Analysis
- max time kernel: 150s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 01-02-2024 02:35

Static task: static1
Behavioral task: behavioral1
- Sample: 82a4bc5335713f3201927604dc1c17fa.dll
- Resource: win7-20231215-en
General
- Target: 82a4bc5335713f3201927604dc1c17fa.dll
- Size: 1.7MB
- MD5: 82a4bc5335713f3201927604dc1c17fa
- SHA1: 0760fdf10d7b767e7b1c6c75b5a6df7fa582f2de
- SHA256: b24b5a97da7b45c297575085b7e6a6812e70391a8460609e4ab225c8b8c421b8
- SHA512: fdc555fae69369b3e61dae10b2e01607d5c853ed93bc403d08678447454e550ed598a3c46e4c7489e9e9626ffca57c317a92b64a3e48c6d44717667be684fe2e
- SSDEEP: 12288:hVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:QfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
- YARA rule match
  resource | yara_rule
  behavioral1/memory/1420-5-0x0000000002AA0000-0x0000000002AA1000-memory.dmp | dridex_stager_shellcode

- Executes dropped EXE (3 IoCs)
  pid | process
  2436 | Dxpserver.exe
  2888 | MpSigStub.exe
  1464 | rdpclip.exe

- Loads dropped DLL (7 IoCs)
  pid | process
  1420 | (no process name recorded)
  2436 | Dxpserver.exe
  1420 | (no process name recorded)
  2888 | MpSigStub.exe
  1420 | (no process name recorded)
  1464 | rdpclip.exe
  1420 | (no process name recorded)

- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\Zqonzshwxyr = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\MAINTE~1\\HB04N6~1\\MPSIGS~1.EXE" | (no process name recorded)

- Checks whether UAC is enabled
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Dxpserver.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | MpSigStub.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rdpclip.exe

- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | process
  828 | rundll32.exe (3 entries)
  1420 | (no process name recorded; remaining 61 entries)

- Suspicious use of WriteProcessMemory (18 IoCs; each row below is recorded three times in the report)
  description | pid | process | target process
  PID 1420 wrote to memory of 3056 | 1420 | (no process name recorded) | Dxpserver.exe
  PID 1420 wrote to memory of 2436 | 1420 | (no process name recorded) | Dxpserver.exe
  PID 1420 wrote to memory of 1372 | 1420 | (no process name recorded) | MpSigStub.exe
  PID 1420 wrote to memory of 2888 | 1420 | (no process name recorded) | MpSigStub.exe
  PID 1420 wrote to memory of 2064 | 1420 | (no process name recorded) | rdpclip.exe
  PID 1420 wrote to memory of 1464 | 1420 | (no process name recorded) | rdpclip.exe

- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\rundll32.exe (PID 828)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\82a4bc5335713f3201927604dc1c17fa.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses

- C:\Windows\system32\Dxpserver.exe (PID 3056)
  Command line: C:\Windows\system32\Dxpserver.exe

- C:\Users\Admin\AppData\Local\3qL8\Dxpserver.exe (PID 2436)
  Command line: C:\Users\Admin\AppData\Local\3qL8\Dxpserver.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled

- C:\Windows\system32\MpSigStub.exe (PID 1372)
  Command line: C:\Windows\system32\MpSigStub.exe

- C:\Users\Admin\AppData\Local\nbYXZm\MpSigStub.exe (PID 2888)
  Command line: C:\Users\Admin\AppData\Local\nbYXZm\MpSigStub.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled

- C:\Windows\system32\rdpclip.exe (PID 2064)
  Command line: C:\Windows\system32\rdpclip.exe

- C:\Users\Admin\AppData\Local\5mJA\rdpclip.exe (PID 1464)
  Command line: C:\Users\Admin\AppData\Local\5mJA\rdpclip.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
Network
MITRE ATT&CK Enterprise v15
Downloads