Analysis
max time kernel: 150s
max time network: 121s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64 arch:x86 image:win7-20231215-en locale:en-us os:windows7-x64 system
submitted: 30-01-2024 09:15
Static task: static1
Behavioral task: behavioral1
Sample: 820d38a0c687ab0b550fe547c7bb1d6a.dll
Resource: win7-20231215-en
General
Target: 820d38a0c687ab0b550fe547c7bb1d6a.dll
Size: 1.7MB
MD5: 820d38a0c687ab0b550fe547c7bb1d6a
SHA1: cf838d2bfcdc092fc2ed5d91225c487dbeaa0c54
SHA256: 9ddd12552dc5850ed10c847816d6e5f80272a66117d765587662065ede3435c5
SHA512: a0786486bf985c7872c50c7e6a5af21ecee4295ec3fff1cae965d59422004bc00ce346e31c66a2af0c0481db634aeb87393dff80795f6a57903ee3f17426ca4e
SSDEEP: 12288:jVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:yfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
Processes:
resource: behavioral1/memory/1252-5-0x00000000029E0000-0x00000000029E1000-memory.dmp
yara_rule: dridex_stager_shellcode
Executes dropped EXE 3 IoCs
Processes: msdtc.exe, xpsrchvw.exe, dvdupgrd.exe
pid   process
2076  msdtc.exe
1632  xpsrchvw.exe
1732  dvdupgrd.exe
Loads dropped DLL 7 IoCs
Processes: msdtc.exe, xpsrchvw.exe, dvdupgrd.exe
pid   process
1252  (no process name listed)
2076  msdtc.exe
1252  (no process name listed)
1632  xpsrchvw.exe
1252  (no process name listed)
1732  dvdupgrd.exe
1252  (no process name listed)
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\Pfoxtyecp = "C:\\Users\\Admin\\AppData\\Roaming\\Identities\\{EE07B9B8-79CB-4B35-87AB-D4E1BF99C984}\\N25vjPXg\\xpsrchvw.exe"
process: (no process name listed)
Checks whether UAC is enabled
Processes: rundll32.exe, msdtc.exe, xpsrchvw.exe, dvdupgrd.exe
description        ioc                                                                                  process
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  msdtc.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  xpsrchvw.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  dvdupgrd.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: rundll32.exe
pid   process
2088  rundll32.exe
2088  rundll32.exe
2088  rundll32.exe
1252  (repeated for all remaining entries; no process name listed)
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
description                       pid   process                   target process   entries
PID 1252 wrote to memory of 1412  1252  (no process name listed)  msdtc.exe        3
PID 1252 wrote to memory of 2076  1252  (no process name listed)  msdtc.exe        3
PID 1252 wrote to memory of 2960  1252  (no process name listed)  xpsrchvw.exe     3
PID 1252 wrote to memory of 1632  1252  (no process name listed)  xpsrchvw.exe     3
PID 1252 wrote to memory of 2188  1252  (no process name listed)  dvdupgrd.exe     3
PID 1252 wrote to memory of 1732  1252  (no process name listed)  dvdupgrd.exe     3
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\820d38a0c687ab0b550fe547c7bb1d6a.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID: 2088

C:\Users\Admin\AppData\Local\rmMTk\msdtc.exe
  command line: C:\Users\Admin\AppData\Local\rmMTk\msdtc.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 2076

C:\Windows\system32\msdtc.exe
  command line: C:\Windows\system32\msdtc.exe
  PID: 1412

C:\Windows\system32\xpsrchvw.exe
  command line: C:\Windows\system32\xpsrchvw.exe
  PID: 2960

C:\Users\Admin\AppData\Local\bDxi\xpsrchvw.exe
  command line: C:\Users\Admin\AppData\Local\bDxi\xpsrchvw.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 1632

C:\Windows\system32\dvdupgrd.exe
  command line: C:\Windows\system32\dvdupgrd.exe
  PID: 2188

C:\Users\Admin\AppData\Local\HeBC\dvdupgrd.exe
  command line: C:\Users\Admin\AppData\Local\HeBC\dvdupgrd.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 1732
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 45KB
MD5: 58cbfac6abadc2d92aff1c5c5aa86879
SHA1: c160e19ac173df690ec73da52922ea6abd395833
SHA256: f0db1da855ef94cb20981108b374d4320d84461c62caf2071dd0a4562f7fad41
SHA512: 32d05690c639377cab09b7edc1f1ee365257f6efffc8b18cfc7576bd69ebb9302ec57a45e358eaa2daffd04774f85664bbba0cfed23446428ba971ffcf192373

Filesize: 70KB
MD5: 6444714a86acf918262446a41b131b98
SHA1: 3945fc27b26fc68dbadeaaf8a4d59dd7135329df
SHA256: 26c0b88b4fc45448fa9d4b96524aeea0dd81c6f95024a3a204bae605dc851d80
SHA512: 3351fd7637243929beb4be3acf4a75656624426d0061e9271dc3bccaad098d1a851f69c450d49a9eeeae140676d509b647574fe957056e21d0da5c4d48972bc4

Filesize: 76KB
MD5: 3e2646f3d1a868e0774bdd6bf0e3fdbb
SHA1: a4ad399a09cbec61d66bd54fddef7c746d06b331
SHA256: b93ce0e56607aca153204c2f5818bccef6b06281de99af7edbc11b15afbd5b21
SHA512: ae262b118eaeb06798d45f1f609ddf4f5c678f441cd48f71e3bb4b457a03c41fdd0ca5813d7a75a4ed1a70bd6bec97edd8c47f64fe5e372be2116ef71dc79536

Filesize: 70KB
MD5: 8a338de9707bf3074d52792f3a4f63f7
SHA1: c881b28391d8356aec51e921bdddfb6e9d0ce10d
SHA256: 9d510d9cb87dd7715e6c7d23ae6263d42acbbe1cc8ac0af73c2c094ed41bb5e2
SHA512: 57c91bacc0190f48efe616804318e0689b5e14980c9d206197aa2758294e669e729074a8b5d6594a723674948a4e87981280f9c5a681a610eb50a2a87d615421

Filesize: 50KB
MD5: 52f8a5a54b41ca32c40a6916e73197ce
SHA1: 01ef11397d73f279faf22addedc73eadb900d45f
SHA256: bc567c5f7a0fdc576b562168def556bd7edaa09c2cd64cbc4d923cfa9dc7f944
SHA512: aa54d1e7f4727ae0420821baa9c83cc12a21582072b44acb460eb71f479cda3329a167685fcc8584785a3d44264ec007c547545283ef62cdee83691f7ea98786

Filesize: 27KB
MD5: 8d0d0b42476449211e2ea9c4aed1b16f
SHA1: de9b4f5cf5bf5a975da5f343791a264e152c4e2d
SHA256: 9d70f548379eaf1916fbfb5b3c04a05419885a8c0078027ff196e7fd921a9c83
SHA512: 877b59c824e648a990700c2f0449feaacaf25d2c3284fcca2b3ebad0d5607c04a2d80195a637a6750a92ed1c3ec0399e2573c56ec1c11a6de3a67fd8ab256eb0

Filesize: 6KB
MD5: 04f9770f8c428db3a7c5fd5024e2e773
SHA1: 779a87a6359532e8efcb4d73937a665e953f2237
SHA256: 81a24f85a8e976c180ebc8a17d332a0d3f96a315e649dedf0e5651fad85f5d5d
SHA512: c0d8ae404c5fc85890c68b5e53b1c530626a03cc4c7a63e35b22d5b8b99d282345d530ba2709b45cb0b0a52087f94c38afe4d3aab86b9c4182439178cbee2f12

Filesize: 1.7MB
MD5: c6a8780b9094a4c9e576f25e0f203808
SHA1: 726b0512a2118a0c08e68cc1e6f5eeffb1cf0008
SHA256: 4ab0fa46684644ea21357747ea3d115d76e0e38808fb4ecc52da49a9058338ec
SHA512: 1f0dbc64709a895a36303cda98e3fdaa617d0bdde582cf797993aa62ce2be16e53ec1c14f0fe1ff667dbcccbf4f2a4bbd070ab407bcc6bd09bd44015c2f84c24

Filesize: 1KB
MD5: 444afa9370f304f2a7246432a51b8188
SHA1: 15964e83c411589d86c480cb86b34bad1765bd57
SHA256: d6c054ca01e14f68363dca9d7dd448211d1b4bd92ace134fd9f12d3d4579046d
SHA512: e19cc76999cca62a6be62fb207ef8fdf62327cb5df468844b66fa33c7e24399979b04550b4ca7c3fd56523fe8c90752f8bde0fffa38edd107a538e63286dbe6a

Filesize: 1.7MB
MD5: 62c6aa0a49457b866379408ba07e52a2
SHA1: 06a5034b12012e61359a8b8afee1ef21daa26067
SHA256: 3d68c0a1a91c9fa7dcd896d239922995d78d8c23d79ce249557d769ced376bd1
SHA512: 20a6948f44d5c10bbbc012b3d162173443496ad98757561474df4fae95be1dc730f30e1f1963a17dde14bbb49ea3584bb1e8708493951d44a82da96ef127c8f9

Filesize: 1.7MB
MD5: 30ee7c135b5e11f6d07a50f7fad01ee1
SHA1: 3913fd92a91185fbe731a3b8bea5eb68edf91cb2
SHA256: 67956266b4948bf6e3cf27746b5522a6f22a809c5c660004798212c2ce2ba843
SHA512: 7bf8d139fb7a685b08c667cacf4d1a599f597c08b657fa027a530a865a9e0cfda3af1e84bc3ff38e0c17184145425cbf2311a0af7e2f6970e956cfd7cde8d7ca

Filesize: 76KB
MD5: fdc0988d1be75ecf8ca94637eafb9d17
SHA1: 259e4c5b15ebbf6c2bd1c32e67659e71d1e02950
SHA256: ab7d21de90a43de9723ad062e26326690ce8b72d5768e6583318dc6ec384a5ff
SHA512: b6c1c69eb81968fcb4cc4948b6580d753d88be552875d82a6f3d1159997210a68ac3e9f541e6b43165135e0eaf8ad7c332d3ba886908efc7014babfbe101a7de

Filesize: 25KB
MD5: 75a9b4172eac01d9648c6d2133af952f
SHA1: 63c7e1af762d2b584e9cc841e8b0100f2a482b81
SHA256: 18f9f520c7157023b0e7dfe7433a63c4dedd47b04d24aac4038b795893050736
SHA512: 5a7a2c7f184efd9c84256a1a0a5e7aeb95432d63a567196be54e7a9437a5ada9b922983c5fc0cafb16eab4493665d8e56e2f646f9f6a2d6179986925ffcdf769

Filesize: 45KB
MD5: ea3d8c37c78f2a613539f3dcceb68282
SHA1: 1a44a18cb4fec329cfb4dcf0074712c693e583da
SHA256: 428a724f11082b06ee0e0377cf512dada65e1405966a7b4f7cabe1a702377c05
SHA512: 9c3fa5aa16b271b29616d49025f3313a46064e0dd1582d9ee3c1d8b61d10468f83264f85940a10cd6b6a80ba1c520f6109a49729e16e3b79a195f8d7f3c814b2

Filesize: 45KB
MD5: 84c667411eb48a55d85110ccfa8b66e3
SHA1: eab28a3548c6b8d9363d2ab0229331cb75d93b33
SHA256: c45c4a1ccaa0f70bc30fa7d5f95a8ea5c22520b0bfad6a365b8913d805a61279
SHA512: fa490be19eb18dc52913623a86eaa547fb46dcde6f6b2e773a8af94cf0852c80f380e8e55f2d726849f001d3dd15ff405ef07d056ed5616777696dda7e3536c1

Filesize: 1KB
MD5: e8a4711c70110f534df903f74c385d43
SHA1: a2a38c864830d40e48a6c133174e362bf7a3800d
SHA256: 2a94850ec9f9e20a70de062a634a75196899aad6c2c5da660f19b36462f43c91
SHA512: 21954e66782bc2e66be77dc194a5bbeaabd36c28ad5997b2ceb3823fdb5d3dc299f14c5292cfa7143a75c6aafa86f4b99412062b5a63de15168839d83ef8a3cd

Filesize: 138KB
MD5: de0ece52236cfa3ed2dbfc03f28253a8
SHA1: 84bbd2495c1809fcd19b535d41114e4fb101466c
SHA256: 2fbbec4cacb5161f68d7c2935852a5888945ca0f107cf8a1c01f4528ce407de3
SHA512: 69386134667626c60c99d941c8ab52f8e5235e3897b5af76965572287afd5dcd42b8207a520587844a57a268e4decb3f3c550e5b7a06230ee677dc5e40c50bb3

Filesize: (not listed)
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e