Analysis
- max time kernel: 112s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22-12-2023 16:27
Static task: static1
Behavioral task: behavioral1
Sample: efedcd108046b223d56049091b408298.dll
Resource: win7-20231215-en
General
- Target: efedcd108046b223d56049091b408298.dll
- Size: 1.5MB
- MD5: efedcd108046b223d56049091b408298
- SHA1: b0c68d9918ab0bfc3b2a165eafb67a5dc5de9d35
- SHA256: 1f4c47d15d65d51f2b6dd680a7318d3639e0cfbcad702ba30e93a4a301d1ac06
- SHA512: 682aa16df911870f710d7468cd87af0885572a043209797d0d092316811644e194187fdcb523502f79d30d85fa959be955eb8072e2815130f5b596d96f540f10
- SSDEEP: 12288:iVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:/fP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
- YARA rule match (signature title not present in the report)
  Processes (resource, yara_rule):
  - resource: behavioral2/memory/3592-4-0x0000000002840000-0x0000000002841000-memory.dmp
    yara_rule: dridex_stager_shellcode
- Executes dropped EXE 4 IoCs
  Processes (pid, Process):
  - 1764 psr.exe
  - 3712 consent.exe
  - 4212 cmstp.exe
  - 1868 WMPDMC.exe
- Loads dropped DLL 4 IoCs
  Processes (pid, Process):
  - 1764 psr.exe
  - 4212 cmstp.exe
  - 4212 cmstp.exe
  - 1868 WMPDMC.exe
- Adds Run key to start application 2 TTPs 1 IoCs
  Processes (description, ioc, Process):
  - Set value (str): \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qoccyyzfzcu = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\dHPI5R8WWrB\\cmstp.exe" (process column empty in the report)
- Checks whether UAC is enabled
  Processes (description, ioc, Process):
  - Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (rundll32.exe)
  - Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (psr.exe)
  - Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (cmstp.exe)
  - Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (WMPDMC.exe)
- Suspicious behavior: EnumeratesProcesses 64 IoCs
  Processes (pid, Process):
  - 4296 rundll32.exe (4 entries)
  - 3592, no process name recorded (60 entries)
- Suspicious use of WriteProcessMemory 16 IoCs
  Processes (description, pid, Process, procid_target); each entry appears twice in the report, the Process column is empty:
  - PID 3592 wrote to memory of 740, pid 3592, procid_target 89
  - PID 3592 wrote to memory of 1764, pid 3592, procid_target 88
  - PID 3592 wrote to memory of 4596, pid 3592, procid_target 90
  - PID 3592 wrote to memory of 3712, pid 3592, procid_target 97
  - PID 3592 wrote to memory of 1908, pid 3592, procid_target 91
  - PID 3592 wrote to memory of 4212, pid 3592, procid_target 95
  - PID 3592 wrote to memory of 3572, pid 3592, procid_target 93
  - PID 3592 wrote to memory of 1868, pid 3592, procid_target 94
- Uses Task Scheduler COM API 1 TTPs
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (all entries at tree depth 1)
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\efedcd108046b223d56049091b408298.dll,#1
  PID: 4296
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
- C:\Users\Admin\AppData\Local\G6u9N\psr.exe
  Command line: C:\Users\Admin\AppData\Local\G6u9N\psr.exe
  PID: 1764
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\psr.exe
  Command line: C:\Windows\system32\psr.exe
  PID: 740
- C:\Windows\system32\consent.exe
  Command line: C:\Windows\system32\consent.exe
  PID: 4596
- C:\Windows\system32\cmstp.exe
  Command line: C:\Windows\system32\cmstp.exe
  PID: 1908
- C:\Windows\system32\WMPDMC.exe
  Command line: C:\Windows\system32\WMPDMC.exe
  PID: 3572
- C:\Users\Admin\AppData\Local\nyjLiKKi\WMPDMC.exe
  Command line: C:\Users\Admin\AppData\Local\nyjLiKKi\WMPDMC.exe
  PID: 1868
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Users\Admin\AppData\Local\Po1\cmstp.exe
  Command line: C:\Users\Admin\AppData\Local\Po1\cmstp.exe
  PID: 4212
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Users\Admin\AppData\Local\sXDkX4\consent.exe
  Command line: C:\Users\Admin\AppData\Local\sXDkX4\consent.exe
  PID: 3712
  - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads