Analysis
max time kernel: 130s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-12-2023 16:11
Static task: static1
Behavioral task: behavioral1
Sample: ea6796cf6fd3dd169db3dec29b9eb1ca.dll
Resource: win7-20231129-en
General
Target: ea6796cf6fd3dd169db3dec29b9eb1ca.dll
Size: 2.0MB
MD5: ea6796cf6fd3dd169db3dec29b9eb1ca
SHA1: 10b004395f869122c0643b6db854997bed8b8d4a
SHA256: 8e2e8778ef549228680a2702f07127d29b07b708df8977a09db0caf592bb5a88
SHA512: 545476f9585013ba6b9152d1372bf1cc40a35cfee479a69fec3f7a9022122c96194125b9263325bf5ab4d11f46572bebce706d9fe1ba2bdd413d3bbeea98f16e
SSDEEP: 12288:gVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:FfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures

YARA rule match
  resource: behavioral2/memory/3488-4-0x0000000002C20000-0x0000000002C21000-memory.dmp
  yara_rule: dridex_stager_shellcode

Executes dropped EXE (3 IoCs)
  PID 1020  SppExtComObj.Exe
  PID 2280  DeviceEnroller.exe
  PID 3180  RdpSaUacHelper.exe

Loads dropped DLL (3 IoCs)
  PID 1020  SppExtComObj.Exe
  PID 2280  DeviceEnroller.exe
  PID 3180  RdpSaUacHelper.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Hwtkseldaftjsj = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\CachedFiles\\TFXi\\DeviceEnroller.exe"

Checks whether UAC is enabled
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  (rundll32.exe)
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  (SppExtComObj.Exe)
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  (DeviceEnroller.exe)
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  (RdpSaUacHelper.exe)

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 4536  rundll32.exe  (4 entries)
  PID 3488  (process name not recorded; all remaining entries)

Suspicious use of UnmapMainImage (1 IoC)
  PID 3488

Suspicious use of WriteProcessMemory (12 IoCs; each row is reported twice)
  description                          pid   procid_target
  PID 3488 wrote to memory of 748      3488  92
  PID 3488 wrote to memory of 1020     3488  97
  PID 3488 wrote to memory of 5100     3488  96
  PID 3488 wrote to memory of 2280     3488  95
  PID 3488 wrote to memory of 4064     3488  94
  PID 3488 wrote to memory of 3180     3488  93
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ea6796cf6fd3dd169db3dec29b9eb1ca.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID: 4536

C:\Windows\system32\SppExtComObj.Exe
  Command line: C:\Windows\system32\SppExtComObj.Exe
  PID: 748

C:\Users\Admin\AppData\Local\U8HyjVJc5\RdpSaUacHelper.exe
  Command line: C:\Users\Admin\AppData\Local\U8HyjVJc5\RdpSaUacHelper.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 3180

C:\Windows\system32\RdpSaUacHelper.exe
  Command line: C:\Windows\system32\RdpSaUacHelper.exe
  PID: 4064

C:\Users\Admin\AppData\Local\9xZjz\DeviceEnroller.exe
  Command line: C:\Users\Admin\AppData\Local\9xZjz\DeviceEnroller.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 2280

C:\Windows\system32\DeviceEnroller.exe
  Command line: C:\Windows\system32\DeviceEnroller.exe
  PID: 5100

C:\Users\Admin\AppData\Local\WvL2\SppExtComObj.Exe
  Command line: C:\Users\Admin\AppData\Local\WvL2\SppExtComObj.Exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 1020