Analysis
- max time kernel: 150s
- max time network: 126s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 20-01-2024 07:08
Static task: static1
Behavioral task: behavioral1
Sample: 69cd7320b88e1819f445bb8db3d0e43f.dll
Resource: win7-20231215-en
General
- Target: 69cd7320b88e1819f445bb8db3d0e43f.dll
- Size: 1.7MB
- MD5: 69cd7320b88e1819f445bb8db3d0e43f
- SHA1: 5564a3813c18c1a44a3808c4f148ff3cace908c7
- SHA256: bcdd2a40691235cb270bc9cdcf08b99de975ddb77896eb02fd19508fdd2a57d5
- SHA512: 9d357c5c0f48eac03bd63dbed69bf075054401a629e0ecd467a7a6ff6cbaa9081d90bcecb0c755361c3f0774ce43abd64463aad3230d5ba156af814e57735611
- SSDEEP: 12288:6VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:nfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
-
Processes:
  resource | yara_rule
  behavioral1/memory/1212-5-0x0000000002B20000-0x0000000002B21000-memory.dmp | dridex_stager_shellcode
Executes dropped EXE 3 IoCs
Processes:
  pid | process
  592 | icardagt.exe
  3020 | tcmsetup.exe
  2212 | dpapimig.exe
Loads dropped DLL 7 IoCs
Processes:
  pid | process
  1212 | (no process name recorded)
  592 | icardagt.exe
  1212 | (no process name recorded)
  3020 | tcmsetup.exe
  1212 | (no process name recorded)
  2212 | dpapimig.exe
  1212 | (no process name recorded)
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  description | ioc
  Set value (str) | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\Lgpbj = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\wr8pTpN92\\tcmsetup.exe"
Checks whether UAC is enabled
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | icardagt.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | tcmsetup.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | dpapimig.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
  pid | process
  2968 | rundll32.exe
  2968 | rundll32.exe
  2968 | rundll32.exe
  1212 | (no process name recorded; this entry is repeated for the remaining IoCs in the report)
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
  description | pid | target process
  PID 1212 wrote to memory of 1204 | 1212 | icardagt.exe
  PID 1212 wrote to memory of 1204 | 1212 | icardagt.exe
  PID 1212 wrote to memory of 1204 | 1212 | icardagt.exe
  PID 1212 wrote to memory of 592 | 1212 | icardagt.exe
  PID 1212 wrote to memory of 592 | 1212 | icardagt.exe
  PID 1212 wrote to memory of 592 | 1212 | icardagt.exe
  PID 1212 wrote to memory of 988 | 1212 | tcmsetup.exe
  PID 1212 wrote to memory of 988 | 1212 | tcmsetup.exe
  PID 1212 wrote to memory of 988 | 1212 | tcmsetup.exe
  PID 1212 wrote to memory of 3020 | 1212 | tcmsetup.exe
  PID 1212 wrote to memory of 3020 | 1212 | tcmsetup.exe
  PID 1212 wrote to memory of 3020 | 1212 | tcmsetup.exe
  PID 1212 wrote to memory of 1672 | 1212 | dpapimig.exe
  PID 1212 wrote to memory of 1672 | 1212 | dpapimig.exe
  PID 1212 wrote to memory of 1672 | 1212 | dpapimig.exe
  PID 1212 wrote to memory of 2212 | 1212 | dpapimig.exe
  PID 1212 wrote to memory of 2212 | 1212 | dpapimig.exe
  PID 1212 wrote to memory of 2212 | 1212 | dpapimig.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\69cd7320b88e1819f445bb8db3d0e43f.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID: 2968
-
C:\Windows\system32\icardagt.exe
  Command line: C:\Windows\system32\icardagt.exe
  PID: 1204
-
C:\Users\Admin\AppData\Local\sIuNUZy\icardagt.exe
  Command line: C:\Users\Admin\AppData\Local\sIuNUZy\icardagt.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 592
-
C:\Windows\system32\tcmsetup.exe
  Command line: C:\Windows\system32\tcmsetup.exe
  PID: 988
-
C:\Users\Admin\AppData\Local\pfaKg9vz\tcmsetup.exe
  Command line: C:\Users\Admin\AppData\Local\pfaKg9vz\tcmsetup.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 3020
-
C:\Windows\system32\dpapimig.exe
  Command line: C:\Windows\system32\dpapimig.exe
  PID: 1672
-
C:\Users\Admin\AppData\Local\7Z9\dpapimig.exe
  Command line: C:\Users\Admin\AppData\Local\7Z9\dpapimig.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 2212
Network
MITRE ATT&CK Enterprise v15
Downloads