Analysis

max time kernel: 98s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-12-2023 15:44

Static task: static1
Behavioral task: behavioral1
Sample: deac37150b94c6871f020007e2d20de8.dll
Resource: win7-20231215-en
General

Target: deac37150b94c6871f020007e2d20de8.dll
Size: 2.0MB
MD5: deac37150b94c6871f020007e2d20de8
SHA1: 3b89d6d3afb9fc1111676be750b79ee563e0b51c
SHA256: b9a2afe692a14758fe22e04ec1d379839fcee981e7c82d4c884af960394ccf9a
SHA512: d511b778312473f7987fe3d69b419350a6acf096e3cab9a45b9320e944493bc694da073d502249c2c5f0e4b6452d5c5cdf808f8f12530b4cedd16b8e402ac87f
SSDEEP: 12288:gVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:FfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config

Signatures

YARA rule match in process memory
resource: behavioral2/memory/3552-4-0x00000000025E0000-0x00000000025E1000-memory.dmp
yara_rule: dridex_stager_shellcode
Executes dropped EXE (3 IoCs)
pid   Process
4492  wbengine.exe
648   sdclt.exe
1580  cmstp.exe

Loads dropped DLL (4 IoCs)
pid   Process
4492  wbengine.exe
648   sdclt.exe
1580  cmstp.exe
1580  cmstp.exe
Adds Run key to start application (2 TTPs, 1 IoC)
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qoccyyzfzcu = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\5E3UIA~1\\sdclt.exe"

The value is written in 8.3 short-name form: MICROS~1 and STARTM~1 are the short names of the Roaming Microsoft\Windows\Start Menu folders, so the autostart target is a copy of sdclt.exe placed under the user's Start Menu\Programs tree rather than the genuine C:\Windows\system32\sdclt.exe that also appears in the process tree below. The row records no owning process.
Checks whether UAC is enabled (4 IoCs)
description        ioc                                                                                        Process
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  wbengine.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  sdclt.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  cmstp.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid   Process       hits
456   rundll32.exe  4
3552  (no image name recorded)  60
Suspicious use of WriteProcessMemory (12 IoCs)
description                        pid   procid_target
PID 3552 wrote to memory of 3348   3552  91
PID 3552 wrote to memory of 3348   3552  91
PID 3552 wrote to memory of 4492   3552  92
PID 3552 wrote to memory of 4492   3552  92
PID 3552 wrote to memory of 3200   3552  93
PID 3552 wrote to memory of 3200   3552  93
PID 3552 wrote to memory of 648    3552  94
PID 3552 wrote to memory of 648    3552  94
PID 3552 wrote to memory of 4708   3552  97
PID 3552 wrote to memory of 4708   3552  97
PID 3552 wrote to memory of 1580   3552  96
PID 3552 wrote to memory of 1580   3552  96

Every target here is one of the six wbengine.exe / sdclt.exe / cmstp.exe instances in the process tree below, and each is written twice. The writer, PID 3552, is also the process whose memory dump matched dridex_stager_shellcode, but it has no entry of its own in the process tree on this page, so the tree alone does not show which image it ran as.
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Windows\system32\rundll32.exe
  command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\deac37150b94c6871f020007e2d20de8.dll,#1
  PID: 456
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses

C:\Windows\system32\wbengine.exe
  command: C:\Windows\system32\wbengine.exe
  PID: 3348

C:\Users\Admin\AppData\Local\BDsfjXfc\wbengine.exe
  command: C:\Users\Admin\AppData\Local\BDsfjXfc\wbengine.exe
  PID: 4492
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled

C:\Windows\system32\sdclt.exe
  command: C:\Windows\system32\sdclt.exe
  PID: 3200

C:\Users\Admin\AppData\Local\moZL7\sdclt.exe
  command: C:\Users\Admin\AppData\Local\moZL7\sdclt.exe
  PID: 648
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled

C:\Users\Admin\AppData\Local\Ki96x\cmstp.exe
  command: C:\Users\Admin\AppData\Local\Ki96x\cmstp.exe
  PID: 1580
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled

C:\Windows\system32\cmstp.exe
  command: C:\Windows\system32\cmstp.exe
  PID: 4708

All seven entries are recorded at the same tree depth; the genuine system32 copy of wbengine.exe, sdclt.exe and cmstp.exe is launched alongside a same-named copy dropped into a random directory under AppData\Local, and only the AppData copies carry the dropped-EXE and dropped-DLL signatures.
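The process tree above and the Run key value earlier in the report share one pattern: a Windows binary that normally lives in system32 is executed, or registered to autostart, from a user-writable directory. The script below is an added example, not part of the sandbox report or its tooling, that turns that observation into a check a triage analyst can run over a process trace and an autorun value. The process list and the Run value are constructed from this report; the SYSTEM_DIRS set, the user-profile pattern and all function names are the example's own assumptions, and nothing is read from a live registry.

```python
"""Hunt for Windows system binaries that run from, or are autostarted from, a
user-writable directory (the relocated-binary pattern in the report above).
All sample data below is constructed from the report; nothing is read from a
live system, so this runs offline on any platform."""
import ntpath
import re

# Directories where the genuine copies of these binaries live (assumed set).
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Anything under a user profile is writable by that user and therefore a
# plausible drop location for a relocated copy.
USER_PROFILE_RE = re.compile(r"^c:\\users\\[^\\]+\\", re.IGNORECASE)

# (pid, image path) pairs, constructed from the process tree in the report.
PROCESS_EVENTS = [
    (456,  r"C:\Windows\system32\rundll32.exe"),
    (3348, r"C:\Windows\system32\wbengine.exe"),
    (4492, r"C:\Users\Admin\AppData\Local\BDsfjXfc\wbengine.exe"),
    (3200, r"C:\Windows\system32\sdclt.exe"),
    (648,  r"C:\Users\Admin\AppData\Local\moZL7\sdclt.exe"),
    (1580, r"C:\Users\Admin\AppData\Local\Ki96x\cmstp.exe"),
    (4708, r"C:\Windows\system32\cmstp.exe"),
]

# The HKCU\...\Run value from the report (8.3 short names left as recorded).
RUN_KEY_VALUE = (r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1"
                 r"\Programs\5E3UIA~1\sdclt.exe")


def is_system_dir(path: str) -> bool:
    return ntpath.dirname(path).lower() in SYSTEM_DIRS


def in_user_profile(path: str) -> bool:
    return USER_PROFILE_RE.match(path) is not None


def image_from_command(cmd: str) -> str:
    """Return the executable path from a Run-value command string.

    A quoted value ends at the closing quote; an unquoted value is taken up to
    the first space, which is the conservative reading of an unquoted path
    (CreateProcess itself tries each space-delimited prefix in turn).
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def system_binary_names(events) -> set:
    """Image names observed running from a system directory in this trace."""
    return {ntpath.basename(p).lower() for _, p in events if is_system_dir(p)}


def relocated_system_binaries(events) -> list:
    """(pid, path) of processes that share a name with a system binary seen in
    the same trace but whose image lives under a user profile."""
    names = system_binary_names(events)
    return [(pid, p) for pid, p in events
            if in_user_profile(p) and ntpath.basename(p).lower() in names]


def suspicious_autorun(value: str, names: set) -> bool:
    """True if a Run value launches a system-binary name from a user profile."""
    image = image_from_command(value)
    return in_user_profile(image) and ntpath.basename(image).lower() in names


if __name__ == "__main__":
    names = system_binary_names(PROCESS_EVENTS)
    for pid, path in relocated_system_binaries(PROCESS_EVENTS):
        print(f"relocated system binary: pid={pid} {path}")
    if suspicious_autorun(RUN_KEY_VALUE, names):
        print(f"suspicious Run value: {RUN_KEY_VALUE}")
```

Run stand-alone it flags PIDs 4492, 648 and 1580 and the Qoccyyzfzcu Run value. The name set is derived from the trace itself rather than hard-coded, so the same logic generalises to any trace where the genuine binary and its relocated copy both appear; on a live host the 8.3 components in the Run value would additionally be expanded (GetLongPathName) before comparing paths, which this offline example deliberately does not do.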
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 31KB
MD5: 72c68d2e4d307a9d661d573eb3602614
SHA1: 608ebe396145a6b33676266255dd28f3a2961df8
SHA256: 63d7daae2811fa2c777ec92b9fcaf6254697bbf3d6259bcf1e7fcdb57ca5a768
SHA512: 24201d951323ac4f75324cbc1b3e5803a0b845f4823b30021e0ea4ac41216a4544a4a90a19ccd46104c5a979a762026cbd56ac5bdd9ed7318a4cd3501c0d5033

Filesize: 1KB
MD5: 410e9dda3899daec560597e1a2089af7
SHA1: 9458a4e231b1cdcf4074d4657e02e883bf0e4868
SHA256: 8ef93b655645f595b8b8188d2531f7f4750e3d1912812f1ed6b5e691cc11fb62
SHA512: 34fce71c8dad4324793ab1fec5227e9a935baa3e332c7b2f688412b926b262fc7fab3f2f639853ae7a456cc8acc992be5783f6789e86829e223b30c7f9b87661

Filesize: 27KB
MD5: 5f04e842eeb866dfc780944f9aefa0c4
SHA1: 69b79de26f4179d92e3b276711fa51b95120572f
SHA256: d59f31c5d50df792fe322e23c59a2df5035b2da0a6bab2d74245116287bcf398
SHA512: a86d2709ff51cc9b074bcd476fa8d97f769e791b4f18d183b8af63272108269de633ef354278949fbcc351539ee491f75bb1133e010be3e17b5de5a4573a128f

Filesize: 85KB
MD5: 8fae34af42f84b2579dfe7b8597bac5d
SHA1: ac10b24681744e83f65356dc3c75ab9f4a67d556
SHA256: c05a1e78ea9ac5ebe178c19af69c6f6142a4b461db19a087febea2d5ca8b6483
SHA512: 366b84a762ea97788d3e32ae5eae3d04a0d9659e40497fb7fc2d5a6bf94bbd7e0822cc69e624ec42f9d0abfd6e5ba177cb9bea40db0fe5ac89f6495958de2210