Analysis
max time kernel: 150s
max time network: 125s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 29-12-2023 22:02
Static task: static1
Behavioral task: behavioral1
Sample: 0512aedf039191c7a60c97cd87a5d490.dll
Resource: win7-20231215-en
General
Target: 0512aedf039191c7a60c97cd87a5d490.dll
Size: 1.9MB
MD5: 0512aedf039191c7a60c97cd87a5d490
SHA1: f5ffb6e18f6e8c2b06d040509d4542f13fdfa459
SHA256: d168ef7be6e3b73f63a62c817c0d87e4dd84cbe577454da94b7cc8bf8ff55879
SHA512: 71b20bfb893dc6013c4d790b19dd92815a33b269ae2125ac7afaccf2821a196c843ee41696d978d2b1ef2789fa789c52d1829dcefa23e9cdbc02cbb973dfe6a3
SSDEEP: 12288:YVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:NfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
YARA rule match
resource: behavioral1/memory/1252-5-0x00000000024D0000-0x00000000024D1000-memory.dmp
yara_rule: dridex_stager_shellcode
Executes dropped EXE (3 IoCs)
PID 2600: calc.exe
PID 2944: DWWIN.EXE
PID 1364: spreview.exe
Loads dropped DLL (7 IoCs)
PID 1252 (process name not listed in the report)
PID 2600: calc.exe
PID 1252 (process name not listed in the report)
PID 2944: DWWIN.EXE
PID 1252 (process name not listed in the report)
PID 1364: spreview.exe
PID 1252 (process name not listed in the report)
Adds Run key to start application (2 TTPs, 1 IoC)
Set value (str): \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\Fskzoiv = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\ACCESS~1\\SYSTEM~1\\R5KmR\\DWWIN.EXE"
Checks whether UAC is enabled
Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (rundll32.exe)
Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (calc.exe)
Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (DWWIN.EXE)
Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (spreview.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
PID 2168: rundll32.exe (3 entries)
PID 1252: process name not listed in the report (all remaining entries)
Suspicious use of WriteProcessMemory (18 IoCs)
Each of the following entries appears three times in the report:
PID 1252 wrote to memory of 2584 (procid_target 28)
PID 1252 wrote to memory of 2600 (procid_target 29)
PID 1252 wrote to memory of 2892 (procid_target 30)
PID 1252 wrote to memory of 2944 (procid_target 31)
PID 1252 wrote to memory of 1260 (procid_target 32)
PID 1252 wrote to memory of 1364 (procid_target 33)
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\0512aedf039191c7a60c97cd87a5d490.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID: 2168

C:\Windows\system32\calc.exe
  Command line: C:\Windows\system32\calc.exe
  PID: 2584

C:\Users\Admin\AppData\Local\3wl\calc.exe
  Command line: C:\Users\Admin\AppData\Local\3wl\calc.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 2600

C:\Windows\system32\DWWIN.EXE
  Command line: C:\Windows\system32\DWWIN.EXE
  PID: 2892

C:\Users\Admin\AppData\Local\NoXU\DWWIN.EXE
  Command line: C:\Users\Admin\AppData\Local\NoXU\DWWIN.EXE
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 2944

C:\Windows\system32\spreview.exe
  Command line: C:\Windows\system32\spreview.exe
  PID: 1260

C:\Users\Admin\AppData\Local\8z76P5X4b\spreview.exe
  Command line: C:\Users\Admin\AppData\Local\8z76P5X4b\spreview.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 1364
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\R5KmR\VERSION.dll
Filesize: 1.5MB
MD5: 152a098fb248a7a78cfad9791c6053b0
SHA1: ba84bc3a98fef3ba2d51eb22ae86c8c693710a61
SHA256: 4ed67f4d290ac4cc5dc09c900306fe32cf9b6326a7111ccacf6e11611422923e
SHA512: 8f7914b473ecd2c6b22c7a03fa37cb318c4e2a7cb0e04d2d9dff9d48abe028c57de3abc1e8ee1e9fc78e0d6309bb7dc3fe74942e6e349576faca386b1d5d283e