Analysis
-
max time kernel
106s
-
max time network
150s
-
platform
windows10-2004_x64
-
resource
win10v2004-20231222-en
-
resource tags
arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
-
submitted
22-12-2023 16:34
Static task
static1
Behavioral task
behavioral1
Sample
f334c05455a23f89ee06fb59f1b9f77f.dll
Resource
win7-20231215-en
General
-
Target
f334c05455a23f89ee06fb59f1b9f77f.dll
-
Size
3.5MB
-
MD5
f334c05455a23f89ee06fb59f1b9f77f
-
SHA1
33410197fc64415e351f489720b48f0cc6ff401b
-
SHA256
0692471fb02d58c1e50832d9f74be4e0a1155b1de0d434d5c4d38f644abe1d79
-
SHA512
4c97f8d362f8256c9a2abf0785d96ceb82e451e23533aa007346f88f3f27776bee16c27fc2c76b7d09cb772f9138b1750d651c1cbbba478d8e40b87efcb07e01
-
SSDEEP
12288:PVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:mfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
-
Processes:
resource | yara_rule
behavioral2/memory/3452-4-0x0000000002CB0000-0x0000000002CB1000-memory.dmp | dridex_stager_shellcode
Executes dropped EXE 3 IoCs
Processes:
pid | Process
4892 | dccw.exe
2184 | dwm.exe
724 | perfmon.exe
Loads dropped DLL 5 IoCs
Processes:
pid | Process
4892 | dccw.exe
2184 | dwm.exe
2184 | dwm.exe
2184 | dwm.exe
724 | perfmon.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc
Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tgnmvdx = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-3803511929-1339359695-2191195476-1000\\FXVmo\\dwm.exe"
Checks whether UAC is enabled
Processes:
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | dccw.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | dwm.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | perfmon.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | Process
3864 | rundll32.exe
3864 | rundll32.exe
3864 | rundll32.exe
3864 | rundll32.exe
3452 | (the remaining 60 entries all carry pid 3452 with no process name recorded in the report)
Suspicious use of AdjustPrivilegeToken 8 IoCs
Processes:
description | pid
Token: SeShutdownPrivilege | 3452
Token: SeCreatePagefilePrivilege | 3452
Token: SeShutdownPrivilege | 3452
Token: SeCreatePagefilePrivilege | 3452
Token: SeShutdownPrivilege | 3452
Token: SeCreatePagefilePrivilege | 3452
Token: SeShutdownPrivilege | 3452
Token: SeCreatePagefilePrivilege | 3452
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
pid
3452
3452
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
description | pid | procid_target
PID 3452 wrote to memory of 1924 | 3452 | 82
PID 3452 wrote to memory of 1924 | 3452 | 82
PID 3452 wrote to memory of 4892 | 3452 | 87
PID 3452 wrote to memory of 4892 | 3452 | 87
PID 3452 wrote to memory of 1584 | 3452 | 86
PID 3452 wrote to memory of 1584 | 3452 | 86
PID 3452 wrote to memory of 2184 | 3452 | 85
PID 3452 wrote to memory of 2184 | 3452 | 85
PID 3452 wrote to memory of 432 | 3452 | 84
PID 3452 wrote to memory of 432 | 3452 | 84
PID 3452 wrote to memory of 724 | 3452 | 83
PID 3452 wrote to memory of 724 | 3452 | 83
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\f334c05455a23f89ee06fb59f1b9f77f.dll,#1
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:3864
-
C:\Windows\system32\dccw.exe
C:\Windows\system32\dccw.exe
PID:1924
-
C:\Users\Admin\AppData\Local\a4Flf1Vek\perfmon.exe
C:\Users\Admin\AppData\Local\a4Flf1Vek\perfmon.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:724
-
C:\Windows\system32\perfmon.exe
C:\Windows\system32\perfmon.exe
PID:432
-
C:\Users\Admin\AppData\Local\FuNH\dwm.exe
C:\Users\Admin\AppData\Local\FuNH\dwm.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2184
-
C:\Windows\system32\dwm.exe
C:\Windows\system32\dwm.exe
PID:1584
-
C:\Users\Admin\AppData\Local\oMxwpW\dccw.exe
C:\Users\Admin\AppData\Local\oMxwpW\dccw.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4892
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
35KB
MD5
ee432ac8ce8357a17be75e03f33f5824
SHA1
41b1b46a31b9b38f8ecb3d17a9f5b79c8f7f57e5
SHA256
1a5f68afb16ce7b7ccd157dad82454ac9070dccd45385f7db881545c927cc734
SHA512
6f7b87c6f2d744d151de656dfcc8de5e64290ab64ed52c527b6eebba36776fed1eb3693d89844b26f799dbc80c4342567abf03f271ab25c0f2cfa2707f4d7d87
-
Filesize
92KB
MD5
5c27608411832c5b39ba04e33d53536c
SHA1
f92f8b7439ce1de4c297046ed1d3ff9f20bc97af
SHA256
0ac827c9e35cdaa492ddd435079415805dcc276352112b040bcd34ef122cf565
SHA512
1fa25eabc08dff9ea25dfa7da310a677927c6344b76815696b0483f8860fa1469820ff15d88a78ed32f712d03003631d9aceaf9c9851de5dd40c1fc2a7bc1309
-
Filesize
21KB
MD5
390e0820e5cbef89a8da9fff6204b9e3
SHA1
8159f31b6167646d94346b46ca2fd882a3e08f56
SHA256
eb8c655ceafba69bd62142b1d3e81f562a53659d89bc73fa18b533556ef2b2f8
SHA512
3458cbd3bf94aa787263110e38bfd012421af427518c1e72482550a706dca913f382cb021f7a9bb91bafc31ffee9ae651c1fbfc151624354728c6b66c9bf6de7
-
Filesize
52KB
MD5
64accc65d094bf1d765d068f42a7c498
SHA1
3e5accdb18a6c7086835257cb89b9a9d6b639fc2
SHA256
7f5a37fe407689fee66d07d5fdebdb82e2e0e3182b9ea0dd8d7386be49258f17
SHA512
cdfb0c5221a778d2b5ac27ed0c5e3e8ad4434bc5e74e8956b9a8dadac03979e02df69520508e224b1896778722e8ea33431c516e1e2bd9da2ec0900ac482dbbb
-
Filesize
32KB
MD5
8e6d9172cab806e327782a658701b31e
SHA1
7ff35129b8a1672653f58b87e93bbaca56afaee0
SHA256
6538516c90b167966743cdc01e2a17729cded982e95945d3280040c401de2f3f
SHA512
4497e865a46f0086bfff40ad5d53d05f9e82a858a7bb2a0c8b9b38422244b722cd8df8150c589a22fa840a1c16f9ccb39109ea35dea6956ab78140439612cec8
-
Filesize
40KB
MD5
5b8db5b1166fc6d5e2094d5346c3004e
SHA1
01d2b7d159f3f524b2e057e76350e30eedcb5838
SHA256
758fd04d93c2ae42cbe199083f50e53d1379307546c935e740d3c6f79ff505b4
SHA512
da3907c523b4bc4d7351c631a141af348eba531a4011bd759dc948f5b2e81c56c4a4c748100ef50f8b0e4537bf471487b330a21fe4e0aeb4c51f20940627e5a5
-
Filesize
18KB
MD5
8539a82e6b9474c7af3327bdfd972709
SHA1
090b261b858c0a080f4244a0899da1e0103935bf
SHA256
aecda28b8a9d8f393f982add3f6e36b7b19fe3911f1f9127eb519c156672769c
SHA512
a3d53ceaa9a9f3a381792c6768916ab06fa3e5a44fd33686a148dfe5b658c7f861eb13151f6c0ec9d736bd6d60fb83cbfb178cfcad690d3fbc5f3fd727da427c
-
Filesize
29KB
MD5
51304f1d0ef1847b583e121f97539545
SHA1
5bf989194aed23a2cdb669abe2c4bc36263f400c
SHA256
ee4449456bae0f6cdf3e5683361dc8fb1ff478d522c88e886b3ddb6c5a05961c
SHA512
1c3d8cc5d4559fd042eebfee5a457e2e0eafab4701e398425dc14cfa893e32b48b47b564e3fe63eb4da76a333112c4de6e54233532aad3e34794126334bc64c4
-
Filesize
26KB
MD5
d416de97e823a386808de0e6821b8a9e
SHA1
2c30b6c5422dc973438b8116648e515449e7f48e
SHA256
5173f4908382aeb756c17c00d132dd9af40b81288bf828519231b25d7f4aa100
SHA512
605edd65e6182f846fd46e910e027b7b3aed5a558867f6bec49929fbfc5895d9647a3308d50e0adc7e2e161b176ba7859b04970296f04228e9db1f58264a3aa6
-
Filesize
10KB
MD5
f8419cdeff04a317015925559f0344ca
SHA1
24d094fd749b95a7a48f4e8325660f5363de1b4e
SHA256
ab5923fb746dc2169195b92a3303277d88f440aa4c4db03e292dfe305e91b3e3
SHA512
a45eddc82e9e58a401c2e2bfe1f4a03aa1a3237e967bf8bcb063018205fa23bdf3b67264bc7061ea312d144b0cb3bccb589124f208052c8e961e9f7aa54ed7b0
-
Filesize
94KB
MD5
ed203a282fdde8d2a2f01af16066c2e5
SHA1
a86c77e831a66c9ef86c4582ca11fde33271657a
SHA256
bc4b4c5b0c70df0c5b8845989e4b9c83040d59999aa843c113382d54c4da525e
SHA512
1ea1d57707c11e65e1988ca8a266b83e6e23481df8af6790505e088a80f3e725f3b67620a143f78bf8a4ae29640244acc634c9a96759f1ecaeea62417cd05ce9
-
Filesize
11KB
MD5
f0da418c420b643ebca8c22fb543a79d
SHA1
05b6a9f8ea0b9841edd90ce1dfc88de518b97791
SHA256
ae02f977727a808ca1718503f8bf5134e99e31a90f097681344fc955478b8e21
SHA512
09eb57c7ebfe249d3db64602345195ad7a4a112dc6447df3b8d1a29c75e166e3699e0be938aa0a510a8652f95f67feec858881bf07402934dd9c3d4b8b54fcdc
-
Filesize
49KB
MD5
10a291f840bea76f7538b14df6fb167d
SHA1
354d4c2c75db3e4441cc7288ee3ea6dafee08c8c
SHA256
59159e7e08abb4712d9f2dcd3532ff6f6397e81256c812d6bf3dad59ffc014bb
SHA512
c29108738f93d93742e5e9f3d594fc9add2c299386a4ca88fa4cf11c0b799c8dbc5849533d00821ca75a91b0e3b3ffe987ba1691d2bbcafcc88cb38305de5508
-
Filesize
27KB
MD5
f6f0c7a8d2fa0a2301ec4e9bc29b6fdf
SHA1
acbf608eaf6d5971bff29836557bd335de1f34e8
SHA256
c52175e6fe7f878afa9f3b53dd4b40094b90f26c7c74822f1f85d12623ada18e
SHA512
32c5bd2d531a844bbed5a5db786d89b9b10c7b0e85d0d9991edd1122ebd0f82bed5e2d66f4d92db63f1465d56f5256a2d9fc526b3363d221cfd5403cde0a392a
-
Filesize
36KB
MD5
3b58c6483a800a71b4d4319b36e77244
SHA1
e235a653a9c8f0e10abb06a64232d1d5f53b4be2
SHA256
7aaf415814e8d2ef5f8b397d8befada376cbd09f255ad64f0a368a1b9a4396ba
SHA512
447f302b0d97d3ba9300f7595934cd4b0090c958479bc59cb226a28fdb482d8404e4de63ae4bb0f6b05463844b63d3924f3aef2953c0ed39ce5fadd5832df45e
-
Filesize
1KB
MD5
96a5d54a40a0051f4c109429c2505b2f
SHA1
0988ea4d3fb3976ec19e16e620354783406ec1ff
SHA256
6affe85e951805b51f37d41db32629f85a9cb7874ca2eafb7f8081f7a05155da
SHA512
50e04de36fd7a12e926f608c06ce327edefc937bcaab2829dc7da77ea9e8b035c8eeadec06557f75254025f4a517c099b1900a2db2effcfe2b80ee8d66c4ec0c
-
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3803511929-1339359695-2191195476-1000\FXVmo\dwm.exe
Filesize
12KB
MD5
a5333ad8504a51ef532e562efc7fce55
SHA1
0f0f8896db7e6fbe61e3b32b9c74f48ffcdcf41e
SHA256
2a482e2943880beae859a603c91fc8e0195d97cde918f830c9f90505fcb14306
SHA512
d2395eb5fbb361cce892d7c955793b1728e5b4ba51c2bae1496aa9ecb89268ad9f0a7913bcfe107111c6fdd7a330586c11d66cbaf2054bc1b8a9a710aa8259cc
-
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3803511929-1339359695-2191195476-1000\FXVmo\dxgi.dll
Filesize
1KB
MD5
cd068fed916674488a8a7a133c5541a2
SHA1
6a5b20f884f6992047131f2b22152da1647e7fb8
SHA256
9add45bff3abcbdbaf767c730e7e8c2af34aa1cba8a913e78c8a9e10702866d7
SHA512
9d0ca3478598a35f3deed6da47300cd5dfd7662498298feb3835b49d7fe48dbc4a7d3d581b1290c2ca2346e3c87322d70390f83eed46a073024e28606859897a
-
Filesize
1KB
MD5
3a9c6a07395d1873899a74ee3dbaf3f3
SHA1
b6a3b9cef5dcf2bd6f5fe7bee73fb12d99b32dd8
SHA256
878b4a5826bd5c3f3d2f38af896ed1a7ed28036a19b73663638cc3f9e5b30d0a
SHA512
8e27972eb7acb236835927c42af77e7b2263e288116a255e09a4f516a2c6d412f9a659d85ce008ee8c087c3c0a5dd05f235a961ac30e94f4f643ab469fdc07c4