Analysis
- max time kernel: 107s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22-12-2023 15:44
- Static task: static1
- Behavioral task: behavioral1
- Sample: df0708fcf553fdf7b27a1591a96257db.dll
- Resource: win7-20231215-en
General
- Target: df0708fcf553fdf7b27a1591a96257db.dll
- Size: 2.0MB
- MD5: df0708fcf553fdf7b27a1591a96257db
- SHA1: cb8d06051f06b38cba24df4ccf676c1be7090484
- SHA256: 6dffce1ea68f5480f850e4b067f15d5950bca8d75f8d1a4b70059e11c0e02445
- SHA512: 11ec4c936d13c08215f41a023f3846773aabfa0cc89d35cf2674cc9072e51537fc147b690a1bbb7d4fa1c845eed35345cf78ad43acde8cb8e55e612509d524d6
- SSDEEP: 12288:AVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1xx:lfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
-
Processes:
- resource: behavioral2/memory/3412-4-0x0000000001560000-0x0000000001561000-memory.dmp; yara_rule: dridex_stager_shellcode
-
Executes dropped EXE 3 IoCs
Processes:
- pid 2976, Process rdpinit.exe
- pid 4576, Process sessionmsg.exe
- pid 3552, Process rdpclip.exe
-
Loads dropped DLL 3 IoCs
Processes:
- pid 2976, Process rdpinit.exe
- pid 4576, Process sessionmsg.exe
- pid 3552, Process rdpclip.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
- description: Set value (str); ioc: \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qoccyyzfzcu = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\DnIua\\SESSIO~1.EXE"
-
Processes:
- description: Key value queried; ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA; Process: rdpinit.exe
- description: Key value queried; ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA; Process: sessionmsg.exe
- description: Key value queried; ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA; Process: rdpclip.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
regsvr32.exepid Process 4052 regsvr32.exe 4052 regsvr32.exe 4052 regsvr32.exe 4052 regsvr32.exe 3412 3412 3412 3412 3412 3412 3412 3412 3412 3412 3412 3412 3412 3412 3412 3412 3412 3412 3412 3412 3412 3412 3412 3412 3412 3412 3412 3412 3412 3412 3412 3412 3412 3412 3412 3412 3412 3412 3412 3412 3412 3412 3412 3412 3412 3412 3412 3412 3412 3412 3412 3412 3412 3412 3412 3412 3412 3412 3412 3412 -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
- description: PID 3412 wrote to memory of 4588; pid: 3412; procid_target: 90
- description: PID 3412 wrote to memory of 4588; pid: 3412; procid_target: 90
- description: PID 3412 wrote to memory of 2976; pid: 3412; procid_target: 91
- description: PID 3412 wrote to memory of 2976; pid: 3412; procid_target: 91
- description: PID 3412 wrote to memory of 3404; pid: 3412; procid_target: 92
- description: PID 3412 wrote to memory of 3404; pid: 3412; procid_target: 92
- description: PID 3412 wrote to memory of 4576; pid: 3412; procid_target: 93
- description: PID 3412 wrote to memory of 4576; pid: 3412; procid_target: 93
- description: PID 3412 wrote to memory of 2096; pid: 3412; procid_target: 94
- description: PID 3412 wrote to memory of 2096; pid: 3412; procid_target: 94
- description: PID 3412 wrote to memory of 3552; pid: 3412; procid_target: 95
- description: PID 3412 wrote to memory of 3552; pid: 3412; procid_target: 95
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\regsvr32.exe
  command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\df0708fcf553fdf7b27a1591a96257db.dll
  PID: 4052
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\rdpinit.exe
  command line: C:\Windows\system32\rdpinit.exe
  PID: 4588
- C:\Users\Admin\AppData\Local\BfR\rdpinit.exe
  command line: C:\Users\Admin\AppData\Local\BfR\rdpinit.exe
  PID: 2976
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\sessionmsg.exe
  command line: C:\Windows\system32\sessionmsg.exe
  PID: 3404
- C:\Users\Admin\AppData\Local\oKit\sessionmsg.exe
  command line: C:\Users\Admin\AppData\Local\oKit\sessionmsg.exe
  PID: 4576
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\rdpclip.exe
  command line: C:\Windows\system32\rdpclip.exe
  PID: 2096
- C:\Users\Admin\AppData\Local\wDwAK7eTt\rdpclip.exe
  command line: C:\Users\Admin\AppData\Local\wDwAK7eTt\rdpclip.exe
  PID: 3552
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
Network
MITRE ATT&CK Enterprise v15
Downloads