Analysis
- max time kernel: 149s
- max time network: 113s
- platform: windows10-2004_x64
- resource: win10v2004-20231222-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22-12-2023 15:15
- Static task: static1
- Behavioral task: behavioral1
- Sample: d577f77a0cf8344c9bb7d3be5578311b.dll
- Resource: win7-20231215-en
General
- Target: d577f77a0cf8344c9bb7d3be5578311b.dll
- Size: 1.9MB
- MD5: d577f77a0cf8344c9bb7d3be5578311b
- SHA1: d150adc8a686a849c666159ab896fcc845fc6c00
- SHA256: 95fc26f100d5508c34cd691e6e2e1d6cca2f621de4cd4769433e1564fc6f7e1f
- SHA512: a097092b1886bffcd6d963700f8ad88b0ac4e75f80979030eea65984d9e062d21a6a1b53dd62b16866b88a757449977198311e3040cbbd3db0b0c09cfa760319
- SSDEEP: 12288:XVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:efP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
- Processes:
  - resource: behavioral2/memory/3496-4-0x0000000002690000-0x0000000002691000-memory.dmp
    yara_rule: dridex_stager_shellcode
- Drops startup file (3 IoCs)
  Processes:
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\yU
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\yU\WINSTA.dll
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\yU\DisplaySwitch.exe
- Executes dropped EXE (3 IoCs)
  Processes:
  - pid 2744: DisplaySwitch.exe
  - pid 1532: PasswordOnWakeSettingFlyout.exe
  - pid 2188: DisplaySwitch.exe
- Loads dropped DLL (3 IoCs)
  Processes:
  - pid 2744: DisplaySwitch.exe
  - pid 1532: PasswordOnWakeSettingFlyout.exe
  - pid 2188: DisplaySwitch.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  - Set value (str): \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tgnmvdx = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\FLASHP~1\\hT6wz\\PASSWO~1.EXE"
- Checks whether UAC is enabled
  Processes:
  - Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (rundll32.exe)
  - Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (DisplaySwitch.exe)
  - Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (PasswordOnWakeSettingFlyout.exe)
  - Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (DisplaySwitch.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
  - pid 4932: rundll32.exe (4 entries)
  - pid 3496: process name not recorded (all remaining entries)
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
  - PID 3496 wrote to memory of 4752 (procid_target 91, 2 entries)
  - PID 3496 wrote to memory of 2744 (procid_target 92, 2 entries)
  - PID 3496 wrote to memory of 2172 (procid_target 93, 2 entries)
  - PID 3496 wrote to memory of 1532 (procid_target 98, 2 entries)
  - PID 3496 wrote to memory of 4468 (procid_target 96, 2 entries)
  - PID 3496 wrote to memory of 2188 (procid_target 97, 2 entries)
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\d577f77a0cf8344c9bb7d3be5578311b.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID: 4932
- C:\Windows\system32\DisplaySwitch.exe
  Command line: C:\Windows\system32\DisplaySwitch.exe
  PID: 4752
- C:\Users\Admin\AppData\Local\n4K3m8E\DisplaySwitch.exe
  Command line: C:\Users\Admin\AppData\Local\n4K3m8E\DisplaySwitch.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 2744
- C:\Windows\system32\PasswordOnWakeSettingFlyout.exe
  Command line: C:\Windows\system32\PasswordOnWakeSettingFlyout.exe
  PID: 2172
- C:\Windows\system32\DisplaySwitch.exe
  Command line: C:\Windows\system32\DisplaySwitch.exe
  PID: 4468
- C:\Users\Admin\AppData\Local\NiTZR2yCb\DisplaySwitch.exe
  Command line: C:\Users\Admin\AppData\Local\NiTZR2yCb\DisplaySwitch.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 2188
- C:\Users\Admin\AppData\Local\KESB\PasswordOnWakeSettingFlyout.exe
  Command line: C:\Users\Admin\AppData\Local\KESB\PasswordOnWakeSettingFlyout.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 1532
Network
MITRE ATT&CK Enterprise v15
Downloads