Analysis
- max time kernel: 165s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22-12-2023 15:49
Static task: static1
Behavioral task: behavioral1
Sample: e16fbec8441b778d6ffa3c0a50387254.dll
Resource: win7-20231215-en
General
- Target: e16fbec8441b778d6ffa3c0a50387254.dll
- Size: 1.6MB
- MD5: e16fbec8441b778d6ffa3c0a50387254
- SHA1: f4618ea77b9fc65e1dae34efec00a1bee0121580
- SHA256: dcfe6f600462653084dd91777388c633bf70f43a2c2e9d2b51851feae9aa3598
- SHA512: 501b030422ead74da9a3e43b304008178e612678c8b36bff2c89bcb32a744148d2ccf7ab07e76cdabdf434406c9901bced4b3d3dcd9f9e54e2ed9db1c07aa565
- SSDEEP: 12288:QVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:VfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
Processes (resource / yara_rule):
- behavioral2/memory/3448-4-0x00000000031F0000-0x00000000031F1000-memory.dmp: dridex_stager_shellcode
Executes dropped EXE 3 IoCs
Processes (pid / Process):
- 3380 EaseOfAccessDialog.exe
- 932 SystemPropertiesProtection.exe
- 4120 shrpubw.exe
Loads dropped DLL 3 IoCs
Processes (pid / Process):
- 3380 EaseOfAccessDialog.exe
- 932 SystemPropertiesProtection.exe
- 4120 shrpubw.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes (description / ioc / Process):
- Set value (str): \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Loeeeopgcaia = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\LxLxJqU\\SystemPropertiesProtection.exe"
Checks whether UAC is enabled
Processes (description / ioc / Process):
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (rundll32.exe)
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (EaseOfAccessDialog.exe)
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (SystemPropertiesProtection.exe)
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (shrpubw.exe)
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (pid / Process):
- 3556 rundll32.exe
- 3556 rundll32.exe
- 3556 rundll32.exe
- 3556 rundll32.exe
- 3448 3448 3448 3448 3448 3448 3448 3448 3448 3448
- 3448 3448 3448 3448 3448 3448 3448 3448 3448 3448
- 3448 3448 3448 3448 3448 3448 3448 3448 3448 3448
- 3448 3448 3448 3448 3448 3448 3448 3448 3448 3448
- 3448 3448 3448 3448 3448 3448 3448 3448 3448 3448
- 3448 3448 3448 3448 3448 3448 3448 3448 3448 3448
Suspicious use of WriteProcessMemory 12 IoCs
Processes (description / pid / Process / procid_target):
- PID 3448 wrote to memory of 2740 | pid 3448 | procid_target 90
- PID 3448 wrote to memory of 2740 | pid 3448 | procid_target 90
- PID 3448 wrote to memory of 3380 | pid 3448 | procid_target 91
- PID 3448 wrote to memory of 3380 | pid 3448 | procid_target 91
- PID 3448 wrote to memory of 2500 | pid 3448 | procid_target 93
- PID 3448 wrote to memory of 2500 | pid 3448 | procid_target 93
- PID 3448 wrote to memory of 932 | pid 3448 | procid_target 96
- PID 3448 wrote to memory of 932 | pid 3448 | procid_target 96
- PID 3448 wrote to memory of 3916 | pid 3448 | procid_target 99
- PID 3448 wrote to memory of 3916 | pid 3448 | procid_target 99
- PID 3448 wrote to memory of 4120 | pid 3448 | procid_target 100
- PID 3448 wrote to memory of 4120 | pid 3448 | procid_target 100
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\rundll32.exe
  command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e16fbec8441b778d6ffa3c0a50387254.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID: 3556
- C:\Windows\system32\EaseOfAccessDialog.exe
  command: C:\Windows\system32\EaseOfAccessDialog.exe
  PID: 2740
- C:\Users\Admin\AppData\Local\2noz\EaseOfAccessDialog.exe
  command: C:\Users\Admin\AppData\Local\2noz\EaseOfAccessDialog.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 3380
- C:\Windows\system32\SystemPropertiesProtection.exe
  command: C:\Windows\system32\SystemPropertiesProtection.exe
  PID: 2500
- C:\Users\Admin\AppData\Local\pRu\SystemPropertiesProtection.exe
  command: C:\Users\Admin\AppData\Local\pRu\SystemPropertiesProtection.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 932
- C:\Windows\system32\shrpubw.exe
  command: C:\Windows\system32\shrpubw.exe
  PID: 3916
- C:\Users\Admin\AppData\Local\y0iRtaY\shrpubw.exe
  command: C:\Users\Admin\AppData\Local\y0iRtaY\shrpubw.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 4120
Network
MITRE ATT&CK Enterprise v15
Downloads