Analysis
- max time kernel: 150s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 22-12-2023 15:34
- Static task: static1
- Behavioral task: behavioral1
- Sample: da5e3cb85be5b54edb1e3b5ff9d733a2.dll
- Resource: win7-20231215-en
General
- Target: da5e3cb85be5b54edb1e3b5ff9d733a2.dll
- Size: 3.1MB
- MD5: da5e3cb85be5b54edb1e3b5ff9d733a2
- SHA1: e93524cf92f6c04fad09162a1462920dd0d48ec1
- SHA256: e441dc66366d37c4598e91b6779169dcbc71f386ca494b9d6c9d8137b45233f7
- SHA512: 640fffd35412cc5100aaf4c14ce6359b7c6fcb4df6e22bf3d501b342cc16fe65dc07ad431d22544f49ba0b37b2da7e2c0c7b121d64cb078ccdb4a1d66da60c33
- SSDEEP: 12288:hVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1po:QfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
- Processes:
  resource: behavioral1/memory/1192-5-0x00000000029E0000-0x00000000029E1000-memory.dmp
  yara_rule: dridex_stager_shellcode
- Executes dropped EXE (3 IoCs)
  Processes:
  pid   Process
  1668  tabcal.exe
  528   dpnsvr.exe
  1696  SystemPropertiesRemote.exe
- Loads dropped DLL (7 IoCs)
  Processes:
  pid   Process
  1192
  1668  tabcal.exe
  1192
  528   dpnsvr.exe
  1192
  1696  SystemPropertiesRemote.exe
  1192
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\Fskzoiv = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Libraries\\gL9Gr7N\\jX0qkGq\\dpnsvr.exe"
- Checks whether UAC is enabled
  Processes:
  description        ioc                                                                               Process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  tabcal.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  dpnsvr.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  SystemPropertiesRemote.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
  pid   Process
  2296  rundll32.exe
  2296  rundll32.exe
  2296  rundll32.exe
  1192  (all remaining rows; no process name shown for pid 1192)
- Suspicious use of WriteProcessMemory (18 IoCs)
  Processes:
  description                       pid   procid_target
  PID 1192 wrote to memory of 3012  1192  28
  PID 1192 wrote to memory of 3012  1192  28
  PID 1192 wrote to memory of 3012  1192  28
  PID 1192 wrote to memory of 1668  1192  29
  PID 1192 wrote to memory of 1668  1192  29
  PID 1192 wrote to memory of 1668  1192  29
  PID 1192 wrote to memory of 524   1192  30
  PID 1192 wrote to memory of 524   1192  30
  PID 1192 wrote to memory of 524   1192  30
  PID 1192 wrote to memory of 528   1192  31
  PID 1192 wrote to memory of 528   1192  31
  PID 1192 wrote to memory of 528   1192  31
  PID 1192 wrote to memory of 1664  1192  34
  PID 1192 wrote to memory of 1664  1192  34
  PID 1192 wrote to memory of 1664  1192  34
  PID 1192 wrote to memory of 1696  1192  35
  PID 1192 wrote to memory of 1696  1192  35
  PID 1192 wrote to memory of 1696  1192  35
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\da5e3cb85be5b54edb1e3b5ff9d733a2.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID: 2296
- C:\Windows\system32\tabcal.exe
  Command line: C:\Windows\system32\tabcal.exe
  PID: 3012
- C:\Users\Admin\AppData\Local\oXYk8tF\tabcal.exe
  Command line: C:\Users\Admin\AppData\Local\oXYk8tF\tabcal.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 1668
- C:\Windows\system32\dpnsvr.exe
  Command line: C:\Windows\system32\dpnsvr.exe
  PID: 524
- C:\Users\Admin\AppData\Local\gD4S\dpnsvr.exe
  Command line: C:\Users\Admin\AppData\Local\gD4S\dpnsvr.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 528
- C:\Windows\system32\SystemPropertiesRemote.exe
  Command line: C:\Windows\system32\SystemPropertiesRemote.exe
  PID: 1664
- C:\Users\Admin\AppData\Local\NO5MhWON\SystemPropertiesRemote.exe
  Command line: C:\Users\Admin\AppData\Local\NO5MhWON\SystemPropertiesRemote.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 1696
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1.8MB
  MD5: 1250db6ac1f80e45ce1726ba98793343
  SHA1: eb021697afca15898dd7bb1ba53d512dac78830c
  SHA256: 19f54da06b319e7b5ddd37ff7e5403d4573c4986f1a69d97acda7b1a0d1fc214
  SHA512: f54124419765a1b61c30b549ad32453173efdc6e79972dc55a7b4af0219492686f2583b3e3e3177d284d24c36cf24ea2576968f7d1c4b1b4ab0ecc855968b08c
- Filesize: 3.1MB
  MD5: 072b04e6776057474fc519aeb3d8b12a
  SHA1: 7cf332a81bc22e37c66cd9bb06ef169274050011
  SHA256: 5245485248efa5729a881f980bd1245b6747a3864ba6af3e4d35271402955737
  SHA512: 569aac00250e46bd04ec3e1e79193c4dcd3016d1ec5362f6fa4a6a5c5264235a77b565cf6abb0cb3a7a55d4c036d08c3526d1b6e2850f178c1c4ca4999b679d9
- Filesize: 44KB
  MD5: 8e6eb2c8c9c0d0e3f0bc1350c8f3a86f
  SHA1: 4712a31ad4a7bb50b76282083dd21565752adad6
  SHA256: 4153ce1e942c93aa1983a973d2359361cc69748706477523ed60c31cb2aacdb2
  SHA512: ebabdea2085658f879c979199289f2e5f6485a39a42bc4b416b2fc15a87dcffd6f5aa47a89d28f39796bc0b82be505783a4c96297397ac43843f30efd1cb1b67
- Filesize: 46KB
  MD5: b3c72b28e07f3f742ff6aa0426fec6e7
  SHA1: fe71de6002c0efede6cb17374b83bde0d694add8
  SHA256: f9073bf77382a9a62f7895185c5152eb8381b9aae1978dcf7325bcde02543ec3
  SHA512: a1c616f7aad1ccbb7f268b7e2feca0f9933779389641fc7032b0199b44befeba2d323d64d5dcc7e412f5ad8c476b98d0b32b40b8e4c2c513c96f39182842e746
- Filesize: 22KB
  MD5: 2b69b69d48b35982a0787d1b113975a1
  SHA1: b6bfcfab4c908d618d6a18b0b7a04fa2df8eb7a6
  SHA256: 9e993b122e3b9ad80870a436de7faf97d1bdb56ddd407e2a27b54ed3137dd894
  SHA512: 7421c2c9b5ba49f5f64ee9c4ff3bd4d651a71819d4c6a6759cd787b0dc80b062324ac65502bbcd0c1ad560d743e35d9a423f9df00fc19ce4f7f147b78adf6d7e
- Filesize: 3.1MB
  MD5: 9ab2835b115a98cccfa4d62ab8da6463
  SHA1: c105c41f0cc8bb1ce146b50d2b44350a6aa92ee8
  SHA256: 45f882b528ec7be6e43e46fce5f2176bc832dc577c918c2942d9ab7630fcce6c
  SHA512: 5160dc55ce37677c438af6196435dd9923ebf66919811445bdc19a337e8e5f8a94e7a05c89ba136523e71c350e3d71476c812018f778cfe0e1f5f84a0420cc16
- Filesize: 1KB
  MD5: 5cc627bad2cbc7106c0bc92a6aa624bb
  SHA1: 4456bc5d974d14fc7b87708dc62436c49677bd4e
  SHA256: 7fa583800a791102333db04b0eacf12709a9f8dcf2ff6ffd7abcdd200e3adbdd
  SHA512: e27684d3ff3696adf895faeb4b6f7593e5c6275d50c141d07177eeafb7fabe0ebb6ccc6660f982efdb2c9c2db83577a1c69ce8a0a8627263c5949993a192f1a8
- Filesize: 3.1MB
  MD5: ae43e5f6f5c66979c219bf5a7d6ec421
  SHA1: 10bf8fa2186bbf1ded89e64156b64ce4b2091a65
  SHA256: f8dd8ee2ae90c37a26fee41b8fb9d27ac1f0946f48efefc6d3c6815c7975da4e
  SHA512: bc424839b141902e26af8a8273ad2ab905620d3205801c09b3d1b462d7779d93f77742b0dcb2c333f621159de168e417e61495fd69bbd1543a81461ca3a76553
- Filesize: 1.8MB
  MD5: c73758b3f03ab17fe2a91b9507674c45
  SHA1: aaf3dd30dcbfc2390615720ed5235fa667d5a97e
  SHA256: 7b50c0af29415a4af44dc4c4b291a165f98b548420f4b3c8e53afb83d2e9c45b
  SHA512: af524821dd26b2324875864bfd02aad6d74e89d475797e2304a23fa49725790944cbc7c0d8bf82041a29fc53aea9ce86dd425acd0774d246b1c7c2cb520762ff
- Filesize: 80KB
  MD5: d0d7ac869aa4e179da2cc333f0440d71
  SHA1: e7b9a58f5bfc1ec321f015641a60978c0c683894
  SHA256: 5762e1570de6ca4ff4254d03c8f6e572f3b9c065bf5c78fd5a9ea3769c33818a
  SHA512: 1808b10dc85f8755a0074d1ea00794b46b4254573b6862c2813a89ca171ad94f95262e8b59a8f9a596c9bd6a724f440a14a813eab93aa140e818ee97af106db7
- Filesize: 33KB
  MD5: 6806b72978f6bd27aef57899be68b93b
  SHA1: 713c246d0b0b8dcc298afaed4f62aed82789951c
  SHA256: 3485ee4159c5f9e4ed9dd06e668d1e04148154ff40327a9ccb591e8c5a79958c
  SHA512: 43c942358b2e949751149ecc4be5ff6cb0634957ff1128ad5e6051e83379fb5643100cae2f6ef3eaf36aff016063c150e93297aa866e780d0e4d51656a251c7b
- Filesize: 22KB
  MD5: 2f457fb6d3dee00266721055c40e5343
  SHA1: 7f2716c36667219f28697b844e29d7f7c6c2f8f7
  SHA256: dd3dfde1c0738c443ffe66a9df434812a5cd7ac1e7b2963cee51abc262c2d20d
  SHA512: 5db9742eec66e3ae75e74979099823919daf3e6b668b3b9a33ecd821486a4cb12fde25d45dc7989fdfbea3a4d9471e4f7c25027c58d9b1ddbde9acc368b05b87
- Filesize: 17KB
  MD5: 633d5773e99bfd0ca90c67045e3be81c
  SHA1: 96915b689e2a7d4010fef4c3cec7c93c447fb165
  SHA256: ca86412221a6d96e93ef8111f55eb9d165ebe62487976ddc8c91b641e9a48c52
  SHA512: 81c38181f47b181fe0c251735e07ff11787d6ac9b9370db1b473dac292c879311fa970f913b1bcbd9d4dcaf600181fe06c0ddf979a3ed0ce3eefd50789c6a267