Analysis
max time kernel: 150s
max time network: 128s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 22-10-2024 16:15
Static task: static1
Behavioral task: behavioral1
Sample: 6603627b822e6cddf2cb9cd264d26ebc46790f4ca90c6806e06a4b3c1be6a14d.dll
Resource: win7-20241010-en
General
Target: 6603627b822e6cddf2cb9cd264d26ebc46790f4ca90c6806e06a4b3c1be6a14d.dll
Size: 688KB
MD5: 551c56a5dd44632dba1058d26deb2fce
SHA1: f160c54abfeb843c44d85abd9d7eb88519d1c104
SHA256: 6603627b822e6cddf2cb9cd264d26ebc46790f4ca90c6806e06a4b3c1be6a14d
SHA512: c72c753caf8cd7f1c9be2cd4776be3175704acbdecb0494cd9734d84fab04f12a1d419954ac1ba985b03ba863a7a946c94b5bfe572eef8c4134e0221f3499160
SSDEEP: 12288:bfndx6M581WsGRouyjzC6gn5l0H1Tak8jnGg/xeq7gz3xfsPEb4sk:zdAE81W381Wk8jnYz3dsPEb4s
Malware Config
Signatures
resource  yara_rule
behavioral1/memory/1256-4-0x00000000029C0000-0x00000000029C1000-memory.dmp  dridex_stager_shellcode
resource  yara_rule
behavioral1/memory/844-0-0x0000000140000000-0x00000001400AC000-memory.dmp  dridex_payload
behavioral1/memory/1256-23-0x0000000140000000-0x00000001400AC000-memory.dmp  dridex_payload
behavioral1/memory/1256-34-0x0000000140000000-0x00000001400AC000-memory.dmp  dridex_payload
behavioral1/memory/1256-35-0x0000000140000000-0x00000001400AC000-memory.dmp  dridex_payload
behavioral1/memory/844-43-0x0000000140000000-0x00000001400AC000-memory.dmp  dridex_payload
behavioral1/memory/1620-54-0x0000000140000000-0x00000001400AE000-memory.dmp  dridex_payload
behavioral1/memory/1620-56-0x0000000140000000-0x00000001400AE000-memory.dmp  dridex_payload
behavioral1/memory/2988-82-0x0000000140000000-0x00000001400AD000-memory.dmp  dridex_payload
behavioral1/memory/2988-86-0x0000000140000000-0x00000001400AD000-memory.dmp  dridex_payload
behavioral1/memory/1992-102-0x0000000140000000-0x00000001400AD000-memory.dmp  dridex_payload
Executes dropped EXE 3 IoCs
pid   Process
1620  xpsrchvw.exe
2988  wusa.exe
1992  calc.exe
Loads dropped DLL 7 IoCs
pid   Process
1256  Process not Found
1620  xpsrchvw.exe
1256  Process not Found
2988  wusa.exe
1256  Process not Found
1992  calc.exe
1256  Process not Found
Adds Run key to start application 2 TTPs 1 IoCs
description      ioc                                                                                                                                      Process
Set value (str)  \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Kgvptlq = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\QUICKL~1\\USERPI~1\\VfZUz\\wusa.exe"  Process not Found
Checks whether UAC is enabled 4 IoCs
description        ioc                                                                                 Process
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  xpsrchvw.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  wusa.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  calc.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid   Process            entries
844   rundll32.exe       3
1256  Process not Found  61
Suspicious use of WriteProcessMemory 18 IoCs
description                        pid   Process            procid_target  entries
PID 1256 wrote to memory of 2612   1256  Process not Found  30             3
PID 1256 wrote to memory of 1620   1256  Process not Found  31             3
PID 1256 wrote to memory of 3008   1256  Process not Found  32             3
PID 1256 wrote to memory of 2988   1256  Process not Found  33             3
PID 1256 wrote to memory of 1776   1256  Process not Found  34             3
PID 1256 wrote to memory of 1992   1256  Process not Found  35             3
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\6603627b822e6cddf2cb9cd264d26ebc46790f4ca90c6806e06a4b3c1be6a14d.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID: 844
C:\Windows\system32\xpsrchvw.exe
  C:\Windows\system32\xpsrchvw.exe
  PID: 2612
C:\Users\Admin\AppData\Local\j6uX\xpsrchvw.exe
  C:\Users\Admin\AppData\Local\j6uX\xpsrchvw.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 1620
C:\Windows\system32\wusa.exe
  C:\Windows\system32\wusa.exe
  PID: 3008
C:\Users\Admin\AppData\Local\k8o\wusa.exe
  C:\Users\Admin\AppData\Local\k8o\wusa.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 2988
C:\Windows\system32\calc.exe
  C:\Windows\system32\calc.exe
  PID: 1776
C:\Users\Admin\AppData\Local\J6B3YQ\calc.exe
  C:\Users\Admin\AppData\Local\J6B3YQ\calc.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 1992
Network
MITRE ATT&CK Enterprise v15
Downloads