Analysis
max time kernel: 149s
max time network: 122s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 28-05-2024 00:16
Static task: static1
Behavioral task: behavioral1
Sample: 84729875b5cf12ed4b09f053e2c429da3f76a7de0b312ff292396e036580d243.dll
Resource: win7-20240508-en
General
Target: 84729875b5cf12ed4b09f053e2c429da3f76a7de0b312ff292396e036580d243.dll
Size: 892KB
MD5: 009476457e7f03b7c55a0b468c9be2c1
SHA1: ea8823b66b647bd936a65d9b745d4431378e14e9
SHA256: 84729875b5cf12ed4b09f053e2c429da3f76a7de0b312ff292396e036580d243
SHA512: ef82b8b9c84ac1fe2c1326c2a07a632504786179811f956bfc9c65f203d4fe395981db8891420b18906302d8ff01d63a18bb34e88104c7975b13531fc412d180
SSDEEP: 12288:3ZgJtlQepQn+NDo7nIgegQCLDF/B9wvj/cLvVZFuw:3ZK6F7nVeRmDFJivohZFV
Malware Config
Signatures
YARA rule match (resource / yara_rule):
  behavioral1/memory/1196-5-0x0000000002D80000-0x0000000002D81000-memory.dmp  dridex_stager_shellcode
Executes dropped EXE 3 IoCs
Processes (pid / process):
  2512 sdclt.exe
  2000 fvenotify.exe
  2984 vmicsvc.exe
Loads dropped DLL 7 IoCs
Processes (pid / process):
  1196 (process name not reported)
  2512 sdclt.exe
  1196 (process name not reported)
  2000 fvenotify.exe
  1196 (process name not reported)
  2984 vmicsvc.exe
  1196 (process name not reported)
Adds Run key to start application 2 TTPs 1 IoCs
Processes (description / ioc / process):
  Set value (str)  \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\Gdussggr = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\ACCESS~1\\SYSTEM~1\\smM\\FVENOT~1.EXE"  (process not reported)
Checks whether UAC is enabled 4 IoCs
Processes (description / ioc / process):
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  sdclt.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  fvenotify.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  vmicsvc.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (pid / process), in the order reported, with repeated entries collapsed:
  1088 rundll32.exe  (3 entries)
  1196 (process name not reported)  (29 entries)
  2512 sdclt.exe  (2 entries)
  1196 (process name not reported)  (21 entries)
  2000 fvenotify.exe  (2 entries)
  1196 (process name not reported)  (7 entries)
Suspicious use of WriteProcessMemory 18 IoCs
Processes (description / pid / target process), each reported 3 times:
  PID 1196 wrote to memory of 2624  1196  sdclt.exe
  PID 1196 wrote to memory of 2512  1196  sdclt.exe
  PID 1196 wrote to memory of 1028  1196  fvenotify.exe
  PID 1196 wrote to memory of 2000  1196  fvenotify.exe
  PID 1196 wrote to memory of 2864  1196  vmicsvc.exe
  PID 1196 wrote to memory of 2984  1196  vmicsvc.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\84729875b5cf12ed4b09f053e2c429da3f76a7de0b312ff292396e036580d243.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID: 1088
C:\Windows\system32\sdclt.exe
  command line: C:\Windows\system32\sdclt.exe
  PID: 2624
C:\Users\Admin\AppData\Local\LCJKTAnn\sdclt.exe
  command line: C:\Users\Admin\AppData\Local\LCJKTAnn\sdclt.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID: 2512
C:\Windows\system32\fvenotify.exe
  command line: C:\Windows\system32\fvenotify.exe
  PID: 1028
C:\Users\Admin\AppData\Local\sd5V6iw\fvenotify.exe
  command line: C:\Users\Admin\AppData\Local\sd5V6iw\fvenotify.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID: 2000
C:\Windows\system32\vmicsvc.exe
  command line: C:\Windows\system32\vmicsvc.exe
  PID: 2864
C:\Users\Admin\AppData\Local\vvgaFrkH\vmicsvc.exe
  command line: C:\Users\Admin\AppData\Local\vvgaFrkH\vmicsvc.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 2984
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Local\LCJKTAnn\sdclt.exe
  Filesize: 1.2MB
  MD5: cdebd55ffbda3889aa2a8ce52b9dc097
  SHA1: 4b3cbfff5e57fa0cb058e93e445e3851063646cf
  SHA256: 61bd24487c389fc2b939ce000721677cc173bde0edcafccff81069bbd9987bfd
  SHA512: 2af69742e90d3478ae0a770b2630bfdc469077311c1f755f941825399b9a411e3d8d124126f59b01049456cddc01b237a3114847f1fe53f9e7d1a97e4ba36f13
C:\Users\Admin\AppData\Local\sd5V6iw\slc.dll
  Filesize: 896KB
  MD5: 197cb723c8402b1a7956e7425dd9d3a1
  SHA1: f0967ab2205c6a49ba4beea550f919ef85cc96a1
  SHA256: 374333a502848945dd16294008b1bab4cd1d9d516ee50773eefe98f53c10587d
  SHA512: 4a80fec4f3e260ab2828b303d79b2abd2ac369c0a374779cc42916485d821d1698df026eb4067d7959e86cbee18d606c67bd54bacf55f61b5536eee0e9a163c3
C:\Users\Admin\AppData\Local\vvgaFrkH\ACTIVEDS.dll
  Filesize: 896KB
  MD5: af13f4b26029521582ed2827b9ec0e87
  SHA1: a4e1a84af7f86fee0b565d5c0a77645b59b33326
  SHA256: ac278603f979e6eb95a965a3a995c568f1dda0ab27ad846ae2e28c62c80c524e
  SHA512: 213a25c4cc0d877b1671f957a0b6b46c6fada4c452017b8e756b356f4d0463e91ff9611eb15b8d6f3cdfe97fde67a9b18ad78cc587cc88868bea9fdbd14615ea
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Smfbypnq.lnk
  Filesize: 1KB
  MD5: 3ee5cedeb4859730accd2f6f54e71621
  SHA1: ef4227615fd3196f47f02c3f8dcc03f8e3520383
  SHA256: 61333aafa8d2c14466b8cb8a2d7bdb5d17eb2fc56111e36431bbc5f79972d0a1
  SHA512: 563f18682ccd2bb8c9b1ea926f51e08b28e865cc8552ac32752d26933501792655ca50b785b9a2c2a5755e900b70ce0e6d9d779f505f41f046aaf5ae1950f337
\Users\Admin\AppData\Local\LCJKTAnn\wer.dll
  Filesize: 896KB
  MD5: 045f1fa4e6f47c851ea75fb652f720c5
  SHA1: ca8ca6cca75745be497315c401de5484c1d7ec9d
  SHA256: 7422d2a47e993b46554f8bc38c605dddc9c3522d1987ca30b3a96b10c2ce619e
  SHA512: 7cbeb3112014e705fe0675e9c975fd7db6f299f2d3f477795c5306d7a37f9a05255379b2b05df584a4eaa8688466d784a6a39dc35381758699d5acafdf761cd5
\Users\Admin\AppData\Local\sd5V6iw\fvenotify.exe
  Filesize: 117KB
  MD5: e61d644998e07c02f0999388808ac109
  SHA1: 183130ad81ff4c7997582a484e759bf7769592d6
  SHA256: 15a85cd6fbcb1ec57d78f986d6dd8908bd56231ce0cf65775075512303f7e5fa
  SHA512: 310141b73394ae12a35f8d4f0c097868ee8a8045a62dd402a5dfbe2151980dd4fe18409ae3ca9422e3b88b2fa9afb04c1acbf8ec23a937a0a242b32a9a1e9272
\Users\Admin\AppData\Local\vvgaFrkH\vmicsvc.exe
  Filesize: 238KB
  MD5: 79e14b291ca96a02f1eb22bd721deccd
  SHA1: 4c8dbff611acd8a92cd2280239f78bebd2a9947e
  SHA256: d829166db30923406a025bf33d6a0997be0a3df950114d1f34547a9525b749e8
  SHA512: f3d1fa7732b6b027bbaf22530331d27ede85f92c9fd64f940139fd262bd7468211a8a54c835d3934b1974b3d8ecddefa79ea77901b9ef49ab36069963693f988
Memory dumps (path / Filesize):
memory/1088-1-0x0000000000190000-0x0000000000197000-memory.dmp  28KB
memory/1088-0-0x000007FEF6A40000-0x000007FEF6B1F000-memory.dmp  892KB
memory/1088-11-0x000007FEF6A40000-0x000007FEF6B1F000-memory.dmp  892KB
memory/1196-21-0x0000000140000000-0x00000001400DF000-memory.dmp  892KB
memory/1196-20-0x0000000140000000-0x00000001400DF000-memory.dmp  892KB
memory/1196-44-0x0000000077430000-0x0000000077432000-memory.dmp  8KB
memory/1196-45-0x0000000140000000-0x00000001400DF000-memory.dmp  892KB
memory/1196-43-0x00000000772D1000-0x00000000772D2000-memory.dmp  4KB
memory/1196-40-0x0000000002D60000-0x0000000002D67000-memory.dmp  28KB
memory/1196-33-0x0000000140000000-0x00000001400DF000-memory.dmp  892KB
memory/1196-32-0x0000000140000000-0x00000001400DF000-memory.dmp  892KB
memory/1196-31-0x0000000140000000-0x00000001400DF000-memory.dmp  892KB
memory/1196-30-0x0000000140000000-0x00000001400DF000-memory.dmp  892KB
memory/1196-29-0x0000000140000000-0x00000001400DF000-memory.dmp  892KB
memory/1196-28-0x0000000140000000-0x00000001400DF000-memory.dmp  892KB
memory/1196-27-0x0000000140000000-0x00000001400DF000-memory.dmp  892KB
memory/1196-25-0x0000000140000000-0x00000001400DF000-memory.dmp  892KB
memory/1196-24-0x0000000140000000-0x00000001400DF000-memory.dmp  892KB
memory/1196-26-0x0000000140000000-0x00000001400DF000-memory.dmp  892KB
memory/1196-54-0x0000000140000000-0x00000001400DF000-memory.dmp  892KB
memory/1196-22-0x0000000140000000-0x00000001400DF000-memory.dmp  892KB
memory/1196-23-0x0000000140000000-0x00000001400DF000-memory.dmp  892KB
memory/1196-4-0x00000000771C6000-0x00000000771C7000-memory.dmp  4KB
memory/1196-49-0x0000000140000000-0x00000001400DF000-memory.dmp  892KB
memory/1196-39-0x0000000140000000-0x00000001400DF000-memory.dmp  892KB
memory/1196-19-0x0000000140000000-0x00000001400DF000-memory.dmp  892KB
memory/1196-18-0x0000000140000000-0x00000001400DF000-memory.dmp  892KB
memory/1196-17-0x0000000140000000-0x00000001400DF000-memory.dmp  892KB
memory/1196-16-0x0000000140000000-0x00000001400DF000-memory.dmp  892KB
memory/1196-15-0x0000000140000000-0x00000001400DF000-memory.dmp  892KB
memory/1196-13-0x0000000140000000-0x00000001400DF000-memory.dmp  892KB
memory/1196-12-0x0000000140000000-0x00000001400DF000-memory.dmp  892KB
memory/1196-10-0x0000000140000000-0x00000001400DF000-memory.dmp  892KB
memory/1196-9-0x0000000140000000-0x00000001400DF000-memory.dmp  892KB
memory/1196-102-0x00000000771C6000-0x00000000771C7000-memory.dmp  4KB
memory/1196-14-0x0000000140000000-0x00000001400DF000-memory.dmp  892KB
memory/1196-5-0x0000000002D80000-0x0000000002D81000-memory.dmp  4KB
memory/1196-8-0x0000000140000000-0x00000001400DF000-memory.dmp  892KB
memory/1196-7-0x0000000140000000-0x00000001400DF000-memory.dmp  892KB
memory/2000-86-0x000007FEF74F0000-0x000007FEF75D0000-memory.dmp  896KB
memory/2000-83-0x0000000000380000-0x0000000000387000-memory.dmp  28KB
memory/2000-80-0x000007FEF74F0000-0x000007FEF75D0000-memory.dmp  896KB
memory/2512-68-0x000007FEF6A40000-0x000007FEF6B20000-memory.dmp  896KB
memory/2512-63-0x000007FEF6A40000-0x000007FEF6B20000-memory.dmp  896KB
memory/2984-101-0x0000000000020000-0x0000000000027000-memory.dmp  28KB
memory/2984-105-0x000007FEF74F0000-0x000007FEF75D0000-memory.dmp  896KB