Analysis
- max time kernel: 117s
- max time network: 117s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 22-12-2023 16:11
- Static task: static1
- Behavioral task: behavioral1
  - Sample: ea6796cf6fd3dd169db3dec29b9eb1ca.dll
  - Resource: win7-20231129-en
General
- Target: ea6796cf6fd3dd169db3dec29b9eb1ca.dll
- Size: 2.0MB
- MD5: ea6796cf6fd3dd169db3dec29b9eb1ca
- SHA1: 10b004395f869122c0643b6db854997bed8b8d4a
- SHA256: 8e2e8778ef549228680a2702f07127d29b07b708df8977a09db0caf592bb5a88
- SHA512: 545476f9585013ba6b9152d1372bf1cc40a35cfee479a69fec3f7a9022122c96194125b9263325bf5ab4d11f46572bebce706d9fe1ba2bdd413d3bbeea98f16e
- SSDEEP: 12288:gVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:FfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
- YARA match: dridex_stager_shellcode 1 IoCs
  resource: behavioral1/memory/1384-5-0x0000000002A00000-0x0000000002A01000-memory.dmp
  (one 4 KB region in PID 1384, a process that has no node in the process tree below)
- Executes dropped EXE 3 IoCs
  pid  Process
  2496 winlogon.exe
  1332 icardagt.exe
  1752 mspaint.exe
- Loads dropped DLL 7 IoCs
  pid  Process
  1384 (image name not recorded)
  2496 winlogon.exe
  1384 (image name not recorded)
  1332 icardagt.exe
  1384 (image name not recorded)
  1752 mspaint.exe
  1384 (image name not recorded)
- Adds Run key to start application 2 TTPs 1 IoCs
  Set value (str) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mjgqrtoi = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\b8Y\\icardagt.exe"
  The value is written with 8.3 short names; on a default profile it expands to C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\b8Y\icardagt.exe, an icardagt.exe under the user's Start Menu folder rather than the Windows binary of that name in System32. The report does not record which process set the value.
- Checks whether UAC is enabled 4 IoCs
  Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  by rundll32.exe, winlogon.exe, icardagt.exe and mspaint.exe
- Suspicious behavior: EnumeratesProcesses 64 IoCs
  pid  Process
  2892 rundll32.exe (3 entries)
  1384 (image name not recorded; 61 entries)
- Suspicious use of WriteProcessMemory 18 IoCs
  description                       pid  procid_target  count
  PID 1384 wrote to memory of 2464  1384 29             3
  PID 1384 wrote to memory of 2496  1384 28             3
  PID 1384 wrote to memory of 2036  1384 30             3
  PID 1384 wrote to memory of 1332  1384 31             3
  PID 1384 wrote to memory of 1236  1384 32             3
  PID 1384 wrote to memory of 1752  1384 33             3
  Cross-referenced with the process tree: 2464, 2036 and 1236 are the System32 copies of winlogon.exe, icardagt.exe and mspaint.exe; 2496, 1332 and 1752 are the copies executed from AppData\Local. PID 1384 itself is the only writer and is not a node in the tree.
- Uses Task Scheduler COM API 1 TTPs
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times. The signature records a technique only; no created task is listed in this report.
Processes
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\ea6796cf6fd3dd169db3dec29b9eb1ca.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID: 2892
- C:\Users\Admin\AppData\Local\soOlTpz\winlogon.exe
  C:\Users\Admin\AppData\Local\soOlTpz\winlogon.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 2496
- C:\Windows\system32\winlogon.exe
  C:\Windows\system32\winlogon.exe
  PID: 2464
- C:\Windows\system32\icardagt.exe
  C:\Windows\system32\icardagt.exe
  PID: 2036
- C:\Users\Admin\AppData\Local\vLsT\icardagt.exe
  C:\Users\Admin\AppData\Local\vLsT\icardagt.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 1332
- C:\Windows\system32\mspaint.exe
  C:\Windows\system32\mspaint.exe
  PID: 1236
- C:\Users\Admin\AppData\Local\FPyXd\mspaint.exe
  C:\Users\Admin\AppData\Local\FPyXd\mspaint.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 1752

All six entries sit at the top level of the tree. PID 1384, which the signatures above show writing into the memory of every one of them and loading the dropped DLLs, has no node here and its image name is not recorded. Each of winlogon.exe, icardagt.exe and mspaint.exe appears twice: once from its real System32 location and once from a copy in a randomly named folder under AppData\Local. Only the copies are flagged as dropped executables that load dropped DLLs, which is the footprint of a legitimate Windows binary being run from a user-writable directory so that it resolves a DLL placed beside it.
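The behaviours recorded above reduce to a few host-level detections: a System32 binary name executing from a path under AppData, a system-named binary loading a DLL from AppData, a Run key value that points into AppData (here hidden behind 8.3 short names), and rundll32 calling an export by ordinal from %TEMP%. The following is an added example, not part of the sandbox report or any Triage tooling, that encodes those checks and runs them over constructed Sysmon-style events built from the paths and PIDs in this report. The SYSTEM_IMAGES set, the 8.3 expansions, and the attribution of the Run-key write and the MFC42u.dll load to PID 1332 are assumptions for the demonstration; the report does not say which process performed either.

```python
"""Hunt logic for the behaviours in this report: Windows system binaries run from
copies under AppData, a system-named binary loading a DLL from AppData, a Run key
value pointing into AppData through 8.3 short names, and rundll32 calling an
export by ordinal from %TEMP%. All events below are constructed Sysmon-style
records built from the paths in the report, not sandbox output."""
import ntpath
import re
from dataclasses import dataclass

# Binaries that belong in System32. Build this from a golden image in practice;
# this subset is just what the report shows (assumption for the demo).
SYSTEM_IMAGES = {"winlogon.exe", "icardagt.exe", "mspaint.exe", "rundll32.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
APPDATA_RE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.IGNORECASE)
SHORT_NAME_RE = re.compile(r"~\d+\\")                       # 8.3 names such as MICROS~1\
ORDINAL_CALL_RE = re.compile(r"\.dll,#\d+", re.IGNORECASE)  # rundll32 x.dll,#1

# Usual expansions on a default profile; 8.3 names depend on creation order,
# so confirm on the host with `dir /x` in the parent directory before relying on them.
SHORT_NAMES = {"MICROS~1": "Microsoft", "STARTM~1": "Start Menu"}


@dataclass
class Event:
    kind: str          # "process" (Sysmon ID 1), "imageload" (ID 7) or "registry" (ID 13)
    pid: int
    image: str         # process image path
    data: str = ""     # command line, loaded DLL path, or registry value data
    target: str = ""   # registry key path for "registry" events


@dataclass
class Finding:
    rule: str
    pid: int
    detail: str


def in_system_dir(path: str) -> bool:
    return path.lower().startswith(SYSTEM_DIRS)


def expand_short_names(path: str) -> str:
    """Replace the known 8.3 components so the analyst sees the real target path."""
    for short, long in SHORT_NAMES.items():
        path = path.replace(short, long)
    return path


def check_event(ev: Event) -> list[Finding]:
    found = []
    name = ntpath.basename(ev.image.lower())
    if ev.kind == "process":
        # A System32 binary name running from anywhere but the Windows directory.
        if name in SYSTEM_IMAGES and not in_system_dir(ev.image):
            found.append(Finding("system_binary_outside_windows_dir", ev.pid, ev.image))
        # rundll32 invoking an export by ordinal from a DLL under AppData (e.g. %TEMP%).
        if name == "rundll32.exe" and ORDINAL_CALL_RE.search(ev.data) \
                and "\\appdata\\" in ev.data.lower():
            found.append(Finding("rundll32_ordinal_export_from_appdata", ev.pid, ev.data))
    elif ev.kind == "imageload":
        # A system-named binary resolving a DLL from a user-writable directory.
        if name in SYSTEM_IMAGES and APPDATA_RE.search(ev.data):
            found.append(Finding("system_binary_loads_dll_from_appdata", ev.pid, ev.data))
    elif ev.kind == "registry":
        value = ev.data.strip('"')
        if RUN_KEY_RE.search(ev.target) and APPDATA_RE.search(value):
            note = " [8.3 short names]" if SHORT_NAME_RE.search(value) else ""
            found.append(Finding("run_key_points_into_appdata", ev.pid,
                                 f"{ev.target} = {expand_short_names(value)}{note}"))
    return found


def scan(events: list[Event]) -> list[Finding]:
    return [f for ev in events for f in check_event(ev)]


RUN_VALUE = r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\b8Y\icardagt.exe"

# Constructed events. Paths and PIDs come from the report; which process set the
# Run key and which process loaded MFC42u.dll are not recorded there, so the
# attribution of those two events to PID 1332 is an assumption for the demo.
SAMPLE_EVENTS = [
    Event("process", 2892, r"C:\Windows\system32\rundll32.exe",
          r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\ea6796cf6fd3dd169db3dec29b9eb1ca.dll,#1"),
    Event("process", 2464, r"C:\Windows\system32\winlogon.exe"),  # genuine location, must not fire
    Event("process", 2496, r"C:\Users\Admin\AppData\Local\soOlTpz\winlogon.exe"),
    Event("process", 1332, r"C:\Users\Admin\AppData\Local\vLsT\icardagt.exe"),
    Event("process", 1752, r"C:\Users\Admin\AppData\Local\FPyXd\mspaint.exe"),
    Event("imageload", 1332, r"C:\Users\Admin\AppData\Local\vLsT\icardagt.exe",
          r"C:\Users\Admin\AppData\Roaming\Identities\{85F2D219-4DA8-41B0-8F71-51D9FDB705AC}\ZDk594Jk\MFC42u.dll"),
    Event("registry", 1332, r"C:\Users\Admin\AppData\Local\vLsT\icardagt.exe", RUN_VALUE,
          r"\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mjgqrtoi"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.rule}] pid={f.pid} {f.detail}")
```

Running the block yields six findings: the rundll32 ordinal call from %TEMP%, the three AppData copies of System32 binaries, the DLL load from AppData, and the Run key entry with its short names expanded; the genuine System32 winlogon.exe (PID 2464) produces nothing. The path-based rules are deliberately simple so they port to a SIEM query; on real telemetry pair them with signer checks (a Microsoft-signed binary in AppData is the side-loading host, the unsigned DLL next to it is the payload).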
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Roaming\Identities\{85F2D219-4DA8-41B0-8F71-51D9FDB705AC}\ZDk594Jk\MFC42u.dll
  Filesize: 92KB
  MD5: 97f7e789b6ccdb877bf89d02f5bdfcf8
  SHA1: 390bc86ee724cb688fb9082c563cfbebf2852dd7
  SHA256: d746bf0e990d9990a8b1666d40f6efa1671f0e26e9ddd72a047cfe1fabc31d4a
  SHA512: 3545668834183a145f165e4dcb2eaecec52a9277d09d73ad4821856ac9b57831ee70f794adc7730db263720e51c62364874ffd1233a5965ab000008e8923e9dd
  (a 92 KB file carrying the name of a Microsoft runtime DLL that is roughly 1 MB in System32, dropped into a user-writable folder, is the one to pull for static analysis)
- (path not shown in this report)
  Filesize: 62KB
  MD5: 93d1334aea0b6add2055c1371676f2a6
  SHA1: e32d32639efc441c1259d702da217ec01430c6e4
  SHA256: 2d7f8e78c09e02ada6de3437e7e9f903be70f15c39540cad8ff6c2309e32d76d
  SHA512: df4ff2fa0e24c80f9b3c2c74a985c137f8cc6f02fdcba6008809a838e928fef9a76dd15f7d842eb3e86fbee6e78a8a0abd037915c718cf29dd28a7fe068e69cd
- (path not shown in this report)
  Filesize: 32KB
  MD5: 4f28c723f419ca4dfa55b0b62f4f5523
  SHA1: 0a22272b613dc7e5bd202315c2f0c722ee5cdb07
  SHA256: bd91043653e27b03615f02b6690b7cdfd2554028f01bff4f71cee8da1e4ca67f
  SHA512: d39fd418ff6ac22c478c59a4ed4a2b382e56b70ca8e550564d2f0c7dd0926e7ae473a5a75480aaba7d1e51c3b589e3e66d412d8fbebcb2ed550df90b278f0351