Analysis
max time kernel: 150s
max time network: 125s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 26-01-2024 00:55
Static task: static1
Behavioral task: behavioral1
Sample: 75f65720fe58821d96cea7f4f1f6f530.dll
Resource: win7-20231215-en
General
Target: 75f65720fe58821d96cea7f4f1f6f530.dll
Size: 3.5MB
MD5: 75f65720fe58821d96cea7f4f1f6f530
SHA1: 2a9ff7f107e3feda0a0dfece7a475e0950b023b8
SHA256: dc652ba2912e47491ce16ba0da31998a4f7f8e30dc968203b5ed070fcebbf887
SHA512: cf57fd4f1285344ee520906509c946f0416ac4e85b4fff18f308b8cfbb65fc7fb4dac573a9c65a90ef1c95f131592b11011a53117225a19c1e88114ad830b2f3
SSDEEP: 12288:PVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:mfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
Processes:
resource: behavioral1/memory/1228-5-0x0000000002AA0000-0x0000000002AA1000-memory.dmp
yara_rule: dridex_stager_shellcode
Executes dropped EXE 3 IoCs
Processes: rdpclip.exe, ComputerDefaults.exe, VaultSysUi.exe
pid   process
2224  rdpclip.exe
1548  ComputerDefaults.exe
2400  VaultSysUi.exe
Loads dropped DLL 8 IoCs
Processes: rdpclip.exe, ComputerDefaults.exe, VaultSysUi.exe
pid   process
1228
2224  rdpclip.exe
1228
1548  ComputerDefaults.exe
1228
1228
2400  VaultSysUi.exe
1228
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\Zqonzshwxyr = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\PRINTE~1\\z3cd\\COMPUT~1.EXE"
Checks whether UAC is enabled
Processes: rundll32.exe, rdpclip.exe, ComputerDefaults.exe, VaultSysUi.exe
description        ioc                                                                                    process
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rdpclip.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  ComputerDefaults.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  VaultSysUi.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: rundll32.exe
pid   process
2772  rundll32.exe
2772  rundll32.exe
2772  rundll32.exe
1228  (remaining entries, all for PID 1228; no process name recorded)
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
description                          pid   process  target process
PID 1228 wrote to memory of 1248     1228           rdpclip.exe
PID 1228 wrote to memory of 1248     1228           rdpclip.exe
PID 1228 wrote to memory of 1248     1228           rdpclip.exe
PID 1228 wrote to memory of 2224     1228           rdpclip.exe
PID 1228 wrote to memory of 2224     1228           rdpclip.exe
PID 1228 wrote to memory of 2224     1228           rdpclip.exe
PID 1228 wrote to memory of 1732     1228           ComputerDefaults.exe
PID 1228 wrote to memory of 1732     1228           ComputerDefaults.exe
PID 1228 wrote to memory of 1732     1228           ComputerDefaults.exe
PID 1228 wrote to memory of 1548     1228           ComputerDefaults.exe
PID 1228 wrote to memory of 1548     1228           ComputerDefaults.exe
PID 1228 wrote to memory of 1548     1228           ComputerDefaults.exe
PID 1228 wrote to memory of 2492     1228           VaultSysUi.exe
PID 1228 wrote to memory of 2492     1228           VaultSysUi.exe
PID 1228 wrote to memory of 2492     1228           VaultSysUi.exe
PID 1228 wrote to memory of 2400     1228           VaultSysUi.exe
PID 1228 wrote to memory of 2400     1228           VaultSysUi.exe
PID 1228 wrote to memory of 2400     1228           VaultSysUi.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\75f65720fe58821d96cea7f4f1f6f530.dll,#1
  PID: 2772
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses

C:\Windows\system32\rdpclip.exe
  command line: C:\Windows\system32\rdpclip.exe
  PID: 1248

C:\Users\Admin\AppData\Local\jvzgmK\rdpclip.exe
  command line: C:\Users\Admin\AppData\Local\jvzgmK\rdpclip.exe
  PID: 2224
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled

C:\Windows\system32\ComputerDefaults.exe
  command line: C:\Windows\system32\ComputerDefaults.exe
  PID: 1732

C:\Users\Admin\AppData\Local\Zac\ComputerDefaults.exe
  command line: C:\Users\Admin\AppData\Local\Zac\ComputerDefaults.exe
  PID: 1548
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled

C:\Windows\system32\VaultSysUi.exe
  command line: C:\Windows\system32\VaultSysUi.exe
  PID: 2492

C:\Users\Admin\AppData\Local\9CUd\VaultSysUi.exe
  command line: C:\Users\Admin\AppData\Local\9CUd\VaultSysUi.exe
  PID: 2400
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 2.3MB
MD5: a12a864b1ab1be297ae245b45ca77d85
SHA1: efd7cae5e91f53cab259325219169a50fe793655
SHA256: 5277bbf58b3208380062673c81249431d4d7628abfa35caa140560c3d80d0394
SHA512: 32b1f95285175f58b5f86e0dcddaffc7b03385fc9319267792b7a9e370fa4ef727c4e8564938fb39f664e6ce66dd595308306e2280013354f54d7d22857258f7

Filesize: 36KB
MD5: 86bd981f55341273753ac42ea200a81e
SHA1: 14fe410efc9aeb0a905b984ac27719ff0dd10ea7
SHA256: 40b194be2bad2d3d4d1b69f9aec2853c8b663130810a11607ff72a9e3a06d5b3
SHA512: 49bb6d4bf7a9356fadde7f6165af6973630827d28b69db10ad477a84d98b08fb82e4daae777166e1ddddb5b5efcdf634e4e9bd34b255dae87462ba32e8bba143

Filesize: 512KB
MD5: 1fb78a3cc71c83bcc85ab36f87be4321
SHA1: 2ad7623204c0e1ae6c25382948e4b29f1c15ff5e
SHA256: 8433f5deaa2536f5ba9c33b57b9ca50eaea03a3ea4aa1d02d302ee3daf6c8056
SHA512: f4d276f1809b2961177a374a0b6385a476ce6da41a661122ce1499f2ff19ca05d913d522578f7a01e1399432ef506a7b589db360b3e42a1f2203df47995c92d0

Filesize: 921B
MD5: 26101af389c944fa1e85d75b5130c27a
SHA1: a03a6a1b9716ac6e689f7a0de4121d3dc97f17df
SHA256: 90293f5a19e07971705e0b57c9a5a21fdb3590ebf1e7132f31eabce379054d56
SHA512: 5d3793a47422baeba9c0d09ef7dc6801ca2a724b1c0ca8d8d00163ae3828f053e7d8478665fc5e86a20624a798ed9dd41a3932293e7c4016d3d41c45c8e927a6

Filesize: 3.5MB
MD5: 6935049e89968874c453d1fe02bfcaee
SHA1: 4bf50fc86e81851059eac8d4bd6898f4414dbce8
SHA256: 978a20f4f06419ee58f4b2f8184dcfcff2a5f4d0dd2596f3af44d0ac698c3660
SHA512: 8732788356a95666983b94900706b7fa43ead42cf8172ae5360935f8ec85afbbcf0e091ce34b8acbd405a9a7e5ea7d95cd66394017e0c42c149dbd91cb55cc30

Filesize: 3.5MB
MD5: 69bbd5b7143ab36334d117e538563464
SHA1: 7487251acc0fa4ad4643d96d5cc13457b458b1e1
SHA256: de568870f52c78e34d35db8ff98bbe744d85801aca9be937862a5294c4b35f36
SHA512: 3311107f1b86a6a4403d6629108c60da7bf3ef50bb8b6e08b5705a8c15d52bc63d2ac32a52cacbe3cd9f9953aa8b0732806e1f4f0a14a0d72301d6fec3544842

Filesize: 39KB
MD5: f40ef105d94350d36c799ee23f7fec0f
SHA1: ee3a5cfe8b807e1c1718a27eb97fa134360816e3
SHA256: eeb3f79be414b81f4eb8167390641787f14a033414533fb8de651c2247d054b2
SHA512: f16bcca6f6cecbdae117d5a41de7e86a6d9dfdfa2ce8c75ebff10d097083c106e7f9d030debed8cb20fdd71815a8aa7723a1d3c68b38ec382e55370331c594a1

Filesize: 2.0MB
MD5: a1a2918303b7006e00c031f4f69705ac
SHA1: 9fd8b0d4d49620da1664aab5d32fc477328f2bf4
SHA256: 62ba3222c310edf52ee23d59424ba5c036fe8fec115df844c65726f5d07b6ae2
SHA512: 794ba8edbb8499984c7a2243ff0abc053f36df5564733a20ee6a3462621975a2f3afc685236cc5d5f1fcdbef29362d4d1b8efc5476aff0931060ff3e27508518

Filesize: 64KB
MD5: 71f17a85abbc72bc87f3ef680c51eb3d
SHA1: b554444db3c1d8953579d1871c340b10a667ce9d
SHA256: be815dfa3d230f883d35207048d7f2623700c2df270a64543626fc1b64f263da
SHA512: 19971a4fac2538c5bec3ae60699c9cb744863893085ef75339db207396459b676096eb20ae8742b861aad2e7d77f56d998687158e0f32ef66d2c089b8d106762

Filesize: 3.5MB
MD5: 8cb554e8036652806cc12d92e38bcf19
SHA1: c2dc370b87232ab731e9447441db5901f23f9bbc
SHA256: ac5c9fc33a4bee4f9a4e2d241024ca7284765c80ddac41530d325a72d926aa25
SHA512: 4eae8de092a6f0f01192c09ca9284b53cfbbc84c3b1c31bc61226bb6f97ced510e18df938040e280761ca39ce1f70b6084917c213a85f571adc7b45fea176401

Filesize: 206KB
MD5: 25d284eb2f12254c001afe9a82575a81
SHA1: cf131801fdd5ec92278f9e0ae62050e31c6670a5
SHA256: 837e0d864c474956c0d9d4e7ae5f884007f19b7f420db9afcf0d266aefa6608b
SHA512: 7b4f208fa1681a0a139577ebc974e7acfc85e3c906a674e111223783460585eb989cb6b38f215d79f89e747a0e9224d90e1aa43e091d2042edb8bac7b27b968b