Analysis
- max time kernel: 150s
- max time network: 126s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 24-01-2024 23:02
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 7315a7e24b903536485987c77dc91956.dll
  - Resource: win7-20231215-en
General
- Target: 7315a7e24b903536485987c77dc91956.dll
- Size: 2.9MB
- MD5: 7315a7e24b903536485987c77dc91956
- SHA1: 526cd2d7389cda304cc3c81c002c1114073f1c92
- SHA256: 17b5bae1fc1b7efdbcd4dc107c246ffe24201cdb7e3bafe80e23b7e5f3c1169b
- SHA512: b3399a9415848cb351726ff2bebf8124086f61d5cb5823a7789dab291da8780f5ef313b662a1a925054e8ffde76f5f5b960b774f51b9b894d02733bd4ef33489
- SSDEEP: 12288:RVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:gfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
Processes:
- resource: behavioral1/memory/1336-5-0x0000000002730000-0x0000000002731000-memory.dmp
  yara_rule: dridex_stager_shellcode
Executes dropped EXE 3 IoCs
Processes:
- pid 860: wscript.exe
- pid 940: msdtc.exe
- pid 1612: icardagt.exe
Loads dropped DLL 8 IoCs
Processes:
- pid 1336 (process name not recorded)
- pid 1336 (process name not recorded)
- pid 860: wscript.exe
- pid 1336 (process name not recorded)
- pid 940: msdtc.exe
- pid 1336 (process name not recorded)
- pid 1612: icardagt.exe
- pid 1336 (process name not recorded)
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
- description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\Zqonzshwxyr = "C:\\Users\\Admin\\AppData\\Roaming\\Identities\\ZJw\\msdtc.exe"
  process: (not recorded)
Checks whether UAC is enabled
Processes:
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (rundll32.exe)
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (wscript.exe)
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (msdtc.exe)
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (icardagt.exe)
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
- pid 2288: rundll32.exe (3 entries)
- pid 1336: process name not recorded (all remaining entries)
Suspicious use of WriteProcessMemory 18 IoCs
Processes (each row appears three times in the report):
- PID 1336 wrote to memory of 1036 (target process: wscript.exe)
- PID 1336 wrote to memory of 860 (target process: wscript.exe)
- PID 1336 wrote to memory of 1564 (target process: msdtc.exe)
- PID 1336 wrote to memory of 940 (target process: msdtc.exe)
- PID 1336 wrote to memory of 1552 (target process: icardagt.exe)
- PID 1336 wrote to memory of 1612 (target process: icardagt.exe)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\7315a7e24b903536485987c77dc91956.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID: 2288
- C:\Windows\system32\wscript.exe
  Command line: C:\Windows\system32\wscript.exe
  PID: 1036
- C:\Users\Admin\AppData\Local\gMz\wscript.exe
  Command line: C:\Users\Admin\AppData\Local\gMz\wscript.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 860
- C:\Windows\system32\msdtc.exe
  Command line: C:\Windows\system32\msdtc.exe
  PID: 1564
- C:\Users\Admin\AppData\Local\Hjs7J\msdtc.exe
  Command line: C:\Users\Admin\AppData\Local\Hjs7J\msdtc.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 940
- C:\Windows\system32\icardagt.exe
  Command line: C:\Windows\system32\icardagt.exe
  PID: 1552
- C:\Users\Admin\AppData\Local\AUG\icardagt.exe
  Command line: C:\Users\Admin\AppData\Local\AUG\icardagt.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 1612
Network
MITRE ATT&CK Enterprise v15
Downloads