Analysis
- max time kernel: 150s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 31-01-2024 11:13
Static task: static1
Behavioral task: behavioral1
- Sample: 8443322739870ab27a1db14eabc12b55.dll
- Resource: win7-20231215-en
General
- Target: 8443322739870ab27a1db14eabc12b55.dll
- Size: 1.4MB
- MD5: 8443322739870ab27a1db14eabc12b55
- SHA1: 5481baebc9122bcd4c65e1afb7f02547f568f3f9
- SHA256: caebc606f9cc00c645b3cc46aa6f0fc68cf20a2b832175b14965f5777b5981ca
- SHA512: 14f20116050d45e6bd7d91e38f87896c0c60c62b80e932325124835ded394e5984b938b544c434934a73bc4deb983e28723524d3223b376e32c5f2e8958cf925
- SSDEEP: 12288:cVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:pfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
YARA rule match
Processes (resource, yara_rule):
- behavioral1/memory/1208-5-0x0000000002E60000-0x0000000002E61000-memory.dmp matched rule dridex_stager_shellcode
Executes dropped EXE 3 IoCs
Processes (pid, process):
- 2708 mstsc.exe
- 2652 perfmon.exe
- 2568 perfmon.exe
Loads dropped DLL 7 IoCs
Processes (pid, process):
- 1208
- 2708 mstsc.exe
- 1208
- 2652 perfmon.exe
- 1208
- 2568 perfmon.exe
- 1208
Adds Run key to start application 2 TTPs 1 IoCs
Processes (description, ioc, process):
- Set value (str): \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rtxtioiynm = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Libraries\\jB5u\\perfmon.exe"
Checks whether UAC is enabled
Processes (description, ioc, process):
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (rundll32.exe)
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (mstsc.exe)
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (perfmon.exe)
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (perfmon.exe)
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (pid, process):
- 3032 rundll32.exe (3 events)
- 1208 (remaining 61 events; no process name recorded)
Suspicious use of WriteProcessMemory 18 IoCs
Processes (source PID, target PID, target process; each entry recorded 3 times):
- PID 1208 wrote to memory of 2848 (mstsc.exe)
- PID 1208 wrote to memory of 2708 (mstsc.exe)
- PID 1208 wrote to memory of 2608 (perfmon.exe)
- PID 1208 wrote to memory of 2652 (perfmon.exe)
- PID 1208 wrote to memory of 2152 (perfmon.exe)
- PID 1208 wrote to memory of 2568 (perfmon.exe)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\rundll32.exe (PID 3032)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\8443322739870ab27a1db14eabc12b55.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
- C:\Users\Admin\AppData\Local\t7pg\mstsc.exe (PID 2708)
  Command line: C:\Users\Admin\AppData\Local\t7pg\mstsc.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\mstsc.exe (PID 2848)
  Command line: C:\Windows\system32\mstsc.exe
- C:\Users\Admin\AppData\Local\g9CCAoNP\perfmon.exe (PID 2652)
  Command line: C:\Users\Admin\AppData\Local\g9CCAoNP\perfmon.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\perfmon.exe (PID 2608)
  Command line: C:\Windows\system32\perfmon.exe
- C:\Users\Admin\AppData\Local\4nxu94\perfmon.exe (PID 2568)
  Command line: C:\Users\Admin\AppData\Local\4nxu94\perfmon.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\perfmon.exe (PID 2152)
  Command line: C:\Windows\system32\perfmon.exe
Network
MITRE ATT&CK Enterprise v15
Downloads