-2955169046-2371869340-1800780948-1000\sPU9RYmz\dvdupgrd.exe
  MD5: 75a9b4172eac01d9648c6d2133af952f
  SHA1: 63c7e1af762d2b584e9cc841e8b0100f2a482b81
  SHA256: 18f9f520c7157023b0e7dfe7433a63c4dedd47b04d24aac4038b795893050736
  SHA512: 5a7a2c7f184efd9c84256a1a0a5e7aeb95432d63a567196be54e7a9437a5ada9b922983c5fc0cafb16eab4493665d8e56e2f646f9f6a2d6179986925ffcdf769
- memory/472-55-0x0000000140000000-0x0000000140145000-memory.dmp (Filesize: 1.3MB)
- memory/472-58-0x0000000000100000-0x0000000000107000-memory.dmp (Filesize: 28KB)
- memory/592-85-0x0000000140000000-0x0000000140146000-memory.dmp (Filesize: 1.3MB)
- memory/592-81-0x0000000000000000-mapping.dmp
- memory/996-97-0x0000000000000000-mapping.dmp
- memory/1256-61-0x0000000140000000-0x0000000140145000-memory.dmp (Filesize: 1.3MB)
- memory/1256-68-0x0000000140000000-0x0000000140145000-memory.dmp (Filesize: 1.3MB)
- memory/1256-73-0x0000000140000000-0x0000000140145000-memory.dmp (Filesize: 1.3MB)
- memory/1256-72-0x0000000140000000-0x0000000140145000-memory.dmp (Filesize: 1.3MB)
- memory/1256-71-0x0000000140000000-0x0000000140145000-memory.dmp (Filesize: 1.3MB)
- memory/1256-70-0x0000000140000000-0x0000000140145000-memory.dmp (Filesize: 1.3MB)
- memory/1256-69-0x0000000140000000-0x0000000140145000-memory.dmp (Filesize: 1.3MB)
- memory/1256-59-0x0000000002A80000-0x0000000002A81000-memory.dmp (Filesize: 4KB)
- memory/1256-67-0x0000000140000000-0x0000000140145000-memory.dmp (Filesize: 1.3MB)
- memory/1256-79-0x0000000077450000-0x0000000077452000-memory.dmp (Filesize: 8KB)
- memory/1256-60-0x0000000140000000-0x0000000140145000-memory.dmp (Filesize: 1.3MB)
- memory/1256-62-0x0000000140000000-0x0000000140145000-memory.dmp (Filesize: 1.3MB)
- memory/1256-63-0x0000000140000000-0x0000000140145000-memory.dmp (Filesize: 1.3MB)
- memory/1256-64-0x0000000140000000-0x0000000140145000-memory.dmp (Filesize: 1.3MB)
- memory/1256-65-0x0000000140000000-0x0000000140145000-memory.dmp (Filesize: 1.3MB)
- memory/1256-66-0x0000000140000000-0x0000000140145000-memory.dmp (Filesize: 1.3MB)
- memory/1392-89-0x0000000000000000-mapping.dmp