Analysis
- max time kernel: 148s
- max time network: 146s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19-01-2024 22:28
Static task: static1
Behavioral task: behavioral1
Sample: 68ca805df0c74e02d25c86dd7d49303e.dll
Resource: win7-20231215-en
General
- Target: 68ca805df0c74e02d25c86dd7d49303e.dll
- Size: 1.5MB
- MD5: 68ca805df0c74e02d25c86dd7d49303e
- SHA1: e62170c551c0f1edf022e1c6c8b2f54b755977b0
- SHA256: f613f68232c24e7b4c0e5a49431a159dbffb259080f66d7e773de9649da7235d
- SHA512: ab5f9da7cc894d7cdb6f07152b99cf3c284752d3078810eef4f2438170d2618ea35a869a71e4b486d081bfe312ab7942d2583f5bac15734491eb993ee732963b
- SSDEEP: 12288:fVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:WfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
- YARA match
  Processes:
    resource: behavioral2/memory/3520-5-0x0000000002E00000-0x0000000002E01000-memory.dmp
    yara_rule: dridex_stager_shellcode
- Executes dropped EXE (3 IoCs)
  Processes:
    PID 5096  msconfig.exe
    PID 3912  unregmp2.exe
    PID 4404  WFS.exe
- Loads dropped DLL (3 IoCs)
  Processes:
    PID 5096  msconfig.exe
    PID 3912  unregmp2.exe
    PID 4404  WFS.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    description: Set value (str)
    ioc: \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gdfgjdhwrlpouj = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\MQhXWatA\\unregmp2.exe"
    process: (not captured in the report)
- Checks whether UAC is enabled
  Processes:
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  msconfig.exe
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  unregmp2.exe
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  WFS.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
    PID 3144  rundll32.exe  (4 entries)
    PID 3520  (process name not captured; all remaining entries)
- Suspicious use of AdjustPrivilegeToken (16 IoCs)
  Processes:
    Token: SeShutdownPrivilege        PID 3520  (8 entries)
    Token: SeCreatePagefilePrivilege  PID 3520  (8 entries)
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes:
    PID 3520  (2 entries)
- Suspicious use of UnmapMainImage (1 IoC)
  Processes:
    PID 3520
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    PID 3520 wrote to memory of PID 908   target process msconfig.exe   (2 entries)
    PID 3520 wrote to memory of PID 5096  target process msconfig.exe   (2 entries)
    PID 3520 wrote to memory of PID 1720  target process unregmp2.exe   (2 entries)
    PID 3520 wrote to memory of PID 3912  target process unregmp2.exe   (2 entries)
    PID 3520 wrote to memory of PID 4684  target process WFS.exe        (2 entries)
    PID 3520 wrote to memory of PID 4404  target process WFS.exe        (2 entries)
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\68ca805df0c74e02d25c86dd7d49303e.dll,#1
  PID: 3144
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\msconfig.exe
  Command line: C:\Windows\system32\msconfig.exe
  PID: 908
- C:\Users\Admin\AppData\Local\I8rluJUF\msconfig.exe
  Command line: C:\Users\Admin\AppData\Local\I8rluJUF\msconfig.exe
  PID: 5096
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\unregmp2.exe
  Command line: C:\Windows\system32\unregmp2.exe
  PID: 1720
- C:\Users\Admin\AppData\Local\aZ0Y\unregmp2.exe
  Command line: C:\Users\Admin\AppData\Local\aZ0Y\unregmp2.exe
  PID: 3912
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\WFS.exe
  Command line: C:\Windows\system32\WFS.exe
  PID: 4684
- C:\Users\Admin\AppData\Local\6Mzww\WFS.exe
  Command line: C:\Users\Admin\AppData\Local\6Mzww\WFS.exe
  PID: 4404
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 944KB
  MD5: 3cbc8d0f65e3db6c76c119ed7c2ffd85
  SHA1: e74f794d86196e3bbb852522479946cceeed7e01
  SHA256: e23e4182efe7ed61aaf369696e1ce304c3818df33d1663872b6d3c75499d81f4
  SHA512: 26ae5845a804b9eb752078f1ffa80a476648a8a9508b4f7ba56c94acd4198f3ba59c77add4feb7e0420070222af56521ca5f6334f466d5db272c816930513f0a
- Filesize: 1.5MB
  MD5: 65293ff42f366605266adad27cd72fc7
  SHA1: 06bfc7c014a5df95f197ef64ad6092b51111637c
  SHA256: e623c841b82256ad9937b95b7c8d882be53e3c7925c8cc6229c9f6432c3ceaa2
  SHA512: 52eab9c9408f425a1ee72a6b79fda726e28ced85e0325c056b74296289ffd15320a819e9179c62337257d1758960910175e191d63e472fe355c72f12e4e825ea
- Filesize: 1.5MB
  MD5: 2ad5b7439dbe6a97dfc43b5829f52ce9
  SHA1: ccefce149c33c98abf204e6d73c788c9bc36c0f2
  SHA256: 72414d48b0b646f0ddd1b2aa7c5124788fe9983f328f2104f7f6236719c31ea8
  SHA512: 6e51c3d481d1b5a6cb8c82208da5ff2226e1cd4bc6edebdd8938834162166172a2694214f6c40aae1acfea5056ffaa4e4c3788882626129438d35d2b903f3bda
- Filesize: 193KB
  MD5: 39009536cafe30c6ef2501fe46c9df5e
  SHA1: 6ff7b4d30f31186de899665c704a105227704b72
  SHA256: 93d2604f7fdf7f014ac5bef63ab177b6107f3cfc26da6cbd9a7ab50c96564a04
  SHA512: 95c9a8bc61c79108634f5578825544323e3d980ae97a105a325c58bc0e44b1d500637459969602f08d6d23d346baec6acd07d8351803981000c797190d48f03a
- Filesize: 1.5MB
  MD5: d3724fd4d7c38463e033ac98278fbe78
  SHA1: f0f1cacb271c0caa69588eea5fbd98eb31a38092
  SHA256: d55eed4ed5fefaa8e0726f832e24e5791ad9b9c20cf7a7c016a5be803206836b
  SHA512: 5494408f15ee981fed3deb0452ec7110dcad29d5beacac9e59312186a372cb70cd107dc6b5234d3800d29d79e85b5f6222d62955f564119b8ebe45cdd7cbda70
- Filesize: 259KB
  MD5: a6fc8ce566dec7c5873cb9d02d7b874e
  SHA1: a30040967f75df85a1e3927bdce159b102011a61
  SHA256: 21f41fea24dddc8a32f902af7b0387a53a745013429d8fd3f5fa6916eadc839d
  SHA512: f83e17dd305eb1bc24cca1f197e2440f9b501eafb9c9d44ede7c88b1520030a87d059bdcb8eadeac1eaedabcbc4fe50206821965d73f0f6671e27edd55c01cbc
- Filesize: 1KB
  MD5: 5fa0617b3a65b0cbdb0ac88d17f188c8
  SHA1: 6a1444f2bce967ee7b820ffd81426df6a5abdeb4
  SHA256: 575f534dbe27f16511454e4fe9c48821e7c373203baf7cf1cba031cb9e3b39f5
  SHA512: 01dc9a84c9d98402e0c7f0e12c23600a227805a96b8fe4d12b06167dd564deb9ecc6cad2e8a834ee643e207ec3096eef0eb7d82b683d4e76ae899ef0741a6fdc