Analysis
- max time kernel: 150s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 24-01-2024 02:55
Static task: static1
Behavioral task: behavioral1
Sample: 7142569287a29d07ca328243db7a1f74.dll
Resource: win7-20231215-en
General
- Target: 7142569287a29d07ca328243db7a1f74.dll
- Size: 1.7MB
- MD5: 7142569287a29d07ca328243db7a1f74
- SHA1: 0bb092d2cf5779d598f619d801bb1eda19a7f883
- SHA256: 6d6b79a6bb6023fd10ffe393db35e78b77bc403f068b5ac7cfece64692b2edc1
- SHA512: 9df2653a5f920d62b6d72d2f1e199d503e3328e63b7d0611fbcbcc1a084ac2b59a82739aedf665cdd64b6b08260e9b212e7d9ed20de363261dce6d2d2b4eb06f
- SSDEEP: 12288:JVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:ofP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
-
Processes:
  resource                                                                  | yara_rule
  behavioral1/memory/1192-5-0x00000000024D0000-0x00000000024D1000-memory.dmp | dridex_stager_shellcode
Executes dropped EXE 3 IoCs
Processes:
  pid  | process
  2544 | dialer.exe
  2920 | msdt.exe
  2864 | DeviceDisplayObjectProvider.exe
Loads dropped DLL 7 IoCs
Processes:
  pid  | process
  1192 |
  2544 | dialer.exe
  1192 |
  2920 | msdt.exe
  1192 |
  2864 | DeviceDisplayObjectProvider.exe
  1192 |
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  description     | ioc                                                                                                                                                                                       | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rtxtioiynm = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\FLASHP~1\\Pge2m\\msdt.exe" |
Checks whether UAC is enabled
Processes:
  description       | ioc                                                                               | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | dialer.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | msdt.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | DeviceDisplayObjectProvider.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
  pid  | process
  1268 | rundll32.exe   (3 entries)
  1192 |                (all remaining entries; process column empty)
Suspicious use of WriteProcessMemory 18 IoCs
Processes (each row recorded 3 times):
  description                      | pid  | process | target process
  PID 1192 wrote to memory of 2776 | 1192 |         | dialer.exe
  PID 1192 wrote to memory of 2544 | 1192 |         | dialer.exe
  PID 1192 wrote to memory of 1628 | 1192 |         | msdt.exe
  PID 1192 wrote to memory of 2920 | 1192 |         | msdt.exe
  PID 1192 wrote to memory of 2872 | 1192 |         | DeviceDisplayObjectProvider.exe
  PID 1192 wrote to memory of 2864 | 1192 |         | DeviceDisplayObjectProvider.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\7142569287a29d07ca328243db7a1f74.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID: 1268
- C:\Windows\system32\dialer.exe
  Command line: C:\Windows\system32\dialer.exe
  PID: 2776
- C:\Users\Admin\AppData\Local\C6PQ\dialer.exe
  Command line: C:\Users\Admin\AppData\Local\C6PQ\dialer.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 2544
- C:\Windows\system32\msdt.exe
  Command line: C:\Windows\system32\msdt.exe
  PID: 1628
- C:\Users\Admin\AppData\Local\nlcR62a8n\msdt.exe
  Command line: C:\Users\Admin\AppData\Local\nlcR62a8n\msdt.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 2920
- C:\Users\Admin\AppData\Local\juqf81\DeviceDisplayObjectProvider.exe
  Command line: C:\Users\Admin\AppData\Local\juqf81\DeviceDisplayObjectProvider.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 2864
- C:\Windows\system32\DeviceDisplayObjectProvider.exe
  Command line: C:\Windows\system32\DeviceDisplayObjectProvider.exe
  PID: 2872
Network
MITRE ATT&CK Enterprise v15
Downloads