Analysis
- max time kernel: 150s
- max time network: 19s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 14-11-2024 16:57
Static task: static1
Behavioral task: behavioral1
Sample: c749a6d6524352a22d0f2233ce60383865b387a689d3630e2f574249dda35a5d.dll
Resource: win7-20241010-en
General
- Target: c749a6d6524352a22d0f2233ce60383865b387a689d3630e2f574249dda35a5d.dll
- Size: 676KB
- MD5: c28e410fb7df7dca23a4c47feace68e7
- SHA1: 98cce2e4073e23dbdb4af2535566b5cc8e889158
- SHA256: c749a6d6524352a22d0f2233ce60383865b387a689d3630e2f574249dda35a5d
- SHA512: 0c73a663199187ef8a587c62ec5082ad843cefb9160cdb2ab4dd5bbeba0e0ee951da8cc5897b903510fc2efde3fd9743a03e5580c9b6a5efab76e8b60c455eae
- SSDEEP: 6144:z34xznfAp4x+NWMqW/KZ1vCDTEpc2bysCZR6iwAtUnWKT5WK8Rpv1llfFfCRAuTF:zIKp/UWCZdCDh2IZDwAFRpR6Au
Malware Config
Signatures
- Dridex family
  resource | yara_rule
  behavioral1/memory/1280-4-0x0000000003A80000-0x0000000003A81000-memory.dmp | dridex_stager_shellcode
  behavioral1/memory/2476-2-0x000007FEF7170000-0x000007FEF7219000-memory.dmp | dridex_payload
  behavioral1/memory/1280-18-0x0000000140000000-0x00000001400A9000-memory.dmp | dridex_payload
  behavioral1/memory/1280-26-0x0000000140000000-0x00000001400A9000-memory.dmp | dridex_payload
  behavioral1/memory/1280-37-0x0000000140000000-0x00000001400A9000-memory.dmp | dridex_payload
  behavioral1/memory/2476-41-0x000007FEF7170000-0x000007FEF7219000-memory.dmp | dridex_payload
  behavioral1/memory/1280-38-0x0000000140000000-0x00000001400A9000-memory.dmp | dridex_payload
  behavioral1/memory/2704-56-0x000007FEF7220000-0x000007FEF72CA000-memory.dmp | dridex_payload
  behavioral1/memory/2704-60-0x000007FEF7220000-0x000007FEF72CA000-memory.dmp | dridex_payload
  behavioral1/memory/2168-74-0x000007FEF70F0000-0x000007FEF719B000-memory.dmp | dridex_payload
  behavioral1/memory/2168-79-0x000007FEF70F0000-0x000007FEF719B000-memory.dmp | dridex_payload
  behavioral1/memory/2392-91-0x000007FEF70F0000-0x000007FEF719A000-memory.dmp | dridex_payload
  behavioral1/memory/2392-95-0x000007FEF70F0000-0x000007FEF719A000-memory.dmp | dridex_payload
- Executes dropped EXE (3 IoCs)
  pid | Process
  2704 | DWWIN.EXE
  2168 | dialer.exe
  2392 | MpSigStub.exe
- Loads dropped DLL (7 IoCs)
  pid | Process
  1280 | Process not Found
  2704 | DWWIN.EXE
  1280 | Process not Found
  2168 | dialer.exe
  1280 | Process not Found
  2392 | MpSigStub.exe
  1280 | Process not Found
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Kgvptlq = "C:\\Users\\Admin\\AppData\\Roaming\\Macromedia\\uiN0dwR\\dialer.exe" | Process not Found
- Checks whether UAC is enabled
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | dialer.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | MpSigStub.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | DWWIN.EXE
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process | occurrences
  2476 | rundll32.exe | 3
  1280 | Process not Found | 61
- Suspicious use of WriteProcessMemory (18 IoCs)
  description | pid | Process | procid_target
  PID 1280 wrote to memory of 2152 (3 times) | 1280 | Process not Found | 30
  PID 1280 wrote to memory of 2704 (3 times) | 1280 | Process not Found | 31
  PID 1280 wrote to memory of 2616 (3 times) | 1280 | Process not Found | 32
  PID 1280 wrote to memory of 2168 (3 times) | 1280 | Process not Found | 33
  PID 1280 wrote to memory of 1988 (3 times) | 1280 | Process not Found | 34
  PID 1280 wrote to memory of 2392 (3 times) | 1280 | Process not Found | 35
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\c749a6d6524352a22d0f2233ce60383865b387a689d3630e2f574249dda35a5d.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID: 2476
- C:\Windows\system32\DWWIN.EXE
  Command line: C:\Windows\system32\DWWIN.EXE
  PID: 2152
- C:\Users\Admin\AppData\Local\eHMvk5OO\DWWIN.EXE
  Command line: C:\Users\Admin\AppData\Local\eHMvk5OO\DWWIN.EXE
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 2704
- C:\Windows\system32\dialer.exe
  Command line: C:\Windows\system32\dialer.exe
  PID: 2616
- C:\Users\Admin\AppData\Local\tKv4Z9nVw\dialer.exe
  Command line: C:\Users\Admin\AppData\Local\tKv4Z9nVw\dialer.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 2168
- C:\Windows\system32\MpSigStub.exe
  Command line: C:\Windows\system32\MpSigStub.exe
  PID: 1988
- C:\Users\Admin\AppData\Local\w0l\MpSigStub.exe
  Command line: C:\Users\Admin\AppData\Local\w0l\MpSigStub.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 2392
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 680KB
  MD5: 0d81f9ed1ebf2e46de6df40e844ccdc7
  SHA1: 3489710e643ca7f01eabcea8d9ff9fca6a1b1151
  SHA256: c97d0aa296c165ae54acb49656bdf0463eabeb8964b7ac47bcc6238dd6af0c83
  SHA512: 056f0d907fa8a4950bdcedc6e309645f95c956d4a3599bfdcccb2587ec821d5929650d8315bb2fd1fa4a622fb8a8c1e82c5d63a4ef98bf31763135987f61505c
- Filesize: 684KB
  MD5: ad2e13c0fbe94108ed0d4fbf9b20a2b6
  SHA1: 8d37582b0ed42ce366f3c9d464ac63a6852569e1
  SHA256: 665e46fd8d060d72db0ec89a86f234834d70e87e741c05f0374544379fb63a0b
  SHA512: 1549653c74ad972147d6954825a601126c5835f17e5b57c0a0664453273a4ae14623e05f57a8561f56ad5dac8c43a1ae38f5fa9ef7038f74de5336a7b1bbdfc9
- Filesize: 34KB
  MD5: 46523e17ee0f6837746924eda7e9bac9
  SHA1: d6b2a9cc6bd3588fa9804ada5197afda6a9e034b
  SHA256: 23d8a6a1d847a324c556c30e10c8f63c2004aeb42ac3f5a5ca362077f1517382
  SHA512: c7117c3778650864e685bd89df599d7cdd9319d757344ddc7cfd9403d6673964127f6ff0c5ac48455fd3097af31a6ff09173f85dfa7be2d25f395cdf3692bb9a
- Filesize: 264KB
  MD5: 2e6bd16aa62e5e95c7b256b10d637f8f
  SHA1: 350be084477b1fe581af83ca79eb58d4defe260f
  SHA256: d795968b8067bb610033fa4a5b21eb2f96cef61513aba62912b8eb5c6a5ff7b3
  SHA512: 1f37150f6bcbe0df54bb85a5ad585824cea9332baa9be1649a95c1dfb41723de85c09d98fb2ca8261a49c2184d3bda638b84b2b7b60b97fe42a15ab1620a2542
- Filesize: 1KB
  MD5: 5aba89ed3e8bf2ce58f1d3d5f7fa01af
  SHA1: 58a528ee2ed0a558261b7643590279341476ed65
  SHA256: 80b5c7b2ca58ba2c39e8c7f7f576448320417e1fb428be31eb2090594a147696
  SHA512: 874d180e9f62d5daba76142b9c8178dd1f8ebe78118665529c46c8308b0e90d5e95dcbde8ab0298ad4d4b82861eeb385f2cb0e76dd51deb979a2a5077b8abf5a
- Filesize: 149KB
  MD5: 25247e3c4e7a7a73baeea6c0008952b1
  SHA1: 8087adb7a71a696139ddc5c5abc1a84f817ab688
  SHA256: c740497a7e58f7678e25b68b03573b4136a364464ee97c02ce5e0fe00cec7050
  SHA512: bc27946894e7775f772ac882740430c8b9d3f37a573e2524207f7bb32f44d4a227cb1e9a555e118d68af7f1e129abd2ac5cabbcd8bbf3551c485bae05108324b
- Filesize: 680KB
  MD5: a12fcb427c00fb34ce79b72e17d690ba
  SHA1: 7c3c71a3c8d5e1a9a3ea94c90481b1d9733e0586
  SHA256: beef41ecc5d0147fca411eef283373774cfb1b5e1703c405619720480da18e45
  SHA512: 1277b1f35906fc1c3ec09adc6e0439070d526203b6e6c4303a420ad4ad6dc6b6969749cedde7b3e3dc209df85940860266bfc5f9d1c36fdc5b7d89594c470908