Analysis
- max time kernel: 65s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 29-12-2023 19:48

Static task: static1
Behavioral task: behavioral1
- Sample: 023797dc02047e4d9ff5a2192e29df8a.dll
- Resource: win7-20231215-en
General
- Target: 023797dc02047e4d9ff5a2192e29df8a.dll
- Size: 2.3MB
- MD5: 023797dc02047e4d9ff5a2192e29df8a
- SHA1: bc008687c6b96d7bc46acff71d9a241ca71356fe
- SHA256: 9f8c3763244712c98190cd47b908b20c1a3486de99e3cf4b0d9b59b02bcb5f9e
- SHA512: 37b71cf639bdd78a10062511269b785c22eec6bf578ada8b0385c98b826a654d8351efe4f57d3e03afc9d32623ea212fbd0753da5fd1bfe15a18dd1047185867
- SSDEEP: 12288:DVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:SfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
-
Processes:
  resource:  behavioral1/memory/1204-5-0x0000000002E30000-0x0000000002E31000-memory.dmp
  yara_rule: dridex_stager_shellcode
Executes dropped EXE (4 IoCs)
Processes (iexpress.exe, EhStorAuthn.exe, psr.exe, spreview.exe):
  pid   Process
  1924  iexpress.exe
  3008  EhStorAuthn.exe
  1308  psr.exe
  2952  spreview.exe
Loads dropped DLL (9 IoCs)
Processes (iexpress.exe, EhStorAuthn.exe, psr.exe, spreview.exe):
  pid   Process
  1204  (no process name recorded)
  1924  iexpress.exe
  1204  (no process name recorded)
  3008  EhStorAuthn.exe
  1204  (no process name recorded)
  1308  psr.exe
  1204  (no process name recorded)
  2952  spreview.exe
  1204  (no process name recorded)
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description: Set value (str)
  ioc:         \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rtxtioiynm = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\L4QizKCcnt\\EhStorAuthn.exe"
  Process:     (not recorded)
Processes (spreview.exe, rundll32.exe, iexpress.exe, EhStorAuthn.exe, psr.exe):
  description        ioc                                                                                    Process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  spreview.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  iexpress.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  EhStorAuthn.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  psr.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (rundll32.exe):
  pid   Process
  1872  rundll32.exe                 (listed 3 times)
  1204  (no process name recorded)   (all remaining entries)
Suspicious use of WriteProcessMemory (24 IoCs)
Processes (each entry is listed 3 times in the report):
  description                       pid   Process         procid_target
  PID 1204 wrote to memory of 2660  1204  (not recorded)  28
  PID 1204 wrote to memory of 1924  1204  (not recorded)  29
  PID 1204 wrote to memory of 2984  1204  (not recorded)  31
  PID 1204 wrote to memory of 3008  1204  (not recorded)  30
  PID 1204 wrote to memory of 1252  1204  (not recorded)  33
  PID 1204 wrote to memory of 1308  1204  (not recorded)  32
  PID 1204 wrote to memory of 2812  1204  (not recorded)  35
  PID 1204 wrote to memory of 2952  1204  (not recorded)  34
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\023797dc02047e4d9ff5a2192e29df8a.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID: 1872
- C:\Windows\system32\iexpress.exe
  Command line: C:\Windows\system32\iexpress.exe
  PID: 2660
- C:\Users\Admin\AppData\Local\RhTaSE\iexpress.exe
  Command line: C:\Users\Admin\AppData\Local\RhTaSE\iexpress.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 1924
- C:\Users\Admin\AppData\Local\ClC5\EhStorAuthn.exe
  Command line: C:\Users\Admin\AppData\Local\ClC5\EhStorAuthn.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 3008
- C:\Windows\system32\EhStorAuthn.exe
  Command line: C:\Windows\system32\EhStorAuthn.exe
  PID: 2984
- C:\Users\Admin\AppData\Local\5QUshV5ee\psr.exe
  Command line: C:\Users\Admin\AppData\Local\5QUshV5ee\psr.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 1308
- C:\Windows\system32\psr.exe
  Command line: C:\Windows\system32\psr.exe
  PID: 1252
- C:\Users\Admin\AppData\Local\Tqepb\spreview.exe
  Command line: C:\Users\Admin\AppData\Local\Tqepb\spreview.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 2952
- C:\Windows\system32\spreview.exe
  Command line: C:\Windows\system32\spreview.exe
  PID: 2812
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\Q6r\VERSION.dll
  Filesize: 28KB
- \Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\Q6r\spreview.exe
  Filesize: 61KB