Analysis
- max time kernel: 145s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20231215-en locale:en-us os:windows10-2004-x64 system
- submitted: 22-12-2023 17:05
Static task: static1
Behavioral task: behavioral1
Sample: fb1badc1eca5035ae1b98513d0cfef32.dll
Resource: win7-20231215-en
General
- Target: fb1badc1eca5035ae1b98513d0cfef32.dll
- Size: 2.8MB
- MD5: fb1badc1eca5035ae1b98513d0cfef32
- SHA1: 86c4360f82192f01f05460d7ec2c70ebe8682ef1
- SHA256: a5c474972a6ac68a91e311ba343163c82cd7762e663ddf5b030c5bae06d1e9eb
- SHA512: d863d9e1b7c5b2a57de8992797fc09357c6af64611bb05af78fa37bd5db7179b77c32267c7ee39c3c7cf4923369ee067493f1849e0a08bcf93c67efe83eb8254
- SSDEEP: 12288:YVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:NfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
-
Processes:
  resource: behavioral2/memory/3492-4-0x0000000002920000-0x0000000002921000-memory.dmp
  yara_rule: dridex_stager_shellcode
Executes dropped EXE 3 IoCs
Processes (pid, process):
  4516 SnippingTool.exe
  1472 Dxpserver.exe
  3948 DWWIN.EXE
Loads dropped DLL 3 IoCs
Processes (pid, process):
  4516 SnippingTool.exe
  1472 Dxpserver.exe
  3948 DWWIN.EXE
Adds Run key to start application 2 TTPs 1 IoCs
Processes (description, ioc, process):
  Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Kqgfxymewp = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\NETWOR~1\\9K\\DXPSER~1.EXE" (process not recorded in the report)
Checks whether UAC is enabled
Processes (description, ioc, process):
  Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA rundll32.exe
  Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA SnippingTool.exe
  Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Dxpserver.exe
  Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA DWWIN.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (pid, process):
  2024 rundll32.exe (4 entries)
  3492 (remaining 60 entries; process name not recorded in the report)
Suspicious use of UnmapMainImage 1 IoCs
Processes (pid, process):
  3492 (process name not recorded in the report)
Suspicious use of WriteProcessMemory 12 IoCs
Processes (description, pid, procid_target; process name not recorded in the report):
  PID 3492 wrote to memory of 2148 | 3492 | 100
  PID 3492 wrote to memory of 2148 | 3492 | 100
  PID 3492 wrote to memory of 4516 | 3492 | 95
  PID 3492 wrote to memory of 4516 | 3492 | 95
  PID 3492 wrote to memory of 400 | 3492 | 96
  PID 3492 wrote to memory of 400 | 3492 | 96
  PID 3492 wrote to memory of 1472 | 3492 | 99
  PID 3492 wrote to memory of 1472 | 3492 | 99
  PID 3492 wrote to memory of 3524 | 3492 | 98
  PID 3492 wrote to memory of 3524 | 3492 | 98
  PID 3492 wrote to memory of 3948 | 3492 | 97
  PID 3492 wrote to memory of 3948 | 3492 | 97
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\fb1badc1eca5035ae1b98513d0cfef32.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID: 2024
-
C:\Users\Admin\AppData\Local\RrnBa\SnippingTool.exe
  Command line: C:\Users\Admin\AppData\Local\RrnBa\SnippingTool.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 4516
-
C:\Windows\system32\Dxpserver.exe
  Command line: C:\Windows\system32\Dxpserver.exe
  PID: 400
-
C:\Users\Admin\AppData\Local\lfiHlTu\DWWIN.EXE
  Command line: C:\Users\Admin\AppData\Local\lfiHlTu\DWWIN.EXE
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 3948
-
C:\Windows\system32\DWWIN.EXE
  Command line: C:\Windows\system32\DWWIN.EXE
  PID: 3524
-
C:\Users\Admin\AppData\Local\TzCq8\Dxpserver.exe
  Command line: C:\Users\Admin\AppData\Local\TzCq8\Dxpserver.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 1472
-
C:\Windows\system32\SnippingTool.exe
  Command line: C:\Windows\system32\SnippingTool.exe
  PID: 2148