Analysis

max time kernel: 143s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-12-2023 23:37
Static task: static1
Behavioral task: behavioral1
Sample: 0724ac274c2aa56ae735cccf77b3f98e.dll
Resource: win7-20231129-en
General

Target: 0724ac274c2aa56ae735cccf77b3f98e.dll
Size: 1.8MB
MD5: 0724ac274c2aa56ae735cccf77b3f98e
SHA1: de36f531d90ea25637d0601ef4aa0695120baedb
SHA256: c1c4df943e9c4ec308cef81052e29707a94810f3c3a018a0be8072d4e2a59cd5
SHA512: f488a0c0cac2bd9f594933a663cdda07d54643da5b51eeab5709107d584c60728dc1279c114644310a4b39e7824a41e65d051b0bac56b0c5356e8c5f3963330f
SSDEEP: 12288:RVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:gfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
- YARA rule match
  Processes:
    resource: behavioral2/memory/3416-5-0x0000000003290000-0x0000000003291000-memory.dmp
    yara_rule: dridex_stager_shellcode
- Executes dropped EXE (3 IoCs)
  Processes:
    pid   Process
    2820  wlrmdr.exe
    1696  RdpSaUacHelper.exe
    1632  msdt.exe
- Loads dropped DLL (3 IoCs)
  Processes:
    pid   Process
    2820  wlrmdr.exe
    1696  RdpSaUacHelper.exe
    1632  msdt.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    description: Set value (str)
    ioc: \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Dturazvnnsjkgvr = "C:\\Users\\Admin\\AppData\\Roaming\\Sun\\xomBt95Pr\\RdpSaUacHelper.exe"
- Checks whether UAC is enabled
  Processes (description: Key value queried; ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA):
    RdpSaUacHelper.exe
    msdt.exe
    rundll32.exe
    wlrmdr.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
    pid   Process
    3500  rundll32.exe (4 entries)
    3416  (no process name recorded; remaining 60 entries)
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes:
    pid: 3416 (2 entries, no process name recorded)
- Suspicious use of UnmapMainImage (1 IoC)
  Processes:
    pid: 3416 (no process name recorded)
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (each row appears twice in the report; Process column empty):
    description                        pid   procid_target
    PID 3416 wrote to memory of 996    3416  92
    PID 3416 wrote to memory of 2820   3416  93
    PID 3416 wrote to memory of 3384   3416  97
    PID 3416 wrote to memory of 1696   3416  98
    PID 3416 wrote to memory of 1736   3416  100
    PID 3416 wrote to memory of 1632   3416  103
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\0724ac274c2aa56ae735cccf77b3f98e.dll,#1
  PID: 3500
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\wlrmdr.exe
  Command line: C:\Windows\system32\wlrmdr.exe
  PID: 996
- C:\Users\Admin\AppData\Local\hKpXJ\wlrmdr.exe
  Command line: C:\Users\Admin\AppData\Local\hKpXJ\wlrmdr.exe
  PID: 2820
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\RdpSaUacHelper.exe
  Command line: C:\Windows\system32\RdpSaUacHelper.exe
  PID: 3384
- C:\Users\Admin\AppData\Local\9ijXD\RdpSaUacHelper.exe
  Command line: C:\Users\Admin\AppData\Local\9ijXD\RdpSaUacHelper.exe
  PID: 1696
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\msdt.exe
  Command line: C:\Windows\system32\msdt.exe
  PID: 1736
- C:\Users\Admin\AppData\Local\3iF5Y\msdt.exe
  Command line: C:\Users\Admin\AppData\Local\3iF5Y\msdt.exe
  PID: 1632
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
Network
MITRE ATT&CK Enterprise v15
Downloads