Analysis
- max time kernel: 188s
- max time network: 200s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22-12-2023 16:42
- Static task: static1
- Behavioral task: behavioral1
- Sample: f71f16a72ace0fd6a636a6008e36dc8d.dll
- Resource: win7-20231215-en
General
- Target: f71f16a72ace0fd6a636a6008e36dc8d.dll
- Size: 1.7MB
- MD5: f71f16a72ace0fd6a636a6008e36dc8d
- SHA1: 03c376915c929e4162d388f70a6a87ab200206ae
- SHA256: f049251053c1be586de5e8d9804dcf16ec93afa5d0641c08f31706937d5410a1
- SHA512: 2529cf8d24ff1fc38769a91077a7201bcee8097b77705dde1d7d4d4b0f60f4deeb46cb22fa950ba35e9c380e26aa29464d9b0d39a3d64ba91e8d5cbfdf0225c8
- SSDEEP: 12288:uVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:zfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
- YARA match (resource / yara_rule):
  behavioral2/memory/3464-5-0x00000000014A0000-0x00000000014A1000-memory.dmp: dridex_stager_shellcode
- Executes dropped EXE (3 IoCs)
  pid / Process: 2028 lpksetup.exe; 5032 rdpinit.exe; 1028 wbengine.exe
- Loads dropped DLL (3 IoCs)
  pid / Process: 2028 lpksetup.exe; 5032 rdpinit.exe; 1028 wbengine.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description / ioc / Process: Set value (str) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Loeeeopgcaia = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\PPqecE0nwC\\rdpinit.exe"
- Registry key queries (description / ioc / Process):
  Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA: lpksetup.exe
  Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA: rdpinit.exe
  Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA: wbengine.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid / Process: 4900 regsvr32.exe (4 entries); 3464 (60 entries, no process name recorded)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description / pid: Token: SeShutdownPrivilege 3464; Token: SeCreatePagefilePrivilege 3464
- Suspicious use of WriteProcessMemory (12 IoCs, each event recorded twice)
  description / pid / procid_target:
  PID 3464 wrote to memory of 3440 (procid_target 92)
  PID 3464 wrote to memory of 2028 (procid_target 93)
  PID 3464 wrote to memory of 1624 (procid_target 94)
  PID 3464 wrote to memory of 5032 (procid_target 95)
  PID 3464 wrote to memory of 2068 (procid_target 96)
  PID 3464 wrote to memory of 1028 (procid_target 97)
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\regsvr32.exe (PID 4900)
  Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\f71f16a72ace0fd6a636a6008e36dc8d.dll
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\lpksetup.exe (PID 3440)
  Command line: C:\Windows\system32\lpksetup.exe
- C:\Users\Admin\AppData\Local\AJr7bL\lpksetup.exe (PID 2028)
  Command line: C:\Users\Admin\AppData\Local\AJr7bL\lpksetup.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\rdpinit.exe (PID 1624)
  Command line: C:\Windows\system32\rdpinit.exe
- C:\Users\Admin\AppData\Local\0Awitw7R\rdpinit.exe (PID 5032)
  Command line: C:\Users\Admin\AppData\Local\0Awitw7R\rdpinit.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\wbengine.exe (PID 2068)
  Command line: C:\Windows\system32\wbengine.exe
- C:\Users\Admin\AppData\Local\D64St0vTL\wbengine.exe (PID 1028)
  Command line: C:\Users\Admin\AppData\Local\D64St0vTL\wbengine.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
Network
MITRE ATT&CK Enterprise v15
Downloads