Analysis
- max time kernel: 151s
- max time network: 117s
- platform: windows7_x64
- resource: win7-en-20211104
- submitted: 26-11-2021 09:30
- Static task: static1
- Behavioral task: behavioral1
- Sample: a784e2fdd1ab991dc8e8be58fd5d6c8f5c1403f92d49661f29309268738cdd8f.dll
- Resource: win7-en-20211104
General
- Target: a784e2fdd1ab991dc8e8be58fd5d6c8f5c1403f92d49661f29309268738cdd8f.dll
- Size: 1.3MB
- MD5: 3e98bb4d39b7a7b9750ba84ec892f61d
- SHA1: a0fd28e7af024c4a1a7ecf10777744407eb306f7
- SHA256: a784e2fdd1ab991dc8e8be58fd5d6c8f5c1403f92d49661f29309268738cdd8f
- SHA512: b2aa963b1d3c7240eab67bc1908fcc82d1be5741e97566a59be353c20e41092eda6c9529899980d432190256f016248a09ebf0c5ec1dd37f2e11359f301d4ba9
Malware Config
Signatures
Processes:
- resource: behavioral1/memory/1248-59-0x00000000029E0000-0x00000000029E1000-memory.dmp
  yara_rule: dridex_stager_shellcode

Executes dropped EXE (3 IoCs)
Processes:
- pid 1100: notepad.exe
- pid 984: BdeUISrv.exe
- pid 1420: recdisc.exe

Loads dropped DLL (7 IoCs)
Processes:
- pid 1248
- pid 1100: notepad.exe
- pid 1248
- pid 984: BdeUISrv.exe
- pid 1248
- pid 1420: recdisc.exe
- pid 1248

Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
- description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Windows\CurrentVersion\Run\Myzdcwow = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\TVpvyG36U\\BdeUISrv.exe"

Checks whether UAC is enabled
Processes:
- description: Key value queried; ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA; process: rundll32.exe
- description: Key value queried; ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA; process: notepad.exe
- description: Key value queried; ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA; process: BdeUISrv.exe
- description: Key value queried; ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA; process: recdisc.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
- pid 856: rundll32.exe (3 entries)
- pid 1248 (61 entries)

Suspicious behavior: GetForegroundWindowSpam (5 IoCs)
Processes:
- pid 856: rundll32.exe
- pid 1248
- pid 1100: notepad.exe
- pid 984: BdeUISrv.exe
- pid 1420: recdisc.exe

Suspicious use of WriteProcessMemory (18 IoCs)
Processes (each entry is recorded three times in the report):
- PID 1248 wrote to memory of 2008; target process: notepad.exe
- PID 1248 wrote to memory of 1100; target process: notepad.exe
- PID 1248 wrote to memory of 988; target process: BdeUISrv.exe
- PID 1248 wrote to memory of 984; target process: BdeUISrv.exe
- PID 1248 wrote to memory of 1340; target process: recdisc.exe
- PID 1248 wrote to memory of 1420; target process: recdisc.exe

Processes
- C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a784e2fdd1ab991dc8e8be58fd5d6c8f5c1403f92d49661f29309268738cdd8f.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
- C:\Windows\system32\notepad.exe
  command line: C:\Windows\system32\notepad.exe
- C:\Users\Admin\AppData\Local\MQMyVN\notepad.exe
  command line: C:\Users\Admin\AppData\Local\MQMyVN\notepad.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious behavior: GetForegroundWindowSpam
- C:\Windows\system32\BdeUISrv.exe
  command line: C:\Windows\system32\BdeUISrv.exe
- C:\Users\Admin\AppData\Local\IKSPooG\BdeUISrv.exe
  command line: C:\Users\Admin\AppData\Local\IKSPooG\BdeUISrv.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious behavior: GetForegroundWindowSpam
- C:\Windows\system32\recdisc.exe
  command line: C:\Windows\system32\recdisc.exe
- C:\Users\Admin\AppData\Local\eDh\recdisc.exe
  command line: C:\Users\Admin\AppData\Local\eDh\recdisc.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious behavior: GetForegroundWindowSpam
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\IKSPooG\BdeUISrv.exe
- C:\Users\Admin\AppData\Local\IKSPooG\WTSAPI32.dll
- C:\Users\Admin\AppData\Local\MQMyVN\VERSION.dll
- C:\Users\Admin\AppData\Local\MQMyVN\notepad.exe
- C:\Users\Admin\AppData\Local\eDh\SPP.dll
- C:\Users\Admin\AppData\Local\eDh\recdisc.exe
- \Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\9PFDwF\recdisc.exe