Analysis
max time kernel: 150s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-12-2023 17:21
Static task: static1
Behavioral task: behavioral1
Sample: ffc534d7f4ae842b482459d6c9bdf83b.dll
Resource: win7-20231215-en
General
Target: ffc534d7f4ae842b482459d6c9bdf83b.dll
Size: 1.5MB
MD5: ffc534d7f4ae842b482459d6c9bdf83b
SHA1: df4a15d08f9d32f13438cf5b5f517f435efce2e9
SHA256: edd5115e384baca646c21047b643317e71d268059851bb97426d07b1b9db9c23
SHA512: 7d5a0725bc4c191101647e0d979acc647c500e52fb8c4986a7ffff44224d5b5f331079acf77c734169a84e6c248c5f1661f74a5c1e9348d15c3392bc3cc69d78
SSDEEP: 12288:ZVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:YfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
-
Yara rule match (memory dump)
  resource: behavioral2/memory/3480-4-0x0000000002A80000-0x0000000002A81000-memory.dmp
  yara_rule: dridex_stager_shellcode
-
Executes dropped EXE 3 IoCs
  pid   Process
  3996  BdeUISrv.exe
  2212  OptionalFeatures.exe
  372   BdeUISrv.exe
-
Loads dropped DLL 3 IoCs
  pid   Process
  3996  BdeUISrv.exe
  2212  OptionalFeatures.exe
  372   BdeUISrv.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tgnmvdx = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\tpA1kPMd2Z\\OptionalFeatures.exe"
-
Checks whether UAC is enabled
  description: Key value queried
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  Process: rundll32.exe, BdeUISrv.exe, OptionalFeatures.exe, BdeUISrv.exe (one entry per process, same key each time)
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
  pid   Process
  1016  rundll32.exe (4 entries)
  3480  (no process name recorded in the report; remaining 60 entries)
-
Suspicious use of FindShellTrayWindow 2 IoCs
  pid   Process
  3480  (no process name recorded in the report; 2 entries)
-
Suspicious use of WriteProcessMemory 12 IoCs
  description                        pid   Process   procid_target
  PID 3480 wrote to memory of 1108   3480            90   (2 entries)
  PID 3480 wrote to memory of 3996   3480            95   (2 entries)
  PID 3480 wrote to memory of 1008   3480            91   (2 entries)
  PID 3480 wrote to memory of 2212   3480            94   (2 entries)
  PID 3480 wrote to memory of 680    3480            93   (2 entries)
  PID 3480 wrote to memory of 372    3480            92   (2 entries)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ffc534d7f4ae842b482459d6c9bdf83b.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID:1016
-
C:\Windows\system32\BdeUISrv.exe
  command line: C:\Windows\system32\BdeUISrv.exe
  PID:1108
-
C:\Windows\system32\OptionalFeatures.exe
  command line: C:\Windows\system32\OptionalFeatures.exe
  PID:1008
-
C:\Users\Admin\AppData\Local\htQW8tzp\BdeUISrv.exe
  command line: C:\Users\Admin\AppData\Local\htQW8tzp\BdeUISrv.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID:372
-
C:\Windows\system32\BdeUISrv.exe
  command line: C:\Windows\system32\BdeUISrv.exe
  PID:680
-
C:\Users\Admin\AppData\Local\RTZOS2I\OptionalFeatures.exe
  command line: C:\Users\Admin\AppData\Local\RTZOS2I\OptionalFeatures.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID:2212
-
C:\Users\Admin\AppData\Local\RfD0a\BdeUISrv.exe
  command line: C:\Users\Admin\AppData\Local\RfD0a\BdeUISrv.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID:3996
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 2KB
MD5: 3ba651f6b3bbb38bccc32c3bff684283
SHA1: e81292ce436222cefef3f25053ddd2a690eeba32
SHA256: be82f9afdd7d813bf1846970d4c97e2e0c48592ef9c2737456780036cf50c282
SHA512: 3d7ae8ade1039c7a879636a7daf124079f452e5d1da6648d914d646e32389498672d4e38ba3890b0462e641892f5da0dce4d8d37c63059609dd4b879346dae56
-
Filesize: 31KB
MD5: e168c6143af8d783b72b5ae4db230796
SHA1: 7c4d30a7ffb00662e7f38c96ddc73043114ece61
SHA256: d64f277a1cb27338dc9bf0a5a5c6f47311bfc6bfb59766d32e6e46e582463b88
SHA512: 40e9ab9258c3861a90c3d8e7c8fca7afcb9a088597215952f7e08a190e6603321a31b872e57d66f5dc6a4a1df3a1c71853872972c392671693b8d7f9e2d90827
-
Filesize: 65KB
MD5: 7c02cfef846d97270949979d0e3c141f
SHA1: 28311ee286528cb22b287e976b3f5cbbf84da106
SHA256: 79ddfcba287936c9f38b914791522b9d017383462c6ffdc3f0b0dfff4186063a
SHA512: 8b8cc6e6986bda48d038b03bb0bfa74de4193132e2cbbd5d70149530d5d5f290bbb949b34b8537a23dc679a858f44966208059bb3872f621ef502a4f6867985e
-
Filesize: 15KB
MD5: b5b11dd493cf110be72334454aba433b
SHA1: f868b2fd29cc081403c036e730105386280b1e4a
SHA256: 4f9257ed3c4c95726bfa6eb868b27fe977e64210cca7f0b54f84b7a46df01f83
SHA512: a81afcab7f5473eebd2b29c4ca74b867f78776074ae626752dd1edb4464f0146b9f9991fad776c529d51a54a9b2470495d554c77dd590cf8de77e271e3b9122b
-
Filesize: 54KB
MD5: 8595075667ff2c9a9f9e2eebc62d8f53
SHA1: c48b54e571f05d4e21d015bb3926c2129f19191a
SHA256: 20b05c77f898be08737082e969b39f54fa39753c8c0a06142eb7ad5e0764a2db
SHA512: 080dbcdd9234c07efe6cea4919ffa305fdc381ccebed9d1020dd6551b54e20e52387e62a344502fa4a85249defd0f9b506528b8dd34675bc9f51f664b8fc4d88
-
Filesize: 38KB
MD5: e3a89c145fab99bf047c84aaa89799c7
SHA1: f5a0430cf9e7148dc8f03b1bdff79dfd098ea33b
SHA256: 24ff0db52cbf8d8a3a77f6e4e07de74c74d0f4e710c1dd70fd81f9db83e47578
SHA512: 4b51dc600446087aac4113f5df288aeef66a9a269f2f027ec78b1b93820566a4f3ab1af3aad5cf0880c428dd1241b2b7d8749060b5448ee5d911f37b4ce3631e
-
Filesize: 85KB
MD5: b59f83d06e0b518473c4af064bc292aa
SHA1: dadcc26b02ab1527392f892f6045c4b6f1f07ac3
SHA256: 3a6ef09cb6232b0039bddfa5c27e0d6cb8c2d2b876dd711c0f2943bb51f7869b
SHA512: 4e830e711ebb7bad83801a0dd141de33ae42e0ffaddb0afa5ebe5a6db244f14646575107f255550dd20ad1f76e1dcb968652371dccc87bdd9605af640c62cc9e
-
Filesize: 58KB
MD5: c4b2edf7d7f0e9c6fad896bd8856e174
SHA1: 86c6a875909b585a696700e6af5be3474ea3b4fa
SHA256: 66b3859cc619c44d3216aecb6babccb94107a27e5fd8a6e6a9b15034f5421f7d
SHA512: ab4f14f6e922c91eb13ce72f4530c6cf7ac1fa9d0cb1c47fd1120fe0173d673f37d3f3c7a317bbea797f52551eed5c8d5493047e1b7a6419bb554cdee2764eb2
-
Filesize: 19KB
MD5: 4018ec8a19c0795c624e2e111f90b535
SHA1: 2fd2365b6e5ce56d1dcfa00ea1694a8682c5861a
SHA256: 36c1153dbe32c2d5d77e44608c665745aa6ebda83ed3b5dfa23bf804993b61f2
SHA512: b677046bd6e390bfd026f37f405b46c37e671253a1e2c29ce4ac25a2a5edf86ae8b71de2e7b6efcfa1531d2c293cbf2f61b3128a0a71b9cdf721f03189d7cf7b
-
Filesize: 14KB
MD5: 7359ae495306f5507ff51feb48a5137c
SHA1: 72dc4034d43fecd85874ca24c13003c0ae9f959c
SHA256: 16a2688b065671665850a18ca421fd44444f34f57da908082e2fdebb386d988a
SHA512: 788d87f075a648b87dfbd4b898b713ea58759bca1e62a1166fe98430fb1c606c66d696816c3748ae7e7366bd08a25e66834200cc520d862749ed2a14345e0a02
-
Filesize: 71KB
MD5: c875d6faaee649a20a3d72de6cd29b45
SHA1: 13e1cbd9bf686a9c64ad8ff99cffca7a8b50db47
SHA256: 0b19482925e8d882dd2555f6fbb1f22a82095f0cb8ee42a60daf6f5edd8507d1
SHA512: 9e38449033acbc6aeb218aa3773c2448280596ffb7ff9ad2f3f0058b2341ac5dd2addd3dd59f0c9bbe22db0b86112118a09444d973e36e544125d22d6448da3c
-
Filesize: 32KB
MD5: b2e7e217a8d999fee7a86b4ecedec76f
SHA1: d53096479daebe9e73bcc655fb6aff8c5ec3f70e
SHA256: 24d8e92753921a8a011acea957a9f9d3e9032d8184a146c6ae36b856a5f0096f
SHA512: 834458b7d349345a8d26372da72b5954dd4c61cecdde47a2689dde12e825311eaa88bcffbe111a3eb349006467b1ebc832ec1cee26bfa486861f66cf051db7e0
-
Filesize: 1KB
MD5: 9116abcd6aaaa5747234ba0b5801ae2b
SHA1: 65a5282e6858f800bc3a21807b52b009245a3f26
SHA256: 74744fc1150dd6c488bc56453fd01ee1b6f88e376aef8a9896a879d0711934cc
SHA512: 60c94678a610d56c29de3033c6ce952fc08a59d2fb7ceab1a1805cb1001b63acf80cb10d07249d76a5b4bdb07a316244c60d54ded8ff511cc702cfd20df22a40
-
Filesize: 70KB
MD5: ce17b59c0a46de6a8ab566af8007a84e
SHA1: e573c479ea1b60160cb8bb85c7cb5ccc9fe99af1
SHA256: 3df35ab28f39191c3c756763c1c8a0495693322248648a32b4f8d29721966d27
SHA512: 2bb08ba8589d18decf2cdd04f8a0cb90d8c4181f89abe7c710f614d87ba646c98da4b97cfe4cfa062d075d342a6cac06c1b2a2a5ce30cd61fbd1c9a73e4a2461
-
Filesize: 52KB
MD5: 1a0c5ee0911774f20bafedde4ad8d25b
SHA1: 6408f911329b3ba8ba2d6b1f979be923e7ef5ed2
SHA256: 009e30ac140775de5f78c8fe0effac7072f6b8d648978a9dfe936c9c6dd47f5a
SHA512: bc33e3f6df5df7f7cdc0f8628d77be8af55fea76eabe0e23246a1dc27ba71b8541595fe371e66d8c6d828f06f904aa73a37e093445c1f4d6b5fa766dc33de29c