Analysis
max time kernel: 150s
max time network: 124s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 01-02-2024 23:34
Static task: static1
Behavioral task: behavioral1
Sample: 87f4ff988b3efc9a3e0d996f68db1be0.dll
Resource: win7-20231215-en
General
Target: 87f4ff988b3efc9a3e0d996f68db1be0.dll
Size: 2.0MB
MD5: 87f4ff988b3efc9a3e0d996f68db1be0
SHA1: 89c3b7a72d3dab1fbf000ec432f9e4bdf8169c67
SHA256: a7f598f265286347b55802674110210e08986dad0a49bdd83caf30ee6d6085f0
SHA512: 7487d405c81a5a1fb200ffd92223569f782168a092fb09d318e55ba76faece7a8edfbaf97f727f9bff7c92f695a69f33b78d77e66a989e51071d9641669292c0
SSDEEP: 12288:kVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1dP4bL:BfP7fWsK5z9A+WGAW+V5SB6Ct4bnbc
Malware Config
Signatures
-
Processes:
resource | yara_rule
behavioral1/memory/1204-5-0x00000000029C0000-0x00000000029C1000-memory.dmp | dridex_stager_shellcode
-
Executes dropped EXE 3 IoCs
Processes:
pid | process
832 | shrpubw.exe
3020 | ddodiag.exe
292 | unregmp2.exe
-
Loads dropped DLL 7 IoCs
Processes:
pid | process
1204 | (process name not recorded)
832 | shrpubw.exe
1204 | (process name not recorded)
3020 | ddodiag.exe
1204 | (process name not recorded)
292 | unregmp2.exe
1204 | (process name not recorded)
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\Pfoxtyecp = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\PRINTE~1\\UWEFXB~1\\ddodiag.exe" | (process name not recorded)
-
Checks whether UAC is enabled
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | unregmp2.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | shrpubw.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | ddodiag.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process
2532 | rundll32.exe (3 entries)
1204 | (process name not recorded; repeated for all remaining entries)
-
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
description | pid | target process
PID 1204 wrote to memory of 2276 | 1204 | shrpubw.exe (3 entries)
PID 1204 wrote to memory of 832 | 1204 | shrpubw.exe (3 entries)
PID 1204 wrote to memory of 2964 | 1204 | ddodiag.exe (3 entries)
PID 1204 wrote to memory of 3020 | 1204 | ddodiag.exe (3 entries)
PID 1204 wrote to memory of 2252 | 1204 | unregmp2.exe (3 entries)
PID 1204 wrote to memory of 292 | 1204 | unregmp2.exe (3 entries)
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\rundll32.exe
Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\87f4ff988b3efc9a3e0d996f68db1be0.dll,#1
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2532
-
C:\Windows\system32\shrpubw.exe
Command line: C:\Windows\system32\shrpubw.exe
PID:2276
-
C:\Users\Admin\AppData\Local\9uWbol3Cc\shrpubw.exe
Command line: C:\Users\Admin\AppData\Local\9uWbol3Cc\shrpubw.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:832
-
C:\Windows\system32\ddodiag.exe
Command line: C:\Windows\system32\ddodiag.exe
PID:2964
-
C:\Users\Admin\AppData\Local\wjfo\ddodiag.exe
Command line: C:\Users\Admin\AppData\Local\wjfo\ddodiag.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3020
-
C:\Windows\system32\unregmp2.exe
Command line: C:\Windows\system32\unregmp2.exe
PID:2252
-
C:\Users\Admin\AppData\Local\oVUV0nDe\unregmp2.exe
Command line: C:\Users\Admin\AppData\Local\oVUV0nDe\unregmp2.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:292
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 95KB
MD5: 539ddddf6797759e820854ec54adf82e
SHA1: fec486d6e9a38a54963e01ac18b370c5173aaeee
SHA256: b59c25b7f8fa161e2ab78507dbe258e6b2c281d028790ebd1d321ce285186afc
SHA512: 633d9b735144bbc79016e211a248830d6ef57bc232cd7de7c4d62934e0345b45218c233120ba5a61e9dfbbed572b4cafbfecc102ff35edcedf6aebbb2cefacb2
-
Filesize: 118KB
MD5: 2d73937b3735925ebcacd04151459500
SHA1: 115aaaccd01d1c8beaba6fd84fe30dbd84210597
SHA256: d05cf222f7fb9b6dd72b0ce7f13b0ce273a4a603ac390134273cca4664e746cd
SHA512: a34c7286f49c79b0e5ab63e5735c9f886641b7bf09138186f15145ef7e3e7ae5a32f21243d473d546ee4e5a3e80dc78de60460b61acf7d313553a1d24534a6d9
-
Filesize: 33KB
MD5: d19b9de6ac49b9604059136f3957d5b9
SHA1: 28d8cd6ec45b553f529189989f2c85a78b615e3f
SHA256: b6100cbdd7bbf827653bcc69019cf33ad8c23ed1aa5fdd0a86c62a85f0bee760
SHA512: d3395863c6cf348b47583b606756f3fbc13cbff3151cce936cbb785f3e5283c16db4e17db99e61c33e05a89f86e18f8682f900304ebc52ddf0fde40ab8fb3b40
-
Filesize: 88KB
MD5: 15d41c9aa88d3a13c880b4d7a6772477
SHA1: 40597f28624a1976da21dfccb3ef4d3801e176e7
SHA256: a45125550d80a397a6472fefed0c3bca25daa7cd7951b840405723e7a85f6128
SHA512: 46f287574c0aff8dd94156132a575332836eb04b201da5b3a8b14ab0a49613136c411b3e2a168d3fe1f16582872be268bb8309d46dfdf264a2d3081df3862ddf
-
Filesize: 132KB
MD5: 9121740ff1acfa9ac5f33b9dfdc1a8f5
SHA1: db47b4adc72371cd0978c0892fe3aeefc07de047
SHA256: 9e29665d3b2d6c1b7f374875b79b304f89da162b41741c80db1eb4f25be1a6da
SHA512: b3df5c42edaa2f86ac0415f97979bebda7ae70d4e7c971e423dd85040f79d6e199324c4588367994f7a5a7584be83565c08bf1153a699b34be41fd4a4e5efb81
-
Filesize: 134KB
MD5: 32b97eb34f4b8fa296839cc4f4c48377
SHA1: 24ef8a039ecd35ea1780e17197ae37583869226b
SHA256: 688c823234f46b7a264c8c2252a2b303239d42d751480f67bdc67e0d7c8bcd04
SHA512: 3eef44c1ea009ba89a3351d0865028ef7e75e43679568585eda8161d76798f774a9e51816c0099f92907d40db906f2e187a40512bef20ec36803d56bf2273068
-
Filesize: 68KB
MD5: 1ac402c5cb88c684287132abae86623c
SHA1: 4d0c6cfb802c2aeb03b4ae5772eb0f88e5d510d3
SHA256: 00beee083fc2f58969734d7ae1a9a9bcf14e331c489a0a65107b66b02b14dec7
SHA512: 5d7e84b1ee1c9d1ede22795dd2c251c667f8969945fe66a3af165b2b97cb2aeb28e9e66fdf1efdb28afa9d881fef78fe6234c491b735c96f12f2de799247c8f6
-
Filesize: 1010B
MD5: 82fba99901a34346a60d2876f5b7a1a1
SHA1: 66ab939671763a5b745686b15ab109fe5c058d05
SHA256: 6a2727bd99e05e6077da6f64c32d714892528edfccc1f8e8af9295359eefb083
SHA512: 3df32f426ab3664c9b9ba1a3b2662f9ba987def014d6976976bb860d289a257b8b3d23180ae84442be60e94937d9326a33ba676588dea40482be5319a3eecb9d
-
Filesize: 158KB
MD5: 989e7e42fbd0fb346e45ac17b0f81a2d
SHA1: 97b4f4d3aae15b65f3d4500e83ed8eb06caeece2
SHA256: 4c27c652dd1fff3259ed15a82827ad7744a4a67dc4cf7318cc02c09e255e23bb
SHA512: bb4873fabcf501d77ac61882f5d43188ddb447bba7fc4e84febe0502978e12f1562765bf75ada90f9fb457a4018102ff2a9cc9d171ff35fab33c47bf7c058a06
-
Filesize: 495KB
MD5: 791ea65fad082e86db609282b5472023
SHA1: 937ab541f9b4cfb1b25e07fa0ca617c9dec417c8
SHA256: e61ed85b57d053eaf57d06274a08ab0de01d506ffe07ca1e94b9841bd539e5d2
SHA512: 22f20a61d91d7b57e2c5d2e61690082e1aab4e83bb5b9c59003892d7a53e31e5a17fe99299b84c4527f24f8e67d13dea7eac024820cc626af6682cf46b11afec
-
Filesize: 375KB
MD5: 06b9dabd4677f9cbbf4c2b939c3f02f5
SHA1: adf61f5258063be5b97c2db0e4b6110db837ba2b
SHA256: d7c4e74c36629172139c9f1538287c2ffae6b04037955bd7a971df4376290d26
SHA512: 07958b61765c885efdc13b3681a120b9960d2656064b4593572e1a77e9b03ec301a33af653ae5ad32e9254f8ae19c23adb365bf0d4cda00af1d825a00ee927b5
-
Filesize: 128KB
MD5: 217e248ccbce89e478d531cf3bd89ae3
SHA1: 332e074da0c9e44153bad6988c85e59987ea3a42
SHA256: 70d14772f74b1868c75578c94f8ca43d091c14661ac1309c9b347a2baa1239ac
SHA512: 7d27c4e15d13b0181a9f645d845234e4a164078c56e7603c5a7a9079760024dd26e05b09618338ec17d33d62648bb7ef90faf1b24164c81221657170248b0f0f
-
Filesize: 38KB
MD5: 088a1f2fbdcaf68235232d1ae12cdf77
SHA1: 51a2569da0d9d567347b4a3e7dcbf07bc67a29fd
SHA256: 08311273a69d5617aa35e6673f20aabcc8522acfdb300621ba3960157d827d15
SHA512: 137f09863e717be1f997aa5c61752186beb1be858912745fc88df62bee35c497c924ab2367fb17865e0020efff49e8740cee0203dc57e4a38e422c2aa5e676cb
-
Filesize: 216KB
MD5: dbf594cb79d5fe4dcbfc41626a471e96
SHA1: d19b0f5606c9341235d74a324a2ba7480197cdf7
SHA256: 6989166e3283c2d2053edafd2e5f441568a5a6135efe0294597aed5931a82b43
SHA512: bd8e0ed21d5620e1c649cabdb22beaa82bd0e2f331c9997b8b807fbc343497ef5f3491f7d30e217c6006a659e0c607fca8d5d821ca0db4d82334f41c922c42a5
-
Filesize: 110KB
MD5: 4de9c366740815e266defc61b23092a3
SHA1: 76a790f158e3f10a3ba1ec7ef33f70c1b118386e
SHA256: 160b65c63f2947e074d69224d66ab0d599c6a87df6a8dd03267fb77d23bf9639
SHA512: 6374c50e9c0a1620604cfc8643ac5917bc22e4dccfb0797f89301c70b961d806659a740829ccda79a78b02fdd305cb2a3d9ca52bc18d93e6343b5ffbfb33740c
-
Filesize: 79KB
MD5: 0a18d673623d33e7746048d8f39a530d
SHA1: eab8bae2e4b0ef310de0e71b9321af1bee7b0dea
SHA256: d8772a41cc5d00bd518c1b88d8f9a278f586c4b8d6634a71d65f52653eac364b
SHA512: aeecb3b26e74fa4cadac3c36fda5b6588554b86a531944cd216fc82b1a78c99d32630be928e257b539bfc0a5be636bc159b6aa8fbd8230a6c729f6d405ac53ed
-
Filesize: 42KB
MD5: 509f9513ca16ba2f2047f5227a05d1a8
SHA1: fe8d63259cb9afa17da7b7b8ede4e75081071b1a
SHA256: ddf48c333e45c56c9e3f16e492c023bf138629f4c093b8aaab8ea60310c8c96e
SHA512: ad3168767e5eba575ae766e1e2923b1db4571bbeb302d7c58e8023612e33913dcd9e5f4a4c1bc7b1556442a0807117066f17c62b38fe2ae0dfaa3817b7318862
-
Filesize: 147KB
MD5: 5e2143090655d160d69119f6e2d39ff1
SHA1: fb804416a0809c27c137bbf51b14ff47bbb19ff5
SHA256: 321bb5328e335b783df753413d2c26d18f4d057c7223d702d25606fdf44a1df0
SHA512: 930543cb84e9060616238995bb8803ad3319030f648c74feba8effe5571c3a10c51c0f3b3835a564086eb768cb2b576851b32cc16a691b0a3420df5c351d86d8