Analysis

max time kernel: 150s
max time network: 125s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 22-12-2023 16:27

Static task: static1
Behavioral task: behavioral1
Sample: ef80a26b9b53544e6ece76e1f163edfe.dll
Resource: win7-20231215-en
General

Target: ef80a26b9b53544e6ece76e1f163edfe.dll
Size: 3.5MB
MD5: ef80a26b9b53544e6ece76e1f163edfe
SHA1: c15d4c24a6039135c6d9c694c547afe9d5f32941
SHA256: 3e4452a0f8ad4d71bf7fa8a9f39acd16c2dc8480781308d33208229f188f6540
SHA512: d5504b28d1c8197f1419f42f3f6eb3f68683facc95957a3d1b2a7e221fba07aeccdb3cfc1adb097637b8a92f7db6289ddf2a31a5a56ae02d20c108dffdc0ed5a
SSDEEP: 12288:6VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ17dv:nfP7fWsK5z9A+WGAW+V5SB6Ct4bnbZ
Malware Config
Signatures
Processes:
resource | yara_rule
behavioral1/memory/1348-5-0x00000000025C0000-0x00000000025C1000-memory.dmp | dridex_stager_shellcode
Drops startup file 3 IoCs
Processes:
description | ioc | Process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eYqf |
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eYqf\ACTIVEDS.dll |
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eYqf\vmicsvc.exe |
Executes dropped EXE 3 IoCs
Processes:
pid | Process
1772 | fveprompt.exe
2520 | vmicsvc.exe
1500 | spinstall.exe
Loads dropped DLL 7 IoCs
Processes:
pid | Process
1348 |
1772 | fveprompt.exe
1348 |
2520 | vmicsvc.exe
1348 |
1500 | spinstall.exe
1348 |
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\Zqonzshwxyr = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\Startup\\eYqf\\vmicsvc.exe" |
Checks whether UAC is enabled
Processes:
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | fveprompt.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | vmicsvc.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | spinstall.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | Process
2032 | regsvr32.exe
2032 | regsvr32.exe
2032 | regsvr32.exe
1348 | (every remaining entry lists PID 1348 with no process name recorded)
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
description | pid | Process | procid_target
PID 1348 wrote to memory of 1184 | 1348 | | 28
PID 1348 wrote to memory of 1772 | 1348 | | 29
PID 1348 wrote to memory of 1080 | 1348 | | 31
PID 1348 wrote to memory of 2520 | 1348 | | 33
PID 1348 wrote to memory of 1488 | 1348 | | 34
PID 1348 wrote to memory of 1500 | 1348 | | 35
Each row above is recorded three times in the report (18 IoCs in total).
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

- C:\Windows\system32\regsvr32.exe
  Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ef80a26b9b53544e6ece76e1f163edfe.dll
  Suspicious behavior: EnumeratesProcesses
  PID: 2032
- C:\Windows\system32\fveprompt.exe
  Command line: C:\Windows\system32\fveprompt.exe
  PID: 1184
- C:\Users\Admin\AppData\Local\iuLTb\fveprompt.exe
  Command line: C:\Users\Admin\AppData\Local\iuLTb\fveprompt.exe
  Executes dropped EXE
  Loads dropped DLL
  Checks whether UAC is enabled
  PID: 1772
- C:\Windows\system32\vmicsvc.exe
  Command line: C:\Windows\system32\vmicsvc.exe
  PID: 1080
- C:\Users\Admin\AppData\Local\m5ww5z\vmicsvc.exe
  Command line: C:\Users\Admin\AppData\Local\m5ww5z\vmicsvc.exe
  Executes dropped EXE
  Loads dropped DLL
  Checks whether UAC is enabled
  PID: 2520
- C:\Windows\system32\spinstall.exe
  Command line: C:\Windows\system32\spinstall.exe
  PID: 1488
- C:\Users\Admin\AppData\Local\DAXqf\spinstall.exe
  Command line: C:\Users\Admin\AppData\Local\DAXqf\spinstall.exe
  Executes dropped EXE
  Loads dropped DLL
  Checks whether UAC is enabled
  PID: 1500
Network
MITRE ATT&CK Enterprise v15
Downloads