Analysis
max time kernel: 140s
max time network: 122s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 01-02-2024 13:56
Static task: static1
Behavioral task: behavioral1
Sample: 870eeef933351d3ca6e6f77f6f1b0506.dll
Resource: win7-20231215-en

General
Target: 870eeef933351d3ca6e6f77f6f1b0506.dll
Size: 3.5MB
MD5: 870eeef933351d3ca6e6f77f6f1b0506
SHA1: 292b7b5c4c378e9d4f9271ceb61af16ccecca218
SHA256: 0244e314ec929575d050f32ef42e74e572b141b849802f6929ca22fc1401553e
SHA512: 3116fc28269a0056ad24e65c488ac694e7a1d67880130f006c1ee1002a9345f9c7b04264cd6788aeb24f086adbed527a0cdff2abd3c6af35f5162ede228a38df
SSDEEP: 12288:iVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1Fag:/fP7fWsK5z9A+WGAW+V5SB6Ct4bnbFa
Malware Config
Signatures
Memory YARA matches
  resource: behavioral1/memory/1184-5-0x00000000025F0000-0x00000000025F1000-memory.dmp
  yara_rule: dridex_stager_shellcode

Executes dropped EXE 3 IoCs
  pid   process
  888   sigverif.exe
  2192  xpsrchvw.exe
  1436  perfmon.exe

Loads dropped DLL 7 IoCs
  pid   process
  1184  (no process name recorded)
  888   sigverif.exe
  1184  (no process name recorded)
  2192  xpsrchvw.exe
  1184  (no process name recorded)
  1436  perfmon.exe
  1184  (no process name recorded)

Adds Run key to start application 2 TTPs 1 IoCs
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\Bsfvntd = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE\\zzYUDHK8\\xpsrchvw.exe"
  process: (not recorded)

Checks whether UAC is enabled
  description        ioc                                                                                    process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  sigverif.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  xpsrchvw.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  perfmon.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs
  pid   process
  1428  rundll32.exe (3 entries)
  1184  (no process name recorded; all remaining entries)

Suspicious use of WriteProcessMemory 18 IoCs
  description                        pid   process  target process
  PID 1184 wrote to memory of 2172   1184  -        sigverif.exe  (3 entries)
  PID 1184 wrote to memory of 888    1184  -        sigverif.exe  (3 entries)
  PID 1184 wrote to memory of 2688   1184  -        xpsrchvw.exe  (3 entries)
  PID 1184 wrote to memory of 2192   1184  -        xpsrchvw.exe  (3 entries)
  PID 1184 wrote to memory of 1832   1184  -        perfmon.exe   (3 entries)
  PID 1184 wrote to memory of 1436   1184  -        perfmon.exe   (3 entries)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\870eeef933351d3ca6e6f77f6f1b0506.dll,#1
  PID: 1428
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses

C:\Windows\system32\sigverif.exe
  command line: C:\Windows\system32\sigverif.exe
  PID: 2172

C:\Users\Admin\AppData\Local\5vWUO\sigverif.exe
  command line: C:\Users\Admin\AppData\Local\5vWUO\sigverif.exe
  PID: 888
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled

C:\Windows\system32\xpsrchvw.exe
  command line: C:\Windows\system32\xpsrchvw.exe
  PID: 2688

C:\Users\Admin\AppData\Local\agLuwjaQg\xpsrchvw.exe
  command line: C:\Users\Admin\AppData\Local\agLuwjaQg\xpsrchvw.exe
  PID: 2192
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled

C:\Windows\system32\perfmon.exe
  command line: C:\Windows\system32\perfmon.exe
  PID: 1832

C:\Users\Admin\AppData\Local\RdaDc\perfmon.exe
  command line: C:\Users\Admin\AppData\Local\RdaDc\perfmon.exe
  PID: 1436
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 172KB
MD5: 8129b65d8cf55f3bde74c84910041179
SHA1: 4ab1c6193a6a3749e3f0cae24afd6b865e689793
SHA256: 9474e536fcb23cc075c9a63433c0fdde5d4dafdda3efd82e2bd5a613e651ee88
SHA512: 4fa0026a6b9827e5128e80040c4bc1ed1515b8e102bf7c1f0c6374d2eae06ebf2316b0d96e0e378f3e26357c8c1344900c2790325bbbb5410a9631bc8a403a62

Filesize: 73KB
MD5: e8e95ae5534553fc055051cee99a7f55
SHA1: 4e0f668849fd546edd083d5981ed685d02a68df4
SHA256: 9e107fd99892d08b15c223ac17c49af75a4cbca41b5e939bb91c9dca9f0d0bec
SHA512: 5d3c32d136a264b6d2cfba4602e4d8f75e55ba0e199e0e81d7a515c34d8b9237db29647c10ab79081173010ff8e2c6a59b652c0a9cfa796433aed2d200f02da6

Filesize: 164KB
MD5: c6c9b550fa9915920b1042cbebc5c0ce
SHA1: e5a03c6694b578101af5dade9e6ef9b101fb641d
SHA256: c011d07b8dcd581efacb8bd562412af1401f6c924d6d8fc469c1b8a4270dc455
SHA512: ff087b63c4b1f6f1016df3d72d2c21a974b2820e2422ea53904c58a7de8523869fd02db264bf5c6bea802adcd623f1c17624e386ee4c25d202f3b86c33c3b48e

Filesize: 56KB
MD5: 64df089147fbfcdfdd7ee5a3f501c593
SHA1: a46f4ab09b5557bb1467bbb8bf2fc31d4fb17a09
SHA256: 8843c777d1f4f7fb6d79c0956c6c21a25509bd6fb196b1ce6df800ea72c91c65
SHA512: cf8cd2e263e32bb3860bec777490d758516b52c86806f015f70e10624fbe48cd6444c820380ca9f54c1633082916ed9d392d532fbb66b033fdef26565a922b0b

Filesize: 163KB
MD5: 3a87b94c2f374966d12237093b5828cb
SHA1: 23ef1d49a795eae36ac8266e9880c294340a863c
SHA256: f014e17f1ceae69fc24614b1e2b5e668f83caf395df924c2ef0c8a7319a7661a
SHA512: 8d4f854b8d964ec5e3a5260f0b011d6bac9ad55e0acce2b577703656588d48b25e73c1cc9736f296818385f7c14e10f07f6770716ffbd61b4259fd20b5abb4ec

Filesize: 124KB
MD5: 9c88d46f1b7d4b411b9c4294e0b907a7
SHA1: 3327e0c9bf2b0780a455ed9c40ded06e1701520c
SHA256: bf5c385b0c30ac2e5e138aa7a1cf5b2d87208fca2585cc3ff66941216697f10c
SHA512: 78496edbad17bb329992975c7ae3cea9ed785f6340d07e761771fe60a5eade50302d4ed4acb332a8516d392012afe6ca0eb098f30bca7540b6f92d647bce1be9

Filesize: 301KB
MD5: 693609ddf32481586c1856505ca38898
SHA1: f0db7aefb797d702352945747b8514abad9859a2
SHA256: e09910756072703e8afb3115d3c7fad75205c502b967d960eccc9d252ced5572
SHA512: 2f2f4cebfe4a8ef9f6bbb7b735943f7a9a34b42b8d2eb7a22df99cbf086711686bd085086637ebb8a715b60c2e9af61f0ca5efa8b424e691d8b29d45739081cb

Filesize: 1KB
MD5: 55baa3c40c648375593671026c4d105d
SHA1: eadcfd3f797be8c00957e7245fde74553b9fd852
SHA256: be2acee9dc58f30153fa016f027dc86ff120693697f52ad378af41ac2c4648fb
SHA512: 28721cef5ae0a0bfe86f0c8352f27ec3ccb5ca11bbd2465c150bf6c093d9d62bafcd5a8838e97d78c1e0df4b271828942ce0d7b880e39cc7c5347f9c8d236446

Filesize: 437KB
MD5: 9d01e0ede99eaf4408b0ba20c2a8f37b
SHA1: 8212daa51a41395c937c064266045ff5fe2e0310
SHA256: d6700a8997f099a2caba3ab3a8d9e481fdc7a468222bb0ea8424205e61fe336c
SHA512: 2d2514db9cee6f21864709df5ed7db258e217674daaa12c19dcde22f30f764d6917e1d574fe6b3fb5a9b557dd2fd7e06ad3f353900618f4b120d999e7e721b0b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\q2Ma7Uj\credui.dll
Filesize: 3.5MB
MD5: 25309d4f50efdc6cbc6e582141554160
SHA1: 94079cce08f6a68628aef995fdc497912b56406f
SHA256: ce100fd50627c4db73eb8c85f7ba21d99b6c10200554420e136d8061b9e2345c
SHA512: 39ea2c6eee78c57384287eaacbf0860b4f5b9da2ebacd00df4488493e6212ad970a874b4d9ad6e1f3ddd0351b16c57806c069233f6b4171fc9f26b07bea92967

Filesize: 306KB
MD5: e6142c9a25ba8dda6028814648ee2600
SHA1: 0ced623238f72f2651173e888ff701a44f506905
SHA256: 85a5a441b5ec3b9a798f5998ad0d2de1f3d8fdd2b701ad41bcaef41fea2b6e25
SHA512: 129d191a53bb50d8cec7b32ce5145e711bf4a1a2fffb3887ce3314f5455aaf083b54ba2a63b03ea2117f7ec5db0f1b232f1a5bf3d0ba3b60accffba09889e454

Filesize: 216KB
MD5: 9941768515410a14403f003cd7c28b60
SHA1: 0106560f6cac2345d1dd99c40a99c683f323baa2
SHA256: 1dea8e692150da355da3fa14921e6a13460482b29169f80a127bfded2ade0312
SHA512: a010d87285d6c1234497c45edc4971e480e62a58cf5da76f407e1c6d9686d7042f29ea20261deeed51d1045d2b87f31ed064c1c4edb33b38518a41c5e6fe1d59

Filesize: 27KB
MD5: 176dd928ef85f23cb1c3de429a5b11cb
SHA1: 9abb53bd6d749862b837ba38d87c77bd7624943f
SHA256: eda14e8e2fb3c1fd4615677fed092eee91ffad0cc3869a7665a66848b35fb59b
SHA512: d1c80875167310285a3885cb0d9792b657daafe2ba28b2bd877cdd68b54b838c5745ab1dc0a0c1a3b467c7300ca77f0000892b5ccb5a5c3e915c52ee8291636a

Filesize: 93KB
MD5: b6cdc7d02e7ba1f00688ff5d6c647c4c
SHA1: 27427dd8e2680595e85aa54a8e3901701a0452e2
SHA256: c0566e6c0115254cce1325680cc5927bf77a403903146ad1eb2167f8348ad64a
SHA512: 8fe59342754ae00b262a80b91b3581c699e16fc0c869787a1bf5b98644b60e138cf8a9734ad80972c3a3b7788fb926aa947c3fb2541a82619a3992d6ffefba85

Filesize: 152KB
MD5: 3cf51abf1230046e2c689a167c057be1
SHA1: 4dd494b23404adaeefaac28e110191abe8abe41a
SHA256: f1a4658f91be10fc448b096a44deeaef77381da0df92c1497aee6c41f71a7c66
SHA512: 77af32437e8095c1f4d71f251dbbc8dfdb82c464fdae78f6b0e5e0a1ca51a714dc8e6dcbbaeff5015c02c8a92b26f56200b445c2c29d8ac03713b8bc98ec17f7

Filesize: 83KB
MD5: f1580a3683f07d6467fc9ac9aee3a361
SHA1: d83fe8112744ce4df59529cfb876d2bce5c67294
SHA256: 74bdd8b7e677f73e6b8f0bd819942e460f025f4fb9b40ca94aee1344e005f9fa
SHA512: d68930de906e3494121b19f53bd21442793e7f2fed844b1b4373e8ed4de7579c0e40f19f1d5107ea88939269e46b1d53f9b6e4c037ad193424fb27437e10078d

\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\q2Ma7Uj\perfmon.exe
Filesize: 168KB
MD5: 3eb98cff1c242167df5fdbc6441ce3c5
SHA1: 730b27a1c92e8df1e60db5a6fc69ea1b24f68a69
SHA256: 6d8d5a244bb5a23c95653853fec3d04d2bdd2df5cff8cffb9848bddeb6adb081
SHA512: f42be2a52d97fd1db2ed5a1a1a81a186a0aab41204980a103df33a4190632ba03f3cbb88fcea8da7ed9a5e15f60732d49a924b025fe6d3e623195ec1d37dfb35