Analysis
- max time kernel: 152s
- max time network: 122s
- platform: windows10_x64
- resource: win10-en-20211014
- submitted: 03-12-2021 10:48

Static task: static1
Behavioral task: behavioral1
Sample: e3a97ee2fa0ea4dc05340e0778674a93e8c95944c519df7ee5f486c08b1df15a.dll
Resource: win7-en-20211104
General
- Target: e3a97ee2fa0ea4dc05340e0778674a93e8c95944c519df7ee5f486c08b1df15a.dll
- Size: 1.2MB
- MD5: ea1bfbc91324c0cbb97f17775e653dab
- SHA1: 61c6d875774c9cd59ae56e351a291c2cf9e79284
- SHA256: e3a97ee2fa0ea4dc05340e0778674a93e8c95944c519df7ee5f486c08b1df15a
- SHA512: 903a180a93cc7ecd2b6e0fd76fc597456bbd1986d28f63993fc00b57dc47afad779fd05ce734f4070d3b16af08aec5e5da1086aefcf85929ba87c7cd1e27dc75
Malware Config
Signatures
-
YARA rule match: dridex_stager_shellcode
  resource   behavioral2/memory/3024-121-0x0000000001070000-0x0000000001071000-memory.dmp
  yara_rule  dridex_stager_shellcode
-
Executes dropped EXE 3 IoCs
  pid   process
  2324  FXSCOVER.exe
  924   sdclt.exe
  1376  LockScreenContentServer.exe
-
Drops startup file 3 IoCs
  description                   ioc
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\uuiSMZ8k
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\uuiSMZ8k\DUI70.dll
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\uuiSMZ8k\LockScreenContentServer.exe
-
Loads dropped DLL 3 IoCs
  pid   process
  2324  FXSCOVER.exe
  924   sdclt.exe
  1376  LockScreenContentServer.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
  description      ioc
  Set value (str)  \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\Slqggwbvaxk = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\SYSTEM~1\\LUibs4\\sdclt.exe"
-
Checks whether UAC is enabled
  description        ioc                                                                                  process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  FXSCOVER.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  sdclt.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  LockScreenContentServer.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
  pid   process
  2816  rundll32.exe (4 entries)
  3024  (no process name recorded; the remaining 60 of the 64 entries)
-
Suspicious behavior: GetForegroundWindowSpam 5 IoCs
  pid   process
  2816  rundll32.exe
  3024  (no process name recorded)
  2324  FXSCOVER.exe
  924   sdclt.exe
  1376  LockScreenContentServer.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
  description                       pid   target process
  PID 3024 wrote to memory of 1412  3024  FXSCOVER.exe
  PID 3024 wrote to memory of 2324  3024  FXSCOVER.exe
  PID 3024 wrote to memory of 836   3024  sdclt.exe
  PID 3024 wrote to memory of 924   3024  sdclt.exe
  PID 3024 wrote to memory of 3204  3024  LockScreenContentServer.exe
  PID 3024 wrote to memory of 1376  3024  LockScreenContentServer.exe
  (each row is recorded twice in the original table, giving the 12 IoCs)
Processes
-
C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e3a97ee2fa0ea4dc05340e0778674a93e8c95944c519df7ee5f486c08b1df15a.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
-
C:\Windows\system32\FXSCOVER.exe
  command line: C:\Windows\system32\FXSCOVER.exe
-
C:\Users\Admin\AppData\Local\hZNqp\FXSCOVER.exe
  command line: C:\Users\Admin\AppData\Local\hZNqp\FXSCOVER.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious behavior: GetForegroundWindowSpam
-
C:\Windows\system32\sdclt.exe
  command line: C:\Windows\system32\sdclt.exe
-
C:\Users\Admin\AppData\Local\5tgk5LL1\sdclt.exe
  command line: C:\Users\Admin\AppData\Local\5tgk5LL1\sdclt.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious behavior: GetForegroundWindowSpam
-
C:\Windows\system32\LockScreenContentServer.exe
  command line: C:\Windows\system32\LockScreenContentServer.exe
-
C:\Users\Admin\AppData\Local\iHYBPf\LockScreenContentServer.exe
  command line: C:\Users\Admin\AppData\Local\iHYBPf\LockScreenContentServer.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious behavior: GetForegroundWindowSpam
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\5tgk5LL1\WTSAPI32.dll
  MD5:    6426e34204b6ed0fe26afc3dc0191d5c
  SHA1:   5623d188b27649ace2b7181fb11d38125539abe5
  SHA256: 6b5e2a16cfc6624932d193654db556fe110a4dc6837a438d9ba74499562cf108
  SHA512: 5a9184c80b3f0ed7cd8056779866cfbc92288484decf3e34d6737e8c1a2d831a6e5dffeac5a11ae12dc515a393372b187f10f90c149ccd7f7c4daca2b8c3abea
-
C:\Users\Admin\AppData\Local\5tgk5LL1\sdclt.exe
  MD5:    d583261d1da3e49fa34d0ed9fc550173
  SHA1:   64d55723f6fec895c7e8b50f42a815b125ce0b29
  SHA256: 8577ef50c0dd969617fa313ebd927d6e4ca2faae24fa4516f643328a967c5e6a
  SHA512: 77aceaf9992b40c859c95d6ee6d6b31c06add7a1227f8e2d1fc49245163a8ffdbf347bfdb0cffb400a9550b715cede3941e4c3f0499d0942dc5f7853db5cd0b5
-
C:\Users\Admin\AppData\Local\hZNqp\FXSCOVER.exe
  MD5:    fd8a15f70619a553acd265264c3e435d
  SHA1:   394f6a1db57b502eb5196d9276d1c00afc791663
  SHA256: b9eec80e92a71b7405db190ac0d1fc177ba3d1f97411c43328a340d30a9d71a4
  SHA512: af30027401e97a69aa57847c00c73ccafd4113e58349efd9addf5e7c3a5809f5ff35430d181844c5acd0abba947ff9acb450ff3e0383ef7c187bd9b7808a8799
-
C:\Users\Admin\AppData\Local\hZNqp\MFC42u.dll
  MD5:    dce22d7d9020f440ea70a89d74735619
  SHA1:   0c19eb54e930d836c5e3d822ce8bfd078ad53ec7
  SHA256: 8617114eef94480d0f92b60e0b4e7c4069d3f7d705b8fa0d11fb121787481dd1
  SHA512: 5ada9a713bba37e4fb0e45df2029d32e2950ea8d17643f8c58f72769428e142a77afe4f197cc13f508112b085ab7a377135792d23626bf6737750a8d5b379534
-
C:\Users\Admin\AppData\Local\iHYBPf\DUI70.dll
  MD5:    ef5f8a1cefa217f16dc3d65292e5c170
  SHA1:   8cc92795f85e55d16c2254347149006537ca4470
  SHA256: 7ec86ab23b3fbd555e37bb2403bc8d64416e486eb640d24c37bc42bbb8de176e
  SHA512: 2c33acd9be161b2e745c91c1c81e7fc605451c33a6d6982870a8d12e4550d69192cee490c81022eea07769f338b538cbdfe8cad8d97848a2ccb7252c31efad50
-
C:\Users\Admin\AppData\Local\iHYBPf\LockScreenContentServer.exe
  MD5:    583914a93db0413668eadd743fd5fb1c
  SHA1:   8b95be0ad348f0aabfcceac3148109ef12e8a978
  SHA256: ec09ee1b2bb981335ea9db3ac031fbbc3ed74f9294d734a5799fb0d75e423583
  SHA512: 2f5c22cc3f557c65c876e8a943c7b3dec92d5c0b5219ab2410a334f42e442ef08d0c7b1c5c0797b83a17578a25ce70aa631a15be7ec6a6ea8a8d865dca0b9cd4