Analysis
- max time kernel: 35s
- max time network: 157s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22-12-2023 15:47

Static task: static1
Behavioral task: behavioral1
- Sample: e06bc9c34016a67b0d3a56913db15515.dll
- Resource: win7-20231129-en
General
- Target: e06bc9c34016a67b0d3a56913db15515.dll
- Size: 2.1MB
- MD5: e06bc9c34016a67b0d3a56913db15515
- SHA1: b6b8a5ac1eb6952a7d92c37b4b9c38745796b1f5
- SHA256: 9defa598e8384355655dd2fcba9e94f1bfbb4fc1d14d4f43cef7ce3173cc8736
- SHA512: 79c4dcb7ff48c177ceba1d84946fde02ec9a122bccdff124fd2092d4b063837ba97f43ca49d4f43dc9c47e2ffba730a26bdca8cdfebedcfba03a5d7ab85bc313
- SSDEEP: 12288:2VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:rfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config

Signatures
- YARA rule match: dridex_stager_shellcode 1 IoCs
  resource | yara_rule
  behavioral2/memory/3444-4-0x0000000003220000-0x0000000003221000-memory.dmp | dridex_stager_shellcode
  Note: PID 3444, the process whose memory matched, is also the source of every WriteProcessMemory event below, yet it does not appear in the process tree; the injected host of the stager is therefore not identified by this report.
- Drops startup file 3 IoCs
  description | ioc
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wWGTTbGvc
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wWGTTbGvc\VERSION.dll
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wWGTTbGvc\unregmp2.exe
  (The report does not record the writing process for these IoCs.)
- Executes dropped EXE 3 IoCs
  pid | Process
  444 | FileHistory.exe
  4832 | psr.exe
  768 | unregmp2.exe
- Loads dropped DLL 3 IoCs
  pid | Process
  444 | FileHistory.exe
  4832 | psr.exe
  768 | unregmp2.exe
- Adds Run key to start application 2 TTPs 1 IoCs
  description | ioc
  Set value (str) | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ddiqrdu = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\CloudStore\\trxFE74dJ\\psr.exe"
  (The report does not record the writing process for this IoC.)
- Checks whether UAC is enabled
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | FileHistory.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | psr.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | unregmp2.exe
- Suspicious behavior: EnumeratesProcesses 64 IoCs
  pid | Process
  3720 | rundll32.exe (4 events)
  3444 | image not recorded (the remaining 60 events)
- Suspicious use of WriteProcessMemory 12 IoCs
  description | pid | procid_target
  PID 3444 wrote to memory of 5096 | 3444 | 89
  PID 3444 wrote to memory of 444 | 3444 | 94
  PID 3444 wrote to memory of 4192 | 3444 | 96
  PID 3444 wrote to memory of 4832 | 3444 | 98
  PID 3444 wrote to memory of 3732 | 3444 | 101
  PID 3444 wrote to memory of 768 | 3444 | 102
  (Each of the six writes is recorded twice, giving the 12 IoCs; no Process image is recorded for PID 3444.)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
All seven processes are recorded at depth 1; the tree shows no parent for the relocated copies.
- C:\Windows\system32\rundll32.exe (PID 3720), depth 1
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e06bc9c34016a67b0d3a56913db15515.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\FileHistory.exe (PID 5096), depth 1
  Command line: C:\Windows\system32\FileHistory.exe
- C:\Users\Admin\AppData\Local\SCrbFWM9\FileHistory.exe (PID 444), depth 1
  Command line: C:\Users\Admin\AppData\Local\SCrbFWM9\FileHistory.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\psr.exe (PID 4192), depth 1
  Command line: C:\Windows\system32\psr.exe
- C:\Users\Admin\AppData\Local\WbHcFlDX\psr.exe (PID 4832), depth 1
  Command line: C:\Users\Admin\AppData\Local\WbHcFlDX\psr.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\unregmp2.exe (PID 3732), depth 1
  Command line: C:\Windows\system32\unregmp2.exe
- C:\Users\Admin\AppData\Local\RWqIx\unregmp2.exe (PID 768), depth 1
  Command line: C:\Users\Admin\AppData\Local\RWqIx\unregmp2.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
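The behaviour chain above (rundll32 loading a DLL from Temp by ordinal, signed system binaries re-launched from random-named AppData\Local directories, a Startup-folder drop, and a Run value pointing into AppData\Roaming) can be expressed as detection logic over process, registry and file events. The following Python is an added example, not part of this sandbox report and not any vendor's tooling; the event dictionary layout is an assumption loosely modelled on Sysmon-style fields, and the sample events are constructed from the PIDs and paths in the report plus two benign controls.

```python
"""Detection logic for the relocate-and-persist pattern in this report.

Added example, not part of the sandbox report. Event shapes are an assumption
(ProcessCreate: pid/image/cmdline; RegistryValueSet: target/details;
FileCreate: target); EVENTS is constructed from the report's process tree and
IoCs, with two benign Program Files controls added.
"""
import ntpath
import re

# Locations a standard user can write to without elevation (assumption:
# default profile layout under C:\Users\<name>; extend for redirected profiles).
USER_WRITABLE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
SYSTEM_DIRS = re.compile(r"^[A-Za-z]:\\Windows\\(System32|SysWOW64)\\", re.IGNORECASE)
STARTUP_DIR = re.compile(r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)

EVENTS = [  # constructed from the report above
    {"type": "ProcessCreate", "pid": 3720, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\e06bc9c34016a67b0d3a56913db15515.dll,#1"},
    {"type": "ProcessCreate", "pid": 5096, "image": r"C:\Windows\system32\FileHistory.exe"},
    {"type": "ProcessCreate", "pid": 444, "image": r"C:\Users\Admin\AppData\Local\SCrbFWM9\FileHistory.exe"},
    {"type": "ProcessCreate", "pid": 4192, "image": r"C:\Windows\system32\psr.exe"},
    {"type": "ProcessCreate", "pid": 4832, "image": r"C:\Users\Admin\AppData\Local\WbHcFlDX\psr.exe"},
    {"type": "ProcessCreate", "pid": 3732, "image": r"C:\Windows\system32\unregmp2.exe"},
    {"type": "ProcessCreate", "pid": 768, "image": r"C:\Users\Admin\AppData\Local\RWqIx\unregmp2.exe"},
    {"type": "RegistryValueSet",
     "target": r"\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ddiqrdu",
     "details": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\CloudStore\trxFE74dJ\psr.exe"},
    {"type": "FileCreate", "target": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wWGTTbGvc\VERSION.dll"},
    {"type": "FileCreate", "target": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wWGTTbGvc\unregmp2.exe"},
    # Benign controls (constructed, hypothetical product): must not fire.
    {"type": "ProcessCreate", "pid": 9001, "image": r"C:\Program Files\Example\example.exe"},
    {"type": "RegistryValueSet", "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Example",
     "details": r"C:\Program Files\Example\example.exe /tray"},
]


def _basename(path):
    return ntpath.basename(path).lower()


def relocated_system_binaries(events):
    """A binary that also ran from System32 now executing from a user-writable
    directory: same name, wrong location. This is the staging step for DLL
    side-loading; a hash or Authenticode comparison with the System32 original
    would confirm the copy is verbatim."""
    procs = [e for e in events if e["type"] == "ProcessCreate"]
    system_names = {_basename(e["image"]) for e in procs if SYSTEM_DIRS.match(e["image"])}
    return [(e["pid"], e["image"]) for e in procs
            if _basename(e["image"]) in system_names and USER_WRITABLE.match(e["image"])]


def rundll32_user_dll(events):
    """rundll32 invoked on a DLL under a user-writable path; returns (pid, dll, entry)."""
    hits = []
    for e in events:
        if e["type"] != "ProcessCreate" or _basename(e["image"]) != "rundll32.exe":
            continue
        m = re.search(r'rundll32(?:\.exe)?\s+"?([^",]+?)"?\s*,\s*(\S+)', e.get("cmdline", ""), re.IGNORECASE)
        if m and USER_WRITABLE.match(m.group(1)):
            hits.append((e["pid"], m.group(1), m.group(2)))
    return hits


def run_key_into_user_dir(events):
    """Run/RunOnce values whose target lives under AppData. Legitimate per-user
    installers do this too, so treat it as corroboration, not a verdict."""
    return [(e["target"], e["details"]) for e in events
            if e["type"] == "RegistryValueSet" and RUN_KEY.search(e["target"])
            and USER_WRITABLE.match(e["details"].strip('"'))]


def startup_folder_drops(events):
    """Executables or DLLs written into the per-user Startup folder."""
    return [e["target"] for e in events
            if e["type"] == "FileCreate" and STARTUP_DIR.search(e["target"])
            and e["target"].lower().endswith((".exe", ".dll"))]


def triage(events):
    """Run every rule and keep only the ones that fired."""
    findings = {
        "relocated_system_binary": relocated_system_binaries(events),
        "rundll32_user_dll": rundll32_user_dll(events),
        "run_key_into_user_dir": run_key_into_user_dir(events),
        "startup_folder_drop": startup_folder_drops(events),
    }
    return {rule: hits for rule, hits in findings.items() if hits}


if __name__ == "__main__":
    for rule, hits in triage(EVENTS).items():
        print(rule)
        for hit in hits:
            print("   ", hit)
```

The relocated-binary rule is the high-confidence one here: FileHistory.exe, psr.exe and unregmp2.exe are all launched from System32 first and then from a freshly created AppData\Local directory, exactly as the process tree shows. The Run-key and Startup-folder rules fire on plenty of legitimate per-user software, so in production they should be scored alongside the relocation hit rather than alerted on alone.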
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 56KB
  MD5: 86530fcec58475907541563e349660c4
  SHA1: ce0bf5ca0dcfaa0cdf85ab19b0613c8c299d9b1e
  SHA256: abd60ca614536e6baafd32cdce866f436390cc518b4d930db596d7b5d9d9b18f
  SHA512: 7d6a06d441db099872d49df1c371aaac5079df73eadda93cdc445846c433d1c2bb91a6757cf05e583df401cb12ed7d651316fe5cef351fc126d197584f329a50
- Filesize: 16KB
  MD5: 7ce177cc2245fe154827a45e0a90cad4
  SHA1: 08bc4eced6f0caa1eba32841ade084bbc86586fe
  SHA256: 32600bc424fc355cb92144f52920e4e6634c37a178eb131a2a63ba13ef19696b
  SHA512: e1b60ae726d3d920ebd04ded17de8d8b1ff912aac92d092ac4ffdc2dd7d424663f8e1515503b47cc559cbc742ef5cd06b442a1981314534f4662f442314f3081
- Filesize: 73KB
  MD5: 47aede7b66c8a8bdc032e87c2780480b
  SHA1: 88bd0c1c94373a8de32c078f9d64d86c5bfc9902
  SHA256: f1254505ef3248878e9b89df444e5645653b1ade0e419fbe933cbd049f840c4c
  SHA512: 65704c2989825c00a7478303cac4361ac0ddb428ef9944007371622e83c1cd5e2bff4cbf4e512f4bc592c45b46d5896f0ec660dbe686e08b41d0847cd585c9ef
- Filesize: 132KB
  MD5: 5af41fc5e4994b377c9883c0ba505380
  SHA1: b1d7e37c20c4c0944f744ae6d9d44c32f87eee2d
  SHA256: 416466638ffd182b04a22208af4598f48d7e402932f7eaf84a7fda7644c286c1
  SHA512: 728adfdeba91eadaf6210cd054dce64c8d17025f6f55e511086c1f508529a25ecd2943a35f3a59c6548e1ba55d693644efd1f36c9e4c0c8445ad7538c3a8a11e
- Filesize: 32KB
  MD5: c7c16c482b23fff3f45dbdc3bfd4c990
  SHA1: cd4a240e23569edfc197abd1b5dac6c27317891e
  SHA256: 7563f2925de20cf66ca6bd308f2d4c50238965d2ff60dda164483601d49c7655
  SHA512: 4316693060cd663ea650dbea3309357e68b6963a30e637a0fb948e2b877f720ea2104d4cc987e891a626b37de1cb7e33e8478e3dfcf68badf9d54c50b76cabd7
- Filesize: 92KB
  MD5: c9152e5603808531454be9b35963dd79
  SHA1: 26d4c433162f3cca192a75abb71de22cff464c9e
  SHA256: 52204e278ed9947a7f418a4eec471320a09ad614c0edb0cadbce27178bff6a79
  SHA512: ec6f4a85a7fc774318d505188d6ecb7a78fa608c1823375f5a51ad06929903ab2a06a8506d4ba92b373c187b623b19011f326b90dded7f9b11278c904ca0cad4
- Filesize: 33KB
  MD5: c76b9a123bbf634dab6a70e52ee79a6b
  SHA1: f321f6d0d6fe9bcb039dc53d4116606eb6797661
  SHA256: 538475c550db7be565756440b793f63c1a6c46b224db9c1f2f5e5cd84288f235
  SHA512: bb20c9ef2acd46fe11a40954775e08de2e85554ce46969cccf0454ffb5c9a0964a92f1795272b95320460b790a295ba3d232b5506f2f98acf4cba625e447a14d
- Filesize: 86KB
  MD5: 4ab8f088085a132fe120809edaba76cf
  SHA1: ce71f5a4e848543508078e82daa369392ce2db00
  SHA256: a410be9fe7df49032b84b3e0cfb5f6f73f42983a481dfc98eee6c3aaffd6928f
  SHA512: 9766f2a96d277f9e794d4d43193a78a4bfa6a2150e12bacc97bafd4410861d68c9bcbd42006469b65fd3b85c42d474538caec9f6c683fc2c6e93fd7e2495b1ce
- Filesize: not recorded (these are the well-known digests of a 0-byte file, so this entry carries no content)
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
- Filesize: 5KB
  MD5: d550310aee9d62163fdc222bb78ff2c7
  SHA1: 038be4f23803a6ead9c1c19c4767f680e363743e
  SHA256: 5c4fd95c5b3864a3ecd2addf774948d0d84a65d60e7eb044f7590f287faf0101
  SHA512: 598276ece227cebc1ec4b84ec1069c2f019fb279221f531b92d41655bc2157d235bfb20465ba243ebaea51869e65c820474919c190dd6d434e015b3a2cec1b1a
- Filesize: 92KB
  MD5: 4535b8763ab2bfec6f3bd25884a3e6dc
  SHA1: 3de2f480b9264a982719c252fa72b13485a10e5d
  SHA256: 9db005d5330f09f6d7f9df1818017e3f4a06bce661b8d02bf2a8f1a415fe49a8
  SHA512: 53a2be72b582a0ea0246d609bffcc655fb7c93a2169e2058cfbd2a4179401a1202c4a59daa5356ebb6ac5dafee488b3837e6ccae2051d5d2d9a662bc5181a215