Analysis

Max time kernel: 157s
Max time network: 130s
Platform: windows7_x64
Resource: win7-20231215-en
Resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
Submitted: 22-12-2023 15:47

Static task: static1
Behavioral task: behavioral1
Sample: e0766950c83a3551309ffe32a39cf502.dll
Resource: win7-20231215-en
General

Target: e0766950c83a3551309ffe32a39cf502.dll
Size: 2.9MB
MD5: e0766950c83a3551309ffe32a39cf502
SHA1: 91c525d856e976147ac070289ca9c749ede297e5
SHA256: aa4895a92de07b083cd4ae91f0dfa52a25713b7103d573512465a75f23ffbdc4
SHA512: c2c7b427e6e44f4b6114170e80bc4f9823882337489892a185b06418440bee9a25a0754e76a198b67f3af4b6f8b6fc91107a4af9591cbe2616b19bb2c28ce38e
SSDEEP: 12288:TVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ11:CfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures

YARA rule match in process memory
  resource: behavioral1/memory/1272-5-0x0000000002B20000-0x0000000002B21000-memory.dmp
  yara_rule: dridex_stager_shellcode
  The matching dump is a 4 KiB region of PID 1272, the process that the report never names but that appears as the source of every WriteProcessMemory entry below.
Executes dropped EXE (3 IoCs)
  PID 2932  wscript.exe
  PID 2972  OptionalFeatures.exe
  PID 1368  EhStorAuthn.exe
Loads dropped DLL (8 IoCs, in report order)
  PID 1272  (process not named in the report)
  PID 1272  (process not named in the report)
  PID 2932  wscript.exe
  PID 1272  (process not named in the report)
  PID 2972  OptionalFeatures.exe
  PID 1272  (process not named in the report)
  PID 1368  EhStorAuthn.exe
  PID 1272  (process not named in the report)
Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str)
  \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\Niubkzso = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\ACCESS~1\\ACCESS~1\\99LB0P~1\\OPTION~1.EXE"
  The report does not name the process that wrote the value. The path is stored in 8.3 short-name form; component by component it matches the only long-form path the report gives for a dropped file, C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\99LB0pkB56l\ (where appwiz.cpl is written, see Downloads), and OPTION~1.EXE is consistent with a copy of OptionalFeatures.exe, one of the three Windows binaries the Processes section shows running from user-writable directories. Short names hide the target from naive string matching on "OptionalFeatures.exe" or "Start Menu", so persistence checks should expand them before comparing.
Checks whether UAC is enabled (3 IoCs)
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  EhStorAuthn.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  wscript.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  OptionalFeatures.exe
  (The signature name is taken from the per-process flags in the Processes section; the heading was lost in extraction.)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 2504  regsvr32.exe  (3 entries)
  PID 1272  (process not named in the report)  (the remaining 61 entries)
Suspicious use of WriteProcessMemory (18 IoCs)
  Columns: description, pid, Process (blank for every row), procid_target (the sandbox's internal process id, not a Windows PID). Every row has PID 1272 as the writer and each target appears three times, i.e. three WriteProcessMemory calls per child.
  PID 1272 wrote to memory of 2032  (procid_target 28)  x3  C:\Windows\system32\wscript.exe
  PID 1272 wrote to memory of 2932  (procid_target 29)  x3  C:\Users\Admin\AppData\Local\ZKwzQXQ\wscript.exe
  PID 1272 wrote to memory of 2692  (procid_target 30)  x3  C:\Windows\system32\OptionalFeatures.exe
  PID 1272 wrote to memory of 2972  (procid_target 31)  x3  C:\Users\Admin\AppData\Local\FMo0a\OptionalFeatures.exe
  PID 1272 wrote to memory of 1380  (procid_target 32)  x3  C:\Windows\system32\EhStorAuthn.exe
  PID 1272 wrote to memory of 1368  (procid_target 33)  x3  C:\Users\Admin\AppData\Local\kug\EhStorAuthn.exe
  (image paths cross-referenced from the Processes section)
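The flattened WriteProcessMemory rows are hard to read as printed. The following Python is an added example (mine, not part of the sandbox report or its tooling) that parses the rows exactly as the page renders them, collapses the three repeated rows per target into one edge with a call count, and labels each target with its image path from the Processes section. The row text and the PID-to-path map are constructed from this page; PID 1272 has no name in the report and stays unnamed; the regex and the System32/AppData classification are my own.

```python
import re
from collections import Counter

# Constructed input: the "Suspicious use of WriteProcessMemory" rows as the
# flattened report renders them (18 rows, three per target PID).
WPM_ROWS = (
    "PID 1272 wrote to memory of 2032 1272 28 " * 3
    + "PID 1272 wrote to memory of 2932 1272 29 " * 3
    + "PID 1272 wrote to memory of 2692 1272 30 " * 3
    + "PID 1272 wrote to memory of 2972 1272 31 " * 3
    + "PID 1272 wrote to memory of 1380 1272 32 " * 3
    + "PID 1272 wrote to memory of 1368 1272 33 " * 3
)

# PID -> image path, copied from the Processes section of this report.
# PID 1272 only ever appears as a writer and is never named by the report.
PROCESSES = {
    2504: "C:\\Windows\\system32\\regsvr32.exe",
    2032: "C:\\Windows\\system32\\wscript.exe",
    2932: "C:\\Users\\Admin\\AppData\\Local\\ZKwzQXQ\\wscript.exe",
    2692: "C:\\Windows\\system32\\OptionalFeatures.exe",
    2972: "C:\\Users\\Admin\\AppData\\Local\\FMo0a\\OptionalFeatures.exe",
    1380: "C:\\Windows\\system32\\EhStorAuthn.exe",
    1368: "C:\\Users\\Admin\\AppData\\Local\\kug\\EhStorAuthn.exe",
}

# description (src, dst)  |  pid column  |  procid_target (sandbox-internal id)
ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\d+)")


def parse_wpm(text):
    """One (src_pid, dst_pid, procid_target) tuple per row; duplicates kept."""
    return [(int(s), int(d), int(t)) for s, d, _pid, t in ROW_RE.findall(text)]


def injection_edges(rows):
    """Collapse repeated rows into unique (src, dst) edges with a call count."""
    return dict(Counter((s, d) for s, d, _ in rows))


def classify_image(path):
    """Where the target image lives. A Windows binary running from a
    user-writable directory is the side-loading host the report flags as
    'Executes dropped EXE' / 'Loads dropped DLL'."""
    low = path.lower()
    if low.startswith(("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")):
        return "original"
    if "\\appdata\\local\\" in low:
        return "dropped copy"
    return "other"


def pair_originals_with_copies(processes):
    """Group PIDs by image basename, e.g.
    {'wscript.exe': {'original': [2032], 'dropped copy': [2932]}}."""
    out = {}
    for pid, path in processes.items():
        name = path.rsplit("\\", 1)[-1].lower()
        out.setdefault(name, {}).setdefault(classify_image(path), []).append(pid)
    return out


def summarize(text, processes):
    """One line per unique edge, in the sandbox's procid_target order."""
    rows = parse_wpm(text)
    order = {d: t for _, d, t in rows}
    lines = []
    for (src, dst), n in sorted(injection_edges(rows).items(),
                                key=lambda e: order[e[0][1]]):
        path = processes.get(dst, "<not named in report>")
        lines.append(f"{src} -> {dst} x{n}  {path}  [{classify_image(path)}]")
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(WPM_ROWS, PROCESSES)))
    print(pair_originals_with_copies(PROCESSES))
```

The pairing output makes the sandbox's picture explicit: for each of the three binaries, PID 1272 first touches the System32 original and then the copy under AppData\Local; only the copies are flagged as dropped executables that load a dropped DLL.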
Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times. The report attaches no process, task name or trigger to this signature, so it is a TTP hit only, not an IoC.
Processes

All seven entries sit at the top level of the report's tree; the process that writes into the six wscript/OptionalFeatures/EhStorAuthn instances (PID 1272, per the WriteProcessMemory signature) is never named. Each of those three Windows binaries runs once from System32 and once from a copy under C:\Users\Admin\AppData\Local\<random>\, and only the copies (and PID 1272) are flagged "Loads dropped DLL": a signed Windows binary copied next to a planted DLL that it will load in preference to the real one.

C:\Windows\system32\regsvr32.exe  (PID 2504)
  command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\e0766950c83a3551309ffe32a39cf502.dll
  - Suspicious behavior: EnumeratesProcesses

C:\Windows\system32\wscript.exe  (PID 2032)
  command line: C:\Windows\system32\wscript.exe

C:\Users\Admin\AppData\Local\ZKwzQXQ\wscript.exe  (PID 2932)
  command line: C:\Users\Admin\AppData\Local\ZKwzQXQ\wscript.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled

C:\Windows\system32\OptionalFeatures.exe  (PID 2692)
  command line: C:\Windows\system32\OptionalFeatures.exe

C:\Users\Admin\AppData\Local\FMo0a\OptionalFeatures.exe  (PID 2972)
  command line: C:\Users\Admin\AppData\Local\FMo0a\OptionalFeatures.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled

C:\Windows\system32\EhStorAuthn.exe  (PID 1380)
  command line: C:\Windows\system32\EhStorAuthn.exe

C:\Users\Admin\AppData\Local\kug\EhStorAuthn.exe  (PID 1368)
  command line: C:\Users\Admin\AppData\Local\kug\EhStorAuthn.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
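Two artefacts in this report only make sense together: the Run value written in 8.3 short-name form and the long-form directory the report shows appwiz.cpl dropped into, alongside the three Windows binaries that run once from System32 and once from a copy under AppData\Local. The Python below is an added example (mine, not the report's or any sandbox tool's code) that cross-checks them report-side: it reimplements the way Windows forms an 8.3 alias (long name with spaces and dots removed, upper-cased, cut to six characters, plus ~N) as a heuristic matcher, resolves the Run value against the drop directory, and lists the binaries that qualify as side-loading hosts. The inputs are constructed from this page; SYSTEM_DIRS, the regex and the function names are my own, and the ~N suffix cannot be verified without the real filesystem.

```python
import ntpath
import re

# Constructed from this report: the Run value (8.3 short-name form), the one
# dropped file the report names in long form, and the seven process images.
RUN_VALUE = (
    "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs"
    "\\ACCESS~1\\ACCESS~1\\99LB0P~1\\OPTION~1.EXE"
)
DROPPED_CPL = (
    "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs"
    "\\Accessories\\Accessibility\\99LB0pkB56l\\appwiz.cpl"
)
PROCESS_IMAGES = [
    "C:\\Windows\\system32\\regsvr32.exe",
    "C:\\Windows\\system32\\wscript.exe",
    "C:\\Users\\Admin\\AppData\\Local\\ZKwzQXQ\\wscript.exe",
    "C:\\Windows\\system32\\OptionalFeatures.exe",
    "C:\\Users\\Admin\\AppData\\Local\\FMo0a\\OptionalFeatures.exe",
    "C:\\Windows\\system32\\EhStorAuthn.exe",
    "C:\\Users\\Admin\\AppData\\Local\\kug\\EhStorAuthn.exe",
]

# Assumption: these are the only directories a genuine copy of these binaries lives in.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# An 8.3 alias: up to six stem characters, ~N, optional up-to-3-char extension.
SHORT_RE = re.compile(r"^([^~\\]{1,6})~\d+(\.[^.\\]{0,3})?$")


def component_matches(short, long_):
    """Heuristic: does this 8.3 component plausibly alias this long name?
    Windows drops spaces/dots, upper-cases and keeps six characters; ~N depends
    on creation order, so a match only says the long name is a candidate."""
    m = SHORT_RE.match(short)
    if not m:  # not an alias, compare case-insensitively
        return short.lower() == long_.lower()
    stem, ext = long_.rsplit(".", 1) if "." in long_ else (long_, "")
    want_stem = re.sub(r"[ .]", "", stem).upper()[:6]
    got_ext = (m.group(2) or "").lstrip(".").upper()
    return m.group(1).upper() == want_stem and got_ext == ext.upper()[:3]


def path_matches(short_path, long_path):
    s, l = short_path.split("\\"), long_path.split("\\")
    return len(s) == len(l) and all(component_matches(a, b) for a, b in zip(s, l))


def run_target_in_drop_dir(run_value, dropped_path):
    """Does the Run value point into the directory the dropped file was written to?"""
    return path_matches(ntpath.dirname(run_value), ntpath.dirname(dropped_path))


def sideload_host_candidates(images):
    """Binaries seen both under a system directory and outside one in the same
    trace: the copied-Windows-binary plus planted-DLL pattern. Returns the
    non-system copies keyed by lower-cased basename."""
    by_name = {}
    for p in images:
        by_name.setdefault(ntpath.basename(p).lower(), []).append(p)
    return {
        name: [p for p in paths if not p.lower().startswith(SYSTEM_DIRS)]
        for name, paths in by_name.items()
        if any(p.lower().startswith(SYSTEM_DIRS) for p in paths)
        and any(not p.lower().startswith(SYSTEM_DIRS) for p in paths)
    }


if __name__ == "__main__":
    print("Run value resolves into drop dir:", run_target_in_drop_dir(RUN_VALUE, DROPPED_CPL))
    for name, copies in sideload_host_candidates(PROCESS_IMAGES).items():
        print(f"{name}: copied to {copies}")
```

On a live host the authoritative expansion is `cmd /c dir /x` on each parent directory (or GetLongPathNameW); the matcher here is for triage when only the report survives. regsvr32.exe is correctly not a candidate: it runs from System32 only.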
Network
MITRE ATT&CK Enterprise v15
Downloads

The report gives a path for only one of the twenty files below (appwiz.cpl); the rest are listed by size and hash only.

Filesize: 81KB
MD5: a4b95f129f100ef9349aeda03d5dc7ef
SHA1: d4fb62221cea37f760ae891bdb4b4b3fcf12e0d9
SHA256: 4a0f4ceddcd53031ff9b8c3dcf9905cf93f1c3e5413e9dc3da0e4464791099c5
SHA512: e30598b0f8562c50c33457a5cfd4680503b796d171d87c2c95db526b0b4f21a94d563579cf3a9c9a02217b095648553fd80887e54bc228459da6a2418229716d

Filesize: 101KB
MD5: 184f4dda30fa08ca34e5bc2173c0946b
SHA1: ad5dbb58876c5c1fed1f7d8e3544612d33ad18fd
SHA256: ebf5fcde69ae5dc8fb21d4f63596a69597a8fdb7f4997ead029f21391db9e1c5
SHA512: 62816d7d7e64610a21e29d44eed3b35aed57c8fd87cbc78bf7960673e113ce184122bbf41d7b3b27e540d256b7df5a6e948d5bc3b9173517bfca15dc8af7c6f0

Filesize: 54KB
MD5: 2e82444dbbf00150e6aa5c74bc5611f8
SHA1: 87ebcdaa95759aab7701ebaf48a5105cf532ca71
SHA256: 935f1bb1532b33ae82018df082918341c5dd49b0b5c5e5591823e09e34d23d28
SHA512: a5b3acf0bbb8215c90fa9fa7d7594110398ac7b130c8c4225191ca82d52d23f5738ac1bfee902acef4079ee6df35d3f87ad46046e6c87d770666bbc8ff6179d8

Filesize: 61KB
MD5: 2b223b04bf8c80193f8311703f0babdc
SHA1: d1bdf83845b6d1877b11480d38b7db99023c5422
SHA256: d667a2ebf90219cbea4fe221ad689f10630ec7069ce92b61c12646023a7c69d5
SHA512: ef36727b9275e76eb8dc1c50465fa50d3b418f916867958049717cb392ed8134afaa52a0f3f2b9b86c302f6fcc19d0634075dc8a6d66f812ebf545509e1bf5e9

Filesize: 95KB
MD5: 0c0ec8ea6e93e18d0c9971044a176597
SHA1: 0cf51bcc802d062358ad1d13065ebd16b30ac9cf
SHA256: 8dfb879d7343048781310b7e992ab39cb2a52a2b95298aeb8c69da8479ed664d
SHA512: e8e6a2d92cad3f25d007d375c7b1b9ba0cc90c14d99b05f9d108a09fc0c724e1ad2f1da5bb589761cfe16c51107bbacd5cd7ffda079b329293e0c1a89070a9db

Filesize: 64KB
MD5: 5e88527a55c08ad842f452f2b1e0a8fb
SHA1: c4214b0047a1f3c83fd6178f1aa3d34595b4e38f
SHA256: 8fc5e0bd3b28d0c979b05b922e46be6bae0a3a142767ba46d2804804075e32cb
SHA512: 1a60e883188787aa2fe46274aa79c6dfe2f285541f1b0de7e7460b9e1b148909efbcbdab9f7b837313e7fd724218e46585f0dba6f1c57fc6a3520120fe23c21b

Filesize: 92KB
MD5: bfd3f83302a2ee72fa811ee4f6643759
SHA1: ddc7e39087d686c641efe4df2424d1d73bcfe35a
SHA256: 36b10dbadac14c62ffb04a77e5699ad3a9c4fb13869592e1672e11689aa6d7ab
SHA512: 2f69987500ee4aee5d33a8e14a110550202e93f49b3c443c0a8f3c0deb0a8aa17ce5cf3ebc50e6afdc14f6d64be49376bcab754bcb5b54bacbc695dbfb2c78e6

Filesize: 162KB
MD5: 3ac06460b0405301e277f8d2ddfacdd5
SHA1: b66daa7116fc1ed197e2cae7ab80770b9712a1ec
SHA256: 3553dbdc7704a674ffed29b9347e8f375e66e1e21c366640a7237397b4dd44dc
SHA512: fe9ef55357b69a2342bbe407226c71a5f61f3794850a980fea479867a8319cd6b364ac1cf48050c9ad1fd933513878caa7a52dedd4658e1b1f38ac8ef141ad7e

Filesize: 1KB
MD5: d3f1975c750dc0ee183f1d34ad999dfd
SHA1: de9cf834960e36144af4a7d13f16008fdcaa97f4
SHA256: fec3a4fd3c06909debb06292bda981e3fc5451cbdeb902176fa4db384ded9c45
SHA512: 109d568aa13371248ed29811d462511c6ad46d6869c917b0027a99422fe63e6e5d5749f8c7483c9b1d58c4af4ee6fda45b64724bde7487f5b01ef89b96996571

Filesize: 86KB
MD5: e8a252edd8ee8ef34cb029730440d290
SHA1: 43e47d640886f6f2e8a48bcce71f199311543320
SHA256: bb59c825cdd0ec1af7399f2e24e40fbb8756e4aa9d7bff46eb0e013ba10b846b
SHA512: 191d35f6a84116a1e129c7bde1972c4ae6fd2580b156004bbef609cd018fee1b1bce086ef94acb647c7093a0e08da2c2156af1e90bc059588f7c5ad02accfdc7

Filesize: 1KB
MD5: fc69d44d6c061d5fce75de61cd579aa4
SHA1: c94b2309c4339c7593d6b95d6096516b4a63fdb9
SHA256: 9ab73255e2808674d46bdee86695c4d0ddf9e43c2ae33e853f3a6c402d10033b
SHA512: 67dce67192b99c67e6e21bcc20922815aa6b79ecd4addd5d97e500ae0a1433f4317d45bf80dbb096ac2858f060c4c6e55e335d885bcc431be47ec66d4112e21e

Path: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\99LB0pkB56l\appwiz.cpl
Filesize: 1KB
MD5: 566c5256ca075e80018c5f5ead015f34
SHA1: d3efedc6f08410faf3ad8ebef72c6443e9ad117b
SHA256: 16d1bf6e4d3c4c7947032bdc46264f353dcd16cc1c33cea4dece0fda234c9f5c
SHA512: fbe1fae4d43089443b31db48a245587cdf8f2285eb4edc0afb5d4d899a789147502b5f29984f9bbb2146dcab3e6a435ef1a378e5f673b71147127a5431ae892d
(This is the directory the Run value under Signatures points at in 8.3 form; a 1KB file named appwiz.cpl is far smaller than the Windows control panel module of that name.)

Filesize: 95KB
MD5: eae7af6084667c8f05412ddf096167fc
SHA1: 0dbe8aba001447030e48e8ad5466fd23481e6140
SHA256: 01feebd3aca961f31ba4eac45347b105d1c5772627b08f5538047721b61ff9bc
SHA512: 172a8accaa35a6c9f86713a330c5899dfeeffe3b43413a3d276fc16d45cd62ed9237aa6bff29cc60a2022fba8dcc156959723c041df4b7463436a3bdabef2a9d

Filesize: 73KB
MD5: 5e79e740e29ab88bc686e008e09a6546
SHA1: 29cbc3cf7e5511c1dc22ca4b8ee9239a48007dd1
SHA256: 15dbee77b950fb7abc42920f5f60d798c6e2877acd62a6fcaa9d88b6312d3bf1
SHA512: df334daef490d0195beb863b24f1352cf51ce6d6ab8f3016c03352e820b8a428bb4da9205f505b54d51454a792450d742b5a05ed2eff72de89bb35a739bcf5ed

Filesize: 42KB
MD5: 9ef49ba69a852310fe3f0d0d0dc8d303
SHA1: 9fdd4177ba5ad0583453b12cdb2496c2cdb76921
SHA256: 0618e1dc79d8c5f8e53df9f6deab8dcd6a28b2190a0cd3791a669ca9c20bb468
SHA512: cf8d49f3b863c2cbd7b951007c7e8f1ab89d0f4544b31911642aac77e657bd9bcdd8156ed2993ef13dc85586d1b0533e32b7ecf40779d85b6260c458e0884cef

Filesize: 39KB
MD5: bb7a6a37321b5caf1625e9e56e836dd6
SHA1: b2721b24c2e5e29608e274d92c6fb1e14373d356
SHA256: cb99e5f89654927f7b69864dbd0917c3b15ece2bc840076491f4825269c30da1
SHA512: 4642d87aabcb9ac305f0de340ee4971d6b500263a92500b23067bfa1167437f6b0bb18eb954d4d4383df98e17f656459b08e9960b93269dcb10c5d03ba33a9f0

Filesize: 32KB
MD5: 1adef384faf554a124d84a142b1c3802
SHA1: d855776ed411c27ca7bd1a5c2a0833e7719ac9c2
SHA256: fe130f371fa4fb5f67a97132a684f4d0416c4b33dcd9eed2afd9341c4805e235
SHA512: f45128a5c6996f75d35a18ea1bbc87f4ce42496a7b4d44d331138baa9811d5c4c1f448c36ddcdcc01d85c057e23304ac7e55bb5762747e633c4ea733ea38299d

Filesize: 137KB
MD5: 3abe95d92c80dc79707d8e168d79a994
SHA1: 64b10c17f602d3f21c84954541e7092bc55bb5ab
SHA256: 2159d9d5c9355521de859d1c40907fcdfef19f8cf68eda7485b89e9aa119e3ad
SHA512: 70fee5e87121229bba5c5e5aaa9f028ac0546dc9d38b7a00a81b882c8f8ce4abfdc364a598976b1463cca05e9400db715f8a4478ec61b03a693bbeee18c6ae5c

Filesize: 94KB
MD5: f005c843e7d634ecd97da686d6df0cfe
SHA1: 59ee1a70056ca0eb90251b5acdb623e423176418
SHA256: 4d4579cfa59ee1d532567b8a9b38711bf731accecfd4ac6c6107da2f91f846cc
SHA512: 4fe2d6adbb218802a8d05260337c8bd310a097e63bce486aa745166c694f696b86cb35870466590e37ea0e06bbc4f5c2946a3571c5b89929bdcbdd9c19373a35

Filesize: 85KB
MD5: 27fc63ee98bc85c6ea207db041539866
SHA1: 5cf11fb2666fe99bdbeb7051d159963602e52b2a
SHA256: 39b5090e04f4d1b13e8d93c1869421bfa96aae5747bc31d10e6623c8b21698cc
SHA512: 098a7358b3870d3b6fc950f3eeb12e56433c8a7fb090669be9ca35a1b98f4318ed5f38c352debe0a600e4ff5bfc94a4128d2f52e251b880b3ae931bc9d569d06