Analysis
max time kernel: 51s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-12-2023 14:55
Static task: static1
Behavioral task: behavioral1
Sample: 772b68bf3048024e686be386fbfe5083.dll
Resource: win7-20231215-en
General
Target: 772b68bf3048024e686be386fbfe5083.dll
Size: 652KB
MD5: 772b68bf3048024e686be386fbfe5083
SHA1: 458a9a79779cf07157ec419d9511975e2f8aa2c8
SHA256: 7c62dc19058fca240cc5e8942a240f7691e6066aa3d59a51185ac3209e8f1409
SHA512: 18164714b6ced7284218c0dc8c4e0013b1b08084e07f89322564bdd0bf5d37c62edcb947965e1384e26fe36dd7d613a82697a4429fc935ee1557edf3c9290d62
SSDEEP: 12288:8KYQ5LL540CV3UIeLPrleV1F0e8gMA/9L0l3HATpKR4:9YQ5p4f0POF0nkls3opKR
Malware Config
Signatures
-
Processes:
resource: behavioral2/memory/3448-3-0x0000000000ED0000-0x0000000000ED1000-memory.dmp
yara_rule: dridex_stager_shellcode
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
Set value (str): \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Kqgfxymewp = "C:\\Users\\Admin\\AppData\\Roaming\\yVtwNVk\\rdpinit.exe"
-
Checks whether UAC is enabled
Processes:
Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (rundll32.exe)
-
Drops file in System32 directory 2 IoCs
Processes:
File created: C:\Windows\system32\J0u34\WMPDMC.exe (cmd.exe)
File opened for modification: C:\Windows\system32\J0u34\WMPDMC.exe (cmd.exe)
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid 1208 rundll32.exe (4 events)
pid 3448 (60 events; no process name listed)
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
Token: SeShutdownPrivilege, pid 3448
Token: SeCreatePagefilePrivilege, pid 3448
Token: SeShutdownPrivilege, pid 3448
Token: SeCreatePagefilePrivilege, pid 3448
Token: SeShutdownPrivilege, pid 3448
Token: SeCreatePagefilePrivilege, pid 3448
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
PID 3448 wrote to memory of 2320 (procid_target 101), 2 events
PID 3448 wrote to memory of 4840 (procid_target 100), 2 events
PID 3448 wrote to memory of 4088 (procid_target 106), 2 events
PID 3448 wrote to memory of 3968 (procid_target 105), 2 events
PID 3448 wrote to memory of 3224 (procid_target 103), 2 events
PID 3448 wrote to memory of 832 (procid_target 109), 2 events
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\rundll32.exe
command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\772b68bf3048024e686be386fbfe5083.dll,#1
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1208
-
C:\Windows\system32\cmd.exe
command line: "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\wwPwGp.cmd
PID:4840
-
C:\Windows\system32\rdpinit.exe
command line: C:\Windows\system32\rdpinit.exe
PID:2320
-
C:\Windows\system32\schtasks.exe
command line: "C:\Windows\system32\schtasks.exe" /Create /F /TN "Mtkoqsmyqyvls" /TR "C:\Windows\system32\J0u34\WMPDMC.exe" /SC minute /MO 60 /RL highest
- Creates scheduled task(s)
PID:3224
-
C:\Windows\system32\cmd.exe
command line: "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\XbR9A.cmd
- Drops file in System32 directory
PID:3968
-
C:\Windows\system32\WMPDMC.exe
command line: C:\Windows\system32\WMPDMC.exe
PID:4088
-
C:\Windows\system32\schtasks.exe
command line: C:\Windows\system32\schtasks.exe /Query /TN "Mtkoqsmyqyvls"
run six times, PIDs: 832, 1472, 3424, 4984, 1596, 1552
Network
MITRE ATT&CK Enterprise v15
Downloads