Analysis
- max time kernel: 150s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 27-01-2024 04:12
Static task: static1
Behavioral task: behavioral1
Sample: 793df85f287f06c4764a229b404e0a7f.dll
Resource: win7-20231215-en
General
- Target: 793df85f287f06c4764a229b404e0a7f.dll
- Size: 660KB
- MD5: 793df85f287f06c4764a229b404e0a7f
- SHA1: 454ad7fe4ede68aeffa2144dc95d22618a17a17e
- SHA256: 823691284d6b7786dee73b7315b3cd146eac4160d5f7fca663cab821b66698fa
- SHA512: e20fce0797127f695247109fa01d39db3304fee14aa34441cc5f88c3ea38c18bf8d013b2207c57dd56b542dc9eaee0100a3c3c58c326be54677e760dd7f50c9f
- SSDEEP: 6144:Z34xznfAp4x+NWMqW/KZ1vCDTEpc2bysCZR6iwAtUnWKT5WK8Rpv1llfFfCRAuTF:ZIKp/UWCZdCDh2IZDwAFRpR6Au
Malware Config
Signatures
- Processes (resource | yara_rule):
  behavioral1/memory/1200-4-0x0000000002B60000-0x0000000002B61000-memory.dmp | dridex_stager_shellcode
- Processes (resource | yara_rule):
  behavioral1/memory/1220-1-0x000007FEF6C70000-0x000007FEF6D15000-memory.dmp | dridex_payload
  behavioral1/memory/1200-15-0x0000000140000000-0x00000001400A5000-memory.dmp | dridex_payload
  behavioral1/memory/1200-22-0x0000000140000000-0x00000001400A5000-memory.dmp | dridex_payload
  behavioral1/memory/1200-34-0x0000000140000000-0x00000001400A5000-memory.dmp | dridex_payload
  behavioral1/memory/1200-33-0x0000000140000000-0x00000001400A5000-memory.dmp | dridex_payload
  behavioral1/memory/1220-42-0x000007FEF6C70000-0x000007FEF6D15000-memory.dmp | dridex_payload
  behavioral1/memory/1252-50-0x000007FEF6D20000-0x000007FEF6DC7000-memory.dmp | dridex_payload
  behavioral1/memory/1252-55-0x000007FEF6D20000-0x000007FEF6DC7000-memory.dmp | dridex_payload
  behavioral1/memory/1380-67-0x000007FEF66D0000-0x000007FEF6776000-memory.dmp | dridex_payload
  behavioral1/memory/1380-73-0x000007FEF66D0000-0x000007FEF6776000-memory.dmp | dridex_payload
  behavioral1/memory/1788-90-0x000007FEF66D0000-0x000007FEF6776000-memory.dmp | dridex_payload
- Executes dropped EXE (3 IoCs)
  Processes (pid | process):
  1252 | winlogon.exe
  1380 | msra.exe
  1788 | sethc.exe
- Loads dropped DLL (7 IoCs)
  Processes (pid | process):
  1200 | (no process name recorded)
  1252 | winlogon.exe
  1200 | (no process name recorded)
  1380 | msra.exe
  1200 | (no process name recorded)
  1788 | sethc.exe
  1200 | (no process name recorded)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description | ioc | process):
  Set value (str) | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\Lgpbj = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\ACCESS~1\\QpjyFUS\\msra.exe" | (no process name recorded)
- Checks whether UAC is enabled
  Processes (description | ioc | process):
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | winlogon.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | msra.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sethc.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid | process):
  1220 | rundll32.exe (3 entries)
  1200 | (no process name recorded; the remaining 61 entries)
- Suspicious use of WriteProcessMemory (18 IoCs)
  Processes (description | pid | process | target process):
  PID 1200 wrote to memory of 2596 | 1200 | (no process name recorded) | winlogon.exe (3 entries)
  PID 1200 wrote to memory of 1252 | 1200 | (no process name recorded) | winlogon.exe (3 entries)
  PID 1200 wrote to memory of 2536 | 1200 | (no process name recorded) | msra.exe (3 entries)
  PID 1200 wrote to memory of 1380 | 1200 | (no process name recorded) | msra.exe (3 entries)
  PID 1200 wrote to memory of 308 | 1200 | (no process name recorded) | sethc.exe (3 entries)
  PID 1200 wrote to memory of 1788 | 1200 | (no process name recorded) | sethc.exe (3 entries)
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\793df85f287f06c4764a229b404e0a7f.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID: 1220
- C:\Windows\system32\winlogon.exe
  Command line: C:\Windows\system32\winlogon.exe
  PID: 2596
- C:\Users\Admin\AppData\Local\AUyx93Rp\winlogon.exe
  Command line: C:\Users\Admin\AppData\Local\AUyx93Rp\winlogon.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 1252
- C:\Windows\system32\msra.exe
  Command line: C:\Windows\system32\msra.exe
  PID: 2536
- C:\Users\Admin\AppData\Local\v544g\msra.exe
  Command line: C:\Users\Admin\AppData\Local\v544g\msra.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 1380
- C:\Windows\system32\sethc.exe
  Command line: C:\Windows\system32\sethc.exe
  PID: 308
- C:\Users\Admin\AppData\Local\ZlJ5xMj\sethc.exe
  Command line: C:\Users\Admin\AppData\Local\ZlJ5xMj\sethc.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 1788
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 668KB
  MD5: 0f7b1cd42cb3008b513c68b61cd3edac
  SHA1: dad4038551566471c408d0c467aa8df5efd02fb2
  SHA256: eaa3e3df2d903a176a9ba47bd617c5a9dbbfc910e076ab5f0f6ae436418fd0f4
  SHA512: 56c0b2ec7a68ea554235d6cf9634dabaf5aa9f7fbc57011c70d96e5f7aabdf14d32676a72d07cd779b01789c19a72131d424aac083841a8e1920e2fa8fc3e519
- Filesize: 664KB
  MD5: 677dc45dd6238854f18e3c9e75348af4
  SHA1: c6424a702fc06e551b390aa38f4547608c1a748d
  SHA256: 543e9c0a6dc3515494a173d16fa8118d8503800cbb25c165f0b4e7c7dea01c4d
  SHA512: d09e0fa1b44a34b86546d36e56943647d4eb27ae7aa8fc2679ef7079dd38e8e6fe29f2142877e23e1b2fdb3bd08158ce281bf5bd28d22ddedfbed55ec0dfc204
- Filesize: 636KB
  MD5: e79df53bad587e24b3cf965a5746c7b6
  SHA1: 87a97ec159a3fc1db211f3c2c62e4d60810e7a70
  SHA256: 4e7c22648acf664ab13dfeb2dc062ae90af1e6c621186981f395fb279bbc9b9d
  SHA512: 9a329c39ce0bc5aede01e96c4190cc7ccd17729fbc3a2b6df73057be8efaa3fa92cfef6e26a25bde6f7f94f64f6d6d0e4c5459aef2aead367e43178dd275acfb
- Filesize: 1KB
  MD5: 451d3c5dbfe045f7047207e8a48c2e28
  SHA1: 5cb9a8ea1a705bb69520cea6300b2a79ba476dce
  SHA256: 1d77f0898c66bc0a2723911e2492c6b57f8b29e5f6b84f90aedca50b0f50eb5d
  SHA512: 19afaec36d2dcca0160d3049aeead04ae9177981f2d76be52d523d3a128ccf03d666073dd8d7794f9cf7dc3eec7655bc1836e74fb8b9d8945d5cb5f4e97f514e
- Filesize: 381KB
  MD5: 1151b1baa6f350b1db6598e0fea7c457
  SHA1: 434856b834baf163c5ea4d26434eeae775a507fb
  SHA256: b1506e0a7e826eff0f5252ef5026070c46e2235438403a9a24d73ee69c0b8a49
  SHA512: df728d06238da1dece96f8b8d67a2423ed4dcb344b42d5958768d23bd570a79e7189e7c5ba783c1628fe8ddd1deaebeacb1b471c59c8a7c9beb21b4f1eb9edab
- Filesize: 664KB
  MD5: d292aac9f1b55a652fbd9f2743d27659
  SHA1: 268cf9c4a0258371a1705e068d1adeaf5c80c333
  SHA256: 9399d8785a4da618530d08c1c67f7409a048e27788d24c196776c9f7effd2c26
  SHA512: 4128188f00c0ac441cd053b52d88ddf06cb6ac55e234c8c934e24c67a17295df9a110bca77cab410e4226c19a824951d5695840bcefefb5718962d6405bbb40b
- Filesize: 272KB
  MD5: 3bcb70da9b5a2011e01e35ed29a3f3f3
  SHA1: 9daecb1ee5d7cbcf46ee154dd642fcd993723a9b
  SHA256: dd94bf73f0e3652b76cfb774b419ceaa2082bc7f30cc34e28dfa51952fa9ccb5
  SHA512: 69d231132f488fd7033349f232db1207f88f1d5cb84f5422adf0dd5fb7b373dada8fdfac7760b8845e5aab00a7ae56f24d66bbb8aa70c3c8de6ec5c31982b4df