Analysis

Max time kernel: 139s
Max time network: 151s
Platform: windows10-2004_x64
Resource: win10v2004-20231215-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 26-12-2023 09:01

Static task: static1
Behavioral task: behavioral1
Sample: 61f2627485987b4054ff97050f0dfe2b.dll
Resource: win7-20231215-en
General

Target: 61f2627485987b4054ff97050f0dfe2b.dll
Size: 964KB
MD5: 61f2627485987b4054ff97050f0dfe2b
SHA1: 8ba24c683a74e29248653e465d46c5b244adb246
SHA256: 771e168408b17e5f7ae16bd3a878820d0e0a844f25d549507b6d2b9c8ed0c9e2
SHA512: 4caa9fd59cc8a9cca7edf9e9174ecde4b6cd5c235ab0d141c9ed7c933850526a3c6a443c5fee0a505154d47780badab326da15a86f65b49758c671ac292c1e0c
SSDEEP: 12288:3tCtvNv+h26xiWZu8xDPtgPuSYAuXIPY2wKg7oGviTVp7OC0aO1/ixB:3tChNv+ceiWjDVgyAurCg7osJ1
Malware Config
Signatures
Processes (resource / yara_rule):
behavioral2/memory/3500-3-0x0000000002F70000-0x0000000002F71000-memory.dmp  dridex_stager_shellcode

Processes (resource / yara_rule):
behavioral2/memory/5024-0-0x00007FFD67970000-0x00007FFD67A61000-memory.dmp  dridex_payload
behavioral2/memory/3500-33-0x0000000140000000-0x00000001400F1000-memory.dmp  dridex_payload
behavioral2/memory/3500-22-0x0000000140000000-0x00000001400F1000-memory.dmp  dridex_payload
behavioral2/memory/3500-14-0x0000000140000000-0x00000001400F1000-memory.dmp  dridex_payload
behavioral2/memory/5024-36-0x00007FFD67970000-0x00007FFD67A61000-memory.dmp  dridex_payload
behavioral2/memory/3248-48-0x00007FFD58BE0000-0x00007FFD58D17000-memory.dmp  dridex_payload
behavioral2/memory/3248-43-0x00007FFD58BE0000-0x00007FFD58D17000-memory.dmp  dridex_payload
behavioral2/memory/1704-64-0x00007FFD58B80000-0x00007FFD58C72000-memory.dmp  dridex_payload
behavioral2/memory/1704-60-0x00007FFD58B80000-0x00007FFD58C72000-memory.dmp  dridex_payload
behavioral2/memory/3360-75-0x00007FFD58C20000-0x00007FFD58D12000-memory.dmp  dridex_payload
behavioral2/memory/3360-80-0x00007FFD58C20000-0x00007FFD58D12000-memory.dmp  dridex_payload
Executes dropped EXE 3 IoCs
Processes (pid / process):
3248  dpapimig.exe
1704  Utilman.exe
3360  Netplwiz.exe

Loads dropped DLL 3 IoCs
Processes (pid / process):
3248  dpapimig.exe
1704  Utilman.exe
3360  Netplwiz.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes (description / ioc / process):
Set value (str)  \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mmiwstgfcubwacq = "C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Extensions\\YCW4X\\Utilman.exe"  (process not recorded)
Checks whether UAC is enabled 4 IoCs
Processes (description / ioc / process):
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  dpapimig.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  Utilman.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  Netplwiz.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (pid / process):
5024  rundll32.exe  (4 entries)
3500  (process name not recorded; 60 entries)
Suspicious use of AdjustPrivilegeToken 8 IoCs
Processes (description / pid / process):
Token: SeShutdownPrivilege        3500  (4 entries)
Token: SeCreatePagefilePrivilege  3500  (4 entries)
Suspicious use of FindShellTrayWindow 2 IoCs
Processes (pid / process):
3500  (2 entries)
Suspicious use of WriteProcessMemory 12 IoCs
Processes (description / pid / procid_target), each recorded twice:
PID 3500 wrote to memory of 4356  3500  100
PID 3500 wrote to memory of 3248  3500  101
PID 3500 wrote to memory of 1368  3500  103
PID 3500 wrote to memory of 1704  3500  102
PID 3500 wrote to memory of 4268  3500  113
PID 3500 wrote to memory of 3360  3500  104
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
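Taken together, the signatures above describe three things a hunter can check for directly: signed Windows binaries (dpapimig.exe, Utilman.exe, Netplwiz.exe) launched from randomly named directories under AppData\Local after their System32 originals, the sample itself loaded by rundll32 from the user's Temp directory, and persistence via a Run key value in the user's hive (and, per the last signature, possibly a scheduled task). The script below is an added example and not the sandbox's own code. Its process events and Run key entry are constructed from this report's process tree and registry IoC; the scheduled-task XML is entirely constructed, because the report records only that the Task Scheduler COM API was used, not what was scheduled. The function names and path heuristics are mine.

```python
"""Hunting checks for the behaviours listed in this report's Signatures section."""
import ntpath
import re
import xml.etree.ElementTree as ET

# Constructed from the report's process tree (image path and command line only).
PROCESS_EVENTS = [
    {"pid": 5024, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\61f2627485987b4054ff97050f0dfe2b.dll,#1"},
    {"pid": 4356, "image": r"C:\Windows\system32\dpapimig.exe", "cmdline": r"C:\Windows\system32\dpapimig.exe"},
    {"pid": 3248, "image": r"C:\Users\Admin\AppData\Local\ehB\dpapimig.exe",
     "cmdline": r"C:\Users\Admin\AppData\Local\ehB\dpapimig.exe"},
    {"pid": 1704, "image": r"C:\Users\Admin\AppData\Local\cY4\Utilman.exe",
     "cmdline": r"C:\Users\Admin\AppData\Local\cY4\Utilman.exe"},
    {"pid": 1368, "image": r"C:\Windows\system32\Utilman.exe", "cmdline": r"C:\Windows\system32\Utilman.exe"},
    {"pid": 3360, "image": r"C:\Users\Admin\AppData\Local\AygmKefh\Netplwiz.exe",
     "cmdline": r"C:\Users\Admin\AppData\Local\AygmKefh\Netplwiz.exe"},
    {"pid": 4268, "image": r"C:\Windows\system32\Netplwiz.exe", "cmdline": r"C:\Windows\system32\Netplwiz.exe"},
]

# The Run key IoC from the report: a value in the sandbox user's own hive, so no elevation was needed.
RUN_KEY_ENTRIES = [
    (r"\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mmiwstgfcubwacq",
     r"C:\Users\Admin\AppData\Roaming\Mozilla\Extensions\YCW4X\Utilman.exe"),
]

# Constructed task definition in the Task Scheduler XML schema; the command path is hypothetical
# (reused from the Run key above), not something the report observed.
TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\Users\Admin\AppData\Roaming\Mozilla\Extensions\YCW4X\Utilman.exe</Command></Exec>
  </Actions>
</Task>"""

TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("\\appdata\\local\\", "\\appdata\\roaming\\", "\\users\\public\\", "\\programdata\\")


def norm(path):
    """Lower-case, strip quotes, use backslashes: enough for prefix and substring tests."""
    return path.strip().strip('"').replace("/", "\\").lower()


def in_system_dir(path):
    return norm(path).startswith(SYSTEM_DIRS)


def user_writable(path):
    return any(tag in norm(path) for tag in USER_WRITABLE)


def masqueraded_system_binaries(events):
    """Basenames that ran from System32/SysWOW64 in the trace AND from a user-writable
    directory: the copied-signed-binary side-loading pattern in the process tree."""
    system_names = {ntpath.basename(norm(e["image"])) for e in events if in_system_dir(e["image"])}
    return [e for e in events
            if not in_system_dir(e["image"]) and user_writable(e["image"])
            and ntpath.basename(norm(e["image"])) in system_names]


RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+?)"?\s*,', re.IGNORECASE)


def rundll32_user_dll(events):
    """rundll32 handed a DLL path under a user-writable directory (how the sample was run)."""
    hits = []
    for e in events:
        m = RUNDLL_RE.search(e.get("cmdline", ""))
        if m and user_writable(m.group(1)):
            hits.append((e["pid"], m.group(1)))
    return hits


def run_keys_in_user_dirs(entries):
    return [(key, value) for key, value in entries if user_writable(value)]


def task_commands_in_user_dirs(xml_text):
    """Exec/Command elements of a task definition whose program lives in a user-writable path."""
    root = ET.fromstring(xml_text)
    return [c.text for c in root.iter(TASK_NS + "Command") if c.text and user_writable(c.text)]


def hunt(events=PROCESS_EVENTS, run_keys=RUN_KEY_ENTRIES, task_xml=TASK_XML):
    return {
        "masqueraded_system_binaries": [(e["pid"], e["image"]) for e in masqueraded_system_binaries(events)],
        "rundll32_user_dll": rundll32_user_dll(events),
        "run_keys": run_keys_in_user_dirs(run_keys),
        "task_commands": task_commands_in_user_dirs(task_xml),
    }


if __name__ == "__main__":
    for name, findings in hunt().items():
        print(name)
        for finding in findings:
            print("   ", finding)
```

The masquerade check deliberately learns the set of "system" basenames from the trace itself rather than from a fixed list, which is what makes the pattern in this tree stand out: each legitimate binary is launched from System32 and then again from AppData\Local. On real endpoint telemetry you would pair the basename with the OriginalFileName or signer from the process-creation event instead; in a sandbox trace only the paths are available.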
Processes (all entries at depth 1 of the process tree)

C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\61f2627485987b4054ff97050f0dfe2b.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID: 5024

C:\Windows\system32\dpapimig.exe
  Command line: C:\Windows\system32\dpapimig.exe
  PID: 4356

C:\Users\Admin\AppData\Local\ehB\dpapimig.exe
  Command line: C:\Users\Admin\AppData\Local\ehB\dpapimig.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 3248

C:\Users\Admin\AppData\Local\cY4\Utilman.exe
  Command line: C:\Users\Admin\AppData\Local\cY4\Utilman.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 1704

C:\Windows\system32\Utilman.exe
  Command line: C:\Windows\system32\Utilman.exe
  PID: 1368

C:\Users\Admin\AppData\Local\AygmKefh\Netplwiz.exe
  Command line: C:\Users\Admin\AppData\Local\AygmKefh\Netplwiz.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 3360

C:\Windows\system32\Netplwiz.exe
  Command line: C:\Windows\system32\Netplwiz.exe
  PID: 4268

C:\Windows\system32\BackgroundTransferHost.exe
  Command line: "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
  PID: 4268
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 65KB
MD5: 603bedca38c1e59c5a49117bbe725e3c
SHA1: 4274698f08110944de9859a2329dfafd32f4c211
SHA256: 6f01557d006b423f898b40b0845787e3aacf04d56adedeb01d5a9d9428fca0da
SHA512: 8845cabe5eab951c7426b74b48f83d9dff8eeb47399b012231aa1c8a0541749f42cc6066aa1eb679f8da6e22a9b242b6d58682c92dca41716bc8ecf347230682

Filesize: 968KB
MD5: f37e4c44fa9ef56cf5166248d227f17e
SHA1: 84ad32cc6b7e61d35321e8bdb45a47abc2266fc7
SHA256: d0a58ce0c8bcfe06b35e1bd56e075f48caee1ef8423dc47f07b8c95953fa11b4
SHA512: 7606328375df617355429fdbe6f90952dc27397899df051b4fd224072ac260bff82575c763ff0dfebfb984b5c04b1ee0a794e9becf9b40c0e621db369e817d8c

Filesize: 512KB
MD5: fc91963f9914095408400cbf68c7e63c
SHA1: ff4ee0a0e39adf602ccd607ead80381ecbc28c62
SHA256: d68dd9b61cdf6ff4f541556eb151bf6fb5a90c1661723fe6687508ba808677dd
SHA512: 156b011224dd568834a48ff728d1beed53781dad993bc4e57cd08fde36e54309603f13aab930849a965d1698401a89e3c5a686fc9729045d6990b778d5108a08