Analysis
  max time kernel:   151s
  max time network:  165s
  platform:          windows10-2004_x64
  resource:          win10v2004-20231215-en
  resource tags:     arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  submitted:         26-12-2023 02:15

Static task:     static1
Behavioral task: behavioral1
  Sample:   4c0c037a083e2b1f6b5fcb9c68263c5a.dll
  Resource: win7-20231215-en
General
  Target: 4c0c037a083e2b1f6b5fcb9c68263c5a.dll
  Size:   852KB
  MD5:    4c0c037a083e2b1f6b5fcb9c68263c5a
  SHA1:   5b4abfb3aeaf1c1fa6658f6d8fc3b14c17bc931d
  SHA256: 7c710407ba8ed2c0d2f970a81715d7982ddd44ad0838bfefdca8119350325bc4
  SHA512: 6d1237fdc0187e7f2385a02e44d0e8ec4124b1bd1a340bf8c089bc79db8b212ad2b7831cd187ac15060a4aaed4e3587688cce508a11aeecc9b903ca94b838b3e
  SSDEEP: 12288:4kbQEkWqv+157EYfxarhwLNuR7ek1tHffB/HzTyNQ6NIeGYr/R:4kbHkWfzZ5adwLNGeStHntqN7v
Malware Config
Signatures
- YARA rule match: dridex_stager_shellcode 1 IoCs
  resource                                                                     yara_rule
  behavioral2/memory/3260-3-0x0000000002860000-0x0000000002861000-memory.dmp  dridex_stager_shellcode
- YARA rule match: dridex_payload 10 IoCs
  resource                                                                      yara_rule
  behavioral2/memory/4412-0-0x00007FF993A00000-0x00007FF993AD5000-memory.dmp   dridex_payload
  behavioral2/memory/3260-20-0x0000000140000000-0x00000001400D5000-memory.dmp  dridex_payload
  behavioral2/memory/3260-27-0x0000000140000000-0x00000001400D5000-memory.dmp  dridex_payload
  behavioral2/memory/3260-38-0x0000000140000000-0x00000001400D5000-memory.dmp  dridex_payload
  behavioral2/memory/4412-41-0x00007FF993A00000-0x00007FF993AD5000-memory.dmp  dridex_payload
  behavioral2/memory/3764-53-0x00007FF984370000-0x00007FF984446000-memory.dmp  dridex_payload
  behavioral2/memory/3764-49-0x00007FF984370000-0x00007FF984446000-memory.dmp  dridex_payload
  behavioral2/memory/4468-65-0x00007FF983720000-0x00007FF9837F6000-memory.dmp  dridex_payload
  behavioral2/memory/4468-69-0x00007FF983720000-0x00007FF9837F6000-memory.dmp  dridex_payload
  behavioral2/memory/4904-85-0x00007FF984370000-0x00007FF984446000-memory.dmp  dridex_payload
  (The 0xD5000-byte regions in PIDs 4412 and 3260 are 872448 bytes, i.e. exactly the 852KB of the submitted DLL.)
- Executes dropped EXE 3 IoCs
  pid   Process
  3764  BackgroundTransferHost.exe
  4468  usocoreworker.exe
  4904  MDMAppInstaller.exe
- Loads dropped DLL 3 IoCs
  pid   Process
  3764  BackgroundTransferHost.exe
  4468  usocoreworker.exe
  4904  MDMAppInstaller.exe
- Adds Run key to start application 2 TTPs 1 IoCs
  description      ioc
  Set value (str)  \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qoccyyzfzcu = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\45T68C0\\usocoreworker.exe"
  (Process column not given in the report. Note the Run value points at a copy under AppData\Roaming\Adobe\45T68C0, a different folder from the AppData\Local\ES0Ap6L copy that executed during the run.)
- Checks whether UAC is enabled 3 IoCs
  description        ioc                                                                                   Process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  usocoreworker.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  MDMAppInstaller.exe
- Suspicious behavior: EnumeratesProcesses 64 IoCs
  pid   Process
  4412  rundll32.exe (4 entries)
  3260  (process name not given in the report; all remaining entries)
- Suspicious use of UnmapMainImage 1 IoCs
  pid   Process
  3260  (process name not given in the report)
- Suspicious use of WriteProcessMemory 12 IoCs
  description                        pid   procid_target
  PID 3260 wrote to memory of 5060   3260  97
  PID 3260 wrote to memory of 3764   3260  112
  PID 3260 wrote to memory of 4400   3260  102
  PID 3260 wrote to memory of 4468   3260  104
  PID 3260 wrote to memory of 5080   3260  106
  PID 3260 wrote to memory of 4904   3260  107
  (Each pair is recorded twice in the report, giving 12 IoCs for six target processes. The process name for PID 3260 is not given. The six targets are exactly the non-rundll32 entries of the process tree below.)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(All entries are listed at tree depth 1; the report does not record parent/child links between them.)

- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\4c0c037a083e2b1f6b5fcb9c68263c5a.dll,#1
  PID: 4412
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses

- C:\Windows\system32\EhStorAuthn.exe
  Command line: C:\Windows\system32\EhStorAuthn.exe
  PID: 5060

- C:\Users\Admin\AppData\Local\1PI\EhStorAuthn.exe
  Command line: C:\Users\Admin\AppData\Local\1PI\EhStorAuthn.exe
  PID: 3764

- C:\Windows\system32\usocoreworker.exe
  Command line: C:\Windows\system32\usocoreworker.exe
  PID: 4400

- C:\Users\Admin\AppData\Local\ES0Ap6L\usocoreworker.exe
  Command line: C:\Users\Admin\AppData\Local\ES0Ap6L\usocoreworker.exe
  PID: 4468
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled

- C:\Windows\system32\MDMAppInstaller.exe
  Command line: C:\Windows\system32\MDMAppInstaller.exe
  PID: 5080

- C:\Users\Admin\AppData\Local\lBF5IK\MDMAppInstaller.exe
  Command line: C:\Users\Admin\AppData\Local\lBF5IK\MDMAppInstaller.exe
  PID: 4904
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled

- C:\Windows\system32\BackgroundTransferHost.exe
  Command line: "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
  PID: 3764
  - Executes dropped EXE
  - Loads dropped DLL
  (PID 3764 is also listed above for C:\Users\Admin\AppData\Local\1PI\EhStorAuthn.exe; the report attributes the dropped-EXE and dropped-DLL signatures for 3764 to BackgroundTransferHost.exe.)
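The pattern the process tree and the Run-key signature show is a legitimate Windows binary (EhStorAuthn.exe, usocoreworker.exe, MDMAppInstaller.exe) copied into a random-named folder under the user's AppData and started from there, with persistence via an HKCU Run value that also points into AppData. The following PowerShell hunt is an added example for this page, not part of the sandbox report or of any vendor tooling. It assumes an elevated PowerShell 5.1 or later session on the host being examined; the binary names and the search roots ($env:LOCALAPPDATA, $env:APPDATA) are taken from the report, the Run-key filter and the SHA256 comparison against the submitted sample are this example's own choices.

```powershell
# Added hunting example, not from the sandbox report.
# Assumptions: elevated PowerShell 5.1+; binary names and AppData roots come
# from the process tree and Run-key IoC above; the known-bad hash is the
# report's SHA256 for the submitted DLL.
$SystemBinaries = 'EhStorAuthn.exe', 'usocoreworker.exe', 'MDMAppInstaller.exe', 'BackgroundTransferHost.exe'
$SearchRoots    = $env:LOCALAPPDATA, $env:APPDATA
$KnownBadSha256 = '7C710407BA8ED2C0D2F970A81715D7982DDD44AD0838BFEFDCA8119350325BC4'

# 1. Run-key values that launch an executable from a user-writable AppData path
#    (the sample wrote ...\Run\Qoccyyzfzcu pointing into AppData\Roaming).
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, etc.
        if ("$($p.Value)" -match '\\AppData\\(Roaming|Local)\\') {
            [pscustomobject]@{ Finding = 'RunKeyToAppData'; Key = $key; Name = $p.Name; Value = $p.Value }
        }
    }
}

# 2. Copies of signed system binaries living outside System32, plus any DLL
#    sitting next to them (the side-loaded payload) with its signature state.
foreach ($name in $SystemBinaries) {
    $original = Join-Path $env:SystemRoot "System32\$name"
    $origHash = if (Test-Path $original) { (Get-FileHash -Algorithm SHA256 $original).Hash } else { $null }
    foreach ($root in $SearchRoots) {
        Get-ChildItem -Path $root -Filter $name -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
            $copyHash = (Get-FileHash -Algorithm SHA256 $_.FullName).Hash
            [pscustomobject]@{
                Finding      = 'SystemBinaryCopy'
                Path         = $_.FullName
                SameAsSystem = ($copyHash -eq $origHash)   # true: byte-identical clone used as a loader host
                Signature    = (Get-AuthenticodeSignature $_.FullName).Status
            }
            # Every DLL beside the copied host binary is a side-loading candidate.
            Get-ChildItem -Path $_.DirectoryName -Filter '*.dll' -File -ErrorAction SilentlyContinue | ForEach-Object {
                $dllHash = (Get-FileHash -Algorithm SHA256 $_.FullName).Hash
                [pscustomobject]@{
                    Finding    = 'SideloadCandidateDll'
                    Path       = $_.FullName
                    SizeKB     = [int]($_.Length / 1KB)
                    Signature  = (Get-AuthenticodeSignature $_.FullName).Status
                    SHA256     = $dllHash
                    MatchesSample = ($dllHash -eq $KnownBadSha256)
                }
            }
        }
    }
}
```

A clean host returns nothing from either loop. A SystemBinaryCopy finding with SameAsSystem true next to an unsigned DLL of roughly 852KB is the shape this report describes; a Run value under AppData\Roaming is worth examining even if the folder it points to has already been removed, since the report shows the persisted copy in a different folder from the one that ran.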