Analysis
max time kernel: 151s
max time network: 126s
platform: windows10_x64
resource: win10-en-20211014
submitted: 26-11-2021 09:27
Static task: static1
Behavioral task: behavioral1
Sample: 494d90eeeb3acbdcf85d81839a17e2cf4843713b12fa03fe3ebaaff3711807b3.dll
Resource: win7-en-20211104
General
Target: 494d90eeeb3acbdcf85d81839a17e2cf4843713b12fa03fe3ebaaff3711807b3.dll
Size: 1.4MB
MD5: aec8754bce47765e6d1ff6641449f71b
SHA1: 00de05368600c975e06c625974489e683177e331
SHA256: 494d90eeeb3acbdcf85d81839a17e2cf4843713b12fa03fe3ebaaff3711807b3
SHA512: 189971741bb1933c3c306bc423ad2d252bbefe00cc272c9733253afacd8eceb9f0a7efb37d9a742df85df6093b6d4be31475f993972c91fe5d02586063264c84
Malware Config
Signatures
- Processes (resource / yara_rule):
  behavioral2/memory/2960-121-0x00000000012F0000-0x00000000012F1000-memory.dmp / dridex_stager_shellcode
- Executes dropped EXE 3 IoCs
  Processes (pid / process):
  2660 SnippingTool.exe
  2916 SysResetErr.exe
  1496 phoneactivate.exe
- Loads dropped DLL 3 IoCs
  Processes (pid / process):
  2660 SnippingTool.exe
  2916 SysResetErr.exe
  1496 phoneactivate.exe
- Adds Run key to start application 2 TTPs 1 IoCs
  Processes (description / ioc / process):
  Set value (str) / \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\Slqggwbvaxk = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\izlLVmokdk\\SysResetErr.exe"
- Checks whether UAC is enabled
  Processes (description / ioc / process):
  Key value queried / \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA / SnippingTool.exe
  Key value queried / \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA / SysResetErr.exe
  Key value queried / \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA / phoneactivate.exe
  Key value queried / \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA / rundll32.exe
- Suspicious behavior: EnumeratesProcesses 64 IoCs
  Processes (pid / process):
  2480 rundll32.exe (4 entries)
  2960 (60 entries, no process name recorded)
- Suspicious behavior: GetForegroundWindowSpam 5 IoCs
  Processes (pid / process):
  2480 rundll32.exe
  2960 (no process name recorded)
  2660 SnippingTool.exe
  2916 SysResetErr.exe
  1496 phoneactivate.exe
- Suspicious use of WriteProcessMemory 12 IoCs
  Processes (description / pid / target process), each recorded twice:
  PID 2960 wrote to memory of 1188 / 2960 / SnippingTool.exe
  PID 2960 wrote to memory of 2660 / 2960 / SnippingTool.exe
  PID 2960 wrote to memory of 2340 / 2960 / SysResetErr.exe
  PID 2960 wrote to memory of 2916 / 2960 / SysResetErr.exe
  PID 2960 wrote to memory of 2832 / 2960 / phoneactivate.exe
  PID 2960 wrote to memory of 1496 / 2960 / phoneactivate.exe
Processes
- C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\494d90eeeb3acbdcf85d81839a17e2cf4843713b12fa03fe3ebaaff3711807b3.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
- C:\Windows\system32\SnippingTool.exe
  command line: C:\Windows\system32\SnippingTool.exe
- C:\Users\Admin\AppData\Local\lns2\SnippingTool.exe
  command line: C:\Users\Admin\AppData\Local\lns2\SnippingTool.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious behavior: GetForegroundWindowSpam
- C:\Windows\system32\SysResetErr.exe
  command line: C:\Windows\system32\SysResetErr.exe
- C:\Users\Admin\AppData\Local\ysor3L\SysResetErr.exe
  command line: C:\Users\Admin\AppData\Local\ysor3L\SysResetErr.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious behavior: GetForegroundWindowSpam
- C:\Windows\system32\phoneactivate.exe
  command line: C:\Windows\system32\phoneactivate.exe
- C:\Users\Admin\AppData\Local\jTfO6wz\phoneactivate.exe
  command line: C:\Users\Admin\AppData\Local\jTfO6wz\phoneactivate.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious behavior: GetForegroundWindowSpam
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\jTfO6wz\SLC.dll
  MD5: bcb40c2c284ae6d77cd66dbd7c372b3d
  SHA1: 348fce6496e4bdba941aab6b6099330a8c30200d
  SHA256: 8f8aaf4939e19aa5f3b800a7ee649688690eb5babb3f8d7465e631c75efdd95c
  SHA512: fcaccd2b7948d3ae847d68031c66ef17b62982826f33a8a814cb33f4550ba18d3238489b34187b5a37cd5106e7b854bd3fc4d10b24b8ad8c356f1b029b7a4dcf
- C:\Users\Admin\AppData\Local\jTfO6wz\phoneactivate.exe
  MD5: c2bc59e307f825237dce846049fda140
  SHA1: 30bf767297d2f3a833f57443fbf5dc02c80030bd
  SHA256: 3a373641d048ef5964efa2d80248e8d441cfcd93b47961e0ed586c1609069c41
  SHA512: f4d9aec2b1c24cc8e8094abf561a181659afd86054422d32a67b7dd0b95e0ec710ea5a43a44e610bf94df3c817fca9fc620032e0dbd88e824766ef0e3e1c3b42
- C:\Users\Admin\AppData\Local\lns2\SnippingTool.exe
  MD5: e40c6c256043c143f7b8cdca70f69f4f
  SHA1: 129f4f0257715715d50fd7b7129ce231771ae1ea
  SHA256: 76610fec5aabe77401425bc8a437f58e9307b636197ffd048ece9e02e955f88d
  SHA512: fb83e4feb112cbee5fb922178795df1f02f29cbe009d8b3b4d9b4f1a62c08d184a64df52e57ee3d4d8be839621f875a5279d15f39b94ff3a987a863fa4d743ba
- C:\Users\Admin\AppData\Local\lns2\dwmapi.dll
  MD5: c3ccf6bf67cf648b0f8110591cf5658b
  SHA1: a22171b90e39fd7f0f1fab60ecf416d6d6523b23
  SHA256: ab0a2b06ae9e81d96a8520b1107e79c01490d067c512dfa33b1540161ff25ea8
  SHA512: 0a81b808c2ae69757b00f861f32b035621484d865f20c8bb61242b1173b58b18d9805b199743ea689def6d40175aed5d673b763a462c7f5a4c50499110bd3806
- C:\Users\Admin\AppData\Local\ysor3L\DUI70.dll
  MD5: 3fa695440098e1a7955beb97f49b747e
  SHA1: fd3217b4d8c3d53e6ed7ec2191e2232730dec17b
  SHA256: 4cde9d22ba0d21ce731833842ced8e719fa87fc826a1206b150b300163583a3b
  SHA512: 1f3253c47669a4a746766d7899f6ff248deec0e8c1473b6e3133e1e93d477b2123a771cf0836f0b586c6f0943e37a55eec02a26104b8a16f1ee0577874a5dec2
- C:\Users\Admin\AppData\Local\ysor3L\SysResetErr.exe
  MD5: 432557a19cef7e1c23a4dcc7d148b712
  SHA1: b26c19de3b32108f8ac9307c30027e635615fc65
  SHA256: f519aba77298a8c04f3e9c8f5f1b40c8de05e41898f13033f337e13e05d4282a
  SHA512: 542e71740094ea810651901ec23f06c495e0c2d57fae09d6dd9730e11650843ade34eeba0b2816df025179c597825129b3a26a0007c75e10f1a8857340452ff7
- \Users\Admin\AppData\Local\jTfO6wz\SLC.dll
  MD5: bcb40c2c284ae6d77cd66dbd7c372b3d
  SHA1: 348fce6496e4bdba941aab6b6099330a8c30200d
  SHA256: 8f8aaf4939e19aa5f3b800a7ee649688690eb5babb3f8d7465e631c75efdd95c
  SHA512: fcaccd2b7948d3ae847d68031c66ef17b62982826f33a8a814cb33f4550ba18d3238489b34187b5a37cd5106e7b854bd3fc4d10b24b8ad8c356f1b029b7a4dcf
- \Users\Admin\AppData\Local\lns2\dwmapi.dll
  MD5: c3ccf6bf67cf648b0f8110591cf5658b
  SHA1: a22171b90e39fd7f0f1fab60ecf416d6d6523b23
  SHA256: ab0a2b06ae9e81d96a8520b1107e79c01490d067c512dfa33b1540161ff25ea8
  SHA512: 0a81b808c2ae69757b00f861f32b035621484d865f20c8bb61242b1173b58b18d9805b199743ea689def6d40175aed5d673b763a462c7f5a4c50499110bd3806
- \Users\Admin\AppData\Local\ysor3L\DUI70.dll
  MD5: 3fa695440098e1a7955beb97f49b747e
  SHA1: fd3217b4d8c3d53e6ed7ec2191e2232730dec17b
  SHA256: 4cde9d22ba0d21ce731833842ced8e719fa87fc826a1206b150b300163583a3b
  SHA512: 1f3253c47669a4a746766d7899f6ff248deec0e8c1473b6e3133e1e93d477b2123a771cf0836f0b586c6f0943e37a55eec02a26104b8a16f1ee0577874a5dec2
- memory/1496-177-0x0000022A75160000-0x0000022A75162000-memory.dmp (Filesize: 8KB)
- memory/1496-178-0x0000022A75160000-0x0000022A75162000-memory.dmp (Filesize: 8KB)
- memory/1496-170-0x0000000000000000-mapping.dmp
- memory/1496-179-0x0000022A75160000-0x0000022A75162000-memory.dmp (Filesize: 8KB)
- memory/2480-118-0x00000222B1B80000-0x00000222B1B82000-memory.dmp (Filesize: 8KB)
- memory/2480-115-0x0000000140000000-0x000000014015C000-memory.dmp (Filesize: 1.4MB)
- memory/2480-119-0x00000222B1B80000-0x00000222B1B82000-memory.dmp (Filesize: 8KB)
- memory/2480-120-0x00000222B1A70000-0x00000222B1A77000-memory.dmp (Filesize: 28KB)
- memory/2660-157-0x000001CCEFDF0000-0x000001CCEFDF2000-memory.dmp (Filesize: 8KB)
- memory/2660-150-0x0000000000000000-mapping.dmp
- memory/2660-159-0x000001CCEFDF0000-0x000001CCEFDF2000-memory.dmp (Filesize: 8KB)
- memory/2660-158-0x000001CCEFDF0000-0x000001CCEFDF2000-memory.dmp (Filesize: 8KB)
- memory/2660-154-0x0000000140000000-0x000000014015D000-memory.dmp (Filesize: 1.4MB)
- memory/2916-160-0x0000000000000000-mapping.dmp
- memory/2916-164-0x0000000140000000-0x00000001401A2000-memory.dmp (Filesize: 1.6MB)
- memory/2916-167-0x000001DDFE410000-0x000001DDFE412000-memory.dmp (Filesize: 8KB)
- memory/2916-168-0x000001DDFE410000-0x000001DDFE412000-memory.dmp (Filesize: 8KB)
- memory/2916-169-0x000001DDFE410000-0x000001DDFE412000-memory.dmp (Filesize: 8KB)
- memory/2960-129-0x0000000140000000-0x000000014015C000-memory.dmp (Filesize: 1.4MB)
- memory/2960-149-0x00007FF8576B0000-0x00007FF8576B2000-memory.dmp (Filesize: 8KB)
- memory/2960-148-0x0000000001300000-0x0000000001302000-memory.dmp (Filesize: 8KB)
- memory/2960-147-0x00007FF857575000-0x00007FF857576000-memory.dmp (Filesize: 4KB)
- memory/2960-146-0x0000000001300000-0x0000000001302000-memory.dmp (Filesize: 8KB)
- memory/2960-145-0x0000000001300000-0x0000000001302000-memory.dmp (Filesize: 8KB)
- memory/2960-139-0x0000000140000000-0x000000014015C000-memory.dmp (Filesize: 1.4MB)
- memory/2960-138-0x0000000140000000-0x000000014015C000-memory.dmp (Filesize: 1.4MB)
- memory/2960-137-0x0000000140000000-0x000000014015C000-memory.dmp (Filesize: 1.4MB)
- memory/2960-136-0x0000000140000000-0x000000014015C000-memory.dmp (Filesize: 1.4MB)
- memory/2960-135-0x0000000140000000-0x000000014015C000-memory.dmp (Filesize: 1.4MB)
- memory/2960-134-0x0000000140000000-0x000000014015C000-memory.dmp (Filesize: 1.4MB)
- memory/2960-133-0x0000000140000000-0x000000014015C000-memory.dmp (Filesize: 1.4MB)
- memory/2960-132-0x0000000140000000-0x000000014015C000-memory.dmp (Filesize: 1.4MB)
- memory/2960-131-0x0000000140000000-0x000000014015C000-memory.dmp (Filesize: 1.4MB)
- memory/2960-130-0x0000000140000000-0x000000014015C000-memory.dmp (Filesize: 1.4MB)
- memory/2960-128-0x0000000140000000-0x000000014015C000-memory.dmp (Filesize: 1.4MB)
- memory/2960-127-0x0000000140000000-0x000000014015C000-memory.dmp (Filesize: 1.4MB)
- memory/2960-126-0x0000000140000000-0x000000014015C000-memory.dmp (Filesize: 1.4MB)
- memory/2960-125-0x0000000140000000-0x000000014015C000-memory.dmp (Filesize: 1.4MB)
- memory/2960-124-0x0000000140000000-0x000000014015C000-memory.dmp (Filesize: 1.4MB)
- memory/2960-123-0x0000000140000000-0x000000014015C000-memory.dmp (Filesize: 1.4MB)
- memory/2960-122-0x0000000140000000-0x000000014015C000-memory.dmp (Filesize: 1.4MB)
- memory/2960-121-0x00000000012F0000-0x00000000012F1000-memory.dmp (Filesize: 4KB)