Analysis
  max time kernel: 62s
  max time network: 166s
  platform: windows10-2004_x64
  resource: win10v2004-20231215-en
  resource tags: arch:x64 arch:x86 image:win10v2004-20231215-en locale:en-us os:windows10-2004-x64 system
  submitted: 22-12-2023 17:08
  Static task: static1
  Behavioral task: behavioral1
    Sample: fb8ef1d9b849463e08f469bc0ab5ab58.dll
    Resource: win7-20231215-en
General
  Target: fb8ef1d9b849463e08f469bc0ab5ab58.dll
  Size: 2.9MB
  MD5: fb8ef1d9b849463e08f469bc0ab5ab58
  SHA1: 732ed4aaebbfce62885e91d1e76bfe60327a4454
  SHA256: 19988509d5eafd5dbd7ece29cfbe82adec569eea950c757aca5053e34c0ab652
  SHA512: c77e066d96627df6d7ff281ca026683d32c96e13b702a27eb39a84524f816d685969c32cf70ae25af56d27a8a07a11f9da32885675dfd896bc7b7cacab4eb954
  SSDEEP: 12288:WVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:LfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
  YARA rule match
    resource: behavioral2/memory/3420-4-0x0000000002260000-0x0000000002261000-memory.dmp
    yara_rule: dridex_stager_shellcode
  Executes dropped EXE (3 IoCs)
    pid   Process
    4336  EaseOfAccessDialog.exe
    4592  wscript.exe
    3328  dwm.exe
  Loads dropped DLL (6 IoCs)
    pid   Process
    4336  EaseOfAccessDialog.exe
    4592  wscript.exe
    3328  dwm.exe
    3328  dwm.exe
    3328  dwm.exe
    3328  dwm.exe
  Adds Run key to start application (2 TTPs, 1 IoC)
    description: Set value (str)
    ioc: \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qoccyyzfzcu = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\SYSTEM~1\\IVdzMcn\\wscript.exe"
  Registry key value queried (EnableLUA)
    description        ioc                                                                              Process
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  EaseOfAccessDialog.exe
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  wscript.exe
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  dwm.exe
  Suspicious behavior: EnumeratesProcesses (64 IoCs)
    pid   Process
    4308  rundll32.exe (4 entries)
    3420  (process name not listed on the page; 60 entries)
  Suspicious use of FindShellTrayWindow (2 IoCs)
    pid   Process
    3420  (process name not listed on the page; 2 entries)
  Suspicious use of WriteProcessMemory (12 IoCs)
    description                        pid   procid_target
    PID 3420 wrote to memory of 3444   3420  91
    PID 3420 wrote to memory of 3444   3420  91
    PID 3420 wrote to memory of 4336   3420  92
    PID 3420 wrote to memory of 4336   3420  92
    PID 3420 wrote to memory of 4140   3420  93
    PID 3420 wrote to memory of 4140   3420  93
    PID 3420 wrote to memory of 4592   3420  94
    PID 3420 wrote to memory of 4592   3420  94
    PID 3420 wrote to memory of 644    3420  95
    PID 3420 wrote to memory of 644    3420  95
    PID 3420 wrote to memory of 3328   3420  96
    PID 3420 wrote to memory of 3328   3420  96
  Uses Task Scheduler COM API (1 TTP)
    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
  C:\Windows\system32\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\fb8ef1d9b849463e08f469bc0ab5ab58.dll,#1
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    PID: 4308
  C:\Windows\system32\EaseOfAccessDialog.exe
    command line: C:\Windows\system32\EaseOfAccessDialog.exe
    PID: 3444
  C:\Users\Admin\AppData\Local\kLCxF\EaseOfAccessDialog.exe
    command line: C:\Users\Admin\AppData\Local\kLCxF\EaseOfAccessDialog.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks whether UAC is enabled
    PID: 4336
  C:\Windows\system32\wscript.exe
    command line: C:\Windows\system32\wscript.exe
    PID: 4140
  C:\Users\Admin\AppData\Local\T5yJOKTt5\wscript.exe
    command line: C:\Users\Admin\AppData\Local\T5yJOKTt5\wscript.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks whether UAC is enabled
    PID: 4592
  C:\Windows\system32\dwm.exe
    command line: C:\Windows\system32\dwm.exe
    PID: 644
  C:\Users\Admin\AppData\Local\ugamhhU\dwm.exe
    command line: C:\Users\Admin\AppData\Local\ugamhhU\dwm.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks whether UAC is enabled
    PID: 3328
Network
MITRE ATT&CK Enterprise v15
Downloads
  (dropped file, path not listed)
    Filesize: 1KB
    MD5: 491b00d841270ff775380a96094227f9
    SHA1: 740de435a8ccb85620e22065afec80889c4f108c
    SHA256: 06a396676bae7cb0c5b785b80cb2207f0fdc56796a04128110689bd2008a1cc9
    SHA512: 075bd44f44590e7da3357ac55f3829723164df8746cc57b94deae8515742f1f49198755369fac0ae64c7c33c0021c0df225f269684f45531d5c99d0692cd3bc4
  (dropped file, path not listed)
    Filesize: 63KB
    MD5: d212d026e6fb7643def7dcd1723b501c
    SHA1: 1ab54c8c1ad60e4350c6029ce4c738e90e0f67cc
    SHA256: 3424209deee7a833fc5e504d37ed282a5f287cd600dce1bffaa46b2ed78245b0
    SHA512: be3eb83bc0f375c838c96e221a29a7a23dfa39c5b685dabb7cec9407171458c713d9adbce8feb2ff5a3ea99b7e011ec0de63e14031b36558bc3a49bfd94f148d
  (dropped file, path and size not listed; these are the well-known digests of a zero-byte file)
    MD5: d41d8cd98f00b204e9800998ecf8427e
    SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
    SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
    SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\IVdzMcn\VERSION.dll
    Filesize: 106KB
    MD5: 331e98defeb6cc255eb8f24afe44957b
    SHA1: 2fc7da85b0bc6194f8eec81a1156be7582710a4c
    SHA256: 29e5d85b84dd1b7791d5f5892d786491b24a9e780924232e4c9a4e94c08973df
    SHA512: 6be0e98269fb019c86a9ee7016ad6b1c8a500279255c390188e4374ef81c63e2f083d682c09fe30cc3287478dc2fafd3b6bd0270eb440a0553b89cc3289fc9db