Analysis
- max time kernel: 150s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 26-01-2024 20:54

Static task: static1
Behavioral task: behavioral1
- Sample: 785ce10521b549ee5b635b6aaebf7f7f.dll
- Resource: win7-20231215-en
General
- Target: 785ce10521b549ee5b635b6aaebf7f7f.dll
- Size: 1.6MB
- MD5: 785ce10521b549ee5b635b6aaebf7f7f
- SHA1: abe7c72eef2d7414f84b0ff9811cfea344a35078
- SHA256: 2841518b5acc66a9fdbea00ba90c5775124fca822a3ae725b7dc86d68bfe4689
- SHA512: eeb6d2c24914bef11cd8e74a1703fd65dda1d9d3fedf78bc9958c970ab69c28fd7d9963300fecc5d0076e082516d275ae8213a3cdfeb085d744b25bd447fb525
- SSDEEP: 12288:7VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:afP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
- yara_rule match
  Processes (resource, yara_rule):
  - behavioral1/memory/1196-5-0x0000000002D90000-0x0000000002D91000-memory.dmp; dridex_stager_shellcode
- Executes dropped EXE (3 IoCs)
  Processes (pid, process):
  - 3052 ddodiag.exe
  - 2872 Utilman.exe
  - 1312 perfmon.exe
- Loads dropped DLL (7 IoCs)
  Processes (pid, process):
  - 1196
  - 3052 ddodiag.exe
  - 1196
  - 2872 Utilman.exe
  - 1196
  - 1312 perfmon.exe
  - 1196
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description, ioc, process):
  - Set value (str); \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rtxtioiynm = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\gskfRJB\\Utilman.exe"; (process not recorded)
- Checks whether UAC is enabled
  Processes (description, ioc, process):
  - Key value queried; \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA; rundll32.exe
  - Key value queried; \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA; ddodiag.exe
  - Key value queried; \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA; Utilman.exe
  - Key value queried; \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA; perfmon.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid, process):
  - 2184 rundll32.exe (3 entries)
  - 1196 (remaining 61 entries; no process name recorded)
- Suspicious use of WriteProcessMemory (18 IoCs)
  Processes (description, pid, target process):
  - PID 1196 wrote to memory of 2684; 1196; ddodiag.exe (3 entries)
  - PID 1196 wrote to memory of 3052; 1196; ddodiag.exe (3 entries)
  - PID 1196 wrote to memory of 2860; 1196; Utilman.exe (3 entries)
  - PID 1196 wrote to memory of 2872; 1196; Utilman.exe (3 entries)
  - PID 1196 wrote to memory of 1976; 1196; perfmon.exe (3 entries)
  - PID 1196 wrote to memory of 1312; 1196; perfmon.exe (3 entries)
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\785ce10521b549ee5b635b6aaebf7f7f.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID: 2184
- C:\Windows\system32\ddodiag.exe
  Command line: C:\Windows\system32\ddodiag.exe
  PID: 2684
- C:\Users\Admin\AppData\Local\mWsxs\ddodiag.exe
  Command line: C:\Users\Admin\AppData\Local\mWsxs\ddodiag.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 3052
- C:\Windows\system32\Utilman.exe
  Command line: C:\Windows\system32\Utilman.exe
  PID: 2860
- C:\Users\Admin\AppData\Local\SDfUtMnc\Utilman.exe
  Command line: C:\Users\Admin\AppData\Local\SDfUtMnc\Utilman.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 2872
- C:\Users\Admin\AppData\Local\Xm2\perfmon.exe
  Command line: C:\Users\Admin\AppData\Local\Xm2\perfmon.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 1312
- C:\Windows\system32\perfmon.exe
  Command line: C:\Windows\system32\perfmon.exe
  PID: 1976
Network
MITRE ATT&CK Enterprise v15
Downloads
Files with a recorded path:
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\yCQ41miA8\Secur32.dll (1.6MB)
- \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\yCQ41miA8\perfmon.exe (58KB)