Analysis
- max time kernel: 105s
- max time network: 157s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-12-2023 21:00
Static task: static1
Behavioral task: behavioral1
Sample: 03e11938813980f4ee92eafaa1ef0941.dll
Resource: win7-20231129-en
General
- Target: 03e11938813980f4ee92eafaa1ef0941.dll
- Size: 1.7MB
- MD5: 03e11938813980f4ee92eafaa1ef0941
- SHA1: e38ff61eaaee9fd598dc696034625b95a6e8e444
- SHA256: fb7090afa187d1404a763ce8352a48a9c6fa47da4f1c0dd1b0cbfb87a59c56e0
- SHA512: 4066cb8ecfaf9fdf0badc021d3d1c21d632d9242a7e9a5ccbe5e6683fd21802ea8e780428ce87b745d2241efe2e45b58e341f63b65dd2fb432eca1e9714cf418
- SSDEEP: 12288:DVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:SfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
- Processes:
  resource: behavioral2/memory/3500-4-0x00000000027C0000-0x00000000027C1000-memory.dmp
  yara_rule: dridex_stager_shellcode
- Executes dropped EXE (3 IoCs)
  Processes:
  pid 4888: SystemSettingsAdminFlows.exe
  pid 1476: CustomShellHost.exe
  pid 4712: cttune.exe
- Loads dropped DLL (3 IoCs)
  Processes:
  pid 4888: SystemSettingsAdminFlows.exe
  pid 1476: CustomShellHost.exe
  pid 4712: cttune.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qoccyyzfzcu = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\ACCESS~2\\u3eN\\CUSTOM~1.EXE"
- Checks whether UAC is enabled
  Processes:
  Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (rundll32.exe)
  Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (SystemSettingsAdminFlows.exe)
  Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (CustomShellHost.exe)
  Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (cttune.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
  pid 4136 rundll32.exe (6 entries)
  pid 3500 (remaining entries; process name not recorded in the report)
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description, pid, procid_target; each pair is recorded twice):
  PID 3500 wrote to memory of 1584 (procid_target 93)
  PID 3500 wrote to memory of 4888 (procid_target 94)
  PID 3500 wrote to memory of 464 (procid_target 96)
  PID 3500 wrote to memory of 1476 (procid_target 97)
  PID 3500 wrote to memory of 4996 (procid_target 99)
  PID 3500 wrote to memory of 4712 (procid_target 100)
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\rundll32.exe
  command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\03e11938813980f4ee92eafaa1ef0941.dll,#1
  PID: 4136
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\SystemSettingsAdminFlows.exe
  command: C:\Windows\system32\SystemSettingsAdminFlows.exe
  PID: 1584
- C:\Users\Admin\AppData\Local\mc03LfmPq\SystemSettingsAdminFlows.exe
  command: C:\Users\Admin\AppData\Local\mc03LfmPq\SystemSettingsAdminFlows.exe
  PID: 4888
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\CustomShellHost.exe
  command: C:\Windows\system32\CustomShellHost.exe
  PID: 464
- C:\Users\Admin\AppData\Local\69ktdcgS2\CustomShellHost.exe
  command: C:\Users\Admin\AppData\Local\69ktdcgS2\CustomShellHost.exe
  PID: 1476
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\cttune.exe
  command: C:\Windows\system32\cttune.exe
  PID: 4996
- C:\Users\Admin\AppData\Local\C6enDh\cttune.exe
  command: C:\Users\Admin\AppData\Local\C6enDh\cttune.exe
  PID: 4712
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 96KB
  MD5: f92199156cf1f91aaa5bff734aed09b3
  SHA1: ae5bc3f2e43b3a8617143e5850c834f7235c34d4
  SHA256: 380aff4cd080732de58063e52a72d265423af4a1f0b32dcd9183b1469cf11c95
  SHA512: 9e671bf56f7e52b89e312f7f8d8bd418132b30ee00832d6e3cdf98ca5eec533dca0c86f40b3d5389933055076cd3858c13ee3e178eb68d55130636a441dfd74f
- Filesize: 68KB
  MD5: bfdbc5b5b29614128f3e38c8f321661b
  SHA1: 9847f223504df6bd8a0ddeb4e791e4417aad3075
  SHA256: 8a7cdc52f090909e03b7e8ddfb07a1fdb177bff4daee55da056b43cf16cb6156
  SHA512: 96e3f6562a1995eedb5815e19424314b9757da1106f481674a5b9b17b89beead3efb37c8d55f1aa0dd95493502ce61c622348317c245f753ed75c5ab791c3363
- Filesize: 15KB
  MD5: 30fe2af7022f5bd6a4cdf59970538af4
  SHA1: 189e096dde55d0039e0e55682b99d6a6fc91d594
  SHA256: a00381d88b901692acb722fb5f1bdecdd4ddd40a31669fe2565ebd2e1fad4260
  SHA512: 7e1c8a8300ee96b9f8585dbecfc03013b9bcc711ad07b064d72d7d6c893f75dfca03aa77f5a5d6bb235e4e542070a32184145d37f9c078abea187eb5e626a770
- Filesize: 132KB
  MD5: 3e030ced6c50f647839ff6c367839c69
  SHA1: 503291061fc8cdda51da2051e089028c446e47be
  SHA256: bbb1282167f5c24fd7c05c93888a02ca7eeeb9ceab43ddc92d43056654feed05
  SHA512: bb95627d5338714da2698d7b3810defcc5b925a17c4b7091d389764816301d7056e688298568556a7035dfd3a861e6c32539c835874206540b079ca95bd6365a
- Filesize: 96KB
  MD5: 72fb66357c41065b83cb6096a4f26c6d
  SHA1: 21d574a7c31d3bbb34e8074d253fd649083ab3fd
  SHA256: 81ae209331dde4dfa56c9de7c1ee90925a5c064192882d43478b3eecc60422b4
  SHA512: d1a39781baefe71c80102fb4cce166a49a626b1839aa90e81a8378b435170d42399734f26f94fdd73094ac1981adab7c4238d1536d329004607723b2424b5387
- Filesize: 57KB
  MD5: 1909445d25f24955ff2bf6cf97f239f1
  SHA1: ac63b002be40252f7d18b5672acc441dc163196e
  SHA256: f75ceee749224959bff78ff564eb306aacc99f89c78be4072e3b0ce1965a123e
  SHA512: 019f059585eee03afc987e8d8cc49bb7db46031efb1e2655516d94d2a4ecd63b88e18d0c727cf0ed8868fa06e50031e646a637ba49dc24a3c506579a30ad256b
- Filesize: 90KB
  MD5: fa924465a33833f41c1a39f6221ba460
  SHA1: 801d505d81e49d2b4ffa316245ca69ff58c523c3
  SHA256: de2d871afe2c071cf305fc488875563b778e7279e57030ba1a1c9f7e360748da
  SHA512: eef91316e1a679cc2183d4fe9f8f40b5efa6d06f7d1246fd399292e14952053309b6891059da88134a184d9bd0298a45a1bf4bc9f27140b1a31b9523acbf3757
- Filesize: 74KB
  MD5: a2c3492d5f3c512821243ba4c3df9937
  SHA1: c5a38116ac10675c5db6350867b968cc6fe8ee3e
  SHA256: b23733ae85cb215f5e09b75d69647fd85d4cda38117bfc7084674a7bfe7ae9aa
  SHA512: 1a036a9716cd127f018567c714eddea10342143ae55a23b2d54fe691c69c2ac0d59e13f079f309fa8f3ee6a259d630ad376a26bdb0e0fa8ebf69e9d6ae0cc43a
- Filesize: 201KB
  MD5: 6c77b777852436bd0b8549df3e1a6c70
  SHA1: 30da76f742f03d354234663427c25f99fca31f9d
  SHA256: 61e8db8a339a3303589a56211c4053aa1026e382d8e22dbb32142d798d2731b1
  SHA512: e2fc39101b3ce2187c4c46b73e8a904fa64a04d488c47f20534136a7c1d90856026802c9b55516e1105caeb548f9e70022da840f44ee1394fbd4a7dada932074
- Filesize: 5KB
  MD5: 5e6007d6992d12d473dca484430c85a3
  SHA1: 18c51555a796075691ec4424c75806c0c8524f3e
  SHA256: 95604438e448b4dce62cf79a346bbc6a1e0aae364d9944531e6d6606084802c2
  SHA512: 8b2d24781ea56dd94393aa3d450aac2a2ab65b23ea9f791cd2a75e7c067c65b61cb0d8470773b1d1f7ad696e0a3a70e15d96b7cecf950ce11c0d0b9b29a2729e
- Filesize: 90KB
  MD5: dad49a2ed8b860e5132a500545f3e6b1
  SHA1: ccb5f1fc084d030c383e75837d52a24bc7951b9c
  SHA256: 65eb3b20af11e155bf01c267737a954685b57dd4bfc6c730250a313a237ba57a
  SHA512: 08d42d8e6b9800e6374eeca38fbb1365fef07f70731967fa55d3e81f8c995c1a6890c3faa98859b66168133e2e56760a8263cceb77fb77734ab0cf1faf16d7bf
- Filesize: 119KB
  MD5: 0c1e303490ba876cbbb9d6ff0653f159
  SHA1: 61cca6c175fed82e0c1d3143dd8934bb448f2a15
  SHA256: 083a30206190a4649d2c9cda0b22934d3c039d134dcb4c2a9a7040a9feaee315
  SHA512: 4cfbf2df0c065eeefb053e514873fb296641462a8048a36e05cb7decbcb76c4c105908b714e42cb45badf028e6fd970f6da23d2b462ac3c62d155de8b83b4647
- Filesize: 1KB
  MD5: b22a54f73944d54d9d21d0fc7394b040
  SHA1: 76101561d9280f164efe28496c3021886354755a
  SHA256: e1650353c967cc8b28ce17862b89136b8e6be44044d9cd25a0927a0a12a72535
  SHA512: 1f93433716462f806e8aa693396519e94f8af28cc8282dd832c0682a997f231d26dbf404fe7f52c79e25635ae5a8e43cae1bba7ee0e4f7e86780ecb6171463c4
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\S-1-5-21-3336304223-2978740688-3645194410-1000\NSDXXy1QSco\DUI70.dll
  Filesize: 56KB
  MD5: 5813ba8feb8a25732f8999fdfa0ababd
  SHA1: 1c9b31ea650c84ad001c9be1176226c0a4af3e27
  SHA256: 1014d30df4656aade879ef019409cacc575156d9a4fb71417d4005e27a45c33e
  SHA512: cea22ed8553c707af97d19edb7e3913947631d0a77a0220f0ed345dfccd7a9086b4f250eade04f01c4be81f28c372e99d964b2abb3fb85057ebfc3c0ab4a6dc6
- Filesize: 846KB
  MD5: 26fd07b60df0f06d9a3d8ec388a1e8b0
  SHA1: c05a3918a3628447ba0d6573c3a01809dee231c0
  SHA256: 660708beff7a57349fdd815626df83215daa16228ee2e1a1b263eefd1b97b799
  SHA512: c511cb328b3dccb28d3e61b4a676effd6de997f9a63ee4234561c3fbf6f13d72cf8b3eedbffc123fbfbb7cbd38059681ddbf3e0520845f4a1113ed6939398b63
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\u3eN\WTSAPI32.dll
  Filesize: 178KB
  MD5: f1b451dd604cf008840b23ae41fcd211
  SHA1: aae8670b778330c42f02f07711133bf8cf41691f
  SHA256: 84821a3dbbeb12add62ec98e566afc1789a57aabbf3d7e9feec6a4ccb9adf4e2
  SHA512: 40a4a5b1e9cb4d7d4e2b09705242d3a8caf5112cbe2300df60d86aa0fc88809dd6417b5fe76134406e41fc1b4a4d57e152addf2db19f514c28ff5ddfbbf0b641