Analysis
- max time kernel: 149s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 22-12-2023 15:15
Static task: static1
Behavioral task: behavioral1
Sample: d577f77a0cf8344c9bb7d3be5578311b.dll
Resource: win7-20231215-en
General
- Target: d577f77a0cf8344c9bb7d3be5578311b.dll
- Size: 1.9MB
- MD5: d577f77a0cf8344c9bb7d3be5578311b
- SHA1: d150adc8a686a849c666159ab896fcc845fc6c00
- SHA256: 95fc26f100d5508c34cd691e6e2e1d6cca2f621de4cd4769433e1564fc6f7e1f
- SHA512: a097092b1886bffcd6d963700f8ad88b0ac4e75f80979030eea65984d9e062d21a6a1b53dd62b16866b88a757449977198311e3040cbbd3db0b0c09cfa760319
- SSDEEP: 12288:XVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:efP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
-
Processes (resource | yara_rule):
- behavioral1/memory/1204-5-0x0000000002EA0000-0x0000000002EA1000-memory.dmp | dridex_stager_shellcode
Executes dropped EXE 3 IoCs
Processes (filter: fveprompt.exe, msdtc.exe, ComputerDefaults.exe; columns pid | Process):
- 2572 | fveprompt.exe
- 2804 | msdtc.exe
- 1620 | ComputerDefaults.exe
Loads dropped DLL 7 IoCs
Processes (filter: fveprompt.exe, msdtc.exe, ComputerDefaults.exe; columns pid | Process):
- 1204 | (no process name recorded)
- 2572 | fveprompt.exe
- 1204 | (no process name recorded)
- 2804 | msdtc.exe
- 1204 | (no process name recorded)
- 1620 | ComputerDefaults.exe
- 1204 | (no process name recorded)
Adds Run key to start application 2 TTPs 1 IoCs
Processes (description | ioc | Process):
- Set value (str) | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\Bsfvntd = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\DNTException\\Low\\fJkZdRhLSbg\\msdtc.exe" | (no process name recorded)
Checks whether UAC is enabled
Processes (filter: rundll32.exe, fveprompt.exe, msdtc.exe, ComputerDefaults.exe; columns description | ioc | Process):
- Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe
- Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | fveprompt.exe
- Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | msdtc.exe
- Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | ComputerDefaults.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (filter: rundll32.exe; columns pid | Process):
- 2468 | rundll32.exe (3 entries)
- 1204 | (no process name recorded; all remaining entries)
Suspicious use of WriteProcessMemory 18 IoCs
Processes (description | pid | Process | procid_target):
- PID 1204 wrote to memory of 2556 | 1204 | (no process name recorded) | 29 (3 entries)
- PID 1204 wrote to memory of 2572 | 1204 | (no process name recorded) | 28 (3 entries)
- PID 1204 wrote to memory of 2132 | 1204 | (no process name recorded) | 31 (3 entries)
- PID 1204 wrote to memory of 2804 | 1204 | (no process name recorded) | 30 (3 entries)
- PID 1204 wrote to memory of 1224 | 1204 | (no process name recorded) | 33 (3 entries)
- PID 1204 wrote to memory of 1620 | 1204 | (no process name recorded) | 32 (3 entries)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\rundll32.exe (depth 1)
Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\d577f77a0cf8344c9bb7d3be5578311b.dll,#1
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID: 2468
-
C:\Users\Admin\AppData\Local\dLcgJG\fveprompt.exe (depth 1)
Command line: C:\Users\Admin\AppData\Local\dLcgJG\fveprompt.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID: 2572
-
C:\Windows\system32\fveprompt.exe (depth 1)
Command line: C:\Windows\system32\fveprompt.exe
PID: 2556
-
C:\Users\Admin\AppData\Local\K6GtNFCS\msdtc.exe (depth 1)
Command line: C:\Users\Admin\AppData\Local\K6GtNFCS\msdtc.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID: 2804
-
C:\Windows\system32\msdtc.exe (depth 1)
Command line: C:\Windows\system32\msdtc.exe
PID: 2132
-
C:\Users\Admin\AppData\Local\f2F22\ComputerDefaults.exe (depth 1)
Command line: C:\Users\Admin\AppData\Local\f2F22\ComputerDefaults.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID: 1620
-
C:\Windows\system32\ComputerDefaults.exe (depth 1)
Command line: C:\Windows\system32\ComputerDefaults.exe
PID: 1224
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 1.9MB
MD5: ebc9d024bbe7ab6460ecf813aa807254
SHA1: d684f5a1cc0788aec9ee18ec55a10dbce3c14e34
SHA256: af92a3699e4170c14e7ef5e7f2204c13b17be8a78f69859923a3adfdfb8ff253
SHA512: 3bfacc61c5a7a8d7186bb99fe2af069e06c1395992e4ac919aac0422ec6a11da0d06c141166af64eecdd7b6450ee49225ddfc73de03c4af415654dbb210c1888
-
Filesize: 1KB
MD5: c075f2402f617baa66a912c33b29e982
SHA1: a28c147d7d229547d4ff262e468e60e4f1f9b1d6
SHA256: be66c27e72cb0ea111779710a9d12820e7fbb9b7dfa0585bd799a0976b038c46
SHA512: 795c973d17c8e181fe19b6d71b855a8205cfb660aaa59176dddd4f9d2ec47ae711932a1808933fae544eebba338950ad62faee5e13d39c045d3c8b651aa96674
-
Filesize: 1.9MB
MD5: 58fc7617bc31d466b4fff9c4ef58afc1
SHA1: 39131a144c923f51dc84313aa6d97ee786a7329c
SHA256: 641eb4e7c2acd77cfbaccd5fb664c419bae41bf88a3a936c29517635ede3f1dc
SHA512: 5ba82d22cb1018eeb3f77e6e3297d1c392e88512b13e30f3a41a6bb7db6a89c4d333a5fceab981952640c89dd8abe44fd0951473546fd9530d414ba8c8410d49
-
Filesize: 1.9MB
MD5: 86f95eaccbd73aa83f235161f7f726f2
SHA1: f6d1ca22b228496409b8cb02bd0413d9d051f909
SHA256: 9c6b9c5f124e55ff9e1b74005c4aed97ddf2ff6ec0dc3dbd5e2c65d56698fa23
SHA512: 2bff1c540dc40955b8a870e572f86d20371ea50fa72fcab090780b0b77d275f228cd377487b18583f14bd28e594c4315568aba2a4020bfb758397a633672e141