Analysis
max time kernel: 153s
max time network: 130s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 22-12-2023 17:05
Static task: static1
Behavioral task: behavioral1
Sample: fb1badc1eca5035ae1b98513d0cfef32.dll
Resource: win7-20231215-en
General
Target: fb1badc1eca5035ae1b98513d0cfef32.dll
Size: 2.8MB
MD5: fb1badc1eca5035ae1b98513d0cfef32
SHA1: 86c4360f82192f01f05460d7ec2c70ebe8682ef1
SHA256: a5c474972a6ac68a91e311ba343163c82cd7762e663ddf5b030c5bae06d1e9eb
SHA512: d863d9e1b7c5b2a57de8992797fc09357c6af64611bb05af78fa37bd5db7179b77c32267c7ee39c3c7cf4923369ee067493f1849e0a08bcf93c67efe83eb8254
SSDEEP: 12288:YVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:NfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
YARA rule match: dridex_stager_shellcode
  resource: behavioral1/memory/1240-5-0x0000000002A60000-0x0000000002A61000-memory.dmp
Executes dropped EXE (3 IoCs)
  Processes (pid, process): 2056 perfmon.exe; 2920 dccw.exe; 1496 osk.exe
Loads dropped DLL (7 IoCs)
  Processes (pid, process): 1240; 2056 perfmon.exe; 1240; 2920 dccw.exe; 1240; 1496 osk.exe; 1240
Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\Lgpbj = "C:\\Users\\Admin\\AppData\\Roaming\\Identities\\{EF0662BB-4AFF-4F56-815E-2ED0C139F855}\\tYhhRx\\dccw.exe"
Checks whether UAC is enabled
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  Queried by: perfmon.exe, dccw.exe, osk.exe, rundll32.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid, process): 1796 rundll32.exe (3 entries); 1240, no process name recorded (remaining 61 entries)
Suspicious use of WriteProcessMemory (18 IoCs)
  PID 1240 wrote to memory of 2640 (procid_target 28), recorded 3 times
  PID 1240 wrote to memory of 2056 (procid_target 29), recorded 3 times
  PID 1240 wrote to memory of 2916 (procid_target 30), recorded 3 times
  PID 1240 wrote to memory of 2920 (procid_target 31), recorded 3 times
  PID 1240 wrote to memory of 1364 (procid_target 32), recorded 3 times
  PID 1240 wrote to memory of 1496 (procid_target 33), recorded 3 times
Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\fb1badc1eca5035ae1b98513d0cfef32.dll,#1
  PID: 1796
  Signatures: Checks whether UAC is enabled; Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\perfmon.exe
  Command line: C:\Windows\system32\perfmon.exe
  PID: 2640
- C:\Users\Admin\AppData\Local\XNj\perfmon.exe
  Command line: C:\Users\Admin\AppData\Local\XNj\perfmon.exe
  PID: 2056
  Signatures: Executes dropped EXE; Loads dropped DLL; Checks whether UAC is enabled
- C:\Windows\system32\dccw.exe
  Command line: C:\Windows\system32\dccw.exe
  PID: 2916
- C:\Users\Admin\AppData\Local\Kn7CY2il\dccw.exe
  Command line: C:\Users\Admin\AppData\Local\Kn7CY2il\dccw.exe
  PID: 2920
  Signatures: Executes dropped EXE; Loads dropped DLL; Checks whether UAC is enabled
- C:\Windows\system32\osk.exe
  Command line: C:\Windows\system32\osk.exe
  PID: 1364
- C:\Users\Admin\AppData\Local\CD5\osk.exe
  Command line: C:\Users\Admin\AppData\Local\CD5\osk.exe
  PID: 1496
  Signatures: Executes dropped EXE; Loads dropped DLL; Checks whether UAC is enabled
Network
MITRE ATT&CK Enterprise v15
Downloads