Analysis

- max time kernel: 150s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 25-01-2024 20:50

Static task: static1
Behavioral task: behavioral1
Sample: 757e0a2c79443f7d9de1d2fa72898839.dll
Resource: win7-20231215-en
General

- Target: 757e0a2c79443f7d9de1d2fa72898839.dll
- Size: 668KB
- MD5: 757e0a2c79443f7d9de1d2fa72898839
- SHA1: 60098803bc798f80bf40d9f4621651f344c6dc23
- SHA256: 18d9182f2a3793c2c3eae6bb486603ed056d9bd1d3303da091ceaa8fbed7228b
- SHA512: 018eb061037a6f67b58978399855a60802d4cb3b3822d23c2747de1d5d83258dabb10d1423510cf8cff05f5c25828685f3cf190b8d68bee3484595b71f4edda0
- SSDEEP: 6144:o34xznfAp4x+NWMqW/KZ1vCDTEpc2bysCZR6iwAtUnWKT5WK8Rpv1llfFfCRAuTF:oIKp/UWCZdCDh2IZDwAFRpR6Au
Malware Config
Signatures
Processes:
  resource | yara_rule
  behavioral1/memory/1272-4-0x0000000002D60000-0x0000000002D61000-memory.dmp | dridex_stager_shellcode

Processes:
  resource | yara_rule
  behavioral1/memory/1768-1-0x000007FEF6F70000-0x000007FEF7017000-memory.dmp | dridex_payload
  behavioral1/memory/1272-17-0x0000000140000000-0x00000001400A7000-memory.dmp | dridex_payload
  behavioral1/memory/1272-24-0x0000000140000000-0x00000001400A7000-memory.dmp | dridex_payload
  behavioral1/memory/1272-37-0x0000000140000000-0x00000001400A7000-memory.dmp | dridex_payload
  behavioral1/memory/1272-35-0x0000000140000000-0x00000001400A7000-memory.dmp | dridex_payload
  behavioral1/memory/1768-38-0x000007FEF6F70000-0x000007FEF7017000-memory.dmp | dridex_payload
  behavioral1/memory/2612-52-0x000007FEF7020000-0x000007FEF70C8000-memory.dmp | dridex_payload
  behavioral1/memory/2612-57-0x000007FEF7020000-0x000007FEF70C8000-memory.dmp | dridex_payload
  behavioral1/memory/2904-70-0x000007FEF6960000-0x000007FEF6A08000-memory.dmp | dridex_payload
  behavioral1/memory/2904-75-0x000007FEF6960000-0x000007FEF6A08000-memory.dmp | dridex_payload
  behavioral1/memory/288-92-0x000007FEF6960000-0x000007FEF6A08000-memory.dmp | dridex_payload
Executes dropped EXE 3 IoCs
Processes:
  pid | process
  2612 | spreview.exe
  2904 | slui.exe
  288 | cttune.exe

Loads dropped DLL 7 IoCs
Processes (PID 1272 has no process name recorded in the report):
  pid | process
  1272 |
  2612 | spreview.exe
  1272 |
  2904 | slui.exe
  1272 |
  288 | cttune.exe
  1272 |
Adds Run key to start application 2 TTPs 1 IoCs
Processes (no process name recorded for this entry):
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\Lgpbj = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\MO5rl152XC\\slui.exe" |

Checks whether UAC is enabled
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | spreview.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | slui.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | cttune.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
  pid | process
  1768 | rundll32.exe (3 entries)
  1272 | (no process name recorded; the remaining 61 entries, per the 64 IoC count)
Suspicious use of WriteProcessMemory 18 IoCs
Processes (each row is listed three times in the report; the "process" column for PID 1272 is empty):
  description | pid | process | target process
  PID 1272 wrote to memory of 2572 | 1272 | | spreview.exe (x3)
  PID 1272 wrote to memory of 2612 | 1272 | | spreview.exe (x3)
  PID 1272 wrote to memory of 2924 | 1272 | | slui.exe (x3)
  PID 1272 wrote to memory of 2904 | 1272 | | slui.exe (x3)
  PID 1272 wrote to memory of 1932 | 1272 | | cttune.exe (x3)
  PID 1272 wrote to memory of 288 | 1272 | | cttune.exe (x3)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\757e0a2c79443f7d9de1d2fa72898839.dll,#1
  PID: 1768
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses

- C:\Windows\system32\spreview.exe
  Command line: C:\Windows\system32\spreview.exe
  PID: 2572

- C:\Users\Admin\AppData\Local\tvVMyL8fZ\spreview.exe
  Command line: C:\Users\Admin\AppData\Local\tvVMyL8fZ\spreview.exe
  PID: 2612
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled

- C:\Windows\system32\slui.exe
  Command line: C:\Windows\system32\slui.exe
  PID: 2924

- C:\Users\Admin\AppData\Local\W6AJD6p55\slui.exe
  Command line: C:\Users\Admin\AppData\Local\W6AJD6p55\slui.exe
  PID: 2904
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled

- C:\Windows\system32\cttune.exe
  Command line: C:\Windows\system32\cttune.exe
  PID: 1932

- C:\Users\Admin\AppData\Local\T90p\cttune.exe
  Command line: C:\Users\Admin\AppData\Local\T90p\cttune.exe
  PID: 288
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 672KB
  MD5: e117eaf81777895c668a81e2ea6ee047
  SHA1: f87fb5901001d9e6290188292dcfacaf088fb762
  SHA256: 39acf884289c55948161fbfe5f1cb17ad7ffc4de4badc806b33d2cf14309abf4
  SHA512: 7d840aadde23982285e8addf3e5dd946e8304265af53786272c41648807564baf777d0005fd90d6e1e8cf91a42a8e51edae85a86c5972f1406f57b7757eb1ecb

- Filesize: 672KB
  MD5: 0f232baba4d39571b154b880710c9ab7
  SHA1: 9259e6bca876bfcb56aa7d6f276272e18f532e3f
  SHA256: 06001b493c35d4c28c0c0acd3ad5bf098811d942e1147813db765fba213617e5
  SHA512: f681db5a3dec52416646958df5b6291e27f150264651b9b5779104263b4767e18601dca41204a4fa0994d7976c608fded4726368a219499bf8460956df270f80

- Filesize: 672KB
  MD5: 3a5efc53cd7f1604c088bb2e5f308520
  SHA1: b966121f1290011ab3f097b5042c09ca32e3fabe
  SHA256: 7bb631134bb0e14080f0eed540407f456ee5e5a83b9dd97363cb4d44782e7cf9
  SHA512: f1840a304008c49c96970ddd1c21ac322575e375e67092dce37b75e6ed1bb96e5207612f0db4fbb6e6ac88e43e47231b69be37f3ae6de7098afd3e4a462515f7

- Filesize: 1KB
  MD5: d40cf5df27feadd09a00e7f8ff162cc9
  SHA1: 83fa0469d96d6a0655838dbf14dbf38551ff3f91
  SHA256: c4f5ebdf9fe838f8a0b636605a70d7ef4cb985b27af7aa373249569316508709
  SHA512: bdd92686c16616b82011a6a8f3fd9987cb53d6bfc53caf29b646e9e170d3d39b31016ceefecd01a99ffa6b3f38ce7aa3ccb67039d4427a9c5f7ce1ba90a57ec6

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\1u\OLEACC.dll
  Filesize: 64KB
  MD5: 85f77645b0445c630413fa925e54c1ca
  SHA1: ee42131d6fa64ae0daacdad0c87bcf449e9b84cf
  SHA256: aacdf4b4f7aeadaf05b5bd1fdbcd9d7b9460476eb4da7af03087231a1b7fd562
  SHA512: c54423af3d5827a3604c23197022375fd25b312afeb41b11798b8ea8993c979c8d142d9282c944f9172a2d81f59184fe4fe25fd8a4089d921017af29dc602d76

- Filesize: 314KB
  MD5: 7116848fd23e6195fcbbccdf83ce9af4
  SHA1: 35fb16a0b68f8a84d5dfac8c110ef5972f1bee93
  SHA256: 39937665f72725bdb3b82389a5dbd906c63f4c14208312d7f7a59d6067e1cfa6
  SHA512: e38bf57eee5836b8598dd88dc3d266f497d911419a8426f73df6dcaa503611a965aabbd746181cb19bc38eebdb48db778a17f781a8f9e706cbd7a6ebec38f894

- Filesize: 341KB
  MD5: c5ce5ce799387e82b7698a0ee5544a6d
  SHA1: ed37fdb169bb539271c117d3e8a5f14fd8df1c0d
  SHA256: 34aa7ca0ea833263a6883827e161a5c218576c5ad97e0ce386fad4250676b42c
  SHA512: 79453b45e1f38d164ee3dbc232f774ff121d4394c22783140f5c8c722f184a69f499f2fb9621bdb28f565065b791883526e1a1d4abef9df82289613c2ce97a5c

- Filesize: 294KB
  MD5: 704cd4cac010e8e6d8de9b778ed17773
  SHA1: 81856abf70640f102b8b3defe2cf65669fe8e165
  SHA256: 4307f21d3ec3b51cba6a905a80045314ffccb4c60c11d99a3d77cc8103014208
  SHA512: b380264276bad01d619a5f1f112791d6bf73dc52cdd5cca0cc1f726a6f66eefc5a78a37646792987c508f9cb5049f0eb86c71fb4c7a2d3e670c0c8623f0522ee