Analysis
- max time kernel: 153s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64 arch:x86 image:win7-20231215-en locale:en-us os:windows7-x64 system
- submitted: 22-12-2023 17:21
Static task: static1
Behavioral task: behavioral1
Sample: ffc534d7f4ae842b482459d6c9bdf83b.dll
Resource: win7-20231215-en
General
-
Target
ffc534d7f4ae842b482459d6c9bdf83b.dll
-
Size
1.5MB
-
MD5
ffc534d7f4ae842b482459d6c9bdf83b
-
SHA1
df4a15d08f9d32f13438cf5b5f517f435efce2e9
-
SHA256
edd5115e384baca646c21047b643317e71d268059851bb97426d07b1b9db9c23
-
SHA512
7d5a0725bc4c191101647e0d979acc647c500e52fb8c4986a7ffff44224d5b5f331079acf77c734169a84e6c248c5f1661f74a5c1e9348d15c3392bc3cc69d78
-
SSDEEP
12288:ZVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:YfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
-
Processes:
resource: behavioral1/memory/1196-5-0x0000000002A10000-0x0000000002A11000-memory.dmp
yara_rule: dridex_stager_shellcode
-
Executes dropped EXE 3 IoCs
Processes:
pid Process
1988 icardagt.exe
1452 SoundRecorder.exe
268 SndVol.exe
-
Loads dropped DLL 7 IoCs
Processes:
pid Process
1196
1988 icardagt.exe
1196
1452 SoundRecorder.exe
1196
268 SndVol.exe
1196
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\Xkgbzoakajt = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\QUICKL~1\\USERPI~1\\IMPLIC~1\\4CGMM5~1\\SOUNDR~1.EXE"
-
Checks whether UAC is enabled
Processes:
description ioc Process
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA rundll32.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA icardagt.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA SoundRecorder.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA SndVol.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid Process
3044 rundll32.exe
3044 rundll32.exe
3044 rundll32.exe
1196 (Process column blank; this row is repeated for the remaining 61 entries)
-
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
description pid Process procid_target
PID 1196 wrote to memory of 2092; pid 1196; procid_target 28 (3 entries)
PID 1196 wrote to memory of 1988; pid 1196; procid_target 29 (3 entries)
PID 1196 wrote to memory of 1020; pid 1196; procid_target 30 (3 entries)
PID 1196 wrote to memory of 1452; pid 1196; procid_target 31 (3 entries)
PID 1196 wrote to memory of 524; pid 1196; procid_target 32 (3 entries)
PID 1196 wrote to memory of 268; pid 1196; procid_target 33 (3 entries)
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ffc534d7f4ae842b482459d6c9bdf83b.dll,#1
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:3044
-
C:\Windows\system32\icardagt.exe
C:\Windows\system32\icardagt.exe
PID:2092
-
C:\Users\Admin\AppData\Local\3DDyKG\icardagt.exe
C:\Users\Admin\AppData\Local\3DDyKG\icardagt.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1988
-
C:\Windows\system32\SoundRecorder.exe
C:\Windows\system32\SoundRecorder.exe
PID:1020
-
C:\Users\Admin\AppData\Local\UV7ipgUQa\SoundRecorder.exe
C:\Users\Admin\AppData\Local\UV7ipgUQa\SoundRecorder.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1452
-
C:\Windows\system32\SndVol.exe
C:\Windows\system32\SndVol.exe
PID:524
-
C:\Users\Admin\AppData\Local\rWeeZxI\SndVol.exe
C:\Users\Admin\AppData\Local\rWeeZxI\SndVol.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:268
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
170KB
MD5
a31a80d976a7df97e62989a077184f8a
SHA1
13eb241115ad7db63f586276e352edb6a5f8b15a
SHA256
b4de51b9b50c0c02de9218302d4ac8774a925bc5522e0b97041102d6ee623734
SHA512
022976d01a37f6cef50ac319fd3b90e8ff19f16d5e1a5fc8c51e9740dd64b3c81a8c95f9c66663a020ac9113792e23ebeaa31563b299e414416c62573e351bfa
-
Filesize
133KB
MD5
fe114118c0989f57765e7579a931dc68
SHA1
142e96c7e490ffe22558b8c48dab6294478371e8
SHA256
0961b5506a1bbfdf39a887d3a59690b5a0a938a0ba42cdbf6c58f0be560075ca
SHA512
fad8cec6b27ac4c13a631d775404cb7109eed180da1aee0719c9e8e819049953f849f8443cd3aef9ac8b2ccef04282221b2c486e1a7ea3d20a595aba5cbc37e6
-
Filesize
127KB
MD5
7c406123a0548a1a9deca7dec9191a01
SHA1
eab8d75728cfc08e338a0cfba5f27cb40e1ebd0a
SHA256
4ebedd9561540ad1da4141d5eb3e8cec8916722d3d764d172705d63c3d116c30
SHA512
8eb727b879f0642468bddcd928016f043efc3664d9ce8da7e466bb0fc040b66374564fc9626c906fbc38b1801f1d73ff3dfb3958082801c3b9f9e3658efc28e1
-
Filesize
8KB
MD5
5c28dff02d93e6bc5b146ea5a197b68c
SHA1
9c3865393a3dd930315267bf2ae56f46a4cbb157
SHA256
24b89dce76f8e0b4e918a158d31d537a78aa2f0cb56dab89f62f6613dfb01ec4
SHA512
9761b0a6842be3f5686fc00cfd7075f2c3778480ccf20a343716914a9975d60d05fb687e36cf0d5ffe76411095f30920ed5b6e4b3f04087a2568dea5a76e4354
-
Filesize
102KB
MD5
0c1fb28a0de7cd99f98b6a4bd7a8069a
SHA1
5962ae20a002514fd5450e57e7e159e322b180bd
SHA256
04552d919ba006a39b9620fea2d4f88c2ae2facaf59473bd86b487f74d75d05a
SHA512
d7a45c347a50558e998cc8429572ac81e1d3a8bd9b5863880a13a7cb93d066251bb803120ab950b77dffcb1268ca03e49e890fe7e3f9ea4669b8f77dd3a23a3c
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
111KB
MD5
d484e0302f0400a7586e52213d6f8db3
SHA1
a1ea3f124fe8abedac7debd7ed4a98bcea705d0b
SHA256
85b05a7497d53e64a726fec91507ebf9cbdc115f14d227f427e4fbb460e1f278
SHA512
90d89c186d345a9f7c298beb5d7711c87de0b199a7bfcfcef11653996613d5e83e3da632be97fe82d154b973617f1fb67ec2a51a331699c9b71e7dc408a83bd7
-
Filesize
14KB
MD5
02b0c6f460c13666e88d39ed6cfd9d96
SHA1
c0759fce22f1ac862ffc92d1e79ee8bb0f3cb3d8
SHA256
45c61cadd1c6fea3baa517252ec2f59b117297ec137f8512de556daa23b951dc
SHA512
6678bcc7c7c48c34e08634a34ff90ee27ce900f62536b10f003df61e7fa8e60f57072b77c616df5493512380e49f971c8bd216277e3818d775b7ac3d0138c4e4
-
Filesize
63KB
MD5
f2e8483e992b9ed7b36728e4b28c4443
SHA1
e41b5cf157321e8e353b1c00ba4338d5cbe09bc3
SHA256
b53c9ba382fa2c5b57cef936c56e850c9cd7e63fca2895b0ea228f83fe4f8ee4
SHA512
7ffb77efe875406d563fdcee4d7699a13cf223edc1f925f722310c2997bffbb7e4165ba9b531270b27981804ba3c6b3da9b048b8847f2e5a08f955d1bcfd702a
-
Filesize
1KB
MD5
4673d1947bbba2167a37796b87fee55b
SHA1
3136284bdf9c89e81da615c1cb694f1022a9ce63
SHA256
eff00e101c44f46905ef0d8b14752e3ca5b92e097f1a80888baae63e2d71d4c9
SHA512
38edcbd86f9d125c0ddec39fa9d7f2496baee679787dd329e810f8f0c88c0ab011384c34c89e0ae164186b6a3ebd44423dbf0e17d3ba8441b279172b5d9a37cc
-
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\4CgMM58Jp\WINMM.dll
Filesize
1.5MB
MD5
1afb2c18f96da77eab89b0afb55efe8f
SHA1
41426bd74a7761df70d7d6ab059053b9acc4f0ee
SHA256
7b98d9dba6bec66e7d824dcc36ef066a0d2a56935dd1cf10f8ae51313fcffaf5
SHA512
f121901ac0220a06ca3a5cd75f14b789430d3499a043e72f3d92407e73968e9272b68c8118a4f469624bc589af815880a3102e4cf801b3d68b39bf7bb34c832e
-
Filesize
1.4MB
MD5
a519b5a7222eaf471b817f175795fb03
SHA1
28e81f8d2e45d954f2e943ed680f2b24d17006c8
SHA256
ca115d18ea55f4aa1c64b80b2aab183b910e1c60607157270d74213caddc965c
SHA512
b8114e5e691307fa13d106605da23dbf85ef8869bf9986691d679907ac1d60039ef1c9632e8ebcf606d4994fdf9cee4cf5ebffb076e5c9bc97fb7ecc9d24ee7d
-
Filesize
1.5MB
MD5
f016b71a7449a608d99362bd557a2520
SHA1
88c703b7f3f86c428008c3224b39e3e19f75ff83
SHA256
ed6938c029332ea842066b1f1c7b1210258636345d99173f556496468b6ee589
SHA512
5515b74e64be382b980523d586aca44e6ffcb0afd35ffe384463b9ac62dd13790dc2ba6ad2497ee881356bd60df0ec3a2d2145d74f6c942f3abcb0f6cd32d937
-
Filesize
116KB
MD5
2255f7b54f4983e50206f2948283a2bf
SHA1
2578e15b2cdf973a00289e4d7d3b8468c0829160
SHA256
d784f35948f3e05955708a56e47ab36c00e7960d1ab34e957e8fab7439bbba3a
SHA512
84c938e76879e19c219da349f9e97d843a167ffa103207596c723b28515f8795a96993036d03f298fbf26adae0a1158e139667542a15c14bb04bd3d2a3b703da
-
Filesize
60KB
MD5
4d0d61ac2062f6264a91868b20ba87db
SHA1
ec59d4b33e63c8615ee30faf4c91e2b12eff08e0
SHA256
dafabb3f979b4c4b5bafd9d64e8514bdd2cacf67b0fece899d55ac6cf96e2f25
SHA512
5b48462d31c3c0de3b0432afc218ea6f91d22b609ffa8f0f480dc2f22486e64ad26a1030f2065cd8b262635e78bfcdb16bba08303f7391d051e56021727b02f3
-
Filesize
139KB
MD5
47f0f526ad4982806c54b845b3289de1
SHA1
8420ea488a2e187fe1b7fcfb53040d10d5497236
SHA256
e81b11fe30b16fa4e3f08810513c245248adce8566355a8f2a19c63b1143ff5b
SHA512
4c9a1aa5ed55087538c91a77d7420932263b69e59dc57b1db738e59624265b734bf29e2b6ed8d0adb2e0dec5763bfbf86876fd7d1139c21e829001c7868d515d
-
Filesize
44KB
MD5
246ef2064ce46caec8a8794077ca9490
SHA1
e8faf5c9d43dc801d07548d3a9338f766fb7e0d8
SHA256
0699ce390b7e03519421e14b08ae0409618153088d53bb3cbdeadfd2ec13a276
SHA512
db1951956212aa1d5086df997f3a6a9837c8da7ce001cbb8ea559c35c9c21ea39c70454b891ded5ec0fd2da6617295bc126dd214de4d520f1f507f85305f538c
-
Filesize
127KB
MD5
e137c6bff3af6bdfa68e0d3aa2ee15b2
SHA1
84895c64a8df0c786a5526c7a5da77702bbf7d30
SHA256
bed1175c90e4a8fdcd5e7a4902abacca555380a238092abdbd1d23ddf50360d0
SHA512
16ee7fb5a2c86ae75380d347f1813cf86a680581f844ffc347fc15ade5c055d7684062e255707494617b54cd40fea7e32999771721d67376269e04dc69ab4d4c
-
Filesize
34KB
MD5
9793e6e55caf039e648a1708bbd509c1
SHA1
2111e34a18f785a9786e2a36bcb49d2cbb10c87d
SHA256
9aa57ecda8f9324ba13fc32e7fd7e65830014bbad45f82ec6143cfc05118bb77
SHA512
adac8a986a3673c9530369c4788d7c224eaba8e4325223299670f51a927229ad4ab365550ce96a52a08bf9e75f34d3d4e8df187a98cbe05653bf254ebf246507
-
Filesize
65KB
MD5
9c1e4218600731194bb2dc94b3b371e2
SHA1
8a7d6b87d0002338916f07d22ee96d01b97be20d
SHA256
e9d7d229d5cb548d3b5a18c666b7c724f737a2a828c19b631d8a7fe770f9d153
SHA512
c145e8d432674729b0005210d5b2abca96c7cd036b382112d4a39b416f4d11de5973eb3bc12ad20d1af7e80a2ac3681df419e0f5d283e6fa1c6415341af2d664