Analysis
- max time kernel: 8s
- max time network: 122s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22-12-2023 15:47

Static task
- static1: 1 signatures

Behavioral task
- behavioral1
- Sample: e0766950c83a3551309ffe32a39cf502.dll
- Resource: win7-20231215-en
- 9 signatures, 150 seconds
General
- Target: e0766950c83a3551309ffe32a39cf502.dll
- Size: 2.9MB
- MD5: e0766950c83a3551309ffe32a39cf502
- SHA1: 91c525d856e976147ac070289ca9c749ede297e5
- SHA256: aa4895a92de07b083cd4ae91f0dfa52a25713b7103d573512465a75f23ffbdc4
- SHA512: c2c7b427e6e44f4b6114170e80bc4f9823882337489892a185b06418440bee9a25a0754e76a198b67f3af4b6f8b6fc91107a4af9591cbe2616b19bb2c28ce38e
- SSDEEP: 12288:TVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ11:CfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
- YARA match in process memory
  resource: behavioral2/memory/3480-4-0x00000000020E0000-0x00000000020E1000-memory.dmp (PID 3480, region 0x20E0000-0x20E1000)
  yara_rule: dridex_stager_shellcode

- Executes dropped EXE (3 IoCs)
  pid   Process
  624   quickassist.exe
  2624  ie4ushowIE.exe
  3216  ProximityUxHost.exe

- Loads dropped DLL (3 IoCs)
  pid   Process
  624   quickassist.exe
  2624  ie4ushowIE.exe
  3216  ProximityUxHost.exe

- Adds Run key to start application (2 TTPs, 1 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qzenv = "C:\Users\Admin\AppData\Roaming\Microsoft\Credentials\Y4VnGL\ie4ushowIE.exe"
  Note: the value points at a third copy of ie4ushowIE.exe, under a directory in AppData\Roaming that is not the AppData\Local\jtbopf copy seen executing below; the process that set the value is not named in the report.

- Checks whether UAC is enabled (3 IoCs)
  description: Key value queried
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  Process: ie4ushowIE.exe, ProximityUxHost.exe, quickassist.exe (one query each)

- Suspicious behavior: EnumeratesProcesses (60 IoCs)
  pid   Process
  3240  regsvr32.exe (4 entries)
  3480  (not named in the report; 56 entries)

- Suspicious use of WriteProcessMemory (12 IoCs)
  description                       pid   procid_target
  PID 3480 wrote to memory of 3280  3480  80  (2 entries)
  PID 3480 wrote to memory of 624   3480  87  (2 entries)
  PID 3480 wrote to memory of 2236  3480  86  (2 entries)
  PID 3480 wrote to memory of 2624  3480  85  (2 entries)
  PID 3480 wrote to memory of 4824  3480  81  (2 entries)
  PID 3480 wrote to memory of 3216  3480  82  (2 entries)
  Note: PID 3480 is the process holding the dridex_stager_shellcode memory region above, and it writes into every process listed in the tree below, both the System32 originals and the dropped copies, yet it is not regsvr32.exe (PID 3240) and does not itself appear in the process tree.

- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
All entries are top-level in the tree as reported; the parent that launched them is not shown.

- C:\Windows\system32\regsvr32.exe
  command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\e0766950c83a3551309ffe32a39cf502.dll
  PID: 3240
  signatures: Suspicious behavior: EnumeratesProcesses

- C:\Windows\system32\quickassist.exe
  command line: C:\Windows\system32\quickassist.exe
  PID: 3280

- C:\Windows\system32\ProximityUxHost.exe
  command line: C:\Windows\system32\ProximityUxHost.exe
  PID: 4824

- C:\Users\Admin\AppData\Local\yXANtbX\ProximityUxHost.exe
  command line: C:\Users\Admin\AppData\Local\yXANtbX\ProximityUxHost.exe
  PID: 3216
  signatures: Executes dropped EXE; Loads dropped DLL; Checks whether UAC is enabled

- C:\Users\Admin\AppData\Local\jtbopf\ie4ushowIE.exe
  command line: C:\Users\Admin\AppData\Local\jtbopf\ie4ushowIE.exe
  PID: 2624
  signatures: Executes dropped EXE; Loads dropped DLL; Checks whether UAC is enabled

- C:\Windows\system32\ie4ushowIE.exe
  command line: C:\Windows\system32\ie4ushowIE.exe
  PID: 2236

- C:\Users\Admin\AppData\Local\7QAFCA\quickassist.exe
  command line: C:\Users\Admin\AppData\Local\7QAFCA\quickassist.exe
  PID: 624
  signatures: Executes dropped EXE; Loads dropped DLL; Checks whether UAC is enabled

Reading the tree: the sample DLL is registered silently with regsvr32 /s from the user's Temp directory. Each of three Windows binaries (quickassist.exe, ProximityUxHost.exe, ie4ushowIE.exe) is then executed once from System32 and once more as a dropped copy from a randomly named directory under AppData\Local, where the copy loads a dropped DLL. A legitimately signed executable re-run from a user-writable directory next to an attacker-supplied DLL is the DLL search-order hijacking (side-loading) pattern; the Run key above points persistence at yet another copy of ie4ushowIE.exe under AppData\Roaming.
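The three hunting checks the report's IoCs suggest, written as a self-contained Python example (added here; it is not part of the sandbox report or its tooling): regsvr32 loading a DLL from a user-writable path, a System32 binary name re-executed from a user directory in the same trace (the dropped-copy/side-loading pattern), and a Run value pointing into AppData. The event tuples are constructed from the process tree and the Run-key IoC above in a simplified Sysmon-like shape; the OneDrive entry is a constructed benign control. The user-writable path markers are an assumption to be tuned per environment.

```python
"""Hunt logic for the loader pattern in this report: regsvr32 loading a DLL from a
user-writable path, System32 binary names re-executed from user directories (dropped
copies that load a dropped DLL), and a Run value that points into AppData.
"""
import ntpath
from collections import defaultdict

# Constructed events modelled on the process tree and Run-key IoC in the report.
# Shape: (event type, pid, image path or registry value path, command line or data).
# The OneDrive entry is a constructed benign control, not from the report.
SAMPLE_EVENTS = [
    ("ProcessCreate", 3240, r"C:\Windows\system32\regsvr32.exe",
     r"regsvr32 /s C:\Users\Admin\AppData\Local\Temp\e0766950c83a3551309ffe32a39cf502.dll"),
    ("ProcessCreate", 3280, r"C:\Windows\system32\quickassist.exe", r"C:\Windows\system32\quickassist.exe"),
    ("ProcessCreate", 4824, r"C:\Windows\system32\ProximityUxHost.exe", r"C:\Windows\system32\ProximityUxHost.exe"),
    ("ProcessCreate", 3216, r"C:\Users\Admin\AppData\Local\yXANtbX\ProximityUxHost.exe",
     r"C:\Users\Admin\AppData\Local\yXANtbX\ProximityUxHost.exe"),
    ("ProcessCreate", 2624, r"C:\Users\Admin\AppData\Local\jtbopf\ie4ushowIE.exe",
     r"C:\Users\Admin\AppData\Local\jtbopf\ie4ushowIE.exe"),
    ("ProcessCreate", 2236, r"C:\Windows\system32\ie4ushowIE.exe", r"C:\Windows\system32\ie4ushowIE.exe"),
    ("ProcessCreate", 624, r"C:\Users\Admin\AppData\Local\7QAFCA\quickassist.exe",
     r"C:\Users\Admin\AppData\Local\7QAFCA\quickassist.exe"),
    ("RegistrySet", 3480,
     r"HKU\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qzenv",
     r"C:\Users\Admin\AppData\Roaming\Microsoft\Credentials\Y4VnGL\ie4ushowIE.exe"),
    ("RegistrySet", 1234,  # constructed benign control
     r"HKU\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"),
]

SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# Assumed markers for user-writable locations; extend for the environment being hunted.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")


def _clean(path: str) -> str:
    return path.strip().strip('"')


def is_system_dir(path: str) -> bool:
    """True when the image lives directly in System32/SysWOW64 (ntpath handles backslashes on any OS)."""
    return ntpath.dirname(_clean(path)).lower() in SYSTEM_DIRS


def is_user_writable(path: str) -> bool:
    """Heuristic: the path passes through a directory a standard user can write to."""
    p = _clean(path).lower()
    return any(marker in p for marker in USER_WRITABLE_MARKERS)


def find_regsvr32_user_dlls(events):
    """regsvr32 invoked with a .dll argument that sits in a user-writable directory."""
    hits = []
    for kind, pid, image, cmdline in events:
        if kind != "ProcessCreate" or ntpath.basename(image).lower() != "regsvr32.exe":
            continue
        for token in cmdline.replace('"', "").split():
            if token.lower().endswith(".dll") and is_user_writable(token):
                hits.append((pid, token))
    return hits


def find_sideload_candidates(events):
    """Same executable name launched from a system directory and again from a non-system path.

    This needs no inventory of System32: the trace itself supplies the legitimate origin,
    and every non-system launch of that name is returned as a dropped-copy candidate.
    """
    by_name = defaultdict(list)
    for kind, pid, image, _ in events:
        if kind == "ProcessCreate":
            by_name[ntpath.basename(image).lower()].append((pid, image))
    hits = []
    for launches in by_name.values():
        if any(is_system_dir(p) for _, p in launches):
            hits.extend((pid, p) for pid, p in launches if not is_system_dir(p))
    return sorted(hits)


def find_suspicious_run_values(events):
    """Run/RunOnce values whose data points into a user-writable directory."""
    hits = []
    for kind, _pid, value_path, data in events:
        if kind != "RegistrySet" or "\\currentversion\\run" not in value_path.lower():
            continue
        if is_user_writable(data):
            hits.append((ntpath.basename(value_path), _clean(data)))
    return hits


def hunt(events):
    return {
        "regsvr32_user_dll": find_regsvr32_user_dlls(events),
        "sideload_candidates": find_sideload_candidates(events),
        "run_values_in_user_dirs": find_suspicious_run_values(events),
    }


if __name__ == "__main__":
    for name, findings in hunt(SAMPLE_EVENTS).items():
        print(name)
        for finding in findings:
            print("   ", finding)
```

On the constructed events the side-loading check returns exactly the three dropped copies (PIDs 624, 2624, 3216), the regsvr32 check returns the Temp-resident sample DLL, and only the Qzenv value is flagged; the OneDrive control is not. In production the same logic runs over Sysmon event IDs 1 and 13, and `is_user_writable` should be replaced by an ACL check or a maintained path list rather than substring markers.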