Analysis
- max time kernel: 149s
- max time network: 146s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-12-2023 20:46
- Static task: static1
- Behavioral task: behavioral1
- Sample: 038fac256867b97309719d78ffada177.dll
- Resource: win7-20231215-en
General
- Target: 038fac256867b97309719d78ffada177.dll
- Size: 1.7MB
- MD5: 038fac256867b97309719d78ffada177
- SHA1: fa48e8a93c0d26cdd5f4a442655f634d7a5e89e8
- SHA256: 824b3fcc72e9e5493e7be24f46d26c1f5972846b947ce1782207faaf9458429a
- SHA512: 59ba340ca23e03f969d0f62df6a1de329a90f8084a8fcb33e6393c7a3b80df28b5d12ed3802f2eee0cbb571f70c8381774ccabdcbb3caece35c22782880b84a0
- SSDEEP: 12288:MVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:5fP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
- YARA rule match (memory)
  resource: behavioral2/memory/3520-4-0x0000000008370000-0x0000000008371000-memory.dmp
  yara_rule: dridex_stager_shellcode
- Executes dropped EXE (3 IoCs)
  PID 2516 sethc.exe; PID 1588 dialer.exe; PID 2508 PresentationHost.exe
- Loads dropped DLL (4 IoCs)
  PID 2516 sethc.exe; PID 1588 dialer.exe; PID 2508 PresentationHost.exe (2 entries)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Hwtkseldaftjsj = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\NETWOR~1\\9cIM\\dialer.exe"
- Checks whether UAC is enabled
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA by rundll32.exe, sethc.exe, dialer.exe and PresentationHost.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 3284 rundll32.exe (4 entries); all remaining entries are PID 3520 (process name not recorded in the report)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  PID 3520: Token: SeShutdownPrivilege; Token: SeCreatePagefilePrivilege; Token: SeShutdownPrivilege; Token: SeCreatePagefilePrivilege
- Suspicious use of FindShellTrayWindow (2 IoCs)
  PID 3520 (2 entries)
- Suspicious use of UnmapMainImage (1 IoC)
  PID 3520
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 3520 wrote to memory of 4628 (procid_target 91, 2 entries)
  PID 3520 wrote to memory of 2516 (procid_target 92, 2 entries)
  PID 3520 wrote to memory of 1272 (procid_target 93, 2 entries)
  PID 3520 wrote to memory of 1588 (procid_target 96, 2 entries)
  PID 3520 wrote to memory of 1048 (procid_target 95, 2 entries)
  PID 3520 wrote to memory of 2508 (procid_target 94, 2 entries)
  Note: PID 3520 is the source of every memory write and of the shellcode memory dump above, but it does not appear in the process tree below; the six target PIDs are the sethc.exe, dialer.exe and PresentationHost.exe instances listed there.
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\038fac256867b97309719d78ffada177.dll,#1
  PID: 3284
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\sethc.exe
  Command line: C:\Windows\system32\sethc.exe
  PID: 4628
- C:\Users\Admin\AppData\Local\WPtS\sethc.exe
  Command line: C:\Users\Admin\AppData\Local\WPtS\sethc.exe
  PID: 2516
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\dialer.exe
  Command line: C:\Windows\system32\dialer.exe
  PID: 1272
- C:\Users\Admin\AppData\Local\fZfLSmRY\PresentationHost.exe
  Command line: C:\Users\Admin\AppData\Local\fZfLSmRY\PresentationHost.exe
  PID: 2508
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\PresentationHost.exe
  Command line: C:\Windows\system32\PresentationHost.exe
  PID: 1048
- C:\Users\Admin\AppData\Local\taefz0o3\dialer.exe
  Command line: C:\Users\Admin\AppData\Local\taefz0o3\dialer.exe
  PID: 1588
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\H3wBI\VERSION.dll (318KB)