Analysis
- max time kernel: 150s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 22-12-2023 17:08
Static task: static1
Behavioral task: behavioral1
Sample: fb8ef1d9b849463e08f469bc0ab5ab58.dll
Resource: win7-20231215-en
General
- Target: fb8ef1d9b849463e08f469bc0ab5ab58.dll
- Size: 2.9MB
- MD5: fb8ef1d9b849463e08f469bc0ab5ab58
- SHA1: 732ed4aaebbfce62885e91d1e76bfe60327a4454
- SHA256: 19988509d5eafd5dbd7ece29cfbe82adec569eea950c757aca5053e34c0ab652
- SHA512: c77e066d96627df6d7ff281ca026683d32c96e13b702a27eb39a84524f816d685969c32cf70ae25af56d27a8a07a11f9da32885675dfd896bc7b7cacab4eb954
- SSDEEP: 12288:WVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:LfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
Processes (resource, yara_rule):
- behavioral1/memory/1236-5-0x0000000002AF0000-0x0000000002AF1000-memory.dmp matched YARA rule dridex_stager_shellcode
Executes dropped EXE 3 IoCs
Processes (pid, process):
- 2364 xpsrchvw.exe
- 2892 dpnsvr.exe
- 1464 taskmgr.exe
Loads dropped DLL 7 IoCs
Processes (pid, process):
- 1236 (no process name recorded)
- 2364 xpsrchvw.exe
- 1236 (no process name recorded)
- 2892 dpnsvr.exe
- 1236 (no process name recorded)
- 1464 taskmgr.exe
- 1236 (no process name recorded)
Adds Run key to start application 2 TTPs 1 IoCs
Processes (description, ioc, process):
- Set value (str): \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\Pfoxtyecp = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\YaiU07E\\dpnsvr.exe" (no process name recorded)
Checks whether UAC is enabled
Processes (description, ioc, process):
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (dpnsvr.exe)
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (taskmgr.exe)
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (rundll32.exe)
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (xpsrchvw.exe)
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (pid, process):
- 2020 rundll32.exe (three entries)
- 1236 (no process name recorded; all remaining entries reference this PID)
Suspicious use of WriteProcessMemory 18 IoCs
Processes (description, pid, process, procid_target); each entry below appears three times in the report:
- PID 1236 wrote to memory of 2120 (procid_target 28)
- PID 1236 wrote to memory of 2364 (procid_target 29)
- PID 1236 wrote to memory of 2836 (procid_target 30)
- PID 1236 wrote to memory of 2892 (procid_target 31)
- PID 1236 wrote to memory of 756 (procid_target 32)
- PID 1236 wrote to memory of 1464 (procid_target 33)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\fb8ef1d9b849463e08f469bc0ab5ab58.dll,#1
  PID: 2020
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\xpsrchvw.exe
  Command line: C:\Windows\system32\xpsrchvw.exe
  PID: 2120
- C:\Users\Admin\AppData\Local\RI9p\xpsrchvw.exe
  Command line: C:\Users\Admin\AppData\Local\RI9p\xpsrchvw.exe
  PID: 2364
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\dpnsvr.exe
  Command line: C:\Windows\system32\dpnsvr.exe
  PID: 2836
- C:\Users\Admin\AppData\Local\uOd4YjcIc\dpnsvr.exe
  Command line: C:\Users\Admin\AppData\Local\uOd4YjcIc\dpnsvr.exe
  PID: 2892
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\taskmgr.exe
  Command line: C:\Windows\system32\taskmgr.exe
  PID: 756
- C:\Users\Admin\AppData\Local\PdD\taskmgr.exe
  Command line: C:\Users\Admin\AppData\Local\PdD\taskmgr.exe
  PID: 1464
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 25KB
  MD5: 6d7802aa9a18e218f23ed1554933d1bc
  SHA1: d4f102bf8da38f9952c2a3a1d9247f0e1ac3562f
  SHA256: 14be8cd5f285affbdc573f7d4cd0e6fcd24f7f08521b3d8e65369cb0182ce004
  SHA512: eb175959e24945f221550841cea92509cd4776bd219b4771e8bf66ede06631a6560ff4bdd3bfb54989bb1c9d41c569969bb8cb3d1e478116930acc1d9dddedd7
- Filesize: 15KB
  MD5: af9f44e6186cdddae594dd4896277b87
  SHA1: 32c128d361fe19d5ffee9a6990c2ecc063954566
  SHA256: 74fd2750982827b5c971d5df206d6dc42def68aa73ee2e6df214315c9ae6cdf8
  SHA512: 31aca13d469a8d11a00c9050ad00c1f52589c6b333a1142cc96eafe7f3e75b0a3482a029eb190779c3d73fcb50a3ae657e5dd38b32bcdc23f045248c3615e29a
- Filesize: 901B
  MD5: 88ff0f95811f34dee4dda0c7315fdfa0
  SHA1: 1b86cb4ec5b49248ad09a939a886c7163466ba49
  SHA256: 081ebd5fc026239914280e33ee880f6a5b122cf32711af185002b3434b30a9d6
  SHA512: a11e6fe2948192407b9888aed87b5797524f52dfdcec56c481aac253125ab45cac9e09182997d2670380aeeab2382bf55b82a531526c7602f0ee63d3121575be