Analysis
- max time kernel: 156s
- max time network: 137s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 22-12-2023 15:47
Static task: static1
Behavioral task: behavioral1
Sample: e07278c27ec90b3d8fc7500d8180f0a8.dll
Resource: win7-20231215-en
General
- Target: e07278c27ec90b3d8fc7500d8180f0a8.dll
- Size: 2.2MB
- MD5: e07278c27ec90b3d8fc7500d8180f0a8
- SHA1: 2182eb858155c58ed16cab5d023fe4fde762a6be
- SHA256: ea2fba4b7d64dc7c14d8b7e2bbb4f2333976b93c5f6d32310925eda10593ca72
- SHA512: 73b7d147fb8242d641315bf6e8f5824738dad17356ec8245b38754fd190f174278fdf69f1326a7f7e819de3aeebdbf563bbbf4a0e27ba461ceb8170d4a7cd8db
- SSDEEP: 12288:bVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:6fP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
-
Processes:
  resource: behavioral1/memory/1204-5-0x0000000002A30000-0x0000000002A31000-memory.dmp
  yara_rule: dridex_stager_shellcode
- Executes dropped EXE (3 IoCs)
Processes:
  pid   Process
  1564  icardagt.exe
  1908  SystemPropertiesProtection.exe
  1228  wextract.exe
- Loads dropped DLL (7 IoCs)
Processes:
  pid   Process
  1204
  1564  icardagt.exe
  1204
  1908  SystemPropertiesProtection.exe
  1204
  1228  wextract.exe
  1204
- Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\Xkgbzoakajt = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\24TdjKl\\SystemPropertiesProtection.exe"
- Checks whether UAC is enabled
Processes:
  description        ioc                                                                                    Process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  icardagt.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  SystemPropertiesProtection.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  wextract.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
  pid   Process
  2404  rundll32.exe (3 entries)
  1204  (remaining entries, no process name given)
- Suspicious use of WriteProcessMemory (18 IoCs)
Processes:
  PID 1204 wrote to memory of 1516 (procid_target 27), 3 entries
  PID 1204 wrote to memory of 1564 (procid_target 28), 3 entries
  PID 1204 wrote to memory of 756 (procid_target 29), 3 entries
  PID 1204 wrote to memory of 1908 (procid_target 30), 3 entries
  PID 1204 wrote to memory of 2880 (procid_target 31), 3 entries
  PID 1204 wrote to memory of 1228 (procid_target 32), 3 entries
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\e07278c27ec90b3d8fc7500d8180f0a8.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID:2404
- C:\Windows\system32\icardagt.exe
  C:\Windows\system32\icardagt.exe
  PID:1516
- C:\Users\Admin\AppData\Local\zIJHw3ib\icardagt.exe
  C:\Users\Admin\AppData\Local\zIJHw3ib\icardagt.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID:1564
- C:\Windows\system32\SystemPropertiesProtection.exe
  C:\Windows\system32\SystemPropertiesProtection.exe
  PID:756
- C:\Users\Admin\AppData\Local\u6AEzWV\SystemPropertiesProtection.exe
  C:\Users\Admin\AppData\Local\u6AEzWV\SystemPropertiesProtection.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID:1908
- C:\Windows\system32\wextract.exe
  C:\Windows\system32\wextract.exe
  PID:2880
- C:\Users\Admin\AppData\Local\X1MjLwJ\wextract.exe
  C:\Users\Admin\AppData\Local\X1MjLwJ\wextract.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID:1228
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\OIO9GbO\UxTheme.dll
  Filesize: 2.2MB
  MD5: 20e9ce0abf848819ecc75072be2b8d81
  SHA1: 9e1b86dcfbb3ef34fe936dd170fc07662c755da2
  SHA256: b39faa7a0ac3998e39f52b8ae9bee89bffb50b48af26f663e34f47dba46a3b9f
  SHA512: cc4e35fd2c4fc69e5f8a24d817ab4bb9743778ee2b5321cd2333cb13b55386e593e6782e1ccc91a41a1dacad0c9c80b50c11b707e6af9a32ff0f503e427f5c87