Analysis
-
max time kernel
3s -
max time network
115s -
platform
windows10-2004_x64 -
resource
win10v2004-20231222-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20231222-en locale:en-us os:windows10-2004-x64 system -
submitted
22-12-2023 16:33
Static task
static1
Behavioral task
behavioral1
Sample
f325ee7a242e62a3685763de8d71db15.dll
Resource
win7-20231215-en
General
-
Target
f325ee7a242e62a3685763de8d71db15.dll
-
Size
873KB
-
MD5
f325ee7a242e62a3685763de8d71db15
-
SHA1
3439a0a62364526a7bcecda134f532d20e578bc0
-
SHA256
064dd0fe494677278bb6d1bc0bc811f872b583604d27a81258023f7c695c0a20
-
SHA512
549c34b5e9f097b91c26c1bf37688eb60169cef025a0466212536446494cda53e4f08d626cdf6ec97c393f18b9119543d1064da7783390438f6519aea631ebb1
-
SSDEEP
24576:Zxru6GOISSgyFCsIysmcWy0WToFwYqOss:Zw6jsgyzGTQ
Malware Config
Signatures
-
Processes:
resource yara_rule
behavioral2/memory/1624-1-0x0000000140000000-0x00000001400E2000-memory.dmp dridex_ldr_dmod
behavioral2/memory/3404-24-0x0000000140000000-0x00000001400E2000-memory.dmp dridex_ldr_dmod
behavioral2/memory/3404-34-0x0000000140000000-0x00000001400E2000-memory.dmp dridex_ldr_dmod
behavioral2/memory/1624-37-0x0000000140000000-0x00000001400E2000-memory.dmp dridex_ldr_dmod
behavioral2/memory/3888-50-0x0000000140000000-0x00000001400E4000-memory.dmp dridex_ldr_dmod
behavioral2/memory/3888-44-0x0000000140000000-0x00000001400E4000-memory.dmp dridex_ldr_dmod
behavioral2/memory/4812-67-0x0000000140000000-0x00000001400E3000-memory.dmp dridex_ldr_dmod
behavioral2/memory/4812-61-0x0000000140000000-0x00000001400E3000-memory.dmp dridex_ldr_dmod
behavioral2/memory/4192-84-0x0000000140000000-0x00000001400E3000-memory.dmp dridex_ldr_dmod -
Processes:
resource yara_rule
behavioral2/memory/3404-4-0x0000000002A40000-0x0000000002A41000-memory.dmp dridex_stager_shellcode -
Processes:
rundll32.exe
description ioc Process
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA rundll32.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
rundll32.exe
pid Process
1624 rundll32.exe
1624 rundll32.exe
1624 rundll32.exe
1624 rundll32.exe
Processes
-
C:\Windows\system32\rundll32.exe rundll32.exe C:\Users\Admin\AppData\Local\Temp\f325ee7a242e62a3685763de8d71db15.dll,#1 1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1624
-
C:\Users\Admin\AppData\Local\cRq\tcmsetup.exe C:\Users\Admin\AppData\Local\cRq\tcmsetup.exe 1⤵ PID:3888
-
C:\Windows\system32\tcmsetup.exe C:\Windows\system32\tcmsetup.exe 1⤵ PID:760
-
C:\Users\Admin\AppData\Local\o1jLI\phoneactivate.exe C:\Users\Admin\AppData\Local\o1jLI\phoneactivate.exe 1⤵ PID:4812
-
C:\Windows\system32\phoneactivate.exe C:\Windows\system32\phoneactivate.exe 1⤵ PID:2984
-
C:\Users\Admin\AppData\Local\2EQlojm9\MusNotificationUx.exe C:\Users\Admin\AppData\Local\2EQlojm9\MusNotificationUx.exe 1⤵ PID:4192
-
C:\Windows\system32\MusNotificationUx.exe C:\Windows\system32\MusNotificationUx.exe 1⤵ PID:1968
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
45KB
MD5 34a442145739e7b68a831c1f7a468c50
SHA1 50518e78044b7ac30e694f431a0d2f21fb724367
SHA256 38180a11bf6ba4b94f9dc851fee5a20d23b557327cbf68063b3979931ac2bc85
SHA512 6a811268691daec7a2e9c39734a1d2ec6a05ae6425bbc300fd6d38330a19795032e99fd8b3a49f9642d1229f033a490620c7d7eeedf788dac2744d8eec87c057
-
Filesize
57KB
MD5 969a614ead88811dcc6baacb769ac975
SHA1 fe23dfdaa316cbef7452c75735157ac2d1c8097f
SHA256 d2e72d9bac3bd2e27b648de69aa5e37063e8d1047042b306a924171d8b5e0d37
SHA512 2527105d94b620bee1beb1060b0eb39fef7d72441438080000daf23c0f9fbbb816ee2ca8c5ccb3a26cbf5aa49f45c06969eded8983453316f90d47f1d6b75f1e
-
Filesize
28KB
MD5 df4d3cbd5baeb935f75db51d21c93085
SHA1 caedaa90d81f7ee680cb242d156c867df911bb5c
SHA256 48e7f910a5a7a985d2522c00e8cf2a49aa6b281e1b4b167d52efdbccca777e1c
SHA512 450d7a41041707c5d154461a22591face2ccfaf8178581606bf2fe9318d43576b1c930b51a58406785cc4338f9485a35b2f9b24ca8cea174e3fb25f335fadf3f
-
Filesize
78KB
MD5 4bd77062a0094b7a2d9b1dc56c6f824b
SHA1 f28b1f14b49e978612a46c80c7edcc1be8316d9d
SHA256 2d33f403f7c52de56974ee44d42d14038a2766c2bcd0629088b0c347fe7f3378
SHA512 3d2ff237ec4d7558ef29c17b9da340b470aa503f5e96d4388094cb81820ccc26b8aceeef94c78007d3b9e8b25824ec9885da4efde7f0b3f3e63361c761c80591
-
Filesize
56KB
MD5 c8dd9e948f61bbb66355a45ea585b227
SHA1 0239a7f3cd55b6302f0fc62b3164654dc88bc770
SHA256 0e5ec84a61d77170be46d8beff2d577e281e9ec66d01985ae589948b2bf3f336
SHA512 37da10a158420b6e55a96863560c38ef0db513d20f000462b51cbfb594a1e21fdc0f08c46558b53e6229decc2ee3bf1dfc96373678b6b265f943b2f721a2f9e5
-
Filesize
24KB
MD5 03785321acfcca8033aae84ae14d1da9
SHA1 55a56835446983774edc229dbb3d798bcce73e7e
SHA256 612a59c6820fbdb44abd15141e5abb12d9be36c4febef9074f5a4d406ea10e0d
SHA512 ba65229f19e345cb197225db36be2f23da71ff0f6b0af3fa688777e8b365d9309af86d2932eae8723d7b9facac350adca7b391b5a564e48b122a632059114715
-
Filesize
16KB
MD5 58f3b915b9ae7d63431772c2616b0945
SHA1 6346e837da3b0f551becb7cac6d160e3063696e9
SHA256 e243501ba2ef7a6f04f51410bb916faffe0ec23450a4d030ce6bfe747e544b39
SHA512 7b09192af460c502d1a94989a0d06191c8c7a058ce3a4541e3f45960a1e12529d0cdaff9da3d5bacfdceed57aeb6dc9a159c6c0a95675c438f99bf7e418c6dc5
-
Filesize
10KB
MD5 34e91e814e0da8dcc6a3d43abe93ece8
SHA1 002b651f40abc5d1a02bf493062c5e425455c60b
SHA256 33a85bb6ff30c08f471b2315c43d682a52bbb824dc3c177a0554d15b4aeb42bd
SHA512 2b466bfde295f04a898b2df94dbaf175cfe6da70cf60413e02a2d6e9af78309050a78e4c42332985b7aaa5e0f7541b1bba05e0ff8dc44007a1e646c62b232e65
-
Filesize
22KB
MD5 3c72f408c697c23f3b012b25bee3305d
SHA1 805b6b550aaac871483ae05ddb8876257c94c6ec
SHA256 3aef5400aa44369e01564b35c218bbbd8df99703c955faca8d3dead3865b5e6b
SHA512 157723290c060c9598ed65ee04d9b076f15e0b76702cefaf3b3da8eacd126bd34d20e29a341a8d6ac737e7e0cbfeaab9a5f19384894e794adfbcfd287ab6075e
-
Filesize
43KB
MD5 56b51e0ac4ee47fbd7ee166fedc0a847
SHA1 4a8232b4b3b3f6f82a8b58c60e567d276af6b8d5
SHA256 485983a549421906ccdc20bf06870180061fb6cc17480fb59139fbed0459e1b4
SHA512 1a02726e90d0e10e3176623217556a758b1107a99c12cbaee86770bca46221c8f7fc033dee1976381bd15e7a208ef929cbb13bc249bbd59e2a5a4ac00a6cf567
-
Filesize
29KB
MD5 d9c4beb0e8fb3f0e724e09729ec1769c
SHA1 30fd237f5472f9cc4b195b0e5db31ea40e55daa3
SHA256 3acc447b497ecf478cb97c7b44041856f4cbc16e03f20e92f4ef24b558c6d230
SHA512 c38b0991b9421f4076beffe6a3a74ec733f706261c2e5dd24ebb5bf261673df6a602073a8dc6e89364590dadc723b07a5a05def5cc2af1a5419f2bf3a47300a6
-
Filesize
1KB
MD5 1ed3497323b0d5b36f3aa8b93987e661
SHA1 344cfb057f4f26c8d82ff501f76897aeb5a5a45b
SHA256 2427fda69f560c383d233af9dfb385423e1156d10e7df783248493b8c4318f43
SHA512 98c776e11b8b2a7d326a1bd209cfa8a1b375cf1d77f41dc01b1f293a2e80e4a23aa50ebd6c6c18139f5425ade90d3def4350657eaae63993e9f26a95aeeb8b8d
-
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\2Ul9Dtn02zO\SLC.dll
Filesize
5KB
MD5 86533f0faaf510444bea8c39c9657c39
SHA1 a6495b8ca9d377c93c6d910d08e96de7ed2264c6
SHA256 0f64a778ad3d646a877e9a1c651f081d89d39bbf141b9bdf10ad905bfe521101
SHA512 b59d6bad2ca234f9360b44ef81a323c8f6a566717745c286d10cd7d11979bdb5631a9284c2c58130a801b06a54e53c0f3a8e62c0b9bc50c0349ee6aaeeadca87
-
Filesize
35KB
MD5 a5f7c9f4b6cbab0d6e61e149fc035063
SHA1 52c22976d2a6d57310067050a47f6ee6eea4b9c2
SHA256 44e3dc2a40f332855635400e31ea831ef7f8be20edc09629a6014c371270ad7f
SHA512 7ad5866dc768246177ebf162f4e7d4a8d5a6e02041980c9432c4f1b03fd7aff68cc8755cf4e2b938a16941adcd22d8e308e968a9afd287b9c85d8e68570aa8d7
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e