Analysis
max time kernel: 149s
max time network: 125s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 17/07/2024, 19:49
Static task: static1
Behavioral task: behavioral1
Sample: e2de0d401a8809be7f287cdb30e3151282c0de21c5bcb7b41437e8fdd6b38f66.dll
Resource: win7-20240705-en
General
Target: e2de0d401a8809be7f287cdb30e3151282c0de21c5bcb7b41437e8fdd6b38f66.dll
Size: 800KB
MD5: 252395046102ed9612e50d71bdc56fe5
SHA1: 23b893ede7e9473b4fdae8051d935ca08593c958
SHA256: e2de0d401a8809be7f287cdb30e3151282c0de21c5bcb7b41437e8fdd6b38f66
SHA512: a5cde48eff1e96551d66cae42d8cc88c58efd71bf3ce9da18bdd77c82b285d643c11ffbe55631d22c6e9ecaaa0c45053d74ba46254766c983563704d5d4ba12e
SSDEEP: 12288:zBim9Tnts08FbKuPcA8NAc1l/XkGaZKoRQIpRX2/0Ak2ng/Zi66wNdufAdN:t/nts0Q9K/0ooRQIxAk2wi0N/
Malware Config
Signatures
YARA rule matches (resource, yara_rule)
behavioral1/memory/1204-4-0x0000000002550000-0x0000000002551000-memory.dmp  dridex_stager_shellcode
behavioral1/memory/2384-1-0x000007FEF6BB0000-0x000007FEF6C78000-memory.dmp  dridex_payload
behavioral1/memory/1204-29-0x0000000140000000-0x00000001400C8000-memory.dmp  dridex_payload
behavioral1/memory/1204-37-0x0000000140000000-0x00000001400C8000-memory.dmp  dridex_payload
behavioral1/memory/1204-49-0x0000000140000000-0x00000001400C8000-memory.dmp  dridex_payload
behavioral1/memory/1204-48-0x0000000140000000-0x00000001400C8000-memory.dmp  dridex_payload
behavioral1/memory/2384-57-0x000007FEF6BB0000-0x000007FEF6C78000-memory.dmp  dridex_payload
behavioral1/memory/2608-65-0x000007FEF6C80000-0x000007FEF6D4A000-memory.dmp  dridex_payload
behavioral1/memory/2608-70-0x000007FEF6C80000-0x000007FEF6D4A000-memory.dmp  dridex_payload
behavioral1/memory/1036-82-0x000007FEF6660000-0x000007FEF6729000-memory.dmp  dridex_payload
behavioral1/memory/1036-87-0x000007FEF6660000-0x000007FEF6729000-memory.dmp  dridex_payload
behavioral1/memory/1812-105-0x000007FEF6660000-0x000007FEF6729000-memory.dmp  dridex_payload
Executes dropped EXE: 3 IoCs
pid  Process
2608  dpnsvr.exe
1036  perfmon.exe
1812  SystemPropertiesComputerName.exe

Loads dropped DLL: 7 IoCs
pid  Process
1204  Process not Found
2608  dpnsvr.exe
1204  Process not Found
1036  perfmon.exe
1204  Process not Found
1812  SystemPropertiesComputerName.exe
1204  Process not Found

Adds Run key to start application: 2 TTPs, 1 IoCs
description  ioc  Process
Set value (str)  \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\Tlngny = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\QUICKL~1\\GMc\\perfmon.exe"  Process not Found
(The target path is recorded with 8.3 short names: MICROS~1, INTERN~1 and QUICKL~1 are aliases of the long directory names, so a string match on the long names alone will miss this value. Note also that the persisted binary is the perfmon.exe copy, not the submitted DLL.)

Checks whether UAC is enabled: 4 IoCs
description  ioc  Process
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  dpnsvr.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  perfmon.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  SystemPropertiesComputerName.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe

Suspicious behavior: EnumeratesProcesses: 64 IoCs
pid  Process
2384  rundll32.exe  (3 entries)
1204  Process not Found  (60 entries)
2608  dpnsvr.exe  (1 entry)

Suspicious use of WriteProcessMemory: 18 IoCs
description  pid  Process  procid_target
PID 1204 wrote to memory of 1624  1204  Process not Found  31  (3 entries)
PID 1204 wrote to memory of 2608  1204  Process not Found  32  (3 entries)
PID 1204 wrote to memory of 876  1204  Process not Found  33  (3 entries)
PID 1204 wrote to memory of 1036  1204  Process not Found  34  (3 entries)
PID 1204 wrote to memory of 2828  1204  Process not Found  35  (3 entries)
PID 1204 wrote to memory of 1812  1204  Process not Found  36  (3 entries)

Note on PID 1204: it does not appear in the process tree below (the sandbox renders it as "Process not Found", a process it did not capture as a tracked child), yet it is the writer in every WriteProcessMemory event, the process that loads each dropped DLL, the process that sets the Run key, and the process holding the dridex_stager_shellcode region and the dridex_payload regions at 0x0000000140000000. Every process in the tree below is listed at the top level with no recorded parent, so when pivoting in the full trace start from PID 1204 rather than from rundll32.exe.
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Windows\system32\rundll32.exe
command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e2de0d401a8809be7f287cdb30e3151282c0de21c5bcb7b41437e8fdd6b38f66.dll,#1
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID: 2384

C:\Windows\system32\dpnsvr.exe
command line: C:\Windows\system32\dpnsvr.exe
PID: 1624

C:\Users\Admin\AppData\Local\hdQU\dpnsvr.exe
command line: C:\Users\Admin\AppData\Local\hdQU\dpnsvr.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID: 2608

C:\Windows\system32\perfmon.exe
command line: C:\Windows\system32\perfmon.exe
PID: 876

C:\Users\Admin\AppData\Local\plicqJ\perfmon.exe
command line: C:\Users\Admin\AppData\Local\plicqJ\perfmon.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID: 1036

C:\Windows\system32\SystemPropertiesComputerName.exe
command line: C:\Windows\system32\SystemPropertiesComputerName.exe
PID: 2828

C:\Users\Admin\AppData\Local\eEiXM\SystemPropertiesComputerName.exe
command line: C:\Users\Admin\AppData\Local\eEiXM\SystemPropertiesComputerName.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID: 1812
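The process tree shows the layout that matters for triage: each of dpnsvr.exe, perfmon.exe and SystemPropertiesComputerName.exe is run once from C:\Windows\system32 and once as a copy in a short, randomly named directory under %LOCALAPPDATA%, the copies carry "Executes dropped EXE" and "Loads dropped DLL", and every one of them was written to by the untracked PID 1204. That combination (a copied Windows binary beside a dropped DLL it loads) is the DLL side-loading layout commonly reported for Dridex loaders; the page itself only records the paths and events, so the reading is the editor's. The script below is an added example, not sandbox output or the sandbox's own logic: it rebuilds this correlation from the report's IoC text, flags system-binary names running outside System32/SysWOW64, attaches the PIDs that wrote into them, and decodes the 8.3-short-name Run key. The process list, WriteProcessMemory lines and Run-key string are transcribed from the report; the "random-looking directory" test is a heuristic the editor chose.

```python
"""Correlate a sandbox process tree with WriteProcessMemory events to flag copies of
Windows system binaries run from user-writable directories (the DLL side-loading
layout in this report). Added example; inputs are transcribed from the report, the
heuristics are the editor's, not the sandbox's."""
import re
from collections import defaultdict

# Constructed from the report's process tree: PID -> image path.
PROCESSES = {
    2384: r"C:\Windows\system32\rundll32.exe",
    1624: r"C:\Windows\system32\dpnsvr.exe",
    2608: r"C:\Users\Admin\AppData\Local\hdQU\dpnsvr.exe",
    876: r"C:\Windows\system32\perfmon.exe",
    1036: r"C:\Users\Admin\AppData\Local\plicqJ\perfmon.exe",
    2828: r"C:\Windows\system32\SystemPropertiesComputerName.exe",
    1812: r"C:\Users\Admin\AppData\Local\eEiXM\SystemPropertiesComputerName.exe",
}

# Constructed from the report's "Suspicious use of WriteProcessMemory" IoCs
# (one line per target PID; the report repeats each line three times).
WPM_EVENTS = """\
PID 1204 wrote to memory of 1624 1204 Process not Found 31
PID 1204 wrote to memory of 2608 1204 Process not Found 32
PID 1204 wrote to memory of 876 1204 Process not Found 33
PID 1204 wrote to memory of 1036 1204 Process not Found 34
PID 1204 wrote to memory of 2828 1204 Process not Found 35
PID 1204 wrote to memory of 1812 1204 Process not Found 36
"""

# Constructed from the report's "Adds Run key to start application" IoC (backslashes doubled as printed).
RUN_KEY_IOC = (r'Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000'
               r'\Software\Microsoft\Windows\CurrentVersion\Run\Tlngny = '
               r'"C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\QUICKL~1\\GMc\\perfmon.exe"')

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
RUN_KEY_RE = re.compile(r'\\CurrentVersion\\Run\\(?P<name>\S+) = "(?P<target>[^"]+)"', re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def parent_dir_leaf(path):
    """Last directory component: 'hdQU' for ...\\Local\\hdQU\\dpnsvr.exe."""
    return path.rsplit("\\", 2)[-2]


def is_system_path(path):
    return path.lower().startswith(SYSTEM_DIRS)


def looks_random(leaf):
    """Editor's heuristic for generated directory names such as hdQU, plicqJ, eEiXM, GMc:
    short, alphanumeric and mixed case. Tune before using it on real hosts."""
    return (3 <= len(leaf) <= 8 and leaf.isalnum()
            and any(c.islower() for c in leaf) and any(c.isupper() for c in leaf))


def parse_wpm(text):
    """target PID -> set of PIDs that wrote into it."""
    writers = defaultdict(set)
    for m in re.finditer(r"PID (\d+) wrote to memory of (\d+)", text):
        writers[int(m.group(2))].add(int(m.group(1)))
    return writers


def system_binary_names(processes):
    """Image names seen running from System32/SysWOW64 in this trace."""
    return {basename(p) for p in processes.values() if is_system_path(p)}


def find_relocated_system_binaries(processes, wpm_text):
    """Flag processes whose image name matches a system binary but whose image lives
    elsewhere, and record which PIDs wrote into their memory."""
    writers = parse_wpm(wpm_text)
    names = system_binary_names(processes)
    findings = []
    for pid, path in processes.items():
        if basename(path) in names and not is_system_path(path):
            findings.append({
                "pid": pid,
                "image": path,
                "random_dir": looks_random(parent_dir_leaf(path)),
                "memory_written_by": sorted(writers.get(pid, ())),
            })
    return findings


def check_run_key(ioc, names):
    """Decode the Run-key IoC. The target uses 8.3 short names (MICROS~1 ...), so match
    on the leaf directory and file name rather than on long path strings."""
    m = RUN_KEY_RE.search(ioc)
    if not m:
        return None
    target = m.group("target").replace("\\\\", "\\")  # undo the report's doubled backslashes
    return {
        "value_name": m.group("name"),
        "target": target,
        "uses_short_names": "~" in target,
        "system_binary_name": basename(target) in names,
        "random_dir": looks_random(parent_dir_leaf(target)),
    }


if __name__ == "__main__":
    for finding in find_relocated_system_binaries(PROCESSES, WPM_EVENTS):
        print(finding)
    print(check_run_key(RUN_KEY_IOC, system_binary_names(PROCESSES)))
```

On this report the three copies (PIDs 2608, 1036, 1812) are flagged with 1204 as the only writer, and the Run key resolves to a perfmon.exe in a random-looking GMc directory under the Roaming profile. The same functions apply to any trace that exposes a process list and WriteProcessMemory events in this text form; the system32 originals (1624, 876, 2828) are deliberately not flagged, since their image paths are legitimate.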
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 804KB
MD5: f2bdf2364790d1be9f6683a3bd1d6983
SHA1: 723499ce87b05f03905c30d77863348671ee7dda
SHA256: 92a80b424e3771068f73b97e52e1b63df7e5979984536fa131c3145688eac05f
SHA512: 90247ebe2c99d25c55f2db482aa2b0915ba296988344a0b562be1545388e2284cb433ff33e202e7a37a4ec980323f6383b469803453b252b2e1ba87cf6b54f86

Filesize: 808KB
MD5: e897f0c4aab89ee797828423449c4d23
SHA1: 40c1cbe08b2dcbc949c636826b3e92ce520cc971
SHA256: 480918156fede89192ec08403db11a4ebd2c0a47b8fd2fff87c70f924a05905b
SHA512: 5e46a7a3a103f48c1aea0578f9e90800257d23f7ae90fc5fd36507e5047dba871bf1072252565bfe581e0ae6d9af2b18184bceff250bbbf567961229ad654c01

Filesize: 804KB
MD5: 30921147fe8a324cf18008ae652a0fd8
SHA1: 30ca7d81c01877cc0d542780003a3f71130b6d5f
SHA256: 525411fd4b857a9ec0b1588d6782aa01252b70e3825c9d417f42836599d6dfa1
SHA512: 0d3b1c579d0468c93e41ede8fd4cd39f1c2ec278c32c8f7416248c15934be755451699ab1dc57fbd76d5e3cd2923f01188b7d7c28cacbcc4cdc75dd454c1458f

Filesize: 1KB
MD5: 03ef75560f24e70fe7104c45c0220e9a
SHA1: 80f095f3fb2be4e89621e79ace9acd22f92b6779
SHA256: 85107716de99ec31166c711caba52d94b920a9d36900e9ab7977a739c405baf5
SHA512: db63c797de88dc4e85d23c441e2035c9d3742ecd2f20746aa712ec8077f901c4b316b8c6f470c3fc624637a0c4326a3f75747d1fbd1465062ace67cfc1f39ac2

Filesize: 80KB
MD5: bd889683916aa93e84e1a75802918acf
SHA1: 5ee66571359178613a4256a7470c2c3e6dd93cfa
SHA256: 0e22894595891a9ff9706e03b3db31a751541c4a773f82420fce57237d6c47cf
SHA512: 9d76de848b319f44657fb7fbe5a3b927774ae999362ff811a199002ffa77ad9e1638a65a271388e605ab5e5a7cb6ce5aa7fcabc3ed583ade00eaa4c265552026

Filesize: 33KB
MD5: 6806b72978f6bd27aef57899be68b93b
SHA1: 713c246d0b0b8dcc298afaed4f62aed82789951c
SHA256: 3485ee4159c5f9e4ed9dd06e668d1e04148154ff40327a9ccb591e8c5a79958c
SHA512: 43c942358b2e949751149ecc4be5ff6cb0634957ff1128ad5e6051e83379fb5643100cae2f6ef3eaf36aff016063c150e93297aa866e780d0e4d51656a251c7b

Filesize: 168KB
MD5: 3eb98cff1c242167df5fdbc6441ce3c5
SHA1: 730b27a1c92e8df1e60db5a6fc69ea1b24f68a69
SHA256: 6d8d5a244bb5a23c95653853fec3d04d2bdd2df5cff8cffb9848bddeb6adb081
SHA512: f42be2a52d97fd1db2ed5a1a1a81a186a0aab41204980a103df33a4190632ba03f3cbb88fcea8da7ed9a5e15f60732d49a924b025fe6d3e623195ec1d37dfb35
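The YARA resource names above encode the PID and the address range of each dumped region, and the sizes check out against the rest of the report: the dridex_payload region in rundll32.exe (PID 2384) is 0x000007FEF6C78000 - 0x000007FEF6BB0000 = 0xC8000 bytes = 800KB, the size of the submitted DLL; the region in PID 1204 at 0x0000000140000000 is the same 0xC8000; the region in the dpnsvr.exe copy (PID 2608) is 0xCA000 = 808KB and the regions in the perfmon.exe and SystemPropertiesComputerName.exe copies (PIDs 1036 and 1812) are 0xC9000 = 804KB, which are exactly the three large file sizes listed under Downloads (808KB, 804KB, 804KB). That the three files are the DLLs side-loaded by the three copied binaries is the editor's inference from these sizes and the "Loads dropped DLL" signature, not something the page states. The script below is an added example, not sandbox code: it parses the dump-name layout as printed in the report (<pid>-<seq>-0x<start>-0x<end>-memory.dmp), collapses repeated dumps of one mapping, and matches region sizes against the Downloads table. The hits and download sizes are transcribed from the report; size-equality matching is an analyst heuristic that happens to hold here and will not in general, since a mapped image's SizeOfImage need not equal its file size.

```python
"""Turn the report's YARA memory-dump resource names into (pid, range, size) records
and compare region sizes with the files listed under Downloads. Added example by the
editor, not sandbox code; the dump-name layout is as printed in the report and the
size-equality match is an analyst heuristic."""
import re
from collections import defaultdict

# Constructed from the report's YARA hits (repeat dumps of one mapping kept to show collapsing).
YARA_HITS = [
    ("behavioral1/memory/1204-4-0x0000000002550000-0x0000000002551000-memory.dmp", "dridex_stager_shellcode"),
    ("behavioral1/memory/2384-1-0x000007FEF6BB0000-0x000007FEF6C78000-memory.dmp", "dridex_payload"),
    ("behavioral1/memory/1204-29-0x0000000140000000-0x00000001400C8000-memory.dmp", "dridex_payload"),
    ("behavioral1/memory/1204-37-0x0000000140000000-0x00000001400C8000-memory.dmp", "dridex_payload"),
    ("behavioral1/memory/2384-57-0x000007FEF6BB0000-0x000007FEF6C78000-memory.dmp", "dridex_payload"),
    ("behavioral1/memory/2608-65-0x000007FEF6C80000-0x000007FEF6D4A000-memory.dmp", "dridex_payload"),
    ("behavioral1/memory/1036-82-0x000007FEF6660000-0x000007FEF6729000-memory.dmp", "dridex_payload"),
    ("behavioral1/memory/1812-105-0x000007FEF6660000-0x000007FEF6729000-memory.dmp", "dridex_payload"),
]
SAMPLE_KIB = 800  # size of the submitted DLL as printed in General
# Constructed from Downloads: (size in KiB as printed, MD5).
DOWNLOADS = [
    (804, "f2bdf2364790d1be9f6683a3bd1d6983"), (808, "e897f0c4aab89ee797828423449c4d23"),
    (804, "30921147fe8a324cf18008ae652a0fd8"), (1, "03ef75560f24e70fe7104c45c0220e9a"),
    (80, "bd889683916aa93e84e1a75802918acf"), (33, "6806b72978f6bd27aef57899be68b93b"),
    (168, "3eb98cff1c242167df5fdbc6441ce3c5"),
]

DUMP_RE = re.compile(r"/memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
PE64_DEFAULT_IMAGE_BASE = 0x140000000  # linker default ImageBase for 64-bit EXEs (64-bit DLLs default to 0x180000000)


def parse_dump(resource):
    """'behavioral1/memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp' -> record with byte size."""
    m = DUMP_RE.search(resource)
    if not m:
        raise ValueError("unrecognised dump name: " + resource)
    pid, seq, start, end = int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)
    return {"pid": pid, "seq": seq, "start": start, "end": end, "size": end - start}


def regions_by_rule(hits):
    """rule -> {(pid, start): record}; repeated dumps of the same mapping collapse to one."""
    regions = defaultdict(dict)
    for resource, rule in hits:
        rec = parse_dump(resource)
        regions[rule].setdefault((rec["pid"], rec["start"]), rec)
    return regions


def correlate(hits, downloads, sample_kib, rule="dridex_payload"):
    """For each unique region matching `rule`, report its size in KiB, whether it sits at the
    64-bit default image base, whether it equals the sample's size, and which downloaded
    files have exactly that size (heuristic: equality only, see lead-in)."""
    rows = []
    for (pid, start), rec in sorted(regions_by_rule(hits)[rule].items()):
        kib = rec["size"] // 1024
        rows.append({
            "pid": pid,
            "start": hex(start),
            "size_kib": kib,
            "at_default_image_base": start == PE64_DEFAULT_IMAGE_BASE,
            "equals_sample_size": kib == sample_kib,
            "download_md5s": [md5 for size, md5 in downloads if size == kib],
        })
    return rows


if __name__ == "__main__":
    for row in correlate(YARA_HITS, DOWNLOADS, SAMPLE_KIB):
        print(row)
```

Run against this report it yields five unique dridex_payload regions: PIDs 2384 and 1204 at 800KB (the sample's size, with 1204's mapping at the 64-bit default image base), PID 2608 at 808KB matching one download, and PIDs 1036 and 1812 at 804KB each matching the two 804KB downloads; the 1KB, 33KB, 80KB and 168KB files match no payload region, so the page gives no basis for assigning them.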