Analysis

max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-12-2023 16:27

Static task: static1
Behavioral task: behavioral1
Sample: ef80a26b9b53544e6ece76e1f163edfe.dll
Resource: win7-20231215-en
General

Target: ef80a26b9b53544e6ece76e1f163edfe.dll
Size: 3.5MB
MD5: ef80a26b9b53544e6ece76e1f163edfe
SHA1: c15d4c24a6039135c6d9c694c547afe9d5f32941
SHA256: 3e4452a0f8ad4d71bf7fa8a9f39acd16c2dc8480781308d33208229f188f6540
SHA512: d5504b28d1c8197f1419f42f3f6eb3f68683facc95957a3d1b2a7e221fba07aeccdb3cfc1adb097637b8a92f7db6289ddf2a31a5a56ae02d20c108dffdc0ed5a
SSDEEP: 12288:6VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ17dv:nfP7fWsK5z9A+WGAW+V5SB6Ct4bnbZ
Malware Config
Signatures
-
YARA rule match (memory dump of PID 3396)
  resource:  behavioral2/memory/3396-5-0x0000000002CB0000-0x0000000002CB1000-memory.dmp
  yara_rule: dridex_stager_shellcode
Executes dropped EXE (3 IoCs)
  pid    Process
  1092   dxgiadaptercache.exe
  4440   MoUsoCoreWorker.exe
  896    FXSCOVER.exe
Loads dropped DLL (4 IoCs)
  pid    Process
  1092   dxgiadaptercache.exe
  1092   dxgiadaptercache.exe
  4440   MoUsoCoreWorker.exe
  896    FXSCOVER.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mmiwstgfcubwacq = "C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1232405761-1209240240-3206092754-1000\uBs\MoUsoCoreWorker.exe"
  Process: (not recorded)
Checks whether UAC is enabled
  description          ioc                                                                                     Process
  Key value queried    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA    dxgiadaptercache.exe
  Key value queried    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA    MoUsoCoreWorker.exe
  Key value queried    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA    FXSCOVER.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid    Process                              entries
  860    regsvr32.exe                         4
  3396   (image not named in this report)     60
Suspicious use of UnmapMainImage (1 IoC)
  pid    Process
  3396   (image not named in this report)
Suspicious use of WriteProcessMemory (12 IoCs)
  description                   source pid   target pid   procid_target   entries
  PID 3396 wrote to memory of   3396         1976         92              2
  PID 3396 wrote to memory of   3396         1092         96              2
  PID 3396 wrote to memory of   3396         3932         93              2
  PID 3396 wrote to memory of   3396         4440         95              2
  PID 3396 wrote to memory of   3396         4676         94              2
  PID 3396 wrote to memory of   3396         896          98              2
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\regsvr32.exe
  command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ef80a26b9b53544e6ece76e1f163edfe.dll
  PID: 860
  - Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\dxgiadaptercache.exe
  command line: C:\Windows\system32\dxgiadaptercache.exe
  PID: 1976
-
C:\Windows\system32\MoUsoCoreWorker.exe
  command line: C:\Windows\system32\MoUsoCoreWorker.exe
  PID: 3932
-
C:\Windows\system32\FXSCOVER.exe
  command line: C:\Windows\system32\FXSCOVER.exe
  PID: 4676
-
C:\Users\Admin\AppData\Local\hRSYc8\MoUsoCoreWorker.exe
  command line: C:\Users\Admin\AppData\Local\hRSYc8\MoUsoCoreWorker.exe
  PID: 4440
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
-
C:\Users\Admin\AppData\Local\YhM\dxgiadaptercache.exe
  command line: C:\Users\Admin\AppData\Local\YhM\dxgiadaptercache.exe
  PID: 1092
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
-
C:\Users\Admin\AppData\Local\5zk8\FXSCOVER.exe
  command line: C:\Users\Admin\AppData\Local\5zk8\FXSCOVER.exe
  PID: 896
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
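The process list above shows the sample's side-loading pattern: three genuine System32 binaries (dxgiadaptercache.exe, MoUsoCoreWorker.exe, FXSCOVER.exe) are launched from their real location, then same-named copies run from random directories under %LOCALAPPDATA%, where each loads a dropped DLL, and a further copy under %APPDATA% is registered in the HKCU Run key. The following hunting script is an added example, not part of this report or of the sandbox's tooling; it encodes that pattern as three checks and runs them over records constructed from the report. Assumptions: the parent PID of the six launched binaries is 3396 (the process the WriteProcessMemory signature shows writing into each of them; the report does not name its image), the parent of the initial regsvr32.exe is unknown and set to 0, the Run-key dictionary is constructed with one benign entry added for contrast, and the set of system binary names is hard-coded where a real hunt would use a file inventory from a clean host.

```python
import ntpath
import re
from collections import defaultdict
from dataclasses import dataclass

# Binaries named in the report: legitimate Windows executables that the
# sample copied out of System32 next to a dropped DLL.  Hard-coded here as
# an assumption; a real hunt would use a clean-host file inventory.
SYSTEM_BINARIES = {"dxgiadaptercache.exe", "mousocoreworker.exe", "fxscover.exe"}

USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\", re.I)
SYSTEM_DIR = re.compile(r"^[a-z]:\\windows\\(system32|syswow64)\\", re.I)


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (Sysmon event ID 1 style)."""
    pid: int
    parent_pid: int
    image: str


# Constructed from the process list in the report.  Parent PID 3396 for the
# six launched binaries is an assumption (see lead-in); regsvr32's parent is
# not given and is set to 0.
SAMPLE_EVENTS = [
    ProcEvent(860, 0, r"C:\Windows\system32\regsvr32.exe"),
    ProcEvent(1976, 3396, r"C:\Windows\system32\dxgiadaptercache.exe"),
    ProcEvent(3932, 3396, r"C:\Windows\system32\MoUsoCoreWorker.exe"),
    ProcEvent(4676, 3396, r"C:\Windows\system32\FXSCOVER.exe"),
    ProcEvent(4440, 3396, r"C:\Users\Admin\AppData\Local\hRSYc8\MoUsoCoreWorker.exe"),
    ProcEvent(1092, 3396, r"C:\Users\Admin\AppData\Local\YhM\dxgiadaptercache.exe"),
    ProcEvent(896, 3396, r"C:\Users\Admin\AppData\Local\5zk8\FXSCOVER.exe"),
]

# Constructed HKCU\...\Run contents: the value from the report plus a benign
# entry (the OneDrive line is invented for contrast).
SAMPLE_RUN_VALUES = {
    "Mmiwstgfcubwacq": r'"C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1232405761-1209240240-3206092754-1000\uBs\MoUsoCoreWorker.exe"',
    "OneDrive": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background',
}


def relocated_system_binaries(events):
    """PIDs whose image carries a System32 binary's name but runs from a
    user-writable profile directory: the side-loading host pattern."""
    hits = []
    for ev in events:
        name = ntpath.basename(ev.image).lower()
        if name in SYSTEM_BINARIES and USER_WRITABLE.match(ev.image) and not SYSTEM_DIR.match(ev.image):
            hits.append((ev.pid, ev.image))
    return hits


def decoy_pairs(events):
    """Stronger signal: the same parent launches the genuine System32 binary
    and a same-named copy from a user directory.  Returns name -> (genuine, copy).
    Not limited to SYSTEM_BINARIES, so it generalises to any relocated binary."""
    by_parent = defaultdict(lambda: defaultdict(dict))
    for ev in events:
        name = ntpath.basename(ev.image).lower()
        if SYSTEM_DIR.match(ev.image):
            by_parent[ev.parent_pid][name]["genuine"] = ev.image
        elif USER_WRITABLE.match(ev.image):
            by_parent[ev.parent_pid][name]["copy"] = ev.image
    pairs = {}
    for names in by_parent.values():
        for name, seen in names.items():
            if "genuine" in seen and "copy" in seen:
                pairs[name] = (seen["genuine"], seen["copy"])
    return pairs


def suspicious_run_values(run_values):
    """Run-key entries whose executable path lies under a user profile.
    Handles both quoted and unquoted command lines."""
    flagged = {}
    for name, data in run_values.items():
        target = data.strip()
        target = target[1:].split('"', 1)[0] if target.startswith('"') else target.split(" ", 1)[0]
        if USER_WRITABLE.match(target):
            flagged[name] = target
    return flagged


if __name__ == "__main__":
    for pid, image in relocated_system_binaries(SAMPLE_EVENTS):
        print(f"relocated system binary: pid {pid} {image}")
    for name, (genuine, copy) in decoy_pairs(SAMPLE_EVENTS).items():
        print(f"decoy pair for {name}: {genuine} -> {copy}")
    for name, target in suspicious_run_values(SAMPLE_RUN_VALUES).items():
        print(f"persistence: Run\\{name} = {target}")
```

On the constructed records the first check flags PIDs 896, 1092 and 4440, the second pairs each of the three names with its System32 original, and the third flags only Mmiwstgfcubwacq. The pairing check is the one worth keeping in production: a single process starting both the real binary and a copy of it from a user directory has few benign explanations, whereas a lone executable under AppData is common.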
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 32KB
MD5: 83031cf1450e516aedc8c530151c0414
SHA1: 7b9809a01920af7a1e452ed16081d9daa38cf019
SHA256: dd3365e977ff2978959f820a75f09a91bd881a45d17dc9f2a509737f98ae7d2e
SHA512: cfbafe2bfda1983bd9a44f065f0a808f471d98244bcbe64bcbeae04a18236b12da9b9b96684b0b1d72ed46836d60d119b487ee54924933938a7d22243ee1b778