Analysis

max time kernel: 4s
max time network: 94s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-12-2023 20:15

Static task: static1
Behavioral task: behavioral1
Sample: 103bce51e2fb20c197343aaf2d602bad.dll
Resource: win7-20231215-en
General

Target: 103bce51e2fb20c197343aaf2d602bad.dll
Size: 656KB
MD5: 103bce51e2fb20c197343aaf2d602bad
SHA1: 3df0dcccbce4abeb9639358e234e30055f569a7a
SHA256: b95c5ad1c557db07298ed44764a8ba2b022c508ccef0f1a4ff87bf813e3e2463
SHA512: 31240770fd9725ba0d28450f245f28d4a1eb751067aa0252bb5c35e31ff9c8bdf406dbf2d2715d78fb8508fbfc3808a0f04ab59c195763e2b12b267ba924be6b
SSDEEP: 12288:cKYQ5LL540CV3UIeLPrleV1F0e8gMA/9L0l3HATpKR4:dYQ5p4f0POF0nkls3opKR
Malware Config

Signatures

Processes:
  resource: behavioral2/memory/3428-3-0x00000000027D0000-0x00000000027D1000-memory.dmp
  yara_rule: dridex_stager_shellcode

Processes:
  description: Key value queried
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  Process: rundll32.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
  pid: 2644  Process: rundll32.exe
  pid: 2644  Process: rundll32.exe
  pid: 2644  Process: rundll32.exe
  pid: 2644  Process: rundll32.exe
Processes

C:\Windows\system32\rundll32.exe
  Command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\103bce51e2fb20c197343aaf2d602bad.dll,#1
  PID: 2644
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses

C:\Windows\system32\dpapimig.exe
  Command: C:\Windows\system32\dpapimig.exe
  PID: 964

C:\Windows\system32\cmd.exe
  Command: "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\kwI.cmd
  PID: 4828

C:\Windows\system32\PresentationSettings.exe
  Command: C:\Windows\system32\PresentationSettings.exe
  PID: 1360

C:\Windows\system32\cmd.exe
  Command: "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\0GSMzy2.cmd
  PID: 8

C:\Windows\system32\schtasks.exe
  Command: "C:\Windows\system32\schtasks.exe" /Create /F /TN "Krslmbwtruyscx" /TR "C:\Windows\system32\97eoV\PresentationSettings.exe" /SC minute /MO 60 /RL highest
  PID: 1776
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe
  Command: C:\Windows\system32\schtasks.exe /Query /TN "Krslmbwtruyscx"
  PID: 4264

C:\Windows\system32\schtasks.exe
  Command: C:\Windows\system32\schtasks.exe /Query /TN "Krslmbwtruyscx"
  PID: 1412

C:\Windows\system32\schtasks.exe
  Command: C:\Windows\system32\schtasks.exe /Query /TN "Krslmbwtruyscx"
  PID: 2712

C:\Windows\system32\schtasks.exe
  Command: C:\Windows\system32\schtasks.exe /Query /TN "Krslmbwtruyscx"
  PID: 3704

C:\Windows\system32\schtasks.exe
  Command: C:\Windows\system32\schtasks.exe /Query /TN "Krslmbwtruyscx"
  PID: 2860

C:\Windows\system32\schtasks.exe
  Command: C:\Windows\system32\schtasks.exe /Query /TN "Krslmbwtruyscx"
  PID: 4536
Network
MITRE ATT&CK Enterprise v15
Downloads