Analysis
max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7-20231215-en
resource tags
arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted
30-01-2024 08:33
Static task
static1
Behavioral task
behavioral1
Sample
81f8648768d984dad73854085026281b.dll
Resource
win7-20231215-en
General
-
Target
81f8648768d984dad73854085026281b.dll
-
Size
1.7MB
-
MD5
81f8648768d984dad73854085026281b
-
SHA1
46693723c9775aa609b2a4fdb53bb7d383c9adf3
-
SHA256
f5a2a17ec58c0e535e888c046a88eb1703fd65111fff76073fa8b540702f5efa
-
SHA512
0372bb40acb5549ddc542b2899358c10bc50d77acea5cc8de2cc808e859f87bcf5979843ede11723e6aee0b227ee6191e2186f4e5ed70e174723a0242f52f914
-
SSDEEP
12288:MVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:5fP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
-
YARA rule match in process memory
Processes:
resource | yara_rule
behavioral1/memory/1144-5-0x0000000002660000-0x0000000002661000-memory.dmp | dridex_stager_shellcode
Executes dropped EXE 3 IoCs
Processes:
pid | process
2664 | unregmp2.exe
2136 | Netplwiz.exe
768 | notepad.exe
Loads dropped DLL 7 IoCs
Processes:
pid | process
1144 | (no process name recorded)
2664 | unregmp2.exe
1144 | (no process name recorded)
2136 | Netplwiz.exe
1144 | (no process name recorded)
768 | notepad.exe
1144 | (no process name recorded)
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\Bsfvntd = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\ST5EPZ~1\\Netplwiz.exe" | (no process name recorded)
Checks whether UAC is enabled 4 IoCs
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | unregmp2.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Netplwiz.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | notepad.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process | entries
2356 | rundll32.exe | 3
1144 | (no process name recorded) | 61
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
description | pid | process | target process | entries
PID 1144 wrote to memory of 2632 | 1144 | (no process name recorded) | unregmp2.exe | 3
PID 1144 wrote to memory of 2664 | 1144 | (no process name recorded) | unregmp2.exe | 3
PID 1144 wrote to memory of 1692 | 1144 | (no process name recorded) | Netplwiz.exe | 3
PID 1144 wrote to memory of 2136 | 1144 | (no process name recorded) | Netplwiz.exe | 3
PID 1144 wrote to memory of 2128 | 1144 | (no process name recorded) | notepad.exe | 3
PID 1144 wrote to memory of 768 | 1144 | (no process name recorded) | notepad.exe | 3
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\rundll32.exe
Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\81f8648768d984dad73854085026281b.dll,#1
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2356
-
C:\Users\Admin\AppData\Local\649t\unregmp2.exe
Command line: C:\Users\Admin\AppData\Local\649t\unregmp2.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2664
-
C:\Windows\system32\unregmp2.exe
Command line: C:\Windows\system32\unregmp2.exe
PID:2632
-
C:\Users\Admin\AppData\Local\qdv2Wme\Netplwiz.exe
Command line: C:\Users\Admin\AppData\Local\qdv2Wme\Netplwiz.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2136
-
C:\Windows\system32\Netplwiz.exe
Command line: C:\Windows\system32\Netplwiz.exe
PID:1692
-
C:\Windows\system32\notepad.exe
Command line: C:\Windows\system32\notepad.exe
PID:2128
-
C:\Users\Admin\AppData\Local\pfpb\notepad.exe
Command line: C:\Users\Admin\AppData\Local\pfpb\notepad.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:768
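The process tree, the WriteProcessMemory signature and the Run key value above together describe one pattern: copies of Windows binaries (unregmp2.exe, Netplwiz.exe, notepad.exe) launched from randomly named folders under AppData\Local, the same names also started from System32, one unnamed PID (1144) writing into all of them, and a Run value that reaches its target through 8.3 short names. The script below is an added example, not tria.ge code and not part of the report; it re-encodes those records as constructed Python data and applies the checks a responder would run over real process-creation and registry telemetry. Function names, the USER_WRITABLE prefix list and the "two or more distinct targets" threshold are the author's own assumptions.

```python
"""Triage of the behaviour recorded above (added example, not tria.ge code).

Flags what a responder would pull out of this report:
  * images that share a name with a binary seen under a system directory
    but were launched from a user-writable path (the side-loading pattern);
  * rundll32 invocations whose DLL argument sits in a user-writable path;
  * one PID writing into several other processes (WriteProcessMemory);
  * a Run key value pointing into AppData through 8.3 short names.
All records below are constructed from the report; PID 1144 has no image
name recorded there, so it appears only as a write source.
"""
import re
from dataclasses import dataclass

# Assumed prefix lists; extend for the environment being triaged.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("\\appdata\\local\\", "\\appdata\\roaming\\",
                 "\\users\\public\\", "\\programdata\\")
# 8.3 short-name component: up to 6 chars, '~', digits, optional <=3-char extension.
SHORT_NAME = re.compile(r"^[^\\]{1,6}~\d+(\.[^\\]{0,3})?$")


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str
    cmdline: str


# Constructed from the process tree in the report.
PROCESSES = [
    Proc(2356, r"C:\Windows\system32\rundll32.exe",
         r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\81f8648768d984dad73854085026281b.dll,#1"),
    Proc(2664, r"C:\Users\Admin\AppData\Local\649t\unregmp2.exe",
         r"C:\Users\Admin\AppData\Local\649t\unregmp2.exe"),
    Proc(2632, r"C:\Windows\system32\unregmp2.exe", r"C:\Windows\system32\unregmp2.exe"),
    Proc(2136, r"C:\Users\Admin\AppData\Local\qdv2Wme\Netplwiz.exe",
         r"C:\Users\Admin\AppData\Local\qdv2Wme\Netplwiz.exe"),
    Proc(1692, r"C:\Windows\system32\Netplwiz.exe", r"C:\Windows\system32\Netplwiz.exe"),
    Proc(2128, r"C:\Windows\system32\notepad.exe", r"C:\Windows\system32\notepad.exe"),
    Proc(768, r"C:\Users\Admin\AppData\Local\pfpb\notepad.exe",
         r"C:\Users\Admin\AppData\Local\pfpb\notepad.exe"),
]
# (source pid, target pid) pairs from the WriteProcessMemory signature, de-duplicated.
WRITES = [(1144, 2632), (1144, 2664), (1144, 1692), (1144, 2136), (1144, 2128), (1144, 768)]
# Data of the Run value "Bsfvntd" from the persistence signature.
RUN_KEY_VALUE = r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\ST5EPZ~1\Netplwiz.exe"


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def in_user_writable(path):
    return any(d in path.lower() for d in USER_WRITABLE)


def sideload_candidates(procs):
    """PIDs of images that share a name with a binary seen under a system
    directory but were launched from a user-writable directory."""
    system_names = {basename(p.image) for p in procs
                    if p.image.lower().startswith(SYSTEM_DIRS)}
    return [p.pid for p in procs
            if basename(p.image) in system_names and in_user_writable(p.image)]


def rundll32_user_dll(procs):
    """rundll32 invocations whose DLL argument lives in a user-writable directory."""
    hits = []
    for p in procs:
        if basename(p.image) != "rundll32.exe":
            continue
        m = re.search(r"\s(\S+\.dll)", p.cmdline, re.IGNORECASE)
        if m and in_user_writable(m.group(1)):
            hits.append(p.pid)
    return hits


def injection_sources(writes, threshold=2):
    """Source PIDs that wrote into at least `threshold` distinct other processes."""
    targets = {}
    for src, dst in writes:
        if src != dst:
            targets.setdefault(src, set()).add(dst)
    return {s: sorted(t) for s, t in targets.items() if len(t) >= threshold}


def short_name_components(path):
    """Path components written as 8.3 short names (MICROS~1 style)."""
    return [c for c in path.split("\\") if SHORT_NAME.match(c)]


def triage(procs=PROCESSES, writes=WRITES, run_value=RUN_KEY_VALUE):
    findings = [f"sideload-candidate pid={pid}" for pid in sideload_candidates(procs)]
    findings += [f"rundll32-user-dll pid={pid}" for pid in rundll32_user_dll(procs)]
    findings += [f"multi-target-write src={s} targets={t}"
                 for s, t in injection_sources(writes).items()]
    short = short_name_components(run_value)
    if short and in_user_writable(run_value):
        findings.append(f"run-key-appdata-8.3 components={short}")
    return findings


if __name__ == "__main__":
    for line in triage():
        print(line)
```

The side-loading check deliberately keys on a name that also ran from a system directory rather than on a fixed allowlist, since that "legitimate twin" is exactly what this tree shows; on real telemetry the same check can be fed a static list of System32 image names instead. The 8.3 check matters because a Run value written with short names evades naive string matches on "Start Menu" or "Microsoft".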
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
103KB
MD5
7b120bb947cbf784bd16cd92d57637b6
SHA1
bb46b991af6d6d33ffd0f33cff3c45e4308a4ad4
SHA256
8161829f647e4cc5963beebf318d861251544a239fbe3e8e40ecf64700bf265c
SHA512
8295a197cc4af49a5bc5755c54c4c63b49f48c480a93579c12a791075b5e8bf8fc8ed333e7cbe0b3da7aa783dba20bcbac67c3c88d30c4d16384bd1892fcbf53
-
Filesize
264KB
MD5
6642f8ca5fd18b1d07a94bcc4989673e
SHA1
d4edb7d17103cc73a97acf421c0b88bd5e8f2dee
SHA256
d9acce294106703594d67b9e4aacffc6a056837ad4f8d55d554bae871f7fd0c1
SHA512
2ba27ffe89f2eae86c518f5a7110655ef45119fc562703061cf679fab1f099d8aee1a0e18bde25747771da33f88708f6c02c47ea165248099c283c07afd909bf
-
Filesize
204KB
MD5
80b492e86ec74937d83678f1b8578514
SHA1
c4e7a59720b2487b2fa744ccd1a97db51cf836a8
SHA256
b3f5d13477de7e2fa82d9731cb19bcbf16efeb5edc943b8f77b0a26505197f4b
SHA512
6ef8ef6c49c7b7d78d7d8f34c1664228b0c1a7f5abcbc027eb238302b3a12cb2258f2f1f18cecae2b9c821bcc67803596b41cb062e16389db4e59413533730fb
-
Filesize
137KB
MD5
cf83a55891ebf8b7f653b31442fa4ee3
SHA1
4402aaf22d1d51ff6a803f4c339951c79a4010a3
SHA256
6d0fa59bae77c235a792e428934b2fd8bb4cda8c098f1ed32e5e782b74f0b809
SHA512
921ee1eea913682faadeb5bb20f19f0143e9f6c376e7ede53617e27aa0d07f9a8a1af792369342be7d314ab5821177363ff87dfed25cd9e2a065e2b494c900f4
-
Filesize
45KB
MD5
e064e8f90f7712d3b4b4bebcc55fd5fa
SHA1
636643cfec151d4a1a2cad29e240bc097c71d1dc
SHA256
7ec0ac1deacd73b1b72ef302901cac2dbd9baf0f4ad09ace6b5f9d871243afaa
SHA512
ef0283a72be005929dc2317c146881d06c4e65bf782c0861c429d90bb19d43ab83ba6650f2b6299264d450ca1c4ec147dd57fa7ef84c23a0544e8f06a5b21e74
-
Filesize
136KB
MD5
abe9a7b3c54c54cdb3ca799d13164661
SHA1
78dfb869f38b67cd1d5bdb3ddade8aab4d7c7495
SHA256
f50600bb967c845db4311a94ebf69447fffa989fe832e27c89d62a10c4951bf3
SHA512
38cd5f4fa21e93c581490d4414ca3960946ca6281623d4b331866df77badf96c076d9ce00d1b3509550851a6ae5d1598acc34ed2ee461e6b54fadc773b770508
-
Filesize
124KB
MD5
b4a1f6edc0584c645e125df0bb3e6f30
SHA1
0e27108bafe31f678c9baa72f9744c9609b0ebcb
SHA256
ddcb9a06c4a827638fecc7cde5b71e178ae6d02c5833efcabb2b1e450d64fe2d
SHA512
c6879d9df039426391fc5f57601abc91442f33565cc934d67c75f86755d1ad67155b65bf476890cb44aba5f1098c4c8aac22e2af920facf561b7e3edbb430b0d
-
Filesize
26KB
MD5
e43ec3c800d4c0716613392e81fba1d9
SHA1
37de6a235e978ecf3bb0fc2c864016c5b0134348
SHA256
636606415a85a16a7e6c5c8fcbdf35494991bce1c37dfc19c75ecb7ce12dc65c
SHA512
176c6d8b87bc5a9ca06698e2542ff34d474bcbbf21278390127981366eda89769bd9dd712f3b34f4dd8332a0b40ee0e609276400f16b51999471c8ff24522a08
-
Filesize
1.7MB
MD5
6de9df6f4bbd3650ba77b3f0701ce5bb
SHA1
62d623c154886a7dda913a5c7efe0b6677b22f5d
SHA256
d6e26b67b3b1732539ab6d9401f028bc921de95c5cfac09fc2b003f7008aa1e4
SHA512
4a56acdca2fecc6fe6952a199b4e7439d4709c60702e92b9735291583ed4b364e24f40cc3eac133fbcce982b9151bf5cafc40a878d066900afa679756f5b9b04
-
Filesize
1KB
MD5
66c8c8c52b30da23d78f308cc3c301e6
SHA1
ba2ef581e065171ec272d279f39b866ff40d8d52
SHA256
dd75dc0516bf0baa6253dd7333c91a6c51c749525e8d925bf31721ee681575b6
SHA512
fd87eb4e16af84bc731bf9b351f1bd18779ae20ce145c6fa5d3b957c6e142ee3800454b27114c936663808953506ab1039e838887f6a50d35cba4c362a52fb32
-
Filesize
1.7MB
MD5
c119ca2853cb9e67044600f546a9b8e2
SHA1
e24a7a1e6c0498106b05337cfa3a23b44ba9d254
SHA256
e0d829c1e29e5cfd5a8ad4ba1e2bb9256336a3b3a75160bfcc0a783b895be8cb
SHA512
9c586e77097410e4183df37eac51f7ae8855632a9df982ecb97cfe366c35778d3a22a1fc04b8942fd2934fca2d6989412902722b02b814c70613180e2eae824e
-
Filesize
1.7MB
MD5
71169c51a96a7b0b4e57f8713a999410
SHA1
a5b7b7aabb51f2677b9d3d37078ae3d3ef487c1a
SHA256
2cd8479bb75fcfa46c3a64548154b2117cb5732ee79e3f90fa04e3e7d5c46cba
SHA512
8eaf0bd53afbd860689363a36c70e946b5303ebf4895d1e127e8ee7b0acfbf6622efabc7a0fe6d69b353a21c4d62646769d5876622624b1d2e508e1ec18f0bb1
-
Filesize
294KB
MD5
d5f584158410038388fbb548455564ef
SHA1
dee8d6c3dd6e1746969cc9bbd7a4092dbb562403
SHA256
41fc8696605915b2b8840123cf15b368e502e104a31cd693c5f4e806eeaf23fd
SHA512
5f73145ff78d5fe8f332ff3caf9801862fd0d17e897459e68a4562f77abaee0fbd1411d907c80276a65545c675757ae970669e6bbaaf53e77166a4f67b64b0d6
-
Filesize
148KB
MD5
73b8dcf6f14976335e48ed249f735fba
SHA1
e3803187c178b6884350f4320dce0e0139d85997
SHA256
8d3878a8a8e939a90b45537fd0b53def791339c10cd640ae1f30ad2316e59101
SHA512
f18dd9b3526a0f99a56a61acc92adb2f163e0bc1f300d99f92ca139f664b0b256eb6fa51e825262cbf17b49b349203216e0ec6a57e3513db86e06ee50c107e5c
-
Filesize
80KB
MD5
ebe212e32dec3bf17eebdf69d84f90e1
SHA1
14f556ff39766f19c5c32471e523c875f903af50
SHA256
fbe65ab92bbd696a0a7305c91e9668979280a241f871c64f05273201f5b21258
SHA512
dfd4ab90ec13cec5476db3c44f957ce0c274879306461e14fa173716c919ca4490f0edd9231691c79852ea5f824288e42849b5e6f65d2a70c53cdf0ab3e7ee38
-
Filesize
63KB
MD5
a15971d8730726ad343be8c1ab50177b
SHA1
fb3ec53cf8499248867dd00334801ebdee24c384
SHA256
67ccce9703deaca0224332446c177490597087b0b8574151c8e44e8f6543f4cb
SHA512
50dfacfc09bd423d992e8f8fb8d3623d06aa235336fbdfc453c12c41d79c3f616dc159588ade92c35f70d79b140f973e8f805c36652eff990566c07f7004298e
-
Filesize
78KB
MD5
c2149487d107939f3ec727a30e65453a
SHA1
ff18531f490ff46f827c79ee4cd7ed50e983cb1e
SHA256
b5ae9c8aae1f944a6c850989a4efa4c1abc4b35edbf8c67e6fe6ccad8231ab33
SHA512
0ba425be01561af9e2905894604c62b82bdb9449b93fc214b3db4b394633b5facf9e4222dd21c1b80cd571db2ff33f653dd9b5ac0c965ae547cde19ffc65513c
-
Filesize
64KB
MD5
bdd930432e0329985fd6fdfcccecf9af
SHA1
e027abea767a76a581a7ef678de5c6014b13812e
SHA256
3f42c0d9a9e832beff2b2ae8eedcc7c93a6f626dd63fc21cbe2bbdc33469430d
SHA512
83e4bac65b88c75b631dbbe0006593666b8d0aa2be96be23de0ba17d939213858dc17ba10bed01972954d4542a10ce8b8717aa940012be430e9e1cb66b6fa92a