Analysis
max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags
arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted
20-01-2024 18:50
Static task
static1
Behavioral task
behavioral1
Sample
6b2fb57199a0f55f49fc0b789c648d8f.dll
Resource
win7-20231215-en
General
Target
6b2fb57199a0f55f49fc0b789c648d8f.dll
Size
660KB
MD5
6b2fb57199a0f55f49fc0b789c648d8f
SHA1
e2f1f1f40061ab510d2660fae69a78718eaf2afd
SHA256
91e3ce41002c675b3c1fb73ecb4b2c055d2560a0c909753a9ad1f26f47d1d2b0
SHA512
b4dbf4859b61a180b6d1473b065e7fc76153679e505f4cf9896a4757c34d088c4cb335421880aa702cb82ed29ae79b14f71045b56463d64f72741d99c39a84c4
SSDEEP
6144:a34xznfAp4x+NWMqW/KZ1vCDTEpc2bysCZR6iwAtUnWKT5WK8Rpv1llfFfCRAuTF:aIKp/UWCZdCDh2IZDwAFRpR6Au
Malware Config
Signatures
YARA rule match (memory resource, yara_rule):
- behavioral1/memory/1196-4-0x0000000003BA0000-0x0000000003BA1000-memory.dmp: dridex_stager_shellcode
YARA rule matches (memory resource, yara_rule):
- behavioral1/memory/2404-0-0x000007FEF75C0000-0x000007FEF7665000-memory.dmp: dridex_payload
- behavioral1/memory/1196-14-0x0000000140000000-0x00000001400A5000-memory.dmp: dridex_payload
- behavioral1/memory/1196-22-0x0000000140000000-0x00000001400A5000-memory.dmp: dridex_payload
- behavioral1/memory/1196-34-0x0000000140000000-0x00000001400A5000-memory.dmp: dridex_payload
- behavioral1/memory/1196-33-0x0000000140000000-0x00000001400A5000-memory.dmp: dridex_payload
- behavioral1/memory/2404-42-0x000007FEF75C0000-0x000007FEF7665000-memory.dmp: dridex_payload
- behavioral1/memory/2528-50-0x000007FEF7670000-0x000007FEF7716000-memory.dmp: dridex_payload
- behavioral1/memory/2528-55-0x000007FEF7670000-0x000007FEF7716000-memory.dmp: dridex_payload
- behavioral1/memory/2412-67-0x000007FEF6A40000-0x000007FEF6AE6000-memory.dmp: dridex_payload
- behavioral1/memory/2412-71-0x000007FEF6A40000-0x000007FEF6AE6000-memory.dmp: dridex_payload
- behavioral1/memory/2840-90-0x000007FEF6A40000-0x000007FEF6AE6000-memory.dmp: dridex_payload
Executes dropped EXE 3 IoCs
Processes (pid, process):
- 2528 spinstall.exe
- 2412 wbengine.exe
- 2840 Dxpserver.exe
Loads dropped DLL 7 IoCs
Processes (pid, process; no process name is recorded for pid 1196):
- 1196
- 2528 spinstall.exe
- 1196
- 2412 wbengine.exe
- 1196
- 2840 Dxpserver.exe
- 1196
Adds Run key to start application 2 TTPs 1 IoCs
Processes (description, ioc):
- Set value (str): \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rtxtioiynm = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\NETWOR~1\\Nqof\\wbengine.exe"
Checks whether UAC is enabled
Processes (description, ioc, process):
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (rundll32.exe)
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (spinstall.exe)
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (wbengine.exe)
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (Dxpserver.exe)
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (pid, process):
- 2404 rundll32.exe (3 entries)
- 1196 (repeated for the remaining entries; no process name is recorded for pid 1196)
- 2528 spinstall.exe
Suspicious use of WriteProcessMemory 18 IoCs
Processes (description, pid, target process; each entry appears three times in the report):
- PID 1196 wrote to memory of 2644: 1196, target process spinstall.exe
- PID 1196 wrote to memory of 2528: 1196, target process spinstall.exe
- PID 1196 wrote to memory of 1460: 1196, target process wbengine.exe
- PID 1196 wrote to memory of 2412: 1196, target process wbengine.exe
- PID 1196 wrote to memory of 2828: 1196, target process Dxpserver.exe
- PID 1196 wrote to memory of 2840: 1196, target process Dxpserver.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\6b2fb57199a0f55f49fc0b789c648d8f.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID: 2404
- C:\Windows\system32\spinstall.exe
  Command line: C:\Windows\system32\spinstall.exe
  PID: 2644
- C:\Users\Admin\AppData\Local\NiZ\spinstall.exe
  Command line: C:\Users\Admin\AppData\Local\NiZ\spinstall.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID: 2528
- C:\Windows\system32\wbengine.exe
  Command line: C:\Windows\system32\wbengine.exe
  PID: 1460
- C:\Users\Admin\AppData\Local\4j5\wbengine.exe
  Command line: C:\Users\Admin\AppData\Local\4j5\wbengine.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 2412
- C:\Windows\system32\Dxpserver.exe
  Command line: C:\Windows\system32\Dxpserver.exe
  PID: 2828
- C:\Users\Admin\AppData\Local\WDp\Dxpserver.exe
  Command line: C:\Users\Admin\AppData\Local\WDp\Dxpserver.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 2840
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
1.4MB
MD5
78f4e7f5c56cb9716238eb57da4b6a75
SHA1
98b0b9db6ec5961dbb274eff433a8bc21f7e557b
SHA256
46a4e78ce5f2a4b26f4e9c3ff04a99d9b727a82ac2e390a82a1611c3f6e0c9af
SHA512
1a24ea71624dbbca188ee3b4812e09bc42e7d38ceac02b69940d7693475c792685a23141c8faa85a87ab6aace3f951c1a81facb610d757ac6df37cf2aa65ccd2
-
Filesize
584KB
MD5
29c1d5b330b802efa1a8357373bc97fe
SHA1
90797aaa2c56fc2a667c74475996ea1841bc368f
SHA256
048bd22abf158346ab991a377cc6e9d2b20b4d73ccee7656c96a41f657e7be7f
SHA512
66f4f75a04340a1dd55dfdcc3ff1103ea34a55295f56c12e88d38d1a41e5be46b67c98bd66ac9f878ce79311773e374ed2bce4dd70e8bb5543e4ec1dd56625ee
-
Filesize
664KB
MD5
72dbe7ff8cb3b1c782692f3cc9615602
SHA1
7b97c3abc1e53da0d174f5f49bac65b2e005f13b
SHA256
c3ec167bc24e86e10581efc8f52840c6af30a72fe312924da4bc3f115ed55756
SHA512
cb5f4ef030942e8136626b9a225ef2b2d243dad900b2b196289335c592c537d5289382d25491c3e89bd0546a126ebdda8b6c0eee7dacd713ae155f62e8b0ea72
-
Filesize
664KB
MD5
fb64ceed968029f403123531851d7acf
SHA1
f37a9ca0f5dd5696f2c351977870ade2e82d8bc4
SHA256
a87870c970a7423677f3ae09e7e08bb3105444a7da98768746b06911a17dea0e
SHA512
15899dc3332e0c16bc3dbd4b54fa73e7218a7661fd79bc913807480535ea68d5ef2ec1f01608542300fb1085761d01122257d056a76c2c44c35309d444bc5df1
-
Filesize
1KB
MD5
9534854b41c9e1473edad151a648f6a0
SHA1
841219278c63a9f696f988b277dbcff8c2c04a01
SHA256
1dfe125c1e67d9ca9224ff594e9d111fed822cdc585ff0e7b260db839f19de50
SHA512
5ccd8cdcdbd6e8e91362a7ee3f90e59a6db4715793aebe69330ba6850999f4233cc26f1e07ee0f55695a06756695d894240b705e200d3957713d93dd415c2d75
-
Filesize
664KB
MD5
85ba6340c836fdcd7efc7fbc78d60817
SHA1
53e49b348a3ff1db4a5b59f34165f3ca6c1cbe4f
SHA256
2e0188862974438b82ac36ba48da6ff36884ac60fb4d4d95dee475dec5785c3e
SHA512
c4249b7c390a382aeddc94c1b3e3f445517c2c5962ae8d1bebc837f30e2b2a9997c758c4f892be4c55eea757c31e4ba58baf9d336dda8b74ef2de8f263ca3a67
-
Filesize
259KB
MD5
4d38389fb92e43c77a524fd96dbafd21
SHA1
08014e52f6894cad4f1d1e6fc1a703732e9acd19
SHA256
070bc95c486c15d2edc3548ba416dc9565ead401cb03a0472f719fb55ac94e73
SHA512
02d8d130cff2b8de15139d309e1cd74a2148bb786fd749e5f22775d45e193b0f75adf40274375cabce33576480ff20456f25172d29a034cd134b8084d40a67ba