Analysis

max time kernel: 12s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-01-2024 08:44

Static task: static1
Behavioral task: behavioral1
Sample: 672feea11a362219307b071df8f2dfa3.dll
Resource: win7-20231215-en
General

Target: 672feea11a362219307b071df8f2dfa3.dll
Size: 2.2MB
MD5: 672feea11a362219307b071df8f2dfa3
SHA1: 580f8a932ac435b2b29011b922f9e75316e15398
SHA256: 2ba43678d9bb9bc374a126ea5792659d1b09bcb9ecb21dcbc233889a27082eef
SHA512: 36bb2bf5572df4cd8e33042a08e3bc7b2c22cce687ecb61feb254f04c6c486a0228cb8d747d7833bbbb6300fa51b0aed24b19f6a23bf7ba34a5ae03a7519147c
SSDEEP: 12288:4VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1Yt:tfP7fWsK5z9A+WGAW+V5SB6Ct4bnbYt
Malware Config
Signatures
YARA rule match (behavioral2)
Processes:
  resource                                                                     yara_rule
  behavioral2/memory/3480-4-0x0000000002A80000-0x0000000002A81000-memory.dmp   dridex_stager_shellcode

Executes dropped EXE (3 IoCs)
Processes:
  pid    process
  392    OptionalFeatures.exe
  856    sdclt.exe
  2496   SystemPropertiesPerformance.exe

Loads dropped DLL (3 IoCs)
Processes:
  pid    process
  392    OptionalFeatures.exe
  856    sdclt.exe
  2496   SystemPropertiesPerformance.exe

Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description        ioc                                                                                                                                   process
  Set value (str)    \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tgnmvdx = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\6HDL\\sdclt.exe"    (not recorded)

Checks whether UAC is enabled
Processes:
  description          ioc                                                                                   process
  Key value queried    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   SystemPropertiesPerformance.exe
  Key value queried    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   rundll32.exe
  Key value queried    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   OptionalFeatures.exe
  Key value queried    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   sdclt.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
  pid    process
  2548   rundll32.exe                                  (4 entries)
  3480   (process name not recorded)                   (remaining 60 entries)

Suspicious use of WriteProcessMemory (12 IoCs)
Processes (each entry is recorded twice in the report):
  description                         pid    process           target process
  PID 3480 wrote to memory of 5088    3480   (not recorded)    OptionalFeatures.exe
  PID 3480 wrote to memory of 392     3480   (not recorded)    OptionalFeatures.exe
  PID 3480 wrote to memory of 4288    3480   (not recorded)    sdclt.exe
  PID 3480 wrote to memory of 856     3480   (not recorded)    sdclt.exe
  PID 3480 wrote to memory of 3284    3480   (not recorded)    SystemPropertiesPerformance.exe
  PID 3480 wrote to memory of 2496    3480   (not recorded)    SystemPropertiesPerformance.exe

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\672feea11a362219307b071df8f2dfa3.dll,#1
  PID: 2548
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses

C:\Windows\system32\OptionalFeatures.exe
  command line: C:\Windows\system32\OptionalFeatures.exe
  PID: 5088

C:\Windows\system32\sdclt.exe
  command line: C:\Windows\system32\sdclt.exe
  PID: 4288

C:\Users\Admin\AppData\Local\0p2z\sdclt.exe
  command line: C:\Users\Admin\AppData\Local\0p2z\sdclt.exe
  PID: 856
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled

C:\Windows\system32\SystemPropertiesPerformance.exe
  command line: C:\Windows\system32\SystemPropertiesPerformance.exe
  PID: 3284

C:\Users\Admin\AppData\Local\dwTv\SystemPropertiesPerformance.exe
  command line: C:\Users\Admin\AppData\Local\dwTv\SystemPropertiesPerformance.exe
  PID: 2496
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled

C:\Users\Admin\AppData\Local\F1VHZ\OptionalFeatures.exe
  command line: C:\Users\Admin\AppData\Local\F1VHZ\OptionalFeatures.exe
  PID: 392
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled

C:\Windows\system32\rundll32.exe
  command line: "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
  PID: 4632

C:\Windows\System32\svchost.exe
  command line: C:\Windows\System32\svchost.exe -k UnistackSvcGroup
  PID: 3248

Note: each "Executes dropped EXE" process above is a copy of a Windows system binary (sdclt.exe, SystemPropertiesPerformance.exe, OptionalFeatures.exe) launched from a randomly named directory under AppData\Local, and each loads a dropped DLL from that directory; the Run key recorded under Signatures points at a further copy of sdclt.exe under AppData\Roaming. All process nesting levels in the original tree are 1.
Network
MITRE ATT&CK Enterprise v15
Downloads