Analysis
- max time kernel: 150s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 27-01-2024 05:36
- Static task: static1
- Behavioral task: behavioral1
- Sample: 7968f591e01c7a4a04d2d9c53d667082.dll
- Resource: win7-20231215-en
General
- Target: 7968f591e01c7a4a04d2d9c53d667082.dll
- Size: 1.9MB
- MD5: 7968f591e01c7a4a04d2d9c53d667082
- SHA1: d360ace519351b3109e26800067532b2d26ee952
- SHA256: 00a23ef486863b29a272d8b4405e375fefa0a629927a9bccd0434886b02c5cdd
- SHA512: 261007611f113167d1e3a8c9fc1d7e6867fcb82ec8c1bf0c82f5ae6d17de7abf8807834c4d6d68720ed83c6fca428d0400ca4e86119cfe80fe1315b3cb1f29cc
- SSDEEP: 12288:3VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1V:+fP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
Processes (resource, yara_rule):
- behavioral1/memory/1260-5-0x0000000002C20000-0x0000000002C21000-memory.dmp
  yara_rule: dridex_stager_shellcode
Executes dropped EXE 3 IoCs
Processes (pid, process):
- 1312 taskmgr.exe
- 1016 iexpress.exe
- 2872 msra.exe
Loads dropped DLL 7 IoCs
Processes (pid, process; rows listing only a pid have no process name in the report):
- 1260
- 1312 taskmgr.exe
- 1260
- 1016 iexpress.exe
- 1260
- 2872 msra.exe
- 1260
Adds Run key to start application 2 TTPs 1 IoCs
Processes (description, ioc, process):
- description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\Zqonzshwxyr = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\IEDownloadHistory\\wDV7Jj\\iexpress.exe"
Checks whether UAC is enabled
Processes (description, ioc, process):
- Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA rundll32.exe
- Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA taskmgr.exe
- Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA iexpress.exe
- Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA msra.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (pid, process):
- 2912 rundll32.exe (3 entries)
- 1260 (the remaining 61 entries, with no process name listed)
Suspicious use of WriteProcessMemory 18 IoCs
Processes (description, pid, process, target process; each row is reported three times):
- PID 1260 wrote to memory of 3008 (pid 1260, target process taskmgr.exe)
- PID 1260 wrote to memory of 1312 (pid 1260, target process taskmgr.exe)
- PID 1260 wrote to memory of 1912 (pid 1260, target process iexpress.exe)
- PID 1260 wrote to memory of 1016 (pid 1260, target process iexpress.exe)
- PID 1260 wrote to memory of 2824 (pid 1260, target process msra.exe)
- PID 1260 wrote to memory of 2872 (pid 1260, target process msra.exe)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\7968f591e01c7a4a04d2d9c53d667082.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID: 2912
- C:\Users\Admin\AppData\Local\SYi\taskmgr.exe
  Command line: C:\Users\Admin\AppData\Local\SYi\taskmgr.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 1312
- C:\Windows\system32\taskmgr.exe
  Command line: C:\Windows\system32\taskmgr.exe
  PID: 3008
- C:\Windows\system32\iexpress.exe
  Command line: C:\Windows\system32\iexpress.exe
  PID: 1912
- C:\Users\Admin\AppData\Local\pQ6\iexpress.exe
  Command line: C:\Users\Admin\AppData\Local\pQ6\iexpress.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 1016
- C:\Windows\system32\msra.exe
  Command line: C:\Windows\system32\msra.exe
  PID: 2824
- C:\Users\Admin\AppData\Local\3KDM3e\msra.exe
  Command line: C:\Users\Admin\AppData\Local\3KDM3e\msra.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 2872
Network
MITRE ATT&CK Enterprise v15
Downloads