Analysis

max time kernel: 153s
max time network: 124s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 20-01-2024 19:58

Static task: static1
Behavioral task: behavioral1
Sample: 6b53deb79d5fb69b096922195df55b2d.dll
Resource: win7-20231215-en
General

Target: 6b53deb79d5fb69b096922195df55b2d.dll
Size: 1.9MB
MD5: 6b53deb79d5fb69b096922195df55b2d
SHA1: 87dc146e5644c8cb19cfc413a5e09c94d6bc8935
SHA256: 3d0b692633b057a2b142656465598db8387395fd9a39752639b4667ae4479da8
SHA512: 2178739a2db8c272c7ed0bb1b3a43c72bdd7bc3bdda8fbc560bb4cccf656ba200c7a341b7dc347e8b26fd878732ea0d6ba2feb774328cf1ed7bdc9bf94f67a83
SSDEEP: 12288:4VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:tfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures

YARA rule match
  resource:   behavioral1/memory/1208-5-0x00000000025B0000-0x00000000025B1000-memory.dmp
  yara_rule:  dridex_stager_shellcode

Executes dropped EXE (3 IoCs)
  pid   process
  1248  dialer.exe
  1916  icardagt.exe
  1972  p2phost.exe

Loads dropped DLL (7 IoCs)
  pid   process
  1208  (blank)
  1248  dialer.exe
  1208  (blank)
  1916  icardagt.exe
  1208  (blank)
  1972  p2phost.exe
  1208  (blank)
  Entries for PID 1208 carry no process name in the report.

Adds Run key to start application (2 TTPs, 1 IoCs)
  description:  Set value (str)
  ioc:          \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\Niubkzso = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\5WsH\\icardagt.exe"
  process:      (blank)

Checks whether UAC is enabled
  description        ioc                                                                                  process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  dialer.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  icardagt.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  p2phost.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   process
  1320  rundll32.exe  (3 entries)
  1208  (blank)       (all remaining entries; no process name recorded)

Suspicious use of WriteProcessMemory (18 IoCs)
  description                        pid   process  target process
  PID 1208 wrote to memory of 2584   1208  (blank)  dialer.exe    (3 entries)
  PID 1208 wrote to memory of 1248   1208  (blank)  dialer.exe    (3 entries)
  PID 1208 wrote to memory of 1544   1208  (blank)  icardagt.exe  (3 entries)
  PID 1208 wrote to memory of 1916   1208  (blank)  icardagt.exe  (3 entries)
  PID 1208 wrote to memory of 1956   1208  (blank)  p2phost.exe   (3 entries)
  PID 1208 wrote to memory of 1972   1208  (blank)  p2phost.exe   (3 entries)

Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\6b53deb79d5fb69b096922195df55b2d.dll,#1
  PID: 1320
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses

C:\Windows\system32\dialer.exe
  command line: C:\Windows\system32\dialer.exe
  PID: 2584

C:\Users\Admin\AppData\Local\anX\dialer.exe
  command line: C:\Users\Admin\AppData\Local\anX\dialer.exe
  PID: 1248
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled

C:\Windows\system32\icardagt.exe
  command line: C:\Windows\system32\icardagt.exe
  PID: 1544

C:\Users\Admin\AppData\Local\On5aLtEj\icardagt.exe
  command line: C:\Users\Admin\AppData\Local\On5aLtEj\icardagt.exe
  PID: 1916
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled

C:\Windows\system32\p2phost.exe
  command line: C:\Windows\system32\p2phost.exe
  PID: 1956

C:\Users\Admin\AppData\Local\mMU\p2phost.exe
  command line: C:\Users\Admin\AppData\Local\mMU\p2phost.exe
  PID: 1972
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
Network
MITRE ATT&CK Enterprise v15
Downloads