Analysis
max time kernel: 150s
max time network: 131s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 28-12-2023 05:07
Static task: static1
Behavioral task: behavioral1
Sample: c60920a9c292aa669035396b03965a08.dll
Resource: win7-20231215-en
General
Target: c60920a9c292aa669035396b03965a08.dll
Size: 932KB
MD5: c60920a9c292aa669035396b03965a08
SHA1: c6005bcff4c1a3161bdc681b68ddadb2b771a5b6
SHA256: 4e37a17479c456a66c1b5bbc8204e65e2a7049852836df593d3cffad7ea546c9
SHA512: e5b79d76ea45af823612782d5c1c6426084c6cfab908d5bb5db4134b24e9f91ee3bd291e1da2dbb9b3801483926b767b2ad1b9c35c02d7ab4177893d630a2797
SSDEEP: 12288:yPVKLvdxQPKSoVXxTaGcb68Uzx2TBeOWhZJpK88:ytKTrsKSKBTSb6DUXWq88
Malware Config
Signatures
Processes:
yara_rule dridex_stager_shellcode matched in resource:
- behavioral1/memory/1212-4-0x00000000029E0000-0x00000000029E1000-memory.dmp
Processes:
yara_rule dridex_payload matched in resources:
- behavioral1/memory/2524-1-0x0000000140000000-0x00000001400E9000-memory.dmp
- behavioral1/memory/1212-22-0x0000000140000000-0x00000001400E9000-memory.dmp
- behavioral1/memory/2524-33-0x0000000140000000-0x00000001400E9000-memory.dmp
- behavioral1/memory/1212-36-0x0000000140000000-0x00000001400E9000-memory.dmp
- behavioral1/memory/1212-34-0x0000000140000000-0x00000001400E9000-memory.dmp
- behavioral1/memory/2012-52-0x0000000140000000-0x00000001400EA000-memory.dmp
- behavioral1/memory/2012-56-0x0000000140000000-0x00000001400EA000-memory.dmp
- behavioral1/memory/1960-76-0x0000000140000000-0x00000001400EA000-memory.dmp
- behavioral1/memory/776-88-0x0000000140000000-0x000000014011D000-memory.dmp
- behavioral1/memory/776-93-0x0000000140000000-0x000000014011D000-memory.dmp
Executes dropped EXE 3 IoCs
Processes:
- PID 2012: rekeywiz.exe
- PID 1960: VaultSysUi.exe
- PID 776: WindowsAnytimeUpgradeResults.exe
Loads dropped DLL 8 IoCs
Processes:
- PID 1212 (process name not recorded)
- PID 2012: rekeywiz.exe
- PID 1212 (process name not recorded)
- PID 1212 (process name not recorded)
- PID 1960: VaultSysUi.exe
- PID 1212 (process name not recorded)
- PID 776: WindowsAnytimeUpgradeResults.exe
- PID 1212 (process name not recorded)
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
- Set value (str): \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\Srfjajs = "C:\\Users\\Admin\\AppData\\Roaming\\MACROM~1\\FLASHP~1\\#SHARE~1\\23Q1I1A2\\VAULTS~1.EXE"
Checks whether UAC is enabled
Processes:
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (rundll32.exe)
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (rekeywiz.exe)
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (VaultSysUi.exe)
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (WindowsAnytimeUpgradeResults.exe)
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
- PID 2524: rundll32.exe (3 entries)
- PID 1212 (61 entries, process name not recorded)
Suspicious use of WriteProcessMemory 18 IoCs
Processes (each entry recorded 3 times):
- PID 1212 wrote to memory of 2592 (pid 1212, procid_target 29)
- PID 1212 wrote to memory of 2012 (pid 1212, procid_target 30)
- PID 1212 wrote to memory of 1248 (pid 1212, procid_target 32)
- PID 1212 wrote to memory of 1960 (pid 1212, procid_target 33)
- PID 1212 wrote to memory of 584 (pid 1212, procid_target 34)
- PID 1212 wrote to memory of 776 (pid 1212, procid_target 35)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\c60920a9c292aa669035396b03965a08.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID: 2524
- C:\Windows\system32\rekeywiz.exe
  Command line: C:\Windows\system32\rekeywiz.exe
  PID: 2592
- C:\Users\Admin\AppData\Local\WzlF\rekeywiz.exe
  Command line: C:\Users\Admin\AppData\Local\WzlF\rekeywiz.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 2012
- C:\Windows\system32\VaultSysUi.exe
  Command line: C:\Windows\system32\VaultSysUi.exe
  PID: 1248
- C:\Users\Admin\AppData\Local\oP1YJUqQY\VaultSysUi.exe
  Command line: C:\Users\Admin\AppData\Local\oP1YJUqQY\VaultSysUi.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 1960
- C:\Windows\system32\WindowsAnytimeUpgradeResults.exe
  Command line: C:\Windows\system32\WindowsAnytimeUpgradeResults.exe
  PID: 584
- C:\Users\Admin\AppData\Local\I0MBl\WindowsAnytimeUpgradeResults.exe
  Command line: C:\Users\Admin\AppData\Local\I0MBl\WindowsAnytimeUpgradeResults.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 776
Network
MITRE ATT&CK Enterprise v15
Downloads