Analysis
- max time kernel: 150s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 26-12-2023 07:26
Static task: static1
Behavioral task: behavioral1
Sample: 5c73ce8acd26a01655041010b2d4ff6a.dll
Resource: win7-20231215-en
General
- Target: 5c73ce8acd26a01655041010b2d4ff6a.dll
- Size: 848KB
- MD5: 5c73ce8acd26a01655041010b2d4ff6a
- SHA1: d8781699300176bbbbd36489a1c82725c33edcb1
- SHA256: 03691ec0a206c672022cbf25d02a4b0ab1f67bd6acf5782de498977d88e41474
- SHA512: 9d73f66eb48fa1265751d612ac745f97780d97361b4ab864b8e9f37cbe3eb801fd85857191e0d0bfc10ec0add00e892a5b7a8c1b27ea5d378e277b713fbe384b
- SSDEEP: 12288:3kbQEkWqv+157EYfxarhwLNuR7ek1tHffB/HzTyNQ6NIeGYr/R:3kbHkWfzZ5adwLNGeStHntqN7v
Malware Config
Signatures
YARA rule match 1 IoCs
Processes (resource, yara_rule):
- behavioral1/memory/1384-4-0x00000000025F0000-0x00000000025F1000-memory.dmp: dridex_stager_shellcode
YARA rule match 11 IoCs
Processes (resource, yara_rule):
- behavioral1/memory/1888-0-0x000007FEF62F0000-0x000007FEF63C4000-memory.dmp: dridex_payload
- behavioral1/memory/1384-19-0x0000000140000000-0x00000001400D4000-memory.dmp: dridex_payload
- behavioral1/memory/1384-27-0x0000000140000000-0x00000001400D4000-memory.dmp: dridex_payload
- behavioral1/memory/1384-38-0x0000000140000000-0x00000001400D4000-memory.dmp: dridex_payload
- behavioral1/memory/1888-44-0x000007FEF62F0000-0x000007FEF63C4000-memory.dmp: dridex_payload
- behavioral1/memory/1384-39-0x0000000140000000-0x00000001400D4000-memory.dmp: dridex_payload
- behavioral1/memory/2512-55-0x000007FEF6950000-0x000007FEF6A26000-memory.dmp: dridex_payload
- behavioral1/memory/2512-60-0x000007FEF6950000-0x000007FEF6A26000-memory.dmp: dridex_payload
- behavioral1/memory/1784-74-0x000007FEF62F0000-0x000007FEF63C5000-memory.dmp: dridex_payload
- behavioral1/memory/1784-78-0x000007FEF62F0000-0x000007FEF63C5000-memory.dmp: dridex_payload
- behavioral1/memory/1900-105-0x000007FEF62F0000-0x000007FEF63C5000-memory.dmp: dridex_payload
Executes dropped EXE 4 IoCs
Processes (pid, process):
- 2512 mfpmp.exe
- 1784 perfmon.exe
- 2028 wermgr.exe
- 1900 rdpinit.exe
Loads dropped DLL 8 IoCs
Processes (pid, process; PID 1384 has no process name recorded in the report):
- 1384
- 2512 mfpmp.exe
- 1384
- 1784 perfmon.exe
- 1384
- 1384
- 1900 rdpinit.exe
- 1384
Adds Run key to start application 2 TTPs 1 IoCs
Processes (description, ioc, process):
- Set value (str): \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\Zqonzshwxyr = "C:\\Users\\Admin\\AppData\\Roaming\\MACROM~1\\FLASHP~1\\MACROM~1.COM\\support\\YCL\\perfmon.exe" (process not recorded)
Checks whether UAC is enabled 4 IoCs
Processes (description, ioc, process):
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA, rundll32.exe
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA, mfpmp.exe
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA, perfmon.exe
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA, rdpinit.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (pid, process):
- 1888 rundll32.exe (3 entries)
- 1384 (all remaining entries; process name not recorded in the report)
Suspicious use of WriteProcessMemory 24 IoCs
Processes (description, pid, process, procid_target; each entry is recorded three times in the report):
- PID 1384 wrote to memory of 2600 (target 28)
- PID 1384 wrote to memory of 2512 (target 29)
- PID 1384 wrote to memory of 568 (target 32)
- PID 1384 wrote to memory of 1784 (target 33)
- PID 1384 wrote to memory of 1864 (target 34)
- PID 1384 wrote to memory of 2028 (target 35)
- PID 1384 wrote to memory of 1912 (target 36)
- PID 1384 wrote to memory of 1900 (target 37)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5c73ce8acd26a01655041010b2d4ff6a.dll,#1
  Signatures: Checks whether UAC is enabled; Suspicious behavior: EnumeratesProcesses
  PID: 1888
- C:\Windows\system32\mfpmp.exe
  Command line: C:\Windows\system32\mfpmp.exe
  PID: 2600
- C:\Users\Admin\AppData\Local\TWcSZI\mfpmp.exe
  Command line: C:\Users\Admin\AppData\Local\TWcSZI\mfpmp.exe
  Signatures: Executes dropped EXE; Loads dropped DLL; Checks whether UAC is enabled
  PID: 2512
- C:\Windows\system32\perfmon.exe
  Command line: C:\Windows\system32\perfmon.exe
  PID: 568
- C:\Users\Admin\AppData\Local\N1yJU0zy\perfmon.exe
  Command line: C:\Users\Admin\AppData\Local\N1yJU0zy\perfmon.exe
  Signatures: Executes dropped EXE; Loads dropped DLL; Checks whether UAC is enabled
  PID: 1784
- C:\Windows\system32\wermgr.exe
  Command line: C:\Windows\system32\wermgr.exe
  PID: 1864
- C:\Users\Admin\AppData\Local\nVSMvE\wermgr.exe
  Command line: C:\Users\Admin\AppData\Local\nVSMvE\wermgr.exe
  Signatures: Executes dropped EXE
  PID: 2028
- C:\Windows\system32\rdpinit.exe
  Command line: C:\Windows\system32\rdpinit.exe
  PID: 1912
- C:\Users\Admin\AppData\Local\wDHs08JC\rdpinit.exe
  Command line: C:\Users\Admin\AppData\Local\wDHs08JC\rdpinit.exe
  Signatures: Executes dropped EXE; Loads dropped DLL; Checks whether UAC is enabled
  PID: 1900
Network
MITRE ATT&CK Enterprise v15
Downloads