Analysis
max time kernel: 21s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-12-2023 15:41
Static task: static1
Behavioral task: behavioral1
Sample: ddbbe63a86fa196d739928c165f32cac.dll
Resource: win7-20231215-en
General
Target: ddbbe63a86fa196d739928c165f32cac.dll
Size: 1.7MB
MD5: ddbbe63a86fa196d739928c165f32cac
SHA1: 6762a54f563ac149a70487d45c9f2b0146a0f38b
SHA256: 2a9d2e3b8a8a847b49653f88fa4da14ef6798706f216af7a739f157dec5746ea
SHA512: 2b5a7c5ebd2bf153101df35a4656600d419e7e889cf61ac44b503c13be6b84c986b70ea00cf1d4ac72504f9d128477e0dae2697330f1635dceb807a876993430
SSDEEP: 12288:1VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:sfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
Processes (resource, yara_rule):
behavioral2/memory/3436-4-0x0000000003380000-0x0000000003381000-memory.dmp  dridex_stager_shellcode
Executes dropped EXE 3 IoCs
Processes (pid, Process):
3048 dwm.exe
4792 AtBroker.exe
4312 BackgroundTransferHost.exe
Loads dropped DLL 6 IoCs
Processes (pid, Process):
3048 dwm.exe (4 entries)
4792 AtBroker.exe
4312 BackgroundTransferHost.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes (description, ioc, Process):
Set value (str) \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ddiqrdu = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\QUICKL~1\\USERPI~1\\IMPLIC~1\\7AUKTP~1\\AtBroker.exe"
Checks whether UAC is enabled
Processes (description, ioc, Process):
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  dwm.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  AtBroker.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (pid, Process):
2512 rundll32.exe (4 entries)
3436 (process name not recorded; all remaining entries)
Suspicious use of WriteProcessMemory 12 IoCs
Processes (description, pid, Process, procid_target):
PID 3436 wrote to memory of 3496 (procid_target 93), 2 entries
PID 3436 wrote to memory of 3048 (procid_target 94), 2 entries
PID 3436 wrote to memory of 2324 (procid_target 95), 2 entries
PID 3436 wrote to memory of 4792 (procid_target 96), 2 entries
PID 3436 wrote to memory of 5080 (procid_target 97), 2 entries
PID 3436 wrote to memory of 4312 (procid_target 114), 2 entries
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\rundll32.exe
command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ddbbe63a86fa196d739928c165f32cac.dll,#1
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2512
-
C:\Windows\system32\dwm.exe
command line: C:\Windows\system32\dwm.exe
PID:3496
-
C:\Users\Admin\AppData\Local\QvAOeKY3j\dwm.exe
command line: C:\Users\Admin\AppData\Local\QvAOeKY3j\dwm.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3048
-
C:\Windows\system32\AtBroker.exe
command line: C:\Windows\system32\AtBroker.exe
PID:2324
-
C:\Users\Admin\AppData\Local\Rm7U1GO46\AtBroker.exe
command line: C:\Users\Admin\AppData\Local\Rm7U1GO46\AtBroker.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4792
-
C:\Windows\system32\mspaint.exe
command line: C:\Windows\system32\mspaint.exe
PID:5080
-
C:\Users\Admin\AppData\Local\chXxaK\mspaint.exe
command line: C:\Users\Admin\AppData\Local\chXxaK\mspaint.exe
PID:4312
-
C:\Windows\system32\BackgroundTransferHost.exe
command line: "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
- Executes dropped EXE
- Loads dropped DLL
PID:4312
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\7AUkTp84EI\UxTheme.dll
Filesize: 40KB
MD5: ced5f9c1b46d069d66fa391f6c4fbc37
SHA1: ba71df78fa84bbc841e50da15b6f94a4a434ee52
SHA256: e29fd8548c7e6cdadc94a34377304c62105b7d1cc2d502da954c1bcd62a9b82f
SHA512: 62b833cfbfed520a9da079379975a8c05b5db2816100b1ac9241004a72d2af0717943cdc6dee58513f490bd00b25c2c078cbb9410df6b701596edbb7f1293f0e