Analysis
max time kernel: 150s
max time network: 125s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 20-01-2024 01:37
Static task: static1
Behavioral task: behavioral1
Sample: 692759203e392d71d9dee01161280ef1.dll
Resource: win7-20231215-en
General
Target: 692759203e392d71d9dee01161280ef1.dll
Size: 2.6MB
MD5: 692759203e392d71d9dee01161280ef1
SHA1: dd9376cdcb27e27eafce10498630c75ca1b11432
SHA256: 3b12db2302d38fb3cb124b01f2f6bb81d2d14cc079e87406803e7883bc256a66
SHA512: 400a6dde11da33279d426345744481ee8a790a43b017a7d510222874d83ddd9014fe9a3abbe9b2b89e1c39e9da55663484ca4fbcaea7082303fa167e6d99633f
SSDEEP: 12288:gVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:FfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
Processes (resource | yara_rule):
behavioral1/memory/1312-5-0x0000000002AF0000-0x0000000002AF1000-memory.dmp | dridex_stager_shellcode
Executes dropped EXE (3 IoCs)
Processes (pid | process):
2612 | p2phost.exe
1396 | iexpress.exe
1900 | psr.exe
Loads dropped DLL (7 IoCs)
Processes (pid | process):
1312 |
2612 | p2phost.exe
1312 |
1396 | iexpress.exe
1312 |
1900 | psr.exe
1312 |
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes (description | ioc | process):
Set value (str) | \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\Fskzoiv = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache\\nL5vk0\\iexpress.exe" |
Checks whether UAC is enabled
Processes (description | ioc | process):
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | p2phost.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | iexpress.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | psr.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (pid | process):
2092 | rundll32.exe (3 entries)
1312 | (all remaining entries)
Suspicious use of WriteProcessMemory (18 IoCs)
Processes (description | pid | target process):
PID 1312 wrote to memory of 2576 | 1312 | p2phost.exe (3 entries)
PID 1312 wrote to memory of 2612 | 1312 | p2phost.exe (3 entries)
PID 1312 wrote to memory of 1928 | 1312 | iexpress.exe (3 entries)
PID 1312 wrote to memory of 1396 | 1312 | iexpress.exe (3 entries)
PID 1312 wrote to memory of 1816 | 1312 | psr.exe (3 entries)
PID 1312 wrote to memory of 1900 | 1312 | psr.exe (3 entries)
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Windows\system32\rundll32.exe
Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\692759203e392d71d9dee01161280ef1.dll,#1
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID: 2092

C:\Windows\system32\p2phost.exe
Command line: C:\Windows\system32\p2phost.exe
PID: 2576

C:\Users\Admin\AppData\Local\Z0VgzS\p2phost.exe
Command line: C:\Users\Admin\AppData\Local\Z0VgzS\p2phost.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID: 2612

C:\Windows\system32\iexpress.exe
Command line: C:\Windows\system32\iexpress.exe
PID: 1928

C:\Users\Admin\AppData\Local\Ki2Bh6Dn4\iexpress.exe
Command line: C:\Users\Admin\AppData\Local\Ki2Bh6Dn4\iexpress.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID: 1396

C:\Windows\system32\psr.exe
Command line: C:\Windows\system32\psr.exe
PID: 1816

C:\Users\Admin\AppData\Local\ZlEsTIdS\psr.exe
Command line: C:\Users\Admin\AppData\Local\ZlEsTIdS\psr.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID: 1900
Network
MITRE ATT&CK Enterprise v15
Downloads