Analysis
- max time kernel: 139s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 22-12-2023 16:42

Static task
- static1
- 1 signatures

Behavioral task
- behavioral1
- Sample: f71f16a72ace0fd6a636a6008e36dc8d.dll
- Resource: win7-20231215-en
- 9 signatures
- 150 seconds
General
- Target: f71f16a72ace0fd6a636a6008e36dc8d.dll
- Size: 1.7MB
- MD5: f71f16a72ace0fd6a636a6008e36dc8d
- SHA1: 03c376915c929e4162d388f70a6a87ab200206ae
- SHA256: f049251053c1be586de5e8d9804dcf16ec93afa5d0641c08f31706937d5410a1
- SHA512: 2529cf8d24ff1fc38769a91077a7201bcee8097b77705dde1d7d4d4b0f60f4deeb46cb22fa950ba35e9c380e26aa29464d9b0d39a3d64ba91e8d5cbfdf0225c8
- SSDEEP: 12288:uVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:zfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
Processes:
  resource                                                                     yara_rule
  behavioral1/memory/1196-5-0x00000000024E0000-0x00000000024E1000-memory.dmp   dridex_stager_shellcode
- Executes dropped EXE 3 IoCs
Processes:
  pid    Process
  2996   raserver.exe
  2956   mfpmp.exe
  2192   rdpshell.exe
- Loads dropped DLL 7 IoCs
Processes:
  pid    Process
  1196
  2996   raserver.exe
  1196
  2956   mfpmp.exe
  1196
  2192   rdpshell.exe
  1196
- Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  description       ioc                                                                                                                                                                                                            Process
  Set value (str)   \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\Bsfvntd = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\FLASHP~1\\oRKlp\\mfpmp.exe"
- Checks whether UAC is enabled
Processes:
  description         ioc                                                                                    Process
  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   rdpshell.exe
  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   raserver.exe
  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   mfpmp.exe
- Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
  pid    Process
  2336   regsvr32.exe
  2336   regsvr32.exe
  2336   regsvr32.exe
  1196   (no process name recorded; this pid fills all remaining entries)
- Suspicious use of WriteProcessMemory 18 IoCs
Processes:
  description                        pid    Process   procid_target
  PID 1196 wrote to memory of 3000   1196             29
  PID 1196 wrote to memory of 3000   1196             29
  PID 1196 wrote to memory of 3000   1196             29
  PID 1196 wrote to memory of 2996   1196             28
  PID 1196 wrote to memory of 2996   1196             28
  PID 1196 wrote to memory of 2996   1196             28
  PID 1196 wrote to memory of 2636   1196             31
  PID 1196 wrote to memory of 2636   1196             31
  PID 1196 wrote to memory of 2636   1196             31
  PID 1196 wrote to memory of 2956   1196             30
  PID 1196 wrote to memory of 2956   1196             30
  PID 1196 wrote to memory of 2956   1196             30
  PID 1196 wrote to memory of 2500   1196             33
  PID 1196 wrote to memory of 2500   1196             33
  PID 1196 wrote to memory of 2500   1196             33
  PID 1196 wrote to memory of 2192   1196             32
  PID 1196 wrote to memory of 2192   1196             32
  PID 1196 wrote to memory of 2192   1196             32
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\regsvr32.exe
  Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\f71f16a72ace0fd6a636a6008e36dc8d.dll
  - Suspicious behavior: EnumeratesProcesses
  PID: 2336
- C:\Users\Admin\AppData\Local\GUq\raserver.exe
  Command line: C:\Users\Admin\AppData\Local\GUq\raserver.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 2996
- C:\Windows\system32\raserver.exe
  Command line: C:\Windows\system32\raserver.exe
  PID: 3000
- C:\Users\Admin\AppData\Local\fVp\mfpmp.exe
  Command line: C:\Users\Admin\AppData\Local\fVp\mfpmp.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 2956
- C:\Windows\system32\mfpmp.exe
  Command line: C:\Windows\system32\mfpmp.exe
  PID: 2636
- C:\Users\Admin\AppData\Local\1DD1kEVR\rdpshell.exe
  Command line: C:\Users\Admin\AppData\Local\1DD1kEVR\rdpshell.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 2192
- C:\Windows\system32\rdpshell.exe
  Command line: C:\Windows\system32\rdpshell.exe
  PID: 2500