Analysis
Max time kernel: 150s
Max time network: 153s
Platform: windows10-2004_x64
Resource: win10v2004-20231215-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 19-01-2024 07:50
Static task: static1
Behavioral task: behavioral1
  Sample: 6714db2df8a6f6b5c50d59629ec34c6c.dll
  Resource: win7-20231215-en
General
Target: 6714db2df8a6f6b5c50d59629ec34c6c.dll
Size: 3.2MB
MD5: 6714db2df8a6f6b5c50d59629ec34c6c
SHA1: a4b2879a300b905a63dce5114092208d4d1dec9a
SHA256: d86ef2b5b3a29c907febf6d15d8f3fa781e1d5314549fed66df51d00db694818
SHA512: 7b6f0a5a4ea204821d3e513cb9a5c2926f06ab2ae2aea9d5baba857ec82867bf912edf75ab8e0250364ca81e015114d71b3e26dc9918ee734103fbc7456d1d56
SSDEEP: 12288:yVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:vfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
Dridex stager shellcode detected in memory (YARA)
Rule: dridex_stager_shellcode
Resource: behavioral2/memory/3412-4-0x00000000078D0000-0x00000000078D1000-memory.dmp (task behavioral2; only behavioral1 is listed in the header above)
Note: PID 3412, the process whose memory matched, is also the source of every WriteProcessMemory and AdjustPrivilegeToken event below, yet it has no entry in the process tree, so the image name behind it is not recorded on this page.
Executes dropped EXE (4 IoCs)
PID   Process
4864  cmstp.exe
560   sppsvc.exe
2228  SnippingTool.exe
4848  RdpSaUacHelper.exe
Loads dropped DLL (5 IoCs)
PID   Process             Loads
4864  cmstp.exe           2
560   sppsvc.exe          1
2228  SnippingTool.exe    1
4848  RdpSaUacHelper.exe  1
Adds Run key to start application (2 TTPs, 1 IoC)
Set value (str): \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ddiqrdu = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations\\4J4NzkY\\sppsvc.exe"
(The writing process is not recorded on this page.)
Checks whether UAC is enabled (4 IoCs)
Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Queried by: sppsvc.exe, RdpSaUacHelper.exe, rundll32.exe, cmstp.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
PID 800 rundll32.exe: 4 events
PID 3412 (no image name recorded): 60 events
Suspicious use of AdjustPrivilegeToken (18 IoCs)
PID 3412: SeShutdownPrivilege and SeCreatePagefilePrivilege adjusted alternately, 9 times each
Suspicious use of FindShellTrayWindow (2 IoCs)
PID 3412: 2 events
Suspicious use of UnmapMainImage (1 IoC)
PID 3412: 1 event
Suspicious use of WriteProcessMemory (14 IoCs)
Source PID  Target PID  Target process       Writes
3412        4436        cmstp.exe            2
3412        4864        cmstp.exe            2
3412        560         sppsvc.exe           2
3412        2848        SnippingTool.exe     2
3412        2228        SnippingTool.exe     2
3412        2776        RdpSaUacHelper.exe   2
3412        4848        RdpSaUacHelper.exe   2
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API (ITaskService and the interfaces reached through it) can be used to schedule applications to run on boot or at set times. The report records the TTP only; no task name or action path is listed, so there is no scheduled-task IoC to pivot on from this page.
Processes
C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\6714db2df8a6f6b5c50d59629ec34c6c.dll,#1
  PID: 800
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses

C:\Windows\system32\cmstp.exe
  Command line: C:\Windows\system32\cmstp.exe
  PID: 4436

C:\Users\Admin\AppData\Local\DbMLLK\cmstp.exe
  Command line: C:\Users\Admin\AppData\Local\DbMLLK\cmstp.exe
  PID: 4864
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled

C:\Windows\system32\sppsvc.exe
  Command line: C:\Windows\system32\sppsvc.exe
  PID: 1000

C:\Users\Admin\AppData\Local\Gkdmb\sppsvc.exe
  Command line: C:\Users\Admin\AppData\Local\Gkdmb\sppsvc.exe
  PID: 560
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled

C:\Windows\system32\SnippingTool.exe
  Command line: C:\Windows\system32\SnippingTool.exe
  PID: 2848

C:\Users\Admin\AppData\Local\vOm174L7s\SnippingTool.exe
  Command line: C:\Users\Admin\AppData\Local\vOm174L7s\SnippingTool.exe
  PID: 2228
  - Executes dropped EXE
  - Loads dropped DLL

C:\Windows\system32\RdpSaUacHelper.exe
  Command line: C:\Windows\system32\RdpSaUacHelper.exe
  PID: 2776

C:\Users\Admin\AppData\Local\q25ZD\RdpSaUacHelper.exe
  Command line: C:\Users\Admin\AppData\Local\q25ZD\RdpSaUacHelper.exe
  PID: 4848
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled

All nine processes sit at the same tree depth (no parent is recorded for any of them), and each system binary appears twice: once from its real location under C:\Windows\system32 and once as a copy in a freshly named directory under AppData\Local, where the copy is the one that loads a dropped DLL. The dropped VERSION.dll listed under Downloads is in a directory of the same kind (a random name under the user's Quick Launch folder), which is the search-order position a DLL planted beside a relocated executable occupies.
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1 (path not captured)
  Filesize: 233KB
  MD5: b485bc2c938b7ef3b7d634563eb26eba
  SHA1: 44d826673d5736b0c92ef9d6eca9d12d4a6b3aa1
  SHA256: d1ea149e973d18c97de7ce48b4775f09ada300235189150c0af99ad71aa32bbc
  SHA512: f47c8039023206cc43ba105cc83eafb30435ed5823165be2040eb39666627289bc21fde9423bf188b61fb473fcd0feb112fa56f41ffa15e20c5f70acfbd2fc73

File 2 (path not captured)
  Filesize: 129KB
  MD5: aac63ed7382e87e3796b8b38cd27658d
  SHA1: a779b1c352d959c1fbac59a5bcce47df68619b61
  SHA256: d79ba099bcef2fa569d032f00e84739400ef66e9bdb96a08eab4dcb61f5405c5
  SHA512: 6e54bbce3f136e673687d1ecc20c22b0a3e559155f80c719a28cc59c0015960b317f911819a582087ccb5d4729cf543c82b54b6ed42d2456d42559e2597e1379

File 3 (path not captured)
  Filesize: 125KB
  MD5: 8d12cc5ebd1dc117c2350334c64e51a6
  SHA1: 3eff9980a31999a3a34185a93f142226f3086b27
  SHA256: fe9523e6386913d82d6c2803ce6539ea50bb6bee898ac595e9a0a7e4395e7ff6
  SHA512: 2806dfb03c560edb48a11e5b7896088542215efdc5b5496f9188ccd5f95f357bf66cf85b876d0e453d47a7a13cc59297b8ad08ffb7ae33cb31bbb9acec049a2a

File 4 (path not captured)
  Filesize: 38KB
  MD5: 121dfc2fe6f6a84b06eb0d6f0dbc2c8e
  SHA1: 7e322b5a7003dd7370c330a4179f91bd50d4b07a
  SHA256: 2651ec3fa204d1ff89595fba5dbd8b1565cb32bf0b4e91623202f2d8097bbe09
  SHA512: c5b9c4b641d8486c8e6e65c047d8292f5a44bc9341bae65b2588f4b5694ce5495feb54ff11ec5b58ebb4d9cf2aaecab586ebf0bc58bf6b9161d17b1b9db58f59

File 5 (path not captured)
  Filesize: 96KB
  MD5: 4cc43fe4d397ff79fa69f397e016df52
  SHA1: 8fd6cf81ad40c9b123cd75611860a8b95c72869c
  SHA256: f2d3905ee38b2b5c0b724d582f14eb1db7621ffb8f3826df686a20784341614c
  SHA512: 851ef9fa5a03ec8b9fea0094c6e4bfa0b9e71cee3412ee86b2dfc34682aa5fb6455fefe7fc0092b711956d7c880cf8a5761b63ee990aa8e72f3473086ac0f157

File 6 (path not captured)
  Filesize: 7KB
  MD5: 75fef8ec2da7e712ea0b8c3d60af413f
  SHA1: a52255558de36a60d022ea5af621320bfee36d83
  SHA256: 1444f5be0608bab20c0302d860f81aad105ef22fd4afdf722577cef9c1aa0221
  SHA512: c5f207f9dba1c010f00652bf0c10d2942aaadea10ccdb114d6ac4c612cdc13e098d13c0b189a23f24a7a3d4e8a3f02ba3cd3fa73c499dd95de1caa79c19c8af0

File 7 (path not captured; no size recorded)
  These are the well-known digests of a zero-byte file, so this entry is an empty file and carries no signal.
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

File 8 (path not captured)
  Filesize: 68KB
  MD5: 76522df15475f02bf7dc0aa202f4c9de
  SHA1: 3ec68f95f83365e73f4a85f1cf97787ce6e75eef
  SHA256: 5125f542dd7dbda0c2ea920d9e4090ded59cdcfd29e87e28a9dae7554089bcf9
  SHA512: 0aad23389328c3cb5f77e93834f0cfcb0666282fafe56db935146a606da63b27d748757ac34be865c328fa2103dc60389017c4f3a88bb61e791e8014e33604b1

File 9 (path not captured)
  Filesize: 33KB
  MD5: 0d5b016ac7e7b6257c069e8bb40845de
  SHA1: 5282f30e90cbd1be8da95b73bc1b6a7d041e43c2
  SHA256: 6a6fdd834af9c79c5ffc5e6b51700030259aeae535f8626df84b07b7d2cee067
  SHA512: cd44d8b70fc67c692e6966b4ad86a7de9c96df0bade1b3a80cb4767be159d64f3cc04dc5934f7d843b15101865089e43b8aecabddc370b22caf0c48b56b3430e

File 10 (path not captured)
  Filesize: 137KB
  MD5: 87f3487d9b3609ee8d85309b202eba23
  SHA1: fad9cb70114f31a30b82a3941b9aeebf8b9e0ab5
  SHA256: aaa3ec4df10df7c46ede712624eb3ba8289e4548226a59bb28f9608a409b87ac
  SHA512: 9586b528dcc2c91dd2149dbb426280f825b50c6ecd21c9f578aafb9097f94ab23e7b09d32276ecf0bf5c75e8726d88b74e9e72b6aaeccbc2391379eb13b8edd0

File 11 (path not captured)
  Filesize: 128KB
  MD5: 276eb57200c0063186402a4304451536
  SHA1: f78ec17fcb7a398ab1bd31a86af18a416665e4e6
  SHA256: 17ffe57e068eacabc091356a90c75dbf10a60fffaa8e37177adcd425be6257b5
  SHA512: 7e71b25f20fad100206a2132dbd0e03accaaabd40b53878fc7b32a862dbbc62c692234be78f2ffa93fd591a471d1a479bf23170ad5ffa80ba61e6c65cab3dd9b

File 12 (path not captured)
  Filesize: 68KB
  MD5: 6ececee18c82ad304b1d06b10208d2ff
  SHA1: 56988e12e06fab7cc3a1baab7d78979c2dc8d290
  SHA256: fb2200e5ed55b7f2f2324ce5656dd73f589c4dfd5ff568776825e7bc81a6595e
  SHA512: 1a951a7971619537dbf26dc35cb6524986fce572850fa0ef117e0ac4f91e6b642a0027adf29979e98ef2380e6d201a06cc410565a8db34c482e0f3e11311a90f

File 13 (path not captured)
  Filesize: 90KB
  MD5: a9cd11bed2c07f798caedf4cc013acb4
  SHA1: c115955839c6b4f52deedeecd5ce45b1d640de12
  SHA256: eaa2de2fc193015e81ac575cd06fb082b1db4331456b26ae5fcbe66147c290bd
  SHA512: bade396ddbbc49f363761d4adb96c474290963721ff113a6d25e980602425557345a3fa10e2229fa6f3de5e5e81d0fd9f856a36868db1ecd9b0716fdcca655b1

File 14 (path not captured)
  Filesize: 57KB
  MD5: 047fb5fba00720f7c8d0e86f3f48a04d
  SHA1: da35002a111a7f4a6492ca3635187b9f1de80bdc
  SHA256: 359d6a91ed1ec5722202458f04c50592a64ad2ff10378c961a46e53d34f6072a
  SHA512: 394c0bf917725063ff1c160f4335b1d9ee8b18838b14a0fe1a43f05b016930e6cb04fe26120fb605ab9ca0242a5345acf429a7ba8712c06f6d0dbfc9e58cbb1b

File 15 (path not captured)
  Filesize: 1KB
  MD5: 9b4f8d1a23abf25112971055d616d32a
  SHA1: 34b759178210de08deed06055eb0989224997872
  SHA256: 33021467e2df029a97a6f2db4f45ef9f0fcb146052cfd4b0fde1a09f63a79289
  SHA512: 31677224c0b088f91c03daedb2303644e425c0c0c0528521510e2fd08ce01876c9568cbf5d62f6fe19443222e57d75e927024c9f35b3a1bbb27126619c0475f5

File 16 (path not captured)
  Filesize: 258KB
  MD5: 85a51b315a1959ac8a2bb1814a53bbe5
  SHA1: 9da4c3ec46b1fb5858113650564e826038bf0500
  SHA256: 135c94d666f3cd4b401cf35d43680713f689c4eef286bee3cbd81478cac4e39d
  SHA512: 3a44cd1736d26e0bf3707be3ec3a123bbc849f6576c8e70a50949c8c892896fcef38937de3e2c9d0083f03e18e2bbadfa3559336a64f399486e7d3b541cca5ee

File 17: C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\ymOch4b3\VERSION.dll
  Filesize: 73KB
  MD5: 6428df938670ba9ba8e8f3b7e5e4afbd
  SHA1: 3a9c3cfdf58aac25e9ab7edcc5a8d9120ccdf6c6
  SHA256: 3b24bc5c24dcb54d77de8156f5ba38ca71c50b5fcd72d39c76064d536fe06521
  SHA512: 191d1bd87d81039e031b9ea7c2f5a1ec492b3a2b384ff2509fcdaaf51f86f3e821bd51d947974c924b339910df73b6d3d35c6a645c2b5d2bd724ed1c9321ea87

File 18 (path not captured)
  Filesize: 347KB
  MD5: b4561c365bf82b197da05111c811ff56
  SHA1: 057ba2ca7045af2e900fb32fa43876855dad7515
  SHA256: dab1ebd0f5ff1202c3c2a4a755f6b04f0cce18340a618435f15ffee8fdf4ac22
  SHA512: 9aba6501d0023f100a3cf38a44cf468bc139a57b19593b61788e03d191f4f14db35efe73a2214797b272e2a4ea4c05d249bf0784dce24204bb91d389c7e9eb80