Analysis
max time kernel: 149s
max time network: 122s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 22-12-2023 16:54

Static task: static1
Behavioral task: behavioral1
Sample: f913bdd039587c029c16ebf46f2a7aa3.dll
Resource: win7-20231129-en
General
Target: f913bdd039587c029c16ebf46f2a7aa3.dll
Size: 2.3MB
MD5: f913bdd039587c029c16ebf46f2a7aa3
SHA1: f3dc9a0c28daedbe2ed05a7f74196b9e2021aaec
SHA256: bb2a735d3f812793ac73c336d9f50b5925a25a1788ebc7232e19fc2e007da26b
SHA512: a077469ee0ffc12648c43b35fed235a64f5662444da93791fc54a61ccf0b2619e279f919221555818746d70e1039d86ae70cda2f20104bcec3087a47f0d3c51f
SSDEEP: 12288:VVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1XVtag:MfP7fWsK5z9A+WGAW+V5SB6Ct4bnbX
Malware Config
Signatures
Detects Dridex stager shellcode (YARA rule dridex_stager_shellcode) 1 IoCs
Processes:
resource | yara_rule
behavioral1/memory/1268-5-0x0000000002D60000-0x0000000002D61000-memory.dmp | dridex_stager_shellcode
Executes dropped EXE 3 IoCs
Processes:
pid | Process
2488 | wbengine.exe
1684 | Netplwiz.exe
1640 | SndVol.exe
Loads dropped DLL 7 IoCs
Processes:
pid | Process
1268 | (process not named in the report)
2488 | wbengine.exe
1268 | (process not named in the report)
1684 | Netplwiz.exe
1268 | (process not named in the report)
1640 | SndVol.exe
1268 | (process not named in the report)
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mjgqrtoi = "C:\\Users\\Admin\\AppData\\Roaming\\MACROM~1\\FLASHP~1\\MACROM~1.COM\\support\\FLASHP~1\\QXICOR~1\\Netplwiz.exe" | (process not named in the report)
Checks whether UAC is enabled 4 IoCs
Processes:
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Netplwiz.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | SndVol.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | wbengine.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | Process
3004 | rundll32.exe (3 rows)
1268 | (process not named in the report) (61 rows)
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
description | pid | Process | procid_target
PID 1268 wrote to memory of 2452 | 1268 | (not named) | 28 (3 rows)
PID 1268 wrote to memory of 2488 | 1268 | (not named) | 29 (3 rows)
PID 1268 wrote to memory of 1904 | 1268 | (not named) | 31 (3 rows)
PID 1268 wrote to memory of 1684 | 1268 | (not named) | 30 (3 rows)
PID 1268 wrote to memory of 1804 | 1268 | (not named) | 33 (3 rows)
PID 1268 wrote to memory of 1640 | 1268 | (not named) | 32 (3 rows)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (every entry is at tree depth 1; the report shows no parent for any of them)

C:\Windows\system32\rundll32.exe
Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f913bdd039587c029c16ebf46f2a7aa3.dll,#1
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID: 3004

C:\Windows\system32\wbengine.exe
Command line: C:\Windows\system32\wbengine.exe
PID: 2452

C:\Users\Admin\AppData\Local\G0nRpQt9\wbengine.exe
Command line: C:\Users\Admin\AppData\Local\G0nRpQt9\wbengine.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID: 2488

C:\Users\Admin\AppData\Local\TLTWrYu9\Netplwiz.exe
Command line: C:\Users\Admin\AppData\Local\TLTWrYu9\Netplwiz.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID: 1684

C:\Windows\system32\Netplwiz.exe
Command line: C:\Windows\system32\Netplwiz.exe
PID: 1904

C:\Users\Admin\AppData\Local\HqmwQs2\SndVol.exe
Command line: C:\Users\Admin\AppData\Local\HqmwQs2\SndVol.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID: 1640

C:\Windows\system32\SndVol.exe
Command line: C:\Windows\system32\SndVol.exe
PID: 1804