Analysis
max time kernel: 119s
max time network: 93s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-01-2025 18:05
Static task: static1
Behavioral task: behavioral1
Sample: fe04562ba37a35c4d3c0f44c1e721f24078eaa70c8bd1ceb7c6ac6a6f1d2843aN.dll
Resource: win7-20240903-en
General
Target: fe04562ba37a35c4d3c0f44c1e721f24078eaa70c8bd1ceb7c6ac6a6f1d2843aN.dll
Size: 804KB
MD5: 0f413d5ba9a89182b758896df48db410
SHA1: 7a1fbfde26fd73a4d27a71bd4300392c3b2dadf7
SHA256: fe04562ba37a35c4d3c0f44c1e721f24078eaa70c8bd1ceb7c6ac6a6f1d2843a
SHA512: 1a083ad20a5def7fef52dba3327e968aa288105b1820c5639d80b488d38e50e0c0005f085233d70f22600e3cda8079e60db4f5b541f28636686505d47bf6126f
SSDEEP: 12288:YbP23onr2XV7KrPqgmNiQhDOy4/AT4r/E16K1QS/lsHAGHdDvRQ2sd1gqQeB:Ybe42XV7KWgmjDR/T4a/Mdjmv
Malware Config
Signatures
Dridex family
  resource: behavioral2/memory/3588-5-0x0000000002DE0000-0x0000000002DE1000-memory.dmp
  yara_rule: dridex_stager_shellcode
Executes dropped EXE 3 IoCs
  pid 3228 quickassist.exe
  pid 5004 SystemPropertiesAdvanced.exe
  pid 2232 psr.exe
Loads dropped DLL 3 IoCs
  pid 3228 quickassist.exe
  pid 5004 SystemPropertiesAdvanced.exe
  pid 2232 psr.exe
Adds Run key to start application 2 TTPs 1 IoCs
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Nzvdnevrdk = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\TEMPLA~1\\LIVECO~1\\16\\User\\SMARTA~1\\PgwXCO\\SYSTEM~1.EXE"
  Process: Process not Found
Checks whether UAC is enabled
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (quickassist.exe)
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (SystemPropertiesAdvanced.exe)
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (psr.exe)
Suspicious behavior: EnumeratesProcesses 64 IoCs
  pid 2644 regsvr32.exe (4 entries)
  pid 3588 Process not Found (60 entries)
Suspicious use of WriteProcessMemory 12 IoCs
  PID 3588 (Process not Found) wrote to memory of 1920, procid_target 82 (recorded twice)
  PID 3588 (Process not Found) wrote to memory of 3228, procid_target 83 (recorded twice)
  PID 3588 (Process not Found) wrote to memory of 3924, procid_target 84 (recorded twice)
  PID 3588 (Process not Found) wrote to memory of 5004, procid_target 85 (recorded twice)
  PID 3588 (Process not Found) wrote to memory of 5020, procid_target 86 (recorded twice)
  PID 3588 (Process not Found) wrote to memory of 2232, procid_target 87 (recorded twice)
Uses Task Scheduler COM API 1 TTPs
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Windows\system32\regsvr32.exe
  command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\fe04562ba37a35c4d3c0f44c1e721f24078eaa70c8bd1ceb7c6ac6a6f1d2843aN.dll
  - Suspicious behavior: EnumeratesProcesses
  PID: 2644
C:\Windows\system32\quickassist.exe
  command line: C:\Windows\system32\quickassist.exe
  PID: 1920
C:\Users\Admin\AppData\Local\I50eLE\quickassist.exe
  command line: C:\Users\Admin\AppData\Local\I50eLE\quickassist.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 3228
C:\Windows\system32\SystemPropertiesAdvanced.exe
  command line: C:\Windows\system32\SystemPropertiesAdvanced.exe
  PID: 3924
C:\Users\Admin\AppData\Local\YFq\SystemPropertiesAdvanced.exe
  command line: C:\Users\Admin\AppData\Local\YFq\SystemPropertiesAdvanced.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 5004
C:\Windows\system32\psr.exe
  command line: C:\Windows\system32\psr.exe
  PID: 5020
C:\Users\Admin\AppData\Local\alFD2Y78\psr.exe
  command line: C:\Users\Admin\AppData\Local\alFD2Y78\psr.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 2232
Network
MITRE ATT&CK Enterprise v15
Downloads