Analysis
-
max time kernel: 150s
max time network: 123s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 24-01-2024 08:16
Static task: static1
Behavioral task: behavioral1
Sample: 71bb36f4bcc6b93c90c000f353db7173.dll
Resource: win7-20231215-en
General
-
Target: 71bb36f4bcc6b93c90c000f353db7173.dll
Size: 1.6MB
MD5: 71bb36f4bcc6b93c90c000f353db7173
SHA1: 4089e571bfda56a10036636485e1113cfb5fe669
SHA256: bad6364c6a3a60c2e7982bb223a06f05ec95abf264dc500f75d2454642d84034
SHA512: 7845c3f5a2e5c78251e2accc1a0be49c9e0d6b3c85231bd417b2e806048e62389bb2d6088a6909f39e1573daf455f9cec629d98d9c0f02ab41099c5f96317615
SSDEEP: 12288:QVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:VfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
-
YARA match: dridex_stager_shellcode
Processes:
resource: behavioral1/memory/1264-5-0x0000000002990000-0x0000000002991000-memory.dmp
yara_rule: dridex_stager_shellcode
Executes dropped EXE 3 IoCs
Processes:
pid process
2492 psr.exe
2932 wextract.exe
1596 OptionalFeatures.exe
Loads dropped DLL 7 IoCs
Processes:
pid process
1264 (process name not recorded)
2492 psr.exe
1264 (process name not recorded)
2932 wextract.exe
1264 (process name not recorded)
1596 OptionalFeatures.exe
1264 (process name not recorded)
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\Pfoxtyecp = "C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\FEi\wextract.exe"
process: (not recorded)
Checks whether UAC is enabled
Processes:
description ioc process
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA rundll32.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA psr.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA wextract.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA OptionalFeatures.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid process
1648 rundll32.exe (3 entries)
1264 (process name not recorded; all remaining entries)
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
description (each recorded 3 times)
PID 1264 wrote to memory of 2808 psr.exe
PID 1264 wrote to memory of 2492 psr.exe
PID 1264 wrote to memory of 2900 wextract.exe
PID 1264 wrote to memory of 2932 wextract.exe
PID 1264 wrote to memory of 2164 OptionalFeatures.exe
PID 1264 wrote to memory of 1596 OptionalFeatures.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
All seven processes below are listed at tree depth 1. PID 1264, which writes to the memory of the six psr.exe, wextract.exe and OptionalFeatures.exe processes (see WriteProcessMemory above) and is the process whose memory matched the dridex_stager_shellcode rule, is not itself listed in the tree. Each of the three Windows binaries is launched twice: once from C:\Windows\system32 and once as a copy from a randomly named directory under AppData\Local, where the copy loads a dropped DLL.
-
C:\Windows\system32\rundll32.exe
command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\71bb36f4bcc6b93c90c000f353db7173.dll,#1 (export ordinal 1)
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1648
-
C:\Windows\system32\psr.exe
command line: C:\Windows\system32\psr.exe
PID:2808
-
C:\Users\Admin\AppData\Local\9os\psr.exe
command line: C:\Users\Admin\AppData\Local\9os\psr.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2492
-
C:\Windows\system32\wextract.exe
command line: C:\Windows\system32\wextract.exe
PID:2900
-
C:\Users\Admin\AppData\Local\mlkMx4Vdt\wextract.exe
command line: C:\Users\Admin\AppData\Local\mlkMx4Vdt\wextract.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2932
-
C:\Windows\system32\OptionalFeatures.exe
command line: C:\Windows\system32\OptionalFeatures.exe
PID:2164
-
C:\Users\Admin\AppData\Local\o3T\OptionalFeatures.exe
command line: C:\Users\Admin\AppData\Local\o3T\OptionalFeatures.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1596
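The process tree and the Run key above give a detection engineer three things to key on: a Windows system binary (psr.exe, wextract.exe, OptionalFeatures.exe) executing from a user-profile path, the same binary name launched by one parent first from System32 and then from AppData\Local, and a Run value whose data points into the profile. The Python below is an added hunting example written for this page; it is not the sandbox's output and not the sample's code. The event records are constructed to mirror the report (the parent PID 1264 for the launched processes is an assumption, since the report only shows 1264 writing to their memory), and the set of binaries to watch is an assumption a practitioner would replace with an inventory taken from a clean host.

```python
"""Added detection example for the loader pattern in the report above.

Flags (1) a watched Windows binary executed from a user-profile path,
(2) that binary name launched by the same parent first from System32 and
then from the profile path, and (3) a Run key whose data points into the
profile. Event dicts are constructed to mirror the report, not sandbox output.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import Optional

# Assumption: in a real deployment this set comes from a clean-host inventory.
WATCHED_BINARIES = {"psr.exe", "wextract.exe", "optionalfeatures.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_PROFILE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\", re.IGNORECASE)
RUN_KEY = re.compile(r"\\currentversion\\run\\", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: Optional[int]
    detail: str


def in_system_dir(image: str) -> bool:
    return image.lower().startswith(SYSTEM_DIRS)


def hunt(events):
    """Return a list of Finding for ProcessCreate / RegistrySetValue events."""
    findings = []
    # (parent_pid, basename) -> True once the genuine System32 copy was run
    probed = {}
    for ev in events:
        if ev["type"] == "ProcessCreate":
            image = ev["image"]
            base = ntpath.basename(image).lower()
            if base not in WATCHED_BINARIES:
                continue
            key = (ev["parent_pid"], base)
            if in_system_dir(image):
                probed[key] = True  # the loader running the real binary first
            elif USER_PROFILE.match(image):
                findings.append(Finding("system_binary_from_user_profile", ev["pid"], image))
                if probed.get(key):
                    findings.append(Finding(
                        "sideload_staging", ev["pid"],
                        f"{base} run from System32 then from {ntpath.dirname(image)} "
                        f"by parent {key[0]}"))
        elif ev["type"] == "RegistrySetValue":
            data = ev["data"].strip('"')
            if RUN_KEY.search(ev["key"]) and USER_PROFILE.match(data):
                findings.append(Finding("run_key_to_user_profile", ev.get("pid"),
                                        f"{ev['key']} = {data}"))
    return findings


# Constructed events mirroring the report; parent_pid 1264 is an assumption.
SAMPLE_EVENTS = [
    {"type": "ProcessCreate", "pid": 1648, "parent_pid": 1000,
     "image": "C:\\Windows\\system32\\rundll32.exe"},
    {"type": "ProcessCreate", "pid": 2808, "parent_pid": 1264,
     "image": "C:\\Windows\\system32\\psr.exe"},
    {"type": "ProcessCreate", "pid": 2492, "parent_pid": 1264,
     "image": "C:\\Users\\Admin\\AppData\\Local\\9os\\psr.exe"},
    {"type": "ProcessCreate", "pid": 2900, "parent_pid": 1264,
     "image": "C:\\Windows\\system32\\wextract.exe"},
    {"type": "ProcessCreate", "pid": 2932, "parent_pid": 1264,
     "image": "C:\\Users\\Admin\\AppData\\Local\\mlkMx4Vdt\\wextract.exe"},
    {"type": "ProcessCreate", "pid": 2164, "parent_pid": 1264,
     "image": "C:\\Windows\\system32\\OptionalFeatures.exe"},
    {"type": "ProcessCreate", "pid": 1596, "parent_pid": 1264,
     "image": "C:\\Users\\Admin\\AppData\\Local\\o3T\\OptionalFeatures.exe"},
    {"type": "RegistrySetValue", "pid": 1264,
     "key": "\\REGISTRY\\USER\\S-1-5-21-1268429524-3929314613-1992311491-1000"
            "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Pfoxtyecp",
     "data": "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\FEi\\wextract.exe"},
    # Benign control: a normal launch of wextract.exe from System32 must not fire.
    {"type": "ProcessCreate", "pid": 3000, "parent_pid": 900,
     "image": "C:\\Windows\\System32\\wextract.exe"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.rule}] pid={f.pid} {f.detail}")
```

The first rule alone would also fire on legitimate per-user installers, which is why the second rule correlates on the parent: a process that runs the genuine System32 binary and then a same-named copy from the profile is the distinctive sequence in this report, and the Run key pointing at yet another copy under AppData\Roaming ties persistence to the same staging.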
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 175KB
MD5: ae4d9a51ab197f4deb6233644b38371d
SHA1: 7e9a6267db2f7d30431c7cd1628b77b9337f462f
SHA256: 9621a190c389556bcfe9f41a9571ebcb9ebb63b0eca5608a1caa0ff42ffe05eb
SHA512: ad7045298330ebe18ba566b0f270e559d8c981ce1b67c1d77c2ea42e84149b0b9816a3b7feb8efa5f440ed8534da157f5f7d7786b0df173369c2823bda5a84e4
-
Filesize: 206KB
MD5: 5c99e4193dd3aa88141ca929f6a3c4e8
SHA1: 783fa2e62d23337686e3947e0ccadc21e96d0f13
SHA256: 05da904e47cb862e42d242756c1aa93ae8a2b8bebed97f750c3337d3e2015d4f
SHA512: fb2f92b8536c1773272d33752150d62f9e3b78138bf3eae48bb9375b8e3e734ecb830190002eec55d3adcefc7a08be12080a871235cb76bb1071a13007cb30cd
-
Filesize: 120KB
MD5: 086a6fc0ea8b87ef2ef5fb9c70669e2e
SHA1: 4e3cb3173428dea8e8801e0c3cb9511396907b86
SHA256: c4d36fbadf57642b750fce90bf9cad4de4d4c13bb6ec60292b9f8e5dc74b2dfd
SHA512: 08e77eef5c32f39e4b7d4b428fd7c7504ef6a6282307f775eec3a6a53859db48fa48de5250126fd6036d2f14e2a22446ca59f37bc459f466b2d6f14eb197b4a2
-
Filesize: 1KB
MD5: dd08b4fb2af05ec48bad2034e79ad1dc
SHA1: 48d2438243a56c00c18393e2b1b2abc6fd46b2e2
SHA256: 1c7bff58abf981c1fb1aa20adcabeb252e3dec3910b5011df76ad45e5a2b66db
SHA512: 4633b70ce095aff6c791068534d11935c04b9a48770ba063baa09263e8cff99ec8eceeac6bf9e8100f0c700d058acdad0d7978cfd8fcd3b1b661e6e8b3cf95c0
-
Filesize: 140KB
MD5: 1ea6500c25a80e8bdb65099c509af993
SHA1: 6a090ef561feb4ae1c6794de5b19c5e893c4aafc
SHA256: 99123d4e7bf93aa7f3315a432307c8b0cbaf24ad2cfb46edc149edbe24de4ca2
SHA512: b8f9f1ab48671e382d1385c34f0f19fc52fc0061e00db53bbbc2cdaee6d8a3f245707329f98e9167c53721aeaddcebfe66632729b6bcc98892031fd9914fb1fb
-
Filesize: 95KB
MD5: eae7af6084667c8f05412ddf096167fc
SHA1: 0dbe8aba001447030e48e8ad5466fd23481e6140
SHA256: 01feebd3aca961f31ba4eac45347b105d1c5772627b08f5538047721b61ff9bc
SHA512: 172a8accaa35a6c9f86713a330c5899dfeeffe3b43413a3d276fc16d45cd62ed9237aa6bff29cc60a2022fba8dcc156959723c041df4b7463436a3bdabef2a9d
-
Filesize: 150KB
MD5: 0c33b412526e9097ad60baa514d39eb5
SHA1: 41e92cab83764eec5c799dc4b2570616b66f4ef2
SHA256: 1b01efcdd9147da56a932ae32ff3857094bc12e80a8f730f06c4723865943e45
SHA512: 8465d6f6ea5acbbbff85d1692c0020d3dbb37e91ec241ffaad20d80e1822e7be895cc8a0b915be8c01fb98f703a51d8088bcffd7c3dd1d05a684cb2a74d02df6
-
Filesize: 1KB
MD5: 58b98de503c5a8fa03e6c683eccb8c3e
SHA1: cc203352d8f9d6510a1f481f6c045bd54a9e8e1f
SHA256: 62fcb79a114671eb9ce17dc74d248c56d2625534cd2b3dae899e052cb8c33650
SHA512: 40300b2579b3147f24d2e177f944e664ae03a0f59103341ba6118d940a5e6326e9ceb4102e0ec642c0acbdca6b15b86de9d864748e5dd30880dddfd3ff7752f9
-
Filesize: 367KB
MD5: bd635950f3935de24fafba42ce9cde15
SHA1: 9281963e4c06c3573f08bfa478a5785340828e23
SHA256: b45e22f67760ef733c16aeedc06db7a7cd6818b45c1baf3a456381c0d4cf11c0
SHA512: 728de018277c67786cdd65f65a7920367f6d467c360013bff5ce79c1aefa19803eec0b0901d3c909dd78a8c24d1da655935cf472b6a9c31e254763aede1a47db
-
Filesize: 100KB
MD5: 386bedd3e9297b6698694935315a3a75
SHA1: d21656301f3c8c9dc7eef447c585566dcf1d5a5d
SHA256: 83901776daf724e0801e8ee46d4e7e539f3b147d9dd7c05cfd0375b94b099f6c
SHA512: 89f56acb215ba8345eb06901457b35d61ceb9ac82cd70795cb6c2c1e2a381edc673a8c348910eac39ef02f3efe0866372545a7fb5debad86f099b7128edefe40
-
Filesize: 279KB
MD5: 24f103741537dc80c61eeb162dab5b9e
SHA1: aa63c903a6494e96c0c540a20ca0f8cd04761988
SHA256: 0fd80968bc3438dc82905920983fa4d8dd312854bb31134d86214ea0f67460b0
SHA512: 4e06ed0cc0406a2cac12861024f651902258ce84f33acafdc580a44e390a840c79feaff64ceb8a3297681c29f9650a67558fb8a81233cc502e47cba7b94ef984
-
Filesize: 324KB
MD5: efa5c77ac313c6d2b5972342e1315f33
SHA1: 163445d2b7dbd824d5713815634f165794cc2328
SHA256: 674591a92da6840ca90eb6702d6ef62145f6c8a310e777466fcd9d30f7ee214d
SHA512: 05a21da39db8170556a46b0ce562dfec53bd850f84fefcfb1579992783352d4aea1e87461ee3555c339ffc1144c53b2032cd0ef6eb0911e161289a09f0bba4c0
-
Filesize: 371KB
MD5: d113579ab4c7113df0e1eb2de68aacbc
SHA1: dc9a63635878427b0c6f46bd7a4560e041824df6
SHA256: 004331c8cb4532b1b29ad0a92ed23a9836714306bec423f56bdac176ae5a1169
SHA512: 4ecd774375e0e5fb67e2e28cb5d6f2dec56b603e4fe358bdcce1a7786f53513bee9085dbb598ddd7fb2200ce8f9e4172ecf5e0c4d77774216b1e3e730ad60e70
-
Filesize: 444KB
MD5: f2bee034b9ca681c49d46af20aa88b22
SHA1: 944ea645b56ebc232b43c7756c70f095539a234a
SHA256: 3608d15002a3ba1fef18e8e66e87031a6635957af8eead65aa886e9d79134c8e
SHA512: ec9f22341ad141355c69b01830d8ca596e2623fb2aff799070d5abee77b09eef5cdbf01bfb6e96ec1c42f76ba385a3c4d0064f63e4c290a55ffde66bcf6da509
-
Filesize: 77KB
MD5: 4858be73da7e2d68290ecf8e90f4b178
SHA1: fdd1ff52b606a9a935f08f2ddf0680c6eb748af5
SHA256: 9a6dc28d9471ade2f5723f0cf30d255d2b13e503ac705edabca2a0162af9bd25
SHA512: 9bf47afcf824e1e204b69439bbcebc79d39e86a498b7a6dd51730b1c5106b300760b5f0e8c49554941e2861c3752cfc14537e1d32bdcb1c55d8211462c5a656d
-
Filesize: 132KB
MD5: 4141b588a2ea8c13de997f22fe2332fa
SHA1: 5647b2782b44a90974509e7ebd9fbcdc26c19e36
SHA256: 05996ee65769b30ddf8d7d2b2bed21fceccb568a83ec579624ffdb59290a6257
SHA512: 3ee31b8a439df37a96358ecc5919804e23af90e26ee6815406ea1b5818410457a838cf7b97259a6b370874be93c010b08e67b10908b4046e8f162a5ffea80a5d
-
Filesize: 72KB
MD5: 82bde8cccd8456883ea3227de6b2772b
SHA1: 6e92ecddf9ba3a8ccda6a15b4e37c3d4d1b5753a
SHA256: 13acda1155b61c8cd642f4c2112145d4e8fa91f7845eaec362e348cb66d50990
SHA512: 8daf96db9b05246798e6ebcacf0a9b0d3c274f6fd665ed08b30628743803fa3111cfe1ee81c12cdfebf50edf73b0b4ec02a9619e1467dcf663337a1640c51fae
-
Filesize: 203KB
MD5: 859d83a8236cd5af5bf206cec8ef21c2
SHA1: 934ac7c8013010d5e6618cfaf37381a69ff5cd62
SHA256: fa1ae4993775b1e2d04c48fd0a7bb45be02931739cfc6eeb2e36a1cc4df7ab19
SHA512: a319c6468b75019a197b36f5c13c6a167cd222ae9610bec46b13f327c5b04bc3cb5817caa609b401160f2868fe61552ffa0a6a9c48c140faca0dffe23c49af67