Analysis
- max time kernel: 155s
- max time network: 117s
- platform: windows7_x64
- resource: win7-en-20211104
- submitted: 26-11-2021 09:32

Static task: static1
Behavioral task: behavioral1
- Sample: e3a97ee2fa0ea4dc05340e0778674a93e8c95944c519df7ee5f486c08b1df15a.dll
- Resource: win7-en-20211104

General
- Target: e3a97ee2fa0ea4dc05340e0778674a93e8c95944c519df7ee5f486c08b1df15a.dll
- Size: 1.2MB
- MD5: ea1bfbc91324c0cbb97f17775e653dab
- SHA1: 61c6d875774c9cd59ae56e351a291c2cf9e79284
- SHA256: e3a97ee2fa0ea4dc05340e0778674a93e8c95944c519df7ee5f486c08b1df15a
- SHA512: 903a180a93cc7ecd2b6e0fd76fc597456bbd1986d28f63993fc00b57dc47afad779fd05ce734f4070d3b16af08aec5e5da1086aefcf85929ba87c7cd1e27dc75
Malware Config
Signatures
Yara rule match
Processes (resource, yara_rule):
- behavioral1/memory/1212-59-0x0000000002990000-0x0000000002991000-memory.dmp: dridex_stager_shellcode
Executes dropped EXE 3 IoCs
Processes (pid, process):
- 832 msinfo32.exe
- 1680 sigverif.exe
- 1748 isoburn.exe
Loads dropped DLL 7 IoCs
Processes (pid, process):
- 1212
- 832 msinfo32.exe
- 1212
- 1680 sigverif.exe
- 1212
- 1748 isoburn.exe
- 1212
Adds Run key to start application 2 TTPs 1 IoCs
Processes (description, ioc, process):
- Set value (str): \REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Windows\CurrentVersion\Run\Myzdcwow = "C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\pPdTpB\\sigverif.exe"
Checks whether UAC is enabled
Processes (description, ioc, process):
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (msinfo32.exe)
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (sigverif.exe)
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (isoburn.exe)
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (rundll32.exe)
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (pid, process):
- 1584 rundll32.exe (3 entries)
- 1212 (all remaining entries)
Suspicious behavior: GetForegroundWindowSpam 5 IoCs
Processes (pid, process):
- 1584 rundll32.exe
- 1212
- 832 msinfo32.exe
- 1680 sigverif.exe
- 1748 isoburn.exe
Suspicious use of WriteProcessMemory 18 IoCs
Processes (description, pid, process, target process):
- PID 1212 wrote to memory of 1136; 1212; target process msinfo32.exe (3 entries)
- PID 1212 wrote to memory of 832; 1212; target process msinfo32.exe (3 entries)
- PID 1212 wrote to memory of 1556; 1212; target process sigverif.exe (3 entries)
- PID 1212 wrote to memory of 1680; 1212; target process sigverif.exe (3 entries)
- PID 1212 wrote to memory of 1876; 1212; target process isoburn.exe (3 entries)
- PID 1212 wrote to memory of 1748; 1212; target process isoburn.exe (3 entries)
Processes
- C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e3a97ee2fa0ea4dc05340e0778674a93e8c95944c519df7ee5f486c08b1df15a.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
- C:\Windows\system32\msinfo32.exe
  command line: C:\Windows\system32\msinfo32.exe
- C:\Users\Admin\AppData\Local\j302\msinfo32.exe
  command line: C:\Users\Admin\AppData\Local\j302\msinfo32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious behavior: GetForegroundWindowSpam
- C:\Windows\system32\sigverif.exe
  command line: C:\Windows\system32\sigverif.exe
- C:\Users\Admin\AppData\Local\PtO2FyJx\sigverif.exe
  command line: C:\Users\Admin\AppData\Local\PtO2FyJx\sigverif.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious behavior: GetForegroundWindowSpam
- C:\Windows\system32\isoburn.exe
  command line: C:\Windows\system32\isoburn.exe
- C:\Users\Admin\AppData\Local\500mgoORR\isoburn.exe
  command line: C:\Users\Admin\AppData\Local\500mgoORR\isoburn.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious behavior: GetForegroundWindowSpam
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads