Analysis
max time kernel: 150s
max time network: 122s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 01-02-2024 16:32
Static task: static1
Behavioral task: behavioral1
Sample: 875d030c5fc6c9897bd817f84ca43711.dll
Resource: win7-20231215-en
General
Target: 875d030c5fc6c9897bd817f84ca43711.dll
Size: 2.9MB
MD5: 875d030c5fc6c9897bd817f84ca43711
SHA1: 865b73891c48646127255bfdc6104552b7aa90a4
SHA256: 2303cd17c0c377a2c2446c1267c7ff5a772e4cc30c721eddf332fae15489d256
SHA512: d67ae0e3134a96e7c3948813206839eb330f411104751450cd600b4b7aea549aa2c140b9b45c9c7d36c21b4c09c3ed83c89eac384816dd5942c4d07490cca48b
SSDEEP: 12288:tVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:0fP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
YARA rule match (dridex_stager_shellcode)
Processes:
resource | yara_rule
behavioral1/memory/1192-5-0x0000000002BE0000-0x0000000002BE1000-memory.dmp | dridex_stager_shellcode
Executes dropped EXE 3 IoCs
Processes:
pid | process
2860 | SystemPropertiesRemote.exe
1324 | taskmgr.exe
2464 | DWWIN.EXE
Loads dropped DLL 7 IoCs
Processes:
pid | process
1192 | (process name not recorded)
2860 | SystemPropertiesRemote.exe
1192 | (process name not recorded)
1324 | taskmgr.exe
1192 | (process name not recorded)
2464 | DWWIN.EXE
1192 | (process name not recorded)
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\Pfoxtyecp = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\QUICKL~1\\ZV\\taskmgr.exe" | (process name not recorded)
Checks whether UAC is enabled
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | SystemPropertiesRemote.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | DWWIN.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process
1956 | rundll32.exe (3 entries)
1192 | (process name not recorded; pid 1192 repeated for all remaining entries)
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
description | pid | process | target process
PID 1192 wrote to memory of 2800 | 1192 | (not recorded) | SystemPropertiesRemote.exe (3 entries)
PID 1192 wrote to memory of 2860 | 1192 | (not recorded) | SystemPropertiesRemote.exe (3 entries)
PID 1192 wrote to memory of 1112 | 1192 | (not recorded) | taskmgr.exe (3 entries)
PID 1192 wrote to memory of 1324 | 1192 | (not recorded) | taskmgr.exe (3 entries)
PID 1192 wrote to memory of 1284 | 1192 | (not recorded) | DWWIN.EXE (3 entries)
PID 1192 wrote to memory of 2464 | 1192 | (not recorded) | DWWIN.EXE (3 entries)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Windows\system32\rundll32.exe (PID 1956)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\875d030c5fc6c9897bd817f84ca43711.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
C:\Windows\system32\SystemPropertiesRemote.exe (PID 2800)
  command line: C:\Windows\system32\SystemPropertiesRemote.exe
C:\Users\Admin\AppData\Local\iOtt4B7I\SystemPropertiesRemote.exe (PID 2860)
  command line: C:\Users\Admin\AppData\Local\iOtt4B7I\SystemPropertiesRemote.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
C:\Windows\system32\taskmgr.exe (PID 1112)
  command line: C:\Windows\system32\taskmgr.exe
C:\Users\Admin\AppData\Local\OfNqYkjn\taskmgr.exe (PID 1324)
  command line: C:\Users\Admin\AppData\Local\OfNqYkjn\taskmgr.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
C:\Windows\system32\DWWIN.EXE (PID 1284)
  command line: C:\Windows\system32\DWWIN.EXE
C:\Users\Admin\AppData\Local\8ipY5EaU\DWWIN.EXE (PID 2464)
  command line: C:\Users\Admin\AppData\Local\8ipY5EaU\DWWIN.EXE
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
Network
MITRE ATT&CK Enterprise v15
Downloads