Analysis
- max time kernel: 150s
- max time network: 125s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 26-01-2024 21:17
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 786915fd97a5568543a2c219b4116abf.dll
  - Resource: win7-20231215-en
General
- Target: 786915fd97a5568543a2c219b4116abf.dll
- Size: 1.4MB
- MD5: 786915fd97a5568543a2c219b4116abf
- SHA1: 4c76633b4440df5c58a8e835001c8921a5171cd0
- SHA256: a4c35298a6852c3e1ebec89e8d2c739c9dafe977cd2931af02f46f8d640dabe0
- SHA512: 4c78d00677052e2cc189862f72ef6a8acc490fadba92e157292b0af022a437f685794617a3b462d59feb18178f1234019e503b23087cba4d3f3d2e1fa61b47ea
- SSDEEP: 12288:yVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:vfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
- YARA rule match: dridex_stager_shellcode
  resource: behavioral1/memory/1284-5-0x0000000002990000-0x0000000002991000-memory.dmp (memory dump of PID 1284, region 0x02990000-0x02991000)
- Executes dropped EXE (3 IoCs)
  2640 mstsc.exe
  2848 OptionalFeatures.exe
  544 msinfo32.exe
- Loads dropped DLL (7 IoCs)
  1284 (4 entries; process name not recorded)
  2640 mstsc.exe
  2848 OptionalFeatures.exe
  544 msinfo32.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\Niubkzso = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\RBpPDAEJq\\OptionalFeatures.exe"
  (writing process not recorded; the value points to a copy of OptionalFeatures.exe under the user's SystemCertificates\My\CRLs directory, a location that normally contains no executables)
- Checks whether UAC is enabled (3 IoCs)
  Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA by msinfo32.exe
  Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA by mstsc.exe
  Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA by OptionalFeatures.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  3016 regsvr32.exe (3 entries)
  1284 (all remaining entries; process name not recorded)
- Suspicious use of WriteProcessMemory (18 IoCs)
  PID 1284 wrote to memory of 2584 (mstsc.exe), 3 entries
  PID 1284 wrote to memory of 2640 (mstsc.exe), 3 entries
  PID 1284 wrote to memory of 2880 (OptionalFeatures.exe), 3 entries
  PID 1284 wrote to memory of 2848 (OptionalFeatures.exe), 3 entries
  PID 1284 wrote to memory of 3020 (msinfo32.exe), 3 entries
  PID 1284 wrote to memory of 544 (msinfo32.exe), 3 entries
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

PID 1284 does not appear in the process list below, yet it holds the memory region matched by the YARA rule, loads dropped DLLs, enumerates processes and is the writer in every WriteProcessMemory entry. Its image name is not recorded on this page.
Processes
- C:\Windows\system32\regsvr32.exe (PID 3016)
  command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\786915fd97a5568543a2c219b4116abf.dll
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\mstsc.exe (PID 2584)
  command line: C:\Windows\system32\mstsc.exe
- C:\Users\Admin\AppData\Local\DV2\mstsc.exe (PID 2640)
  command line: C:\Users\Admin\AppData\Local\DV2\mstsc.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\OptionalFeatures.exe (PID 2880)
  command line: C:\Windows\system32\OptionalFeatures.exe
- C:\Users\Admin\AppData\Local\92WiHl\OptionalFeatures.exe (PID 2848)
  command line: C:\Users\Admin\AppData\Local\92WiHl\OptionalFeatures.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\msinfo32.exe (PID 3020)
  command line: C:\Windows\system32\msinfo32.exe
- C:\Users\Admin\AppData\Local\5DT4\msinfo32.exe (PID 544)
  command line: C:\Users\Admin\AppData\Local\5DT4\msinfo32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled

All seven processes are shown at the same tree depth; the parent of each is not recorded here. Each of mstsc.exe, OptionalFeatures.exe and msinfo32.exe is started once from System32 and once again from a copy in a freshly named directory under AppData\Local, and only the copy loads a dropped DLL. That is the DLL side-loading pattern: a legitimately signed system binary is placed next to a malicious DLL that it resolves by name from its own directory. The names of the dropped DLLs are not recorded on this page.
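The process list, the Run key and the Task Scheduler signature all describe the same thing: a Windows system binary executed from, or registered to start from, a user-writable directory. The following detection logic is an added example for this page, not code from the sandbox vendor or from the sample. It assumes a SYSTEM_BINARIES set holding only the three names seen in this report, a minimal set of user-writable path prefixes, and a constructed, hypothetical scheduled-task XML (the report records only that the Task Scheduler COM API was used, not a task name or action). The process and Run key samples are built from the paths on this page.

```python
"""Flag Windows system binaries that run from, or are registered to run from,
user-writable directories (the mstsc.exe / OptionalFeatures.exe / msinfo32.exe
pattern in this report). Added example, not part of the sandbox report."""
import ntpath
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Assumption: only the three names from this report; extend from your baseline.
SYSTEM_BINARIES = {"mstsc.exe", "optionalfeatures.exe", "msinfo32.exe"}
# Assumption: a minimal set of prefixes a standard user can write to.
USER_WRITABLE = [
    re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\", re.I),
    re.compile(r"^[a-z]:\\programdata\\", re.I),
    re.compile(r"^[a-z]:\\windows\\temp\\", re.I),
]
TRUSTED = re.compile(r"^[a-z]:\\windows\\(system32|syswow64)\\[^\\]+$", re.I)
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}


@dataclass(frozen=True)
class Finding:
    source: str
    path: str
    reason: str


def first_token(cmdline):
    """Executable path from a command line or Run value. Registry exports (and
    this report) render backslashes doubled, so collapse them first. Unquoted
    paths containing spaces are not handled; Windows quotes those itself."""
    s = cmdline.strip().replace("\\\\", "\\")
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split(" ", 1)[0] if s else ""


def classify_path(path, source):
    """None for a non-system binary or a genuine System32/SysWOW64 copy."""
    name = ntpath.basename(path).lower()
    if name not in SYSTEM_BINARIES or TRUSTED.match(path):
        return None
    if any(p.match(path) for p in USER_WRITABLE):
        return Finding(source, path, f"{name} run from user-writable directory")
    return Finding(source, path, f"{name} outside System32/SysWOW64")


def scan_processes(events):
    """events: dicts with 'pid' and 'cmdline' (e.g. Sysmon event ID 1)."""
    found = []
    for e in events:
        f = classify_path(first_token(e["cmdline"]), f"process pid={e['pid']}")
        if f:
            found.append(f)
    return found


def scan_run_values(values):
    """values: {value name: data} read from a ...\\CurrentVersion\\Run key."""
    found = []
    for name, data in values.items():
        f = classify_path(first_token(data), f"run_key {name}")
        if f:
            found.append(f)
    return found


def scan_task_xml(task_name, xml_text):
    """xml_text: Task Scheduler XML as exported by 'schtasks /Query /XML'."""
    found = []
    for cmd in ET.fromstring(xml_text).findall(".//t:Actions/t:Exec/t:Command", TASK_NS):
        f = classify_path(first_token(cmd.text or ""), f"scheduled_task {task_name}")
        if f:
            found.append(f)
    return found


# Constructed from the process tree on this page (PIDs and paths as listed).
SAMPLE_PROCESSES = [
    {"pid": 3016, "cmdline": r"regsvr32 /s C:\Users\Admin\AppData\Local\Temp\786915fd97a5568543a2c219b4116abf.dll"},
    {"pid": 2584, "cmdline": r"C:\Windows\system32\mstsc.exe"},
    {"pid": 2640, "cmdline": r"C:\Users\Admin\AppData\Local\DV2\mstsc.exe"},
    {"pid": 2880, "cmdline": r"C:\Windows\system32\OptionalFeatures.exe"},
    {"pid": 2848, "cmdline": r"C:\Users\Admin\AppData\Local\92WiHl\OptionalFeatures.exe"},
    {"pid": 3020, "cmdline": r"C:\Windows\system32\msinfo32.exe"},
    {"pid": 544, "cmdline": r"C:\Users\Admin\AppData\Local\5DT4\msinfo32.exe"},
]
# The Run value exactly as this page renders it (doubled backslashes).
SAMPLE_RUN = {"Niubkzso": "C:\\\\Users\\\\Admin\\\\AppData\\\\Roaming\\\\Microsoft\\\\SystemCertificates\\\\My\\\\CRLs\\\\RBpPDAEJq\\\\OptionalFeatures.exe"}
# Constructed, hypothetical task: the page gives no task name or action.
SAMPLE_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author"><Exec><Command>C:\\Users\\Admin\\AppData\\Local\\DV2\\mstsc.exe</Command></Exec></Actions>
</Task>"""


def run_report():
    return (scan_processes(SAMPLE_PROCESSES) + scan_run_values(SAMPLE_RUN)
            + scan_task_xml("HypotheticalTask", SAMPLE_TASK_XML))


if __name__ == "__main__":
    for f in run_report():
        print(f"[{f.source}] {f.path}: {f.reason}")
```

On a live host the three scanners take their input from Sysmon process-creation events, from `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run`, and from `schtasks /Query /XML`; the point of checking all three with one classifier is that the side-loaded copy and its persistence entries fail the same test.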
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1.4MB
  MD5: 355362be283e498f71083411070a1fb0
  SHA1: 296ee323103fc25e2d15e5f250bd63837f081be9
  SHA256: 18c12b151413fad471e730cf0078d1d8750105461c4504e7f19e73ad39a7390f
  SHA512: 271120bbb2e2f517e41af676c01551779740c39a013c70e5723bf2fd0f9785a83c29946b51dfc29e9e9391dec9b8cc1d38d32be75eb11f605adc5194a9d6f78a
- Filesize: 732KB
  MD5: b2ae57d46c51e5ec79907bd2ad1b6536
  SHA1: 54f93a5aa0fe922d3f52280c49ca4edd5a443895
  SHA256: 571108b440b6b1da394fcdad94ea78759e932240c754d7dd8ffb0168b0ee3209
  SHA512: c4c45b1cc91704dad8cefa9ce22a0a4343d8e911b3e1de1cc6841365767f2ef9f51601ea9913036ad62ce790e133561a92e1b269282250e176d1a2bda16bac6c
- Filesize: 256KB
  MD5: ea5698226420f430a006eb5b952c8c20
  SHA1: 1154f1a1db16d0c747d628b1fd9de82176fdb76b
  SHA256: 62654eb11d50b303da9977bb7cf78328a9266f37e282aaefc523d7be94b0642d
  SHA512: 97c00d276bd1dc6d6b9b541d18510d55c02ddb21d122c159feee061bd0da3b779d76264f23de9a7f7e59e2d51f2ce560c3ad3f161d9091e98cc38b6485302361
- Filesize: 325KB
  MD5: be4f3322feaed27ae5a582697e4d33e5
  SHA1: 5ef95ffba3e9803327cf49366cd5cb5d850ba7c7
  SHA256: e454baa0a9682dec8a8ac84ca86b2c0c4aa65efbb0b5bd6dd27e0aa694743fca
  SHA512: ef079c4fe6f0061ee00f4a69ea25e304edfbfae0a74b6761e9690abcd2bbfb2df66e12fe74cc16f972841d077c1932260986be26c7cf73c6ff9c3bffddefc35a
- Filesize: 331KB
  MD5: e66090e446fd6b7bc5bee16ccc7f367a
  SHA1: 9c2a10f5e6b1ca9575aa0574a76bc8b1c18c49dd
  SHA256: 15c893034cb79fff6e920bfd15b4ace43cb05b031d326355dbaffec17c271da2
  SHA512: 0b84b727b7219bf2d5bd58bcce56a7867043181174a7de03e66367f1a6aa8f94cf3582a537d5ad195f9b59b23f14305d56134eff35849989e5c26bcc7418cc9a
- Filesize: 1.4MB
  MD5: 8e18160955028aa6e2ffb55e6e463e02
  SHA1: 5691dedeea2968a153e67e327e2eeae59a003ef3
  SHA256: cf9b4080a333825697bdd52895789baddae7ec3ebc170716a10995c6bae52c02
  SHA512: 74725d9c956a5f69fbc7d1c7076cc085ce5a16163e832fe04e28e6347234c2240743d783749395840a94216bada625ec3007ff9efc023ec35acffd1cd4c23424
- Filesize: 1KB
  MD5: 5340f66ebb69ebd062f232123ad92055
  SHA1: 61ff1612bd7f01b64f7c775a64b02002039ff139
  SHA256: e80537ac58e440c7658d23661dc55076baf42ab8adf17712621439ded9257194
  SHA512: 4d41564bb7a5c2df2946911fb30fe48d74613d24980f12a0a0bf0c94d8f765b7d732805e5e2832da321e550f410bf20658942c24556ecd8aa93eda937678c55c
- Filesize: 1.4MB
  MD5: 8f8719e64180283621870ffb7334b5b7
  SHA1: d21df765cfcfd41c64a2e605bc158669c60caae2
  SHA256: 1671ef6833cc12c0eea3e45beb7ed411e57886770f8e1a92ed8109f5b9825742
  SHA512: 10e2f3d309e2824ba4022f11213a602daa4e565af24d5b496d2783fcb26533d884b6751e047da368f08223b19a7b832271fcf93843909ca042d8163cfb8be826
- Filesize: 370KB
  MD5: d291620d4c51c5f5ffa62ccdc52c5c13
  SHA1: 2081c97f15b1c2a2eadce366baf3c510da553cc7
  SHA256: 76e959dd7db31726c040d46cfa86b681479967aea36db5f625e80bd36422e8ae
  SHA512: 75f9bcce4c596dae1f4d78e13d9d53b0c31988d2170c3d9f5db352b8c8a1c8ca58f4a002b30a4b328b8f4769008b750b8a1c9fda44a582e11c3adc38345c334b
- Filesize: 95KB
  MD5: eae7af6084667c8f05412ddf096167fc
  SHA1: 0dbe8aba001447030e48e8ad5466fd23481e6140
  SHA256: 01feebd3aca961f31ba4eac45347b105d1c5772627b08f5538047721b61ff9bc
  SHA512: 172a8accaa35a6c9f86713a330c5899dfeeffe3b43413a3d276fc16d45cd62ed9237aa6bff29cc60a2022fba8dcc156959723c041df4b7463436a3bdabef2a9d
- Filesize: 814KB
  MD5: 839b013c01c825d2666a31a40b399798
  SHA1: 30961b25377ba427b511e3bac5ee60f0d23fb35c
  SHA256: 1fe3840d6d15a2655f5f7d85e0d265b0933c22553fbe813794feb0633b9580ee
  SHA512: 15c67bd569aa1c596c897f0b6fa951ab4e659317cbd07ce986f138c5d298f3929ccdda7bd2069bbf5766f6ae02e37a3c2677f1da42f54e0d7e3d5d543ca112c2
- Filesize: 227KB
  MD5: 23a1d2165ccab4e449a37ccae26261df
  SHA1: 866ef28cc5d19d832a771944b89cbf515d0f4dc5
  SHA256: 7c5b4878ede5a2f895e8d1fe240f8eaba79d7126c3b5ef15ff8423512ad7aafd
  SHA512: f93743bf84e13be09589283fd18de9761735322261234b3b87ad1919c2b1e1ade65adcde034637c3a04c6189b14496f033949e26e3fb4a8bc78f7a92397dc177
- Filesize: 410KB
  MD5: fbbbb1d192fdadb3c4016f55ecba6a7c
  SHA1: 0bf9174fec44c3887543edb46f0213aea56709cc
  SHA256: f83e8a61cbc1be22a281e8b8e2222b3fd1f48969f4918f1533ef780b42d2accf
  SHA512: 1ae072fbd7d291e78658ffead31839ce9bb95709925208403058a00994ebb598f36447642e7c2f768657b0d6410810c1d78df582ceb1af0291a6c70e4bff596a
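The Downloads list is the part of this report an analyst most often lifts into a blocklist, and the way the page renders it (algorithm label fused to the digest, size on its own line) is easy to scrape wrongly. The parser below is an added example for this page, not part of the sandbox report. It accepts both the fused rendering and a `MD5: <hex>` form, rejects a digest whose length does not match its label instead of emitting a silently wrong IoC, and offers a lookup by any algorithm. The first two sample entries are copied from this page; the third sample, with a truncated SHA1, is constructed.

```python
"""Turn the 'Downloads' hash list of a sandbox report into validated IoC
records. Added example for this page, not part of the report."""
import csv
import io
import re

DIGEST_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}
SIZE_RE = re.compile(r"^Filesize\s*:?\s*(\S*)$", re.I)
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s*:?\s*([0-9a-fA-F]+)$", re.I)


def parse_download_hashes(text):
    """One dict {size, md5, sha1, sha256, sha512} per 'Filesize' entry.
    Raises ValueError on a digest of the wrong length for its label."""
    entries, cur, want_size = [], None, False
    for raw in text.splitlines():
        line = raw.strip().lstrip("-").strip()   # drops the '-' separator lines
        if not line:
            continue
        m = SIZE_RE.match(line)
        if m:
            cur = {"size": m.group(1)}
            entries.append(cur)
            want_size = not m.group(1)           # size may sit on the next line
            continue
        if want_size:
            cur["size"], want_size = line, False
            continue
        m = HASH_RE.match(line)
        if m and cur is not None:
            algo, digest = m.group(1).lower(), m.group(2).lower()
            if len(digest) != DIGEST_LEN[algo]:
                raise ValueError(f"entry {len(entries)}: {algo} digest has "
                                 f"{len(digest)} hex chars, expected {DIGEST_LEN[algo]}")
            cur[algo] = digest
    return entries


def is_well_formed(text):
    try:
        parse_download_hashes(text)
        return True
    except ValueError:
        return False


def to_csv(entries):
    """CSV with one row per dropped file, ready for a blocklist import."""
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=["size", "md5", "sha1", "sha256", "sha512"])
    w.writeheader()
    w.writerows(entries)
    return buf.getvalue()


def lookup(entries, digest):
    """Entry carrying `digest` under any algorithm, or None."""
    d = digest.lower()
    for e in entries:
        if d in (e.get(a) for a in DIGEST_LEN):
            return e
    return None


# Two entries as they appear on this page (one in each rendering).
SAMPLE = """Filesize
1.4MB
MD5355362be283e498f71083411070a1fb0
SHA1296ee323103fc25e2d15e5f250bd63837f081be9
SHA25618c12b151413fad471e730cf0078d1d8750105461c4504e7f19e73ad39a7390f
SHA512271120bbb2e2f517e41af676c01551779740c39a013c70e5723bf2fd0f9785a83c29946b51dfc29e9e9391dec9b8cc1d38d32be75eb11f605adc5194a9d6f78a
-
Filesize: 1KB
MD5: 5340f66ebb69ebd062f232123ad92055
SHA1: 61ff1612bd7f01b64f7c775a64b02002039ff139
SHA256: e80537ac58e440c7658d23661dc55076baf42ab8adf17712621439ded9257194
SHA512: 4d41564bb7a5c2df2946911fb30fe48d74613d24980f12a0a0bf0c94d8f765b7d732805e5e2832da321e550f410bf20658942c24556ecd8aa93eda937678c55c
"""
# Constructed: the SHA1 above with its last three hex chars cut off.
BAD_SAMPLE = "Filesize\n1KB\nSHA161ff1612bd7f01b64f7c775a64b02002039ff\n"

if __name__ == "__main__":
    print(to_csv(parse_download_hashes(SAMPLE)))
```

Run it over the whole Downloads block to get one CSV row per dropped file; the length check is what catches a copy-paste that lost or gained characters, which otherwise becomes an IoC that never matches.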