Analysis

- Max time kernel: 150s
- Max time network: 117s
- Platform: windows7_x64
- Resource: win7-20231215-en
- Resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- Submitted: 31-01-2024 04:39

Static task: static1
Behavioral task: behavioral1
Sample: 837792f925aca842eba981ebc7aff9a1.dll
Resource: win7-20231215-en
General

- Target: 837792f925aca842eba981ebc7aff9a1.dll
- Size: 2.2MB
- MD5: 837792f925aca842eba981ebc7aff9a1
- SHA1: 527e5a2d67f6422ae44a5276ae6cf67f7e597823
- SHA256: 3806ec3c6ae591fb47c6b48f5dbfaf45d7500d6efb12c07311ecdc5e9c9d514d
- SHA512: a4b0865d290225b514fd4b711ae83d5f659b19edf1fd2409920054ef706eb580e2d2a816ba34ceaa5778d1c43bce7149575b736e8828de9c942906800512c90f
- SSDEEP: 12288:eVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:DfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures

YARA match: dridex_stager_shellcode
  resource: behavioral1/memory/1192-5-0x00000000025F0000-0x00000000025F1000-memory.dmp
  yara_rule: dridex_stager_shellcode

Executes dropped EXE (3 IoCs)
  pid   process
  2016  rdrleakdiag.exe
  3064  rstrui.exe
  1964  RDVGHelper.exe

Loads dropped DLL (7 IoCs)
  pid   process
  1192  (process name not recorded)
  2016  rdrleakdiag.exe
  1192  (process name not recorded)
  3064  rstrui.exe
  1192  (process name not recorded)
  1964  RDVGHelper.exe
  1192  (process name not recorded)

Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\Bsfvntd = "C:\Users\Admin\AppData\Roaming\Identities\{4C0CEA03-C988-4067-9D42-5D4466084111}\rgxk6\rstrui.exe"
  process: (not recorded)

Checks whether UAC is enabled
  description        ioc                                                                                     process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  RDVGHelper.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rdrleakdiag.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rstrui.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   process
  2356  regsvr32.exe                 (3 entries)
  1192  (process name not recorded)  (remaining 61 entries)

Suspicious use of WriteProcessMemory (18 IoCs)
  description                        pid   target process
  PID 1192 wrote to memory of 2672   1192  rdrleakdiag.exe  (3 entries)
  PID 1192 wrote to memory of 2016   1192  rdrleakdiag.exe  (3 entries)
  PID 1192 wrote to memory of 3068   1192  rstrui.exe       (3 entries)
  PID 1192 wrote to memory of 3064   1192  rstrui.exe       (3 entries)
  PID 1192 wrote to memory of 1324   1192  RDVGHelper.exe   (3 entries)
  PID 1192 wrote to memory of 1964   1192  RDVGHelper.exe   (3 entries)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

- C:\Windows\system32\regsvr32.exe
  Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\837792f925aca842eba981ebc7aff9a1.dll
  PID: 2356
  Signatures: Suspicious behavior: EnumeratesProcesses

- C:\Users\Admin\AppData\Local\yPjURgvo6\rdrleakdiag.exe
  Command line: C:\Users\Admin\AppData\Local\yPjURgvo6\rdrleakdiag.exe
  PID: 2016
  Signatures: Executes dropped EXE; Loads dropped DLL; Checks whether UAC is enabled

- C:\Windows\system32\rdrleakdiag.exe
  Command line: C:\Windows\system32\rdrleakdiag.exe
  PID: 2672

- C:\Windows\system32\rstrui.exe
  Command line: C:\Windows\system32\rstrui.exe
  PID: 3068

- C:\Users\Admin\AppData\Local\8a8gkC\rstrui.exe
  Command line: C:\Users\Admin\AppData\Local\8a8gkC\rstrui.exe
  PID: 3064
  Signatures: Executes dropped EXE; Loads dropped DLL; Checks whether UAC is enabled

- C:\Windows\system32\RDVGHelper.exe
  Command line: C:\Windows\system32\RDVGHelper.exe
  PID: 1324

- C:\Users\Admin\AppData\Local\dfCDb\RDVGHelper.exe
  Command line: C:\Users\Admin\AppData\Local\dfCDb\RDVGHelper.exe
  PID: 1964
  Signatures: Executes dropped EXE; Loads dropped DLL; Checks whether UAC is enabled
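The process tree above shows three Windows system binaries (rdrleakdiag.exe, rstrui.exe, RDVGHelper.exe) each started once from C:\Windows\system32 and once from a randomly named folder under C:\Users\Admin\AppData\Local, where the copy "Executes dropped EXE" and "Loads dropped DLL"; the Run key signature points a fourth copy of rstrui.exe under AppData\Roaming. Reading that as staged copies of signed binaries that pick up a malicious DLL from their own directory is an inference from the report, not something it states. The hunting script below is an added example, not part of the sandbox report or of any vendor tool: it runs three checks over process-creation and registry-set telemetry (a system-binary file name executing from a user-writable path, regsvr32 registering a DLL from a user directory, and a Run key whose target lives under AppData). The sample events are constructed from the paths and PIDs in this report; PIDs 4100 and 4200 and the "Agent" Run value are made-up benign entries that must not fire.

```python
"""Hunting logic for the behaviours in the report above: system binaries run
from user-writable paths, regsvr32 loading a DLL from a user directory, and a
Run key pointing into AppData. Added example; events are constructed."""
import ntpath
import re
from dataclasses import dataclass
from typing import Iterable, List

# A standard user can write here. Legitimate per-user installs also live
# here, so a hit is a lead to triage rather than a verdict.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\appdata\\(?:local|locallow|roaming)\\", re.I)
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)
TOKEN = re.compile(r'"[^"]*"|\S+')   # command-line tokens, quoted paths kept whole


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    image: str          # full path of the executing image
    command_line: str


@dataclass(frozen=True)
class RegistrySetEvent:
    key: str            # full key path including the value name
    data: str           # value data as written


def system_binary_names(events: Iterable[ProcessEvent]) -> set:
    """File names seen executing from a Windows system directory: the
    baseline for 'this name belongs in system32'."""
    return {ntpath.basename(ev.image).lower() for ev in events
            if ev.image.lower().startswith(SYSTEM_DIRS)}


def relocated_system_binaries(events, extra_known=()) -> List[ProcessEvent]:
    """Processes whose file name is a known system binary but whose image sits
    under a user-writable directory. extra_known supplies names when the
    telemetry contains no system32 execution to learn the baseline from."""
    known = system_binary_names(events) | {n.lower() for n in extra_known}
    return [ev for ev in events
            if ntpath.basename(ev.image).lower() in known
            and USER_WRITABLE.match(ev.image)]


def regsvr32_user_dll(events) -> List[ProcessEvent]:
    """regsvr32 registering a DLL that lives under a user-writable path."""
    hits = []
    for ev in events:
        if ntpath.basename(ev.image).lower() != "regsvr32.exe":
            continue
        for tok in TOKEN.findall(ev.command_line):
            path = tok.strip('"')
            if path.lower().endswith(".dll") and USER_WRITABLE.match(path):
                hits.append(ev)
                break
    return hits


def appdata_run_keys(reg_events) -> List[RegistrySetEvent]:
    """Run-key values whose target executable is under AppData."""
    return [ev for ev in reg_events
            if RUN_KEY.search(ev.key) and USER_WRITABLE.match(ev.data.strip('"'))]


# Constructed telemetry mirroring the process tree and Run key in this report.
# PIDs 4100 and 4200 and the "Agent" Run value are made-up benign entries.
SAMPLE_PROCESSES = [
    ProcessEvent(2356, r"C:\Windows\system32\regsvr32.exe",
                 r"regsvr32 /s C:\Users\Admin\AppData\Local\Temp\837792f925aca842eba981ebc7aff9a1.dll"),
    ProcessEvent(2672, r"C:\Windows\system32\rdrleakdiag.exe", r"C:\Windows\system32\rdrleakdiag.exe"),
    ProcessEvent(2016, r"C:\Users\Admin\AppData\Local\yPjURgvo6\rdrleakdiag.exe",
                 r"C:\Users\Admin\AppData\Local\yPjURgvo6\rdrleakdiag.exe"),
    ProcessEvent(3068, r"C:\Windows\system32\rstrui.exe", r"C:\Windows\system32\rstrui.exe"),
    ProcessEvent(3064, r"C:\Users\Admin\AppData\Local\8a8gkC\rstrui.exe",
                 r"C:\Users\Admin\AppData\Local\8a8gkC\rstrui.exe"),
    ProcessEvent(1324, r"C:\Windows\system32\RDVGHelper.exe", r"C:\Windows\system32\RDVGHelper.exe"),
    ProcessEvent(1964, r"C:\Users\Admin\AppData\Local\dfCDb\RDVGHelper.exe",
                 r"C:\Users\Admin\AppData\Local\dfCDb\RDVGHelper.exe"),
    ProcessEvent(4100, r"C:\Users\Admin\AppData\Local\Programs\Editor\editor.exe", "editor.exe"),
    ProcessEvent(4200, r"C:\Windows\system32\notepad.exe", "notepad.exe"),
]
SAMPLE_REGISTRY = [
    RegistrySetEvent(
        r"\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\Bsfvntd",
        r'"C:\Users\Admin\AppData\Roaming\Identities\{4C0CEA03-C988-4067-9D42-5D4466084111}\rgxk6\rstrui.exe"'),
    RegistrySetEvent(
        r"\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\Agent",
        r'"C:\Program Files\Example\agent.exe"'),
]


def triage(processes, reg_events) -> dict:
    """Run all three checks and return the offending PIDs and Run value names."""
    return {
        "relocated_system_binaries": sorted(ev.pid for ev in relocated_system_binaries(processes)),
        "regsvr32_user_dll": sorted(ev.pid for ev in regsvr32_user_dll(processes)),
        "appdata_run_keys": [ev.key.rsplit("\\", 1)[1] for ev in appdata_run_keys(reg_events)],
    }


if __name__ == "__main__":
    print(triage(SAMPLE_PROCESSES, SAMPLE_REGISTRY))
```

On the constructed sample the script flags PIDs 2016, 3064 and 1964 (the AppData copies), PID 2356 (regsvr32 loading the DLL from Temp) and the Bsfvntd Run value, and stays quiet on the two benign entries. The baseline for "this name belongs in system32" is learned from the same telemetry, which works here because the loader also ran the real binaries from system32; on a host where it did not, pass the names through extra_known, and expect some legitimate per-user software under AppData to trip the Run-key check.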
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 77KB
  MD5: 42d899924a17323b75cda36df53d4dfc
  SHA1: a06a41885a9a5b5307a4e3ea4ee78e0832bf5582
  SHA256: 4d49673083ef17dcc4fdaa0b640e46fa88146e66a83b4b3446a4f36be32e93ab
  SHA512: e51c7252131618a84932dda59a69e62cc2b81fb749a94003cc847976bcb4a29175635e311e48fae6d2d9babae3fb7763fafc17ea2bedf85213bb235407342715

- Filesize: 39KB
  MD5: 88eb800b34f2965fb1df4cb085f2da45
  SHA1: c067887129f61141843ac71e3737bd013b3956d6
  SHA256: 5dc34600ea837e257e8ea75ade466b6258fa2c408768edee83fa588ed4770f5e
  SHA512: cc889953b6d9a038891a95679585dd4be1ff9d293a6a540eb77281eb3c07165d45c6ff30893fd5020a955862785c2c2c812f2c2b6f3290540807e0952606d572

- Filesize: 89KB
  MD5: 1c1c92ef23e19b28f74e05ca617c83d2
  SHA1: ff03ffef96bb5bf7b84a9cc4bceea19e7b3dcca3
  SHA256: 2f34c4041e2e2a9573fbf8b5295475a79361421bc0bcf1454d73df975fd6dc35
  SHA512: 1bfc5f3c6698ebaa55ccf1a0db7f3c07bcef39f9296f8e57c0b6893195593c605a597a46b1d325674650394265ebd5aa20ce30bc49205d866d090cd18ecf9fbe

- Filesize: 86KB
  MD5: 8c88510b28fe119238eef0a004ec439a
  SHA1: 2f32df5e48de99babd13c83be9e5a56c13917268
  SHA256: eee46a51c223a0d3b82662e1260d196a55160d6895166f541e9348554c8198db
  SHA512: 4fb3e4b23e6c4ce61e26014f4c2f66dbee345ab7db9959bd4b75eb717bea59b85940c775a3e4aeb8a571437fbd0fdfc551927597977a9b25446bd2eeb5b0cd50

- Filesize: 261KB
  MD5: 006181c98ffbc7ed2d934bf50261d91b
  SHA1: e7d2acbca480a9fb47e077dc61a9fc00a4d70331
  SHA256: 36aca031bdc1e1788a9cd83f3ea5ec4701e030ce362e036fe2f62c259d4944ca
  SHA512: ffe8dfab5a449fc926bb503c6c44bc7abb73567cc6903f032d872d7a7967bb01fd021173473b99b2fa41dd138fe0895a9ff06f7a72476f1967c4178f9fb8e36d

- Filesize: 39KB
  MD5: 5e058566af53848541fa23fba4bb5b81
  SHA1: 769ce3bfc45e4d56ed01dbeeeca7be22f9b9eed6
  SHA256: ae83b050fa722da7e4b19fc3d534f0126b1ec055643bb1f267b85b55160f4409
  SHA512: 352029cf0af7583a4c525cfd1da7467446bac410a885b2768d8052f39577ccce85b21d5bd946be6bf8341e7308c8e4f645e4d79232b93aaf6a92d6cd55f598d0

- Filesize: 295KB
  MD5: 2686c9396a088eea4b32aa99962b1e1b
  SHA1: 638c3b7ed5684850f4addb2135de6b1a0a463b89
  SHA256: cf2ae1d19d6aba263670301bba650a3388293a946e9a58bc147383d5cdfdac44
  SHA512: 5125607cfa4672218964ba9662b3d11c929aafca92b3187e058eeaf06ff619aefa414132ebd8e6f496f808f855fdb05853df1129bfd93ee59ebf7a898beb00a1

- Filesize: 2.2MB
  MD5: 8f1a0a7921b468e13a5dca68f85853d3
  SHA1: ca217f92ea3e19997da953b1cedc110b708e8b6e
  SHA256: 39cc768724dd38096e1d32dc01d138df6dfecbb017c2f24089a478191a6f1232
  SHA512: 803a031d984200e06683f76bbf374365561d085685b2f527ea13e12640a48ba17b9e2eb6e0aa5690ab3cf929bab8e264a9c2ac48ae2da006871fa2332b5b344e

- Filesize: 2.2MB
  MD5: 31b8815efeae55cd850c1016d46c2b03
  SHA1: bc81712cab24ac15cabc5a185deb1e93dbcc2cf3
  SHA256: 7daa06831fc98560f8945f156c49652be554b9caf1861693560d255ad87e9503
  SHA512: 97148967cfc57d686affc5511a8764f30fe7ba904f665322fe79a7e60564696f12562ff5acd7ec7d80eec6e3a5b60a31e9af6eed5b1871df9397a17bfb642ac7

- Filesize: 1KB
  MD5: ef3f2daa69b28e0b0899db4634cde7b6
  SHA1: f36d2d417a463e60dbfab41c7e79717fbe185b06
  SHA256: 7a00961f23a759984f1a9fee4392381ab5ae54fe055dd568e3348026113069ca
  SHA512: 4ef8eedbea537f0b41b04eaf45c106be915a5398ddd93dcc5c05703e91cc492ea47065a7ecc5878200470e4b2b7166b47a82f10ed954d2a4d5b59ad1cbda95fc

- Filesize: 56KB
  MD5: 5b5434ab98c4f17f0b2dfdb09bbc91aa
  SHA1: a117d43262a7bb84c96de5fc2bc91b2b41f3052e
  SHA256: 7bead478f9498447c09499abf4efaa8f66db1a51ab92c5a9d2bed7640b045e06
  SHA512: 9c6af6232df433ca023d8c82355fbb3689d6c0970ec53073ee3a7d85dd6bf31ed5e7f4a2403a94b3676ea0bb10d94b40df36221170fdd8af6147ddf420c9fb91

- Filesize: 2.2MB
  MD5: 1f26c5135ed449ef1af1a05b8a9999e4
  SHA1: 4de81a0cb9ff22195aecfd700eb45383398c4dcc
  SHA256: e5aec39fa5f0ec235db7c635ffe40aabf0655232fbbf9f3717969bba7b364fbd
  SHA512: 02f7f0aa9d77a9877eb4950b99973310c25ed158736115520fe80f5876cb2c0a8ec9184a03ce18fe534555b82d47486385d19f9dfe0f63561ea4e466e69c9ad2

- Filesize: 96KB
  MD5: 9e561f93c460125756daa7c9deb8c9e7
  SHA1: d5d011008ce9da528b916743de29fb773cbc146f
  SHA256: d278861ba638523ef5e56cf3737d16fc930ce920f439ca8ca81143667629433f
  SHA512: 6e8324203c5a816e4131b3f1421ea8e1626ac510c7ce772eeda01e7122b4fa7d555cbe8658c10e63b1cb65660e9f8cb6541c9b91e4bd7480de70c1b71a2dd68f

- Filesize: 118KB
  MD5: a16075a2e705d64dd3d545f6d0551a59
  SHA1: ee4783e097bd1a2514655641deddcd175d444504
  SHA256: 1eac6f17f0e2390869e3ab3497b8263b58b8f3ad1ec473fd1a6b9d18a860b0ef
  SHA512: b1a8a75bc280bd38446aa2605c0a0272d05bb0e7c22523b36cefae00cca98bc22ba01366217900c0b8f8b4dcb9bceb09f71064707a3eac892b02d0b1556e807d

- Filesize: 93KB
  MD5: 53fda4af81e7c4895357a50e848b7cfe
  SHA1: 01fb2d0210f1c47aaf684e31a9fb78f89bba9c0f
  SHA256: 62ab8c2c5b5bd84fd07e96b6a3b87a4ea56946107ed9b7f8076580ae1fefd038
  SHA512: dbbda90a57d27160c5a3a5e4e94cfc43b1663fcbfe424fdec851e52356f61492bdcf677c46be8aa4e8ccc8be7c389b6aa7bbbce8447e1fae32f03e5e409f4051

- Filesize: 5KB
  MD5: 488228ac5bdc124ad457ae32bf412f5b
  SHA1: 36feb33fb14cb1a47369d289050275b3ef2ed234
  SHA256: bfcfc9953d1026bd1d7930601e98786039318f6050596b3e225a114c9daf79a3
  SHA512: a404903074de56bc40b25ef296f15e3b49726632c4cda1f6db9b07abfaf88f40c03e22e81a2a7696b71b467cf7773f3372d2a9b8217a47c24efe89df06ca6db5

- Filesize: 41KB
  MD5: 55b0050601f5e48c71ef3ccc9000d7e4
  SHA1: 7d468eb2a47ef93550512e4aee6886fa85bd8132
  SHA256: 263c52c98c6e717607226bfb14339a21fd59c516b93d0a26c8add64c99302c4d
  SHA512: bb95138798343abefa6d6deb0403b7e6079f705a91b443828ab6857c31c631afb6d0d32a231e923960f6d19055bd84947fd104eed5e91239e47b2c48427a3243