Analysis
-
max time kernel: 120s
max time network: 17s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 24/02/2025, 10:58
Static task
static1
Behavioral task
behavioral1
Sample
afa9c41340915e052915ffb037526bfed01e8d7befc8767f4bb8e0fa628365d9N.dll
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
afa9c41340915e052915ffb037526bfed01e8d7befc8767f4bb8e0fa628365d9N.dll
Resource
win10v2004-20250217-en
General
-
Target
afa9c41340915e052915ffb037526bfed01e8d7befc8767f4bb8e0fa628365d9N.dll
-
Size
780KB
-
MD5
3caa124004a7de62cdbcb2c165e57610
-
SHA1
9e023d9ad84bc5fe1dee5399d4f7772bf11cae61
-
SHA256
afa9c41340915e052915ffb037526bfed01e8d7befc8767f4bb8e0fa628365d9
-
SHA512
5368089956fb170ed6cf04d4172843dbe0250484905b3d33d844fbe74bc503873802dadb167aea0d66198e40a8e90ad96cbe3937b6cb930c418c63edc739f4aa
-
SSDEEP
24576:aWyoHFMVMKkN3ZvxEhb0IsaQ4KriCo0j6Ij:dnuVMK6vx2RsIKNrj
Malware Config
Signatures
-
Dridex family
-
resource: behavioral1/memory/1196-5-0x0000000002E70000-0x0000000002E71000-memory.dmp
yara_rule: dridex_stager_shellcode
Drops startup file 3 IoCs
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\6Bgr\UxTheme.dll (process: Process not Found)
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\6Bgr\msdt.exe (process: Process not Found)
File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\6Bgr (process: Process not Found)
Executes dropped EXE 3 IoCs
pid 796: javaws.exe
pid 1704: msdt.exe
pid 2120: BitLockerWizardElev.exe
Loads dropped DLL 7 IoCs
pid 1196: Process not Found
pid 796: javaws.exe
pid 1196: Process not Found
pid 1704: msdt.exe
pid 1196: Process not Found
pid 2120: BitLockerWizardElev.exe
pid 1196: Process not Found
Adds Run key to start application 2 TTPs 1 IoCs
Set value (str): \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Uuyszikihxbb = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\6Bgr\\msdt.exe" (process: Process not Found)
Checks whether UAC is enabled 1 TTPs 4 IoCs
Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: msdt.exe)
Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: BitLockerWizardElev.exe)
Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: rundll32.exe)
Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: javaws.exe)
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid 2848: rundll32.exe (3 entries)
pid 1196: Process not Found (remaining 61 entries)
Suspicious use of WriteProcessMemory 18 IoCs
PID 1196 (Process not Found) wrote to memory of 2576, procid_target 30 (3 events)
PID 1196 (Process not Found) wrote to memory of 796, procid_target 31 (3 events)
PID 1196 (Process not Found) wrote to memory of 376, procid_target 32 (3 events)
PID 1196 (Process not Found) wrote to memory of 1704, procid_target 33 (3 events)
PID 1196 (Process not Found) wrote to memory of 2920, procid_target 34 (3 events)
PID 1196 (Process not Found) wrote to memory of 2120, procid_target 35 (3 events)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\rundll32.exe
command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\afa9c41340915e052915ffb037526bfed01e8d7befc8767f4bb8e0fa628365d9N.dll,#1
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID: 2848
-
C:\Windows\system32\javaws.exe
command line: C:\Windows\system32\javaws.exe
PID: 2576
-
C:\Users\Admin\AppData\Local\FwmOVu\javaws.exe
command line: C:\Users\Admin\AppData\Local\FwmOVu\javaws.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID: 796
-
C:\Windows\system32\msdt.exe
command line: C:\Windows\system32\msdt.exe
PID: 376
-
C:\Users\Admin\AppData\Local\5US\msdt.exe
command line: C:\Users\Admin\AppData\Local\5US\msdt.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID: 1704
-
C:\Windows\system32\BitLockerWizardElev.exe
command line: C:\Windows\system32\BitLockerWizardElev.exe
PID: 2920
-
C:\Users\Admin\AppData\Local\cAU0\BitLockerWizardElev.exe
command line: C:\Users\Admin\AppData\Local\cAU0\BitLockerWizardElev.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID: 2120
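The process tree above is the usual Dridex loader pattern. PID 1196 (reported as "Process not Found", i.e. a process the sandbox did not track, and the one holding the dridex_stager_shellcode YARA hit) copies signed Windows binaries from System32 (javaws.exe, msdt.exe, BitLockerWizardElev.exe) into random folders under %LOCALAPPDATA%, starts each copy, and each copy then loads a dropped DLL from its own folder; a further copy of msdt.exe plus UxTheme.dll goes into the Word STARTUP folder and a HKCU Run value (Uuyszikihxbb) points at it. The script below is an added host hunt, not part of the sandbox report, that checks a Windows machine for those three artifact classes. It keys on location and file type rather than on the folder names (6Bgr, FwmOVu, 5US, cAU0), which are per-sample random; the Add-Finding helper and the 'SideLoadPair'/'RunKey'/'WordStartup' labels are this example's own names.

```powershell
# Added hunt script; not part of the sandbox report. Checks the current user's
# profile for the artifact classes seen in this Dridex run:
#   1. a HKCU Run value launching something from the user profile
#   2. PE files planted in the Word STARTUP folder
#   3. System32 binaries copied into %LOCALAPPDATA%\<dir>\ with a DLL beside them
# Folder names from the report (6Bgr, FwmOVu, 5US, cAU0) are random per sample,
# so nothing below depends on them.

$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Check, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Check = $Check; Detail = $Detail })
}

# 1. Run-key persistence launched from a user-writable path
#    (report: ...\Word\STARTUP\6Bgr\msdt.exe under value name Uuyszikihxbb)
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($p in $run.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }        # skip provider metadata (PSPath, PSDrive, ...)
        $value = [string]$p.Value
        if ($value -match '(?i)\\AppData\\(Roaming|Local)\\') {
            Add-Finding 'RunKey' "$($p.Name) = $value"
        }
    }
}

# 2. PE files in the Word STARTUP folder, which legitimately holds only add-ins (.dotm/.wll)
$wordStartup = Join-Path $env:APPDATA 'Microsoft\Word\STARTUP'
if (Test-Path $wordStartup) {
    Get-ChildItem -Path $wordStartup -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.exe', '.dll' } |
        ForEach-Object { Add-Finding 'WordStartup' $_.FullName }
}

# 3. A System32 binary living in %LOCALAPPDATA%\<dir>\ next to a DLL is the side-load pair.
#    The copied EXE keeps Microsoft's/Oracle's valid signature; the DLL beside it does not.
$system32 = Join-Path $env:WINDIR 'System32'
Get-ChildItem -Path $env:LOCALAPPDATA -Directory -ErrorAction SilentlyContinue | ForEach-Object {
    $dir  = $_.FullName
    $exes = Get-ChildItem -Path $dir -File -Filter '*.exe' -ErrorAction SilentlyContinue
    foreach ($exe in $exes) {
        if (-not (Test-Path (Join-Path $system32 $exe.Name))) { continue }   # not a System32 twin
        $dlls = Get-ChildItem -Path $dir -File -Filter '*.dll' -ErrorAction SilentlyContinue
        if (-not $dlls) { continue }                                          # lone copy: not this pattern
        $exeSig = (Get-AuthenticodeSignature -FilePath $exe.FullName).Status
        foreach ($dll in $dlls) {
            $dllSig  = (Get-AuthenticodeSignature -FilePath $dll.FullName).Status
            $dllHash = (Get-FileHash -Path $dll.FullName -Algorithm SHA256).Hash
            Add-Finding 'SideLoadPair' ('{0} (sig {1}) + {2} (sig {3}, sha256 {4})' -f `
                $exe.FullName, $exeSig, $dll.Name, $dllSig, $dllHash)
        }
    }
}

if ($findings.Count -eq 0) {
    'No Dridex-style loader artifacts found.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

Run it in the context of the user being investigated, since both the Run key and the paths are per-user (HKCU, %APPDATA%, %LOCALAPPDATA%); Get-FileHash needs PowerShell 4 or later, so a stock Windows 7 box needs WMF 4 first. The SHA256 values it prints can be compared directly against the hashes in the Downloads section below. Treat the RunKey check as triage rather than verdict: per-user installers (Teams, OneDrive, Discord and the like) legitimately register Run values under AppData, whereas a System32 binary sitting in a profile folder next to an unsigned DLL has no benign explanation.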
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 784KB
MD5: f2bdc5b037f194b8e6f05c0811afdc86
SHA1: 93be58bc0d3048574b0533401548e9f68c2ac61f
SHA256: 99baf245c34214c6064391fa6f54797a00080f413bbb89dde3560f85fabed8e2
SHA512: fc3f07ac979942ea08cb4832da66ee2b2b846ee5a65a4374d394c11af4852d8181a0472eb68cd874f576e319ee7139fe2470c139b7d2d0b5e604935dacf8247d
-
Filesize: 780KB
MD5: 0732baaf249111e4292c0dd34a226271
SHA1: d2eec50679cc428256845dda769340e6654d02e5
SHA256: 2bfd746b91f198526e3d4fe884868a30ab27c8de289e8313aaad846c62df24ff
SHA512: dd5b02c547492e6170763cbcd2d902b0f96bafbf3961a7163a0d8cae915eea680b253518dcfb90351d9daaf132b192f64cf97df8082bfe71c99b1449b25ace77
-
Filesize: 784KB
MD5: e6b24a250eb85d2ccd37346cc6efb1ba
SHA1: 2344bf4481e3ed0797949d6b6e246f4207522233
SHA256: 82979e82e765a2b9df21da38e67382424a7f9b7f9d38be96b3c6ca7eefc3475d
SHA512: a239768aeab6f7ff6fdffe75dd08842725b9d3f44872c86bb517ba39b5ee16b5338f1598da9b018f85c767f24a5672f3db1fb64055c8934f6f9a1d11b0d704b1
-
Filesize: 1KB
MD5: 32f42047915c0126378cf9ac0955bdd2
SHA1: df546f2a65bd409d834e65ff3019e22822b16f6e
SHA256: 72cff30c93845747c3d6d06751414111a3876e381fc6708dde3491a7081dc07d
SHA512: 22909cf070e35011d087bdcb2d4fe5ef014f28ae982720fdfe43d7207cd141ed64dfbcb6c3b98d761b6d32435406782bb28db238dca03136402d56cc03aac391
-
Filesize: 1.0MB
MD5: aecb7b09566b1f83f61d5a4b44ae9c7e
SHA1: 3a4a2338c6b5ac833dc87497e04fe89c5481e289
SHA256: fbdbe7a2027cab237c4635ef71c1a93cf7afc4b79d56b63a119b7f8e3029ccf5
SHA512: 6e14200262e0729ebcab2226c3eac729ab5af2a4c6f4f9c3e2950cc203387d9a0a447cf38665c724d4397353931fd10064dc067e043a3579538a6144e33e4746
-
Filesize: 312KB
MD5: f94bc1a70c942621c4279236df284e04
SHA1: 8f46d89c7db415a7f48ccd638963028f63df4e4f
SHA256: be9f8986a6c86d9f77978105d48b59eebfec3b9732dbf19e0f3d48bf7f20120c
SHA512: 60edf20ca3cae9802263446af266568d0b5e0692eddcfcfc3b2f9a39327b3184613ca994460b919d17a6edc5936b4da16d9033f5138bcfd9bc0f09d88c8dcd52
-
Filesize: 98KB
MD5: 73f13d791e36d3486743244f16875239
SHA1: ed5ec55dbc6b3bda505f0a4c699c257c90c02020
SHA256: 2483d2f0ad481005cca081a86a07be9060bc6d4769c4570f92ad96fa325be9b8
SHA512: 911a7b532312d50cc5e7f6a046d46ab5b322aa17ce59a40477173ea50f000a95db45f169f4ea3574e3e00ae4234b9f8363ac79329d683c14ebee1d423e6e43af