Analysis
-
max time kernel: 150s
max time network: 125s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-12-2023 18:39
Static task: static1
Behavioral task: behavioral1
Sample: 3526a594f157e00abe6d9baf2c84e361.dll
Resource: win7-20231129-en
General
-
Target: 3526a594f157e00abe6d9baf2c84e361.dll
Size: 652KB
MD5: 3526a594f157e00abe6d9baf2c84e361
SHA1: 08c79f37fa9c70dcae933bb77d8711ce083ea91c
SHA256: 8ee1f2fa3582a791cdfc6bae5a3282b82ac28ab60683d968041a4f39584e4d57
SHA512: 76b4432bb65d66d1725d7901973afe973e7a5120686b2dce8d4482eb9b97ab829cede0faf1839de61901203e2fc8ec9cc7fbbc050c2d60f9504db94fa8963158
SSDEEP: 12288:gKYQ5LL540CV3UIeLPrleV1F0e8gMA/9L0l3HATpKR4:ZYQ5p4f0POF0nkls3opKR
Malware Config
Signatures
-
Processes:
resource: behavioral2/memory/3528-3-0x0000000001240000-0x0000000001241000-memory.dmp
yara_rule: dridex_stager_shellcode
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tgnmvdx = "C:\\Users\\Admin\\AppData\\Roaming\\gpvk7P\\sppsvc.exe"
-
Checks whether UAC is enabled
Processes: rundll32.exe
description: Key value queried
ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Process: rundll32.exe
-
Drops file in System32 directory 2 IoCs
Processes: cmd.exe
description: File created
ioc: C:\Windows\system32\Bnk0\SystemPropertiesRemote.exe
Process: cmd.exe
description: File opened for modification
ioc: C:\Windows\system32\Bnk0\SystemPropertiesRemote.exe
Process: cmd.exe
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: rundll32.exe
pid Process:
4488 rundll32.exe (4 events)
3528 (60 events; no process name recorded)
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
description pid:
Token: SeShutdownPrivilege 3528
Token: SeCreatePagefilePrivilege 3528
Token: SeShutdownPrivilege 3528
Token: SeCreatePagefilePrivilege 3528
Token: SeShutdownPrivilege 3528
Token: SeCreatePagefilePrivilege 3528
-
Suspicious use of WriteProcessMemory 20 IoCs
Processes:
description (pid, procid_target), each row recorded twice:
PID 3528 wrote to memory of 4436 (3528, 93)
PID 3528 wrote to memory of 5048 (3528, 98)
PID 3528 wrote to memory of 1696 (3528, 97)
PID 3528 wrote to memory of 5056 (3528, 96)
PID 3528 wrote to memory of 4124 (3528, 102)
PID 3528 wrote to memory of 4432 (3528, 104)
PID 3528 wrote to memory of 3488 (3528, 106)
PID 3528 wrote to memory of 3172 (3528, 108)
PID 3528 wrote to memory of 3140 (3528, 110)
PID 3528 wrote to memory of 920 (3528, 112)
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
Path: C:\Windows\system32\rundll32.exe
Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\3526a594f157e00abe6d9baf2c84e361.dll,#1
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID: 4488
-
Path: C:\Windows\system32\sppsvc.exe
Command line: C:\Windows\system32\sppsvc.exe
PID: 2332
-
Path: C:\Windows\system32\cmd.exe
Command line: "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\SdINbYD.cmd
PID: 4436
-
Path: C:\Windows\system32\schtasks.exe
Command line: "C:\Windows\system32\schtasks.exe" /Create /F /TN "Kjaztdntfug" /TR "C:\Windows\system32\Bnk0\SystemPropertiesRemote.exe" /SC minute /MO 60 /RL highest
- Creates scheduled task(s)
PID: 5056
-
Path: C:\Windows\system32\cmd.exe
Command line: "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\62D9sJX.cmd
- Drops file in System32 directory
PID: 1696
-
Path: C:\Windows\system32\SystemPropertiesRemote.exe
Command line: C:\Windows\system32\SystemPropertiesRemote.exe
PID: 5048
-
Path: C:\Windows\system32\schtasks.exe
Command line: C:\Windows\system32\schtasks.exe /Query /TN "Kjaztdntfug"
PID: 4124
-
Path: C:\Windows\system32\schtasks.exe
Command line: C:\Windows\system32\schtasks.exe /Query /TN "Kjaztdntfug"
PID: 4432
-
Path: C:\Windows\system32\schtasks.exe
Command line: C:\Windows\system32\schtasks.exe /Query /TN "Kjaztdntfug"
PID: 3488
-
Path: C:\Windows\system32\schtasks.exe
Command line: C:\Windows\system32\schtasks.exe /Query /TN "Kjaztdntfug"
PID: 3172
-
Path: C:\Windows\system32\schtasks.exe
Command line: C:\Windows\system32\schtasks.exe /Query /TN "Kjaztdntfug"
PID: 3140
-
Path: C:\Windows\system32\schtasks.exe
Command line: C:\Windows\system32\schtasks.exe /Query /TN "Kjaztdntfug"
PID: 920
Network
MITRE ATT&CK Enterprise v15
Downloads