Analysis
max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7-20231129-en
resource tags
arch:x64 arch:x86 image:win7-20231129-en locale:en-us os:windows7-x64 system
submitted
30-01-2024 22:26
Static task
static1
Behavioral task
behavioral1
Sample
82b98a019126a5f30050d77d82814f93.dll
Resource
win7-20231129-en
General
Target
82b98a019126a5f30050d77d82814f93.dll
Size
3.5MB
MD5
82b98a019126a5f30050d77d82814f93
SHA1
903191e96053b8e6ac7ba8cbea36462ca8cf27c0
SHA256
9463a439b0c76f66e03535405b713b906c9bce1453dfdc13a0ce3579c7059e41
SHA512
aa8c585df62b333496bae2c05db6dbb026df46f2dc0a535a6a743479c8f7b6d2c7c4146e21430d955f9d60f4742e5c808267e535059d9470ba921c758b88d90e
SSDEEP
12288:ZVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:YfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
Processes:
resource: behavioral1/memory/1380-5-0x0000000002B20000-0x0000000002B21000-memory.dmp
yara_rule: dridex_stager_shellcode
Executes dropped EXE 3 IoCs
Processes: mspaint.exe, msra.exe, p2phost.exe
pid | process
1848 | mspaint.exe
1796 | msra.exe
1696 | p2phost.exe
Loads dropped DLL 7 IoCs
Processes: mspaint.exe, msra.exe, p2phost.exe
pid | process
1380 | (name not recorded)
1848 | mspaint.exe
1380 | (name not recorded)
1796 | msra.exe
1380 | (name not recorded)
1696 | p2phost.exe
1380 | (name not recorded)
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Groztcac = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\gpqP\\msra.exe"
Checks whether UAC is enabled
Processes: mspaint.exe, msra.exe, p2phost.exe, rundll32.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | mspaint.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | msra.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | p2phost.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: rundll32.exe
pid | process
2880 | rundll32.exe (3 entries)
1380 | (name not recorded; the remaining 61 entries)
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
description | pid | process | target process
PID 1380 wrote to memory of 2036 | 1380 | (name not recorded) | mspaint.exe (3 entries)
PID 1380 wrote to memory of 1848 | 1380 | (name not recorded) | mspaint.exe (3 entries)
PID 1380 wrote to memory of 896 | 1380 | (name not recorded) | msra.exe (3 entries)
PID 1380 wrote to memory of 1796 | 1380 | (name not recorded) | msra.exe (3 entries)
PID 1380 wrote to memory of 1140 | 1380 | (name not recorded) | p2phost.exe (3 entries)
PID 1380 wrote to memory of 1696 | 1380 | (name not recorded) | p2phost.exe (3 entries)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Windows\system32\rundll32.exe
Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\82b98a019126a5f30050d77d82814f93.dll,#1
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2880

C:\Windows\system32\mspaint.exe
Command line: C:\Windows\system32\mspaint.exe
PID:2036

C:\Users\Admin\AppData\Local\Y4vs1\mspaint.exe
Command line: C:\Users\Admin\AppData\Local\Y4vs1\mspaint.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1848

C:\Windows\system32\msra.exe
Command line: C:\Windows\system32\msra.exe
PID:896

C:\Users\Admin\AppData\Local\19bz\msra.exe
Command line: C:\Users\Admin\AppData\Local\19bz\msra.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1796

C:\Windows\system32\p2phost.exe
Command line: C:\Windows\system32\p2phost.exe
PID:1140

C:\Users\Admin\AppData\Local\q1JNgLbp\p2phost.exe
Command line: C:\Users\Admin\AppData\Local\q1JNgLbp\p2phost.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1696
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize
53KB
MD5
f2beb3380818a1d3b3a31ca35492c4ed
SHA1
556375c96734fbd6953351e772a3a82497650be4
SHA256
50d3076b45014be7e32f866eabcab14d7454f94b85976b0c0aad1fdd561f56bb
SHA512
4e0401ab134bf5ccae8b04ff36fa2079fdef713e8e4bc0aa093d714aa3cbcfa72fd0072ef4e4ffa83d00327b8e0a67d9a4e5aa3fa75412446d4bafffad08a45f

Filesize
1KB
MD5
fee1881479374568a8d8a05b700a4fe4
SHA1
ab329330117487091aa041ed83c1d05aba5ebcda
SHA256
c47c38fad79a01a25a98de4dc01bc0f3562f8c57db802b8ec127af998f590e64
SHA512
2266c464ed4df06a201d0364901df76804bfaf93e8dde393188575f5e63fc9db239ea9c8236f434729aa699d97f1a41e003686ce467b97548f5a2d43897fe53a

Filesize
45KB
MD5
1c68e664bba559daf7293872b77d5d10
SHA1
1426e7fce119c04ef433622ae77ec5f3428a2e4e
SHA256
347fc4edd8903071d1acd42c93ac0c3695cb850b49e1946d97e3b7f9390cb24d
SHA512
3b5fe8ae2c4d31cdadbe35546e1997c3c15a54fdd83ece6dc0c42d5f5685dd50a9c96efaa565d16fd5dc70f98633d01bcba2547f99ed73ecea47ecabdf6249fa

Filesize
169KB
MD5
11039144381d4b3ab64daf1457487d37
SHA1
99a10e763e6ebfca3f5452209dba337c425c1890
SHA256
87d8579015490581352ec2d8126322123ff24eb48629040f3fc8cb4bedf04178
SHA512
3e5a6882db7823fb6289747a0617e1806185f628fa6b8ece534e9d55ab18dc66a93e5834cd298234026aacee43b5c05e886fbee062383e5ce3b817865ebccae9

Filesize
130KB
MD5
8d395e79a524374d99ea4fc7b5fde9b4
SHA1
1dfc956ef9150014c905c4a1abca7b852236560c
SHA256
1348c2ecd998de6424a7acac12eec05f5833386c65a998e9040477275093bfca
SHA512
d56d9abfbc049f225248c79415ce3d154fc55de6218af4e45f2667c3d4abcc1b1e1e83e333e40ed07772fdf68ad59f186c57fc96fbb6c7f2d624814f52154a97

Filesize
45KB
MD5
310568515c600e08c5b5743618c5f7d2
SHA1
d0aae6ef59b33a2a06a5d72c45d8ef99cb6d465b
SHA256
1ce773c7695b0c07b1f756833d2c01019f2809aaea7ca802d5902713dceb25f7
SHA512
d429e741ab35b563030f67e192c4ac7cadd1b3620fc67dcef5e7154600f49f680465284d341f8446abd7747f8f415c51c7f941b55a9e3f2bc237dd219e52af18

Filesize
42KB
MD5
0f26e9a3559fcd9ef0632508aca2de3c
SHA1
8308d90a758b0a7803b00c3a60c5006390827906
SHA256
803a5a153f07e2270e896115087fda58831841c0f8ee06862507a420f5e8e408
SHA512
6b826657c27f8118c2bd20fbc1c9d996c25c8c03d89cf049c4908620d96810e271d33bedc67c1e1c903caafbe6fbaeff919d66c06a42493080966d51d3d3a80c

Filesize
92KB
MD5
c1ce469d418497208efda563edc69927
SHA1
b0cfdec97b89ca14af36c2a32859c4fedb3a53b5
SHA256
1aff2edbe45ad6f5900e9fea376bb4d0029cbe51304c300a882445184aa73681
SHA512
81a6a492258f1afa8f234ba85abd343dc34d95f9961f0bb3a19244acd83e2fce870de640be5548604f82abb8e44743bd48a11837dfb3947f59471dd27e530402

Filesize
172KB
MD5
0dbd420477352b278dfdc24f4672b79c
SHA1
df446f25be33ac60371557717073249a64e04bb2
SHA256
1baba169de6c8f3b3c33cea96314c67b709a171bdc8ea9c250a0d016db767345
SHA512
84014b2dcc00f9fa1a337089ad4d4abcaa9e3155171978ec07bc155ddaebebfabb529d8de3578e564b3aae59545f52d71af173ebb50d2af252f219ac60b453d1

Filesize
279KB
MD5
93ca81cd11837c3f5236756f1c505eb5
SHA1
a52ea5074e80b200e19560d32985bbcbb73d71a3
SHA256
f416f38e78e77e6d2198dc365b6c982ae2d43192f67154e991b9dbfe7fbf8af8
SHA512
0b45a0e11840a3a26a41d1890d623439936afea559788f37aca0a86141493b2c1581f713f1eb530e6585af7fdef1338387afe50981830103a912f80eac93c9ea

Filesize
1KB
MD5
8096fedb7eaca1a65e1773d2994b5ca7
SHA1
ef5b195e4fc6b3949d00b5fb3c0608d1c09b250a
SHA256
62f147580774d8ce951d53137f633ed9a56ae912343d8be73e98d897e85b8fb8
SHA512
b07cd95889e1d0c2629937e1702a9f02d8726e6e16bcb8e5efb762a89d0a69455f7ea792a6cf6102fab5ea6294f3cc542b12cc58a7c964a979e57fa74876e61c

Filesize
38KB
MD5
6c1c8b64a709a6d44370a0c99aa87ae4
SHA1
836a32bfd1964a52dd3db6a35f3500924c530795
SHA256
0ed285382b8a30deb67bcfa23784f2be087e34c9de15ce96de4c592fa26cc61b
SHA512
e5af17ea02ebeabd9bf093bd3ee6eeef142ab1bb08851916844a5729706e44df6e72807df4991abed26a99e98fad107dfff912212655d04a224cffa07b9e29eb

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\AI5aLZ\P2PCOLLAB.dll
Filesize
206KB
MD5
f85a7fd91ce1966dcfa2835c3dbfa7a5
SHA1
9ca7ffeb7b11da2d727e92d9537db7426dddeadc
SHA256
e8fd8a5ea7fc17be6296631f0a6a4b3cfb887942d461a4ce32784bb3b8e672b1
SHA512
a44fc3321b8792643d25ee2beacc7d6425650767e08047eb76891a5f8d86a51b0b02bafae9f7117930f3d114e07496e271a4b3baf3ba1359da75ed822d7ae116

Filesize
38KB
MD5
f66504741905cbe1d742c133c03722e8
SHA1
60687c77d276b413bb1284f7d5e510ac5876e9e3
SHA256
1c0933aa32529ed48f64b0890a28094def995f687cb4e466443d1748e5c12f23
SHA512
37facc480def234784f0cd30f6784f10ecab0de42e0fa381956026745c0478f17c3c476d3bbd31aae3f2a02f7968e6aaec3faba5b6d54217d1f23d89fa1631d9

Filesize
16KB
MD5
d0af3305e149b1bc2722b241b75b3eef
SHA1
358c5ec22d123f92a161a5cdddc25aba5d128535
SHA256
ea0091ed06961a5db990461d2bba4d605e85e2098d2e34e41bd3a56c6489bd6a
SHA512
ad43aa7be846fa479692a9bd8e383b5c660397ea7ec0ab59164e2508ffe511db2854cd70e8a30b47112345e601cb5a7d31d669ceac78ef667473963aefb4a5ae

Filesize
164KB
MD5
378a843b86d13f4f2a26a61694ead31e
SHA1
a2dc28c9501daa3c69dc20df41b506e908f09761
SHA256
770ce5f5fb4fcc47f5852d2aef8bf26c93daa6ed334b0bddeb2e9a9143068e2b
SHA512
ab831b622c8795b58ebdb719d0dde7f5fcde12d1e379cb0b29c486ed5bc0dcefcd6541d24789d4edbd3042d268d1865a93b90ac4d1e3bab843e412f695e53fa3

Filesize
36KB
MD5
da543e3f949e4b36f6a2fd2f4c8479d0
SHA1
8de73c7295668ec28a94a39b90446f828911cf41
SHA256
a2d55f5a8c47002bc003af7737b93ec15d7ffe6339649f5f5af8481925b5ca3f
SHA512
4329322debfbe2b26eb519f00cebd07e210286e216df02efdafadf0736dbeb77d8dca4d5140fbbd6fe816ddacc96b0a8479061bf499c990c277655f3f41a473e

Filesize
63KB
MD5
c9e0d8bfa4dc8d13e7eb9f202d023449
SHA1
abd901708efa756927b1e6a12756873f02d9b388
SHA256
62458c61b55e7e01d308b7a1de1a6bc48a8fbf56b844c3a9f9aacee995a807bb
SHA512
bac5d0d58a1d5327e250115b8d60b212d83855ca95960f630f76efccd9fa1a38ce232993ae244e6cea5b7b4c0281d30b5c72db968bcf14e89ec62f62f55a20e3

Filesize
69KB
MD5
870f3386e0a3ffe93616886faa092a46
SHA1
01e764d5b00787ccc8249e81c17406245a3b20f5
SHA256
81cb47631f1fca3e1a97a5186b0b1b9570bae5c7011cfb8d3e50339de886b0be
SHA512
1e944890bbdc6a2a06d94d457728079354be5fc791e59c5b1fda2dd75ac7e048833d29c88b978a8e849100a6106cea79e27fac4a57af6bb20567ba6acb2dcf96