Analysis
- max time kernel: 149s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 18-10-2024 07:22
Static task: static1
Behavioral task: behavioral1
Sample: 21351817e1f2f115e543f9034572210fe04fbea47a16922f3957c805671dc25f.dll
Resource: win7-20240903-en
General
- Target: 21351817e1f2f115e543f9034572210fe04fbea47a16922f3957c805671dc25f.dll
- Size: 1.2MB
- MD5: 2a6a4941d8146df58356dd5c72b0478a
- SHA1: c6f28c746bddcc4e68512911bc99afe0d8f2d3d9
- SHA256: 21351817e1f2f115e543f9034572210fe04fbea47a16922f3957c805671dc25f
- SHA512: 5d36fd395ea33e9a838fca4b5b0a7eabe893fb6e51f39e2aae59ad60c763e6b5bf83e2cedbe9095b74bff682ee300f13c777254e81e4ef724699167f1f5094f9
- SSDEEP: 6144:k34xznfAp4x+NWMqW/KZ1vCDTEpc2bysCZR6iwAtUnWKT5WK8Rpv1llfFfCRAuTP:kIKp/UWCZdCDh2IZDwAFRpR6Au+
Malware Config
Signatures
Yara rule dridex_stager_shellcode matched 1 memory region
Processes (resource -> yara_rule):
- behavioral1/memory/1156-4-0x0000000002E20000-0x0000000002E21000-memory.dmp -> dridex_stager_shellcode
Yara rule dridex_payload matched 10 memory regions
Processes (resource -> yara_rule):
- behavioral1/memory/2384-0-0x000007FEF6840000-0x000007FEF6973000-memory.dmp -> dridex_payload
- behavioral1/memory/1156-18-0x0000000140000000-0x0000000140133000-memory.dmp -> dridex_payload
- behavioral1/memory/1156-26-0x0000000140000000-0x0000000140133000-memory.dmp -> dridex_payload
- behavioral1/memory/1156-38-0x0000000140000000-0x0000000140133000-memory.dmp -> dridex_payload
- behavioral1/memory/1156-37-0x0000000140000000-0x0000000140133000-memory.dmp -> dridex_payload
- behavioral1/memory/2384-46-0x000007FEF6840000-0x000007FEF6973000-memory.dmp -> dridex_payload
- behavioral1/memory/2664-56-0x000007FEF6840000-0x000007FEF6974000-memory.dmp -> dridex_payload
- behavioral1/memory/2664-60-0x000007FEF6840000-0x000007FEF6974000-memory.dmp -> dridex_payload
- behavioral1/memory/2924-76-0x000007FEF6840000-0x000007FEF6974000-memory.dmp -> dridex_payload
- behavioral1/memory/2428-92-0x000007FEF6840000-0x000007FEF6974000-memory.dmp -> dridex_payload
Executes dropped EXE 3 IoCs
Processes (pid, process):
- 2664 msdtc.exe
- 2924 SystemPropertiesComputerName.exe
- 2428 p2phost.exe
Loads dropped DLL 7 IoCs
Processes (pid, process):
- 1156 (no process name recorded; listed four times)
- 2664 msdtc.exe
- 2924 SystemPropertiesComputerName.exe
- 2428 p2phost.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes (description, ioc, process):
- Set value (str): \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rtunysabu = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-4177215427-74451935-3209572229-1000\\d1\\SystemPropertiesComputerName.exe"
Checks whether UAC is enabled
Processes (description, ioc, process):
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA by p2phost.exe
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA by rundll32.exe
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA by msdtc.exe
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA by SystemPropertiesComputerName.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (pid, process):
- 2384 rundll32.exe (listed three times)
- 1156 (no process name recorded; listed repeatedly for the remaining IoCs)
Suspicious use of WriteProcessMemory 18 IoCs
Processes (description, pid, target process; each entry is recorded three times):
- PID 1156 wrote to memory of 2204, target msdtc.exe
- PID 1156 wrote to memory of 2664, target msdtc.exe
- PID 1156 wrote to memory of 2620, target SystemPropertiesComputerName.exe
- PID 1156 wrote to memory of 2924, target SystemPropertiesComputerName.exe
- PID 1156 wrote to memory of 2368, target p2phost.exe
- PID 1156 wrote to memory of 2428, target p2phost.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\21351817e1f2f115e543f9034572210fe04fbea47a16922f3957c805671dc25f.dll,#1
  PID: 2384
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\msdtc.exe
  Command line: C:\Windows\system32\msdtc.exe
  PID: 2204
- C:\Users\Admin\AppData\Local\PpEiWdTy\msdtc.exe
  Command line: C:\Users\Admin\AppData\Local\PpEiWdTy\msdtc.exe
  PID: 2664
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\SystemPropertiesComputerName.exe
  Command line: C:\Windows\system32\SystemPropertiesComputerName.exe
  PID: 2620
- C:\Users\Admin\AppData\Local\ITNBW\SystemPropertiesComputerName.exe
  Command line: C:\Users\Admin\AppData\Local\ITNBW\SystemPropertiesComputerName.exe
  PID: 2924
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\p2phost.exe
  Command line: C:\Windows\system32\p2phost.exe
  PID: 2368
- C:\Users\Admin\AppData\Local\ZwG\p2phost.exe
  Command line: C:\Users\Admin\AppData\Local\ZwG\p2phost.exe
  PID: 2428
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
Network
MITRE ATT&CK Enterprise v15
Downloads