Analysis
- max time kernel: 7s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 29-12-2023 21:00
Static task: static1
Behavioral task: behavioral1
- Sample: 03e11938813980f4ee92eafaa1ef0941.dll
- Resource: win7-20231129-en
General
- Target: 03e11938813980f4ee92eafaa1ef0941.dll
- Size: 1.7MB
- MD5: 03e11938813980f4ee92eafaa1ef0941
- SHA1: e38ff61eaaee9fd598dc696034625b95a6e8e444
- SHA256: fb7090afa187d1404a763ce8352a48a9c6fa47da4f1c0dd1b0cbfb87a59c56e0
- SHA512: 4066cb8ecfaf9fdf0badc021d3d1c21d632d9242a7e9a5ccbe5e6683fd21802ea8e780428ce87b745d2241efe2e45b58e341f63b65dd2fb432eca1e9714cf418
- SSDEEP: 12288:DVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:SfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
YARA match: dridex_stager_shellcode
  resource                                                                    yara_rule
  behavioral1/memory/1248-5-0x0000000002520000-0x0000000002521000-memory.dmp  dridex_stager_shellcode
Executes dropped EXE (3 IoCs)
  pid   Process
  2624  SystemPropertiesProtection.exe
  2816  DWWIN.EXE
  2340  spreview.exe
Loads dropped DLL (7 IoCs)
  pid   Process
  1248  (not listed)
  2624  SystemPropertiesProtection.exe
  1248  (not listed)
  2816  DWWIN.EXE
  1248  (not listed)
  2340  spreview.exe
  1248  (not listed)
Adds Run key to start application (2 TTPs, 1 IoCs)
  description      ioc
  Set value (str)  \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mjgqrtoi = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\OMZuj\\DWWIN.EXE"
  Process: (not listed)
Checks whether UAC is enabled (4 IoCs)
  description        ioc                                                                               Process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  SystemPropertiesProtection.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  DWWIN.EXE
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  spreview.exe
Suspicious behavior: EnumeratesProcesses (29 IoCs)
  pid   Process
  2976  rundll32.exe (3 entries)
  1248  (not listed; 26 entries)
Suspicious use of WriteProcessMemory (18 IoCs)
  description                       pid   Process       procid_target
  PID 1248 wrote to memory of 2344  1248  (not listed)  29  (3 entries)
  PID 1248 wrote to memory of 2624  1248  (not listed)  28  (3 entries)
  PID 1248 wrote to memory of 1900  1248  (not listed)  31  (3 entries)
  PID 1248 wrote to memory of 2816  1248  (not listed)  30  (3 entries)
  PID 1248 wrote to memory of 1244  1248  (not listed)  33  (3 entries)
  PID 1248 wrote to memory of 2340  1248  (not listed)  32  (3 entries)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\03e11938813980f4ee92eafaa1ef0941.dll,#1
  PID: 2976
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
- C:\Users\Admin\AppData\Local\uI8myEsuU\SystemPropertiesProtection.exe
  Command line: C:\Users\Admin\AppData\Local\uI8myEsuU\SystemPropertiesProtection.exe
  PID: 2624
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\SystemPropertiesProtection.exe
  Command line: C:\Windows\system32\SystemPropertiesProtection.exe
  PID: 2344
- C:\Users\Admin\AppData\Local\0B2zk8txD\DWWIN.EXE
  Command line: C:\Users\Admin\AppData\Local\0B2zk8txD\DWWIN.EXE
  PID: 2816
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\DWWIN.EXE
  Command line: C:\Windows\system32\DWWIN.EXE
  PID: 1900
- C:\Users\Admin\AppData\Local\V18\spreview.exe
  Command line: C:\Users\Admin\AppData\Local\V18\spreview.exe
  PID: 2340
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\spreview.exe
  Command line: C:\Windows\system32\spreview.exe
  PID: 1244
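As an added example (not part of the sandbox output), the following Python re-derives this report's indicators from process and registry events: the three Windows binary names executing from directories under AppData\Local (the processes marked Executes dropped EXE and Loads dropped DLL), each of them also launched from its System32 location in the same trace, rundll32 calling the sample's export by ordinal from AppData\Local\Temp, and the Run key Mjgqrtoi pointing into AppData\Roaming. The event records, the SYSTEM_BINARIES set and the rule names are constructed for the example from the IoCs above; nothing here is Triage's own detection logic.

```python
"""Added triage example: re-derive this report's persistence and side-loading
indicators from process and registry event records. SAMPLE_EVENTS is
constructed from the report's own process tree and Run-key IoC."""
import re
from collections import defaultdict

# Assumption: these names ship only under %SystemRoot%\system32. The set is
# seeded from this report; in practice it comes from a clean-host inventory.
SYSTEM_BINARIES = {"systempropertiesprotection.exe", "dwwin.exe", "spreview.exe"}
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\(local|roaming)\\", re.I)
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)
RUNDLL_ORDINAL = re.compile(r"rundll32(?:\.exe)?\s+(?P<dll>\S+?\.dll),#\d+", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def copied_system_binary(image_path):
    """A System32 binary name running from a per-user writable directory."""
    p = image_path.lower()
    return basename(p) in SYSTEM_BINARIES and USER_WRITABLE.match(p) is not None


def rundll32_ordinal_from_user_dir(cmdline):
    """rundll32 <dll>,#N with <dll> under AppData (export named by ordinal)."""
    m = RUNDLL_ORDINAL.search(cmdline)
    return m is not None and USER_WRITABLE.match(m["dll"].lower()) is not None


def run_key_target(ioc):
    """Parse 'KEY = "value"' as the sandbox prints it (quoted string with
    doubled backslashes). Returns (value_name, target_path), or None when
    the key is not a CurrentVersion\\Run key."""
    key, _, raw = ioc.partition(" = ")
    if not RUN_KEY.search(key):
        return None
    target = raw.strip().strip('"').replace("\\\\", "\\")
    return key.rsplit("\\", 1)[-1], target


def triage(events):
    """events: dicts of type 'process' (image, optional cmdline) or
    'registry' (ioc). Returns a sorted list of (rule, detail) tuples."""
    findings = set()
    seen = defaultdict(set)  # basename -> subset of {"system", "user"}
    for ev in events:
        if ev["type"] == "process":
            img = ev["image"]
            name = basename(img)
            if copied_system_binary(img):
                findings.add(("system_binary_in_user_dir", img))
            if name in SYSTEM_BINARIES:
                if img.lower().startswith(TRUSTED_DIRS):
                    seen[name].add("system")
                elif USER_WRITABLE.match(img.lower()):
                    seen[name].add("user")
            if rundll32_ordinal_from_user_dir(ev.get("cmdline", "")):
                findings.add(("rundll32_ordinal_export_from_user_dir", ev["cmdline"]))
        elif ev["type"] == "registry":
            parsed = run_key_target(ev["ioc"])
            if parsed and USER_WRITABLE.match(parsed[1].lower()):
                findings.add(("run_key_to_user_dir", f"{parsed[0]} -> {parsed[1]}"))
                if basename(parsed[1]) in SYSTEM_BINARIES:
                    findings.add(("run_key_to_copied_system_binary", parsed[1]))
    # The same System32 name launched from both locations in one trace.
    for name, where in seen.items():
        if where == {"system", "user"}:
            findings.add(("paired_system_and_user_launch", name))
    return sorted(findings)


# Constructed from this report's process tree and Run-key IoC.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 2976, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\03e11938813980f4ee92eafaa1ef0941.dll,#1"},
    {"type": "process", "pid": 2624, "image": r"C:\Users\Admin\AppData\Local\uI8myEsuU\SystemPropertiesProtection.exe"},
    {"type": "process", "pid": 2344, "image": r"C:\Windows\system32\SystemPropertiesProtection.exe"},
    {"type": "process", "pid": 2816, "image": r"C:\Users\Admin\AppData\Local\0B2zk8txD\DWWIN.EXE"},
    {"type": "process", "pid": 1900, "image": r"C:\Windows\system32\DWWIN.EXE"},
    {"type": "process", "pid": 2340, "image": r"C:\Users\Admin\AppData\Local\V18\spreview.exe"},
    {"type": "process", "pid": 1244, "image": r"C:\Windows\system32\spreview.exe"},
    {"type": "registry",
     "ioc": r'\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mjgqrtoi = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\OMZuj\\DWWIN.EXE"'},
]

if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_EVENTS):
        print(f"{rule:40} {detail}")
```

Run against the constructed events this yields nine findings: one per AppData copy, one paired launch per binary name, the rundll32 ordinal call, and two for the Run key (it points into AppData and its target is one of the copied System32 names). The paired-launch rule is the one that separates this pattern from a user who simply has a stray copy of a tool in a profile directory.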
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: ed883c1168daa33af0b82fe3d9e430ec
  SHA1: ca560294ea4eb8f2ad48edbffa7d509a9390e955
  SHA256: d47618777d557c9cc45b560814e8b3c23d53d4bc191a2a4052d80998ea5c5378
  SHA512: 52e40fc9d19cf95cd2f9157ac345ee431a2f2c254513265e6f4d8ea902138cf552e5aaf3f5e48faaca03ea8b7335f8f1fb854cc2e4f63f04d8c26b17f5313faf