Analysis
max time kernel: 149s
max time network: 120s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 14-10-2024 17:19

Static task: static1
Behavioral task: behavioral1
Sample: af901d0533a3adcfec12e7844859f70bd22dffc6e83c54fd48cf13cdabc77600.dll
Resource: win7-20240903-en
General
Target: af901d0533a3adcfec12e7844859f70bd22dffc6e83c54fd48cf13cdabc77600.dll
Size: 904KB
MD5: 40d159e05ca3922e4c803ccf5614a085
SHA1: 577e7196c8d2a022a49cc0381f9dea716c577be4
SHA256: af901d0533a3adcfec12e7844859f70bd22dffc6e83c54fd48cf13cdabc77600
SHA512: 6be1af6877eea2b53ecfdd32596ba9b8465b3885537cb7847a9795b2f92effdf8fafeb654113bceca62c83045fe9c717a2543ee215543b517c85d420745fa67f
SSDEEP: 12288:SqJ4FzHTx8cOjEIonNgQLtXKFg2t/KRi4Baed:SqGBHTxvt+g2gYed
Malware Config
Signatures

yara rule dridex_stager_shellcode (1 memory resource)
  behavioral1/memory/1148-4-0x00000000021D0000-0x00000000021D1000-memory.dmp

yara rule dridex_payload (9 memory resources)
  behavioral1/memory/2692-0-0x0000000140000000-0x00000001400E2000-memory.dmp
  behavioral1/memory/1148-24-0x0000000140000000-0x00000001400E2000-memory.dmp
  behavioral1/memory/1148-35-0x0000000140000000-0x00000001400E2000-memory.dmp
  behavioral1/memory/1148-36-0x0000000140000000-0x00000001400E2000-memory.dmp
  behavioral1/memory/2692-44-0x0000000140000000-0x00000001400E2000-memory.dmp
  behavioral1/memory/560-53-0x0000000140000000-0x00000001400E3000-memory.dmp
  behavioral1/memory/560-58-0x0000000140000000-0x00000001400E3000-memory.dmp
  behavioral1/memory/2140-75-0x0000000140000000-0x00000001400E3000-memory.dmp
  behavioral1/memory/2940-91-0x0000000140000000-0x00000001400E3000-memory.dmp
  Size check: the 0xE2000-byte mapping (925,696 bytes = 904KB, the size of the submitted DLL) sits at 0x140000000 in rundll32.exe (2692) and in PID 1148; the 0xE3000-byte mapping (929,792 bytes = 908KB, the size of three files in the Downloads section) sits at the same base in the three processes started from the dropped copies (560, 2140, 2940).

Executes dropped EXE (3 IoCs)
  pid   process
  560   AdapterTroubleshooter.exe
  2140  javaws.exe
  2940  PresentationSettings.exe

Loads dropped DLL (7 IoCs)
  pid   process
  1148  Process not Found (4 entries)
  560   AdapterTroubleshooter.exe
  2140  javaws.exe
  2940  PresentationSettings.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) by Process not Found:
  \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Auwqk = "C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\0JB7UNX6x\javaws.exe"

Checks whether UAC is enabled (4 IoCs)
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  by javaws.exe, PresentationSettings.exe, rundll32.exe and AdapterTroubleshooter.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   process
  2692  rundll32.exe (3 entries)
  1148  Process not Found (all remaining entries)
  560   AdapterTroubleshooter.exe (2 entries)

Suspicious use of WriteProcessMemory (18 IoCs)
  PID 1148 (Process not Found) wrote to the memory of each of the six targets below three times:
  target pid  procid_target
  1048        31
  560         32
  2228        33
  2140        34
  2728        35
  2940        36

Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API (Schedule.Service / ITaskService) can be used to schedule applications to run at boot or at set times. No specific task is recorded as an IoC in this report.
Processes (every entry is at tree depth 1)

C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\af901d0533a3adcfec12e7844859f70bd22dffc6e83c54fd48cf13cdabc77600.dll,#1
  PID: 2692
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses

C:\Windows\system32\AdapterTroubleshooter.exe
  command line: C:\Windows\system32\AdapterTroubleshooter.exe
  PID: 1048

C:\Users\Admin\AppData\Local\bZ9ygYdc\AdapterTroubleshooter.exe
  command line: C:\Users\Admin\AppData\Local\bZ9ygYdc\AdapterTroubleshooter.exe
  PID: 560
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses

C:\Windows\system32\javaws.exe
  command line: C:\Windows\system32\javaws.exe
  PID: 2228

C:\Users\Admin\AppData\Local\LMR6FF\javaws.exe
  command line: C:\Users\Admin\AppData\Local\LMR6FF\javaws.exe
  PID: 2140
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled

C:\Windows\system32\PresentationSettings.exe
  command line: C:\Windows\system32\PresentationSettings.exe
  PID: 2728

C:\Users\Admin\AppData\Local\RTroj\PresentationSettings.exe
  command line: C:\Users\Admin\AppData\Local\RTroj\PresentationSettings.exe
  PID: 2940
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
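The process tree above shows each of AdapterTroubleshooter.exe, javaws.exe and PresentationSettings.exe started twice: once from C:\Windows\system32 (PIDs 1048, 2228, 2728, with no signatures) and once from a randomly named directory under C:\Users\Admin\AppData\Local (PIDs 560, 2140, 2940), where the copy loads a dropped DLL; PID 1148 writes into all six, and the Run value points at a further copy of javaws.exe under AppData\Roaming. The PowerShell below is an added hunt script for that pattern on a live host and is not part of the sandbox report. It checks the Run/RunOnce keys of HKLM and every loaded user hive, enumerates scheduled tasks through the Schedule.Service COM API named by the Task Scheduler TTP, and searches AppData for executables that carry a system-binary name, listing any DLLs beside them as side-load candidates. The three-name watchlist comes from this report; the profile-path pattern, the comparison against the local System32 directory and the output layout are this example's own assumptions.

```powershell
# Added hunt script for the pattern in the report above; not the report's or the sandbox's own code.
# Assumptions: "user profile" means any path under C:\Users\<user>\AppData\, and a suspicious
# binary is one whose name exists in System32 (or is on the watchlist taken from this report)
# but whose location is such a profile path. Run elevated.

$profilePathPattern = '(?i)^[a-z]:\\Users\\[^\\]+\\AppData\\'

# Names seen in this report plus every .exe shipped in System32 on this host.
$watchlist = @('adaptertroubleshooter.exe', 'javaws.exe', 'presentationsettings.exe')
$systemNames = @{}
Get-ChildItem -Path "$env:SystemRoot\System32" -Filter '*.exe' -ErrorAction SilentlyContinue |
    ForEach-Object { $systemNames[$_.Name.ToLower()] = $true }
foreach ($n in $watchlist) { $systemNames[$n] = $true }

function Get-ExePath {
    # First token of a command line: the quoted path, or the first whitespace-delimited word.
    param([string]$CommandLine)
    if (-not $CommandLine) { return $null }
    $c = $CommandLine.Trim()
    if ($c.StartsWith('"')) {
        $end = $c.IndexOf('"', 1)
        if ($end -gt 1) { return $c.Substring(1, $end - 1) }
    }
    return ($c -split '\s+')[0]
}

function Test-MasqueradingPath {
    # True when the file name matches a system binary but the directory is a profile path.
    param([string]$Path)
    if (-not $Path) { return $false }
    $name = ($Path -split '[\\/]')[-1].ToLower()
    return ($Path -match $profilePathPattern) -and $systemNames.ContainsKey($name)
}

function New-Finding {
    # Record a hit together with the DLLs next to it (side-load candidates).
    param([string]$Source, [string]$Target)
    $dir  = Split-Path -Parent $Target
    $dlls = Get-ChildItem -Path $dir -Filter '*.dll' -ErrorAction SilentlyContinue |
        ForEach-Object { '{0} ({1} bytes)' -f $_.Name, $_.Length }
    New-Object PSObject -Property @{ Source = $Source; Target = $Target; SiblingDlls = ($dlls -join ', ') }
}

$findings = @()
$ignore = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')  # provider metadata, not values

# 1. Run / RunOnce for HKLM and every loaded user hive. The report's key lives under HKU\<SID>,
#    which HKCU only covers for the account running this script.
$hives = @('Registry::HKEY_LOCAL_MACHINE')
$hives += @(Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -match '^S-1-5-21-' -and $_.PSChildName -notmatch '_Classes$' } |
    ForEach-Object { "Registry::HKEY_USERS\$($_.PSChildName)" })
foreach ($hive in $hives) {
    foreach ($sub in 'Run', 'RunOnce') {
        $key = "$hive\Software\Microsoft\Windows\CurrentVersion\$sub"
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($ignore -contains $p.Name) { continue }
            $exe = Get-ExePath ([string]$p.Value)
            if (Test-MasqueradingPath $exe) { $findings += New-Finding "$key\$($p.Name)" $exe }
        }
    }
}

# 2. Scheduled tasks via the Task Scheduler COM API (Schedule.Service), hidden tasks included.
function Get-TasksRecursive($folder) {
    foreach ($t in $folder.GetTasks(1)) { $t }                 # 1 = TASK_ENUM_HIDDEN
    foreach ($child in $folder.GetFolders(0)) { Get-TasksRecursive $child }
}
$svc = New-Object -ComObject 'Schedule.Service'
$svc.Connect()
foreach ($task in Get-TasksRecursive $svc.GetFolder('\')) {
    foreach ($action in $task.Definition.Actions) {
        if ($action.Type -ne 0) { continue }                   # 0 = TASK_ACTION_EXEC
        foreach ($candidate in @($action.Path, (Get-ExePath $action.Arguments))) {
            if (Test-MasqueradingPath $candidate) { $findings += New-Finding "Task $($task.Path)" $candidate }
        }
    }
}

# 3. On disk: system-binary names anywhere under any user's AppData.
foreach ($f in Get-ChildItem -Path 'C:\Users\*\AppData' -Recurse -Filter '*.exe' -Force -ErrorAction SilentlyContinue) {
    if (Test-MasqueradingPath $f.FullName) { $findings += New-Finding 'Filesystem' $f.FullName }
}

$findings | Select-Object Source, Target, SiblingDlls | Format-Table -AutoSize -Wrap
```

The System32 comparison is deliberately broad: a hit means only that a binary with a system name is running or persisted from a profile directory, which is the behaviour this report documents, so confirm each finding by hashing the executable and its sibling DLLs against the Downloads section before acting on it.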
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 908KB
MD5: 3abf555be36b09638e0918fbadbf2a57
SHA1: 3443001abcb15a9ea3be792864ee1a82c02e070b
SHA256: 7743dcc66986f6f4962b8aeb734926fdb4599c57783d6a1d98578cc8d05fdde2
SHA512: 40f1bbd8cd1846fd66d737cd481ea8b4340a7e2213d368bfd1ba0351c8123364722ffa00689bab9fa3f6b9714aac84f3b5036486ce134ac056018c6cd689d8b3

Filesize: 39KB
MD5: d4170c9ff5b2f85b0ce0246033d26919
SHA1: a76118e8775e16237cf00f2fb79718be0dc84db1
SHA256: d05e010a2570cdd5a67f62c99483aeeecb6a8d5ecc523cd49b158a460c9be5da
SHA512: 9c85a9ea4002bd55cf9c51e470dd1bec527ff04b5d0d6f83094a998c541416cd47c9f42c6ca7e35ffa2842877f79e3c2e989489b9bf81644c5c57bb406b89608

Filesize: 908KB
MD5: 21f79901576f3a371dddb1e22a6b1d79
SHA1: 3a8dc164e2e391a7a1a3e8150d041676d12d4fad
SHA256: 845c254ba14b85d64fa2c30b7e29a947b7750aad5105df363a391130db2ac919
SHA512: 3aa5b6d142ee89c02ae8406a29b3d5933f2f93158a7245e96e933d17fd3f8d76ee153ae20db6c51b4934d44bb41bf3a441dfe93ef99bdc921e2b66c5c5de78e2

Filesize: 1KB
MD5: 48dc2d115e043991ba9b82067d58b169
SHA1: 4ef0b90f2928fab2555d43b9d9276fe7470f11a1
SHA256: 72fa679c17aa95b449e990b589c22d822ec891d89ec0cfa7c3ca9a0fe1f1804b
SHA512: 7e0217afc7a242686fcd3bed0c1d85b133c60fab29bacc9783d8545dc19b8eecc0689252e32da7a5a3078f6f5b0dc12ff5bc57aad9d11c313d918a44dcd1805c

Filesize: 908KB
MD5: 14dc8530fbeb3750d7197f45c5eab1f4
SHA1: e7891b4f31c8b9934558622745bd5e8682019ac9
SHA256: 20d05c294726f807acc6ac78f9276519cb0fb6376e99b0dd34f4f4ed3d1b5502
SHA512: e3d5962dd4eb427acb398c3e7ad8120de7a31b397b0b06554aba474067eb18097e81de89e6871ee0989ecf1568aad7dc306749448eaaf3c976873aab006f7681

Filesize: 312KB
MD5: f94bc1a70c942621c4279236df284e04
SHA1: 8f46d89c7db415a7f48ccd638963028f63df4e4f
SHA256: be9f8986a6c86d9f77978105d48b59eebfec3b9732dbf19e0f3d48bf7f20120c
SHA512: 60edf20ca3cae9802263446af266568d0b5e0692eddcfcfc3b2f9a39327b3184613ca994460b919d17a6edc5936b4da16d9033f5138bcfd9bc0f09d88c8dcd52

Filesize: 172KB
MD5: a6f8d318f6041334889481b472000081
SHA1: b8cf08ec17b30c8811f2514246fcdff62731dd58
SHA256: 208b94fd66a6ce266c3195f87029a41a0622fff47f2a5112552cb087adbb1258
SHA512: 60f70fa8a19e6ea6f08f4907dd7fede3665ad3f2e013d49f6649442ea5871a967b9a53ec4d3328a06cb83b69be1b7af1bb14bf122b568bd1f8432ee1d0bfee69