Analysis
max time kernel: 150s
max time network: 122s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 19-01-2024 19:20
Static task: static1
Behavioral task: behavioral1
Sample: 686ead54f11ad7a199730fa54bd87917.dll
Resource: win7-20231215-en
General
Target: 686ead54f11ad7a199730fa54bd87917.dll
Size: 3.5MB
MD5: 686ead54f11ad7a199730fa54bd87917
SHA1: c45300b31ef01134e50004809d5e945c10ef6f21
SHA256: 157dba446a7b409cd3c0b7b59b764fde1820a4c8c7431a2ea28e841ec9ea5056
SHA512: 46cb02ef280e20b25201edb1d7fb0ab7752ea573c492e23c49421a931a60bd8ab700cd5fe851bbf71232cbe3627ac903a6133aaccd53111b8f8cc4d06caf2e39
SSDEEP: 12288:2VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:rfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
-
Processes:
resource                                                                   yara_rule
behavioral1/memory/1216-5-0x0000000002A80000-0x0000000002A81000-memory.dmp  dridex_stager_shellcode
Executes dropped EXE 3 IoCs
Processes:
pid   process
2732  SystemPropertiesPerformance.exe
1696  DeviceDisplayObjectProvider.exe
2972  dialer.exe
Loads dropped DLL 7 IoCs
Processes:
pid   process
1216  (no process name)
2732  SystemPropertiesPerformance.exe
1216  (no process name)
1696  DeviceDisplayObjectProvider.exe
1216  (no process name)
2972  dialer.exe
1216  (no process name)
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description      ioc                                                                                                                                                                                   process
Set value (str)  \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\Zqonzshwxyr = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\UserData\\ooE\\DEVICE~1.EXE"  (none recorded)
Checks whether UAC is enabled
Processes:
description        ioc                                                                            process
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  SystemPropertiesPerformance.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  DeviceDisplayObjectProvider.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  dialer.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid   process
1912  rundll32.exe  (listed 3 times)
1216  (no process name; all remaining entries)
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
description                        pid   process  target process
PID 1216 wrote to memory of 2588   1216           SystemPropertiesPerformance.exe  (listed 3 times)
PID 1216 wrote to memory of 2732   1216           SystemPropertiesPerformance.exe  (listed 3 times)
PID 1216 wrote to memory of 2044   1216           DeviceDisplayObjectProvider.exe  (listed 3 times)
PID 1216 wrote to memory of 1696   1216           DeviceDisplayObjectProvider.exe  (listed 3 times)
PID 1216 wrote to memory of 2440   1216           dialer.exe  (listed 3 times)
PID 1216 wrote to memory of 2972   1216           dialer.exe  (listed 3 times)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\686ead54f11ad7a199730fa54bd87917.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID: 1912
-
C:\Windows\system32\SystemPropertiesPerformance.exe
  command line: C:\Windows\system32\SystemPropertiesPerformance.exe
  PID: 2588
-
C:\Users\Admin\AppData\Local\eNHG53n1G\SystemPropertiesPerformance.exe
  command line: C:\Users\Admin\AppData\Local\eNHG53n1G\SystemPropertiesPerformance.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 2732
-
C:\Windows\system32\DeviceDisplayObjectProvider.exe
  command line: C:\Windows\system32\DeviceDisplayObjectProvider.exe
  PID: 2044
-
C:\Users\Admin\AppData\Local\4k4ENMr\DeviceDisplayObjectProvider.exe
  command line: C:\Users\Admin\AppData\Local\4k4ENMr\DeviceDisplayObjectProvider.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 1696
-
C:\Windows\system32\dialer.exe
  command line: C:\Windows\system32\dialer.exe
  PID: 2440
-
C:\Users\Admin\AppData\Local\eqVDJN76\dialer.exe
  command line: C:\Users\Admin\AppData\Local\eqVDJN76\dialer.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 2972
Network
MITRE ATT&CK Enterprise v15
Downloads