Analysis
max time kernel: 150s
max time network: 122s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 31-01-2024 12:18
Static task: static1
Behavioral task: behavioral1
Sample: 846540a9573e476e30b92db75daf0040.dll
Resource: win7-20231215-en
General
Target: 846540a9573e476e30b92db75daf0040.dll
Size: 1.7MB
MD5: 846540a9573e476e30b92db75daf0040
SHA1: 855922518de0270d786c73a8fff57122dcd0c91b
SHA256: 5e53ece48ca9fe32af72a2718f10fe2dd25db88a393f7011a3805115f6b6bd46
SHA512: 697f7c5a25e285d8d308d94e7172851083ea0e51a791ff9838c5999c560667a2850d3912593e3c94ec4eef256577487b008a5aef5448d56d1c437d4cd4e4646c
SSDEEP: 12288:zVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1a1:ifP7fWsK5z9A+WGAW+V5SB6Ct4bnba1
Malware Config
Signatures
-
Dridex stager shellcode detected in memory (YARA)
resource: behavioral1/memory/1264-5-0x0000000002B30000-0x0000000002B31000-memory.dmp
yara_rule: dridex_stager_shellcode
Note: the hit is in the memory of PID 1264, the process that below spawns the dropped executables and writes into them; that process is not itself listed in the process tree.
-
Executes dropped EXE (3 IoCs)
pid   process
2284  OptionalFeatures.exe
2928  dpapimig.exe
1892  ComputerDefaults.exe
-
Loads dropped DLL (7 IoCs)
pid   process
1264  (not named in the report)
2284  OptionalFeatures.exe
1264  (not named in the report)
2928  dpapimig.exe
1264  (not named in the report)
1892  ComputerDefaults.exe
1264  (not named in the report)
Note: each dropped EXE carries the name of a binary that ships in C:\Windows\system32, runs from a randomly named folder under AppData\Local, and is flagged for loading a dropped DLL. That is consistent with DLL side-loading (search-order hijacking): a legitimate executable copied next to a malicious DLL it imports, so the malicious code runs under a trusted file name.
-
Adds Run key to start application (2 TTPs, 1 IoC)
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\Niubkzso = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\ZRUA9L~1\\dpapimig.exe"
process: not recorded
Note: the value is written with 8.3 short names (MICROS~1 = Microsoft, STARTM~1 = Start Menu) and points at a copy of dpapimig.exe under the user's roaming Start Menu folder, not at C:\Windows\system32\dpapimig.exe.
-
Checks whether UAC is enabled
description: Key value queried
ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
processes: ComputerDefaults.exe, rundll32.exe, OptionalFeatures.exe, dpapimig.exe
-
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid   process                     count
2276  rundll32.exe                3
1264  (not named in the report)   61
-
Suspicious use of WriteProcessMemory (18 IoCs)
source pid  target pid  target process                                  count
1264        2632        OptionalFeatures.exe (C:\Windows\system32)      3
1264        2284        OptionalFeatures.exe (AppData\Local\SnNx)       3
1264        2896        dpapimig.exe (C:\Windows\system32)              3
1264        2928        dpapimig.exe (AppData\Local\j4pH)               3
1264        1632        ComputerDefaults.exe (C:\Windows\system32)      3
1264        1892        ComputerDefaults.exe (AppData\Local\Q3TKK)      3
Note: PID 1264 writes into both the System32 instance and the AppData copy of each binary. The target paths are taken from the process tree below; the signature itself records only process names and PIDs.
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\rundll32.exe
command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\846540a9573e476e30b92db75daf0040.dll,#1
PID: 2276
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\OptionalFeatures.exe
command line: C:\Windows\system32\OptionalFeatures.exe
PID: 2632
-
C:\Users\Admin\AppData\Local\SnNx\OptionalFeatures.exe
command line: C:\Users\Admin\AppData\Local\SnNx\OptionalFeatures.exe
PID: 2284
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
-
C:\Windows\system32\dpapimig.exe
command line: C:\Windows\system32\dpapimig.exe
PID: 2896
-
C:\Users\Admin\AppData\Local\j4pH\dpapimig.exe
command line: C:\Users\Admin\AppData\Local\j4pH\dpapimig.exe
PID: 2928
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
-
C:\Windows\system32\ComputerDefaults.exe
command line: C:\Windows\system32\ComputerDefaults.exe
PID: 1632
-
C:\Users\Admin\AppData\Local\Q3TKK\ComputerDefaults.exe
command line: C:\Users\Admin\AppData\Local\Q3TKK\ComputerDefaults.exe
PID: 1892
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
Note: the sample is invoked through rundll32 by ordinal export #1 rather than a named export. All six processes are shown at the top level of the tree; the process that spawned the AppData\Local copies and wrote into them (PID 1264, see WriteProcessMemory above) is not listed, so the parent of each copy cannot be read off this report.
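Detection logic for the three behaviours this report exposes (a System32-named binary executed from a user-writable folder, rundll32 loading a DLL by ordinal from a user-writable folder, and a Run key pointing into the user profile with 8.3 short names), run over Sysmon-style process-creation (EventID 1) and registry-set (EventID 13) records. This is an added example, not part of the sandbox report; the event field names, the three-entry System32 list and the sample events are assumptions, with the sample events constructed from the process tree and Run-key IoC above.

```python
import re

# Binaries that legitimately live in C:\Windows\System32. Only the three this
# report shows being copied into AppData\Local are listed; a real deployment
# would load the full System32 listing from a known-good image (assumption).
SYSTEM32_BINARIES = {"optionalfeatures.exe", "dpapimig.exe", "computerdefaults.exe"}

# Locations an unprivileged user can write to.
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\", re.IGNORECASE)
# rundll32 given a DLL path plus an ordinal export, as in ",#1" in the report.
RUNDLL32_ORDINAL = re.compile(
    r"rundll32(?:\.exe)?\s+(?P<dll>[^,\s]+\.dll),#(?P<ordinal>\d+)", re.IGNORECASE)
# 8.3 short-name components such as MICROS~1 or ZRUA9L~1.
SHORT_NAME = re.compile(r"~\d+(?=\\|$)")
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(?:once)?\\",
                     re.IGNORECASE)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def check_process_create(event: dict) -> list[str]:
    """Sysmon EventID 1 style record with Image and CommandLine fields (assumed names)."""
    findings = []
    image = event.get("Image", "")
    if _basename(image) in SYSTEM32_BINARIES and USER_WRITABLE.match(image):
        findings.append(f"System32 binary executed from user-writable path: {image}")
    m = RUNDLL32_ORDINAL.search(event.get("CommandLine", ""))
    if m and USER_WRITABLE.match(m.group("dll")):
        findings.append(f"rundll32 loads {m.group('dll')} by ordinal #{m.group('ordinal')} "
                        "from a user-writable path")
    return findings


def check_registry_set(event: dict) -> list[str]:
    """Sysmon EventID 13 style record with TargetObject and Details fields (assumed names)."""
    findings = []
    target = event.get("TargetObject", "")
    # Sandbox reports render the value with doubled backslashes; normalise either form.
    value = event.get("Details", "").strip().strip('"').replace("\\\\", "\\")
    if RUN_KEY.search(target):
        if USER_WRITABLE.match(value):
            findings.append(f"Run key {_basename(target)} points into a user-writable path: {value}")
        if SHORT_NAME.search(value):
            findings.append(f"Run key {_basename(target)} uses 8.3 short names: {value}")
    return findings


def scan(events: list[dict]) -> list[tuple]:
    """Return (ProcessId, finding) pairs for every event that trips a check."""
    hits = []
    for ev in events:
        if ev.get("EventID") == 1:
            findings = check_process_create(ev)
        elif ev.get("EventID") == 13:
            findings = check_registry_set(ev)
        else:
            findings = []
        hits.extend((ev.get("ProcessId"), f) for f in findings)
    return hits


# Constructed events modelled on the report's process tree and Run-key IoC.
# The report does not record which process set the Run key, hence ProcessId None.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 2276, "Image": r"C:\Windows\system32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\846540a9573e476e30b92db75daf0040.dll,#1"},
    {"EventID": 1, "ProcessId": 2632, "Image": r"C:\Windows\system32\OptionalFeatures.exe",
     "CommandLine": r"C:\Windows\system32\OptionalFeatures.exe"},
    {"EventID": 1, "ProcessId": 2284, "Image": r"C:\Users\Admin\AppData\Local\SnNx\OptionalFeatures.exe",
     "CommandLine": r"C:\Users\Admin\AppData\Local\SnNx\OptionalFeatures.exe"},
    {"EventID": 1, "ProcessId": 2928, "Image": r"C:\Users\Admin\AppData\Local\j4pH\dpapimig.exe",
     "CommandLine": r"C:\Users\Admin\AppData\Local\j4pH\dpapimig.exe"},
    {"EventID": 1, "ProcessId": 1892, "Image": r"C:\Users\Admin\AppData\Local\Q3TKK\ComputerDefaults.exe",
     "CommandLine": r"C:\Users\Admin\AppData\Local\Q3TKK\ComputerDefaults.exe"},
    {"EventID": 13, "ProcessId": None,
     "TargetObject": r"HKU\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\Niubkzso",
     "Details": r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\ZRUA9L~1\dpapimig.exe"},
]

if __name__ == "__main__":
    for pid, finding in scan(SAMPLE_EVENTS):
        print(f"PID {pid}: {finding}")
```

The System32 instance of OptionalFeatures.exe (PID 2632) produces no finding, while each AppData\Local copy does; the rundll32 check keys on the ordinal form because the report shows the loader called as `,#1`, and the Run-key check fires twice on the single IoC (user-writable target and short-name path). Against real telemetry the System32 list should be the full directory from a golden image, otherwise a copy of any other system binary slips through.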
Network
MITRE ATT&CK Enterprise v15
Downloads
The report does not map these files to paths, so this page alone does not show which of them are the relocated system executables and which are the dropped DLLs.
-
Filesize: 1.7MB
MD5: 66c4f866c690b0d8e7bf1f390b944c59
SHA1: ef3de43bf564848284cb41c82792a84e6d699a3a
SHA256: 28a7170a5d0713a6dbbdb57a7a227fa088ed0b340c1a7280985abb5cf9761e70
SHA512: a1c5837f674f433200d3a3efeafa6cbe4d0904806d9c490dc001269a68bcc510b4136e4542db8d3e1969d6d306c3cff1b01bef266f50346c836d1ccad8d55ad0
-
Filesize: 1.9MB
MD5: abe5488c01911486ad2c880deb2b66dd
SHA1: 7af9bf3dcf64ee9bc2075e9d6d4d48ac0c9b7a81
SHA256: c340749fcd47303b505182242ed19ab75cf88b78be0e31f6b7a56a3cab96f2ac
SHA512: 627387a9139bccd5d3c331304a76d6f34c7e4a7610ea00b735d279ecd0a0d202e8ef7db3bb24c7dc617dab59a26dc0663f0ccde831f3170cd2b0bc46ee6a346d
-
Filesize: 1KB
MD5: dfc9477ea536c88ea49ed88b0bee20b3
SHA1: ad9f1048221127e3ccbc97cfdf5b7fbf9127242b
SHA256: 83004035e192db7c9cb430b85b0a792b910c5ff6c46ca2777d5cf47d4f7a1020
SHA512: 09a04cad5f140c7533bfcb94145c9fc4ae539bb4909a215fd8c6b9a97a6fd1dcbd5ebac18457463fe5698fd90777f5c6aed2bf6678df11e007e96c3a4b4473ee
-
Filesize: 36KB
MD5: 86bd981f55341273753ac42ea200a81e
SHA1: 14fe410efc9aeb0a905b984ac27719ff0dd10ea7
SHA256: 40b194be2bad2d3d4d1b69f9aec2853c8b663130810a11607ff72a9e3a06d5b3
SHA512: 49bb6d4bf7a9356fadde7f6165af6973630827d28b69db10ad477a84d98b08fb82e4daae777166e1ddddb5b5efcdf634e4e9bd34b255dae87462ba32e8bba143
-
Filesize: 95KB
MD5: eae7af6084667c8f05412ddf096167fc
SHA1: 0dbe8aba001447030e48e8ad5466fd23481e6140
SHA256: 01feebd3aca961f31ba4eac45347b105d1c5772627b08f5538047721b61ff9bc
SHA512: 172a8accaa35a6c9f86713a330c5899dfeeffe3b43413a3d276fc16d45cd62ed9237aa6bff29cc60a2022fba8dcc156959723c041df4b7463436a3bdabef2a9d
-
Filesize: 1.7MB
MD5: 07f53023b27901d3a18416a0ad6b6e72
SHA1: 27d4754466dbe35db844cafd282fe0b6e31d8d28
SHA256: 62b6299bfd292b82da10ff0687417c15de0bd3bc2b3ba8bb084f9fefec565a52
SHA512: 9dffc20ba2744596022f21773f7b2bfef695c9c2201a18c0cdff51fcb2e45664a8b54904ff0bb88e37750977cf3608dd4c310f17e776c0ed4713e27ee7779053
-
Filesize: 73KB
MD5: 0e8b8abea4e23ddc9a70614f3f651303
SHA1: 6d332ba4e7a78039f75b211845514ab35ab467b2
SHA256: 66fc6b68e54b8840a38b4de980cc22aed21009afc1494a9cc68e892329f076a1
SHA512: 4feded78f9b953472266693e0943030d00f82a5cc8559df60ae0479de281164155e19687afc67cba74d04bb9ad092f5c7732f2d2f9b06274ca2ae87dc2d4a6dc