Analysis
max time kernel: 155s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-12-2023 16:54
Static task: static1
Behavioral task: behavioral1
Sample: f913bdd039587c029c16ebf46f2a7aa3.dll
Resource: win7-20231129-en
General
Target: f913bdd039587c029c16ebf46f2a7aa3.dll
Size: 2.3MB
MD5: f913bdd039587c029c16ebf46f2a7aa3
SHA1: f3dc9a0c28daedbe2ed05a7f74196b9e2021aaec
SHA256: bb2a735d3f812793ac73c336d9f50b5925a25a1788ebc7232e19fc2e007da26b
SHA512: a077469ee0ffc12648c43b35fed235a64f5662444da93791fc54a61ccf0b2619e279f919221555818746d70e1039d86ae70cda2f20104bcec3087a47f0d3c51f
SSDEEP: 12288:VVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1XVtag:MfP7fWsK5z9A+WGAW+V5SB6Ct4bnbX
Malware Config
Signatures
Processes:
  resource                                                                    yara_rule
  behavioral2/memory/3536-4-0x0000000003490000-0x0000000003491000-memory.dmp  dridex_stager_shellcode
Executes dropped EXE 3 IoCs
Processes:
  pid   Process
  1416  unregmp2.exe
  2916  SystemPropertiesDataExecutionPrevention.exe
  2804  PresentationHost.exe
Loads dropped DLL 4 IoCs
Processes:
  pid   Process
  1416  unregmp2.exe
  2916  SystemPropertiesDataExecutionPrevention.exe
  2804  PresentationHost.exe
  2804  PresentationHost.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  description      ioc                                                                                                                                                                                                                                        Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Loeeeopgcaia = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\OneNote\\16.0\\34HqLHkCE\\SystemPropertiesDataExecutionPrevention.exe"  (not recorded)
Checks whether UAC is enabled
Processes:
  description        ioc                                                                              Process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  unregmp2.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  SystemPropertiesDataExecutionPrevention.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  PresentationHost.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
  pid   Process
  4664  rundll32.exe   (4 entries)
  3536  (not recorded) (all remaining entries, 64 IoCs in total)
Suspicious use of UnmapMainImage 1 IoCs
Processes:
  pid   Process
  3536  (not recorded)
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
  description                       pid   Process         procid_target
  PID 3536 wrote to memory of 1636  3536  (not recorded)  94
  PID 3536 wrote to memory of 1636  3536  (not recorded)  94
  PID 3536 wrote to memory of 1416  3536  (not recorded)  96
  PID 3536 wrote to memory of 1416  3536  (not recorded)  96
  PID 3536 wrote to memory of 4460  3536  (not recorded)  97
  PID 3536 wrote to memory of 4460  3536  (not recorded)  97
  PID 3536 wrote to memory of 2916  3536  (not recorded)  99
  PID 3536 wrote to memory of 2916  3536  (not recorded)  99
  PID 3536 wrote to memory of 2524  3536  (not recorded)  101
  PID 3536 wrote to memory of 2524  3536  (not recorded)  101
  PID 3536 wrote to memory of 2804  3536  (not recorded)  102
  PID 3536 wrote to memory of 2804  3536  (not recorded)  102
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f913bdd039587c029c16ebf46f2a7aa3.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID:4664

C:\Windows\system32\unregmp2.exe
  command line: C:\Windows\system32\unregmp2.exe
  PID:1636

C:\Users\Admin\AppData\Local\bHti\unregmp2.exe
  command line: C:\Users\Admin\AppData\Local\bHti\unregmp2.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID:1416

C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
  command line: C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
  PID:4460

C:\Users\Admin\AppData\Local\Bv36x3nm\SystemPropertiesDataExecutionPrevention.exe
  command line: C:\Users\Admin\AppData\Local\Bv36x3nm\SystemPropertiesDataExecutionPrevention.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID:2916

C:\Windows\system32\PresentationHost.exe
  command line: C:\Windows\system32\PresentationHost.exe
  PID:2524

C:\Users\Admin\AppData\Local\Xk6\PresentationHost.exe
  command line: C:\Users\Admin\AppData\Local\Xk6\PresentationHost.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID:2804
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 85KB
MD5: 7c0a028fc05e9f7b75472b63c0d377db
SHA1: 714eacb879a5245fcab91c5cf5bdaf6a1e8c9568
SHA256: d545a3733827a9e3d7b6a66d508882d1edfd168a44d44f82ff8465b5a18d5313
SHA512: e7c7f7916f76357f9418c70b0810365cdda426aff34fe83e321da82f52f52de36b02da2c82575c0fae68edc27ca4682ad61b48a0580d2bff0ddd1bd006aef391

Filesize: 78KB
MD5: a16879296d0b96aea8f19ef9c131cfd3
SHA1: 7c8b8504596b4186530138fb14668a74e34493b3
SHA256: c464b4e8b4f0df471fd3baab66069159d2a34e17d63c8b92c0b8fcaabfa59119
SHA512: e9f9c6fca6af397d5eb8e57f79a42a984b2e8bfe6b97d095d4b7b3ab613847b16db950732800321f0416fea396cbfcdd6c54f648213a5ac6603cd4c4e624264e

Filesize: 82KB
MD5: de58532954c2704f2b2309ffc320651d
SHA1: 0a9fc98f4d47dccb0b231edf9a63309314f68e3b
SHA256: 1f810658969560f6e7d7a14f71d1196382e53b984ca190fa9b178ac4a32acfb3
SHA512: d4d57cc30d9079f4e9193ba42631e8e53d86b22e9c655d7a8c25e5be0e5e1d6dfff4714ddc23e3e392809d623b4f8d43c63893f74c325fc77459ac03c7a451ed

Filesize: 57KB
MD5: 1e6ba1a53e4f793138878b5fa93585ef
SHA1: aa055c7f831bc1aec16ae21e265c967c1fa207a2
SHA256: 92f38a109114a23b43996150ef5c53eb91c1390da259f742a6249dd40ee2fefa
SHA512: 028c7d3faa735080d8424707642cd23c4bf2866050b5ff2b6ffe70e0d901ca4320f6ed66870dcd06f18579f4619aa34c0a9cb56566cab149a674161feac1e6a6

Filesize: 25KB
MD5: cf4b84c8568020da54bfc4481c1cc115
SHA1: 02eee5515acfd2e20220e75269fe71f13dedc938
SHA256: e9325f6c7a28417e3c224eaedf672cab77b68b93f91a75e49aa57960e54423f9
SHA512: 000ec4c33e53eb334a072ff3e3c1f29b88ed2283715390b88da4cda356a8a7e10fe816335bc2ed7ff6e5af92df187ecddd092e24c1353b47264f4460d5526135

Filesize: 166KB
MD5: ece6ed2d4a39db18536a212ac2d11c39
SHA1: d0a4fba83ff4961f99a26740c7cc3eacdc863ef0
SHA256: f2dd1b7944c04dde1676260a552bfdc03f653d0d9b92ecf568c5e44e237ac00c
SHA512: d76555d725180fae9d4624a44f0e456e9d5c10302803048506a7059b85f57b6c1a6b40be9f29b1ce229bda7fcdb4acfaaa6d1c8845101fd6aa3811825e35a620

Filesize: 92KB
MD5: 9334cf43c0b41427ed1097db33352fad
SHA1: 836033895cc1739ecfc37588affd6f4867b5af9d
SHA256: 2739d7c20f6d8549979aba70c7de71238a2da9e067b71d5df138fe7c969e1533
SHA512: 1f9aeda357da4f0938bd9f2ffbcfd8622e49f056d7d6569d975efe91a108cab17ca6f6fcf5f2b271ab4840e3e8ff38274c6bde0b857a303ecb02731238290166

Filesize: 149KB
MD5: 7105d18403596578c72ac790156a4f78
SHA1: 319d6cdb431c63c229f010d9b0fcf12bec2d9d0a
SHA256: 3f97bf5c22aad698a2a63b708052e8eab89d0e23c45472cddde03758018e640b
SHA512: f5cff107c2dcc31be5c2ef68773d8e3b5e364fc98287b478367916fd98a950d9f397c3dab00ca3cb62a9f0cb0921b51634c0f7482738b805dd04fa968ce226b2

Filesize: 259KB
MD5: 4b61bc934de9b2f6b67b35b5a26a96fa
SHA1: 4012d66936c4f05a01ab5e047e732894b1b3acdc
SHA256: d9e7183d3f4b39351c6e25633b6cd019f22bbf4bcd0644141452a6d0c77609cc
SHA512: 833bcc85c9732bf1761fdc0d92c924cdfed6de6977c3b7a96096a1a681b0096e0a2f00175a9552a9299dbc2d103e088b5ad1a30c32c9af92a8770b1be21382f4

Filesize: 157KB
MD5: a88baa8ca4898c8db7976407ca71db73
SHA1: 04d6a6296a819011497115be4194f728885da5fe
SHA256: 0329c59c933f067dea2bff037416b979587905678c68cd8e06b8d0c3d10e8321
SHA512: 1d6ac00f7c952135c0eb3e5cbd89487c6720058a469e8a5e81a69e6afab85af26349cef0b0366a161983d2016019478e974f66bbb0bbcf3bb4f4797bd9c448a2

Filesize: 102KB
MD5: 32f00fa6bc91aa712b00765693bf27f6
SHA1: 8e36d7b60f5319a9fdd58cefe8722b680a9746e2
SHA256: 45023db3ef9aec7506a25f51cd644fcdea841a1a265f0b8bcca85f06fc4f4523
SHA512: c6cfb0ee278f4f20cf2a29bcde5d592d9e3021ac3c9d554c6fa66332ee89a6d61a39159e189b10c0849eeff18cee8fa405ac573eec13442c0a1543983cf8aebf

Filesize: 1.3MB
MD5: 21806e1e6fd4d973d1aad8022ff20555
SHA1: 549fe8e6bdba4809b7d5f932237ca53a93b84558
SHA256: ca7c055629d7eb343bc77954438ccbb6566b4c8d44cc80d638a908ded212f5af
SHA512: 21732354f9e70f35e91df96d9a2819563db33c99d2555576514664084c1413776841925a520ffbe89fe6ed3b2cf1294f82bc64d1c741358b6e85b79c0e323585

Filesize: 1KB
MD5: f4cc64aa779e0c5827695fa57ac6e59d
SHA1: 080282c895f44ab22c89a4339d7e9d3894cb1a62
SHA256: 9bf0e4f3d073e3068344d2587e067aa7b7a166ba3d287604a129ae6d39be32bf
SHA512: dd6f886d8e20805ef39a6b32f1d22ebab91053b45c937974a5e2412328f709bbab0fc7b1e6e0dbcee8ff93c960f7f4f4980fd288dbd9ca1c875b4266b106737d

Filesize: 2.3MB
MD5: ca65f4f663506c3bab3c4be29f6f4e56
SHA1: 80cd87fec2602dc9eeda1ce68a0c0a9ce76a6d55
SHA256: c1db4dd88925a52f5dcf86b8d31cecf91f8a37c0a0bc208441dd93b6c1f91fca
SHA512: f1e61fd1470144e7eaa9c219af6690188ac7d5ca4818a6dc0cbff4d35d3356e3ce8ca66eba300337490079bee2a26b450694660c2791d068752c8c73d4902810

Filesize: 1.7MB
MD5: 090f382cbd955a049c55471b2aa7c68b
SHA1: a3c21dc010d0dccacde7ce4bf5778a945abc6cca
SHA256: 4e372768c1f3bed2f0b2ea3c17a34a223d7f41c2e45a7217d96abf321a2a02e5
SHA512: 1c25df05965b4d1a23c5a82f9a40ded5417cda105d1c5e3bd417a3b0f7cb6fa20412093f0cbec3215b44987d69cd9f3c91a69996aca32ee8a2bc96e3b1468b89