Analysis
max time kernel: 150s
max time network: 122s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 22-12-2023 16:24
Static task: static1
Behavioral task: behavioral1
Sample: edfa77cc042165230bda125457230eff.dll
Resource: win7-20231215-en
General
Target: edfa77cc042165230bda125457230eff.dll
Size: 2.1MB
MD5: edfa77cc042165230bda125457230eff
SHA1: a5be3756956178ab76ab58a1e5ad877066153513
SHA256: f950e61cdd81d2cf15ee868489a6b5d887fc9a4d3ca4ab69928dda40b131274b
SHA512: 9329b8ad60683c6c574069a3966c4c2919a8d51b82b3b8e7fb2ce8ec5ab03f6d0f19e6cf961a8477280d93c0666e1c7e055c186747e65dc03143cd8704d31f6d
SSDEEP: 12288:lVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:8fP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
- YARA rule match: dridex_stager_shellcode
  resource: behavioral1/memory/1388-5-0x0000000002660000-0x0000000002661000-memory.dmp
  yara_rule: dridex_stager_shellcode
- Executes dropped EXE (4 IoCs)
  pid / Process: 1008 shrpubw.exe; 2240 SnippingTool.exe; 1676 RDVGHelper.exe; 1972 dwm.exe
- Loads dropped DLL (9 IoCs)
  pid / Process: 1388 (no process name recorded); 1008 shrpubw.exe; 1388; 2240 SnippingTool.exe; 1388; 1676 RDVGHelper.exe; 1388; 1972 dwm.exe; 1388
- Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\Zqonzshwxyr = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\vXy2uIWQuY\\RDVGHelper.exe"
  Process: (not recorded)
- Checks whether UAC is enabled
  description: Key value queried
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  Process: rundll32.exe; shrpubw.exe; SnippingTool.exe; RDVGHelper.exe; dwm.exe (one query each)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid / Process: 2624 rundll32.exe (3 entries); 1388 (all remaining entries; no process name recorded)
- Suspicious use of WriteProcessMemory (24 IoCs)
  description / pid / Process / procid_target (source pid is 1388 throughout, no process name recorded; each target appears three times):
  PID 1388 wrote to memory of 1184 (procid_target 28)
  PID 1388 wrote to memory of 1008 (procid_target 29)
  PID 1388 wrote to memory of 952 (procid_target 30)
  PID 1388 wrote to memory of 2240 (procid_target 31)
  PID 1388 wrote to memory of 1304 (procid_target 32)
  PID 1388 wrote to memory of 1676 (procid_target 33)
  PID 1388 wrote to memory of 1276 (procid_target 34)
  PID 1388 wrote to memory of 1972 (procid_target 35)
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\rundll32.exe (PID 2624)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\edfa77cc042165230bda125457230eff.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\shrpubw.exe (PID 1184)
  Command line: C:\Windows\system32\shrpubw.exe
- C:\Users\Admin\AppData\Local\hxU\shrpubw.exe (PID 1008)
  Command line: C:\Users\Admin\AppData\Local\hxU\shrpubw.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\SnippingTool.exe (PID 952)
  Command line: C:\Windows\system32\SnippingTool.exe
- C:\Users\Admin\AppData\Local\nGWnU7c7\SnippingTool.exe (PID 2240)
  Command line: C:\Users\Admin\AppData\Local\nGWnU7c7\SnippingTool.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\RDVGHelper.exe (PID 1304)
  Command line: C:\Windows\system32\RDVGHelper.exe
- C:\Users\Admin\AppData\Local\IBl2lv9X9\RDVGHelper.exe (PID 1676)
  Command line: C:\Users\Admin\AppData\Local\IBl2lv9X9\RDVGHelper.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\dwm.exe (PID 1276)
  Command line: C:\Windows\system32\dwm.exe
- C:\Users\Admin\AppData\Local\6RepiR\dwm.exe (PID 1972)
  Command line: C:\Users\Admin\AppData\Local\6RepiR\dwm.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2.1MB
  MD5: 43cff4b0205a64187e88df7002240dd3
  SHA1: 04f36fbef2e8bdcec625466b715512c41e09a77a
  SHA256: d991ac20ce927603814ee5d36de39aa25920caaff723016ff1a22353db298f9a
  SHA512: 361c59c7e9d08e065d3d362a9674b31611a11bb09286d353a1bcc9257a684a6d944ea3af3a691d44cc78fdb19973b39122953f8211aea7bb0e7fe367c9f7dbcd
- Filesize: 2.1MB
  MD5: 5086ff5eb693644156a1b995127c5708
  SHA1: a2da2376b162da168f10e98c9773cbcf141a252e
  SHA256: eefb5822fb0cee9a11e37423b843ac08f6f2b25253b9e1c12b209d1a7a61a7f5
  SHA512: ba6f967fcc0cb0dd865b9b096e22e4c3ab9fc5f5ab6d67ade39d15ccfd966b3190add5eec4ed6f1c839731e59f6bcefabd4834fed5c65c8ef98a74979f57c4b5
- Filesize: 2.1MB
  MD5: 7c5c8545b599de4f5c7a42fca254b37c
  SHA1: fc1179597a8e14a1b052c95010dd293d30abfb52
  SHA256: a60ad920f4d0575e1be6946001d09f136bafc318626e67457fdd58eb30611759
  SHA512: eef99ddbd1fec01da52a525515be40486b5d471bf5a7037d863842fba7d9565222cd88391a0df1620fcc38175f21e83a44e4c6ceed671a2bc3e8b14930bcecd2
- Filesize: 1.4MB
  MD5: 070a87dcaa26b88b5162af4e8a3a39c7
  SHA1: cdd94e0d2f63c5613a976c4a10422b8f5b49d71d
  SHA256: 7b53cf6c53ca97077772426962662a6e85a22d5026ef93a4735786b7df5fa63f
  SHA512: 88c399d7fea70e658d00b9c65bfbd43d992bfefe38fd2e56f720032d29039bbe9fc8185b81b092d8887089474bf69e9a05549c324450f74ab44d386bb8ece021
- Filesize: 1KB
  MD5: 37b08f3755771a2ded60145ce76a7aea
  SHA1: 1d30e1e0533802ca7a19fc281149e7ff98c40509
  SHA256: 663d43aa9d9cc6d00c05608a6248ffcfdf9b534f63153f97a3d9f1766f8950e4
  SHA512: de40cfd7e046b2d89376f64adaf8ff0628e6477b102a6d0cb97033da2987c8d374e3c1008f505935b8f488b6f1f89aeb67cf6486f2c75c7d08339f0f25ad58ef
- Filesize: 117KB
  MD5: f162d5f5e845b9dc352dd1bad8cef1bc
  SHA1: 35bc294b7e1f062ef5cb5fa1bd3fc942a3e37ae2
  SHA256: 8a7b7528db30ab123b060d8e41954d95913c07bb40cdae32e97f9edb0baf79c7
  SHA512: 7077e800453a4564a24af022636a2f6547bdae2c9c6f4ed080d0c98415ecc4fbf538109cbebd456e321b9b74a00613d647b63998e31925fbd841fc9d4613e851
- Filesize: 93KB
  MD5: 53fda4af81e7c4895357a50e848b7cfe
  SHA1: 01fb2d0210f1c47aaf684e31a9fb78f89bba9c0f
  SHA256: 62ab8c2c5b5bd84fd07e96b6a3b87a4ea56946107ed9b7f8076580ae1fefd038
  SHA512: dbbda90a57d27160c5a3a5e4e94cfc43b1663fcbfe424fdec851e52356f61492bdcf677c46be8aa4e8ccc8be7c389b6aa7bbbce8447e1fae32f03e5e409f4051
- Filesize: 398KB
  MD5: 29e6d0016611c8f948db5ea71372f76c
  SHA1: 01d007a01020370709cd6580717f9ace049647e8
  SHA256: 53c868882ebc9e0d4f703afeccb172043069ccc0b5b6f7cac1d2aad9c4640930
  SHA512: 300216ab47ee44b8f68d4835bf26641f949039522b680af00fb602f57d31c38812428dc624461bc2cc7d6384cad396bc033718e41e11a65f7dd0eeb36ed924e4
- Filesize: 421KB
  MD5: 7633f554eeafde7f144b41c2fcaf5f63
  SHA1: 44497c3d6fada0066598a6170b90c53e28ddf96c
  SHA256: 890884c7fe7d037e6debd21d1877e9c9c5e7790cdba007ddb219ae6a55667f78
  SHA512: 7b61b6736c2c4f49d80f53c839914ad845f86a7d921fee1557e49aa7b4e9713e3483417d6c717eca155229bb6a90fc2253e1543cf05192aaf08262dc761fa203
- Filesize: 2.1MB
  MD5: 913f6f240f8476ebd53708907f7b9790
  SHA1: 80cceceeaa76ab2a3c7263182dde628acdac2104
  SHA256: 61143c17163268c6d0360b32551c94a8f5298bd3a2f71e5ae9d29c3e2a1d1f90
  SHA512: 5a717741cb9bfad117fe0662a9c70c2139c3ce7fa95f6fdf473ae188c32a5cd5bf4ee8965b372b20b028b38cf540ef9880d4bc0ce52e6b3ea3a10e976b10f0cf