Analysis

max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-12-2023 16:12

Static task: static1 (1 signatures)
Behavioral task: behavioral1
  Sample: eaf0253303d762297bfe8a16d4011c06.dll
  Resource: win7-20231215-en
  9 signatures, 150 seconds
General

Target: eaf0253303d762297bfe8a16d4011c06.dll
Size: 2.1MB
MD5: eaf0253303d762297bfe8a16d4011c06
SHA1: 0d4f0dadb228828861593e2582044e6160edd443
SHA256: eee23c7594dadc97d779a835a31eaa189bcbb14273cdffebc64e7fef7e5ff036
SHA512: ea25b83a26e1a07782c6a88828ddc437bca8659429163ae21f53025e6f253f314244851acf176ed31746e6cd1a5e36f5186d91e531d25ee35dcb17c732e8ab9f
SSDEEP: 12288:hVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:QfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures

Processes:
  resource: behavioral2/memory/3444-4-0x0000000002470000-0x0000000002471000-memory.dmp
  yara_rule: dridex_stager_shellcode
Executes dropped EXE (3 IoCs)
Processes:
  pid   Process
  4568  ApplicationFrameHost.exe
  3032  svchost.exe
  2132  SystemPropertiesPerformance.exe
Loads dropped DLL (3 IoCs)
Processes:
  pid   Process
  4568  ApplicationFrameHost.exe
  3032  svchost.exe
  2132  SystemPropertiesPerformance.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mmiwstgfcubwacq = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\079\\shrpubw.exe"
  Process: (not recorded in the report)
Processes:
  description: Key value queried; ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA; Process: rundll32.exe
  description: Key value queried; ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA; Process: ApplicationFrameHost.exe
  description: Key value queried; ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA; Process: SystemPropertiesPerformance.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
  pid   Process
  4460  rundll32.exe (4 entries)
  3444  (process name not recorded in the report; repeated for the remaining 60 entries)
Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
  description                              pid   Process  procid_target
  PID 3444 wrote to memory of 2316         3444  (blank)  84   (listed twice)
  PID 3444 wrote to memory of 4568         3444  (blank)  85   (listed twice)
  PID 3444 wrote to memory of 952          3444  (blank)  91   (listed twice)
  PID 3444 wrote to memory of 3032         3444  (blank)  104  (listed twice)
  PID 3444 wrote to memory of 3844         3444  (blank)  87   (listed twice)
  PID 3444 wrote to memory of 2132         3444  (blank)  86   (listed twice)
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\eaf0253303d762297bfe8a16d4011c06.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID: 4460

C:\Windows\system32\ApplicationFrameHost.exe
  Command line: C:\Windows\system32\ApplicationFrameHost.exe
  PID: 2316

C:\Users\Admin\AppData\Local\Bg7M\ApplicationFrameHost.exe
  Command line: C:\Users\Admin\AppData\Local\Bg7M\ApplicationFrameHost.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 4568

C:\Users\Admin\AppData\Local\09WwKjxp\SystemPropertiesPerformance.exe
  Command line: C:\Users\Admin\AppData\Local\09WwKjxp\SystemPropertiesPerformance.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 2132

C:\Windows\system32\SystemPropertiesPerformance.exe
  Command line: C:\Windows\system32\SystemPropertiesPerformance.exe
  PID: 3844

C:\Users\Admin\AppData\Local\wKxM8\shrpubw.exe
  Command line: C:\Users\Admin\AppData\Local\wKxM8\shrpubw.exe
  PID: 3032

C:\Windows\system32\shrpubw.exe
  Command line: C:\Windows\system32\shrpubw.exe
  PID: 952

C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
  - Executes dropped EXE
  - Loads dropped DLL
  PID: 3032