Analysis
max time kernel: 154s
max time network: 163s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-12-2023 05:07
Static task: static1
Behavioral task: behavioral1
Sample: c60920a9c292aa669035396b03965a08.dll
Resource: win7-20231215-en
General
Target: c60920a9c292aa669035396b03965a08.dll
Size: 932KB
MD5: c60920a9c292aa669035396b03965a08
SHA1: c6005bcff4c1a3161bdc681b68ddadb2b771a5b6
SHA256: 4e37a17479c456a66c1b5bbc8204e65e2a7049852836df593d3cffad7ea546c9
SHA512: e5b79d76ea45af823612782d5c1c6426084c6cfab908d5bb5db4134b24e9f91ee3bd291e1da2dbb9b3801483926b767b2ad1b9c35c02d7ab4177893d630a2797
SSDEEP: 12288:yPVKLvdxQPKSoVXxTaGcb68Uzx2TBeOWhZJpK88:ytKTrsKSKBTSb6DUXWq88
Malware Config
Signatures
Dridex stager shellcode in memory (YARA rule dridex_stager_shellcode) 1 IoCs
resource | yara_rule
behavioral2/memory/3520-3-0x0000000002DE0000-0x0000000002DE1000-memory.dmp | dridex_stager_shellcode
Dridex payload in memory (YARA rule dridex_payload) 8 IoCs
resource | yara_rule
behavioral2/memory/4888-1-0x0000000140000000-0x00000001400E9000-memory.dmp | dridex_payload
behavioral2/memory/3520-22-0x0000000140000000-0x00000001400E9000-memory.dmp | dridex_payload
behavioral2/memory/3520-33-0x0000000140000000-0x00000001400E9000-memory.dmp | dridex_payload
behavioral2/memory/4888-36-0x0000000140000000-0x00000001400E9000-memory.dmp | dridex_payload
behavioral2/memory/3800-44-0x0000000140000000-0x00000001400EA000-memory.dmp | dridex_payload
behavioral2/memory/3800-48-0x0000000140000000-0x00000001400EA000-memory.dmp | dridex_payload
behavioral2/memory/4700-64-0x0000000140000000-0x00000001400EA000-memory.dmp | dridex_payload
behavioral2/memory/836-82-0x0000000140000000-0x00000001400EA000-memory.dmp | dridex_payload
Every payload hit starts at 0x140000000, the linker's default image base for 64-bit executables, and the 0xE9000-byte region in PIDs 4888 and 3520 is exactly 932KB, the size of the submitted DLL: the same image is mapped whole, unrelocated, in five different processes.
Executes dropped EXE 3 IoCs
pid | Process
3800 | dxgiadaptercache.exe
4700 | msra.exe
836 | msconfig.exe
Loads dropped DLL 3 IoCs
pid | Process
3800 | dxgiadaptercache.exe
4700 | msra.exe
836 | msconfig.exe
Adds Run key to start application 2 TTPs 1 IoCs
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gdfgjdhwrlpouj = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3073191680-435865314-2862784915-1000\\YbbL5OVY\\msra.exe"
The autorun value points at a copy of msra.exe placed under the user's DPAPI Protect directory (AppData\Roaming\Microsoft\Protect\<SID>\), a folder that legitimately holds only master-key blobs, never executables; an .exe anywhere beneath it is worth alerting on regardless of the name used.
Checks whether UAC is enabled 4 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | dxgiadaptercache.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | msra.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | msconfig.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
4888 | rundll32.exe (4 events)
3520 | process name not recorded in the report (60 events)
Suspicious use of UnmapMainImage 1 IoCs
pid | Process
3520 | process name not recorded in the report
Suspicious use of WriteProcessMemory 12 IoCs
description | pid | procid_target | event
PID 3520 wrote to memory of 3500 | 3520 | 3500 | 97 (recorded twice)
PID 3520 wrote to memory of 3800 | 3520 | 3800 | 98 (recorded twice)
PID 3520 wrote to memory of 1068 | 3520 | 1068 | 99 (recorded twice)
PID 3520 wrote to memory of 4700 | 3520 | 4700 | 100 (recorded twice)
PID 3520 wrote to memory of 4384 | 3520 | 4384 | 102 (recorded twice)
PID 3520 wrote to memory of 836 | 3520 | 836 | 103 (recorded twice)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
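The signature tables above are flattened one-line dumps, which makes the injection chain hard to read. The following script is an added example written for this page (it is not part of the sandbox report or of any vendor tooling): it parses the YARA memory-hit and WriteProcessMemory lines copied verbatim from the report, joins them per PID, and checks two things a practitioner would want confirmed: which write targets later show a Dridex payload at the default x64 image base 0x140000000, and whether that mapped region matches the 932KB sample size stated in the header. The constants and regexes are the example's own assumptions about the report's text layout.

```python
"""Rebuild the injection picture from the report's flattened IoC lines.

Added example, not part of the sandbox report or of any vendor tooling. The
input strings are copied from the report's Signatures section; the two
constants encode standard PE knowledge (default x64 image base) and the
sample size the report states (932KB).
"""
import re
from collections import defaultdict

# Constructed sample input: the YARA memory-hit lines exactly as the report
# prints them (one dump file + rule name per hit).
YARA_TEXT = """
behavioral2/memory/3520-3-0x0000000002DE0000-0x0000000002DE1000-memory.dmp dridex_stager_shellcode
behavioral2/memory/4888-1-0x0000000140000000-0x00000001400E9000-memory.dmp dridex_payload
behavioral2/memory/3520-22-0x0000000140000000-0x00000001400E9000-memory.dmp dridex_payload
behavioral2/memory/3520-33-0x0000000140000000-0x00000001400E9000-memory.dmp dridex_payload
behavioral2/memory/4888-36-0x0000000140000000-0x00000001400E9000-memory.dmp dridex_payload
behavioral2/memory/3800-44-0x0000000140000000-0x00000001400EA000-memory.dmp dridex_payload
behavioral2/memory/3800-48-0x0000000140000000-0x00000001400EA000-memory.dmp dridex_payload
behavioral2/memory/4700-64-0x0000000140000000-0x00000001400EA000-memory.dmp dridex_payload
behavioral2/memory/836-82-0x0000000140000000-0x00000001400EA000-memory.dmp dridex_payload
"""

# Constructed sample input: the WriteProcessMemory line, flattened as in the
# report (each write appears twice; trailing numbers are source PID and event id).
WPM_TEXT = (
    "PID 3520 wrote to memory of 3500 3520 97 PID 3520 wrote to memory of 3500 3520 97 "
    "PID 3520 wrote to memory of 3800 3520 98 PID 3520 wrote to memory of 3800 3520 98 "
    "PID 3520 wrote to memory of 1068 3520 99 PID 3520 wrote to memory of 1068 3520 99 "
    "PID 3520 wrote to memory of 4700 3520 100 PID 3520 wrote to memory of 4700 3520 100 "
    "PID 3520 wrote to memory of 4384 3520 102 PID 3520 wrote to memory of 4384 3520 102 "
    "PID 3520 wrote to memory of 836 3520 103 PID 3520 wrote to memory of 836 3520 103"
)

DEFAULT_X64_IMAGE_BASE = 0x140000000  # linker default ImageBase for 64-bit EXEs
SAMPLE_SIZE_BYTES = 932 * 1024        # "Size 932KB" from the report header

HIT_RE = re.compile(
    r"behavioral\d+/memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp\s+(\w+)"
)
WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")


def parse_yara_hits(text):
    """One dict per hit: pid, dump sequence number, region start/end, rule."""
    return [
        {"pid": int(pid), "seq": int(seq), "start": int(start, 16),
         "end": int(end, 16), "rule": rule}
        for pid, seq, start, end, rule in HIT_RE.findall(text)
    ]


def parse_write_edges(text):
    """Ordered, de-duplicated (source_pid, target_pid) pairs."""
    edges = []
    for src, dst in WRITE_RE.findall(text):
        edge = (int(src), int(dst))
        if edge not in edges:
            edges.append(edge)
    return edges


def summarize(hits, edges):
    """Per PID: rules seen, who wrote into it, and the payload mapping details."""
    summary = defaultdict(lambda: {
        "rules": set(), "written_by": set(),
        "payload_at_default_base": False, "payload_bytes": 0,
    })
    for h in hits:
        entry = summary[h["pid"]]
        entry["rules"].add(h["rule"])
        if h["rule"] == "dridex_payload" and h["start"] == DEFAULT_X64_IMAGE_BASE:
            entry["payload_at_default_base"] = True
            entry["payload_bytes"] = max(entry["payload_bytes"], h["end"] - h["start"])
    for src, dst in edges:
        summary[dst]["written_by"].add(src)
    return dict(summary)


def written_but_clean(summary):
    """Targets of WriteProcessMemory that never produced a YARA hit."""
    return sorted(pid for pid, e in summary.items() if e["written_by"] and not e["rules"])


if __name__ == "__main__":
    s = summarize(parse_yara_hits(YARA_TEXT), parse_write_edges(WPM_TEXT))
    for pid in sorted(s):
        e = s[pid]
        print(f"PID {pid}: rules={sorted(e['rules'])} written_by={sorted(e['written_by'])} "
              f"payload_at_0x140000000={e['payload_at_default_base']} "
              f"payload_bytes={e['payload_bytes']:#x}")
    print("written to but no hit:", written_but_clean(s))
```

Running it shows that the three System32-path launches (PIDs 3500, 1068, 4384) were written to but never carried a payload hit, while the three AppData copies (3800, 4700, 836) did, and that PID 3520 holds both the stager shellcode and the mapped payload even though it is absent from the process tree.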
Processes

C:\Windows\system32\rundll32.exe (PID 4888)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\c60920a9c292aa669035396b03965a08.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses

C:\Windows\system32\dxgiadaptercache.exe (PID 3500)
  command line: C:\Windows\system32\dxgiadaptercache.exe

C:\Users\Admin\AppData\Local\a1Ac\dxgiadaptercache.exe (PID 3800)
  command line: C:\Users\Admin\AppData\Local\a1Ac\dxgiadaptercache.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled

C:\Windows\system32\msra.exe (PID 1068)
  command line: C:\Windows\system32\msra.exe

C:\Users\Admin\AppData\Local\EP6w\msra.exe (PID 4700)
  command line: C:\Users\Admin\AppData\Local\EP6w\msra.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled

C:\Windows\system32\msconfig.exe (PID 4384)
  command line: C:\Windows\system32\msconfig.exe

C:\Users\Admin\AppData\Local\XuPoT1\msconfig.exe (PID 836)
  command line: C:\Users\Admin\AppData\Local\XuPoT1\msconfig.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled

All seven processes are recorded at depth 1; PID 3520, which wrote into the six processes other than rundll32.exe (see WriteProcessMemory above), does not appear in the tree. Three System32 binaries (dxgiadaptercache.exe, msra.exe, msconfig.exe) are each started from their genuine location and then again from a copy in a random-named folder under AppData\Local, where the copy loads a dropped DLL: this is the shape of DLL search-order hijacking, a loader technique long associated with Dridex.
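The process list and the Run key above suggest two hunting heuristics that generalise beyond this sample: a System32 binary re-launched from a copy in a user-writable folder, and an autorun value that points into the user's DPAPI Protect store. The script below is an added example written for this page, not the sandbox vendor's detection logic; the image paths and the Run value are copied from the report, the second Run entry is a constructed benign contrast, and the heuristics themselves are this editor's assumptions about what is worth flagging.

```python
"""Two hunting heuristics drawn from the process tree and the Run key.

Added example, not part of the sandbox report. Paths and the Run value are
copied from the report (the registry dump shows backslashes doubled; raw
strings are used here instead). The heuristics are the editor's, not the
sandbox vendor's detections.
"""
import re
from pathlib import PureWindowsPath

SYSTEM32 = PureWindowsPath(r"C:\Windows\system32")

# Constructed sample input: image paths from the report's process list.
PROCESS_IMAGES = [
    r"C:\Windows\system32\rundll32.exe",
    r"C:\Windows\system32\dxgiadaptercache.exe",
    r"C:\Users\Admin\AppData\Local\a1Ac\dxgiadaptercache.exe",
    r"C:\Windows\system32\msra.exe",
    r"C:\Users\Admin\AppData\Local\EP6w\msra.exe",
    r"C:\Windows\system32\msconfig.exe",
    r"C:\Users\Admin\AppData\Local\XuPoT1\msconfig.exe",
]

# Constructed sample input: the HKCU Run value the report records, plus a
# hypothetical benign entry ("ExampleUpdater") for contrast.
RUN_VALUES = {
    "Gdfgjdhwrlpouj": r"C:\Users\Admin\AppData\Roaming\Microsoft\Protect"
                      r"\S-1-5-21-3073191680-435865314-2862784915-1000\YbbL5OVY\msra.exe",
    "ExampleUpdater": r"C:\Program Files\ExampleVendor\updater.exe",
}


def system32_names(images):
    """Lower-cased file names of every image launched from System32."""
    return {PureWindowsPath(p).name.lower() for p in images
            if PureWindowsPath(p).parent == SYSTEM32}


def relocated_system_binaries(images):
    """(system32_path, copy_path) pairs where a System32 image name reappears
    outside System32. A genuine binary re-launched from a user-writable folder
    is the shape DLL search-order hijacking takes; rundll32.exe, which has no
    such copy here, is not reported."""
    paths = [PureWindowsPath(p) for p in images]
    in_sys32 = {p.name.lower(): p for p in paths if p.parent == SYSTEM32}
    return [
        (str(in_sys32[p.name.lower()]), str(p))
        for p in paths
        if p.parent != SYSTEM32 and p.name.lower() in in_sys32
    ]


def suspicious_run_reasons(value, sys32_names):
    """Reasons an autorun command deserves a look; an empty list means none."""
    path = PureWindowsPath(value.strip('"'))
    parts = [x.lower() for x in path.parts]
    reasons = []
    if "appdata" in parts:
        reasons.append("executable lives under the user profile AppData tree")
    for i in range(len(parts) - 2):
        if parts[i:i + 3] == ["roaming", "microsoft", "protect"]:
            reasons.append("path is inside the DPAPI Protect store, which holds key blobs, not programs")
            break
    if path.name.lower() in sys32_names:
        reasons.append(f"file name {path.name} collides with a System32 binary")
    return reasons


def triage_run_values(run_values, images):
    """Map each Run value name to its list of reasons."""
    names = system32_names(images)
    return {name: suspicious_run_reasons(v, names) for name, v in run_values.items()}


if __name__ == "__main__":
    for original, copy in relocated_system_binaries(PROCESS_IMAGES):
        print(f"relocated copy: {copy}  (genuine: {original})")
    for name, reasons in triage_run_values(RUN_VALUES, PROCESS_IMAGES).items():
        print(f"Run\\{name}: {'; '.join(reasons) or 'nothing unusual'}")
```

Both checks work on paths alone, so they can be applied to sandbox output, EDR process telemetry or an autoruns export without access to the host; on a live system the same logic would be fed from the Run key and the process list rather than the constructed lists above.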
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 936KB
MD5: 4643581cd4fdac26ac9eb7bb39bfb132
SHA1: 54821b1e6bf4f614dd3c2fc405421da5ab080f96
SHA256: 00daa76f3862d79a2a87fe0a29bd163527d4b29cac23d5a5adc4695a829738c9
SHA512: 75dda9fdb887bca25b75cbc71ed5acff8879ecd8e8f48aa4af8ba2809a9bbd6976113abb87f27fb9500e92087c490d4ca45c50126c7f13cdaff6df37c0462add

Filesize: 579KB
MD5: dcda3b7b8eb0bfbccb54b4d6a6844ad6
SHA1: 316a2925e451f739f45e31bc233a95f91bf775fa
SHA256: 011e1decd6683afe5f1e397fe9697f2cf592ae21766a7629e234682f721658ae
SHA512: 18e8c99f8b86375627aba0d2b10cf4db24ee5ac61a3d6a73d382a83ec63217c7e455570d4fa7dcdbb188dcc73988689661f8cab2337ae8c615fa6bc9a08f71f5

Filesize: 936KB
MD5: 7c2d965c2208841f24d43a575b828f8d
SHA1: 233308ffddd2e06d0511d0ff2b5808f3ec44ab9a
SHA256: afb59f464f1ec5d2b8fdae055110f2ecafa57e779ba347a04d041be5b1487d6f
SHA512: c78d2195f6771b2b2b5004319d6a9df3f921a9bb949ccfc55142397e004d2d864be962a78bdaa525227fbae81679a2d020d7e13bada7f443bf108b073fd2e87c

Filesize: 193KB
MD5: 39009536cafe30c6ef2501fe46c9df5e
SHA1: 6ff7b4d30f31186de899665c704a105227704b72
SHA256: 93d2604f7fdf7f014ac5bef63ab177b6107f3cfc26da6cbd9a7ab50c96564a04
SHA512: 95c9a8bc61c79108634f5578825544323e3d980ae97a105a325c58bc0e44b1d500637459969602f08d6d23d346baec6acd07d8351803981000c797190d48f03a

Filesize: 936KB
MD5: 492ecb555b3aa4793f92bafb27777acf
SHA1: 9cd923cac995853122f5d6eeec53664bae1c6792
SHA256: f5bf9f7c186ff381cd0c79591596fe4f1be00cf825750896137594505d5804cb
SHA512: 57e31e9430c375896ad720a72cbb18ab75e544fe33403def39267459d0a928f51ecb9309f3a5617e0a1f24ec135b2537935994d5a0d4332fd4b95dbaf27c5223

Filesize: 230KB
MD5: e62f89130b7253f7780a862ed9aff294
SHA1: b031e64a36e93f95f2061be5b0383069efac2070
SHA256: 4bea9f741fe4ca9d6262477849896b9fa6377326d11af044561c31bde2d994b5
SHA512: 05649d38a0b5d825bb8442549427b0ff77b139c9dd297b04d6c0fb1415504c95ed750cd79efea2ff514abfc5d1003e6251a3cd871d352dcea06be0cdeb0304f7

Filesize: 1KB
MD5: b19b6b82aed04484820ea294493ff734
SHA1: 54b6b4de35057a2e147d1d70363bda8f6c033b56
SHA256: 3577dab3edb4915b972be78450db1bcfa2a57e9c2afdeaf4b05a8d0add899968
SHA512: 5f143e7bd16979c39d10bfc9d92bb4a4af78a8e7dcebdbae0c20c5c26b50cd3c62fdd622d10dbc64bf09bab3c04dd4379e79ab0fa39b550091b84fba9cb67088