Analysis
max time kernel: 175s
max time network: 185s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-12-2023 14:04
Static task: static1
Behavioral task: behavioral1
Sample: 2419b291711b308d6179fc8b0f354260.dll
Resource: win7-20231129-en
General
Target: 2419b291711b308d6179fc8b0f354260.dll
Size: 1.3MB
MD5: 2419b291711b308d6179fc8b0f354260
SHA1: d0a1b025a83a51d6a55f4bfc6f1920053bb40d81
SHA256: b01ea30dce81bda2d39cd626a731e698910e9e51576dce55487d5df791fe8f94
SHA512: 158640e0e3ba1a7a0e2e70ced3f56b20dd1743cbb29f64e55ba3e0ce72e5168900180534e7e4fd8b7988f2150e755b561b2d946c84a908beb089d37b33bc0083
SSDEEP: 12288:fXBQ3fMQyWV0rbDxyBWZh2TvtgHoiemIKI1ydX7wmqzq3wkgJ:vB/Qn0rbD8UZUDtgIiemI51Mwtewkm
Malware Config
Signatures
Processes:
resource | yara_rule
behavioral2/memory/3512-3-0x0000000002510000-0x0000000002511000-memory.dmp | dridex_stager_shellcode
Processes:
resource | yara_rule
behavioral2/memory/1684-1-0x00007FFBF53D0000-0x00007FFBF5519000-memory.dmp | dridex_payload
behavioral2/memory/3512-21-0x0000000140000000-0x0000000140149000-memory.dmp | dridex_payload
behavioral2/memory/3512-28-0x0000000140000000-0x0000000140149000-memory.dmp | dridex_payload
behavioral2/memory/3512-39-0x0000000140000000-0x0000000140149000-memory.dmp | dridex_payload
behavioral2/memory/1684-42-0x00007FFBF53D0000-0x00007FFBF5519000-memory.dmp | dridex_payload
behavioral2/memory/1664-50-0x00007FFBE5A00000-0x00007FFBE5B4A000-memory.dmp | dridex_payload
behavioral2/memory/1664-54-0x00007FFBE5A00000-0x00007FFBE5B4A000-memory.dmp | dridex_payload
behavioral2/memory/3208-70-0x00007FFBE5C50000-0x00007FFBE5D9B000-memory.dmp | dridex_payload
behavioral2/memory/3208-65-0x00007FFBE5C50000-0x00007FFBE5D9B000-memory.dmp | dridex_payload
behavioral2/memory/3776-86-0x00007FFBE5AF0000-0x00007FFBE5C3A000-memory.dmp | dridex_payload
behavioral2/memory/3776-82-0x00007FFBE5AF0000-0x00007FFBE5C3A000-memory.dmp | dridex_payload
Executes dropped EXE 3 IoCs
Processes:
pid | Process
1664 | SystemPropertiesHardware.exe
3208 | RdpSa.exe
3776 | recdisc.exe
Loads dropped DLL 3 IoCs
Processes:
pid | Process
1664 | SystemPropertiesHardware.exe
3208 | RdpSa.exe
3776 | recdisc.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qoccyyzfzcu = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\OSS\\RdpSa.exe" | (not listed)
Checks whether UAC is enabled
Processes:
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | SystemPropertiesHardware.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | RdpSa.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | recdisc.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | Process
1684 | rundll32.exe (4 entries)
3512 | (no process name listed; 60 entries)
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description | pid | Process
Token: SeShutdownPrivilege | 3512 | (not listed)
Token: SeCreatePagefilePrivilege | 3512 | (not listed)
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
description | pid | Process | procid_target
PID 3512 wrote to memory of 808 | 3512 | (not listed) | 94
PID 3512 wrote to memory of 808 | 3512 | (not listed) | 94
PID 3512 wrote to memory of 1664 | 3512 | (not listed) | 95
PID 3512 wrote to memory of 1664 | 3512 | (not listed) | 95
PID 3512 wrote to memory of 2944 | 3512 | (not listed) | 100
PID 3512 wrote to memory of 2944 | 3512 | (not listed) | 100
PID 3512 wrote to memory of 3208 | 3512 | (not listed) | 98
PID 3512 wrote to memory of 3208 | 3512 | (not listed) | 98
PID 3512 wrote to memory of 1412 | 3512 | (not listed) | 103
PID 3512 wrote to memory of 1412 | 3512 | (not listed) | 103
PID 3512 wrote to memory of 3776 | 3512 | (not listed) | 102
PID 3512 wrote to memory of 3776 | 3512 | (not listed) | 102
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\2419b291711b308d6179fc8b0f354260.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID: 1684

C:\Windows\system32\SystemPropertiesHardware.exe
  command line: C:\Windows\system32\SystemPropertiesHardware.exe
  PID: 808

C:\Users\Admin\AppData\Local\dSczJEr\SystemPropertiesHardware.exe
  command line: C:\Users\Admin\AppData\Local\dSczJEr\SystemPropertiesHardware.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 1664

C:\Users\Admin\AppData\Local\axcv3\RdpSa.exe
  command line: C:\Users\Admin\AppData\Local\axcv3\RdpSa.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 3208

C:\Windows\system32\RdpSa.exe
  command line: C:\Windows\system32\RdpSa.exe
  PID: 2944

C:\Users\Admin\AppData\Local\BgZukU7U\recdisc.exe
  command line: C:\Users\Admin\AppData\Local\BgZukU7U\recdisc.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 3776

C:\Windows\system32\recdisc.exe
  command line: C:\Windows\system32\recdisc.exe
  PID: 1412
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 82KB
MD5: bf5bc0d70a936890d38d2510ee07a2cd
SHA1: 69d5971fd264d8128f5633db9003afef5fad8f10
SHA256: c8ebd920399ebcf3ab72bd325b71a6b4c6119dfecea03f25059a920c4d32acc7
SHA512: 0e129044777cbbf5ea995715159c50773c1818fc5e8faa5c827fd631b44c086b34dfdcbe174b105891ccc3882cc63a8664d189fb6a631d8f589de4e01a862f51

Filesize: 99KB
MD5: fd849056744b51d2b6892f1eb09dd40a
SHA1: 657889d07014f091ba852a297b618ac794e2267d
SHA256: 73c5ca075996825efd8e6854e30ecb6089c78feed1d023c1bce227582a2e99c2
SHA512: a41dc4b5635ba6ace4a5c4e67dd59a374c68b17d3d07f90d6a29204c0db976be8079c61f487bdf2fed644d1d0734252118d52f79b6a865157e5dc12accc1cc2c

Filesize: not listed (the digests below are those of an empty, zero-byte file)
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e