Analysis
-
max time kernel
150s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
14-11-2024 17:08
Static task
static1
Behavioral task
behavioral1
Sample
69c455745647cfb7a255bb03b8a4279b64be1e542bc8c540c180b2884b8d858a.dll
Resource
win7-20241010-en
General
-
Target
69c455745647cfb7a255bb03b8a4279b64be1e542bc8c540c180b2884b8d858a.dll
-
Size
672KB
-
MD5
9b616d2c751b6b29a1c2a529a49daba4
-
SHA1
46341d4ab5707193e9e53ffc140a42a61b6629a4
-
SHA256
69c455745647cfb7a255bb03b8a4279b64be1e542bc8c540c180b2884b8d858a
-
SHA512
ac1e27da3fc0d5541382425232677e832896c6d3b8fa089db4799bad3a0383a1eb1e737f9b1f34213d30bdd842e1ef335599d4ff07c2b40f8f490e035c858f05
-
SSDEEP
6144:I34xznfAp4x+NWMqW/KZ1vCDTEpc2bysCZR6iwAtUnWKT5WK8Rpv1llfFfCRAuTF:IIKp/UWCZdCDh2IZDwAFRpR6Au
Malware Config
Signatures
-
Dridex family
-
resource yara_rule behavioral1/memory/1272-4-0x00000000029F0000-0x00000000029F1000-memory.dmp dridex_stager_shellcode -
resource yara_rule behavioral1/memory/2200-0-0x000007FEF7B90000-0x000007FEF7C38000-memory.dmp dridex_payload behavioral1/memory/1272-17-0x0000000140000000-0x00000001400A8000-memory.dmp dridex_payload behavioral1/memory/1272-25-0x0000000140000000-0x00000001400A8000-memory.dmp dridex_payload behavioral1/memory/1272-37-0x0000000140000000-0x00000001400A8000-memory.dmp dridex_payload behavioral1/memory/1272-36-0x0000000140000000-0x00000001400A8000-memory.dmp dridex_payload behavioral1/memory/2200-45-0x000007FEF7B90000-0x000007FEF7C38000-memory.dmp dridex_payload behavioral1/memory/2936-59-0x000007FEF7BF0000-0x000007FEF7C9A000-memory.dmp dridex_payload behavioral1/memory/2936-54-0x000007FEF7BF0000-0x000007FEF7C9A000-memory.dmp dridex_payload behavioral1/memory/1532-80-0x000007FEF7BF0000-0x000007FEF7C9A000-memory.dmp dridex_payload behavioral1/memory/3024-92-0x000007FEF7BF0000-0x000007FEF7C99000-memory.dmp dridex_payload behavioral1/memory/3024-98-0x000007FEF7BF0000-0x000007FEF7C99000-memory.dmp dridex_payload -
Executes dropped EXE 3 IoCs
pid Process 2936 winlogon.exe 1532 dialer.exe 3024 cmstp.exe -
Loads dropped DLL 7 IoCs
pid Process 1272 Process not Found 2936 winlogon.exe 1272 Process not Found 1532 dialer.exe 1272 Process not Found 3024 cmstp.exe 1272 Process not Found -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Kgvptlq = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\FLASHP~1\\DQKQ7M~1\\dialer.exe" Process not Found -
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA dialer.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA cmstp.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA winlogon.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2200 regsvr32.exe 2200 regsvr32.exe 2200 regsvr32.exe 1272 Process not Found 1272 Process not Found 1272 Process not Found 1272 Process not Found 1272 Process not Found 1272 Process not Found 1272 Process not Found 1272 Process not Found 1272 Process not Found 1272 Process not Found 1272 Process not Found 1272 Process not Found 1272 Process not Found 1272 Process not Found 1272 Process not Found 1272 Process not Found 1272 Process not Found 1272 Process not Found 1272 Process not Found 1272 Process not Found 1272 Process not Found 1272 Process not Found 1272 Process not Found 1272 Process not Found 1272 Process not Found 1272 Process not Found 1272 Process not Found 1272 Process not Found 1272 Process not Found 1272 Process not Found 1272 Process not Found 1272 Process not Found 1272 Process not Found 1272 Process not Found 1272 Process not Found 1272 Process not Found 1272 Process not Found 1272 Process not Found 1272 Process not Found 1272 Process not Found 1272 Process not Found 1272 Process not Found 1272 Process not Found 1272 Process not Found 1272 Process not Found 1272 Process not Found 1272 Process not Found 1272 Process not Found 1272 Process not Found 1272 Process not Found 1272 Process not Found 1272 Process not Found 1272 Process not Found 1272 Process not Found 1272 Process not Found 1272 Process not Found 1272 Process not Found 1272 Process not Found 1272 Process not Found 1272 Process not Found 1272 Process not Found -
Suspicious use of WriteProcessMemory 18 IoCs
description pid Process procid_target PID 1272 wrote to memory of 2796 1272 Process not Found 31 PID 1272 wrote to memory of 2796 1272 Process not Found 31 PID 1272 wrote to memory of 2796 1272 Process not Found 31 PID 1272 wrote to memory of 2936 1272 Process not Found 32 PID 1272 wrote to memory of 2936 1272 Process not Found 32 PID 1272 wrote to memory of 2936 1272 Process not Found 32 PID 1272 wrote to memory of 2724 1272 Process not Found 33 PID 1272 wrote to memory of 2724 1272 Process not Found 33 PID 1272 wrote to memory of 2724 1272 Process not Found 33 PID 1272 wrote to memory of 1532 1272 Process not Found 34 PID 1272 wrote to memory of 1532 1272 Process not Found 34 PID 1272 wrote to memory of 1532 1272 Process not Found 34 PID 1272 wrote to memory of 2664 1272 Process not Found 35 PID 1272 wrote to memory of 2664 1272 Process not Found 35 PID 1272 wrote to memory of 2664 1272 Process not Found 35 PID 1272 wrote to memory of 3024 1272 Process not Found 36 PID 1272 wrote to memory of 3024 1272 Process not Found 36 PID 1272 wrote to memory of 3024 1272 Process not Found 36 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\69c455745647cfb7a255bb03b8a4279b64be1e542bc8c540c180b2884b8d858a.dll1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2200
-
C:\Windows\system32\winlogon.exeC:\Windows\system32\winlogon.exe1⤵PID:2796
-
C:\Users\Admin\AppData\Local\j39ep\winlogon.exeC:\Users\Admin\AppData\Local\j39ep\winlogon.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2936
-
C:\Windows\system32\dialer.exeC:\Windows\system32\dialer.exe1⤵PID:2724
-
C:\Users\Admin\AppData\Local\q0dr1Dk\dialer.exeC:\Users\Admin\AppData\Local\q0dr1Dk\dialer.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1532
-
C:\Windows\system32\cmstp.exeC:\Windows\system32\cmstp.exe1⤵PID:2664
-
C:\Users\Admin\AppData\Local\y0VaNi6\cmstp.exeC:\Users\Admin\AppData\Local\y0VaNi6\cmstp.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3024
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
680KB
MD5fd6f0b531fd86aca37f3a90fb301d5d0
SHA166d10d8bc7c1224f766ca4ee9d670faabe46374d
SHA2561bf9217a192da76fb3ebaeaaf79dfda200b673ca62f0e1e36b0f3506272a4bcd
SHA5125a0fc6780aa4162a6e86aba77c3af837a354f51dcd5867078f2cb9fa8db7cb490f37abd47453efbc2e09a9fc191c91bf2f943b78e6eb01f1f9436dd9d40e35fa
-
Filesize
680KB
MD5326bd6fb1a56342438844d12f7b4bec1
SHA1ab969b63572e3f246a5a6bc413e3a3e4f028e2ef
SHA25629459677ac88875ad33c58eeaf32d8d1b0834c0620f34511bb7659fe59f614ba
SHA5127a34b0e21e4f26e1314c6ef518feb40e88ff93355a001146e3899f8aca5e05321e70003498bdbd188dc4e4bf6919aaa0740e7958507ed1f9289f941b8e4d2b56
-
Filesize
676KB
MD5aa88738148750c549c09ccc881cdeb9c
SHA15ec83a1a5da9eacb78465e0f937b70618c85e1af
SHA25619bbd2494d63765bec7372aed564613ae89d100ce3950d18f095642c56c52377
SHA512472512097d4286b3b39562644af44f9e1c9f07609baae5a18281a8b45c4cdac649a2248133a4472354e88a7c08e9541b081a26069a72c0705706cd591531c3a2
-
Filesize
892B
MD52c8746a7dfa5a8402606afa8d2be0c69
SHA172cf695973c611694daecd4a952b24fe53c5fa0f
SHA256a330e34cf69151724eadf27a1a91fa5bcb0f4153d5dcd473b14da1cd983b5261
SHA51220a954588e0e68c6b886ebcd8da1d07f6865e82a1cfb8d1cd805ca32687a3badf854e4e3bf99b9fdf3d2fee123e076ae0b319ff6a8cee05185d268e937dd5147
-
Filesize
381KB
MD51151b1baa6f350b1db6598e0fea7c457
SHA1434856b834baf163c5ea4d26434eeae775a507fb
SHA256b1506e0a7e826eff0f5252ef5026070c46e2235438403a9a24d73ee69c0b8a49
SHA512df728d06238da1dece96f8b8d67a2423ed4dcb344b42d5958768d23bd570a79e7189e7c5ba783c1628fe8ddd1deaebeacb1b471c59c8a7c9beb21b4f1eb9edab
-
Filesize
34KB
MD546523e17ee0f6837746924eda7e9bac9
SHA1d6b2a9cc6bd3588fa9804ada5197afda6a9e034b
SHA25623d8a6a1d847a324c556c30e10c8f63c2004aeb42ac3f5a5ca362077f1517382
SHA512c7117c3778650864e685bd89df599d7cdd9319d757344ddc7cfd9403d6673964127f6ff0c5ac48455fd3097af31a6ff09173f85dfa7be2d25f395cdf3692bb9a
-
Filesize
90KB
MD574c6da5522f420c394ae34b2d3d677e3
SHA1ba135738ef1fb2f4c2c6c610be2c4e855a526668
SHA25651d298b1a8a2d00d5c608c52dba0655565d021e9798ee171d7fa92cc0de729a6
SHA512bfd76b1c3e677292748f88bf595bfef0b536eb22f2583b028cbf08f6ae4eda1aa3787c4e892aad12b7681fc2363f99250430a0e7019a7498e24db391868e787a