Analysis
- max time kernel: 150s
- max time network: 125s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 24-01-2024 10:46
- Static task: static1
- Behavioral task: behavioral1
- Sample: 72069f253d65873ca37d22ed502e1911.dll
- Resource: win7-20231215-en
General
- Target: 72069f253d65873ca37d22ed502e1911.dll
- Size: 3.7MB
- MD5: 72069f253d65873ca37d22ed502e1911
- SHA1: 551a0c0ea3996301997e8f133c3ab4933456b7db
- SHA256: 95675ed8705063e78d6feec16544b7d5bbe62b4bc34b13462280c0ec046f0d71
- SHA512: 113a86c3fd39d5cb43ccfbee1a8ca8a0f2c08d76439eb39c228f1a56432ab121f61696087b21df958b15b16b16c3169d5109aac638ab60b91eb4ce76b9dc52a1
- SSDEEP: 12288:bVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1K8yQy:6fP7fWsK5z9A+WGAW+V5SB6Ct4bnbKn
Malware Config
Signatures
- Yara rule match in process memory
Processes:
- resource: behavioral1/memory/1272-5-0x00000000026E0000-0x00000000026E1000-memory.dmp; yara_rule: dridex_stager_shellcode
- Executes dropped EXE 3 IoCs
Processes: BdeUISrv.exe, WFS.exe, xpsrchvw.exe
- pid 2932, process BdeUISrv.exe
- pid 1624, process WFS.exe
- pid 660, process xpsrchvw.exe
- Loads dropped DLL 7 IoCs
Processes: BdeUISrv.exe, WFS.exe, xpsrchvw.exe
- pid 1272 (process name not resolved in the report)
- pid 2932, process BdeUISrv.exe
- pid 1272 (process name not resolved in the report)
- pid 1624, process WFS.exe
- pid 1272 (process name not resolved in the report)
- pid 660, process xpsrchvw.exe
- pid 1272 (process name not resolved in the report)
- Adds Run key to start application 2 TTPs 1 IoCs
Processes:
- description: Set value (str); ioc: \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\Lgpbj = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\SendTo\\j0cb\\WFS.exe"; process: (not resolved in the report)
- Checks whether UAC is enabled
Processes: WFS.exe, xpsrchvw.exe, rundll32.exe, BdeUISrv.exe
- description: Key value queried; ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA; process: WFS.exe
- description: Key value queried; ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA; process: xpsrchvw.exe
- description: Key value queried; ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA; process: rundll32.exe
- description: Key value queried; ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA; process: BdeUISrv.exe
- Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: rundll32.exe
- pid 3000, process rundll32.exe (listed 3 times)
- pid 1272, process name not resolved in the report (all remaining entries)
- Suspicious use of WriteProcessMemory 18 IoCs
Processes (each row is listed 3 times in the report; source process name not resolved):
- description: PID 1272 wrote to memory of 2756; pid: 1272; target process: BdeUISrv.exe
- description: PID 1272 wrote to memory of 2932; pid: 1272; target process: BdeUISrv.exe
- description: PID 1272 wrote to memory of 1324; pid: 1272; target process: WFS.exe
- description: PID 1272 wrote to memory of 1624; pid: 1272; target process: WFS.exe
- description: PID 1272 wrote to memory of 2740; pid: 1272; target process: xpsrchvw.exe
- description: PID 1272 wrote to memory of 660; pid: 1272; target process: xpsrchvw.exe
- Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\rundll32.exe (level 1)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\72069f253d65873ca37d22ed502e1911.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID:3000
- C:\Windows\system32\BdeUISrv.exe (level 1)
  command line: C:\Windows\system32\BdeUISrv.exe
  PID:2756
- C:\Users\Admin\AppData\Local\vO6mC\BdeUISrv.exe (level 1)
  command line: C:\Users\Admin\AppData\Local\vO6mC\BdeUISrv.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID:2932
- C:\Windows\system32\WFS.exe (level 1)
  command line: C:\Windows\system32\WFS.exe
  PID:1324
- C:\Users\Admin\AppData\Local\3EzN\WFS.exe (level 1)
  command line: C:\Users\Admin\AppData\Local\3EzN\WFS.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID:1624
- C:\Windows\system32\xpsrchvw.exe (level 1)
  command line: C:\Windows\system32\xpsrchvw.exe
  PID:2740
- C:\Users\Admin\AppData\Local\eSnT4YjY\xpsrchvw.exe (level 1)
  command line: C:\Users\Admin\AppData\Local\eSnT4YjY\xpsrchvw.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID:660
Network
MITRE ATT&CK Enterprise v15
Downloads