Analysis
- max time kernel: 150s
- max time network: 128s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 29-12-2023 20:46
Static task: static1
Behavioral task: behavioral1
- Sample: 038fac256867b97309719d78ffada177.dll
- Resource: win7-20231215-en
General
- Target: 038fac256867b97309719d78ffada177.dll
- Size: 1.7MB
- MD5: 038fac256867b97309719d78ffada177
- SHA1: fa48e8a93c0d26cdd5f4a442655f634d7a5e89e8
- SHA256: 824b3fcc72e9e5493e7be24f46d26c1f5972846b947ce1782207faaf9458429a
- SHA512: 59ba340ca23e03f969d0f62df6a1de329a90f8084a8fcb33e6393c7a3b80df28b5d12ed3802f2eee0cbb571f70c8381774ccabdcbb3caece35c22782880b84a0
- SSDEEP: 12288:MVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:5fP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
- YARA match: dridex_stager_shellcode
  resource | yara_rule
  behavioral1/memory/1200-5-0x0000000002A90000-0x0000000002A91000-memory.dmp | dridex_stager_shellcode
  The match is on a one-page (0x1000 byte) memory region dumped from PID 1200, the process that later writes into every child listed under "Suspicious use of WriteProcessMemory" below.
- Drops startup file 3 IoCs
  description | ioc | Process
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hxr |
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hxr\credui.dll |
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hxr\WFS.exe |
- Executes dropped EXE 4 IoCs
  pid | Process
  1336 | SnippingTool.exe
  2848 | WFS.exe
  1712 | iexpress.exe
  3020 | mmc.exe
- Loads dropped DLL 9 IoCs
  pid | Process
  1200 |
  1336 | SnippingTool.exe
  1200 |
  2848 | WFS.exe
  1200 |
  1712 | iexpress.exe
  1200 |
  3020 | mmc.exe
  1200 |
  (The report records no image name for PID 1200.)
- Adds Run key to start application 2 TTPs 1 IoCs
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\Niubkzso = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\UserData\\Low\\V2\\iexpress.exe" |
  The value data uses 8.3 short-name components (MICROS~1, INTERN~1), which hides the real directory names from naive string matching on the Run key.
- Checks whether UAC is enabled 5 IoCs
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | SnippingTool.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | WFS.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | iexpress.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | mmc.exe
- Suspicious behavior: EnumeratesProcesses 64 IoCs
  pid | Process
  1040 | rundll32.exe (3 entries)
  1200 | (remaining 61 entries; the report records no image name for PID 1200)
- Suspicious use of WriteProcessMemory 24 IoCs
  description | pid | Process | procid_target
  PID 1200 wrote to memory of 2616 | 1200 | | 28
  PID 1200 wrote to memory of 1336 | 1200 | | 29
  PID 1200 wrote to memory of 2916 | 1200 | | 30
  PID 1200 wrote to memory of 2848 | 1200 | | 31
  PID 1200 wrote to memory of 1232 | 1200 | | 34
  PID 1200 wrote to memory of 1712 | 1200 | | 35
  PID 1200 wrote to memory of 652 | 1200 | | 36
  PID 1200 wrote to memory of 3020 | 1200 | | 37
  Each row appears three times in the report (24 IoCs in total). The writing process, PID 1200, is not itself listed in the process tree below; every process it writes to is one of the four Windows binaries or their copies.
- Uses Task Scheduler COM API 1 TTPs
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\038fac256867b97309719d78ffada177.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID: 1040
- C:\Windows\system32\SnippingTool.exe
  C:\Windows\system32\SnippingTool.exe
  PID: 2616
- C:\Users\Admin\AppData\Local\jJ3o07Ih\SnippingTool.exe
  C:\Users\Admin\AppData\Local\jJ3o07Ih\SnippingTool.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 1336
- C:\Windows\system32\WFS.exe
  C:\Windows\system32\WFS.exe
  PID: 2916
- C:\Users\Admin\AppData\Local\GRfUG51h5\WFS.exe
  C:\Users\Admin\AppData\Local\GRfUG51h5\WFS.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 2848
- C:\Windows\system32\iexpress.exe
  C:\Windows\system32\iexpress.exe
  PID: 1232
- C:\Users\Admin\AppData\Local\Ysj5\iexpress.exe
  C:\Users\Admin\AppData\Local\Ysj5\iexpress.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 1712
- C:\Windows\system32\mmc.exe
  C:\Windows\system32\mmc.exe
  PID: 652
- C:\Users\Admin\AppData\Local\k5IbmYi\mmc.exe
  C:\Users\Admin\AppData\Local\k5IbmYi\mmc.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 3020

All entries sit at the same depth: none of them is a child of rundll32.exe (PID 1040), which only loaded the submitted DLL via export #1. The pattern for each of the four Windows binaries is the same: the genuine copy in C:\Windows\system32 is started first (PIDs 2616, 2916, 1232, 652), then a copy placed in a randomly named directory under AppData\Local is started (PIDs 1336, 2848, 1712, 3020) and loads a dropped DLL from that location. The Startup folder entry pairs WFS.exe with credui.dll in the same way, and the Run key points at a further copy of iexpress.exe under AppData\Roaming, so the persistence relies on the same side-loading layout rather than on the submitted DLL itself.
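The side-loading and persistence pattern above can be checked mechanically. The following is an added example written for this page, not code from the Triage report or from any Dridex tooling. It builds a small event list from the paths, PIDs and registry value in the report (plus one constructed benign Run value as a control) and applies three rules: a process whose image name matches a binary seen running from System32 or SysWOW64 but whose own image lives elsewhere; files created under the Startup folder, noting an EXE with a DLL dropped beside it; and Run values that point under AppData or use 8.3 short-name components. The `Event` record and its field names are an assumption for the example, not a sandbox or EDR schema.

```python
"""Added example (not part of the sandbox report): flag the DLL side-loading
and persistence layout seen in the report from constructed process, file and
registry events. The Event schema below is an assumption for this example."""
import ntpath
import re
from dataclasses import dataclass

SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}
USER_WRITABLE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\", re.I)
STARTUP_DIR = re.compile(r"\\start menu\\programs\\startup\\", re.I)
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)
SHORT_NAME = re.compile(r"\\[^\\]*~\d+[\\.]")  # 8.3 components such as MICROS~1\


@dataclass
class Event:
    kind: str        # "process", "file" or "registry"
    path: str        # image path, created file path, or registry value data
    pid: int = 0     # process events only; 0 where the report records none
    key: str = ""    # registry events only: the value that was set


@dataclass
class Finding:
    rule: str
    pid: int
    path: str
    detail: str


def norm(p: str) -> str:
    return p.strip('"').lower()


def find_sideload_copies(events):
    """Processes whose image name matches a binary seen running from a system
    directory, but whose own image is outside those directories."""
    system_names = {ntpath.basename(norm(e.path)) for e in events
                    if e.kind == "process" and ntpath.dirname(norm(e.path)) in SYSTEM_DIRS}
    findings = []
    for e in events:
        if e.kind != "process":
            continue
        p = norm(e.path)
        if ntpath.basename(p) not in system_names or ntpath.dirname(p) in SYSTEM_DIRS:
            continue
        detail = "copy of a system binary"
        if USER_WRITABLE.match(p):
            detail += " in a user-writable directory"
        findings.append(Finding("sideload_copy", e.pid, e.path, detail))
    return findings


def find_startup_drops(events):
    """Files created under the Startup folder; an .exe with a .dll dropped in
    the same directory is the side-loading layout used for persistence."""
    created = [norm(e.path) for e in events if e.kind == "file"]
    findings = []
    for e in events:
        if e.kind != "file" or not STARTUP_DIR.search(norm(e.path)):
            continue
        p = norm(e.path)
        detail = "file created in Startup folder"
        if p.endswith(".exe"):
            dlls = [ntpath.basename(d) for d in created
                    if d.endswith(".dll") and ntpath.dirname(d) == ntpath.dirname(p)]
            if dlls:
                detail += "; DLL dropped beside it: " + ", ".join(dlls)
        findings.append(Finding("startup_drop", e.pid, e.path, detail))
    return findings


def find_run_key_abuse(events):
    """Run values whose data points under AppData or hides the path with 8.3 names."""
    findings = []
    for e in events:
        if e.kind != "registry" or not RUN_KEY.search(norm(e.key)):
            continue
        data = norm(e.path)
        reasons = []
        if USER_WRITABLE.match(data):
            reasons.append("target under AppData")
        if SHORT_NAME.search(data):
            reasons.append("8.3 short-name path components")
        if reasons:
            findings.append(Finding("run_key", e.pid, e.path, "; ".join(reasons)))
    return findings


def analyse(events):
    return find_sideload_copies(events) + find_startup_drops(events) + find_run_key_abuse(events)


# Constructed from the report's process tree, dropped files and Run key.
REPORT_EVENTS = [
    Event("process", r"C:\Windows\system32\rundll32.exe", pid=1040),
    Event("process", r"C:\Windows\system32\SnippingTool.exe", pid=2616),
    Event("process", r"C:\Users\Admin\AppData\Local\jJ3o07Ih\SnippingTool.exe", pid=1336),
    Event("process", r"C:\Windows\system32\WFS.exe", pid=2916),
    Event("process", r"C:\Users\Admin\AppData\Local\GRfUG51h5\WFS.exe", pid=2848),
    Event("process", r"C:\Windows\system32\iexpress.exe", pid=1232),
    Event("process", r"C:\Users\Admin\AppData\Local\Ysj5\iexpress.exe", pid=1712),
    Event("process", r"C:\Windows\system32\mmc.exe", pid=652),
    Event("process", r"C:\Users\Admin\AppData\Local\k5IbmYi\mmc.exe", pid=3020),
    Event("file", r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hxr\credui.dll"),
    Event("file", r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hxr\WFS.exe"),
    Event("registry", r"C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\UserData\Low\V2\iexpress.exe",
          key=r"\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\Niubkzso"),
    # Constructed benign control (not from the report): a Run value under Program Files is not flagged.
    Event("registry", r"C:\Program Files\Example\updater.exe",
          key=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ExampleUpdater"),
]

if __name__ == "__main__":
    for f in analyse(REPORT_EVENTS):
        print(f"[{f.rule}] pid={f.pid} {f.path} :: {f.detail}")
```

Run as a script it prints seven findings: the four AppData\Local copies, the two Startup folder drops (WFS.exe annotated with credui.dll beside it) and the Run value, which triggers on both the AppData target and the short-name components. The first rule deliberately learns the set of "system" image names from the event stream itself rather than from a fixed list, so it also catches binaries this sample did not use.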
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 215KB
  MD5: 7ab42fbca12fcf43e84a4616cadf7628
  SHA1: 1c7730d668c4b3bd30ccc2226e53ecd9ec4ad7b4
  SHA256: 66cf9e6e5f1899db4d20cccef0507ffdcea48e3d4da70473bf285e0532af74f2
  SHA512: a8dbbc126f2b75e02e2c878e5e5db9abfaa01c48ab8721b425bebe63db71fd24f62b56e3c2bca6994060c4c4a7e4f25ec8ff678196b9ab3e1f62b7c2216b8d5a
- Filesize: 113KB
  MD5: b8ea20a1033540fac5d6c39ebdb58cf4
  SHA1: f44b0122258b2492baffb996d8935f58ec7bb035
  SHA256: 4b08b0b33edcc5b77932d95e4d5cf5d37813b90abcfa655123a59b8a26ed1ff6
  SHA512: f8786dc8f807de21a016f3f18543b9ec208086946250439556b3643b6c6f43cd0479534b9600ecad712ad67ca6b0b6d5f1dc9ca5fbee2812bae98ef277ed7147
- Filesize: 254KB
  MD5: afca11f26908e24b913e9a083b8cef0c
  SHA1: 6801c93aa01e60cf7055a3285c89577b70672922
  SHA256: eb8748e9a2b3429ed5b4ebe4c33d21783b5a6c1ae626a4fa506fc8c62b9942f7
  SHA512: 41ce3b0781f8efe34bd846fc4bf83387956e24bd73ebee7f08c9f07e3661e3b7a26d3a75becd981a264415397da63d32e34342892e5d04533edee36512c90a53
- Filesize: 1.7MB
  MD5: 8a6fb281c6ed7ec00d7da29e20e8dd87
  SHA1: 5da96e0ce45fd37eaa4d756eee0497e884009dbe
  SHA256: ea91a08fcb14d19a80610534e5232fc8192cd35e5f88c9ab609c4c44de82733c
  SHA512: ed650c6e014fdfd07f38720979ecb5b7615e73004f8d443e322611f9d28660be67ae24241d0d1245390d336050239065405ff791493dd381613e5072fb7f7948
- Filesize: 378KB
  MD5: aadc5bbc9150aebc63e13556f6abe27a
  SHA1: 991985ee5bfe67d09e1ee6a1381481136d1a0941
  SHA256: 64b6c9748e0d4f001697d1524c51402c12464e75df9b14cd5c04618a318a7203
  SHA512: 651ec2b436da88a7f95255a94e8c72963743f0e09b47f448c07c7d47bdc66ea9a66dee219c72e4855d92bede13d7cd8efe73d30c3e02747d88571122f62b0bab
- Filesize: 178KB
  MD5: 84b201fadfbcf1ce26955ba23887e1cd
  SHA1: 0dd5d527c0b6aeb6b0519e65a0b4bbf8b7f4a383
  SHA256: 977e036d98d91c4a6518f3f0b3ca48722d9e8465bf8f3a584394a01f379c456b
  SHA512: 960f212163c4e565bdc5eb74e2203345528295b187c1f5e310afb7df1b18f65f09c6bb837e78c20e4062ce66fd60f2c14375e47671d80e2880fc7da44f9e291f
- Filesize: 103KB
  MD5: ae6f30914c0fa5d298ee5e3808addf13
  SHA1: 14ceac0e4ddfcc16939bbc9a4e189834ed5f1748
  SHA256: fc1424658496f34bc1aefb5c1c8b5649148491e29f2622af7b29caa893be1e0a
  SHA512: e500196089517b5c9406307efb5b230e9e92b74c4b3b15de4110f0aed1d4e32f0daa16c5155e63206422784280db81ec60ca46e3108ebb7465c24f9d45b29316
- Filesize: 1KB
  MD5: 6ee65acc3a8ac2b8b25ceebad45ade6a
  SHA1: ef2920319b7688352f30c0f46513257a8bb0d6ed
  SHA256: 32809f315960eab615fb0b674c89d62f6bc0db3780c7ce78160c43607eb1fc5c
  SHA512: 4df730d2021be96eeabdb8a9a4909973ede593cbd6c495cabb6a7efbed6967cc79df1eacb2ab21ebab40a2c02b2eb1ea608e9f1f2f41180c7aa3c9821ace21bd
- Filesize: 1.0MB
  MD5: 3948a3f3f7fbd491c0686e84ba9fc03a
  SHA1: 527693e1a20189ed80d464d0d8fa548b4f93f873
  SHA256: 5a950cde840e8f1c5c63490fd509ed3ae96c3f2f3ce31d131d87a071bf36f751
  SHA512: 26a49c9ec00a3fb05d23c3c9e81c73e62ea0405cbd607a3dd20f2d2a9e090c538a45b2097f3df4ccce6a7b2d756f941700d1859f9483df9ce286062ca62b4830
- Filesize: 1.7MB
  MD5: 37c6bde3a4996bd5f98e47b62ead2157
  SHA1: abacbbcc12ce94a5c10892cd684eb2661528ac08
  SHA256: d9de421deeba7dc03f790bf4c6a266a24ebcafb40176745db4432b451ef37e03
  SHA512: cd1e31c57cfa73c64f970640948fbb234ccfef7701aad087f3c21e7df706fcbf607e45ae4cb5bd19c55b5928091728fcab9a9059a88cc12c41f4ef679964074f
- Filesize: 252KB
  MD5: 61dec248231314aad706e956b7225dd9
  SHA1: 53ff6ab70bbe436843f4a984531745a0ad3b37cd
  SHA256: 45b48007f699f1cad9491471b0ea719d3b176c8ad8535a73ac62b61c347b5d2b
  SHA512: 485a20a5bd14c8b0c06ef5507f9a3434a2407ef84a282bd4e6d71dfca19f431734e74b116dd0924030863b1ff55718ec9caa29b4c7563f52e7e08ea1dd52f336
- Filesize: 216KB
  MD5: eafee89e622955d6a0f27e0ffa9973d9
  SHA1: 8e12aa04aa0a7dc9a6891a47317ef86c5c2cfc2d
  SHA256: 153b223b93a5a53201d65e998ed4182eb18f86e26b5b76afa56b6f1ee42c6ae6
  SHA512: a75dd6f43c05cf114d6c886527382016ffa0068be750d518bf0226e4594f14955af2e10bf24054a770a04fcb7fffccfca32dfd7098dd818a25f129724a6753bd
- Filesize: 163KB
  MD5: 46fd16f9b1924a2ea8cd5c6716cc654f
  SHA1: 99284bc91cf829e9602b4b95811c1d72977700b6
  SHA256: 9f993a1f6a133fa8375eab99bf1710471dd13ef177ef713acf8921fb4ff565a3
  SHA512: 52c91043f514f3f8ce07f8e60357786eb7236fcf6cdcccca0dd76000b9a23d6b138cebcdec53b01823cb2313ec850fc7bece326ec01d44ed33f4052b789b7629
- Filesize: 290KB
  MD5: 6c0995128d501edbf35ae2bf56de809c
  SHA1: 2d94ddd3496b0b28cb31d2920eb7f23c63c45180
  SHA256: 7379d0aaa97c74a968df83a00a261216c3cef394310bd8cdc0a8d7976a605f08
  SHA512: 02850064fcd226dce5ffeefe672e3cdd7a2b57c6e000f4d0776ac84ae4f60a611e2176d91e51c8eb641804155dcf074cf49c544d4a01e46c1ba8c10f9d3c2380
- Filesize: 136KB
  MD5: 79382ad57678cb38bc57de62829e66c6
  SHA1: 9f93bca069df1b5492f377976d3a3229e5e28e45
  SHA256: 1ed47b4b7ef9f5def330f2f7f744217b1effd812662a6713b9f495d756b52ec6
  SHA512: f5ffe8d8d2d15e42c3aa13dc54379e5310b3030b47af7caa352b32043cf8ca1e07f65bb214f6cbccb3e59da14997f1567ccdb25cbcee4d61646b3f4a3c0cb212
- Filesize: 1.7MB
  MD5: 547a835a27e3bc0747da8a3a2380bb36
  SHA1: c0d4e69592fe7eee856db17ab855d702f82034ff
  SHA256: f50394f89c05055b4684bf227df1390d27a336067541dae8a677b8909f135c28
  SHA512: cd7ca9b80b916e9906cbd26b86d0651df76b206f6ead309f981b3d5a07319e224b28a305334377c6d99a8b8b1d06536c91b5f0b58c96678ebfb8a54fe9bbc14a
- Filesize: 2.0MB
  MD5: 9fea051a9585f2a303d55745b4bf63aa
  SHA1: f5dc12d658402900a2b01af2f018d113619b96b8
  SHA256: b212e59e4c7fe77f6f189138d9d8b151e50eb83a35d6eadfb1e4bb0b4262c484
  SHA512: beba79f0b6710929871fbdf378d3c0a41f230ac30cbfa87173f7b77c35e06425f48db42ed3b16d5d9bcb7ef0098dffcd0d2947da8fb7ec1136ea62205f1afc76