Analysis
-
max time kernel
150s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20231215-en locale:en-us os:windows10-2004-x64 system -
submitted
22-12-2023 16:37
Static task
static1
Behavioral task
behavioral1
Sample
f518a4dec5de3386e7aa4a19fd0f8ac1.dll
Resource
win7-20231215-en
General
-
Target
f518a4dec5de3386e7aa4a19fd0f8ac1.dll
-
Size
1.8MB
-
MD5
f518a4dec5de3386e7aa4a19fd0f8ac1
-
SHA1
0ef8670d9d1e4184daba2959bb6ac675e9ece0b5
-
SHA256
89423c76e59074527f58059a7fbc88c65fb85fa4404b809f6f481d2bb3b602df
-
SHA512
fd16896a386b8f23fa834f37c492d427be4a38cbc474e6264461fd0461cf0143db56cdfb6eed6835117f4debaf9c5237c8694104abe56ca53e34be8a8785f680
-
SSDEEP
12288:LVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:KfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
-
Processes:
resource yara_rule
behavioral2/memory/3460-4-0x0000000002080000-0x0000000002081000-memory.dmp dridex_stager_shellcode
-
Drops startup file 3 IoCs
Processes:
description ioc Process
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\yi4Q3lXai
File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\yi4Q3lXai\VERSION.dll
File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\yi4Q3lXai\ie4ushowIE.exe
-
Executes dropped EXE 3 IoCs
Processes:
pid Process
5072 DmNotificationBroker.exe
4524 ie4ushowIE.exe
220 Utilman.exe
-
Loads dropped DLL 3 IoCs
Processes:
pid Process
5072 DmNotificationBroker.exe
4524 ie4ushowIE.exe
220 Utilman.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Dturazvnnsjkgvr = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\yi4Q3lXai\\ie4ushowIE.exe"
-
Processes:
description ioc Process
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA rundll32.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA DmNotificationBroker.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ie4ushowIE.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Utilman.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid Process
2324 rundll32.exe (4 events)
3460 (60 events; no process name recorded)
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
description pid Process procid_target
PID 3460 wrote to memory of 2336 3460 95
PID 3460 wrote to memory of 2336 3460 95
PID 3460 wrote to memory of 5072 3460 96
PID 3460 wrote to memory of 5072 3460 96
PID 3460 wrote to memory of 3084 3460 98
PID 3460 wrote to memory of 3084 3460 98
PID 3460 wrote to memory of 4524 3460 99
PID 3460 wrote to memory of 4524 3460 99
PID 3460 wrote to memory of 4316 3460 100
PID 3460 wrote to memory of 4316 3460 100
PID 3460 wrote to memory of 220 3460 101
PID 3460 wrote to memory of 220 3460 101
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\f518a4dec5de3386e7aa4a19fd0f8ac1.dll,#1
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2324
-
C:\Windows\system32\DmNotificationBroker.exe
C:\Windows\system32\DmNotificationBroker.exe
PID:2336
-
C:\Users\Admin\AppData\Local\4Jzo13c\DmNotificationBroker.exe
C:\Users\Admin\AppData\Local\4Jzo13c\DmNotificationBroker.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:5072
-
C:\Windows\system32\ie4ushowIE.exe
C:\Windows\system32\ie4ushowIE.exe
PID:3084
-
C:\Users\Admin\AppData\Local\n7RuIB1\ie4ushowIE.exe
C:\Users\Admin\AppData\Local\n7RuIB1\ie4ushowIE.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4524
-
C:\Windows\system32\Utilman.exe
C:\Windows\system32\Utilman.exe
PID:4316
-
C:\Users\Admin\AppData\Local\IoKui7\Utilman.exe
C:\Users\Admin\AppData\Local\IoKui7\Utilman.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:220
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
47KB
MD5
1d7e6b18e09acd28c4dbe51eb52b6abb
SHA1
ed1b5357bae847e9432c7618faa365c71eb2e2a1
SHA256
6b9a58aafa5015fb4c84403fe4b05618ecd18ff65192df364b49532dc2f1a224
SHA512
6a59c09de5ea489c01f07fbe1289fd895ba31abc93b5eff186676048fca7c555ea816831a6cdf24579ff071ddcd1ec105e6d6b3c550ae9e87f3d59122dd80293
-
Filesize
67KB
MD5
fe666220d48d3d4f781de128af227725
SHA1
36d2fec7080b218951eee00bc8d3ac0a161db12e
SHA256
a50feb1ae5423de432e1368370f034ed9bb3979b313a17298cf1e0fa78fa7299
SHA512
ab417881d5a7184d7ec1d974b594afe8997d6082fbb8e88275c6c3becf907f37283d321dc7083f7047173fdb2690c7cfababe45d07024c2fd91379e6318e5da8
-
Filesize
23KB
MD5
95b98bda6ce9006a5a187fb8ec58b222
SHA1
7c6e67b83ec8ee3dd0814410433be6104894adb9
SHA256
b2084912919f42f5051d50b76955bf4de4283c7a68bdc889ff9bae83a9fa0de8
SHA512
7c98e5e85fe57a4ffea66a01766c75e4b59116b536b1ab1c94c3785a714ed121dc2b6deb770aea8516d3a6b4c366c63173d4fd9961134eb58b62b30a9e9f5b73
-
Filesize
5KB
MD5
6bfdaf07e48351e167fd0d373419bf29
SHA1
d535bf0a1b0bdda1e0230726300cef1e7a41c84e
SHA256
0d53612b8c87468f38d9e9b91357bb05bf1c5cd11524e0c6d44345a4b6aa6d75
SHA512
01ad89e25a4fd0ffe835a60a73fa916c666e5602a08a86785eeb68f81b0f92f76b4638b23b89f459fac4b2e59c10d195bddc07777609f0e1581219437fb81da3
-
Filesize
32KB
MD5
dd8144d6dd4df0c5511a6daf61d11298
SHA1
de0f9dd9b9b54dbf2eb83f4f5fccf328165778bf
SHA256
5a6c38de64d6331ba79a68f149d7d10e7026256594ca04b5dc9322544dc2fb71
SHA512
456c4714ed7d7a8b195acd2f8f7cc6f3ae7c4f2ecc1d8dab276fd076bdb029fb72c99bbf251f2d3396eab2c8c5a08c588161afa21e36466247e6299deb7fecd1
-
Filesize
45KB
MD5
4cc7bcd184563aa4556031a08a48ef66
SHA1
4b228f73ff2507cd51e148134bc122f22d9099b7
SHA256
dcd246d625d0a4230084448b9b969bfffc18e2d5aa1abcb94ba01789125e3e9d
SHA512
84697db6d1bbd07e06b9556beb017406cd3775d939972a1d7c5d7a1760630948a396bb14c3a0732d95db5842e264f6388e9a2f29d077db1ade74a59058755ec2
-
Filesize
123KB
MD5
a117edc0e74ab4770acf7f7e86e573f7
SHA1
5ceffb1a5e05e52aafcbc2d44e1e8445440706f3
SHA256
b5bc4fce58403ea554691db678e6c8c448310fe59990990f0e37cd4357567d37
SHA512
72883f794ff585fe7e86e818d4d8c54fa9781cab6c3fac6f6956f58a016a91f676e70d14691cbe054ae7b7469c6b4783152fbb694e92b940d9e3595fe3f41d97
-
Filesize
36KB
MD5
e9a598e1ffd49c3988c3747a9f23c9bf
SHA1
4b808df14e38b7a46a001e37da9a87dae3c4b7f3
SHA256
fb62d6e0322edf5cf705a3e5a181f7b3adae648b387f24ed6479b11658b10c4a
SHA512
f8aa8d529c6dfecefa844e3e7b02a3b0593400bdcdc66824becf2e50ead2494ae4b108ccebcaa4df34e21fb4eed39c273a9b0a9bff69637e771d50913081f556
-
Filesize
200KB
MD5
e7180b507e12d1394f66539f590be8ea
SHA1
5f3473a7b0d5f6016b3181aac27155655dc6adb1
SHA256
58a5a094a2444331b255367dfd29515db0ebeb237b11e3325e7ba5e3b37df80f
SHA512
62a64b2b35c6a1313e57baf645f1f6757d0f2ba4ccff8283cc434cb7d4d9ec3b15db367088aeb2d7fa705ff81de212689173d2adc0cf69c8f36f9f4fddc43288
-
Filesize
225KB
MD5
9e31924645529bd81958c0289bf67fa5
SHA1
1c9603f1b559d35f0b3f464de67386b1b5fbf7d0
SHA256
abaf8362d04d97c53238c3d04e1f4bd6326a297c61fc7a7613658da4366b3dc5
SHA512
8c2229463f775a3d859a762f1b42fd1aabf51df1a80cbffc6e2e7e9891066a6d0473b7702500cc319f6f3186add28e46ead61390bc42a94bbcdef27dd84952d0
-
Filesize
76KB
MD5
9de952f476abab0cd62bfd81e20a3deb
SHA1
109cc4467b78dad4b12a3225020ea590bccee3e6
SHA256
e9cb6336359ac6f71ac75af2836efb28daa3bafd10a1f0b775dcdc2ec8850a6b
SHA512
3cbe50a146ca50b0657a78a2d89a34630c69823005668906785b2d2015cc6139c8dbbf7aefa5fe55957ef55ae06e758933b3b41eaf822e49dba3b7700582e2c9
-
Filesize
1KB
MD5
649740c52874e75f85388b85ec7174e2
SHA1
d30e325e0582fad695adc30c68e81e16634bec71
SHA256
7b7fe45d83d3c049f7d30717d314fec3b50fb76564d81915951db8a71cf0e5ac
SHA512
9b7b99dc327b083121a39d70e0564b91b9b414561086f502e8d2e2e1f921109d79a6df2fb15a39f486020e6cc9e07e776419f3134a3a6b69701555a2b02ddb7f
-
Filesize
2.1MB
MD5
e97dee7d404ff65f8a16a2f3335a5462
SHA1
1cdd8062570ae9e81ef5de50c579f13aa5dffd48
SHA256
1629c1af956df2c51ea9439551be536818fed0786e5785d014e5a6d7c2e89231
SHA512
dc2af906666a6dd4803f02bd73cbb131cf139030539c77138b0c92962ed1fdc8c578aa7c7d62dcaaea8a5158fb43fd9c758b9257feb9136259002527b5307b97
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\mXeefoD3Qb\DUI70.dll
Filesize
2.1MB
MD5
984279825598b907281251d5b2f342c3
SHA1
9d686f4c3ebdd6047142306c5ba5942a79b2a9ae
SHA256
8045dd7e4dae5175c7f019b48eb69ad5aa349d205f23b2a13dfddf34fd7caa0b
SHA512
b839a4919a8e36c85cce58559fb1e871bf743a6886da962688389055dfdd8c642fb2607cc48b15eee5e3507408671a446259b3f87ad995ff15bf8e1946388cdd
-
Filesize
1.8MB
MD5
a2648ef04ab16cfd6c30cb898ca83070
SHA1
0f401e5946c4d9d792d1b4ab6b6f98b0343173d9
SHA256
aa08eca91487ed4816f60181954eb6a624d838e10a7759ad0162763bf811466e
SHA512
3da82eb9506e96ffcd1d7d02c761220690bd4d18271b7e3fac8dc10953854b115948e06716d67e58c6779ffbcfd16ad213d0c8c09df8f4c6c104eae77c645186