Analysis
max time kernel: 71s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-12-2023 15:34
Static task: static1
Behavioral task: behavioral1
Sample: da5e3cb85be5b54edb1e3b5ff9d733a2.dll
Resource: win7-20231215-en

General
Target: da5e3cb85be5b54edb1e3b5ff9d733a2.dll
Size: 3.1MB
MD5: da5e3cb85be5b54edb1e3b5ff9d733a2
SHA1: e93524cf92f6c04fad09162a1462920dd0d48ec1
SHA256: e441dc66366d37c4598e91b6779169dcbc71f386ca494b9d6c9d8137b45233f7
SHA512: 640fffd35412cc5100aaf4c14ce6359b7c6fcb4df6e22bf3d501b342cc16fe65dc07ad431d22544f49ba0b37b2da7e2c0c7b121d64cb078ccdb4a1d66da60c33
SSDEEP: 12288:hVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1po:QfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config

Signatures

YARA rule match (memory)
  resource: behavioral2/memory/3592-4-0x0000000002840000-0x0000000002841000-memory.dmp
  yara_rule: dridex_stager_shellcode

Executes dropped EXE (3 IoCs)
  Processes: 1448 eudcedit.exe, 4752 rstrui.exe, 4900 eudcedit.exe

Loads dropped DLL (3 IoCs)
  Processes: 1448 eudcedit.exe, 4752 rstrui.exe, 4900 eudcedit.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qoccyyzfzcu = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\OneNote\\16.0\\sd\\rstrui.exe"

Checks whether UAC is enabled
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  Processes: rundll32.exe, eudcedit.exe, rstrui.exe, eudcedit.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: 4280 rundll32.exe (4 entries); PID 3592 (repeated for the remaining entries, process name not recorded)

Suspicious use of WriteProcessMemory (12 IoCs)
  PID 3592 wrote to memory of PID 1672 (procid_target 94), listed twice
  PID 3592 wrote to memory of PID 1448 (procid_target 96), listed twice
  PID 3592 wrote to memory of PID 680 (procid_target 97), listed twice
  PID 3592 wrote to memory of PID 4752 (procid_target 98), listed twice
  PID 3592 wrote to memory of PID 2880 (procid_target 99), listed twice
  PID 3592 wrote to memory of PID 4900 (procid_target 100), listed twice

Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Windows\system32\rundll32.exe (PID 4280)
  command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\da5e3cb85be5b54edb1e3b5ff9d733a2.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses

C:\Windows\system32\eudcedit.exe (PID 1672)
  command: C:\Windows\system32\eudcedit.exe

C:\Users\Admin\AppData\Local\noEX\eudcedit.exe (PID 1448)
  command: C:\Users\Admin\AppData\Local\noEX\eudcedit.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled

C:\Windows\system32\rstrui.exe (PID 680)
  command: C:\Windows\system32\rstrui.exe

C:\Users\Admin\AppData\Local\woR\rstrui.exe (PID 4752)
  command: C:\Users\Admin\AppData\Local\woR\rstrui.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled

C:\Windows\system32\eudcedit.exe (PID 2880)
  command: C:\Windows\system32\eudcedit.exe

C:\Users\Admin\AppData\Local\WQwAmR\eudcedit.exe (PID 4900)
  command: C:\Users\Admin\AppData\Local\WQwAmR\eudcedit.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
Network
MITRE ATT&CK Enterprise v15
Downloads