Analysis

max time kernel: 145s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-12-2023 07:26

Static task: static1
Behavioral task: behavioral1
Sample: 5c73ce8acd26a01655041010b2d4ff6a.dll
Resource: win7-20231215-en
General

Target: 5c73ce8acd26a01655041010b2d4ff6a.dll
Size: 848KB
MD5: 5c73ce8acd26a01655041010b2d4ff6a
SHA1: d8781699300176bbbbd36489a1c82725c33edcb1
SHA256: 03691ec0a206c672022cbf25d02a4b0ab1f67bd6acf5782de498977d88e41474
SHA512: 9d73f66eb48fa1265751d612ac745f97780d97361b4ab864b8e9f37cbe3eb801fd85857191e0d0bfc10ec0add00e892a5b7a8c1b27ea5d378e277b713fbe384b
SSDEEP: 12288:3kbQEkWqv+157EYfxarhwLNuR7ek1tHffB/HzTyNQ6NIeGYr/R:3kbHkWfzZ5adwLNGeStHntqN7v
Malware Config
Signatures

Processes:
resource  yara_rule
behavioral2/memory/3512-3-0x0000000003120000-0x0000000003121000-memory.dmp  dridex_stager_shellcode

Processes:
resource  yara_rule
behavioral2/memory/4332-0-0x00007FF8D2900000-0x00007FF8D29D4000-memory.dmp  dridex_payload
behavioral2/memory/3512-19-0x0000000140000000-0x00000001400D4000-memory.dmp  dridex_payload
behavioral2/memory/3512-38-0x0000000140000000-0x00000001400D4000-memory.dmp  dridex_payload
behavioral2/memory/3512-27-0x0000000140000000-0x00000001400D4000-memory.dmp  dridex_payload
behavioral2/memory/4332-41-0x00007FF8D2900000-0x00007FF8D29D4000-memory.dmp  dridex_payload
behavioral2/memory/2264-53-0x00007FF8D2760000-0x00007FF8D2836000-memory.dmp  dridex_payload
behavioral2/memory/2264-48-0x00007FF8D2760000-0x00007FF8D2836000-memory.dmp  dridex_payload
behavioral2/memory/2020-69-0x00007FF8D2650000-0x00007FF8D2725000-memory.dmp  dridex_payload
behavioral2/memory/2020-65-0x00007FF8D2650000-0x00007FF8D2725000-memory.dmp  dridex_payload
behavioral2/memory/4504-85-0x00007FF8D2650000-0x00007FF8D2725000-memory.dmp  dridex_payload
Executes dropped EXE 3 IoCs
Processes:
pid   Process
2264  rdpclip.exe
2020  ApplicationFrameHost.exe
4504  psr.exe

Loads dropped DLL 3 IoCs
Processes:
pid   Process
2264  rdpclip.exe
2020  ApplicationFrameHost.exe
4504  psr.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description  ioc  Process
Set value (str)  \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qzenv = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\XYI5FJ~1\\APPLIC~1.EXE"  (process not recorded)

Checks whether UAC is enabled
Processes:
description  ioc  Process
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rdpclip.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  ApplicationFrameHost.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  psr.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid   Process
4332  rundll32.exe  (4 entries)
3512  (60 entries; process name not shown in the report)

Suspicious use of UnmapMainImage 1 IoCs
Processes:
pid   Process
3512  (process name not shown in the report)

Suspicious use of WriteProcessMemory 12 IoCs
Processes:
description  pid  Process  procid_target
PID 3512 wrote to memory of 3632  3512  99
PID 3512 wrote to memory of 3632  3512  99
PID 3512 wrote to memory of 2264  3512  98
PID 3512 wrote to memory of 2264  3512  98
PID 3512 wrote to memory of 636  3512  101
PID 3512 wrote to memory of 636  3512  101
PID 3512 wrote to memory of 2020  3512  100
PID 3512 wrote to memory of 2020  3512  100
PID 3512 wrote to memory of 752  3512  102
PID 3512 wrote to memory of 752  3512  102
PID 3512 wrote to memory of 4504  3512  103
PID 3512 wrote to memory of 4504  3512  103
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\5c73ce8acd26a01655041010b2d4ff6a.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID:4332

- C:\Users\Admin\AppData\Local\sWNt\rdpclip.exe
  C:\Users\Admin\AppData\Local\sWNt\rdpclip.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID:2264

- C:\Windows\system32\rdpclip.exe
  C:\Windows\system32\rdpclip.exe
  PID:3632

- C:\Users\Admin\AppData\Local\gBDkrt3qY\ApplicationFrameHost.exe
  C:\Users\Admin\AppData\Local\gBDkrt3qY\ApplicationFrameHost.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID:2020

- C:\Windows\system32\ApplicationFrameHost.exe
  C:\Windows\system32\ApplicationFrameHost.exe
  PID:636

- C:\Windows\system32\psr.exe
  C:\Windows\system32\psr.exe
  PID:752

- C:\Users\Admin\AppData\Local\EmvH\psr.exe
  C:\Users\Admin\AppData\Local\EmvH\psr.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID:4504