Analysis
max time kernel: 152s
max time network: 41s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 25-12-2023 18:58
Static task: static1
Behavioral task: behavioral1
Sample: 362efdb462f7563b069081e0de821389.dll
Resource: win7-20231215-en
General
Target: 362efdb462f7563b069081e0de821389.dll
Size: 696KB
MD5: 362efdb462f7563b069081e0de821389
SHA1: 3d2f676e15b6d677c2e77edd2b5d4aae009423de
SHA256: 36cce483a655202788e541b658a2c9afe18d4b1868199231874dd1c10fb8962c
SHA512: 4afa497167ff9b93001d04052f4757e0376c6fd088a1d531691132ca53581bf0f0cb4047b942abafafb3c06e110eee9e02f4ffb50d28795ff7d3bd2e8fbe0362
SSDEEP: 12288:MEwgKnIhABTW0HcD5a1PKxdZhC+k+V9Hgeb/tf/B9P632vHAA:MEwXnOAx5HcDM1Sxd3ChCHg2/P9yGo
Malware Config
Signatures
-
Processes:
resource                                                                     yara_rule
behavioral1/memory/1204-4-0x0000000002B50000-0x0000000002B51000-memory.dmp   dridex_stager_shellcode
-
Processes:
resource                                                                     yara_rule
behavioral1/memory/2976-0-0x0000000140000000-0x00000001400AE000-memory.dmp   dridex_payload
behavioral1/memory/1204-23-0x0000000140000000-0x00000001400AE000-memory.dmp  dridex_payload
behavioral1/memory/1204-34-0x0000000140000000-0x00000001400AE000-memory.dmp  dridex_payload
behavioral1/memory/1204-36-0x0000000140000000-0x00000001400AE000-memory.dmp  dridex_payload
behavioral1/memory/2976-37-0x0000000140000000-0x00000001400AE000-memory.dmp  dridex_payload
behavioral1/memory/2884-57-0x0000000140000000-0x00000001400B5000-memory.dmp  dridex_payload
behavioral1/memory/2884-52-0x0000000140000000-0x00000001400B5000-memory.dmp  dridex_payload
behavioral1/memory/2912-69-0x0000000140000000-0x00000001400AF000-memory.dmp  dridex_payload
behavioral1/memory/2912-73-0x0000000140000000-0x00000001400AF000-memory.dmp  dridex_payload
behavioral1/memory/2496-99-0x0000000140000000-0x00000001400AF000-memory.dmp  dridex_payload
Executes dropped EXE 4 IoCs
Processes: DevicePairingWizard.exe, isoburn.exe, wermgr.exe, icardagt.exe
pid   Process
2884  DevicePairingWizard.exe
2912  isoburn.exe
1808  wermgr.exe
2496  icardagt.exe
Loads dropped DLL 8 IoCs
Processes: DevicePairingWizard.exe, isoburn.exe, icardagt.exe
pid   Process
1204  (process name not given in the report)
2884  DevicePairingWizard.exe
1204  (process name not given in the report)
2912  isoburn.exe
1204  (process name not given in the report)
1204  (process name not given in the report)
2496  icardagt.exe
1204  (process name not given in the report)
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description      ioc                                                                                                                                                                                                                       Process
Set value (str)  \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\Srfjajs = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\NT\\isoburn.exe"  (process name not given in the report)
Checks whether UAC is enabled 4 IoCs
Processes: icardagt.exe, rundll32.exe, DevicePairingWizard.exe, isoburn.exe
description        ioc                                                                                       Process
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  icardagt.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  DevicePairingWizard.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  isoburn.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: rundll32.exe
pid   Process
2976  rundll32.exe  (3 entries)
1204  (process name not given in the report; 61 entries, making 64 IoCs in total)
Suspicious use of WriteProcessMemory 24 IoCs
Processes:
description                       pid   Process  procid_target
PID 1204 wrote to memory of 1500  1204           30  (3 entries)
PID 1204 wrote to memory of 2884  1204           31  (3 entries)
PID 1204 wrote to memory of 1052  1204           33  (3 entries)
PID 1204 wrote to memory of 2912  1204           32  (3 entries)
PID 1204 wrote to memory of 1268  1204           35  (3 entries)
PID 1204 wrote to memory of 1808  1204           34  (3 entries)
PID 1204 wrote to memory of 2504  1204           36  (3 entries)
PID 1204 wrote to memory of 2496  1204           37  (3 entries)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\362efdb462f7563b069081e0de821389.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID: 2976
-
C:\Windows\system32\DevicePairingWizard.exe
  Command line: C:\Windows\system32\DevicePairingWizard.exe
  PID: 1500
-
C:\Users\Admin\AppData\Local\iwfkVgNb3\DevicePairingWizard.exe
  Command line: C:\Users\Admin\AppData\Local\iwfkVgNb3\DevicePairingWizard.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 2884
-
C:\Users\Admin\AppData\Local\RFFvRDXM\isoburn.exe
  Command line: C:\Users\Admin\AppData\Local\RFFvRDXM\isoburn.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 2912
-
C:\Windows\system32\isoburn.exe
  Command line: C:\Windows\system32\isoburn.exe
  PID: 1052
-
C:\Users\Admin\AppData\Local\L3G\wermgr.exe
  Command line: C:\Users\Admin\AppData\Local\L3G\wermgr.exe
  - Executes dropped EXE
  PID: 1808
-
C:\Windows\system32\wermgr.exe
  Command line: C:\Windows\system32\wermgr.exe
  PID: 1268
-
C:\Windows\system32\icardagt.exe
  Command line: C:\Windows\system32\icardagt.exe
  PID: 2504
-
C:\Users\Admin\AppData\Local\FkR\icardagt.exe
  Command line: C:\Users\Admin\AppData\Local\FkR\icardagt.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 2496
Network
MITRE ATT&CK Enterprise v15
Downloads