Analysis
- max time kernel: 142s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-01-2024 01:37
- Static task: static1
- Behavioral task: behavioral1
- Sample: 692759203e392d71d9dee01161280ef1.dll
- Resource: win7-20231215-en
General
- Target: 692759203e392d71d9dee01161280ef1.dll
- Size: 2.6MB
- MD5: 692759203e392d71d9dee01161280ef1
- SHA1: dd9376cdcb27e27eafce10498630c75ca1b11432
- SHA256: 3b12db2302d38fb3cb124b01f2f6bb81d2d14cc079e87406803e7883bc256a66
- SHA512: 400a6dde11da33279d426345744481ee8a790a43b017a7d510222874d83ddd9014fe9a3abbe9b2b89e1c39e9da55663484ca4fbcaea7082303fa167e6d99633f
- SSDEEP: 12288:gVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:FfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
- YARA rule match
  Processes:
  - resource: behavioral2/memory/3464-4-0x00000000084A0000-0x00000000084A1000-memory.dmp, yara_rule: dridex_stager_shellcode
- Executes dropped EXE (3 IoCs)
  Processes:
  - pid 776: SppExtComObj.Exe
  - pid 4300: OptionalFeatures.exe
  - pid 4544: BdeUISrv.exe
- Loads dropped DLL (3 IoCs)
  Processes:
  - pid 776: SppExtComObj.Exe
  - pid 4300: OptionalFeatures.exe
  - pid 4544: BdeUISrv.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  - description: Set value (str); ioc: \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gdfgjdhwrlpouj = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\OneNote\\UZh5Pkwd\\OptionalFeatures.exe"
- Checks whether UAC is enabled
  Processes: OptionalFeatures.exe, BdeUISrv.exe, rundll32.exe, SppExtComObj.Exe
  - description: Key value queried; ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA; process: OptionalFeatures.exe
  - description: Key value queried; ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA; process: BdeUISrv.exe
  - description: Key value queried; ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA; process: rundll32.exe
  - description: Key value queried; ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA; process: SppExtComObj.Exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
  - pid 3188: rundll32.exe (4 entries)
  - pid 3464: process name not recorded (60 entries)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes:
  - Token: SeShutdownPrivilege; pid 3464
  - Token: SeCreatePagefilePrivilege; pid 3464
  - Token: SeShutdownPrivilege; pid 3464
  - Token: SeCreatePagefilePrivilege; pid 3464
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes:
  - pid 3464 (2 entries)
- Suspicious use of UnmapMainImage (1 IoC)
  Processes:
  - pid 3464
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description; pid; target process):
  - PID 3464 wrote to memory of 4040; 3464; SppExtComObj.Exe
  - PID 3464 wrote to memory of 4040; 3464; SppExtComObj.Exe
  - PID 3464 wrote to memory of 776; 3464; SppExtComObj.Exe
  - PID 3464 wrote to memory of 776; 3464; SppExtComObj.Exe
  - PID 3464 wrote to memory of 4468; 3464; OptionalFeatures.exe
  - PID 3464 wrote to memory of 4468; 3464; OptionalFeatures.exe
  - PID 3464 wrote to memory of 4300; 3464; OptionalFeatures.exe
  - PID 3464 wrote to memory of 4300; 3464; OptionalFeatures.exe
  - PID 3464 wrote to memory of 3516; 3464; BdeUISrv.exe
  - PID 3464 wrote to memory of 3516; 3464; BdeUISrv.exe
  - PID 3464 wrote to memory of 4544; 3464; BdeUISrv.exe
  - PID 3464 wrote to memory of 4544; 3464; BdeUISrv.exe
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\rundll32.exe (PID 3188)
  command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\692759203e392d71d9dee01161280ef1.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\SppExtComObj.Exe (PID 4040)
  command: C:\Windows\system32\SppExtComObj.Exe
- C:\Users\Admin\AppData\Local\xtVAESF\SppExtComObj.Exe (PID 776)
  command: C:\Users\Admin\AppData\Local\xtVAESF\SppExtComObj.Exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\OptionalFeatures.exe (PID 4468)
  command: C:\Windows\system32\OptionalFeatures.exe
- C:\Users\Admin\AppData\Local\RWunwh\OptionalFeatures.exe (PID 4300)
  command: C:\Users\Admin\AppData\Local\RWunwh\OptionalFeatures.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\BdeUISrv.exe (PID 3516)
  command: C:\Windows\system32\BdeUISrv.exe
- C:\Users\Admin\AppData\Local\6CxXERmD\BdeUISrv.exe (PID 4544)
  command: C:\Users\Admin\AppData\Local\6CxXERmD\BdeUISrv.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
Network
MITRE ATT&CK Enterprise v15
Downloads