Analysis
- max time kernel: 45s
- max time network: 137s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 22-12-2023 15:44
Static task: static1
Behavioral task: behavioral1
Sample: deac37150b94c6871f020007e2d20de8.dll
Resource: win7-20231215-en
General
-
Target
deac37150b94c6871f020007e2d20de8.dll
-
Size
2.0MB
-
MD5
deac37150b94c6871f020007e2d20de8
-
SHA1
3b89d6d3afb9fc1111676be750b79ee563e0b51c
-
SHA256
b9a2afe692a14758fe22e04ec1d379839fcee981e7c82d4c884af960394ccf9a
-
SHA512
d511b778312473f7987fe3d69b419350a6acf096e3cab9a45b9320e944493bc694da073d502249c2c5f0e4b6452d5c5cdf808f8f12530b4cedd16b8e402ac87f
-
SSDEEP
12288:gVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:FfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
-
Processes:
resource: behavioral1/memory/1264-5-0x00000000029A0000-0x00000000029A1000-memory.dmp
yara_rule: dridex_stager_shellcode
Executes dropped EXE 3 IoCs
Processes:
pid 2300 winlogon.exe
pid 1908 sigverif.exe
pid 1388 SoundRecorder.exe
Loads dropped DLL 7 IoCs
Processes:
pid 1264 (process name not recorded)
pid 2300 winlogon.exe
pid 1264 (process name not recorded)
pid 1908 sigverif.exe
pid 1264 (process name not recorded)
pid 1388 SoundRecorder.exe
pid 1264 (process name not recorded)
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\Pfoxtyecp = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\QUICKL~1\\USERPI~1\\IMPLIC~1\\FQ\\C2EZWT~1\\sigverif.exe"
Checks whether UAC is enabled 4 IoCs
Processes:
description: Key value queried; ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA; Process: rundll32.exe
description: Key value queried; ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA; Process: winlogon.exe
description: Key value queried; ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA; Process: sigverif.exe
description: Key value queried; ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA; Process: SoundRecorder.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid 2664 rundll32.exe (3 entries)
pid 1264, process name not recorded (remaining 61 entries)
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
PID 1264 wrote to memory of 2644 (pid 1264, procid_target 28), 3 entries
PID 1264 wrote to memory of 2300 (pid 1264, procid_target 29), 3 entries
PID 1264 wrote to memory of 1936 (pid 1264, procid_target 30), 3 entries
PID 1264 wrote to memory of 1908 (pid 1264, procid_target 31), 3 entries
PID 1264 wrote to memory of 1716 (pid 1264, procid_target 32), 3 entries
PID 1264 wrote to memory of 1388 (pid 1264, procid_target 33), 3 entries
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\deac37150b94c6871f020007e2d20de8.dll,#1
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2664
-
C:\Windows\system32\winlogon.exe
C:\Windows\system32\winlogon.exe
PID:2644
-
C:\Users\Admin\AppData\Local\BrtoXMCfP\winlogon.exe
C:\Users\Admin\AppData\Local\BrtoXMCfP\winlogon.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2300
-
C:\Windows\system32\sigverif.exe
C:\Windows\system32\sigverif.exe
PID:1936
-
C:\Users\Admin\AppData\Local\ueZuSbV\sigverif.exe
C:\Users\Admin\AppData\Local\ueZuSbV\sigverif.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1908
-
C:\Windows\system32\SoundRecorder.exe
C:\Windows\system32\SoundRecorder.exe
PID:1716
-
C:\Users\Admin\AppData\Local\jeKL\SoundRecorder.exe
C:\Users\Admin\AppData\Local\jeKL\SoundRecorder.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1388
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
62KB
MD5
db7c1b84548aca9d303b28dd2c2e0d17
SHA1
0a6559e35d73c1f47e5197ad640478a2ccc62ea3
SHA256
fa6ecd0fc3541bc48f12a59c5a42a6f4af69f29071c0b1a29a7f698654e0f219
SHA512
a48a8a929488ebb64781b478dec43028dd988b5713c9e805b6ff861195ed4f12ffb7b41a3c72e9fc1d5516dcbf57690ab8f099fb2a59bb0907cabef59dbd3e55
-
Filesize
377B
MD5
2a946d11466ddc75e1c74a3d569505cf
SHA1
291def04fe1bb2340483592b4a0c6f0430c77498
SHA256
d7b372133c284a3ac1eb2db7b7ecc7ad4beefc06d046bba64f0f377951f86156
SHA512
ad0f8e4c49ab44a1b2db1a2b10df498feb353d7feb197ca91b845e2a3030c5acb7f261a5ed3b6302a930028d03aa1e4328b4616f4769ba8642c9803be6579c8d
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
73KB
MD5
e8e95ae5534553fc055051cee99a7f55
SHA1
4e0f668849fd546edd083d5981ed685d02a68df4
SHA256
9e107fd99892d08b15c223ac17c49af75a4cbca41b5e939bb91c9dca9f0d0bec
SHA512
5d3c32d136a264b6d2cfba4602e4d8f75e55ba0e199e0e81d7a515c34d8b9237db29647c10ab79081173010ff8e2c6a59b652c0a9cfa796433aed2d200f02da6
-
Filesize
31KB
MD5
b9717042f141308df5f7f3c7d4d4ed07
SHA1
210ec93a0c81d09d8052e63ec66ae357d482a31b
SHA256
33be45b91bac6e9d43754ee7f5cb0f466ded5490578ea6f1e8c953850f4c70c0
SHA512
d7bb31274145906049e05bef1722c78a9a50e8150c6cc4eb844568db4267b864e6a120a03af663a20a9c46fb794eba0f27ea237bbb5d91ed14093598c5f863d0
-
Filesize
77KB
MD5
6efb6e82714e11b7e67865bf814ece93
SHA1
31c2613b26793daee4d97f34aaebc58a31b9253d
SHA256
c948313f4d6969b0a212577b4af8e4ebaeb0d3fea1fb1a9f1f2f45a8b4493f95
SHA512
acaad443df07b1d7be19b80b93a0cd14d2d9bc8246fe475d4aee040e11eea22e0bd42610eff58bc2d81d2d5ba55ee9b6c2973d4ecde9d4f313f1ca9816528531
-
Filesize
92KB
MD5
175f946cbf9d5d83935954661602a1f8
SHA1
8882840b914444fc072da44b8236a22699566f94
SHA256
0ab87944f4a2ebb2381f71a06c9d60180c37d2c467620b6a967c3a9e0bcab8bb
SHA512
6537f656ca41ae9efcda89227f1d24d91f28491758db5947232cb9b3cbf21668d0408f8ccd5c293aa6c872e1a62467927ab88552788bb1301bdd4a63d0b5c281
-
Filesize
32KB
MD5
0c9601edb5c26d816a4ade92604aeb30
SHA1
505ddffb06f07e8f7ce193e86204f4b6f15a1728
SHA256
e425496039ac6d193fd71b75f20a3f3475a0af1aeebf1205345b16a23f6f5def
SHA512
baee81ebdd97fb10ea6072b735938550b8f16fbc36712e79e52e08055236798395a3ce7172e820ef83d164c414bc24752b74a9e99ef49512f028fef9260333d1