Analysis
- max time kernel: 177s
- max time network: 198s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-12-2023 22:49
- Static task: static1
- Behavioral task: behavioral1
- Sample: 06194ae42efb4403b501d255e4ee8a4e.dll
- Resource: win7-20231215-en
General
- Target: 06194ae42efb4403b501d255e4ee8a4e.dll
- Size: 2.9MB
- MD5: 06194ae42efb4403b501d255e4ee8a4e
- SHA1: 865df6831aee519d1619f07d5bfe5474fd5d5d26
- SHA256: 3c710eec70ecf93ecdf44c999dafdab9edc3552a0c7a546116441691499be7b7
- SHA512: 299da5d167d66a68f2ae5bbdf7bc64921840aa1a1a7bcbb9226bb8863fb8ba05ac383589eb6275e107c89ee5c130bef616f85fb2c1c28fb06aeb5efc915d6cf3
- SSDEEP: 12288:hVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:QfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config

Signatures
- Processes (resource | yara_rule):
  behavioral2/memory/3392-4-0x0000000000B90000-0x0000000000B91000-memory.dmp | dridex_stager_shellcode
- Executes dropped EXE (3 IoCs)
  Processes (pid | Process):
  1264 | EhStorAuthn.exe
  4088 | ApplicationFrameHost.exe
  4872 | mfpmp.exe
- Loads dropped DLL (3 IoCs)
  Processes (pid | Process):
  1264 | EhStorAuthn.exe
  4088 | ApplicationFrameHost.exe
  4872 | mfpmp.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes (description | ioc):
  Set value (str) | \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Loeeeopgcaia = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\7qU\\ApplicationFrameHost.exe"
- Checks whether UAC is enabled
  Processes (description | ioc | Process):
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | EhStorAuthn.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | ApplicationFrameHost.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | mfpmp.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid | Process):
  4680 | rundll32.exe (4 entries)
  3392 | (no process name recorded; all remaining entries)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description | pid):
  Token: SeShutdownPrivilege | 3392
  Token: SeCreatePagefilePrivilege | 3392
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description | pid | procid_target):
  PID 3392 wrote to memory of 4880 | 3392 | 89 (2 entries)
  PID 3392 wrote to memory of 1264 | 3392 | 92 (2 entries)
  PID 3392 wrote to memory of 4560 | 3392 | 93 (2 entries)
  PID 3392 wrote to memory of 4088 | 3392 | 95 (2 entries)
  PID 3392 wrote to memory of 4020 | 3392 | 96 (2 entries)
  PID 3392 wrote to memory of 4872 | 3392 | 97 (2 entries)
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\06194ae42efb4403b501d255e4ee8a4e.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID: 4680
- C:\Windows\system32\EhStorAuthn.exe
  Command line: C:\Windows\system32\EhStorAuthn.exe
  PID: 4880
- C:\Users\Admin\AppData\Local\qmAdyM\EhStorAuthn.exe
  Command line: C:\Users\Admin\AppData\Local\qmAdyM\EhStorAuthn.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 1264
- C:\Windows\system32\ApplicationFrameHost.exe
  Command line: C:\Windows\system32\ApplicationFrameHost.exe
  PID: 4560
- C:\Users\Admin\AppData\Local\vQmiFV1Lw\ApplicationFrameHost.exe
  Command line: C:\Users\Admin\AppData\Local\vQmiFV1Lw\ApplicationFrameHost.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 4088
- C:\Windows\system32\mfpmp.exe
  Command line: C:\Windows\system32\mfpmp.exe
  PID: 4020
- C:\Users\Admin\AppData\Local\8lAFZBk\mfpmp.exe
  Command line: C:\Users\Admin\AppData\Local\8lAFZBk\mfpmp.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 4872
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 85KB
  MD5: 3e992f0f68c795140c61100a7fd0080d
  SHA1: 41aacf759ef77d997d1776e4bbb00d1a4cf9ab46
  SHA256: ee88848b89ff36325e41a0f8c4026d41d8c49bbfc2305f1eff59d9210bb0a540
  SHA512: db92325858c6dc06a55117a1f09c71990d04a0030d4d9d9a4f76226c12244dfeeed2fb4727485741667f53d6041ec0b5480e0e2c81d2cf2e5ed089e3b2946e7a
- Filesize: 1KB
  MD5: 1e5bd3f7c36cbb84c41ff517d1ff7514
  SHA1: dd98f08d7e5bd5765a10a6f60c76db8e28b08e7e
  SHA256: 8b3716af27bd0286565cf50a01d343ec682fdfd7a4ffde135ac8076ce1dbac9f
  SHA512: d3b7fdc47009be255ea802f6bc8e8b79969f8868048d78ee747061782db9a427d22270021899bd8d32d365d26dec81bfeb6a2c60759823a47d61d1d6a3b8421e
- Filesize: 46KB
  MD5: 8f8fd1988973bac0c5244431473b96a5
  SHA1: ce81ea37260d7cafe27612606cf044921ad1304c
  SHA256: 27287ac874cef86be03aee7b6d34fdc3bd208070ed20e44621a305865fb7579e
  SHA512: a91179e1561168b3b58f5ca893bce425d35f4a02aec20ac3d6fb944f5eb3c06b0a1b9d9f3fb9ea87869d65671d2b89b4ae19acf794372bdbd27f5e9756c5a8ab
- Filesize: 66KB
  MD5: d5dd933f87f85da9a49cc8eaf960dac1
  SHA1: 68dbd76bdc407bc3c030adbdc7a784799f1a7f49
  SHA256: 7750e4b587d621fe7460beba02bd3dd7042e90f387b77519548f88bfaafb6805
  SHA512: 2c76115ee52d7a008eee3a342eb21292a4b0ecfa48b0e6989972ceba7afd9e924a06364243de32632c828081c2af6e392cb36003add59abc2abf05df3e009cc5
- Filesize: 128KB
  MD5: d45618e58303edb4268a6cca5ec99ecc
  SHA1: 1f8049fc5ea8b57bb68e19fb55cb9dc1e18e9513
  SHA256: d527323643be9df4d174c3169c6f2c7854a59b781654bcaebd154cb51fb4219c
  SHA512: 5d7ae663dcfedfaf00836dc018131851e5a40778bd582b417b9f0bbd4bb6d1b2eb8f37f7f5a01cd2beed78b6037ef6eb2a3290248d5e901173b1407990a202bd
- Filesize: 64KB
  MD5: e2bc315fe93a548a5bc091ae9c3e4dd4
  SHA1: 40361fee1dd75b0cc2539cc01cfc1e729312ff22
  SHA256: a870e2f978dfef59ae232c67dc99e3dc9c211e74cd47ab1b4c7388c446cceb84
  SHA512: 0315cc6ec5173825df02acb1948db7e9ff9507135e59e50356042e7d2474be11842aefd87cc05716263ee244ca3dfae954c9554dfd0402ebabc8a4ab30fa18be
- Filesize: 84KB
  MD5: 3eed248130b0f1def63d2ada10f78e5f
  SHA1: 27c85e8e39923bc1764c220b41873c8343dba9b2
  SHA256: c9ceb24db21d96a73ed7926f7d43dbeeea3c52f3b1281c5cf7d91377ffa6dd4d
  SHA512: 2d19f48c31e4d961bd3d9b2e97fefcdf2e6c7d92175a885b23e186c70a78942c5370d4577ff0d757c0474434a7434fd62c260e6d3919c3c8566baca2d087fecd
- Filesize: 24KB
  MD5: df8444700ff72bd5ccf27e1d53482417
  SHA1: dd0ac516981738a7fd1ddfc569e08dd654e6dc25
  SHA256: f6f82258b7b5d2f11ae28785da7bd6977b6dc1dc602e099c678a88ee5ea1f4fd
  SHA512: 727e0b609b15d5f866850d1569169e9d10dc5f03d3bf2c358274801cf4c52390ba17e96865e611e92f6061f764c01b2adfdc518364b94a001171030d90e45e22
- Filesize: 37KB
  MD5: 31b1fb3d888cce11106938d665b7961b
  SHA1: 1e50131d9d0f251063d1101cdccc0a05a4807d2d
  SHA256: 132c41b280166439ae97d722563199c27a704a007f37ae98d03772c1027a6d11
  SHA512: dd5ac4281d06c6f6dd38bb639de6248730909ce191745406ec15ad9a79ec737bbe87ccd225483bcb13da81bd674ace8134ef402d77ad540850ae729aec4f209a
- Filesize: 62KB
  MD5: 44fb402e4f32c6868321de7f46d41b73
  SHA1: eef643e30df9ad7c72e98da479566e5218107997
  SHA256: 2ba814d9a055618db133e4233aedb571ee2b2720fd6631953a6c81567a1402b6
  SHA512: 8a0c8627e8407e7ae5a58f24d94bc6b0e85587d1eb48328910f4cab2ef09e7ca8cf47971513cc6eaec37f69c91dd06dba89285b9f48e2fd187cdac4f0ddd5f8b
- Filesize: 62KB
  MD5: de947c40ca30bfd7d9f388afa5215aa0
  SHA1: 743e567ac597208da85fe1da01920f94ec8664cf
  SHA256: 899dd0d8859f16e47bb2f85aee89255422c78d180cfaf50b2729dafd6e084dc6
  SHA512: d06f30c727f664ccdc99bef82dd599f294298238762857cc3864796091f094bb14433135e10fb31882f1a6b8239bc216b09f23ba0c3f4e4dcf20a9bb6b485b61
- Filesize: 1KB
  MD5: 445bc00b13cdff20d8d04d0a8abd3b32
  SHA1: ca9c9b76613af939f7ade8fcf74f78442dad292f
  SHA256: 4ea2619be6e686e7ab2d545ff1697e1d96b246f8e9afe4365a50abb148584cae
  SHA512: 16a9167938d41d6d7d8ed7473749642698f5d6ebf69d443204b23e1ef6ed58dbc4ce7a74b82ecf499aec5018752753022d4f8c3c5c3488ee2d28dacd4232f3aa
- Filesize: 2.9MB
  MD5: 1f57124fd5fdeec75f0fe7c1835f821b
  SHA1: b675fbc70dcfacb8369af153d1af0081ae41d850
  SHA256: d0e73ad86e08777a01ada69cb3cc5874b7c22bfc252d0a5ecc5a63bda9383ce2
  SHA512: 015f28072be2cfba4cbec29a8f541f996dd230253d3813b8cc1077c488e3542afb59182074f08571ee2775f5dd55ea966bf1fe7d55aab0d7fcafce96f0a6ba68
- Filesize: 2.9MB
  MD5: f97a43b370fcda37b3d958d1b1805f45
  SHA1: 429980224fd6bb0d7d5b91c2754c05ab840ad755
  SHA256: 198a9fe5b810ae5546b4f0da3ef3fdfcdb03d14edd3f37c711b50d8d2408eee3
  SHA512: 0dd975a440d74162d12a60e4040e95b287c4deceecf341acf76701664752a52b805a2264b7ae2147b2b038ba11604722d0d4b704b01eb5f460eb681d5375d74b
- Filesize: 2.9MB
  MD5: c96141c20681f65ddf0512bdc444e583
  SHA1: 35df2daf2cc9d137e2d51656c3296e9a9cf2a83f
  SHA256: f5d328585fa70be47339ca5979822314ad15c7b81c177618d8c79dfe98c4231e
  SHA512: 1eac86a805636c646a5f27b08a52549d18ba6734b26482487390bba1ad404749171367095fc667a14d62949e2e77c4496f5cbcc26218a439748d355a884bbcb3