Analysis

max time kernel: 152s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64 arch:x86 image:win10v2004-20231215-en locale:en-us os:windows10-2004-x64 system
submitted: 27-12-2023 13:02
Static task: static1
Behavioral task: behavioral1
Sample: b122a91caaad5f9133a910107ab182f2.dll
Resource: win7-20231215-en
General

Target: b122a91caaad5f9133a910107ab182f2.dll
Size: 728KB
MD5: b122a91caaad5f9133a910107ab182f2
SHA1: df8ac36b8382ec1a7cd5c52decdca2330fc57af1
SHA256: f2ded2615a9ec37198c3ae0042de5ddb999eda4d0d89b5469d20c4b047e8759f
SHA512: f9a9311958fbffcfbf5a6b71168add5e585a0d09daa4e748617aed1180eef1c0bbd997adda57561ed21106f4d4e62c64d99fa5dee4ce7dafcc3ba452a4b709f5
SSDEEP: 12288:G6BBWGJW6eC85Df97+yXUj7SncCxj8iHGo59S1WQSCtEdFO7YKJf6:G6BQBjlc728jo7S1bl6FbK
Malware Config
Signatures
Processes:
  resource: behavioral2/memory/3512-4-0x0000000000630000-0x0000000000631000-memory.dmp
  yara_rule: dridex_stager_shellcode
Executes dropped EXE 3 IoCs
Processes:
  pid   Process
  3580  phoneactivate.exe
  2336  WFS.exe
  3920  dpapimig.exe
Loads dropped DLL 3 IoCs
Processes:
  pid   Process
  3580  phoneactivate.exe
  2336  WFS.exe
  3920  dpapimig.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gdfgjdhwrlpouj = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\AddIns\\zRxVPbtoC2k\\WFS.exe"
Checks whether UAC is enabled (EnableLUA queried by rundll32.exe, phoneactivate.exe, WFS.exe, dpapimig.exe)
Processes:
  description        ioc                                                                                  Process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  phoneactivate.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  WFS.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  dpapimig.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
  pid   Process
  1848  rundll32.exe (4 entries)
  3512  (no process name recorded; all remaining entries, 60 of the 64 IoCs)
Suspicious use of WriteProcessMemory 12 IoCs
Processes (each row appears twice in the report):
  description                        pid   Process  procid_target
  PID 3512 wrote to memory of 2348   3512           96
  PID 3512 wrote to memory of 3580   3512           97
  PID 3512 wrote to memory of 3116   3512           99
  PID 3512 wrote to memory of 2336   3512           100
  PID 3512 wrote to memory of 3568   3512           103
  PID 3512 wrote to memory of 3920   3512           104
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\b122a91caaad5f9133a910107ab182f2.dll,#1
  PID: 1848
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses

- C:\Windows\system32\phoneactivate.exe
  Command line: C:\Windows\system32\phoneactivate.exe
  PID: 2348

- C:\Users\Admin\AppData\Local\zoZBJC\phoneactivate.exe
  Command line: C:\Users\Admin\AppData\Local\zoZBJC\phoneactivate.exe
  PID: 3580
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled

- C:\Windows\system32\WFS.exe
  Command line: C:\Windows\system32\WFS.exe
  PID: 3116

- C:\Users\Admin\AppData\Local\xFx1yOt\WFS.exe
  Command line: C:\Users\Admin\AppData\Local\xFx1yOt\WFS.exe
  PID: 2336
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled

- C:\Windows\system32\dpapimig.exe
  Command line: C:\Windows\system32\dpapimig.exe
  PID: 3568

- C:\Users\Admin\AppData\Local\5iWWlGY1R\dpapimig.exe
  Command line: C:\Users\Admin\AppData\Local\5iWWlGY1R\dpapimig.exe
  PID: 3920
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 1008KB
  MD5: 0d945fb531da801c8a13e7c5d1346e5b
  SHA1: 25585ab94362e7c6b57981f11df2a96db4bd87d8
  SHA256: 4b900740e933d61f05abc2bb6f3f3273d558d7f15b26e9ffadfbfe4cd23e25eb
  SHA512: ded6c44aa897aadb167cff5b65fb7d3f4fb5061cb86475675e8473fb565790b26386be31ffb91d4b11f0b90fac6f770b8b915c6334f3288464b561aa052cada3

- Filesize: 76KB
  MD5: b6d6477a0c90a81624c6a8548026b4d0
  SHA1: e6eac6941d27f76bbd306c2938c0a962dbf1ced1
  SHA256: a8147d08b82609c72d588a0a604cd3c1f2076befcc719d282c7cbd6525ae89eb
  SHA512: 72ec8b79e3438f0f981129a323ad39db84df7dd14a796a820bdbc74ea8fa13eee843d1ea030a0c1caeda2e2d69952f14a821a73825b38dd9415047aca597b1fe

- Filesize: 944KB
  MD5: 3cbc8d0f65e3db6c76c119ed7c2ffd85
  SHA1: e74f794d86196e3bbb852522479946cceeed7e01
  SHA256: e23e4182efe7ed61aaf369696e1ce304c3818df33d1663872b6d3c75499d81f4
  SHA512: 26ae5845a804b9eb752078f1ffa80a476648a8a9508b4f7ba56c94acd4198f3ba59c77add4feb7e0420070222af56521ca5f6334f466d5db272c816930513f0a

- Filesize: 732KB
  MD5: 16082cd7084cd0a2422862d1d08fd303
  SHA1: 28da451426d2663c5ffd7ac1f9146bc8c59e13df
  SHA256: ba917a5e69d008aecb7630eededb9daa9520b9a613d5ad68a537554fd5ee668c
  SHA512: d9c51da2c24fa77c447870c9786d368ff9533941031a855e601cef621aaab249f30ef65661e03603e03de32b260bde5782d00a4fb455be31c5af7ed9e12f6dc4

- Filesize: 732KB
  MD5: 7ff15326fc377b6423911e72e2649c8e
  SHA1: e67f27ebbc0668b7a00cfd502cc96228fc9b6f5b
  SHA256: eaf571769be6508c887d887ccf4da10aaec1860530b2a302f5ee59cb4cc1e350
  SHA512: 4796da4499c00ae3155ddf91955bbc664f8ba0abf388d53530fd43043c4ff5e2313ee27795ec427d7441c95f8dddc91b947f714953905251b34dc9996910df04

- Filesize: 107KB
  MD5: 32c31f06e0b68f349f68afdd08e45f3d
  SHA1: e4b642f887e2c1d76b6b4777ade91e3cb3b9e27c
  SHA256: cea83eb34233fed5ebeef8745c7c581a8adbefbcfc0e30e2d30a81000c821017
  SHA512: fe61764b471465b164c9c2202ed349605117d57ceb0eca75acf8bda44e8744c115767ee0caed0b7feb70ba37b477d00805b3fdf0d0fa879dd4c8e3c1dc1c0d26

- Filesize: 1KB
  MD5: 497cfe49ccc51a232548f21de8e0c9c7
  SHA1: ab28381097759d4a86f5bcde328be1ffd3079db6
  SHA256: 1ca9a90614120b0bcb3d2cf3f5a9f89233ea01e96742d770a042865106867a0d
  SHA512: 407f17dee85d2e61d5356732ee49f4b6dd3aab00ddb343d65466804b846cb8b5c4afcca28a33eb030d8529be0e80fb96cb91c2bb9bdcfa081ad0f3ebecc23e1d