Analysis
  max time kernel:  150s
  max time network: 120s
  platform:         windows7_x64
  resource:         win7-20231215-en
  resource tags:    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  submitted:        25-01-2024 12:10
  Static task:      static1
  Behavioral task:  behavioral1
    Sample:   74aa7a7b1a55a686da6fb64c99496b53.dll
    Resource: win7-20231215-en
General
  Target: 74aa7a7b1a55a686da6fb64c99496b53.dll
  Size:   3.2MB
  MD5:    74aa7a7b1a55a686da6fb64c99496b53
  SHA1:   baf7fcf0fe7a57031c1285f02cb4a0814e54fa31
  SHA256: e12d72cce77128cc87490c508bb9e32003d1141cf5ccc962117961d65c2d71ab
  SHA512: 6e7d2349024ceb235cb85ddc9c88695796197d9dd84f19518e0639f93f5cd0cd713c216d04f85e961be6115b93e34e4fc39912b8b9262b2f8b69ed7d68ef05b1
  SSDEEP: 12288:4VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:tfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures

  YARA match 1 IoCs
    resource                                                                    yara_rule
    behavioral1/memory/1280-5-0x0000000002940000-0x0000000002941000-memory.dmp  dridex_stager_shellcode

  Executes dropped EXE 3 IoCs
    pid   process
    1748  dialer.exe
    1696  icardagt.exe
    2896  BdeUISrv.exe

  Loads dropped DLL 7 IoCs
    pid   process
    1280  (process name not recorded in the report)
    1748  dialer.exe
    1280  (not recorded)
    1696  icardagt.exe
    1280  (not recorded)
    2896  BdeUISrv.exe
    1280  (not recorded)

  Adds Run key to start application 2 TTPs 1 IoCs
    description      ioc
    Set value (str)  \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\Srfjajs = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\rZIGC5s8\\icardagt.exe"
    (the writing process is not recorded in the report; the value persists a copy of icardagt.exe placed under the user's Cookies folder)

  Checks whether UAC is enabled 4 IoCs
    description        ioc                                                                                    process
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  dialer.exe
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  icardagt.exe
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  BdeUISrv.exe

  Suspicious behavior: EnumeratesProcesses 64 IoCs
    pid   process                                      events
    1968  rundll32.exe                                 3
    1280  (process name not recorded in the report)    61

  Suspicious use of WriteProcessMemory 18 IoCs
    description                        pid   target process   events
    PID 1280 wrote to memory of 2408   1280  dialer.exe       3
    PID 1280 wrote to memory of 1748   1280  dialer.exe       3
    PID 1280 wrote to memory of 2860   1280  icardagt.exe     3
    PID 1280 wrote to memory of 1696   1280  icardagt.exe     3
    PID 1280 wrote to memory of 572    1280  BdeUISrv.exe     3
    PID 1280 wrote to memory of 2896   1280  BdeUISrv.exe     3
    (PID 1280 is the same process that hosts the dridex_stager_shellcode memory region and loads the dropped DLLs; it writes into both the System32 instance and the dropped AppData\Local copy of each binary)

  Uses Task Scheduler COM API 1 TTPs
    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
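Host-side hunt for the behaviours recorded above, added by the editor; it is not output of the sandbox and not part of the sample. It checks three things the report shows: HKCU Run values whose target sits inside the user profile (the Srfjajs value pointing into AppData\Roaming\Microsoft\Windows\Cookies), executables that share a name with a System32 binary but run from a user-writable folder beside a DLL (dialer.exe, icardagt.exe and BdeUISrv.exe executed from AppData\Local\<random> while "Loads dropped DLL" fires, a layout consistent with DLL search-order hijacking, which is the editor's reading rather than a finding of the report), and scheduled tasks whose exec action points into the profile, enumerated through the same Task Scheduler COM interface the report flags. Assumptions: PowerShell 4.0 or later (Get-FileHash, Get-ChildItem -File), the roots scanned, and the SHA-256 comparison with the System32 original; the per-sample folder names (FzFtepNFE, HF74NVWB, I12, rZIGC5s8) are random and are deliberately not matched literally.

```powershell
# Editor-added hunt script; not from the sandbox report or the sample.
# Assumes PowerShell 4.0+ and that it runs in the affected user's context.
$System32    = Join-Path $env:windir 'System32'
$UserProfile = $env:USERPROFILE

# 1. HKCU Run/RunOnce values whose target lives under the user profile
#    (the report: HKCU\...\Run\Srfjajs -> %APPDATA%\Microsoft\Windows\Cookies\rZIGC5s8\icardagt.exe).
function Get-SuspiciousRunValues {
    $keys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }          # skip PSPath, PSParentPath, ...
            $raw = [string]$p.Value
            # strip a quoted image path from its arguments, then expand %VARS%
            $exe = [Environment]::ExpandEnvironmentVariables(($raw -replace '^"([^"]+)".*$', '$1'))
            if ($exe -like "$env:APPDATA\*" -or $exe -like "$env:LOCALAPPDATA\*" -or $exe -like "$env:TEMP\*") {
                [pscustomobject]@{ Key = $key; Name = $p.Name; Target = $raw }
            }
        }
    }
}

# 2. System32 binary names executing from user-writable folders, with any DLL
#    sitting next to them (the report: dialer.exe, icardagt.exe, BdeUISrv.exe
#    under %LOCALAPPDATA%\<random>\ plus "Loads dropped DLL").
function Get-RelocatedSystemBinaries {
    param([string[]]$Roots = @($env:LOCALAPPDATA, $env:APPDATA, $env:TEMP))   # assumed scan roots
    $sysNames = @{}
    Get-ChildItem -Path $System32 -Filter '*.exe' -File -ErrorAction SilentlyContinue |
        ForEach-Object { $sysNames[$_.Name.ToLower()] = $_.FullName }

    foreach ($root in $Roots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root -Recurse -Filter '*.exe' -File -ErrorAction SilentlyContinue |
            Where-Object { $sysNames.ContainsKey($_.Name.ToLower()) } |
            ForEach-Object {
                $orig     = $sysNames[$_.Name.ToLower()]
                $copyHash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                $origHash = (Get-FileHash -Path $orig -Algorithm SHA256).Hash
                $dlls     = Get-ChildItem -Path $_.DirectoryName -Filter '*.dll' -File -ErrorAction SilentlyContinue
                [pscustomobject]@{
                    Path          = $_.FullName
                    System32Copy  = $orig
                    IdenticalHash = ($copyHash -eq $origHash)   # byte-identical copy of a signed system binary
                    CoLocatedDlls = (($dlls | Select-Object -ExpandProperty Name) -join ';')
                }
            }
    }
}

# 3. Scheduled tasks whose exec action runs from the user profile, walked via
#    the Schedule.Service COM object (works on Windows 7, which lacks Get-ScheduledTask).
function Get-SuspiciousScheduledTasks {
    $svc = New-Object -ComObject 'Schedule.Service'
    $svc.Connect()
    $queue = New-Object System.Collections.Queue
    $queue.Enqueue($svc.GetFolder('\'))
    while ($queue.Count -gt 0) {
        $folder = $queue.Dequeue()
        foreach ($sub in $folder.GetFolders(0)) { $queue.Enqueue($sub) }
        foreach ($task in $folder.GetTasks(1)) {               # 1 = TASK_ENUM_HIDDEN
            foreach ($action in $task.Definition.Actions) {
                if ($action.Type -ne 0) { continue }           # 0 = TASK_ACTION_EXEC
                $exe = [Environment]::ExpandEnvironmentVariables([string]$action.Path)
                if ($exe -like "$UserProfile\*") {
                    [pscustomobject]@{ Task = $task.Path; Exe = $exe; Args = $action.Arguments }
                }
            }
        }
    }
}

Get-SuspiciousRunValues      | Format-Table -AutoSize
Get-RelocatedSystemBinaries  | Format-Table -AutoSize
Get-SuspiciousScheduledTasks | Format-Table -AutoSize
```

A hit in the second check with IdenticalHash true and a non-empty CoLocatedDlls column is the strongest signal: a legitimate, signed Windows binary has no reason to exist under AppData, and the DLL beside it is the file to collect. The first and third checks only flag profile-resident targets, so expect some benign entries (updaters, messaging clients) and triage the image path before acting.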
Processes

  C:\Windows\system32\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\74aa7a7b1a55a686da6fb64c99496b53.dll,#1
    PID: 1968
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses

  C:\Windows\system32\dialer.exe
    Command line: C:\Windows\system32\dialer.exe
    PID: 2408

  C:\Users\Admin\AppData\Local\FzFtepNFE\dialer.exe
    Command line: C:\Users\Admin\AppData\Local\FzFtepNFE\dialer.exe
    PID: 1748
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks whether UAC is enabled

  C:\Windows\system32\icardagt.exe
    Command line: C:\Windows\system32\icardagt.exe
    PID: 2860

  C:\Users\Admin\AppData\Local\HF74NVWB\icardagt.exe
    Command line: C:\Users\Admin\AppData\Local\HF74NVWB\icardagt.exe
    PID: 1696
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks whether UAC is enabled

  C:\Windows\system32\BdeUISrv.exe
    Command line: C:\Windows\system32\BdeUISrv.exe
    PID: 572

  C:\Users\Admin\AppData\Local\I12\BdeUISrv.exe
    Command line: C:\Users\Admin\AppData\Local\I12\BdeUISrv.exe
    PID: 2896
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks whether UAC is enabled
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 147KB
    MD5:    5622f39e4960cfd322f1db1fc8e3ff32
    SHA1:   2293249f3049e67e7524cb48ef5ee700f91d73e5
    SHA256: 722e128961be7028de08500b837c166a6dfdd2b76c11e4b7ce80ea3bb706c37c
    SHA512: c9088091c00b762c688e796eddbb19e0c806b1f1624d1d561bae7289731054c59d407ea6793c541fb578a8373d6b39703c6490b619e3962c725d7757452b7e73

- Filesize: 34KB
    MD5:    46523e17ee0f6837746924eda7e9bac9
    SHA1:   d6b2a9cc6bd3588fa9804ada5197afda6a9e034b
    SHA256: 23d8a6a1d847a324c556c30e10c8f63c2004aeb42ac3f5a5ca362077f1517382
    SHA512: c7117c3778650864e685bd89df599d7cdd9319d757344ddc7cfd9403d6673964127f6ff0c5ac48455fd3097af31a6ff09173f85dfa7be2d25f395cdf3692bb9a

- Filesize: 157KB
    MD5:    61fa9b176faa456ae210521ce2e50fae
    SHA1:   526d59e9e5f1c95c4af603fbff74fc1f9fd1c52e
    SHA256: d5b52ceef582983341fd72e66d8d83cfd9d9f6bf1c17780916cb60ee94db6441
    SHA512: 3d200c68f16ee6b7fea615e6b952ac819fdfaac98f1bd8c90e62b772a6c7868805d36a0bdcd7e1f007522176c63945b3d05673ff8465e9e55bce58d4dd51b51f

- Filesize: 90KB
    MD5:    ebd853ae26e9d29184b5de8ed4236d64
    SHA1:   0852cf6e980991a04ba1f69dfc84c44777a32d32
    SHA256: 7f89f1e4b24dbc16fe8a87125d9ec2beea3eda8d12d759589163e29323bbf1a2
    SHA512: 79cdfac83a3a5bc150f9e4c4afd6dad55e859c0f69b355b16891b29727c8b52e5e458cea80df4b7d1aeab3e336cd6b21d8e862ee9e1f3df02ebccdc19b3d5249

- Filesize: 102KB
    MD5:    03157c9dba02bfce4f263d88b2d9bb3a
    SHA1:   f7576353b6bfe36f7d92b5501a7eeb950a722bd7
    SHA256: 36560d970185c3e20e201e834ef2eef950b32b40b377366970e2fe6949ee9ecd
    SHA512: c6a763c6d124cf119be643335d05b3b3351a9d5543508afccd2ab6497d51e151778587f9eb3bc852b13ac753bb32d85b06d7367051e66175603366b2b552b344

- Filesize: 47KB
    MD5:    1da6b19be5d4949c868a264bc5e74206
    SHA1:   d5ee86ba03a03ef8c93d93accafe40461084c839
    SHA256: 00330a0e0eb1dbb6ee84997963f8e15c7c15c1df787f1c7f109609d7b31bd35c
    SHA512: 9cee858c55eb0852e5bad53a675a094ae591b46b07afe9fb4224cac32e0be577fe36c1ed3e9f6bda4d4eb0c924a773d00e3181cd97f07e24c6c68c70f2b002c6

- Filesize: 173KB
    MD5:    4962828dbcbba0781e87932d853f1ac3
    SHA1:   9684b11ce11d99aaff0f39988195044fef3fb1de
    SHA256: 22d6d7a934a87017208afab0fce5e41ca97303281d8f9f9e2a3e7fcef8addc7d
    SHA512: 9981f996268f122ce7ae8af96df94ffd42ef0c6d3ff9f844e7a2493ab53ba8c0cb4568b8238d547231bf4ac480453972b8e5362d3556b49df70619efe9ee8885

- Filesize: 1KB
    MD5:    00fc1eec0ab09f1f230689ac12b8de8d
    SHA1:   aa2eb969bc3afd198986097a5e1a282602e016ad
    SHA256: 18cef11707b90141b11c73614ace3d687a34e3d36c7b6b3a85d977877ae71183
    SHA512: 74e790d763905de75fa9893495b111e83d5eb74db85e7d607b19680eef1897c399cf2aab8dbac9fc794c53d21f09329135125d496e85d042c48190396b362626

- Filesize: 691KB
    MD5:    63224b144cb1bfc690c666cf5dc72309
    SHA1:   09ce6affe35f4e8938bc9c8bc51981b5786698fb
    SHA256: 87fb6382d9d4746783a4a10bcd3b29b895e7bd8743194364a96406727832d912
    SHA512: cb36d4d36d280ff3fb058effeaf8545ab2cb779de56d3de7210e0c2baa6f9a5ce2043a30a39519d2dedf9e70395c8d3647b3371d85326f58977616adda455ea7

- Filesize: 342KB
    MD5:    b406385583f9347ac7b402df5e35c28d
    SHA1:   d4d51a0b4c2dad4fc1e8fcf642eab0ee6fe1929d
    SHA256: fd2cf877b7a2b9a321d183c254398542b5f66e916969aeeaba7e1b703e86c2e3
    SHA512: ca1622585be55766b86de7d58b6f269262ee8de82c4e67e57066b9e156c359f14065b7a18db59108d99bc01d31f46b2c58656bfaa309d00ef53224b8d60b0a30

- Filesize: 131KB
    MD5:    4e71519e160975cb6363f49148ae252e
    SHA1:   374174971c12e1e7209ef4242ab17e9eabc6df6a
    SHA256: ea50cedc1cf31105534104a68029eb20e24789233be6ab19098bca73423a12a7
    SHA512: 52960643fe3f11ee0c52e137e3765ca9952b0deeb00499c6ca1407579a3b96172888bd4c51e300413eb627f536b482a10fd65690a01e0318d79b54f65d19ef20

- Filesize: 64KB
    MD5:    55ffeb9abdfa40569c9e0741e2d31e36
    SHA1:   2e82c7f16c6a5d031854f153c0eeaad64371322d
    SHA256: 63adc73067fc01298e7d07bb2b6d426ba257737dcb17dbfe6afd015182ee0a36
    SHA512: 648a69b4dbcbec93ce4cac5890efe9e1dabf139c14886ebb32b8a687737cb678844e7fe6f81c84b26bbb7555bfc5bbca2ac05ea296c4392b6d1877f17ff90e17

- Filesize: 136KB
    MD5:    33e283f4d56a71618ace2c17b99d03cc
    SHA1:   287306d4177968d996a9ef92c82e5432771e4a48
    SHA256: 24bc320b3c4e75d919af24c6c19d86526ab3a68d42a263181eb273fc553cce7d
    SHA512: e9219c271d7297e550214aed2556d4a00dcf1dff086b678757c557cf9d146b72f108d830f92f1499737d8119b5fe09151060140be47d29d13e67c9b2742a0ba2

- Filesize: 74KB
    MD5:    a4d190d2541640ed09ece5930ceb8b5d
    SHA1:   a7856071120df5752b8de9709e180db0f7c653a9
    SHA256: dea2d025bb9ba57903467c7d91210f911463379ce971d0d8ca867c4ab494c6b4
    SHA512: 94fed021fc7eb348c7ce516be76ce37a639c40d63387b6f7ecad24064c74b1f1a8763358cb18f63073a1595e3b663f9fb8c592b4e8fe5b7d09bf0f525f7668b1

- Filesize: 158KB
    MD5:    02dd54cf2bc29a3bf40648c9bc01a6cc
    SHA1:   06ef037fe3f982c2d34708b2bddcd9ae665d4287
    SHA256: f60905a55996f5c5140766f18ab7fae2daaa6ba339651ef02f0d30d73413be05
    SHA512: 30b6a90798d21434145e7c86121d228d323b27371c5487ba572394eca2dd552f1025bc888bc8fcae1ff8a890afaa15989e468c33d1a4cafc798e6c89b0d66a87

- Filesize: 45KB
    MD5:    22128497245eebd711a8902ca1391814
    SHA1:   6a1212e03206e6f7f48078c982311be4e59cb427
    SHA256: e185b210eef21c8a0cca2c1a66515c44f892a1b1d0c59900236391fd6e986b56
    SHA512: b935fa6c4bce155c4ecd3ef5fc107248046116f7d276132a964317b51b5a28d382bb59612e2783fd0ec0995dbe9493df3c52dbe89b886953d7748bf412f31184