Analysis
max time kernel
119s
max time network
16s
platform
windows7_x64
resource
win7-20241010-en
resource tags
arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system
submitted
25/02/2025, 02:37
Static task
static1
Behavioral task
behavioral1
Sample
24b578f6ed5e0e3936a230c135def3af248deca34d13e377c40212288bc5359dN.dll
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
24b578f6ed5e0e3936a230c135def3af248deca34d13e377c40212288bc5359dN.dll
Resource
win10v2004-20250217-en
General
-
Target
24b578f6ed5e0e3936a230c135def3af248deca34d13e377c40212288bc5359dN.dll
-
Size
780KB
-
MD5
523e161e7f0441375283519de5dd1640
-
SHA1
18317845671b0ed94fa1b4633d673c55193e39ad
-
SHA256
24b578f6ed5e0e3936a230c135def3af248deca34d13e377c40212288bc5359d
-
SHA512
1556e848fa07d1dc24ca516313c1479dddcd527246df26ddf1dcb01cc8e8a98caf37879c01b4472d93115575791366984f93d401f6ea9047153ab99c8e080b57
-
SSDEEP
12288:obP23onr2XV7KrPqgmNiQhDOy4/AT4r/E16K1QS/lsHAGHdDvRQ2sd1gqQ:obe42XV7KWgmjDR/T4a/Mdjm
Malware Config
Signatures
-
Dridex family
-
resource yara_rule
behavioral1/memory/1204-5-0x0000000002E70000-0x0000000002E71000-memory.dmp dridex_stager_shellcode
Executes dropped EXE 3 IoCs
pid Process
2920 Magnify.exe
2636 unregmp2.exe
2504 sdclt.exe
Loads dropped DLL 7 IoCs
pid Process
1204 Process not Found
2920 Magnify.exe
1204 Process not Found
2636 unregmp2.exe
1204 Process not Found
2504 sdclt.exe
1204 Process not Found
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Uuyszikihxbb = "C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\zncF\\unregmp2.exe" Process not Found
Checks whether UAC is enabled 1 TTPs 4 IoCs
description ioc Process
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA rundll32.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Magnify.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA unregmp2.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA sdclt.exe
Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process
752 rundll32.exe (×3)
1204 Process not Found (×61)
Suspicious use of WriteProcessMemory 18 IoCs
description pid Process procid_target
PID 1204 wrote to memory of 2760 1204 Process not Found 31 (×3)
PID 1204 wrote to memory of 2920 1204 Process not Found 32 (×3)
PID 1204 wrote to memory of 2880 1204 Process not Found 33 (×3)
PID 1204 wrote to memory of 2636 1204 Process not Found 34 (×3)
PID 1204 wrote to memory of 2692 1204 Process not Found 35 (×3)
PID 1204 wrote to memory of 2504 1204 Process not Found 36 (×3)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\24b578f6ed5e0e3936a230c135def3af248deca34d13e377c40212288bc5359dN.dll,#1
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:752
-
C:\Windows\system32\Magnify.exe
PID:2760
-
C:\Users\Admin\AppData\Local\BNIGNAH\Magnify.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2920
-
C:\Windows\system32\unregmp2.exe
PID:2880
-
C:\Users\Admin\AppData\Local\7bMK5\unregmp2.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2636
-
C:\Windows\system32\sdclt.exe
PID:2692
-
C:\Users\Admin\AppData\Local\i7IeWAnN\sdclt.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2504
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution 1
Registry Run Keys / Startup Folder 1
Event Triggered Execution 1
Accessibility Features 1
Downloads