Analysis
max time kernel: 0s
max time network: 124s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-12-2023 15:58

Static task: static1 (1 signature)
Behavioral task: behavioral1
Sample: e3ddd19537fbfe6e4dd6fd445c3f6e3c.dll
Resource: win7-20231215-en
4 signatures
150 seconds
General
Target: e3ddd19537fbfe6e4dd6fd445c3f6e3c.dll
Size: 1.5MB
MD5: e3ddd19537fbfe6e4dd6fd445c3f6e3c
SHA1: f9a944568c74a806d93ce6315e0db57dc5cbd86b
SHA256: 688f0f9ec8429037d5775788166500e6dac955c36caa2eab4e6b16d88c07d370
SHA512: 0320184082b47982b2fdec30094002cdbed0cebaf83299fa089a612d06117581f7206116ac76e656674e8c08d6f55db890465b7b4ee53687d1e901fadc2cfb1c
SSDEEP: 12288:oVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:9fP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config

Signatures
Processes:
resource | yara_rule
behavioral2/memory/3416-4-0x0000000002BC0000-0x0000000002BC1000-memory.dmp | dridex_stager_shellcode

Processes: rundll32.exe
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes: rundll32.exe
pid | Process
996 | rundll32.exe
996 | rundll32.exe
996 | rundll32.exe
996 | rundll32.exe
Processes
C:\Windows\system32\rundll32.exe
Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e3ddd19537fbfe6e4dd6fd445c3f6e3c.dll,#1
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID: 996

C:\Windows\system32\wermgr.exe
Command line: C:\Windows\system32\wermgr.exe
PID: 2220

C:\Windows\system32\mspaint.exe
Command line: C:\Windows\system32\mspaint.exe
PID: 3584

C:\Users\Admin\AppData\Local\O8AcsueOC\WMPDMC.exe
Command line: C:\Users\Admin\AppData\Local\O8AcsueOC\WMPDMC.exe
PID: 1500

C:\Windows\system32\WMPDMC.exe
Command line: C:\Windows\system32\WMPDMC.exe
PID: 1768

C:\Users\Admin\AppData\Local\UEo\mspaint.exe
Command line: C:\Users\Admin\AppData\Local\UEo\mspaint.exe
PID: 2856

C:\Users\Admin\AppData\Local\9je6\wermgr.exe
Command line: C:\Users\Admin\AppData\Local\9je6\wermgr.exe
PID: 4816