Analysis

max time kernel: 151s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-12-2023 07:52

Static task: static1
Behavioral task: behavioral1
Sample: 103bce51e2fb20c197343aaf2d602bad.dll
Resource: win7-20231215-en
General

Target: 103bce51e2fb20c197343aaf2d602bad.dll
Size: 656KB
MD5: 103bce51e2fb20c197343aaf2d602bad
SHA1: 3df0dcccbce4abeb9639358e234e30055f569a7a
SHA256: b95c5ad1c557db07298ed44764a8ba2b022c508ccef0f1a4ff87bf813e3e2463
SHA512: 31240770fd9725ba0d28450f245f28d4a1eb751067aa0252bb5c35e31ff9c8bdf406dbf2d2715d78fb8508fbfc3808a0f04ab59c195763e2b12b267ba924be6b
SSDEEP: 12288:cKYQ5LL540CV3UIeLPrleV1F0e8gMA/9L0l3HATpKR4:dYQ5p4f0POF0nkls3opKR
Malware Config

Signatures
-
Processes:

resource: behavioral2/memory/3304-3-0x0000000002A80000-0x0000000002A81000-memory.dmp
yara_rule: dridex_stager_shellcode
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:

description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qoccyyzfzcu = "C:\\Users\\Admin\\AppData\\Roaming\\BH6a7Wl\\Netplwiz.exe"
-
Checks whether UAC is enabled
Processes: rundll32.exe

description: Key value queried
ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Process: rundll32.exe
-
Drops file in System32 directory 2 IoCs
Processes: cmd.exe

description: File created
ioc: C:\Windows\system32\d2sfFF\sppsvc.exe
Process: cmd.exe

description: File opened for modification
ioc: C:\Windows\system32\d2sfFF\sppsvc.exe
Process: cmd.exe
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: rundll32.exe

pid   Process
868   rundll32.exe
868   rundll32.exe
868   rundll32.exe
868   rundll32.exe
3304  (repeated for the remaining entries; no process name recorded)
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:

description                       pid   Process
Token: SeShutdownPrivilege        3304
Token: SeCreatePagefilePrivilege  3304
Token: SeShutdownPrivilege        3304
Token: SeCreatePagefilePrivilege  3304
Token: SeShutdownPrivilege        3304
Token: SeCreatePagefilePrivilege  3304
-
Suspicious use of WriteProcessMemory 16 IoCs
Processes:

description                       pid   Process  procid_target
PID 3304 wrote to memory of 2256  3304           93
PID 3304 wrote to memory of 2256  3304           93
PID 3304 wrote to memory of 4972  3304           94
PID 3304 wrote to memory of 4972  3304           94
PID 3304 wrote to memory of 4928  3304           101
PID 3304 wrote to memory of 4928  3304           101
PID 3304 wrote to memory of 2640  3304           104
PID 3304 wrote to memory of 2640  3304           104
PID 3304 wrote to memory of 1320  3304           108
PID 3304 wrote to memory of 1320  3304           108
PID 3304 wrote to memory of 1312  3304           114
PID 3304 wrote to memory of 1312  3304           114
PID 3304 wrote to memory of 3444  3304           118
PID 3304 wrote to memory of 3444  3304           118
PID 3304 wrote to memory of 3688  3304           124
PID 3304 wrote to memory of 3688  3304           124
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\103bce51e2fb20c197343aaf2d602bad.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID: 868
-
C:\Windows\system32\Netplwiz.exe
  command line: C:\Windows\system32\Netplwiz.exe
  PID: 2256
-
C:\Windows\system32\cmd.exe
  command line: "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\e7w4f.cmd
  PID: 4972
-
C:\Windows\system32\sppsvc.exe
  command line: C:\Windows\system32\sppsvc.exe
  PID: 4652
-
C:\Windows\system32\cmd.exe
  command line: "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\shWw9.cmd
  - Drops file in System32 directory
  PID: 4928
-
C:\Windows\system32\schtasks.exe
  command line: "C:\Windows\system32\schtasks.exe" /Create /F /TN "Ugwggfx" /TR "C:\Windows\system32\d2sfFF\sppsvc.exe" /SC minute /MO 60 /RL highest
  - Creates scheduled task(s)
  PID: 2640
-
C:\Windows\system32\schtasks.exe
  command line: C:\Windows\system32\schtasks.exe /Query /TN "Ugwggfx"
  PID: 1320
-
C:\Windows\system32\schtasks.exe
  command line: C:\Windows\system32\schtasks.exe /Query /TN "Ugwggfx"
  PID: 1312
-
C:\Windows\system32\schtasks.exe
  command line: C:\Windows\system32\schtasks.exe /Query /TN "Ugwggfx"
  PID: 3444
-
C:\Windows\system32\schtasks.exe
  command line: C:\Windows\system32\schtasks.exe /Query /TN "Ugwggfx"
  PID: 3688
Network
MITRE ATT&CK Enterprise v15
Downloads