Analysis
max time kernel: 150s
max time network: 126s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 29-12-2023 23:05
Static task: static1
Behavioral task: behavioral1
Sample: 06757f0f902f5be0f5997657f6eb9265.dll
Resource: win7-20231215-en
General
Target: 06757f0f902f5be0f5997657f6eb9265.dll
Size: 1.7MB
MD5: 06757f0f902f5be0f5997657f6eb9265
SHA1: e6a16036b2f2b471440093625ff7712b274b3a88
SHA256: ae2ad50601ea9427bbd5976872c8854d51b8411b1d542a6df8d32169b62848ec
SHA512: 3694179f2495a0f92bee6096f1a4c7cde9f1b0953051ce9d9e618a72548410d12362d6ca3204c803d3e6f234d80c56cb62150d958f33c15afcbd262b22ef5015
SSDEEP: 12288:8VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:JfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
Yara match (resource, yara_rule):
  behavioral1/memory/1308-5-0x0000000002AC0000-0x0000000002AC1000-memory.dmp  dridex_stager_shellcode
Executes dropped EXE (3 IoCs)
Processes (pid, Process):
  912   Netplwiz.exe
  2824  wextract.exe
  2792  rdpshell.exe
Loads dropped DLL (7 IoCs)
Processes (pid, Process; the report gives no image name for PID 1308):
  1308
  912   Netplwiz.exe
  1308
  2824  wextract.exe
  1308
  2792  rdpshell.exe
  1308
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes (description, ioc, Process):
  Set value (str)  \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\Zqonzshwxyr = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Acrobat\\9.0\\VKk0QVuQvA1\\wextract.exe"
Checks whether UAC is enabled
Processes (description, ioc, Process):
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  Netplwiz.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  wextract.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rdpshell.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (pid, Process):
  2000  rundll32.exe  (3 entries)
  1308  (all remaining entries; the report gives no image name for PID 1308)
Suspicious use of WriteProcessMemory (18 IoCs)
Processes (description, pid, Process, procid_target); each entry is recorded three times:
  PID 1308 wrote to memory of 3028  1308  28
  PID 1308 wrote to memory of 912   1308  29
  PID 1308 wrote to memory of 2584  1308  30
  PID 1308 wrote to memory of 2824  1308  31
  PID 1308 wrote to memory of 2908  1308  32
  PID 1308 wrote to memory of 2792  1308  33
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\06757f0f902f5be0f5997657f6eb9265.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID: 2000

C:\Windows\system32\Netplwiz.exe
  Command line: C:\Windows\system32\Netplwiz.exe
  PID: 3028

C:\Users\Admin\AppData\Local\92E4R\Netplwiz.exe
  Command line: C:\Users\Admin\AppData\Local\92E4R\Netplwiz.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 912

C:\Windows\system32\wextract.exe
  Command line: C:\Windows\system32\wextract.exe
  PID: 2584

C:\Users\Admin\AppData\Local\IfUgxvo\wextract.exe
  Command line: C:\Users\Admin\AppData\Local\IfUgxvo\wextract.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 2824

C:\Windows\system32\rdpshell.exe
  Command line: C:\Windows\system32\rdpshell.exe
  PID: 2908

C:\Users\Admin\AppData\Local\Ixyx\rdpshell.exe
  Command line: C:\Users\Admin\AppData\Local\Ixyx\rdpshell.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 2792
Network
MITRE ATT&CK Enterprise v15
Downloads