Analysis
- max time kernel: 42s
- max time network: 175s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-12-2023 22:27
Static task: static1
Behavioral task: behavioral1
Sample: 059559658c6c1cd49d30a8f43d1d45b2.dll
Resource: win7-20231215-en
General
- Target: 059559658c6c1cd49d30a8f43d1d45b2.dll
- Size: 1.7MB
- MD5: 059559658c6c1cd49d30a8f43d1d45b2
- SHA1: 56de1a741459ec1a8a18dd216ec3488229c582e2
- SHA256: 9d0e8397fb43fa3f9c5cf6cfff056b1f65f3f6634398d210c008698499967585
- SHA512: e04306bbbd176acb8936c1ff410bbed29a4f459e25d2315ae27094c01a5e760ae278df1f086ad44c3b462aa4a1ef437cfa835b4fd0d06ee7ab737a12d381c165
- SSDEEP: 12288:UVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:RfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
-
Processes:
  resource: behavioral2/memory/3572-4-0x00000000027A0000-0x00000000027A1000-memory.dmp
  yara_rule: dridex_stager_shellcode
Executes dropped EXE 3 IoCs
Processes:
  pid 2360 sppsvc.exe
  pid 3272 rdpinput.exe
  pid 1008 Netplwiz.exe
Loads dropped DLL 3 IoCs
Processes:
  pid 2360 sppsvc.exe
  pid 3272 rdpinput.exe
  pid 1008 Netplwiz.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  Set value (str): \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qoccyyzfzcu = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\srA\\rdpinput.exe"
Checks whether UAC is enabled
Processes:
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (Netplwiz.exe)
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (rundll32.exe)
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (sppsvc.exe)
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (rdpinput.exe)
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
  pid 928 rundll32.exe (4 entries)
  pid 3572, no process name recorded (remaining 60 entries)
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
  Token: SeShutdownPrivilege, pid 3572
  Token: SeCreatePagefilePrivilege, pid 3572
  Token: SeShutdownPrivilege, pid 3572
  Token: SeCreatePagefilePrivilege, pid 3572
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
  pid 3572
  pid 3572
Suspicious use of WriteProcessMemory 10 IoCs
Processes (description, pid, procid_target):
  PID 3572 wrote to memory of 2360, pid 3572, procid_target 85
  PID 3572 wrote to memory of 2360, pid 3572, procid_target 85
  PID 3572 wrote to memory of 1544, pid 3572, procid_target 86
  PID 3572 wrote to memory of 1544, pid 3572, procid_target 86
  PID 3572 wrote to memory of 3272, pid 3572, procid_target 87
  PID 3572 wrote to memory of 3272, pid 3572, procid_target 87
  PID 3572 wrote to memory of 688, pid 3572, procid_target 88
  PID 3572 wrote to memory of 688, pid 3572, procid_target 88
  PID 3572 wrote to memory of 1008, pid 3572, procid_target 89
  PID 3572 wrote to memory of 1008, pid 3572, procid_target 89
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\059559658c6c1cd49d30a8f43d1d45b2.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID: 928
- C:\Windows\system32\sppsvc.exe
  command line: C:\Windows\system32\sppsvc.exe
  PID: 2972
- C:\Users\Admin\AppData\Local\B5Beu\sppsvc.exe
  command line: C:\Users\Admin\AppData\Local\B5Beu\sppsvc.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 2360
- C:\Windows\system32\rdpinput.exe
  command line: C:\Windows\system32\rdpinput.exe
  PID: 1544
- C:\Users\Admin\AppData\Local\Kd5UzB4\rdpinput.exe
  command line: C:\Users\Admin\AppData\Local\Kd5UzB4\rdpinput.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 3272
- C:\Windows\system32\Netplwiz.exe
  command line: C:\Windows\system32\Netplwiz.exe
  PID: 688
- C:\Users\Admin\AppData\Local\iGN5IX1\Netplwiz.exe
  command line: C:\Users\Admin\AppData\Local\iGN5IX1\Netplwiz.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 1008
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\S-1-5-21-3336304223-2978740688-3645194410-1000\Go\NETPLWIZ.dll
  Filesize: 43KB
  MD5: b6509f8611bb561cbf17996d4c65af07
  SHA1: 49ddc37cf5d9f2c5a6b28ca037ff05f8a103929e
  SHA256: 4299ac69c5e7e0401a416eb4062d9debaa59c37bbf13caa437db5b411e7ebace
  SHA512: 3842af66373246532c10fe8b08f95c5ad69bf8a1881a034c11ca962123e34219aca016948325edc5ecfead05a51a6b1616db9e5df4f60e74fa8a769ed808a245