Analysis
- max time kernel: 150s
- max time network: 121s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19-01-2024 15:40
- Static task: static1
- Behavioral task: behavioral1
- Sample: 6800149dece7def1ad1cd84f715f4837.dll
- Resource: win7-20231215-en
General
- Target: 6800149dece7def1ad1cd84f715f4837.dll
- Size: 1.7MB
- MD5: 6800149dece7def1ad1cd84f715f4837
- SHA1: 640fca273f248d6a72d3265dea4a3f774c6aa64f
- SHA256: b0d4e0d901760c1879169db38ef00435f986e19dda97a46b8797d55e379eb1ac
- SHA512: f93a6f187f01bdac3af4abda5a11d040f4633296db46cbf2d19eb22c0e369129939e3d5aeaef5f67b44b9140fb13ad6971df7847c78a975cc86259e336da50e2
- SSDEEP: 12288:bVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:6fP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
- Processes (resource, yara_rule):
  - behavioral2/memory/3428-4-0x00000000077F0000-0x00000000077F1000-memory.dmp: dridex_stager_shellcode
- Drops startup file 3 IoCs
  Processes (description, ioc):
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\xU
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\xU\SLC.dll
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\xU\phoneactivate.exe
- Executes dropped EXE 3 IoCs
  Processes (pid, process):
  - 4104 phoneactivate.exe
  - 1628 bdechangepin.exe
  - 1836 DWWIN.EXE
- Loads dropped DLL 3 IoCs
  Processes (pid, process):
  - 4104 phoneactivate.exe
  - 1628 bdechangepin.exe
  - 1836 DWWIN.EXE
- Adds Run key to start application 2 TTPs 1 IoCs
  Processes (description, ioc):
  - Set value (str): \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Kqgfxymewp = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\AddIns\\gGXcOXyJ\\bdechangepin.exe"
- Processes (description, ioc, process):
  - Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (DWWIN.EXE)
  - Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (rundll32.exe)
  - Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (phoneactivate.exe)
  - Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (bdechangepin.exe)
- Suspicious behavior: EnumeratesProcesses 64 IoCs
  Processes (pid, process):
  - 1956 rundll32.exe (4 entries)
  - 3428, no process name recorded (remaining 60 entries)
- Suspicious use of AdjustPrivilegeToken 8 IoCs
  Processes (description, pid):
  - Token: SeShutdownPrivilege, 3428 (4 entries)
  - Token: SeCreatePagefilePrivilege, 3428 (4 entries)
- Suspicious use of FindShellTrayWindow 2 IoCs
  Processes (pid): 3428, 3428
- Suspicious use of UnmapMainImage 1 IoCs
  Processes (pid): 3428
- Suspicious use of WriteProcessMemory 12 IoCs
  Processes (description, pid, target process):
  - PID 3428 wrote to memory of 2528, 3428, phoneactivate.exe (2 entries)
  - PID 3428 wrote to memory of 4104, 3428, phoneactivate.exe (2 entries)
  - PID 3428 wrote to memory of 2140, 3428, bdechangepin.exe (2 entries)
  - PID 3428 wrote to memory of 1628, 3428, bdechangepin.exe (2 entries)
  - PID 3428 wrote to memory of 4504, 3428, DWWIN.EXE (2 entries)
  - PID 3428 wrote to memory of 1836, 3428, DWWIN.EXE (2 entries)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\6800149dece7def1ad1cd84f715f4837.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID: 1956
- C:\Windows\system32\bdechangepin.exe
  Command line: C:\Windows\system32\bdechangepin.exe
  PID: 2140
- C:\Users\Admin\AppData\Local\bmk\phoneactivate.exe
  Command line: C:\Users\Admin\AppData\Local\bmk\phoneactivate.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 4104
- C:\Windows\system32\phoneactivate.exe
  Command line: C:\Windows\system32\phoneactivate.exe
  PID: 2528
- C:\Users\Admin\AppData\Local\dOQmhEld\bdechangepin.exe
  Command line: C:\Users\Admin\AppData\Local\dOQmhEld\bdechangepin.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 1628
- C:\Windows\system32\DWWIN.EXE
  Command line: C:\Windows\system32\DWWIN.EXE
  PID: 4504
- C:\Users\Admin\AppData\Local\CiCbzs\DWWIN.EXE
  Command line: C:\Users\Admin\AppData\Local\CiCbzs\DWWIN.EXE
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 1836
Network
MITRE ATT&CK Enterprise v15
Downloads