Analysis
max time kernel: 150s
max time network: 121s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 27-01-2024 15:21
Static task: static1
Behavioral task: behavioral1
Sample: 7a96d67a18be2760a733a25afcbe0987.dll
Resource: win7-20231215-en
General
Target: 7a96d67a18be2760a733a25afcbe0987.dll
Size: 1.5MB
MD5: 7a96d67a18be2760a733a25afcbe0987
SHA1: 2f8a7ab45bfa0fc5af4ebd3a32788c4d2b70d39c
SHA256: 322fdc6d77dfe2aaf96c4075f9798da0709dc4418400f9c15171be24360fed1c
SHA512: 52af3bdb3f5c190049950843159200d683f396f366f74428b9cfde0ce524c4b29a6307b1d70842abaebc2b3b37b4236631743e106bc4da1633a020cec0180007
SSDEEP: 12288:IVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1rUQ:dfP7fWsK5z9A+WGAW+V5SB6Ct4bnbr
Malware Config
Signatures
YARA rule match in process memory
resource: behavioral1/memory/1264-5-0x00000000026E0000-0x00000000026E1000-memory.dmp (a region dumped from PID 1264, a process the report never names)
yara_rule: dridex_stager_shellcode
Executes dropped EXE 3 IoCs
PID 2072 spreview.exe
PID 2884 FXSCOVER.exe
PID 1548 dpnsvr.exe
Loads dropped DLL 7 IoCs
PID 1264 (process name not recorded; 4 entries)
PID 2072 spreview.exe
PID 2884 FXSCOVER.exe
PID 1548 dpnsvr.exe
Adds Run key to start application 2 TTPs 1 IoCs
Set value (str): \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\Fskzoiv = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations\\M9RwH\\FXSCOVER.exe" (the writing process is not recorded; note that the value name and the M9RwH directory are random-looking, and the target is a copy of FXSCOVER.exe outside System32)
Checks whether UAC is enabled 3 IoCs
Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA by spreview.exe
Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA by FXSCOVER.exe
Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA by dpnsvr.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
PID 1060 regsvr32.exe (3 entries)
PID 1264, process name not recorded (the remaining 61 entries)
Suspicious use of WriteProcessMemory 18 IoCs
The source is PID 1264 in every entry (its process name is not recorded in the report); each source/target pair appears three times:
PID 1264 wrote to memory of 2696 spreview.exe
PID 1264 wrote to memory of 2072 spreview.exe
PID 1264 wrote to memory of 2872 FXSCOVER.exe
PID 1264 wrote to memory of 2884 FXSCOVER.exe
PID 1264 wrote to memory of 268 dpnsvr.exe
PID 1264 wrote to memory of 1548 dpnsvr.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times. The report records the API use only; no task name, trigger or action is listed, so the Run value above is the only persistence artefact with a concrete path.
Processes
All entries sit at depth 1 of the report's tree. PID 1264, which the WriteProcessMemory section shows writing into the six spreview.exe/FXSCOVER.exe/dpnsvr.exe processes, is not itself listed. Each System32 binary is executed once from its real location and once from a copy in a random-named directory under AppData\Local; only the copies load a dropped DLL.

C:\Windows\system32\regsvr32.exe
  Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\7a96d67a18be2760a733a25afcbe0987.dll
  PID: 1060
  - Suspicious behavior: EnumeratesProcesses

C:\Windows\system32\spreview.exe
  Command line: C:\Windows\system32\spreview.exe
  PID: 2696

C:\Users\Admin\AppData\Local\6y7qG\spreview.exe
  Command line: C:\Users\Admin\AppData\Local\6y7qG\spreview.exe
  PID: 2072
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled

C:\Windows\system32\FXSCOVER.exe
  Command line: C:\Windows\system32\FXSCOVER.exe
  PID: 2872

C:\Users\Admin\AppData\Local\wM37uuni\FXSCOVER.exe
  Command line: C:\Users\Admin\AppData\Local\wM37uuni\FXSCOVER.exe
  PID: 2884
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled

C:\Windows\system32\dpnsvr.exe
  Command line: C:\Windows\system32\dpnsvr.exe
  PID: 268

C:\Users\Admin\AppData\Local\JHrxz\dpnsvr.exe
  Command line: C:\Users\Admin\AppData\Local\JHrxz\dpnsvr.exe
  PID: 1548
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
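Hunting logic for the behaviours in this tree, as an added example; it is not part of the sandbox report and not the sample's own code. It runs offline over constructed event records: the image paths, PIDs, command line and Run value are copied from the report, while the record layout (loosely after Sysmon event IDs 1 and 13), the benign control events and the fixed SYSTEM32_NAMES set are assumptions. Three checks are applied: regsvr32 /s silently registering a DLL from the user profile; a System32 file name (spreview.exe, FXSCOVER.exe, dpnsvr.exe) executing from a directory under AppData while the genuine System32 copy also ran; and a Run value whose target is such a copy under the user profile. The report does not say what the dropped 1.5MB files are, so nothing below assumes their role.

```python
import re

# Windows binaries named in the report's process tree. In a real hunt this set
# would be built from an inventory of C:\Windows\System32 (assumption: fixed set).
SYSTEM32_NAMES = {"regsvr32.exe", "spreview.exe", "fxscover.exe", "dpnsvr.exe"}

USER_PROFILE_RE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\(?:local|roaming)\\", re.I)
SYSTEM32_DIR_RE = re.compile(r"^c:\\windows\\system32\\[^\\]+$", re.I)
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\([^\\]+)$", re.I)
# "regsvr32 [/flags] <path>.dll", optionally quoted; only the DLL path is captured.
REGSVR32_RE = re.compile(r'^(?:.*\\)?regsvr32(?:\.exe)?"?\s+(?:/\S+\s+)*"?(?P<dll>[^"]+?\.dll)"?\s*$', re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def find_regsvr32_user_dlls(events):
    """regsvr32 invocations registering a DLL that lives under the user profile
    (the delivery step: PID 1060 registering the sample from AppData/Local/Temp)."""
    hits = []
    for e in events:
        if e["type"] != "process" or basename(e["image"]) != "regsvr32.exe":
            continue
        m = REGSVR32_RE.match(e["cmdline"].strip())
        if m and USER_PROFILE_RE.match(m.group("dll")):
            hits.append({"pid": e["pid"], "dll": m.group("dll")})
    return hits


def find_masqueraded_system_binaries(events):
    """System32 file names executing from AppData (the 6y7qG, wM37uuni and JHrxz
    copies). genuine_also_ran records whether the real System32 binary of the
    same name was executed as well, i.e. the copy-then-run pairs in the tree."""
    genuine = {basename(e["image"]) for e in events
               if e["type"] == "process" and SYSTEM32_DIR_RE.match(e["image"])}
    hits = []
    for e in events:
        if e["type"] != "process":
            continue
        name = basename(e["image"])
        if name in SYSTEM32_NAMES and USER_PROFILE_RE.match(e["image"]):
            hits.append({"pid": e["pid"], "image": e["image"],
                         "genuine_also_ran": name in genuine})
    return hits


def find_run_keys_to_masqueraded_binaries(events):
    """Run values whose target is a System32 file name stored under the user
    profile (Fskzoiv pointing at the M9RwH copy of FXSCOVER.exe)."""
    hits = []
    for e in events:
        if e["type"] != "registry":
            continue
        m = RUN_KEY_RE.search(e["key"])
        if not m:
            continue
        # The report renders the string with doubled backslashes; normalise both forms.
        target = e["data"].strip('"').replace("\\\\", "\\")
        if basename(target) in SYSTEM32_NAMES and USER_PROFILE_RE.match(target):
            hits.append({"value": m.group(1), "target": target})
    return hits


def hunt(events):
    return {
        "regsvr32_user_dll": find_regsvr32_user_dlls(events),
        "masqueraded_system_binaries": find_masqueraded_system_binaries(events),
        "run_keys": find_run_keys_to_masqueraded_binaries(events),
    }


# Constructed events modelled on the report; the last three are benign controls
# (a System32 DLL registration, OneDrive running from AppData, OneDrive's Run value).
EVENTS = [
    {"type": "process", "pid": 1060, "image": r"C:\Windows\system32\regsvr32.exe",
     "cmdline": r"regsvr32 /s C:\Users\Admin\AppData\Local\Temp\7a96d67a18be2760a733a25afcbe0987.dll"},
    {"type": "process", "pid": 2696, "image": r"C:\Windows\system32\spreview.exe", "cmdline": r"C:\Windows\system32\spreview.exe"},
    {"type": "process", "pid": 2072, "image": r"C:\Users\Admin\AppData\Local\6y7qG\spreview.exe", "cmdline": r"C:\Users\Admin\AppData\Local\6y7qG\spreview.exe"},
    {"type": "process", "pid": 2872, "image": r"C:\Windows\system32\FXSCOVER.exe", "cmdline": r"C:\Windows\system32\FXSCOVER.exe"},
    {"type": "process", "pid": 2884, "image": r"C:\Users\Admin\AppData\Local\wM37uuni\FXSCOVER.exe", "cmdline": r"C:\Users\Admin\AppData\Local\wM37uuni\FXSCOVER.exe"},
    {"type": "process", "pid": 268, "image": r"C:\Windows\system32\dpnsvr.exe", "cmdline": r"C:\Windows\system32\dpnsvr.exe"},
    {"type": "process", "pid": 1548, "image": r"C:\Users\Admin\AppData\Local\JHrxz\dpnsvr.exe", "cmdline": r"C:\Users\Admin\AppData\Local\JHrxz\dpnsvr.exe"},
    {"type": "registry", "pid": None,  # the report does not name the writing process
     "key": r"\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\Fskzoiv",
     "data": r"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations\\M9RwH\\FXSCOVER.exe"},
    {"type": "process", "pid": 3000, "image": r"C:\Windows\system32\regsvr32.exe", "cmdline": r"regsvr32 /s C:\Windows\System32\msxml3.dll"},
    {"type": "process", "pid": 3001, "image": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe", "cmdline": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    {"type": "registry", "pid": 3001,
     "key": r"\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "data": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
]

if __name__ == "__main__":
    for rule, hits in hunt(EVENTS).items():
        print(rule)
        for h in hits:
            print("   ", h)
```

The masquerading check is deliberately name-based rather than hash-based: the copies in AppData are presumably unmodified Windows binaries (the report flags "Executes dropped EXE", not a tampered file), so a hash match against System32 would pass, and a signature check would too. What does not pass is the location, and pairing it with the genuine binary's execution and with a Run value pointing into the profile gives three independent signals from one report.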
Network
MITRE ATT&CK Enterprise v15
Downloads
Fifteen files were written during the run; the report gives sizes and hashes only, no paths or names. Three of them are 1.5MB, the same size as the submitted DLL.

Filesize: 79KB
MD5: 49a328dc3123e068a04a0409bb8e4944
SHA1: fcb54507db46a4249d5606e45ef42d3d612b6a6e
SHA256: 74359e58c5d3adac5db8c2e2cc283d63486a6306fa65588b1860db8221f7b20e
SHA512: a53316fb040b79cf206b81ab9bff933f6e3c5921f4ae9ec71e4e49822e2ebe816bfed9cf5da5c55f739d0cfa39efde0a5d1afdaf3629b3d1d67c0cd9509f8635

Filesize: 131KB
MD5: bfeeb0db1b0fe23ed4059337a60f1c32
SHA1: ec56f2351f69f17465773c503b4af0b84a7aefb5
SHA256: 53c11a22fe7c4a94cba22940b6dfa514cb95a512a3e632c83d974ad545e6c93d
SHA512: bed36b54f837c73fa190efe96ba1bdcc4fb6cd3850be4c11386be523d2c06b9c821f914d6aa2dbfbc71634ed4246557e2e2c2f4c7d72f1323be40bf18ed20f59

Filesize: 1.5MB
MD5: 849efd7563364efddadafa3a9e1538c2
SHA1: 9f8c0501adf67c7a256664a404411d2b12c076d2
SHA256: ccb3606cb74614b5a727cf568b99960dcce3e4ca48691a369c36b27b59d18314
SHA512: d3db0a15149bba57b7d7ac4189ee7d97a511921cf5da61393564fed4817d08a8ba448f6fd69b4a822de1e56a2aef0165434cd6b0a5e65712ee9662b87e1173ff

Filesize: 33KB
MD5: 6806b72978f6bd27aef57899be68b93b
SHA1: 713c246d0b0b8dcc298afaed4f62aed82789951c
SHA256: 3485ee4159c5f9e4ed9dd06e668d1e04148154ff40327a9ccb591e8c5a79958c
SHA512: 43c942358b2e949751149ecc4be5ff6cb0634957ff1128ad5e6051e83379fb5643100cae2f6ef3eaf36aff016063c150e93297aa866e780d0e4d51656a251c7b

Filesize: 126KB
MD5: d7624dabe53e1a21fcc3f82156c19ee7
SHA1: 1f84605ca0a8025976cafcd25938acf9b57306f3
SHA256: 76818bc0327d32ccc4f7faf6ff10159ed8f9b0424c8b507f9db2c00cf2b76054
SHA512: 9b81a9b7ad1b4b989ca36442ddd7ab26ad7d1401271b013432fb82c47a6629bd51288ded4c84ae647f83896069e08874170dccb0333deb9f7ec5d5223eaf6001

Filesize: 169KB
MD5: fb6efbd62bf00ae811ff799c0ce11e18
SHA1: d801058da595318c2f7dd43404669684007d4403
SHA256: 910607f6fb0d1a9f61cdf85f29f05ec0851b59ccd0619501b8fec8f2beda3785
SHA512: 3b11f0692c567a584ef49870dbad1a0baa0cbee18948a431991aebce32b1f64d55a9a2c289a2c55e996ce5c4c07233c5f28cff2e2119ad0a9ea261351deb00b9

Filesize: 311KB
MD5: 3484e717f73a0ff2dcc808b55d5d06be
SHA1: e0e543987e7b378f0bc227536b7163d96208d315
SHA256: d77d4a6284361be90359a3030a8fe989c6ba2d30f413eb0b8968960a3b39ea86
SHA512: 899d8ef6e5511512b4af62215f233df3a473e6daaf9490d301d1c813e53266e7db4a8d891dd80daa1b0fec3184a614dd323b121f404238314685527dd628b618

Filesize: 1KB
MD5: 216fcee358ceddef053562ddd7350424
SHA1: 25a994be261838f92c53da6ff786ea5dfd4f910f
SHA256: de6ce2dd54900f613555a34592f5404b9399e26a2aee9ef519a47a82a33aee91
SHA512: 670afc5e93f78c29a408925c3d585473053ff2f96ff21b496336b3d86dd4271e6b07e6e7c9143ffcda113095c7684df1a92e1afc3833e5af48c9f025ed0be023

Filesize: 294KB
MD5: 704cd4cac010e8e6d8de9b778ed17773
SHA1: 81856abf70640f102b8b3defe2cf65669fe8e165
SHA256: 4307f21d3ec3b51cba6a905a80045314ffccb4c60c11d99a3d77cc8103014208
SHA512: b380264276bad01d619a5f1f112791d6bf73dc52cdd5cca0cc1f726a6f66eefc5a78a37646792987c508f9cb5049f0eb86c71fb4c7a2d3e670c0c8623f0522ee

Filesize: 1.5MB
MD5: e5883fabc54918b25cd3c6beb79c4de6
SHA1: 242ddbed4134c6a81c8b0ddf7fe07aa4ad60d17e
SHA256: fea00faa4a606b618f40ae483ece9528e0de0c7013e2b89840e1c3c664c82391
SHA512: 48fc8970a72a5b4eaa99502a69f3b64d17cc3deaf48c8f23edf2a674dc4963b8a34c35cabca45253dadbeca3607fa2d44abc9d3b6112c62f71879649415f5e6d

Filesize: 1.5MB
MD5: 3b0247483656d6add4df27e3e81a5458
SHA1: fddc67bf6063706e517c28f302c00a917a8255eb
SHA256: 82e2dd2f098c07ad0760cba9cc420be9ac0f10c48e44f29fc1575e7100bcba72
SHA512: 0ff854a5ba9109c4c65cc1c063ef84b0f1c1fa09a4eb0dc258b915b50b2aee2c02c238e19b07223bc1b36f2e52c87a92d03bf89d579179627dba9fda7b75e395

Filesize: 45KB
MD5: f2d8450375ada664ce46267b9452a845
SHA1: fb5bb7f2288791a9fa80f2257701bf8f5f6a48e4
SHA256: 33978bfcf4bb7d9ada1460c0e9a494837d0f1a600aa94ff9770d05934e9f1a38
SHA512: 1922c0258aab4abc905181e3a7e3d58444e171a226c1a8180a2ef6d75441e212c0f4448ce0760322d8f18b0c9863943a41d80402237444156b9fcf3b2de0c094

Filesize: 214KB
MD5: 3e4480e8e630c18db403ade20f829483
SHA1: da40ee9fae2c120fd7b3026176d743239a8bbd14
SHA256: 7c8a52298084de967bbf5f88f9709b1e860a47d7d683a2eabb88dd1ebc7422dc
SHA512: 61df1ea806167965d152590c6f9ab9f9df53886262f915be44c8760e946373c14e5cba5f7b5daa378e977861277b2572238231d6c2c8a29e36a4aeccf8f0c8f0

Filesize: 261KB
MD5: 5e2c61be8e093dbfe7fc37585be42869
SHA1: ed46cda4ece3ef187b0cf29ca843a6c6735af6c0
SHA256: 3d1719c1caa5d6b0358830a30713c43a9710fbf7bcedca20815be54d24aa9121
SHA512: 90bf180c8f6e3d0286a19fcd4727f23925a39c90113db979e1b4bbf8f0491471ad26c877a6e2cf49638b14050d952a9ee02a3c1293129843ec6bba01bc325d0b

Filesize: 273KB
MD5: b4683a76616990432f8d7e0d544b7037
SHA1: 91c1d57c0019d31e0a68216f68cdc0232c78abdc
SHA256: 7d83d03a8c28f81f1cdb05dbefdbbdedead416cd566f70996f46b9eaf7136a24
SHA512: 3ce14b0a19489653af7dc3629e7db09028f06d011b852b88f149e4dd28fbe39508fc92171754627d0d5e66d2d835bd4b500142960c42fc5c0c63b0d8a18c0f6e