Analysis
max time kernel: 132s
max time network: 170s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-12-2023 15:14
Static task: static1
Behavioral task: behavioral1
Sample: d5124b4f11f73e615ab6573dc5bb02cf.dll
Resource: win7-20231215-en
General
Target: d5124b4f11f73e615ab6573dc5bb02cf.dll
Size: 1.9MB
MD5: d5124b4f11f73e615ab6573dc5bb02cf
SHA1: 8a2f582744a0cdca0d21e40ce81f2ce3067c8bee
SHA256: 9b64a70112f7e8f285ac2c020036d4fa5d3cc529daf0fbbfefab39630ec50a2b
SHA512: 889ca16bb6fdd0a1677111c340cf67f29d3b0d305ed5ced6e4a4ed129b1828cc72021b9544b8f545c534671be11034e50d40596a6924ebe024c6cfa800495451
SSDEEP: 12288:/VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1K:2fP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
Processes:
resource: behavioral2/memory/3540-4-0x0000000002050000-0x0000000002051000-memory.dmp
yara_rule: dridex_stager_shellcode
Executes dropped EXE 3 IoCs
Processes:
pid 696: ProximityUxHost.exe
pid 4880: wusa.exe
pid 412: wbengine.exe
Loads dropped DLL 3 IoCs
Processes:
pid 696: ProximityUxHost.exe
pid 4880: wusa.exe
pid 412: wbengine.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qoccyyzfzcu = "C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Extensions\\nHb5\\wusa.exe"
Checks whether UAC is enabled
Processes:
description: Key value queried; ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA; Process: ProximityUxHost.exe
description: Key value queried; ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA; Process: wusa.exe
description: Key value queried; ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA; Process: wbengine.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid 1092: regsvr32.exe (4 entries)
pid 3540: process name not recorded (all remaining entries)
Suspicious use of WriteProcessMemory 12 IoCs
Processes (description; pid; procid_target; each row recorded twice):
PID 3540 wrote to memory of 3580; pid 3540; procid_target 91
PID 3540 wrote to memory of 696; pid 3540; procid_target 92
PID 3540 wrote to memory of 2500; pid 3540; procid_target 93
PID 3540 wrote to memory of 4880; pid 3540; procid_target 96
PID 3540 wrote to memory of 3516; pid 3540; procid_target 94
PID 3540 wrote to memory of 412; pid 3540; procid_target 95
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\regsvr32.exe
  Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\d5124b4f11f73e615ab6573dc5bb02cf.dll
  PID: 1092
  Signatures: Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\ProximityUxHost.exe
  Command line: C:\Windows\system32\ProximityUxHost.exe
  PID: 3580
- C:\Users\Admin\AppData\Local\6Hc\ProximityUxHost.exe
  Command line: C:\Users\Admin\AppData\Local\6Hc\ProximityUxHost.exe
  PID: 696
  Signatures: Executes dropped EXE; Loads dropped DLL; Checks whether UAC is enabled
- C:\Windows\system32\wusa.exe
  Command line: C:\Windows\system32\wusa.exe
  PID: 2500
- C:\Windows\system32\wbengine.exe
  Command line: C:\Windows\system32\wbengine.exe
  PID: 3516
- C:\Users\Admin\AppData\Local\n7k6haF\wbengine.exe
  Command line: C:\Users\Admin\AppData\Local\n7k6haF\wbengine.exe
  PID: 412
  Signatures: Executes dropped EXE; Loads dropped DLL; Checks whether UAC is enabled
- C:\Users\Admin\AppData\Local\S7gSC6\wusa.exe
  Command line: C:\Users\Admin\AppData\Local\S7gSC6\wusa.exe
  PID: 4880
  Signatures: Executes dropped EXE; Loads dropped DLL; Checks whether UAC is enabled
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: 652fcdef80b39a9d1cd509a1cb00bb20
  SHA1: 40e67d0f558c19b01c0679c1d46cc54dc8fbd324
  SHA256: 4c60f836a04256ef9a80ee937f06389779ff9bca785a72afd658b28598456110
  SHA512: 309aa692df7224e71861be8b3d0005c9577f116de3a1cba1947788d2f7bcd0ccbf13dcf71968261bdc6902e02702047c45c8401aff6ecd6f8a1786e8c6482508
- Filesize: 19KB
  MD5: a660813d06e7e2292c96fc9bb13e8959
  SHA1: 3bf5c0a56c40192dc6d776a95dc9c5e883cd6d10
  SHA256: c5e9408408dd2e67113824e2615eaf92365502be73867d20fd1747cd4ea3aa5a
  SHA512: 161cd0eb8877c2a65f4f3eaa5a05b8ff2685febf2d64325ce13e9d071d7dfab2aae69897a45bb3baf354912b2a5490ef7a27b27b4426d0fd22d1f3403897813f
- Filesize: 56KB
  MD5: 4f2fb7eb689f8c15ead53f9454586c97
  SHA1: b9994397f9d6ad3bc9b3d6925c2c82149e8220fb
  SHA256: 253a7336f0641bd938211640b2a4c997a9fb45ba05803239e563ee7a35164046
  SHA512: fca80f9fad9da9f0828d14e543da1d597b4f90429dcf6927015e6add97dee7635adc010978946bf3001a2580af83f1bbeedb560ee93634e3279964480ee69b56
- Filesize: 92KB
  MD5: b6a93ec51b0536a7566dca777213709d
  SHA1: 3af4759225446c9061a551633929fbda86a62b14
  SHA256: 1c5e9fa19f7f55c6960dca8a1890c712931b7c52492ed33057f76477ed69fc1e
  SHA512: 146229aa4a190868dd18c1f829de6e6d4dca18b6801b0ff3b7a8761175ee38c96405810b87dc0faaa7af7b624aa38c97274a643edce8570ed814c9adff618ba1