Analysis
- max time kernel: 25s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22-12-2023 16:55

Static task: static1 (1 signature)

Behavioral task: behavioral1
- Sample: f9e085979ac5b10ef9a83a6f8868e1fc.dll
- Resource: win7-20231215-en
- 9 signatures
- 150 seconds
General
- Target: f9e085979ac5b10ef9a83a6f8868e1fc.dll
- Size: 1.7MB
- MD5: f9e085979ac5b10ef9a83a6f8868e1fc
- SHA1: 7c42dbd22414ee2aae7b3f49caec1c0445e508fb
- SHA256: a671bbc23d90a0c52a986365e1622ccfcdbe1cfc3eb4f6868ad8a11739351287
- SHA512: f185aea760b9910b08b631a997c644fcc01f4a803a794e150b1254cccf07e6c779191028c242ac0237d3e295910c3e0d9a6a7d1f49e4fe130b772b21f292f101
- SSDEEP: 12288:HVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:ufP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
- Processes:
  resource: behavioral2/memory/3480-4-0x00000000007A0000-0x00000000007A1000-memory.dmp
  yara_rule: dridex_stager_shellcode
- Executes dropped EXE (3 IoCs)
  Processes (pid / Process):
  3300 bdechangepin.exe
  3244 unregmp2.exe
  2308 SppExtComObj.Exe
- Loads dropped DLL (3 IoCs)
  Processes (pid / Process):
  3300 bdechangepin.exe
  3244 unregmp2.exe
  2308 SppExtComObj.Exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes (description / ioc / Process):
  Set value (str) | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qzenv = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\QUICKL~1\\USERPI~1\\lnKh\\unregmp2.exe" | (process not recorded)
- Checks whether UAC is enabled
  Processes (description / ioc / Process):
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | bdechangepin.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | unregmp2.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | SppExtComObj.Exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid / Process):
  1652 rundll32.exe (4 entries)
  3480 (remaining entries; no image name recorded)
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description / pid / Process / procid_target), each event recorded twice:
  PID 3480 wrote to memory of 1596 | 3480 | (not recorded) | 73
  PID 3480 wrote to memory of 1596 | 3480 | (not recorded) | 73
  PID 3480 wrote to memory of 3300 | 3480 | (not recorded) | 80
  PID 3480 wrote to memory of 3300 | 3480 | (not recorded) | 80
  PID 3480 wrote to memory of 3704 | 3480 | (not recorded) | 78
  PID 3480 wrote to memory of 3704 | 3480 | (not recorded) | 78
  PID 3480 wrote to memory of 3244 | 3480 | (not recorded) | 77
  PID 3480 wrote to memory of 3244 | 3480 | (not recorded) | 77
  PID 3480 wrote to memory of 2452 | 3480 | (not recorded) | 76
  PID 3480 wrote to memory of 2452 | 3480 | (not recorded) | 76
  PID 3480 wrote to memory of 2308 | 3480 | (not recorded) | 75
  PID 3480 wrote to memory of 2308 | 3480 | (not recorded) | 75
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f9e085979ac5b10ef9a83a6f8868e1fc.dll,#1
  PID: 1652
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\bdechangepin.exe
  Command line: C:\Windows\system32\bdechangepin.exe
  PID: 1596
- C:\Users\Admin\AppData\Local\ndH\SppExtComObj.Exe
  Command line: C:\Users\Admin\AppData\Local\ndH\SppExtComObj.Exe
  PID: 2308
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\SppExtComObj.Exe
  Command line: C:\Windows\system32\SppExtComObj.Exe
  PID: 2452
- C:\Users\Admin\AppData\Local\f3da3fCG\unregmp2.exe
  Command line: C:\Users\Admin\AppData\Local\f3da3fCG\unregmp2.exe
  PID: 3244
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\unregmp2.exe
  Command line: C:\Windows\system32\unregmp2.exe
  PID: 3704
- C:\Users\Admin\AppData\Local\kte0mD\bdechangepin.exe
  Command line: C:\Users\Admin\AppData\Local\kte0mD\bdechangepin.exe
  PID: 3300
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled