Analysis
- max time kernel: 150s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64 arch:x86 image:win7-20231215-en locale:en-us os:windows7-x64 system
- submitted: 26-01-2024 14:31

Static task: static1
Behavioral task: behavioral1
Sample: 779ba17cb5ed3bb94e1d07aa171986a5.dll
Resource: win7-20231215-en

General
- Target: 779ba17cb5ed3bb94e1d07aa171986a5.dll
- Size: 2.2MB
- MD5: 779ba17cb5ed3bb94e1d07aa171986a5
- SHA1: 058718b265fcc9798876a651e78bc532bc472e8f
- SHA256: be9b2a400439006f513f0980901a98e17cc45eb12faab2c4bf9dbb87615049fb
- SHA512: 8063b1a68cd965b671b943e7b90306df0c62726b31a0a8cbdb6b8bac2b68644fa73f559c5780682a4f6562fec46819610d8fa0016a22935b1faf85f9434db256
- SSDEEP: 12288:KVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:XfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
-
Processes (resource / yara_rule):
  behavioral1/memory/1144-5-0x0000000002DF0000-0x0000000002DF1000-memory.dmp  dridex_stager_shellcode
-
Executes dropped EXE 3 IoCs
Processes (pid / process):
  2984  rdpshell.exe
  2780  dvdupgrd.exe
  2020  msinfo32.exe
-
Loads dropped DLL 7 IoCs
Processes (pid / process; the report gives no process name for PID 1144):
  1144
  2984  rdpshell.exe
  1144
  2780  dvdupgrd.exe
  1144
  2020  msinfo32.exe
  1144
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes (description / ioc / process; the report gives no process name for this entry):
  Set value (str)  \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\Bsfvntd = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\PRINTE~1\\3J0NIV~1\\dvdupgrd.exe"
-
Checks whether UAC is enabled
Processes (description / ioc / process):
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rdpshell.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  dvdupgrd.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  msinfo32.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (pid / process; the report gives no process name for PID 1144):
  3052  rundll32.exe  (listed 3 times)
  1144  (listed for the remaining 61 entries)
-
Suspicious use of WriteProcessMemory 18 IoCs
Processes (description / pid / process / target process; each entry is listed 3 times, and the report gives no process name for PID 1144):
  PID 1144 wrote to memory of 2608  1144  -  rdpshell.exe
  PID 1144 wrote to memory of 2984  1144  -  rdpshell.exe
  PID 1144 wrote to memory of 2536  1144  -  dvdupgrd.exe
  PID 1144 wrote to memory of 2780  1144  -  dvdupgrd.exe
  PID 1144 wrote to memory of 1800  1144  -  msinfo32.exe
  PID 1144 wrote to memory of 2020  1144  -  msinfo32.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\779ba17cb5ed3bb94e1d07aa171986a5.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID: 3052
-
C:\Users\Admin\AppData\Local\EXL\rdpshell.exe
  Command line: C:\Users\Admin\AppData\Local\EXL\rdpshell.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 2984
-
C:\Windows\system32\rdpshell.exe
  Command line: C:\Windows\system32\rdpshell.exe
  PID: 2608
-
C:\Users\Admin\AppData\Local\peYqjInqz\dvdupgrd.exe
  Command line: C:\Users\Admin\AppData\Local\peYqjInqz\dvdupgrd.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 2780
-
C:\Windows\system32\dvdupgrd.exe
  Command line: C:\Windows\system32\dvdupgrd.exe
  PID: 2536
-
C:\Windows\system32\msinfo32.exe
  Command line: C:\Windows\system32\msinfo32.exe
  PID: 1800
-
C:\Users\Admin\AppData\Local\E5zj5M2Vi\msinfo32.exe
  Command line: C:\Users\Admin\AppData\Local\E5zj5M2Vi\msinfo32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 2020
Network
MITRE ATT&CK Enterprise v15
Downloads