Analysis
Max time kernel: 156s
Max time network: 131s
Platform: windows10_x64
Resource: win10-en-20211104
Submitted: 26-11-2021 09:29
Static task: static1
Behavioral task: behavioral1
Sample: a7e4a244a0c2c589c237ed8ee1870017ee62e84809d589cb0824db74ca64ec99.dll
Resource: win7-en-20211104
General
Target: a7e4a244a0c2c589c237ed8ee1870017ee62e84809d589cb0824db74ca64ec99.dll
Size: 1MB
MD5: 7bdaee4bb6adf9e4b601e6d577759dac
SHA1: 887a4784967fa269affaa90866bb5c2527b66474
SHA256: a7e4a244a0c2c589c237ed8ee1870017ee62e84809d589cb0824db74ca64ec99
SHA512: 947aca10d1aeb83b275bcdd844cb3019e91e198838ba15b054d04fe1bba42017284e5b14a871dfc08fd6a8c0f7f919c14d0e3375f0c3ea2cf7c2f872d8e90a49
Malware Config
Signatures

YARA rule match
Resource: behavioral2/memory/396-125-0x00000000003D0000-0x00000000003D1000-memory.dmp
YARA rule: dridex_stager_shellcode

Executes dropped EXE (3 IoCs)
Processes:
- pid 4220 rdpinput.exe
- pid 3140 SystemPropertiesPerformance.exe
- pid 1144 SystemSettingsAdminFlows.exe

Loads dropped DLL (3 IoCs)
Processes:
- pid 4220 rdpinput.exe
- pid 3140 SystemPropertiesPerformance.exe
- pid 1144 SystemSettingsAdminFlows.exe

Adds Run key to start application (2 TTPs, 1 IoC)
Description: Set value (str)
IoC: \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ziekmjidk = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\66Knf\\SystemPropertiesPerformance.exe"

Checks whether UAC is enabled
Description: Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Processes:
- rundll32.exe
- rdpinput.exe
- SystemPropertiesPerformance.exe
- SystemSettingsAdminFlows.exe

Modifies registry class (2 IoCs)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance
- Key created \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (the original table lists 64 pid entries, most of them pid 396):
- pid 3636 rundll32.exe
- pid 396 (process name not recorded)
- pid 4220 rdpinput.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
- pid 396

Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes:
- pid 396: Token: SeShutdownPrivilege
- pid 396: Token: SeCreatePagefilePrivilege
- pid 396: Token: SeShutdownPrivilege
- pid 396: Token: SeCreatePagefilePrivilege

Suspicious use of WriteProcessMemory (12 IoCs)
Processes (description, pid, target process):
- PID 396 wrote to memory of 4272, pid 396, target rdpinput.exe
- PID 396 wrote to memory of 4272, pid 396, target rdpinput.exe
- PID 396 wrote to memory of 4220, pid 396, target rdpinput.exe
- PID 396 wrote to memory of 4220, pid 396, target rdpinput.exe
- PID 396 wrote to memory of 4308, pid 396, target SystemPropertiesPerformance.exe
- PID 396 wrote to memory of 4308, pid 396, target SystemPropertiesPerformance.exe
- PID 396 wrote to memory of 3140, pid 396, target SystemPropertiesPerformance.exe
- PID 396 wrote to memory of 3140, pid 396, target SystemPropertiesPerformance.exe
- PID 396 wrote to memory of 1096, pid 396, target SystemSettingsAdminFlows.exe
- PID 396 wrote to memory of 1096, pid 396, target SystemSettingsAdminFlows.exe
- PID 396 wrote to memory of 1144, pid 396, target SystemSettingsAdminFlows.exe
- PID 396 wrote to memory of 1144, pid 396, target SystemSettingsAdminFlows.exe
Processes

- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a7e4a244a0c2c589c237ed8ee1870017ee62e84809d589cb0824db74ca64ec99.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\rdpinput.exe
  Command line: C:\Windows\system32\rdpinput.exe
- C:\Users\Admin\AppData\Local\yWX\rdpinput.exe
  Command line: C:\Users\Admin\AppData\Local\yWX\rdpinput.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\SystemPropertiesPerformance.exe
  Command line: C:\Windows\system32\SystemPropertiesPerformance.exe
- C:\Users\Admin\AppData\Local\HGo\SystemPropertiesPerformance.exe
  Command line: C:\Users\Admin\AppData\Local\HGo\SystemPropertiesPerformance.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\SystemSettingsAdminFlows.exe
  Command line: C:\Windows\system32\SystemSettingsAdminFlows.exe
- C:\Users\Admin\AppData\Local\58lm8oTJ\SystemSettingsAdminFlows.exe
  Command line: C:\Users\Admin\AppData\Local\58lm8oTJ\SystemSettingsAdminFlows.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\58lm8oTJ\DUI70.dll
  MD5: 54e1537f6dae1b821b4c0af6e96f6577
  SHA1: ae82e38019d3df8bc38c015c2250e19b7d59255c
  SHA256: 2509493f357a313e2bb731fab9b1ff8353fa1fa008098733dda6103fc5777322
  SHA512: cedebd34e2f6a7c18190a06da485a4884e0c1c2195c73261cf2722aa6d5c82a039e2f9fde425124c45292865d67f419ecd80cda04880fdee21a0bf2030c7b101
- C:\Users\Admin\AppData\Local\58lm8oTJ\SystemSettingsAdminFlows.exe
  MD5: ed20a50080dc6977c774b42810f6c94c
  SHA1: a3a6fbf9a10b67b7b5bf6ef1fb0912483ff68ba4
  SHA256: fd537b9a6dd9349a98d19d2023fb6de8a0cb6e7e2e230dcc3fc2621eca024f5d
  SHA512: 0cdd7b145567c78a6800e47819d6d2c370fdac1fdb92cf726cad6c588a38b44a69f101dc470eb64745938fb47615d28c0d1215755eef7d3a739c9f39a24d7d8e
- C:\Users\Admin\AppData\Local\HGo\SYSDM.CPL
  MD5: 36bb0a8f06cc4ec55fd41a056192ebda
  SHA1: 9f9b66fb4d5b1ea8f8c17f7c55688eea7618bc10
  SHA256: 031ae5a8a1e717a59852bb322f18c409f7aa7cff5128bb10e4b7113cd07dbebb
  SHA512: c2821b92c1d02e38383488233f6de02ffbb0e5bf2bac1bee1cd9c8289d9d5fedcde9d25c1ff5d921d3eddcdef85b8948927a1741f28fef9b8018b1e6a2a22f63
- C:\Users\Admin\AppData\Local\HGo\SystemPropertiesPerformance.exe
  MD5: 0a23dbe5f3926280d0eeef6e35b8e603
  SHA1: 3023d1eaef3944a8487c18672af1d562114b9f5f
  SHA256: 24482d0a1972e7424e50de2aeb37d6f0d8a05e3f09afe4a0c7354817193a2d40
  SHA512: ef7c1f4fe4d20f47f4d8576df86cdd14f89e35a88e1253f27a0432e4963885acede7622e350116135f0f90eb2eaea60cba5f0612c127cb495e5e4f54333126f4
- C:\Users\Admin\AppData\Local\yWX\WINSTA.dll
  MD5: 27fb69f60d7278e83baa2c30d50172b2
  SHA1: 2c2a90614b4189a8968a046c1a668f1122b6b922
  SHA256: 24dbc71f69d0a04b7751a109746ad890d243baa2365ce5fe4e3deedcb62ba239
  SHA512: 23e64b0cd59b898eeec306bf05216c4b1c0a5c5299f5c312ee0eb2ac5a7f1c880d17bae02517b7d460f1291a27ecfdbe9f49c2757812a2ead20c027ca83127bb
- C:\Users\Admin\AppData\Local\yWX\rdpinput.exe
  MD5: 431364c49991ebfea19b468020368e08
  SHA1: c36c8a01ccd17b8ec754fe92d1e03558bb3f05ac
  SHA256: 6c59ea8b7807d9cc9de5c67cf679a1fb1bed4629da1f0a071e03af775de8e4fc
  SHA512: 6b2baeb9abc1277fef874ead7d0c4b2b5c5953b8f9db5ae056a14a0af6edb6482b303e7f4ba5237a22e62919f09cd8334692dd58053754ed18837ace14565d8f