Analysis
- max time kernel: 150s
- max time network: 125s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 20-01-2024 02:11
Static task: static1
Behavioral task: behavioral1
- Sample: 661942dec5f555ea16390ab0b8805570.dll
- Resource: win7-20231215-en
General
- Target: 661942dec5f555ea16390ab0b8805570.dll
- Size: 848KB
- MD5: 661942dec5f555ea16390ab0b8805570
- SHA1: 1c0cf8507b8ab448424fe88f164143291e17f4d8
- SHA256: 9fc724df4f2ae0f2d2b3a04540cf737782e0b77e296a03ec25418f3f36f05a6b
- SHA512: 09353633455251bb230592ca21328a63cee419b11b2d28ff9d2ad0da6b3b55d6a4c9614e3f99502001b6444e0e19ed8d0dcecd7a079bf5cd30f148f455be4606
- SSDEEP: 12288:wkbQEkWqv+157EYfxarhwLNuR7ek1tHffB/HzTyNQ6NIeGYr/R:wkbHkWfzZ5adwLNGeStHntqN7v
Malware Config
Signatures
Processes:
resource  yara_rule
behavioral1/memory/1276-4-0x0000000002B70000-0x0000000002B71000-memory.dmp  dridex_stager_shellcode

Processes:
resource  yara_rule
behavioral1/memory/1268-0-0x000007FEF69D0000-0x000007FEF6AA4000-memory.dmp  dridex_payload
behavioral1/memory/1276-19-0x0000000140000000-0x00000001400D4000-memory.dmp  dridex_payload
behavioral1/memory/1276-27-0x0000000140000000-0x00000001400D4000-memory.dmp  dridex_payload
behavioral1/memory/1276-40-0x0000000140000000-0x00000001400D4000-memory.dmp  dridex_payload
behavioral1/memory/1276-38-0x0000000140000000-0x00000001400D4000-memory.dmp  dridex_payload
behavioral1/memory/1268-41-0x000007FEF69D0000-0x000007FEF6AA4000-memory.dmp  dridex_payload
behavioral1/memory/2744-55-0x000007FEF6AB0000-0x000007FEF6B85000-memory.dmp  dridex_payload
behavioral1/memory/2744-60-0x000007FEF6AB0000-0x000007FEF6B85000-memory.dmp  dridex_payload
behavioral1/memory/3020-72-0x000007FEF6470000-0x000007FEF6546000-memory.dmp  dridex_payload
behavioral1/memory/3020-77-0x000007FEF6470000-0x000007FEF6546000-memory.dmp  dridex_payload
behavioral1/memory/1984-98-0x000007FEF6470000-0x000007FEF6545000-memory.dmp  dridex_payload
behavioral1/memory/1984-102-0x000007FEF6470000-0x000007FEF6545000-memory.dmp  dridex_payload
Executes dropped EXE 3 IoCs
Processes:
pid   process
2744  SystemPropertiesAdvanced.exe
3020  xpsrchvw.exe
1984  mstsc.exe
Loads dropped DLL 7 IoCs
Processes:
pid   process
1276
2744  SystemPropertiesAdvanced.exe
1276
3020  xpsrchvw.exe
1276
1984  mstsc.exe
1276
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
- description: Set value (str)
- ioc: \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\Fskzoiv = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\UserData\\5N9FPT~1\\xpsrchvw.exe"
- process: (not recorded)
Checks whether UAC is enabled
Processes:
description        ioc                                                                                process
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  SystemPropertiesAdvanced.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  xpsrchvw.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  mstsc.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid   process
1268  rundll32.exe
1268  rundll32.exe
1268  rundll32.exe
1276  (all remaining entries; process name not recorded)
Suspicious use of WriteProcessMemory 18 IoCs
Processes (each row below appears three times in the report):
description                       pid   process  target process
PID 1276 wrote to memory of 2648  1276           SystemPropertiesAdvanced.exe
PID 1276 wrote to memory of 2744  1276           SystemPropertiesAdvanced.exe
PID 1276 wrote to memory of 3032  1276           xpsrchvw.exe
PID 1276 wrote to memory of 3020  1276           xpsrchvw.exe
PID 1276 wrote to memory of 748   1276           mstsc.exe
PID 1276 wrote to memory of 1984  1276           mstsc.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\661942dec5f555ea16390ab0b8805570.dll,#1
  PID: 1268
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\SystemPropertiesAdvanced.exe
  command line: C:\Windows\system32\SystemPropertiesAdvanced.exe
  PID: 2648
- C:\Users\Admin\AppData\Local\H8rgbmeSz\SystemPropertiesAdvanced.exe
  command line: C:\Users\Admin\AppData\Local\H8rgbmeSz\SystemPropertiesAdvanced.exe
  PID: 2744
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\xpsrchvw.exe
  command line: C:\Windows\system32\xpsrchvw.exe
  PID: 3032
- C:\Users\Admin\AppData\Local\SBqVTmcXy\xpsrchvw.exe
  command line: C:\Users\Admin\AppData\Local\SBqVTmcXy\xpsrchvw.exe
  PID: 3020
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\mstsc.exe
  command line: C:\Windows\system32\mstsc.exe
  PID: 748
- C:\Users\Admin\AppData\Local\C0aS\mstsc.exe
  command line: C:\Users\Admin\AppData\Local\C0aS\mstsc.exe
  PID: 1984
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
Network
MITRE ATT&CK Enterprise v15
Downloads