Analysis
max time kernel: 150s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-01-2024 19:20
Static task: static1
Behavioral task: behavioral1
Sample: 686ead54f11ad7a199730fa54bd87917.dll
Resource: win7-20231215-en
General
Target: 686ead54f11ad7a199730fa54bd87917.dll
Size: 3.5MB
MD5: 686ead54f11ad7a199730fa54bd87917
SHA1: c45300b31ef01134e50004809d5e945c10ef6f21
SHA256: 157dba446a7b409cd3c0b7b59b764fde1820a4c8c7431a2ea28e841ec9ea5056
SHA512: 46cb02ef280e20b25201edb1d7fb0ab7752ea573c492e23c49421a931a60bd8ab700cd5fe851bbf71232cbe3627ac903a6133aaccd53111b8f8cc4d06caf2e39
SSDEEP: 12288:2VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:rfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
Processes:
resource: behavioral2/memory/3372-5-0x00000000036C0000-0x00000000036C1000-memory.dmp
yara_rule: dridex_stager_shellcode
Executes dropped EXE (3 IoCs)
Processes:
pid process
4288 mspaint.exe
3932 sessionmsg.exe
3692 lpksetup.exe
Loads dropped DLL (3 IoCs)
Processes:
pid process
4288 mspaint.exe
3932 sessionmsg.exe
3692 lpksetup.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gdfgjdhwrlpouj = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\u4Ui4\\sessionmsg.exe"
Checks whether UAC is enabled
Processes:
description ioc process
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA rundll32.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA mspaint.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA sessionmsg.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA lpksetup.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
pid process
4332 rundll32.exe (4 entries)
3372 (60 entries; no process name recorded for this pid)
Suspicious use of AdjustPrivilegeToken (16 IoCs)
Processes:
description pid process
Token: SeShutdownPrivilege 3372 (8 entries)
Token: SeCreatePagefilePrivilege 3372 (8 entries)
Suspicious use of FindShellTrayWindow (2 IoCs)
Processes:
pid process
3372 (2 entries)
Suspicious use of UnmapMainImage (1 IoCs)
Processes:
pid process
3372
Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
description | pid | process | target process
PID 3372 wrote to memory of 3000 | 3372 | | mspaint.exe (2 entries)
PID 3372 wrote to memory of 4288 | 3372 | | mspaint.exe (2 entries)
PID 3372 wrote to memory of 3636 | 3372 | | sessionmsg.exe (2 entries)
PID 3372 wrote to memory of 3932 | 3372 | | sessionmsg.exe (2 entries)
PID 3372 wrote to memory of 1644 | 3372 | | lpksetup.exe (2 entries)
PID 3372 wrote to memory of 3692 | 3372 | | lpksetup.exe (2 entries)
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\686ead54f11ad7a199730fa54bd87917.dll,#1
  PID: 4332
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
C:\Windows\system32\mspaint.exe
  Command line: C:\Windows\system32\mspaint.exe
  PID: 3000
C:\Users\Admin\AppData\Local\raRvDY1c\mspaint.exe
  Command line: C:\Users\Admin\AppData\Local\raRvDY1c\mspaint.exe
  PID: 4288
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
C:\Windows\system32\sessionmsg.exe
  Command line: C:\Windows\system32\sessionmsg.exe
  PID: 3636
C:\Users\Admin\AppData\Local\APG\sessionmsg.exe
  Command line: C:\Users\Admin\AppData\Local\APG\sessionmsg.exe
  PID: 3932
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
C:\Windows\system32\lpksetup.exe
  Command line: C:\Windows\system32\lpksetup.exe
  PID: 1644
C:\Users\Admin\AppData\Local\ACqx4XaS\lpksetup.exe
  Command line: C:\Users\Admin\AppData\Local\ACqx4XaS\lpksetup.exe
  PID: 3692
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 3.5MB
MD5: f39d4b64ad8035f15eb7c25e6ee41449
SHA1: 32e6178d819a25d88a6b46ebcf36118dd08e8834
SHA256: 65ae0849104a1c8f19589cc0bb34c9567358a7d64c69020f0874a8bc5c29de35
SHA512: c467fd4539c8964e8fd6c2fd394d28c345d8a8ac60616c6eb52671afbcddb6744e660056d5152a27b2c840c0d6a442b99b24e3c0d2c9b4aa17b88fed183dae6d

Filesize: 728KB
MD5: c75516a32e0aea02a184074d55d1a997
SHA1: f9396946c078f8b0f28e3a6e21a97eeece31d13f
SHA256: cb3cbeaaff7c07b044f70177e2899a87e80840d177238eb7dd25b8d9e20bef22
SHA512: 92994fdb75b15742e33e6d7a499664b722e45b9c160d8cc42d30bc727044063d589f45853692b5b754df6ff0fd21294dc32fed985b153f93f4bcf9f8c89a5bcc

Filesize: 3.5MB
MD5: 702bc27161117d7a8294c608a32534bf
SHA1: ef183fb21eb03fa1db51bb2ee189e381dc50fef7
SHA256: 2efd5495fc23c28e4ecc1b127c6a47e04965a72b45cd1a50ebfab037a22ac0f7
SHA512: 2b7b75b3c46384c6979bf2244e78f7173bd917da153f2e5d74425e7cd7a60a9ce36a3893531920dcb1e73ad7029f9cc1d9a6fe7bbca9b8a2caa5fe81c9656204

Filesize: 85KB
MD5: 480f710806b68dfe478ca1ec7d7e79cc
SHA1: b4fc97fed2dbff9c4874cb65ede7b50699db37cd
SHA256: 2416cd4aa577dbb2f8790a61e36fbab2b30bff81a4e1f67a5151c2fec29585bc
SHA512: 29d3d234ebc45049a533b6a91b246ac043a56b9af67276aaf493b014ae34d73000f99a6b0c0b85d2dfb7fba54811cf8bbdfd167a9eed01a8617b7f05bf2971db

Filesize: 3.5MB
MD5: 5f13b4c62f85ab2c01ff5c8c6a10bca4
SHA1: ed1ea0ebe89c4276daef66407588b3132e6c6736
SHA256: 1544154c1bba837590a9b9833c8a86bf4d8a2354e2e22fbfb4c650de4d232038
SHA512: 670b41600c19a5b906da2f496d3b441412990440d607e8642b94d70e330e845d215f99366ebb319f59e85f61726c91808b70bc3842572c09f8db9a7018a5359c

Filesize: 965KB
MD5: f221a4ccafec690101c59f726c95b646
SHA1: 2098e4b62eaab213cbee73ba40fe4f1b8901a782
SHA256: 94aa32a2c9c1d2db78318d9c68262c2f834abe26b6e9a661700324b55fdd5709
SHA512: 8e3f4e4f68565ef09f5e762d6bb41b160711bbacac9dfcbe33edea9885fd042e6ce9a248bfcc62f9cffdb8e6bbe1b04c89bd41fcd9a373a5c8bc7bbff96dceaf

Filesize: 1KB
MD5: 747032d2cb3d6ce256b6ab17a9317405
SHA1: a726ffd1ed4cd189c030641d8751adbfa4026d57
SHA256: 12c5c86243289459ac6362ad6651f9dc0286cf64c42ecbf1f08db92ee61e10d3
SHA512: 249e570fc2ba1abf53e0e2ab890374359bbd5bfee23cea8dfacfeda84f8707d1d85d9cb3938f850804a02c44f60a2ae558fd540379f84df3f1457a744ada30ac