Analysis
- max time kernel: 150s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 19-01-2024 12:26
Static task: static1
Behavioral task: behavioral1
Sample: 679f5677802f338adc80c1c2058b5f66.dll
Resource: win7-20231215-en
General
- Target: 679f5677802f338adc80c1c2058b5f66.dll
- Size: 1.4MB
- MD5: 679f5677802f338adc80c1c2058b5f66
- SHA1: de3198e8574810a74dea319fa5f3646b2ed05b64
- SHA256: 7c001fa46c93bc6147cf0e2fafbbf52213c1ec82788aa9bba51c89bb12cfe90f
- SHA512: 1720b8eb1a8c1f0d35519c30089acf516f79bb4071636862b53d47a97a79f650dff53f823a7209a6099b884b4f898eedd1a7747d5b00fc21d268e8cd5561e11d
- SSDEEP: 12288:SVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:PfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
-
Processes:
resource | yara_rule
behavioral1/memory/1256-5-0x00000000029A0000-0x00000000029A1000-memory.dmp | dridex_stager_shellcode
-
Executes dropped EXE 3 IoCs
Processes:
pid | process
2632 | psr.exe
1484 | rdpshell.exe
2596 | DWWIN.EXE
-
Loads dropped DLL 7 IoCs
Processes:
pid | process
1256 | (no process name recorded)
2632 | psr.exe
1256 | (no process name recorded)
1484 | rdpshell.exe
1256 | (no process name recorded)
2596 | DWWIN.EXE
1256 | (no process name recorded)
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\Pfoxtyecp = "C:\\Users\\Admin\\AppData\\Roaming\\Identities\\cNk17rkA1\\rdpshell.exe" | (no process name recorded)
-
Checks whether UAC is enabled
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | psr.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rdpshell.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | DWWIN.EXE
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process
1700 | rundll32.exe
1700 | rundll32.exe
1700 | rundll32.exe
1256 | (no process name recorded; this row accounts for the remaining 61 of the 64 IoCs)
-
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
description | pid | process | target process
PID 1256 wrote to memory of 2588 | 1256 | (not recorded) | psr.exe
PID 1256 wrote to memory of 2588 | 1256 | (not recorded) | psr.exe
PID 1256 wrote to memory of 2588 | 1256 | (not recorded) | psr.exe
PID 1256 wrote to memory of 2632 | 1256 | (not recorded) | psr.exe
PID 1256 wrote to memory of 2632 | 1256 | (not recorded) | psr.exe
PID 1256 wrote to memory of 2632 | 1256 | (not recorded) | psr.exe
PID 1256 wrote to memory of 476 | 1256 | (not recorded) | rdpshell.exe
PID 1256 wrote to memory of 476 | 1256 | (not recorded) | rdpshell.exe
PID 1256 wrote to memory of 476 | 1256 | (not recorded) | rdpshell.exe
PID 1256 wrote to memory of 1484 | 1256 | (not recorded) | rdpshell.exe
PID 1256 wrote to memory of 1484 | 1256 | (not recorded) | rdpshell.exe
PID 1256 wrote to memory of 1484 | 1256 | (not recorded) | rdpshell.exe
PID 1256 wrote to memory of 2912 | 1256 | (not recorded) | DWWIN.EXE
PID 1256 wrote to memory of 2912 | 1256 | (not recorded) | DWWIN.EXE
PID 1256 wrote to memory of 2912 | 1256 | (not recorded) | DWWIN.EXE
PID 1256 wrote to memory of 2596 | 1256 | (not recorded) | DWWIN.EXE
PID 1256 wrote to memory of 2596 | 1256 | (not recorded) | DWWIN.EXE
PID 1256 wrote to memory of 2596 | 1256 | (not recorded) | DWWIN.EXE
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\rundll32.exe
Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\679f5677802f338adc80c1c2058b5f66.dll,#1
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID: 1700
-
C:\Windows\system32\psr.exe
Command line: C:\Windows\system32\psr.exe
PID: 2588
-
C:\Users\Admin\AppData\Local\MV9PFCsb\psr.exe
Command line: C:\Users\Admin\AppData\Local\MV9PFCsb\psr.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID: 2632
-
C:\Windows\system32\rdpshell.exe
Command line: C:\Windows\system32\rdpshell.exe
PID: 476
-
C:\Users\Admin\AppData\Local\rROJpS\rdpshell.exe
Command line: C:\Users\Admin\AppData\Local\rROJpS\rdpshell.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID: 1484
-
C:\Windows\system32\DWWIN.EXE
Command line: C:\Windows\system32\DWWIN.EXE
PID: 2912
-
C:\Users\Admin\AppData\Local\8KCIv\DWWIN.EXE
Command line: C:\Users\Admin\AppData\Local\8KCIv\DWWIN.EXE
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID: 2596
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 34KB
MD5 c40e3ac357d53db3e87cd9550d7f5673
SHA1 6838f08269981e8c2e9d1128bd8afe8ada1f69e2
SHA256 c9fe84f54804c39845ba0b0668a1cc713569f05cc9f2d1f3e7fc3efa12d64ee6
SHA512 7c15e2303e27b0d6b8ec56a40780510d99723d45f0739fb702dfb4330331cf6b3a8c5138e9bc91b9533ef6f829da6ca9edd7e86a2191fdacc872fc33ea15f704
-
Filesize 35KB
MD5 6064b8f30bcd7072a98f9773e44c4035
SHA1 909f8c53d7db15c3a8e532ffb4770ff9e087904e
SHA256 87ff8d061e4ce447dff6893482f911a98945ce7525f3a052571a14526249f938
SHA512 0d6f2bc53525c4b1834a1c885a5cd5685364bb6604bd36c24131d7a8645da094878932b3f4a41386a93932f3a66018f8540c7b09c3ed0ee2a77bcf58c11d4bfd
-
Filesize 127KB
MD5 0ed3fa6e52776eb7028ebee97e05eba2
SHA1 f6b913e04b3d129c32e43b6278b1b849c1c58d34
SHA256 ef5a59e45bdcfd212ae07018d30a1be7ad71bbf27dfc9148867f09b8395acd4a
SHA512 3244ca4a90c75a005dffc7446f19e8c64e08f027b59f725a382bddae8e04dd5417d9348976ebf6806c55fb12bc695190459d24498c609c1f13fee840dfb57456
-
Filesize 96KB
MD5 38382d1273b37fbcf2ef43d20df39013
SHA1 68a68ac5f3cd728e417e0e58d226f95d6b52c473
SHA256 79ef84b0b50cd965742335555aaea1cf0f91e725c4034351b0895f76e84213cf
SHA512 53fa597cffcb481099b5fc72537cef7a3cb04e79dac7fcb540453a603a038f4fc639b302c1dd7d3284569f5e36cf91d22292c94648ff7246f38d263a29b67992
-
Filesize 70KB
MD5 51a63d55e43f4dc5655d271a18c1f7e3
SHA1 3034875b78e06a0ea7096031c22a2d5051f7522f
SHA256 1dc000cc391ac33ead458c91c4c6521c38f6552dd11ee4a3114f3d2f70194a8e
SHA512 b5feb2599e60ab1c4f60430dd2dfde4db84efb4ea87c9170af9ceabe7e9ac5e87c40c81933b2d49a363ece3527ca4b4df40b015a4e59e873ec004f594051f068
-
Filesize 134KB
MD5 be21b393717f06dbc9d05d1f77a2cfef
SHA1 649c0a10797212e0c6c648c7bb5c7998538a1acd
SHA256 21949c94bfdd978e7beb433143b95d5bbc2c4792735cf8707a3b83bc527838fa
SHA512 40301687134b4f0f369b371692ebe3f87187017194b2744db86778e9a0c7a2fd3f0c20797870b173001968cd663daf7d9a08c5342df7f4ff23149cbb3cd9be22
-
Filesize 216KB
MD5 754f7871ad9feabbafb79db819faad77
SHA1 9d2478c0128ef07a2100226294fa67a8639a4ac4
SHA256 98cbd1418286dc9c46031a5dd0391d820dba55eb8cfcb57d23ff6762bd642986
SHA512 fa2e2c9423a62c595893b325b85f0315fc8ac7e1086e22bbc12b2f24467db8800f7ccbb67a2cf6257bbc79df19df79cf7c4aad172551c6bdf9503beccbfd04f2
-
Filesize 96KB
MD5 a262e4b1669a85e0ba25a03a4039bab0
SHA1 6f08df16ff05ee4da069d1cc9089a02b95bf5a0d
SHA256 169faa2a633af682fdf36f3cfb193019df8028922fd3a6de18cb25128d26318c
SHA512 d6de0bddeb9015e387ce4744822e66adfee7fdb25b78c6fe995f02d87ba64d1881c5a7a633ea152a9b9d368334da50ee68e367c18873c04589f42f185f25c10f
-
Filesize 1.4MB
MD5 d33238f17c7a871f8682c5593648a75d
SHA1 34eb2c0af8fc7b52e216f3251acdcea63d985006
SHA256 867f41b788727d482622e3c67c68c0473e743dc17d2ca71843a2b2fd526f6dd7
SHA512 4a72a6b1de4d69cd84cd4886d8d4028712ae414f4fbdd76c85298192f09326920b207b60b3479f646a2836600a8d27316019ae09cbbace76a8fb227a0df4fc06
-
Filesize 1.4MB
MD5 76aed4a94b23acfdbf3282514aec5d5b
SHA1 85ccd29984bb1c65a7dadda5d4bfde710b776bdd
SHA256 71029c3bfe02745f049d22ae406b62bccec443ab40f0e16fb9d5c7b13bf57c89
SHA512 af12ee34091aa7a68c2556d0d2a70f0d30cb40b29e7ca6bb981fb34e0f6e13a7ae088281f71058ab0c5b45e55b9e563194e808a65280907b7a67fe5e48707388
-
Filesize 1KB
MD5 f54832099084270f768a19b48b99b60a
SHA1 966a5a0917163e3433be36474b08a0209c5fad3c
SHA256 b92bc3831c873696b358d8bd962aa114d60d76f130f771463f268eb3ae21a3ca
SHA512 41183cb36af3b0970225010b6209ffa130f04cefeea91ebc378ddfb8c306311e08a327d7262893c2a83a2eb52623848efee3c5688c6cdf2e6762b015460f6ce5
-
C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\GYjwXoax4EI\DWWIN.EXE
Filesize 93KB
MD5 4d2171ba2993a7ad8ec778440920eb31
SHA1 20c34afda8ca4eae382c104e01f9d851d0410370
SHA256 a48c64a3e9c55b5b07345f27463dba1819e8d152706f059c3c7ce31f18286da3
SHA512 49313d05abc8539d6988df3ea7ac8de08142a0dbc9205039f7b3e2e15dca15db1b411acc5a74215ca9188953f3590f0d3818947d509569804103131e65118389
-
C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\GYjwXoax4EI\VERSION.dll
Filesize 1.4MB
MD5 3177bb54df3646e4820b31b9a53fb954
SHA1 8aeaddfeee5a443918e5b72d12508ee442f321a4
SHA256 4134fb688470ae345d6ed2b277793d38b5225f5968dd8ffe13479b4d4f987451
SHA512 adf893bb3d39edd58fae53490c48a036f7cf577baf6d1b54c1adda23689240251673369b474174c0461413f6e4b1b2466fe612914786e71db3da4e22ed8f7df0
-
Filesize 59KB
MD5 cc593e93a39b5fb69a63c0f1793b49f4
SHA1 0b9f87865f469caabc5beaaa4b175f780ffa1104
SHA256 aeea8a47dcaa3d5e73a41e8d006319e9df51e1e5f983b2a6d91c7b8dd96e63a2
SHA512 885a70812880e4fad456606d2967fe05e9b4c55b0cc3028d5592555f28711e68cdd842f859753aa2a34d7823a0480537fb9230397f81a9a1e31dd07cde281f95
-
Filesize 43KB
MD5 c25d0beb1bc99e68fbf790d7348e8e5e
SHA1 bc857c15b0c42429962979f01a937d1ef4c31c47
SHA256 5db0d61aee0b175106e67c26967b34b465ea67acc472992c46216a621f838baf
SHA512 1ec3d60496fe4b2005d36fac89fc82615f8eb239760dd24085738267ce7d4142dfd9d17803039e88b7b1219a939906bf14e1eeaa91b8f206eb19ece79daf1cb4
-
Filesize 70KB
MD5 32f8774a09ab9250133235037718eea5
SHA1 301f49f0a86b69bbe7fca85b23aa32c15a370160
SHA256 d45ce5dc62519739f1ddde8d57f17cfd4408a877b35dc839b1c300aad81ff377
SHA512 5f96b34e46b5a2b73e2c37fa83bedf27f1908322101e37a51086de92662fe4d408b364eec7931fd1304a9cb1eabce21703a14d2adb122f4bcdb3f8e1b856f971
-
Filesize 48KB
MD5 2b49d7a773b5bb08e31c56e849d7cdc2
SHA1 436483053909dd1125a45dcec3a2d9ade77e8600
SHA256 2bc0a0b3e5cf75831bad4055f4201fc59b9a293f1971b1d1d4e3bac53fc3e9ea
SHA512 427087c3fc497236e05c70de84cd848d227cb7415b67a1daab717e80027a9d92690765ce371d744aaf7fdb6d657883339b308f66412a162e640b37536615b9c6
-
Filesize 120KB
MD5 c2b92f11a11f174629d9fc04f2ea7eac
SHA1 3920473b698ed74413e5ee898955b53c6f8c5318
SHA256 433f4411b019ffb962dafaf42aa68c7be6a4f27c3819ba1bcdf6729e833e9136
SHA512 bb7c1df8112a0cf27e17bcd0fcd60be54af9eeb00c90be84ce232f642feaf9e272861d180a88f7644356497fcaa5ae6434f2bab74dfea2a7888c69e0f1636e0b
-
Filesize 147KB
MD5 b6c2251539732cabcac4402bedd804ec
SHA1 8baf7dc7cb7316066e59856f7928ba0b1de5bf84
SHA256 0199d976bbddeb1b16afbf85c6168301ddc4fb167cb3c3c4ec33e07f793a55a7
SHA512 529126a3507db4cef14f1021c8212f3d72a1f932a0f33ab637b300bc98894c478631a76312fcb4724ede4c8f00303dc037da78e7f44eb6eb86c3cf503c9ef2df
-
\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\GYjwXoax4EI\DWWIN.EXE
Filesize 92KB
MD5 b81e20c086a21134104235aa45ca2623
SHA1 605f12cdf34813c6de77f8122d24fdf32eb9ef35
SHA256 4faafad24207b0a5320ee1ef71c25aaf9517542af0608d7f3c91103414fffcce
SHA512 aba1cb2b6261f59307d616b1429351178b611bbaa57d71c2c49a3e12bb499717bcdb9badf2a01e6c2ad13ae6b2d1871874dcc7d77d8ccbb11ea40d826f6a128c