Analysis

max time kernel: 149s
max time network: 124s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 06-10-2024 19:42
Static task: static1

Behavioral task: behavioral1
Sample: e83967e75410b28a9ce51b667e754b0503df3d3e4861f56a1df8914d611a4c0bN.dll
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: e83967e75410b28a9ce51b667e754b0503df3d3e4861f56a1df8914d611a4c0bN.dll
Resource: win10v2004-20240910-en

The signatures, memory hits and process tree below all belong to behavioral1 (win7-20240903-en); no behavioral2 (Windows 10) results appear on this page.
General

Target: e83967e75410b28a9ce51b667e754b0503df3d3e4861f56a1df8914d611a4c0bN.dll
Size: 1.3MB
MD5: 3caab0352ba2d33f6e283006aa3349a0
SHA1: c88e6d554a0cf2f1f9d05867ff0a7607d683e486
SHA256: e83967e75410b28a9ce51b667e754b0503df3d3e4861f56a1df8914d611a4c0b
SHA512: ba8acba77d747dce3128da81e1b68f8352ba15e7b75beeee9e78922c3240acbc9348b1979b0f5ec819200c0d9ccbfbd3100e1a58fe0f1c524c5d5460d762527a
SSDEEP: 12288:MdMIwS97wJs6tSKDXEabXaC+jhc1S8XXk7CZzHsZH9dq0T:+MIJxSDX3bqjhcfHk7MzH6z
Malware Config
Signatures
YARA rule hits in process memory (behavioral1)

resource                                                                     yara_rule
behavioral1/memory/1200-4-0x00000000024A0000-0x00000000024A1000-memory.dmp   dridex_stager_shellcode
behavioral1/memory/1812-0-0x0000000140000000-0x0000000140158000-memory.dmp   dridex_payload
behavioral1/memory/1200-46-0x0000000140000000-0x0000000140158000-memory.dmp  dridex_payload
behavioral1/memory/1812-51-0x0000000140000000-0x0000000140158000-memory.dmp  dridex_payload
behavioral1/memory/1200-56-0x0000000140000000-0x0000000140158000-memory.dmp  dridex_payload
behavioral1/memory/1200-54-0x0000000140000000-0x0000000140158000-memory.dmp  dridex_payload
behavioral1/memory/2620-72-0x0000000140000000-0x0000000140159000-memory.dmp  dridex_payload
behavioral1/memory/2620-76-0x0000000140000000-0x0000000140159000-memory.dmp  dridex_payload
behavioral1/memory/2244-92-0x0000000140000000-0x0000000140159000-memory.dmp  dridex_payload

Every dridex_payload hit sits at base 0x140000000, the linker's default image base for 64-bit executables, with a size of 0x158000 (1,409,024 bytes) in PIDs 1812 and 1200 and 0x159000 (1,413,120 bytes) in PIDs 2620 and 2244. The same base and size recurring across processes means one image has been mapped into each of them; whether that image is the submitted DLL itself or a payload it carries is not settled by this page. The dridex_stager_shellcode hit is a single 0x1000-byte page in PID 1200, a process that the report never names and that does not appear in the process tree below.
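The pivot described above can be automated. The helper below is an added example, not part of the sandbox report or its vendor's tooling: it parses the memory-hit resource tokens in the form task/memory/<pid>-<seq>-<start>-<end>-memory.dmp followed by the rule name, computes each region's size, and groups hits by (rule, base, size) so that an image mapped into several processes shows up as one key with several PIDs. The nine hits from this page are embedded as constructed input; all function and variable names are mine.

```python
import re
from collections import defaultdict

# Constructed input: the YARA memory-hit tokens from this report, one per line.
REPORT_HITS = """
behavioral1/memory/1200-4-0x00000000024A0000-0x00000000024A1000-memory.dmp dridex_stager_shellcode
behavioral1/memory/1812-0-0x0000000140000000-0x0000000140158000-memory.dmp dridex_payload
behavioral1/memory/1200-46-0x0000000140000000-0x0000000140158000-memory.dmp dridex_payload
behavioral1/memory/1812-51-0x0000000140000000-0x0000000140158000-memory.dmp dridex_payload
behavioral1/memory/1200-56-0x0000000140000000-0x0000000140158000-memory.dmp dridex_payload
behavioral1/memory/1200-54-0x0000000140000000-0x0000000140158000-memory.dmp dridex_payload
behavioral1/memory/2620-72-0x0000000140000000-0x0000000140159000-memory.dmp dridex_payload
behavioral1/memory/2620-76-0x0000000140000000-0x0000000140159000-memory.dmp dridex_payload
behavioral1/memory/2244-92-0x0000000140000000-0x0000000140159000-memory.dmp dridex_payload
"""

# <task>/memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp <rule>
HIT_RE = re.compile(
    r"^(?P<task>\w+)/memory/(?P<pid>\d+)-(?P<seq>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp\s+(?P<rule>\S+)$"
)


def parse_hits(text):
    """Return one dict per hit line; raise on anything that does not match the token format."""
    hits = []
    for line in text.strip().splitlines():
        m = HIT_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised hit line: {line!r}")
        start, end = int(m["start"], 16), int(m["end"], 16)
        hits.append({"task": m["task"], "pid": int(m["pid"]), "seq": int(m["seq"]),
                     "start": start, "size": end - start, "rule": m["rule"]})
    return hits


def regions_by_pid(hits):
    """Map (rule, base, size) -> sorted list of PIDs holding that exact region."""
    groups = defaultdict(set)
    for h in hits:
        groups[(h["rule"], h["start"], h["size"])].add(h["pid"])
    return {key: sorted(pids) for key, pids in groups.items()}


def shared_images(hits, min_pids=2):
    """Regions that recur at the same base and size in at least min_pids processes:
    the signature of one image being mapped into several processes."""
    return {key: pids for key, pids in regions_by_pid(hits).items() if len(pids) >= min_pids}


def summarize(hits):
    """Human-readable one-liners, sorted by rule, base and size."""
    lines = []
    for (rule, start, size), pids in sorted(regions_by_pid(hits).items()):
        lines.append(f"{rule:24s} base=0x{start:X} size=0x{size:X} ({size} bytes) pids={pids}")
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(parse_hits(REPORT_HITS))))
```

On this report the output collapses nine hits into three keys: the stager page in 1200 alone, the 0x158000-byte payload image shared by 1200 and 1812, and the 0x159000-byte image shared by 2244 and 2620. Feeding a second task's hits into the same function (the behavioral2 run, if its tokens were available) would show whether the same bases and sizes recur on Windows 10.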
Executes dropped EXE (3 IoCs)

pid    process
2620   fvenotify.exe
2244   wbengine.exe
584    rstrui.exe
Loads dropped DLL (7 IoCs)

pid    process
1200
2620   fvenotify.exe
1200
2244   wbengine.exe
1200
584    rstrui.exe
1200

PID 1200 has no process name in the report; it accounts for four of the seven loads, one before each dropped copy loads its own DLL and one after the last.
Adds Run key to start application (2 TTPs, 1 IoC)

description       ioc                                                                                                                                                   process
Set value (str)   \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rcoehfpd = "C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Extensions\\K1OYHZ\\wbengine.exe"   (empty in the report)

The persisted path, AppData\Roaming\Mozilla\Extensions\K1OYHZ\wbengine.exe, is not the path that ran during the analysis (AppData\Local\jqW\wbengine.exe in the process tree below), so a hunt keyed only on the executed path misses the copy that survives a reboot. The directory name is chosen to look like browser extension data; the value name Rcoehfpd and the directory names are per-sample, so detection should key on a wbengine.exe (or any System32 binary name) launched from a user-profile path, not on these strings.
Checks whether UAC is enabled

description         ioc                                                                                  process
Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   rundll32.exe
Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   fvenotify.exe
Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   wbengine.exe
Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   rstrui.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)

pid    process         events
1812   rundll32.exe    3
1200   (no name)       60
2620   fvenotify.exe   1
Suspicious use of WriteProcessMemory (18 IoCs)

All 18 writes originate from PID 1200 (no process name recorded); each target received three writes:

source pid   target pid   target process
1200         1996         fvenotify.exe
1200         2620         fvenotify.exe
1200         2872         wbengine.exe
1200         2244         wbengine.exe
1200         2448         rstrui.exe
1200         584          rstrui.exe

Each binary name is written to twice: once in the genuine C:\Windows\system32 instance (PIDs 1996, 2872, 2448) and once in the copy launched from AppData\Local (PIDs 2620, 2244, 584); see the process tree below. Writes by an unnamed process into six freshly started processes is the behaviour to alert on, independent of the binary names involved.
Uses Task Scheduler COM API (1 TTP)

The Task Scheduler COM API can be used to schedule applications to run on boot or at set times. No task name, trigger or action is recorded on this page, so the Run key above is the only persistence artefact with a concrete path; when hunting, enumerate scheduled tasks whose action points into a user-profile directory as well.
Processes

C:\Windows\system32\rundll32.exe (PID 1812)
command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e83967e75410b28a9ce51b667e754b0503df3d3e4861f56a1df8914d611a4c0bN.dll,#1
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses

C:\Windows\system32\fvenotify.exe (PID 1996)
command line: C:\Windows\system32\fvenotify.exe

C:\Users\Admin\AppData\Local\j0lPMK\fvenotify.exe (PID 2620)
command line: C:\Users\Admin\AppData\Local\j0lPMK\fvenotify.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses

C:\Windows\system32\wbengine.exe (PID 2872)
command line: C:\Windows\system32\wbengine.exe

C:\Users\Admin\AppData\Local\jqW\wbengine.exe (PID 2244)
command line: C:\Users\Admin\AppData\Local\jqW\wbengine.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled

C:\Windows\system32\rstrui.exe (PID 2448)
command line: C:\Windows\system32\rstrui.exe

C:\Users\Admin\AppData\Local\pzF\rstrui.exe (PID 584)
command line: C:\Users\Admin\AppData\Local\pzF\rstrui.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled

All seven processes are shown at depth 1 (the "1⤵" marker in the original), so none is recorded as a child of another listed process. PID 1200, which holds the stager shellcode and payload hits, writes into every process here except rundll32.exe and loads the dropped DLLs, yet it is absent from the tree and the report never names it. Each of the three AppData\Local copies carries the name of a genuine Windows binary and, per the signatures, loads a dropped DLL: this is the DLL search-order-hijack (side-loading) pattern, in which a legitimate signed executable is copied into an attacker-controlled directory next to a DLL bearing the name of one of its imports, so the executable resolves that import from its own directory first. The randomised directory names (j0lPMK, jqW, pzF) are per-sample; the durable indicator is a System32 file name executing from under C:\Users.
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 117KB
MD5: e61d644998e07c02f0999388808ac109
SHA1: 183130ad81ff4c7997582a484e759bf7769592d6
SHA256: 15a85cd6fbcb1ec57d78f986d6dd8908bd56231ce0cf65775075512303f7e5fa
SHA512: 310141b73394ae12a35f8d4f0c097868ee8a8045a62dd402a5dfbe2151980dd4fe18409ae3ca9422e3b88b2fa9afb04c1acbf8ec23a937a0a242b32a9a1e9272

Filesize: 1.3MB
MD5: 9956c4ba7ca067b01fb05aa9f48dcb6a
SHA1: 3a94097eba8ec755b6031bf5ff0bd7847dfe6e4a
SHA256: bd10e938d690de25b1e0b6fe8dddd26c0d6f1e516feabeaf2cb353b89c4aa8a1
SHA512: 194e7a309957bc97fecb9bf08089abf7356f2250611bc365e922d9994ace219ef829e4aabd7754dc669791266d8f056b86e5cb42c520b9395d871ced51335a61

Filesize: 1.3MB
MD5: 461ac60485d40d5e261f5851c13f4971
SHA1: f475e822244f06258f687122b9308559feb758ce
SHA256: ca166a13ea65723e78ec9ccc2700772446a8d5c3af1ac9dbd963a3d75840fa06
SHA512: 09e60d6a0238bdd457dbf0345e2d881947afa4d2e206fb417d1b90c67d78503f883229358380553c7c1bfa2abac513212948582949f222872f663374b98c1c66

Filesize: 1.3MB
MD5: 8556aa917d0cebba4c1f48edffd9deac
SHA1: e3c14e90ab375ada5ce4a95055c5bef015a43851
SHA256: c4dc3d4cb8412e4b84d474f8a420f2c10559c60264c189e90478db5822ad7515
SHA512: 0382fdb741828e5983235e85baaca907669f7faa70a5979f88e29bae3fb59f4bb930fe1ce45cef8824ddc2d34972cb0b1fb7104c8b6413a0f1a1b87411a8aa9f

Filesize: 1KB
MD5: 63b35326f082761c97557b1e545a5a80
SHA1: 0cd5404dc3e8be5d701b71774f301469080dc14b
SHA256: 18995aed960f24546535f153c5911339c52219cc7c4ef60e992d70143dfd91c1
SHA512: bfb246c1279bf3cc1e19b1d778d011730bcc6932f66182ad2ea84d4b928ada49dc3c159f71e50ff0f2902a0ea09bd8dccafce04990dc7d5ddfdc2b5c4f14de02

Filesize: 1.4MB
MD5: 78f4e7f5c56cb9716238eb57da4b6a75
SHA1: 98b0b9db6ec5961dbb274eff433a8bc21f7e557b
SHA256: 46a4e78ce5f2a4b26f4e9c3ff04a99d9b727a82ac2e390a82a1611c3f6e0c9af
SHA512: 1a24ea71624dbbca188ee3b4812e09bc42e7d38ceac02b69940d7693475c792685a23141c8faa85a87ab6aace3f951c1a81facb610d757ac6df37cf2aa65ccd2

Filesize: 290KB
MD5: 3db5a1eace7f3049ecc49fa64461e254
SHA1: 7dc64e4f75741b93804cbae365e10dc70592c6a9
SHA256: ba8387d4543b8b11e2202919b9608ee614753fe77f967aad9906702841658b49
SHA512: ea81e3233e382f1cf2938785c9ded7c8fbbf11a6a6f5cf4323e3211ae66dad4a2c597cb589ff11f9eae79516043aba77d4b24bfa6eb0aa045d405aabdea4a025

None of the seven files listed here shares a hash with the submitted sample (MD5 3caab0352ba2d33f6e283006aa3349a0), so the three 1.3 MB files and the 1.4 MB file are not byte-identical copies of the original DLL and a hash-only hunt for the submitted sample would not find them on disk. File names and paths are not given for these entries on this page.