Analysis
max time kernel: 125s
max time network: 130s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-01-2024 04:33
Static task: static1
Behavioral task: behavioral1
Sample: 66b58767a74baad1c7515631dc19f40d.dll
Resource: win7-20231215-en
General
Target: 66b58767a74baad1c7515631dc19f40d.dll
Size: 1.4MB
MD5: 66b58767a74baad1c7515631dc19f40d
SHA1: ee1d09e46fcb9cf0a71d4a055a82fd1e7b18580e
SHA256: cf999aa80ee97169297cb4ba12d751d3b0bf3195f85022adf03933d10cb43641
SHA512: d625c635b29537eba27e37d403515685f1cc8730906e749c5fdc08c78bef80b5dbf89ee31c5579a581aaa3f5cb76797f30c26540d4ef8bab6e00882cea45d060
SSDEEP: 12288:OVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:TfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
Processes:
resource: behavioral2/memory/3488-4-0x0000000003610000-0x0000000003611000-memory.dmp; yara_rule: dridex_stager_shellcode
Drops startup file 3 IoCs
Processes:
File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\p0RlpZzK6gn
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\p0RlpZzK6gn\XmlLite.dll
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\p0RlpZzK6gn\ddodiag.exe
Executes dropped EXE 4 IoCs
Processes:
pid 4636 SystemPropertiesHardware.exe
pid 2916 consent.exe
pid 3612 ddodiag.exe
pid 2248 omadmclient.exe
Loads dropped DLL 3 IoCs
Processes:
pid 4636 SystemPropertiesHardware.exe
pid 3612 ddodiag.exe
pid 2248 omadmclient.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
Set value (str): \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Hwtkseldaftjsj = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\p0RlpZzK6gn\\ddodiag.exe"
Checks whether UAC is enabled 4 IoCs
Processes:
Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (rundll32.exe)
Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (SystemPropertiesHardware.exe)
Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (ddodiag.exe)
Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (omadmclient.exe)
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid 4120 rundll32.exe (4 entries)
pid 3488 (remaining 60 entries; process name not recorded in the report)
Suspicious use of AdjustPrivilegeToken 8 IoCs
Processes:
pid 3488: Token: SeShutdownPrivilege (4 entries)
pid 3488: Token: SeCreatePagefilePrivilege (4 entries, alternating with the SeShutdownPrivilege entries)
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
pid 3488 (2 entries)
Suspicious use of UnmapMainImage 1 IoCs
Processes:
pid 3488
Suspicious use of WriteProcessMemory 16 IoCs
Processes:
PID 3488 wrote to memory of 3312 (target process SystemPropertiesHardware.exe), 2 entries
PID 3488 wrote to memory of 4636 (target process SystemPropertiesHardware.exe), 2 entries
PID 3488 wrote to memory of 388 (target process consent.exe), 2 entries
PID 3488 wrote to memory of 2916 (target process consent.exe), 2 entries
PID 3488 wrote to memory of 3024 (target process ddodiag.exe), 2 entries
PID 3488 wrote to memory of 3612 (target process ddodiag.exe), 2 entries
PID 3488 wrote to memory of 1144 (target process omadmclient.exe), 2 entries
PID 3488 wrote to memory of 2248 (target process omadmclient.exe), 2 entries
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Windows\system32\rundll32.exe
Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\66b58767a74baad1c7515631dc19f40d.dll,#1
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID: 4120

C:\Users\Admin\AppData\Local\xk8h71GN\omadmclient.exe
Command line: C:\Users\Admin\AppData\Local\xk8h71GN\omadmclient.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID: 2248

C:\Windows\system32\omadmclient.exe
Command line: C:\Windows\system32\omadmclient.exe
PID: 1144

C:\Users\Admin\AppData\Local\DmqfV6ms6\ddodiag.exe
Command line: C:\Users\Admin\AppData\Local\DmqfV6ms6\ddodiag.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID: 3612

C:\Windows\system32\ddodiag.exe
Command line: C:\Windows\system32\ddodiag.exe
PID: 3024

C:\Users\Admin\AppData\Local\ckaxRDN\consent.exe
Command line: C:\Users\Admin\AppData\Local\ckaxRDN\consent.exe
- Executes dropped EXE
PID: 2916

C:\Windows\system32\consent.exe
Command line: C:\Windows\system32\consent.exe
PID: 388

C:\Users\Admin\AppData\Local\5MWKwBHYC\SystemPropertiesHardware.exe
Command line: C:\Users\Admin\AppData\Local\5MWKwBHYC\SystemPropertiesHardware.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID: 4636

C:\Windows\system32\SystemPropertiesHardware.exe
Command line: C:\Windows\system32\SystemPropertiesHardware.exe
PID: 3312
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 61KB
MD5: 1657cfc067fe91de086c24bb726d1943
SHA1: 87dfc38e2fa660c9372d2a63aa38f55cb7f8360e
SHA256: fc83d91b4daa487294f38fb3bb02c48fff9f7332a4e84d8c6a89dc5d9056d875
SHA512: a117a086eb8cc1863aa617032d3aab86b2ff99198e7b18f2e5af05071245d201d4794a4d94e57dd6ae0880ad58a23c611362ba288fd39d71d80d212b9fe335b7

Filesize: 18KB
MD5: 9becf0eaa466f93349b296fe95f50d03
SHA1: f05eab6b4a041e386236d42275494a7d6dadd84c
SHA256: 8d1d4a632313502f85e46ab4e3cfbc44a5fd0ae6cb8b52625de2ce9295f4ab95
SHA512: 34ae90015af7e25c6a16dfad264cfebd1c3fd4e0bcc0ab8be5b56c1687daa8f3304367e186f46e671e551a827430b1a6acbc3f19f0534ac7d663134333a9c8e5

Filesize: 82KB
MD5: bf5bc0d70a936890d38d2510ee07a2cd
SHA1: 69d5971fd264d8128f5633db9003afef5fad8f10
SHA256: c8ebd920399ebcf3ab72bd325b71a6b4c6119dfecea03f25059a920c4d32acc7
SHA512: 0e129044777cbbf5ea995715159c50773c1818fc5e8faa5c827fd631b44c086b34dfdcbe174b105891ccc3882cc63a8664d189fb6a631d8f589de4e01a862f51

Filesize: 75KB
MD5: fbe63f65c62052165e3cf82ef7d80873
SHA1: ab62f39145b01a38135efcbc448d858da8f05614
SHA256: 452964b5b653d9ca566597388dfdd33a02dbf9bf2a78c6b844886528908b0399
SHA512: 608b519d59f1241d37baaea9706b177e2454c5b48247b04fc64c12002bbb2fbf46c2037cce33df6948702e4c6e95e68c6e0961f01b40de303bed55b77aa3db04

Filesize: 34KB
MD5: 1389c23b07c8a25e292e12e66310f2c1
SHA1: 8000969b9af4e9704e83f7ab292723da43009575
SHA256: 556ebef22cd0d80cd2b016fe10efd5b0ed15a597ae1488b190f0b1f02cb9a0cb
SHA512: 55001a5b13ae66a306a00f1b6f367518e58d724e3ae83187df05fa0dfcbf34194adbbd9d355e809ff09f0190960824c318ee928cdf1fa774fb9d1d95ee9bd4a6

Filesize: 39KB
MD5: 85feee634a6aee90f0108e26d3d9bc1f
SHA1: a7b1fa32fe7ed67bd51dea438f2f767e3fef0ca2
SHA256: 99c63175504781e9278824d487da082da7c014e99f1024227af164986d3a27c6
SHA512: b81a3e1723a5180c5168cd7bb5181c631f4f57c59780bb82a502160b7874777f3eef1ebe1b14f66c97f9f1a4721af13b6fbcdff2045c8563c18b5d12540953ff

Filesize: 149KB
MD5: f14012de9453de18090da57482efec44
SHA1: b10d3693d20ac487d8a7ad72aef59069b6dc1cee
SHA256: e14bb8a9d2a3151e46de16134a3f5ba3d83d4b93c7c2ff7ffce9dc3cec807afe
SHA512: d0e96411cf6e95cbe5408cd5270df36c92325918356ce77bdd523ad07973abbcac465a7599086df696ea0f2d446f9d646480446c9e3295296928cc7aa6d35fa1

Filesize: 92KB
MD5: edc45517be95f74758fe159ba9ece7a1
SHA1: 6df1203e21d6cc555befe6b430312376f9cdc90d
SHA256: 53419f9de09773f0dd34a28038380286d4474c14436f921abfad4388501752c0
SHA512: 856e132fd0c636fb4e7fd40f4672ea389fe14dc1d587f1f23299459482686ad725c113209f6d3561c1aa139369cfb43bd2bb52fdcbb365b121e5eefb7f8dc9da

Filesize: 107KB
MD5: 5490b284ae504f3d5ad748235c40910b
SHA1: e007becbe5f93356918d6e316ce551d391430024
SHA256: 27c3fb87ae5346c8d340b9ccce3445690cba919396a788229395372adc5b4230
SHA512: c2b2a67386d40dabfc5aafa39b6e3638a7c11cdad03aff9e729a45a0f015c7c8a04002fa516288ae38e9d64136baad42f957d4846e0167e5a98fd792aa50c5ff

Filesize: 50KB
MD5: f0ef277737dabf16b52a4acf60ed5146
SHA1: 87698ce0ba58280fde00f2be1e7eab850fe9a460
SHA256: cc596f2277b883f2740326d2c9183c99d232f80977b8d30b82892e7c30819cd5
SHA512: cffb294814e23c8aaef768712da2d62af17c9d9a7c3ece6384d65c7feaf15416716019bf92fe3a1f4022ba7ec204c84695a2bd35f378311f29d2bc03897be922

Filesize: 73KB
MD5: 403ea46a5b216dbada5b9a66b3031aa4
SHA1: af659f65b7e37339b111c4ab06dc9b9b49c37361
SHA256: 9237f05192661b89a20c0b5ed9581d489585c982783a81d0970aaba635b89249
SHA512: d590d7101a52b9647d08b4ab5c47e07f2a244527ff01d9e8f44ab63911ffe7e803e35155c6d42c2a8590ef8de7561564de6c1b1510bdd3846cee420078810c5c

Filesize: 1KB
MD5: a3abddca61a5fb5258a83b9d6fc20f73
SHA1: 9297f8df9f10d11bf095f5fae9b0bfd9eadccf60
SHA256: 4216b3df40cb5d026fe68e59a91db42b09fd0215e4b96491612d93d676ce838a
SHA512: 2958eab3a794e0986e4cd2af1646ed5f0f3f38345cd4118d68fe5d6540879d97b029ac8f57aa243ef46b07812d88f64a53cd9e1ca7c0eea6745a9256c87c0329

Filesize: 1.4MB
MD5: 43f9b2ef10806ed46c67166e6d37c016
SHA1: b5f82510b57a6b059df2040cfbd4a1bc5e862ffd
SHA256: 2cfac8ff17ba180fc77b9a20debc0b37c98add4fb24221aadb4379485c1b4ffc
SHA512: 195dd8613448d2f975b2a59eac1b3ea3a3b9eb9797f404c07ec17938e07c361b8e928885096c72cd25a5b0a89f758dd75b35cfaab3b54230df615776eb5ea452

Filesize: 1.4MB
MD5: 8368c263236aa10ca231e0edbe61723a
SHA1: 232be5f5b0063e7cda0de861a2ad4f6101f307e0
SHA256: cc75253244aedf7ca8c10dae6e34454b510dc9a8c21e122fb5141990df02ada2
SHA512: b7db184dcc37a3e4586842d0a14d38ef57bd83e6af1bce785388ca03bc47aeb8b3bca3b3cf3fd33783cc924b7c5f905b31df6bbce5aa3006b69dfd6cf71c99fb

Filesize: 1.4MB
MD5: 6260f862cfa3ac0298b5db3f15b30f25
SHA1: bc3912e439abf603c64b9bd4d62d7a7872e25d4a
SHA256: 3244578bdf3a5b079fbb4fb86a688b4037b048d3d1b237b1c301dcc4a2b60c10
SHA512: c6ec558136887d3c8b62b27e0b856701a28bfaaed2b7e28c17f0f10047a0148231cf29cef5b003b563a44fce5a077a83ba2b54cb6f16fd444d5dad0cb03bfc05