Analysis
max time kernel: 151s
max time network: 124s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 26-12-2023 02:15
Static task: static1
Behavioral task: behavioral1
Sample: 4c0c037a083e2b1f6b5fcb9c68263c5a.dll
Resource: win7-20231215-en
General
Target: 4c0c037a083e2b1f6b5fcb9c68263c5a.dll
Size: 852KB
MD5: 4c0c037a083e2b1f6b5fcb9c68263c5a
SHA1: 5b4abfb3aeaf1c1fa6658f6d8fc3b14c17bc931d
SHA256: 7c710407ba8ed2c0d2f970a81715d7982ddd44ad0838bfefdca8119350325bc4
SHA512: 6d1237fdc0187e7f2385a02e44d0e8ec4124b1bd1a340bf8c089bc79db8b212ad2b7831cd187ac15060a4aaed4e3587688cce508a11aeecc9b903ca94b838b3e
SSDEEP: 12288:4kbQEkWqv+157EYfxarhwLNuR7ek1tHffB/HzTyNQ6NIeGYr/R:4kbHkWfzZ5adwLNGeStHntqN7v
Malware Config
Signatures
YARA rule hit: dridex_stager_shellcode 1 IoCs
Processes:
resource | yara_rule
behavioral1/memory/1368-4-0x0000000002780000-0x0000000002781000-memory.dmp | dridex_stager_shellcode
YARA rule hit: dridex_payload 7 IoCs
Processes:
resource | yara_rule
behavioral1/memory/1520-0-0x000007FEF6A50000-0x000007FEF6B25000-memory.dmp | dridex_payload
behavioral1/memory/1368-20-0x0000000140000000-0x00000001400D5000-memory.dmp | dridex_payload
behavioral1/memory/1520-27-0x000007FEF6A50000-0x000007FEF6B25000-memory.dmp | dridex_payload
behavioral1/memory/2896-56-0x0000000140000000-0x00000001400D5000-memory.dmp | dridex_payload
behavioral1/memory/2896-69-0x0000000140000000-0x00000001400D5000-memory.dmp | dridex_payload
behavioral1/memory/2896-67-0x0000000140000000-0x00000001400D5000-memory.dmp | dridex_payload
behavioral1/memory/2244-85-0x000007FEF6A50000-0x000007FEF6B26000-memory.dmp | dridex_payload
Note: PID 1368 (stager shellcode hit and one payload hit) does not appear in the process tree below; only PIDs 1520, 2896 and 2244 do.
Modifies Installed Components in the registry 2 TTPs 1 IoCs
Processes:
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe
Executes dropped EXE 3 IoCs
Processes:
pid | Process
2244 | sethc.exe
1360 | DWWIN.EXE
2288 | Netplwiz.exe
Loads dropped DLL 7 IoCs
Processes:
pid | Process
2896 | explorer.exe
2244 | sethc.exe
2896 | explorer.exe
1360 | DWWIN.EXE
2896 | explorer.exe
2288 | Netplwiz.exe
2896 | explorer.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\Pfoxtyecp = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\BVRAXD~1\\DWWIN.EXE" | explorer.exe
Checks whether UAC is enabled 4 IoCs
Processes:
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sethc.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | DWWIN.EXE
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Netplwiz.exe
Modifies registry class 5 IoCs
Processes:
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000_Classes\Local Settings | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | explorer.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | Process | entries
1520 | rundll32.exe | 6
2896 | explorer.exe | 58
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid | Process
2896 | explorer.exe
Suspicious use of AdjustPrivilegeToken 12 IoCs
Processes:
description | pid | Process | entries
Token: SeShutdownPrivilege | 2896 | explorer.exe | 12
Suspicious use of FindShellTrayWindow 29 IoCs
Processes:
pid | Process | entries
2896 | explorer.exe | 29
Suspicious use of SendNotifyMessage 28 IoCs
Processes:
pid | Process | entries
2896 | explorer.exe | 28
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
description | pid | Process | procid_target | entries
PID 2896 wrote to memory of 1896 | 2896 | explorer.exe | 32 | 3
PID 2896 wrote to memory of 2244 | 2896 | explorer.exe | 33 | 3
PID 2896 wrote to memory of 2372 | 2896 | explorer.exe | 34 | 3
PID 2896 wrote to memory of 1360 | 2896 | explorer.exe | 35 | 3
PID 2896 wrote to memory of 2368 | 2896 | explorer.exe | 36 | 3
PID 2896 wrote to memory of 2288 | 2896 | explorer.exe | 37 | 3
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Windows\system32\rundll32.exe (PID 1520)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\4c0c037a083e2b1f6b5fcb9c68263c5a.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses

C:\Windows\explorer.exe (PID 2896)
  command line: explorer.exe
  - Modifies Installed Components in the registry
  - Loads dropped DLL
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  |- C:\Windows\system32\sethc.exe (PID 1896)
  |    command line: C:\Windows\system32\sethc.exe
  |- C:\Users\Admin\AppData\Local\wuyKxiO\sethc.exe (PID 2244)
  |    command line: C:\Users\Admin\AppData\Local\wuyKxiO\sethc.exe
  |    - Executes dropped EXE
  |    - Loads dropped DLL
  |    - Checks whether UAC is enabled
  |- C:\Windows\system32\DWWIN.EXE (PID 2372)
  |    command line: C:\Windows\system32\DWWIN.EXE
  |- C:\Users\Admin\AppData\Local\WU2HYkr\DWWIN.EXE (PID 1360)
  |    command line: C:\Users\Admin\AppData\Local\WU2HYkr\DWWIN.EXE
  |    - Executes dropped EXE
  |    - Loads dropped DLL
  |    - Checks whether UAC is enabled
  |- C:\Windows\system32\Netplwiz.exe (PID 2368)
  |    command line: C:\Windows\system32\Netplwiz.exe
  \- C:\Users\Admin\AppData\Local\B2E\Netplwiz.exe (PID 2288)
       command line: C:\Users\Admin\AppData\Local\B2E\Netplwiz.exe
       - Executes dropped EXE
       - Loads dropped DLL
       - Checks whether UAC is enabled
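The tree shows one pattern three times: explorer.exe (PID 2896, which the WriteProcessMemory entries show writing into each child) launches a Windows binary from System32 (sethc.exe, DWWIN.EXE, Netplwiz.exe) and then a copy of the same binary from a random-named folder under %LOCALAPPDATA%; each copy "Executes dropped EXE" and "Loads dropped DLL", which is the layout of a DLL side-load (a legitimate executable placed next to an attacker-supplied DLL it will load). The Run value Pfoxtyecp then points at yet another DWWIN.EXE under the roaming Start Menu path, written with 8.3 short names. The script below is an added example, not part of the sandbox report or its tooling: it runs the two hunts a practitioner would want over constructed Sysmon-like process-creation and registry events modelled on this page's tree and Run-key entry. The event field names and the fixed SYSTEM_BINARIES allowlist are assumptions for the demonstration; on a live host the allowlist would come from a listing of System32.

```python
import re
from collections import defaultdict

# Constructed events modelled on this report's process tree and Run-key
# entry (Sysmon-like field names; assumption, not the sandbox's export format).
EVENTS = [
    {"type": "process", "pid": 1520, "ppid": None, "image": r"C:\Windows\system32\rundll32.exe"},
    {"type": "process", "pid": 2896, "ppid": None, "image": r"C:\Windows\explorer.exe"},
    {"type": "process", "pid": 1896, "ppid": 2896, "image": r"C:\Windows\system32\sethc.exe"},
    {"type": "process", "pid": 2244, "ppid": 2896, "image": r"C:\Users\Admin\AppData\Local\wuyKxiO\sethc.exe"},
    {"type": "process", "pid": 2372, "ppid": 2896, "image": r"C:\Windows\system32\DWWIN.EXE"},
    {"type": "process", "pid": 1360, "ppid": 2896, "image": r"C:\Users\Admin\AppData\Local\WU2HYkr\DWWIN.EXE"},
    {"type": "process", "pid": 2368, "ppid": 2896, "image": r"C:\Windows\system32\Netplwiz.exe"},
    {"type": "process", "pid": 2288, "ppid": 2896, "image": r"C:\Users\Admin\AppData\Local\B2E\Netplwiz.exe"},
    {"type": "registry", "pid": 2896, "image": r"C:\Windows\explorer.exe",
     "key": r"\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\Pfoxtyecp",
     "data": r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\BVRAXD~1\DWWIN.EXE"},
]

# Assumption: a fixed allowlist of binaries that belong under %SystemRoot%.
# The three names are the ones this report shows being copied; a real hunt
# would populate this from a directory listing of System32.
SYSTEM_BINARIES = {"sethc.exe", "dwwin.exe", "netplwiz.exe"}
SYSTEM_ROOT = "c:\\windows\\"


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def under_system_root(path):
    return path.lower().startswith(SYSTEM_ROOT)


def has_short_name(path):
    # 8.3 components such as MICROS~1 or STARTM~1 defeat naive string matches
    # on "Start Menu" and "Microsoft"; their presence in an autorun value is itself a flag.
    return re.search(r"~\d+(\\|$)", path) is not None


def find_relocated_system_binaries(events):
    """Flag system binaries executed from outside %SystemRoot% and pair each with a
    sibling launch of the same binary from its real location under the same parent."""
    procs = [e for e in events if e["type"] == "process"]
    by_parent = defaultdict(list)
    for p in procs:
        by_parent[p["ppid"]].append(p)
    findings = []
    for p in procs:
        name = basename(p["image"])
        if name not in SYSTEM_BINARIES or under_system_root(p["image"]):
            continue
        twins = [s["pid"] for s in by_parent[p["ppid"]]
                 if s["pid"] != p["pid"] and basename(s["image"]) == name and under_system_root(s["image"])]
        findings.append({"pid": p["pid"], "ppid": p["ppid"], "image": p["image"], "name": name,
                         "paired_system32_pid": twins[0] if twins else None})
    return findings


def find_suspicious_run_values(events):
    """Flag Run-key values whose target is a system binary name outside %SystemRoot%,
    lives under AppData, or is written with 8.3 short names."""
    findings = []
    for e in events:
        if e["type"] != "registry" or "\\currentversion\\run\\" not in e["key"].lower():
            continue
        target = e["data"].strip('"')
        reasons = []
        if basename(target) in SYSTEM_BINARIES and not under_system_root(target):
            reasons.append("system binary name outside %SystemRoot%")
        if "\\appdata\\" in target.lower():
            reasons.append("autorun target under AppData")
        if has_short_name(target):
            reasons.append("8.3 short-name path")
        if reasons:
            findings.append({"writer_pid": e["pid"], "value": e["key"].rsplit("\\", 1)[-1],
                             "target": target, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_relocated_system_binaries(EVENTS):
        print(f"relocated {f['name']} pid {f['pid']} from {f['image']} "
              f"(system32 twin pid {f['paired_system32_pid']})")
    for f in find_suspicious_run_values(EVENTS):
        print(f"Run value {f['value']} -> {f['target']}: {', '.join(f['reasons'])}")
```

The pairing check is what separates this from a generic "binary outside System32" alert: a signed system executable launched once from its real path and once from a user-writable folder by the same parent, with the copy then loading a DLL from that folder, is the side-load signature this tree exhibits. Confirming it on a host means hashing the relocated copy against the System32 original (the copy is usually byte-identical and validly signed, so signature checks alone will pass) and listing the DLLs in the same folder, which is where the 856KB payload from the Downloads list would be expected to sit.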
-
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 381KB
MD5: 2921af0f67f1bf496a7b4c4e2358c305
SHA1: 0ece311f9e726baca770772f8040dca935879b11
SHA256: 0be4db4ad7e7e34f59babe397f08984b57d4d7d6f6ac1e3694059e6bcd44d457
SHA512: 3c391a0102966b1b30207ba487125d36e779e712eb0fea0b79223899c731978b335ad0cb90398c73492e52ca3cdeadffa3a6a23613f80bdcdd9bcedaafadd039

Filesize: 856KB
MD5: 44e477b53743a23fd57e22462b617b67
SHA1: d3063acf475515c84020619aeec6474719bb5a3c
SHA256: e7871b8464905bcd9de629bcda24eec14cb17f12b1b6413587787e5e15425f79
SHA512: 9c98d63158dd796c1d95830920fd3e96ca99b66eaa318b73cb1c1af7163b562393861216366fd60603715f44b661be9656d267245daa3543a7c18471c300777c

Filesize: 272KB
MD5: 3bcb70da9b5a2011e01e35ed29a3f3f3
SHA1: 9daecb1ee5d7cbcf46ee154dd642fcd993723a9b
SHA256: dd94bf73f0e3652b76cfb774b419ceaa2082bc7f30cc34e28dfa51952fa9ccb5
SHA512: 69d231132f488fd7033349f232db1207f88f1d5cb84f5422adf0dd5fb7b373dada8fdfac7760b8845e5aab00a7ae56f24d66bbb8aa70c3c8de6ec5c31982b4df

Filesize: 1KB
MD5: 40113533f6adef00575473f0669f8f60
SHA1: 10d8cc9c1cb333555cc8a987fad94a2eacbba600
SHA256: da9cb7c743afe41e54bd143f99f367e9e480e0b600ef3ff7bd9758fe61082d85
SHA512: 8be040fa4a0f108e111ba8aee2b15721f95961ce4c639045976166663ce96980f679b36825a4341e123ea14bc3d90571f838f528e4c83ab09c04441df718a379

Filesize: 573KB
MD5: 620429ff8eab888c419cf049a274fe5e
SHA1: 33491a8fc87a6b36ce44f1f17f61331fd5c5a994
SHA256: 0682794738f770371ef3b865b86a34fa608bebdce1f996cf2f6de86d258b0893
SHA512: f4b31f7710c5edf86b7510ed5500901355e306e5d23573e9355d23eeafa0655b16adf6882e835470d66982f14d5a6ba84887898ee0791181e8660f5f70dceabd

Filesize: 856KB
MD5: 6d4bc6da4c5fb0eff6253c7d3facc473
SHA1: 828e0e7f1e9c85d68893da182c6269c992f21b31
SHA256: e3dcbb8120c48c08bda90c7f24459a80502557562766096a3cc54ab3d43ce56d
SHA512: 3f9156f4f0c2c6bb6ce7309aa1f488aef5d1b6b7ce1f7b2423b7f0f4ed466989203924009f43a39338a1282cbd5e53bd87b816bcd88c681af6b9214c7dd45e44

Filesize: 26KB
MD5: e43ec3c800d4c0716613392e81fba1d9
SHA1: 37de6a235e978ecf3bb0fc2c864016c5b0134348
SHA256: 636606415a85a16a7e6c5c8fcbdf35494991bce1c37dfc19c75ecb7ce12dc65c
SHA512: 176c6d8b87bc5a9ca06698e2542ff34d474bcbbf21278390127981366eda89769bd9dd712f3b34f4dd8332a0b40ee0e609276400f16b51999471c8ff24522a08

Filesize: 149KB
MD5: 25247e3c4e7a7a73baeea6c0008952b1
SHA1: 8087adb7a71a696139ddc5c5abc1a84f817ab688
SHA256: c740497a7e58f7678e25b68b03573b4136a364464ee97c02ce5e0fe00cec7050
SHA512: bc27946894e7775f772ac882740430c8b9d3f37a573e2524207f7bb32f44d4a227cb1e9a555e118d68af7f1e129abd2ac5cabbcd8bbf3551c485bae05108324b

Filesize: 856KB
MD5: 0863db87b29922d15403a0939089f7e5
SHA1: 25fd6c6743c7e2d40c137bcb31acf413ff5fbb02
SHA256: 7eaf0f7056462d01a8a95cbe0da22db34d88a2250ca8f8aefff6e72f0ec3c32f
SHA512: 3d4d8a6fb88b4057568ea688feb8ba70dae5ec8de193c1e9e3b148f5f955e6d457a6e6509013e44d6bea6e4f9dd7d2ed9df1a0344addfb72ffaa38840ef6065e

Filesize: 99KB
MD5: 526924c3f34218a419448b744fadcdea
SHA1: db8b185181de56c223e101e06cf521dcde4f99c9
SHA256: 8dc1454e22bf71a457fee6b1ff2518bfde592e7c321276b4cedd89f97ef48f42
SHA512: a8361a18d5e491dbb520a878161eb4ca948a8a6690ee9fc1033dfd65b673a90cc578f5ea04910d76e740a37cf36c2520d343a2468fbf4c55807e7f4e07396966