Analysis
max time kernel: 60s
max time network: 121s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 25-12-2023 14:04
Static task: static1 (1 signatures)
Behavioral task: behavioral1
  Sample: 2419b291711b308d6179fc8b0f354260.dll
  Resource: win7-20231129-en
  10 signatures, 150 seconds
General
Target: 2419b291711b308d6179fc8b0f354260.dll
Size: 1.3MB
MD5: 2419b291711b308d6179fc8b0f354260
SHA1: d0a1b025a83a51d6a55f4bfc6f1920053bb40d81
SHA256: b01ea30dce81bda2d39cd626a731e698910e9e51576dce55487d5df791fe8f94
SHA512: 158640e0e3ba1a7a0e2e70ced3f56b20dd1743cbb29f64e55ba3e0ce72e5168900180534e7e4fd8b7988f2150e755b561b2d946c84a908beb089d37b33bc0083
SSDEEP: 12288:fXBQ3fMQyWV0rbDxyBWZh2TvtgHoiemIKI1ydX7wmqzq3wkgJ:vB/Qn0rbD8UZUDtgIiemI51Mwtewkm
Malware Config
Signatures
Processes:
  resource                                                                      yara_rule
  behavioral1/memory/1212-4-0x0000000002E10000-0x0000000002E11000-memory.dmp    dridex_stager_shellcode
Processes:
  resource                                                                      yara_rule
  behavioral1/memory/2856-0-0x000007FEF5990000-0x000007FEF5AD9000-memory.dmp    dridex_payload
  behavioral1/memory/1212-20-0x0000000140000000-0x0000000140149000-memory.dmp   dridex_payload
  behavioral1/memory/1212-39-0x0000000140000000-0x0000000140149000-memory.dmp   dridex_payload
  behavioral1/memory/1212-40-0x0000000140000000-0x0000000140149000-memory.dmp   dridex_payload
  behavioral1/memory/1212-28-0x0000000140000000-0x0000000140149000-memory.dmp   dridex_payload
  behavioral1/memory/2856-48-0x000007FEF5990000-0x000007FEF5AD9000-memory.dmp   dridex_payload
  behavioral1/memory/2620-60-0x000007FEF5960000-0x000007FEF5ADD000-memory.dmp   dridex_payload
  behavioral1/memory/2620-56-0x000007FEF5960000-0x000007FEF5ADD000-memory.dmp   dridex_payload
  behavioral1/memory/2920-170-0x000007FEF5860000-0x000007FEF59AA000-memory.dmp  dridex_payload
  behavioral1/memory/2920-174-0x000007FEF5860000-0x000007FEF59AA000-memory.dmp  dridex_payload
  behavioral1/memory/1720-283-0x000007FEF5830000-0x000007FEF59AD000-memory.dmp  dridex_payload
  behavioral1/memory/1720-286-0x000007FEF5830000-0x000007FEF59AD000-memory.dmp  dridex_payload
Executes dropped EXE 3 IoCs
Processes:
  pid   Process
  2620  Utilman.exe
  2920  wusa.exe
  1720  dpapimig.exe
Loads dropped DLL 7 IoCs
Processes:
  pid   Process
  1212
  2620  Utilman.exe
  1212
  2920  wusa.exe
  1212
  1720  dpapimig.exe
  1212
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Groztcac = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Libraries\\0T\\wusa.exe"
Checks whether UAC is enabled
Processes:
  description        ioc                                                                                Process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  dpapimig.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  Utilman.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  wusa.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
  pid   Process
  2856  rundll32.exe  (3 entries)
  1212                (59 entries, no process name in the report)
  2620  Utilman.exe   (2 entries)
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
  description                        pid   Process  procid_target
  PID 1212 wrote to memory of 2756   1212           28
  PID 1212 wrote to memory of 2756   1212           28
  PID 1212 wrote to memory of 2756   1212           28
  PID 1212 wrote to memory of 2620   1212           29
  PID 1212 wrote to memory of 2620   1212           29
  PID 1212 wrote to memory of 2620   1212           29
  PID 1212 wrote to memory of 3068   1212           31
  PID 1212 wrote to memory of 3068   1212           31
  PID 1212 wrote to memory of 3068   1212           31
  PID 1212 wrote to memory of 2920   1212           30
  PID 1212 wrote to memory of 2920   1212           30
  PID 1212 wrote to memory of 2920   1212           30
  PID 1212 wrote to memory of 300    1212           32
  PID 1212 wrote to memory of 300    1212           32
  PID 1212 wrote to memory of 300    1212           32
  PID 1212 wrote to memory of 1720   1212           33
  PID 1212 wrote to memory of 1720   1212           33
  PID 1212 wrote to memory of 1720   1212           33
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\2419b291711b308d6179fc8b0f354260.dll,#1
  PID: 2856
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\Utilman.exe
  Command line: C:\Windows\system32\Utilman.exe
  PID: 2756
- C:\Users\Admin\AppData\Local\FFM8\Utilman.exe
  Command line: C:\Users\Admin\AppData\Local\FFM8\Utilman.exe
  PID: 2620
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
- C:\Users\Admin\AppData\Local\etS\wusa.exe
  Command line: C:\Users\Admin\AppData\Local\etS\wusa.exe
  PID: 2920
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\wusa.exe
  Command line: C:\Windows\system32\wusa.exe
  PID: 3068
- C:\Windows\system32\dpapimig.exe
  Command line: C:\Windows\system32\dpapimig.exe
  PID: 300
- C:\Users\Admin\AppData\Local\OT09Eq\dpapimig.exe
  Command line: C:\Users\Admin\AppData\Local\OT09Eq\dpapimig.exe
  PID: 1720
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled