Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16-01-2025 06:28

Static task: static1
Behavioral task: behavioral1
- Sample: b723987104cf85aaedc0a5dc457d13be8fa1e12526a8b59551729bcc9b0a6247.dll
- Resource: win7-20240903-en
General
- Target: b723987104cf85aaedc0a5dc457d13be8fa1e12526a8b59551729bcc9b0a6247.dll
- Size: 776KB
- MD5: 435455aa73a48604914eb8271db3b4a3
- SHA1: 8d321b4bd4eb646f18e6507fff8eaa1f93982375
- SHA256: b723987104cf85aaedc0a5dc457d13be8fa1e12526a8b59551729bcc9b0a6247
- SHA512: 797db5b4854395b5b4a0904abcf3e56b43d99faa507c70954216128dcd2861566d78a0d9e6f573aa7ffa3eb220212911e9a8e54a20bc7d0d01e1e0cabd81610f
- SSDEEP: 24576:1WyoqFMVMKkN3ZvxEhb0IsaQ4KriCo0j6Ij:gKuVMK6vx2RsIKNrj
Malware Config
Signatures
- Dridex family
  resource: behavioral2/memory/3528-5-0x0000000002B30000-0x0000000002B31000-memory.dmp
  yara_rule: dridex_stager_shellcode

- Executes dropped EXE (4 IoCs)
  pid 4952  consent.exe
  pid 3620  EhStorAuthn.exe
  pid 2220  systemreset.exe
  pid 5084  cmstp.exe

- Loads dropped DLL (4 IoCs)
  pid 3620  EhStorAuthn.exe
  pid 2220  systemreset.exe
  pid 5084  cmstp.exe
  pid 5084  cmstp.exe

- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Fzrdqelbmr = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\xrPY\\systemreset.exe"  (process: Process not Found)

- Checks whether UAC is enabled (3 IoCs)
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  (process: EhStorAuthn.exe)
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  (process: systemreset.exe)
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  (process: cmstp.exe)

- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 4888  regsvr32.exe  (4 entries)
  pid 3528  Process not Found  (60 entries)

- Suspicious use of WriteProcessMemory (16 IoCs)
  Source in every row is PID 3528 (Process not Found); each row appears twice in the report.
  PID 3528 wrote to memory of 2852  (procid_target 84)
  PID 3528 wrote to memory of 4952  (procid_target 85)
  PID 3528 wrote to memory of 760   (procid_target 86)
  PID 3528 wrote to memory of 3620  (procid_target 87)
  PID 3528 wrote to memory of 1832  (procid_target 88)
  PID 3528 wrote to memory of 2220  (procid_target 89)
  PID 3528 wrote to memory of 4104  (procid_target 90)
  PID 3528 wrote to memory of 5084  (procid_target 91)

- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (all entries at process-tree depth 1)
- C:\Windows\system32\regsvr32.exe
  Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\b723987104cf85aaedc0a5dc457d13be8fa1e12526a8b59551729bcc9b0a6247.dll
  PID: 4888
  Signatures: Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\consent.exe
  Command line: C:\Windows\system32\consent.exe
  PID: 2852
- C:\Users\Admin\AppData\Local\PI2KW0h\consent.exe
  Command line: C:\Users\Admin\AppData\Local\PI2KW0h\consent.exe
  PID: 4952
  Signatures: Executes dropped EXE
- C:\Windows\system32\EhStorAuthn.exe
  Command line: C:\Windows\system32\EhStorAuthn.exe
  PID: 760
- C:\Users\Admin\AppData\Local\3cm3\EhStorAuthn.exe
  Command line: C:\Users\Admin\AppData\Local\3cm3\EhStorAuthn.exe
  PID: 3620
  Signatures: Executes dropped EXE; Loads dropped DLL; Checks whether UAC is enabled
- C:\Windows\system32\systemreset.exe
  Command line: C:\Windows\system32\systemreset.exe
  PID: 1832
- C:\Users\Admin\AppData\Local\QXWY\systemreset.exe
  Command line: C:\Users\Admin\AppData\Local\QXWY\systemreset.exe
  PID: 2220
  Signatures: Executes dropped EXE; Loads dropped DLL; Checks whether UAC is enabled
- C:\Windows\system32\cmstp.exe
  Command line: C:\Windows\system32\cmstp.exe
  PID: 4104
- C:\Users\Admin\AppData\Local\T193by\cmstp.exe
  Command line: C:\Users\Admin\AppData\Local\T193by\cmstp.exe
  PID: 5084
  Signatures: Executes dropped EXE; Loads dropped DLL; Checks whether UAC is enabled
Network
MITRE ATT&CK Enterprise v15
Downloads