Analysis
max time kernel: 120s
max time network: 16s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
submitted: 24/02/2025, 11:19
Static task: static1
Behavioral task: behavioral1
  Sample: 794e1fc591d09ba1650cb356384f33dc3a1a4810cb9c64f9d30b24b8c3ac8a43.dll
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 794e1fc591d09ba1650cb356384f33dc3a1a4810cb9c64f9d30b24b8c3ac8a43.dll
  Resource: win10v2004-20250217-en
General
Target: 794e1fc591d09ba1650cb356384f33dc3a1a4810cb9c64f9d30b24b8c3ac8a43.dll
Size: 780KB
MD5: 1554104d7f9db2f8a779405eb5707b9b
SHA1: 77434050361476de655662ac77e4543ed387f653
SHA256: 794e1fc591d09ba1650cb356384f33dc3a1a4810cb9c64f9d30b24b8c3ac8a43
SHA512: f278140c72faf11cf14cfe885016034dd735ad569c8ee5cb9ae4a6d5694e7ed91b491ae02ef9473d1554d2da19292598d44414c1c714b506929be0fb46307ad1
SSDEEP: 24576:aWyoHFMVMKkN3ZvxEhb0IsaQ4KriCo0j6Ij+:dnuVMK6vx2RsIKNrj+
Malware Config
Signatures
- Dridex family
  resource  yara_rule
  behavioral1/memory/1224-5-0x0000000002D80000-0x0000000002D81000-memory.dmp  dridex_stager_shellcode
- Executes dropped EXE (3 IoCs)
  pid   Process
  2756  SystemPropertiesAdvanced.exe
  2668  xpsrchvw.exe
  1552  wisptis.exe
- Loads dropped DLL (7 IoCs)
  pid   Process
  1224  Process not Found
  2756  SystemPropertiesAdvanced.exe
  1224  Process not Found
  2668  xpsrchvw.exe
  1224  Process not Found
  1552  wisptis.exe
  1224  Process not Found
- Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rcoehfpd = "C:\\Users\\Admin\\AppData\\Roaming\\Identities\\{7E7E7BEF-1C99-4DF9-B906-CCA42F97441A}\\X3\\xpsrchvw.exe"
  Process: Process not Found
- Checks whether UAC is enabled (1 TTP, 4 IoCs)
  description        ioc                                                                              Process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  SystemPropertiesAdvanced.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  xpsrchvw.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  wisptis.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process
  1660  rundll32.exe (3 entries)
  1224  Process not Found (all remaining entries, identical)
- Suspicious use of WriteProcessMemory (18 IoCs; each target listed 3 times in the report)
  description  pid   Process            procid_target
  PID 1224 wrote to memory of 2564  1224  Process not Found  31
  PID 1224 wrote to memory of 2756  1224  Process not Found  32
  PID 1224 wrote to memory of 2724  1224  Process not Found  33
  PID 1224 wrote to memory of 2668  1224  Process not Found  34
  PID 1224 wrote to memory of 1248  1224  Process not Found  35
  PID 1224 wrote to memory of 1552  1224  Process not Found  36
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\794e1fc591d09ba1650cb356384f33dc3a1a4810cb9c64f9d30b24b8c3ac8a43.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID: 1660
- C:\Windows\system32\SystemPropertiesAdvanced.exe
  Command line: C:\Windows\system32\SystemPropertiesAdvanced.exe
  PID: 2564
- C:\Users\Admin\AppData\Local\BxhhVvfu\SystemPropertiesAdvanced.exe
  Command line: C:\Users\Admin\AppData\Local\BxhhVvfu\SystemPropertiesAdvanced.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 2756
- C:\Windows\system32\xpsrchvw.exe
  Command line: C:\Windows\system32\xpsrchvw.exe
  PID: 2724
- C:\Users\Admin\AppData\Local\zW3\xpsrchvw.exe
  Command line: C:\Users\Admin\AppData\Local\zW3\xpsrchvw.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 2668
- C:\Windows\system32\wisptis.exe
  Command line: C:\Windows\system32\wisptis.exe
  PID: 1248
- C:\Users\Admin\AppData\Local\eictkfcRm\wisptis.exe
  Command line: C:\Users\Admin\AppData\Local\eictkfcRm\wisptis.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 1552
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 780KB
  MD5: a05358cee02e83f1128856aa422a886b
  SHA1: 157bfc87322cba6135cbe06d100ac18e4e0d3064
  SHA256: 0d835d93fdf2d1e300d2bd3e74e2086270541446b80fddb4d9720b693eae81b2
  SHA512: e17b9d2b1ad8b4ed3a32c78004de529a6edb24ed0616eb9e7545e154618ef8bbe419c42bf637d7b0511e52f27063fd64b691f6cf4468c7bb548d5cb6673be310
- Filesize: 784KB
  MD5: 70ae5cffdf821d7b4f3dfff6e80b6b42
  SHA1: 5d3afb6492f7e1868dd67f07ef715248f0a82f1d
  SHA256: 87cce18d46e773fe2149bac73aaff24ee3f078d16e9c5d36645654e8ed9b4900
  SHA512: 9585ce01f1332535265d659bbfaacb74440a55210c299ff5d106018bb88b818f4129be42d9d9236863cb7633d9e9e391d0da929f599423898e71eb63a22bdd12
- Filesize: 1KB
  MD5: bd8e6bcd125eb05de54925e8150956fc
  SHA1: 831e26db978d778d836cc06b4087b0d22cca3670
  SHA256: 51c719cef515fbb81abaff496eb7863a382bb713da1cdd56565da4eeade9e9b4
  SHA512: bbdde33aacdc9c81c7dac7e4a3fce02725024b46751affc9362ab42e199640c16532574ad49f54d6e39a95a05e34b271b1b2791d21fcf0888f46a63b496bcc5b
- Filesize: 80KB
  MD5: 25dc1e599591871c074a68708206e734
  SHA1: 27a9dffa92d979d39c07d889fada536c062dac77
  SHA256: a13b2ba5892c11c731869410b1e3dd2f250d70ff9efd513a9f260ab506dd42ef
  SHA512: f7da9ce4c3e8aea9095fcc977084c042f85df48fca0b58fb136dfd835ce69b5b1e68f3c11eeb14c617ffcec7011ffc7e5d5a948f49dde653a2348b28e10adb72
- Filesize: 396KB
  MD5: 02e20372d9d6d28e37ba9704edc90b67
  SHA1: d7d18ba0df95c3507bf20be8d72e25c5d11ab40c
  SHA256: 3338129ddf6fb53d6e743c10bc39ec372d9b2c39c607cbe8a71cff929f854144
  SHA512: bcad8894614dcfc1429be04829c217e7c8ac3c40ea3927073de3421d96d9815739ee1b84f0200eb18b3b8406b972bd934204b7b31638c9fe7c297fb201ed4200
- Filesize: 788KB
  MD5: 72605534c93924166b3421959b422c6c
  SHA1: ca9d144fc2147845f1f8dafe015409c5c336567c
  SHA256: 96be985459135a912acdaa4ddb790e1b5848ec6153386ea9a03e496ef18d9285
  SHA512: 550309839611c065013457ceec94fdf40c01f988d16e2fd9375ceec1e93ab59ecffc911f7e92e0b69e5755e8111404e1c346911cf0235a354d11ba25a5bc3107
- Filesize: 4.6MB
  MD5: 492cb6a624d5dad73ee0294b5db37dd6
  SHA1: e74806af04a5147ccabfb5b167eb95a0177c43b3
  SHA256: ccb4ecd48561ce024ea176b7036f0f2713b98bc82aa37347a30d8187762a8784
  SHA512: 63bf2931764efe767fb42f9576702dd585a032f74ad2be2481eaf309f34950f05974d77b5cb220a3ff89c92af0c7693dc558f8e3a3ee2a0be6c5c07171d03835