Analysis

max time kernel: 150s
max time network: 124s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 29-12-2023 22:27

Static task: static1
Behavioral task: behavioral1
Sample: 0597e704a1234f7f0a2cc4dd823194cb.dll
Resource: win7-20231215-en
General

Target: 0597e704a1234f7f0a2cc4dd823194cb.dll
Size: 712KB
MD5: 0597e704a1234f7f0a2cc4dd823194cb
SHA1: 50e72b88256c7807853bea80c0c660a503383f75
SHA256: 7ba44f9bf826852b97d7fd37af4450957684acdea533f27440e8bfb5db1cd729
SHA512: 368b8672d5e1123fe15021264390d71482aae6b52cea5089afeaeed63ebf89c60addede65dd8ae1409c74e1f05009eb5f0e02e5326fa49f617fe36502b12f75c
SSDEEP: 12288:1dMIwS97wJs6tSKDXEabXaC+jhc1S8XXk7CZzHsZH9dq0T:bMIJxSDX3bqjhcfHk7MzH6z
Malware Config
Signatures
YARA rule dridex_stager_shellcode 1 IoCs
resource (memory dump)  yara_rule
behavioral1/memory/1248-4-0x0000000002120000-0x0000000002121000-memory.dmp  dridex_stager_shellcode

YARA rule dridex_payload 10 IoCs
resource (memory dump)  yara_rule
behavioral1/memory/1232-1-0x0000000140000000-0x00000001400B2000-memory.dmp  dridex_payload
behavioral1/memory/1248-28-0x0000000140000000-0x00000001400B2000-memory.dmp  dridex_payload
behavioral1/memory/1248-40-0x0000000140000000-0x00000001400B2000-memory.dmp  dridex_payload
behavioral1/memory/1248-39-0x0000000140000000-0x00000001400B2000-memory.dmp  dridex_payload
behavioral1/memory/1232-48-0x0000000140000000-0x00000001400B2000-memory.dmp  dridex_payload
behavioral1/memory/2288-57-0x0000000140000000-0x00000001400B3000-memory.dmp  dridex_payload
behavioral1/memory/2288-61-0x0000000140000000-0x00000001400B3000-memory.dmp  dridex_payload
behavioral1/memory/1168-74-0x0000000140000000-0x00000001400B4000-memory.dmp  dridex_payload
behavioral1/memory/1168-78-0x0000000140000000-0x00000001400B4000-memory.dmp  dridex_payload
behavioral1/memory/2568-95-0x0000000140000000-0x00000001400B3000-memory.dmp  dridex_payload
Executes dropped EXE 3 IoCs
pid   Process
2288  wusa.exe
1168  winlogon.exe
2568  DeviceDisplayObjectProvider.exe
Loads dropped DLL 7 IoCs
pid   Process
1248  (process name not recorded in report)
2288  wusa.exe
1248  (process name not recorded in report)
1168  winlogon.exe
1248  (process name not recorded in report)
2568  DeviceDisplayObjectProvider.exe
1248  (process name not recorded in report)
Adds Run key to start application 2 TTPs 1 IoCs
description      ioc
Set value (str)  \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\Lgpbj = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\ngAl\\winlogon.exe"
(the report does not attribute this write to a process)
Checks whether UAC is enabled 4 IoCs
description        ioc                                                                              Process
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  DeviceDisplayObjectProvider.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  wusa.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  winlogon.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid   Process
1232  rundll32.exe (3 entries)
1248  (process name not recorded in report; remaining 61 entries)
Suspicious use of WriteProcessMemory 18 IoCs
description                       pid   Process                                  procid_target
PID 1248 wrote to memory of 2600  1248  (process name not recorded in report)  28  (3 entries)
PID 1248 wrote to memory of 2288  1248  (process name not recorded in report)  29  (3 entries)
PID 1248 wrote to memory of 700   1248  (process name not recorded in report)  30  (3 entries)
PID 1248 wrote to memory of 1168  1248  (process name not recorded in report)  31  (3 entries)
PID 1248 wrote to memory of 1628  1248  (process name not recorded in report)  32  (3 entries)
PID 1248 wrote to memory of 2568  1248  (process name not recorded in report)  33  (3 entries)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\0597e704a1234f7f0a2cc4dd823194cb.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID: 1232

C:\Windows\system32\wusa.exe
  command line: C:\Windows\system32\wusa.exe
  PID: 2600

C:\Users\Admin\AppData\Local\LlJ\wusa.exe
  command line: C:\Users\Admin\AppData\Local\LlJ\wusa.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 2288

C:\Windows\system32\winlogon.exe
  command line: C:\Windows\system32\winlogon.exe
  PID: 700

C:\Users\Admin\AppData\Local\D26i\winlogon.exe
  command line: C:\Users\Admin\AppData\Local\D26i\winlogon.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 1168

C:\Windows\system32\DeviceDisplayObjectProvider.exe
  command line: C:\Windows\system32\DeviceDisplayObjectProvider.exe
  PID: 1628

C:\Users\Admin\AppData\Local\8qH\DeviceDisplayObjectProvider.exe
  command line: C:\Users\Admin\AppData\Local\8qH\DeviceDisplayObjectProvider.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 2568
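The process tree above shows the staging pattern worth hunting for on other hosts: each of wusa.exe, winlogon.exe and DeviceDisplayObjectProvider.exe first runs from System32 and then runs again as a copy under a short random directory in AppData\Local (2288, 1168, 2568), where it loads a dropped DLL, while a Run key points at yet another copy of winlogon.exe under AppData\Roaming. The following is an added example of detection logic over that pattern, written for this page and not part of the sandbox report or its tooling. The event records are constructed in a simplified Sysmon-like shape whose paths, PIDs and registry value mirror the IoCs above; the PID on the registry event is an assumption, since the report does not attribute the Run key write to a process.

```python
import ntpath  # Windows path handling, works on any host OS
import re

# Constructed sample telemetry (not the report's raw data). Images, PIDs,
# command lines and the Run key value mirror the IoCs in this report; the
# two "benign control" records and the registry event's PID are assumptions.
EVENTS = [
    {"event": "process_create", "pid": 1232,
     "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\0597e704a1234f7f0a2cc4dd823194cb.dll,#1"},
    {"event": "process_create", "pid": 2600,
     "image": r"C:\Windows\system32\wusa.exe",
     "cmdline": r"C:\Windows\system32\wusa.exe"},
    {"event": "process_create", "pid": 2288,
     "image": r"C:\Users\Admin\AppData\Local\LlJ\wusa.exe",
     "cmdline": r"C:\Users\Admin\AppData\Local\LlJ\wusa.exe"},
    {"event": "process_create", "pid": 700,
     "image": r"C:\Windows\system32\winlogon.exe",
     "cmdline": r"C:\Windows\system32\winlogon.exe"},
    {"event": "process_create", "pid": 1168,
     "image": r"C:\Users\Admin\AppData\Local\D26i\winlogon.exe",
     "cmdline": r"C:\Users\Admin\AppData\Local\D26i\winlogon.exe"},
    {"event": "process_create", "pid": 1628,
     "image": r"C:\Windows\system32\DeviceDisplayObjectProvider.exe",
     "cmdline": r"C:\Windows\system32\DeviceDisplayObjectProvider.exe"},
    {"event": "process_create", "pid": 2568,
     "image": r"C:\Users\Admin\AppData\Local\8qH\DeviceDisplayObjectProvider.exe",
     "cmdline": r"C:\Users\Admin\AppData\Local\8qH\DeviceDisplayObjectProvider.exe"},
    # Benign control (assumed): a user-installed tool with no System32 twin.
    {"event": "process_create", "pid": 3100,
     "image": r"C:\Users\Admin\AppData\Local\Programs\editor\editor.exe",
     "cmdline": r"C:\Users\Admin\AppData\Local\Programs\editor\editor.exe"},
    # PID 1248 is an assumption; the report does not name the writing process.
    {"event": "registry_set", "pid": 1248,
     "key": r"HKU\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\Lgpbj",
     "value": r"C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\ngAl\winlogon.exe"},
    # Benign control (assumed): a Run key pointing into Program Files.
    {"event": "registry_set", "pid": 900,
     "key": r"HKU\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r"C:\Program Files\Vendor\updater.exe"},
]

SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
USER_WRITABLE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\", re.IGNORECASE)
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\", re.IGNORECASE)
DLL_ARG = re.compile(r"([a-z]:\\[^\s,]+\.dll)", re.IGNORECASE)


def is_system_image(path):
    return ntpath.dirname(path).lower() in SYSTEM_DIRS


def is_user_writable(path):
    return bool(USER_WRITABLE.match(path))


def system_image_names(events):
    """File names observed running from a system directory in this stream."""
    return {ntpath.basename(e["image"]).lower() for e in events
            if e["event"] == "process_create" and is_system_image(e["image"])}


def find_sideload_hosts(events):
    """A binary seen in System32 that also runs from a user-writable directory
    is a staged copy: the side-loading host for a dropped DLL."""
    names = system_image_names(events)
    return [(e["pid"], e["image"]) for e in events
            if e["event"] == "process_create"
            and ntpath.basename(e["image"]).lower() in names
            and is_user_writable(e["image"])]


def find_rundll32_user_dlls(events):
    """rundll32 loading a DLL (here by ordinal, ',#1') from a user-writable path."""
    hits = []
    for e in events:
        if e["event"] != "process_create":
            continue
        if ntpath.basename(e["image"]).lower() != "rundll32.exe":
            continue
        m = DLL_ARG.search(e["cmdline"])
        if m and is_user_writable(m.group(1)):
            hits.append((e["pid"], m.group(1)))
    return hits


def find_user_writable_run_keys(events):
    """Run/RunOnce values pointing into AppData. The last field records whether
    the target borrows the name of a system binary seen in the stream."""
    names = system_image_names(events)
    hits = []
    for e in events:
        if e["event"] != "registry_set" or not RUN_KEY.search(e["key"]):
            continue
        if is_user_writable(e["value"]):
            masquerade = ntpath.basename(e["value"]).lower() in names
            hits.append((e["pid"], e["key"].rsplit("\\", 1)[-1], e["value"], masquerade))
    return hits


if __name__ == "__main__":
    for hit in find_rundll32_user_dlls(EVENTS):
        print("rundll32 with user-writable DLL:", hit)
    for hit in find_sideload_hosts(EVENTS):
        print("staged System32 copy:", hit)
    for hit in find_user_writable_run_keys(EVENTS):
        print("Run key into user-writable path:", hit)
```

The pairing rule in find_sideload_hosts deliberately learns the "known system binary" set from the stream itself rather than from a fixed list, because the report shows the loader launching the genuine System32 copy immediately before the staged one; on real telemetry a static allow-list of System32 file names (or a signature check on the staged copy, which will still be validly signed by Microsoft) should be added so the detection does not depend on seeing both launches. The benign controls are there to show that ordinary AppData installs and Program Files autoruns do not fire.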
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 716KB
MD5: 105e73dbca8f4514f3a53b1cc83afe55
SHA1: 06cecc793a136b1531cc5777b5e49177b3e1beab
SHA256: a1c8b14932039df84472f156ca028e82b1d3061faf6140164894a53310915cc8
SHA512: c02a422be31512868c7489f242589aba1f8db421639d3eff95b776960bedf39645e9d12ecc8ee9d8e580bd5487c9f3c75606272f8727355d29276ce04362d3d9

Filesize: 720KB
MD5: fa0170f26463a68bc38cd50860777745
SHA1: 303ee82cfb90473baa76c8ef2118ce1cbccb8f16
SHA256: 65e6e9f0cf8e81212dd8b0fae1acbb733583aed3311ea8855d4cbaa8eb74fb97
SHA512: 9db4f8edc8f73213fa67e66a8799ec54f3d5dcab9b78ba6fd89a9915e5046dfd79f87fb5b320396ca48c171582bcecd15ea3de06ac23fcf3f520800969aaaefa

Filesize: 716KB
MD5: 5be419bd9e1f507f93d7d2912f1bed49
SHA1: d04d3f8215051c3f042b5f18a18446d6ab9167e8
SHA256: 88e5fb81b7c53b941b4bb31bbe381d92d3b7817b1e234a7a8e156de545458ab4
SHA512: aeb82e359773982074ba1d3340aa856b01bc0fd6026d346e03612693ad1686ccbdee4abde883294732c93c7ad3acf04561b5bf8e4646aeb46a18054aae28e142

Filesize: 1KB
MD5: 274cef091c3344f25cf27b9807e15d92
SHA1: 0aeb3386a8983d5e05df9d3d18d71f8794983cf9
SHA256: ce3ca6eaaa6da9a6c3b0ef5bb853291832dc1cb33b2efc0f5b399a62cd178111
SHA512: 696cd1e3460603a1e8440de5ddcca6646721b36da9ab9edc7513eb06ede5d26f9469825d2304169daafeb9892e298408d67a7547f0768124137d48ca619d775c

Filesize: 109KB
MD5: 7e2eb3a4ae11190ef4c8a9b9a9123234
SHA1: 72e98687a8d28614e2131c300403c2822856e865
SHA256: 8481a8ec19cb656ce328c877d5817d317203ba34424a2e9d169ddce5bf2cd2b0
SHA512: 18b1a0637f48929972a463d441182307725ebf1410dd461a1966bd040ac5dcced138155b7c713bfc924ea2f7b39527a084a08b44fa24c3eb9c654871f99caabf

Filesize: 381KB
MD5: 1151b1baa6f350b1db6598e0fea7c457
SHA1: 434856b834baf163c5ea4d26434eeae775a507fb
SHA256: b1506e0a7e826eff0f5252ef5026070c46e2235438403a9a24d73ee69c0b8a49
SHA512: df728d06238da1dece96f8b8d67a2423ed4dcb344b42d5958768d23bd570a79e7189e7c5ba783c1628fe8ddd1deaebeacb1b471c59c8a7c9beb21b4f1eb9edab

Filesize: 300KB
MD5: c15b3d813f4382ade98f1892350f21c7
SHA1: a45c5abc6751bc8b9041e5e07923fa4fc1b4542b
SHA256: 8f067da98eb3ea9f1db2f0063ff54e07d992fbf051779b467e222639be4127e3
SHA512: 6d028fe81fe45d0ef291741513ecf939e412912647347d4d5bad89571f33e1084dc0fd26eb7313c7191f938c3f50243f453e2690e2475fc3f5539a20c2ff2f3c