Analysis
-
max time kernel
149s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
14-11-2024 17:07
Static task
static1
Behavioral task
behavioral1
Sample
f3ee4f0ee0df0701d4a42338b1e36ef39c8d4e7fb4726b015cd31ebb2dfbdf59.dll
Resource
win7-20240903-en
General
-
Target
f3ee4f0ee0df0701d4a42338b1e36ef39c8d4e7fb4726b015cd31ebb2dfbdf59.dll
-
Size
952KB
-
MD5
60615daea6718bb366a3360c61da8582
-
SHA1
a27c75340da626b4a9635a4e8d92ec3ee5c1bb3b
-
SHA256
f3ee4f0ee0df0701d4a42338b1e36ef39c8d4e7fb4726b015cd31ebb2dfbdf59
-
SHA512
9ccf9349ea4dab95292f9bda79a05cc8d96427cef00395c30f936b2ca7b19abf28d657d41f7c5eb1273c52078673b3007cf18b6a377b051e8bf417221405d9df
-
SSDEEP
6144:e34xznfAp4x+NWMqW/KZ1vCDTEpc2bysCZR6iwAtUnWKT5WK8Rpv1llfFfCRAuTx:eIKp/UWCZdCDh2IZDwAFRpR6Aul+
Malware Config
Signatures
-
Dridex family
-
resource yara_rule behavioral1/memory/1252-4-0x0000000002530000-0x0000000002531000-memory.dmp dridex_stager_shellcode -
resource yara_rule behavioral1/memory/2892-1-0x000007FEF67B0000-0x000007FEF689E000-memory.dmp dridex_payload behavioral1/memory/1252-18-0x0000000140000000-0x00000001400EE000-memory.dmp dridex_payload behavioral1/memory/1252-26-0x0000000140000000-0x00000001400EE000-memory.dmp dridex_payload behavioral1/memory/1252-37-0x0000000140000000-0x00000001400EE000-memory.dmp dridex_payload behavioral1/memory/1252-38-0x0000000140000000-0x00000001400EE000-memory.dmp dridex_payload behavioral1/memory/2892-46-0x000007FEF67B0000-0x000007FEF689E000-memory.dmp dridex_payload behavioral1/memory/2196-55-0x000007FEF6DB0000-0x000007FEF6E9F000-memory.dmp dridex_payload behavioral1/memory/2196-60-0x000007FEF6DB0000-0x000007FEF6E9F000-memory.dmp dridex_payload behavioral1/memory/2944-72-0x000007FEF67B0000-0x000007FEF689F000-memory.dmp dridex_payload behavioral1/memory/2944-77-0x000007FEF67B0000-0x000007FEF689F000-memory.dmp dridex_payload behavioral1/memory/1880-93-0x000007FEF67B0000-0x000007FEF689F000-memory.dmp dridex_payload -
Executes dropped EXE 3 IoCs
pid Process 2196 SystemPropertiesComputerName.exe 2944 Dxpserver.exe 1880 mstsc.exe -
Loads dropped DLL 7 IoCs
pid Process 1252 Process not Found 2196 SystemPropertiesComputerName.exe 1252 Process not Found 2944 Dxpserver.exe 1252 Process not Found 1880 mstsc.exe 1252 Process not Found -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Zoekctxdbskyzr = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\QUICKL~1\\tfk\\DXPSER~1.EXE" Process not Found -
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA rundll32.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA SystemPropertiesComputerName.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Dxpserver.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA mstsc.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2892 rundll32.exe 2892 rundll32.exe 2892 rundll32.exe 1252 Process not Found 1252 Process not Found 1252 Process not Found 1252 Process not Found 1252 Process not Found 1252 Process not Found 1252 Process not Found 1252 Process not Found 1252 Process not Found 1252 Process not Found 1252 Process not Found 1252 Process not Found 1252 Process not Found 1252 Process not Found 1252 Process not Found 1252 Process not Found 1252 Process not Found 1252 Process not Found 1252 Process not Found 1252 Process not Found 1252 Process not Found 1252 Process not Found 1252 Process not Found 1252 Process not Found 1252 Process not Found 1252 Process not Found 1252 Process not Found 1252 Process not Found 1252 Process not Found 1252 Process not Found 1252 Process not Found 1252 Process not Found 1252 Process not Found 1252 Process not Found 1252 Process not Found 1252 Process not Found 1252 Process not Found 1252 Process not Found 1252 Process not Found 1252 Process not Found 1252 Process not Found 1252 Process not Found 1252 Process not Found 1252 Process not Found 1252 Process not Found 1252 Process not Found 1252 Process not Found 1252 Process not Found 1252 Process not Found 1252 Process not Found 1252 Process not Found 1252 Process not Found 1252 Process not Found 1252 Process not Found 1252 Process not Found 1252 Process not Found 1252 Process not Found 1252 Process not Found 1252 Process not Found 1252 Process not Found 1252 Process not Found -
Suspicious use of WriteProcessMemory 18 IoCs
description pid Process procid_target PID 1252 wrote to memory of 2656 1252 Process not Found 30 PID 1252 wrote to memory of 2656 1252 Process not Found 30 PID 1252 wrote to memory of 2656 1252 Process not Found 30 PID 1252 wrote to memory of 2196 1252 Process not Found 31 PID 1252 wrote to memory of 2196 1252 Process not Found 31 PID 1252 wrote to memory of 2196 1252 Process not Found 31 PID 1252 wrote to memory of 1264 1252 Process not Found 33 PID 1252 wrote to memory of 1264 1252 Process not Found 33 PID 1252 wrote to memory of 1264 1252 Process not Found 33 PID 1252 wrote to memory of 2944 1252 Process not Found 34 PID 1252 wrote to memory of 2944 1252 Process not Found 34 PID 1252 wrote to memory of 2944 1252 Process not Found 34 PID 1252 wrote to memory of 2916 1252 Process not Found 35 PID 1252 wrote to memory of 2916 1252 Process not Found 35 PID 1252 wrote to memory of 2916 1252 Process not Found 35 PID 1252 wrote to memory of 1880 1252 Process not Found 36 PID 1252 wrote to memory of 1880 1252 Process not Found 36 PID 1252 wrote to memory of 1880 1252 Process not Found 36 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\f3ee4f0ee0df0701d4a42338b1e36ef39c8d4e7fb4726b015cd31ebb2dfbdf59.dll,#11⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2892
-
C:\Windows\system32\SystemPropertiesComputerName.exeC:\Windows\system32\SystemPropertiesComputerName.exe1⤵PID:2656
-
C:\Users\Admin\AppData\Local\cNqpNPF\SystemPropertiesComputerName.exeC:\Users\Admin\AppData\Local\cNqpNPF\SystemPropertiesComputerName.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2196
-
C:\Windows\system32\Dxpserver.exeC:\Windows\system32\Dxpserver.exe1⤵PID:1264
-
C:\Users\Admin\AppData\Local\0LDxVJ\Dxpserver.exeC:\Users\Admin\AppData\Local\0LDxVJ\Dxpserver.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2944
-
C:\Windows\system32\mstsc.exeC:\Windows\system32\mstsc.exe1⤵PID:2916
-
C:\Users\Admin\AppData\Local\lBFo\mstsc.exeC:\Users\Admin\AppData\Local\lBFo\mstsc.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1880
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
956KB
MD56571975387e2366624c9fca5125df0ca
SHA16f7b01d3e5a7750a9b3905351ce30849d2c95cb5
SHA256f397bc47a18019c2081c893da2b0b90d5ff9d4ba38f3f47114a02b0a611a352a
SHA512792b9a1ca5944a1039d2f387539c9f1b6fc005f0aaf09b5ab51dc59ac7ee29734a344fc0a1379c3173fd81006131dd9f1a0cb605e4ba0fa4df9c8617fd6d35df
-
Filesize
956KB
MD560e2e01b34b89cd58dcc85547af391da
SHA1a33f424b2231c1376d21dd2782b85288982a6ebc
SHA256a80a60a1cf8ce2324e095fa7454eb304fc4d03296235b41e7658c34ec58bbd1a
SHA5123ec4ef538844f0c4d7bcc115c48becd683e6c9cabf4d771fb45a5b48ae163acb062a8c12235d8a48b305bf6a45100746dac4be73a33f3cb2c0ad71f635d60e0f
-
Filesize
1KB
MD58c9ac3addccb913cc9822d805a74edcf
SHA1d922e44c2bb3b37f0629007d763d5aefa96618dd
SHA25640b9897c9f5d2821068323ea63cacf3dfbdd18bf938ba56aa9353cf81e5c3b35
SHA51269e88d8828f971d992413bab89ee66f5c80c69d9307921fe7ff517a1c0875857af5f0eaeb055b158bc56743c3866145be26d68b85a35417741339bc060db95d9
-
Filesize
259KB
MD54d38389fb92e43c77a524fd96dbafd21
SHA108014e52f6894cad4f1d1e6fc1a703732e9acd19
SHA256070bc95c486c15d2edc3548ba416dc9565ead401cb03a0472f719fb55ac94e73
SHA51202d8d130cff2b8de15139d309e1cd74a2148bb786fd749e5f22775d45e193b0f75adf40274375cabce33576480ff20456f25172d29a034cd134b8084d40a67ba
-
Filesize
956KB
MD53985e90f225a812a8dad0614b065791b
SHA1cc76eb1acb88945ef416bfba4abfb36beb766acf
SHA256470e1169b6fa001dd172855b300bc069c77d0a6ea7b9f625f5c984da864175b4
SHA5124fc2f0b570608ff6e5c9f1ac430a29d1fc0f7fe76d79d3af12cf1e18da0facb93fbfe8bc1296dea6ab1cabfc052744db078476e1fd2d61b5f337d362adbc015b
-
Filesize
80KB
MD5bd889683916aa93e84e1a75802918acf
SHA15ee66571359178613a4256a7470c2c3e6dd93cfa
SHA2560e22894595891a9ff9706e03b3db31a751541c4a773f82420fce57237d6c47cf
SHA5129d76de848b319f44657fb7fbe5a3b927774ae999362ff811a199002ffa77ad9e1638a65a271388e605ab5e5a7cb6ce5aa7fcabc3ed583ade00eaa4c265552026
-
Filesize
1.1MB
MD550f739538ef014b2e7ec59431749d838
SHA1b439762b8efe8cfb977e7374c11a7e4d8ed05eb3
SHA25685c510c7fa8d64c70886ea01ec99e7b9064594f021a95b4cf88359421e732be3
SHA51202e231ddc4ac012c597b9db42f8a77fbf35ca8253c030d443a0dd4db3d76a9ee1cced600f12d7bb06305e7a4da4a8fda980faad335adcb12738d80d453cb3cc8