Analysis
max time kernel: 150s
max time network: 125s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 26-01-2024 14:01
Static task: static1
Behavioral task: behavioral1
Sample: 778d4730d5f23525661b573a83f5a65f.dll
Resource: win7-20231215-en
General
Target: 778d4730d5f23525661b573a83f5a65f.dll
Size: 1.7MB
MD5: 778d4730d5f23525661b573a83f5a65f
SHA1: b4363f418266b63f4036546ab4a54e52fd530c2d
SHA256: 72ab82c1cb0c63ec0a02f3bd9061de964700d7490d0704cafc3eb3459b0e906d
SHA512: 0ae77c82fb95805277f52235354ae296455ffb7c33a863dff46b6245738fadec923dfe742c2554bdbb53cebc664c58630cbce935c5ddf714ca1bf55f9ae105cd
SSDEEP: 12288:CVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:ffP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
Processes:
  resource: behavioral1/memory/1252-5-0x0000000002960000-0x0000000002961000-memory.dmp
  yara_rule: dridex_stager_shellcode
Executes dropped EXE 3 IoCs
Processes:
  pid   process
  2640  msdt.exe
  748   rdpinit.exe
  3016  FXSCOVER.exe
Loads dropped DLL 7 IoCs
Processes:
  pid   process
  1252
  2640  msdt.exe
  1252
  748   rdpinit.exe
  1252
  3016  FXSCOVER.exe
  1252
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\Srfjajs = "C:\\Users\\Admin\\AppData\\Roaming\\MACROM~1\\FLASHP~1\\MACROM~1.COM\\support\\FLASHP~1\\k4xPwzO\\rdpinit.exe"
Checks whether UAC is enabled
Processes:
  description        ioc                                                                                  process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  msdt.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rdpinit.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  FXSCOVER.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
  pid   process       entries
  2144  rundll32.exe  3
  1252                61 (remaining entries; process name not recorded)
Suspicious use of WriteProcessMemory 18 IoCs
Processes (each row is recorded three times; 18 entries in total):
  description                       pid   process  target process
  PID 1252 wrote to memory of 2584  1252           msdt.exe
  PID 1252 wrote to memory of 2640  1252           msdt.exe
  PID 1252 wrote to memory of 1156  1252           rdpinit.exe
  PID 1252 wrote to memory of 748   1252           rdpinit.exe
  PID 1252 wrote to memory of 2964  1252           FXSCOVER.exe
  PID 1252 wrote to memory of 3016  1252           FXSCOVER.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\778d4730d5f23525661b573a83f5a65f.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID: 2144

C:\Windows\system32\msdt.exe
  command line: C:\Windows\system32\msdt.exe
  PID: 2584

C:\Users\Admin\AppData\Local\PBI\msdt.exe
  command line: C:\Users\Admin\AppData\Local\PBI\msdt.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 2640

C:\Windows\system32\rdpinit.exe
  command line: C:\Windows\system32\rdpinit.exe
  PID: 1156

C:\Users\Admin\AppData\Local\ysgckb4kP\rdpinit.exe
  command line: C:\Users\Admin\AppData\Local\ysgckb4kP\rdpinit.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 748

C:\Windows\system32\FXSCOVER.exe
  command line: C:\Windows\system32\FXSCOVER.exe
  PID: 2964

C:\Users\Admin\AppData\Local\riKqWacaW\FXSCOVER.exe
  command line: C:\Users\Admin\AppData\Local\riKqWacaW\FXSCOVER.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 3016
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\k4xPwzO\WTSAPI32.dll
  Filesize: 1.7MB
  MD5: ac6d82aa633f8a0487594326a7718aac
  SHA1: 93904096e733057b12dafe4e4152fe2629ee6b8e
  SHA256: c50fa5d5483856fb01a99b33466bc83046c4a7d422159bdeecbf39c3ca8c995b
  SHA512: 022c108aec640fe6fee5809abf075dcf47249802df309559961f548c348641988e89d1d423377d313fb8902904ecf73a11673e6a9d7d2e5a47e0581134e15b5e

C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\k4xPwzO\rdpinit.exe
  Filesize: 89KB
  MD5: f8901aaa6a4f1114c6ca42bfd4955ae3
  SHA1: 9dac033f80a3fc94cf7751f5ed0da4b4021a1245
  SHA256: 6d4161e1ddc6507922433455ab620daf6bd66d44758fa307a5d6e136797890fd
  SHA512: 15ca01e6018fc4e8b01ee4285001a9c3f23789b395b6b2f4dad9ae0d1143165fa05f7e5835f34c231907a0466de8ff64de8ace4fe381aaae74bfe3d60daf53de