Analysis
Max time kernel: 153s
Max time network: 160s
Platform: windows10-2004_x64
Resource: win10v2004-20231215-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 22-12-2023 16:11
Static task: static1
Behavioral task: behavioral1
Sample: eac2738515d0292a80e97bdd871ae3f8.dll
Resource: win7-20231129-en
General
Target: eac2738515d0292a80e97bdd871ae3f8.dll
Size: 1.4MB
MD5: eac2738515d0292a80e97bdd871ae3f8
SHA1: bd8ef231bfeb6635d869210f39b36f77b691c9e6
SHA256: 96761af2af2e82740682729fe36feb508fc90cdc60771957e4583f853a873709
SHA512: c7033b905fd46d55c0dac1629905196c5c09d933957ac5ec13f496397b5a55fdb07a0821d93c394cc0f4b58b8af092ee54388552a7f8c58eb36b91c6083c8711
SSDEEP: 12288:2VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:rfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
- YARA rule match
Processes:
resource: behavioral2/memory/3204-5-0x0000000002450000-0x0000000002451000-memory.dmp; yara_rule: dridex_stager_shellcode
- Executes dropped EXE (3 IoCs)
Processes: SppExtComObj.Exe (PID 1352), wlrmdr.exe (PID 1012), usocoreworker.exe (PID 2420)
- Loads dropped DLL (3 IoCs)
Processes: SppExtComObj.Exe (PID 1352), wlrmdr.exe (PID 1012), usocoreworker.exe (PID 2420)
- Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
Set value (str): \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Hcbfaqn = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\lG5H\\wlrmdr.exe"
- Checks whether UAC is enabled
Processes: rundll32.exe, SppExtComObj.Exe, wlrmdr.exe, usocoreworker.exe
Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (queried once by each of rundll32.exe, SppExtComObj.Exe, wlrmdr.exe and usocoreworker.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: rundll32.exe (PID 1484, 4 entries); PID 3204 (remaining entries, process name not recorded in the report)
- Suspicious use of WriteProcessMemory (12 IoCs)
Processes (source PID -> target PID, procid_target; each pair recorded twice):
3204 -> 2284 (91)
3204 -> 1352 (92)
3204 -> 3552 (93)
3204 -> 1408 (94)
3204 -> 1012 (95)
3204 -> 2420 (96)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\rundll32.exe
Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\eac2738515d0292a80e97bdd871ae3f8.dll,#1
PID: 1484
Signatures: Checks whether UAC is enabled; Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\SppExtComObj.Exe
Command line: C:\Windows\system32\SppExtComObj.Exe
PID: 2284
- C:\Users\Admin\AppData\Local\IzGAuc6\SppExtComObj.Exe
Command line: C:\Users\Admin\AppData\Local\IzGAuc6\SppExtComObj.Exe
PID: 1352
Signatures: Executes dropped EXE; Loads dropped DLL; Checks whether UAC is enabled
- C:\Windows\system32\wlrmdr.exe
Command line: C:\Windows\system32\wlrmdr.exe
PID: 3552
- C:\Windows\system32\usocoreworker.exe
Command line: C:\Windows\system32\usocoreworker.exe
PID: 1408
- C:\Users\Admin\AppData\Local\rwLmv\wlrmdr.exe
Command line: C:\Users\Admin\AppData\Local\rwLmv\wlrmdr.exe
PID: 1012
Signatures: Executes dropped EXE; Loads dropped DLL; Checks whether UAC is enabled
- C:\Users\Admin\AppData\Local\aIXs\usocoreworker.exe
Command line: C:\Users\Admin\AppData\Local\aIXs\usocoreworker.exe
PID: 2420
Signatures: Executes dropped EXE; Loads dropped DLL; Checks whether UAC is enabled
Network
MITRE ATT&CK Enterprise v15
Downloads