Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-01-2024 01:00
Static task: static1
Behavioral task: behavioral1
Sample: 6913c976717f771261d42365e9ed8940.dll
Resource: win7-20231215-en
General
Target: 6913c976717f771261d42365e9ed8940.dll
Size: 2.5MB
MD5: 6913c976717f771261d42365e9ed8940
SHA1: de6623f60ec96e264ee873aaf2ceeacf81313405
SHA256: f3ca4c539c12c3d56e02f61e3aa2def83515305b89bcbe17274ac895313ad46a
SHA512: 68ee9ec13b10596eb96f2fb0a0b66a93149c49ac922aff3830ff81234af5f6b8c4326aa188c3f26a43809d10f2cb40da40e7d01957459526b858ce5a21b3a934
SSDEEP: 24576:zfP7fWsK5z9A+WGAW+V5SB6Ct4bnbcs+:DDW/e+WG0Vo6CtSn
Malware Config
Signatures
Processes:
resource: behavioral2/memory/3368-4-0x0000000002960000-0x0000000002961000-memory.dmp
yara_rule: dridex_stager_shellcode
Executes dropped EXE 3 IoCs
Processes:
pid   process
4404  wscript.exe
1920  FileHistory.exe
2740  RdpSaUacHelper.exe
Loads dropped DLL 3 IoCs
Processes:
pid   process
4404  wscript.exe
1920  FileHistory.exe
2740  RdpSaUacHelper.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Dturazvnnsjkgvr = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Acrobat\\UbAqzoaRr\\FileHistory.exe"
Checks whether UAC is enabled
Processes:
description        ioc                                                                                  process
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  wscript.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  FileHistory.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  RdpSaUacHelper.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid   process
2364  rundll32.exe (6 entries)
3368  no process name recorded (the remaining 58 of the 64 entries)
Suspicious use of UnmapMainImage 1 IoCs
Processes:
pid   process
3368  no process name recorded
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
description                        pid   process   target process
PID 3368 wrote to memory of 4180   3368  (none)    wscript.exe
PID 3368 wrote to memory of 4404   3368  (none)    wscript.exe
PID 3368 wrote to memory of 2808   3368  (none)    FileHistory.exe
PID 3368 wrote to memory of 1920   3368  (none)    FileHistory.exe
PID 3368 wrote to memory of 1628   3368  (none)    RdpSaUacHelper.exe
PID 3368 wrote to memory of 2740   3368  (none)    RdpSaUacHelper.exe
(each of the six rows above appears twice in the report, giving the 12 entries)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\6913c976717f771261d42365e9ed8940.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID: 2364

C:\Windows\system32\wscript.exe
  command line: C:\Windows\system32\wscript.exe
  PID: 4180

C:\Users\Admin\AppData\Local\j72g\wscript.exe
  command line: C:\Users\Admin\AppData\Local\j72g\wscript.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 4404

C:\Windows\system32\FileHistory.exe
  command line: C:\Windows\system32\FileHistory.exe
  PID: 2808

C:\Users\Admin\AppData\Local\HhFcEWh\FileHistory.exe
  command line: C:\Users\Admin\AppData\Local\HhFcEWh\FileHistory.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 1920

C:\Windows\system32\RdpSaUacHelper.exe
  command line: C:\Windows\system32\RdpSaUacHelper.exe
  PID: 1628

C:\Users\Admin\AppData\Local\wEeE7UHW\RdpSaUacHelper.exe
  command line: C:\Users\Admin\AppData\Local\wEeE7UHW\RdpSaUacHelper.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 2740
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 76KB
MD5: 6fff8baa880c9fe7f4444fd7ae9c7663
SHA1: 918a6474d9e9df22c00be6f5b528c47dbbcbf4e9
SHA256: 774efb39deba8ecf1cb96e3f7b35ab12e7ac8284136e7398213f7004d48ebc6d
SHA512: c715b8cc14c620451eabdb65b8a01f2d4c5996831a7aa299902619ae7aefbb54ff63997c68f304e719dfb872a94a375ab026a0398545c86ddcb4bee3c36ba068

Filesize: 199KB
MD5: 71c68c1755a51168a641b72db88e21f0
SHA1: 753b07aa014cad800684e28656044b4c8ebf5e7d
SHA256: 62231cb8fa31621b1672fd9c3365005143ba2b839bb3ecf1aa389a4fd1e780e2
SHA512: c5a4b2068a10f773169557d64f4f5351ad617f973b3ae62c226b392fd13143e143be8bf3eff0dda5bc40ed25a3b115c830939b60b8453f95a5faa16bab0f551c

Filesize: 143KB
MD5: c0e2989a972a0fd1d863741a30c8d16a
SHA1: 4629c7156e11c138a8df21343498a5d88d4db6d8
SHA256: 2dcb4f1052cad7d06e2f9a467a238befb230ab769c948b75a0272cbe7dca85b7
SHA512: 90d2b252c4ad761f02f80b34bc2203733bc10418c591bcf82b8cb2a5c261fe82d6850e8431f5ad02e470ba55c1dd659f99a10ff9afde7f30ea2b7188339d26c7

Filesize: 136KB
MD5: e0a462cbc5d21ecbe2c1ed4cd4d00fe4
SHA1: 73e86bccfcd35662d4ad390617bde1eb4cb30c35
SHA256: b256e55e0e5a2b76867661090fd0bca5e0b8b74bb9dd8dadae86b1bdd9e3f52b
SHA512: 86eed1fcf56fb48ac300973e9ad6d6fb90a436c74e85552b3f2b53d067e983c781e5e156cf670f04611eb61f0ca8bb4e825446a8af8f69826cfd2b0480a18dbc

Filesize: 11KB
MD5: f860d9536a778bd6847453c8dff01b33
SHA1: 6982321f1ee69078ff24b6dbf1ff673183bb296b
SHA256: d6e6faad725b215cd10aa1b31727a6a0bc474cd8702b71e1480e8afceb6b5ac7
SHA512: c185e4f53a7f2c85e0035191aceee6585af7b750df5dbceafbdf93d099b258a25af9a45998fc2f34545cd9504a70f4bce5fd405e2230afadcbcb166e0069c575

Filesize: 11KB
MD5: 33cfc1a00fd09b900c9ca572409494ba
SHA1: 448741a0dda54d729b7925ce0b10a7398c7eeba1
SHA256: 2b56731e4390c3d88821cb3c20057219cf9e3d1a2affad8ae9c4470993d103dc
SHA512: b880b4ac89ca6fae9e448070d40d0212350d47e43aece4670817e9b27624ffd16f4f18de879947493eb55680454bbf7a81bc1ab60c9f3923e94e4e2369295344

Filesize: 13KB
MD5: 13551f0e862ff11791f590fbfb6c168f
SHA1: 4bc640fc6714ac477a52409085988eeea3111a7a
SHA256: d7ca3b728722ae4e2b1cc75b689b989f4938c2f333f8715bb5931743368d2156
SHA512: a4ec387c4755c26921e241e5fedc3f8f94a611c91c849e630383761bc431e4657095d0b6900e6d8e5826b6b38cd73ab39f7e66cca7c1cd90243bc1c3ea028a56

Filesize: 33KB
MD5: 0d5b016ac7e7b6257c069e8bb40845de
SHA1: 5282f30e90cbd1be8da95b73bc1b6a7d041e43c2
SHA256: 6a6fdd834af9c79c5ffc5e6b51700030259aeae535f8626df84b07b7d2cee067
SHA512: cd44d8b70fc67c692e6966b4ad86a7de9c96df0bade1b3a80cb4767be159d64f3cc04dc5934f7d843b15101865089e43b8aecabddc370b22caf0c48b56b3430e

Filesize: 206KB
MD5: 1466064bbfdff42e043f14a00f4cb2f6
SHA1: d119cf2d43815d2fc9fafcae94e26736ab821153
SHA256: ba47d9b2408117b7f48abadd4ff36f20a7358dfb34d9db221a28c3c9111cf3b8
SHA512: 71808dcb377ebda24d4914e4351649ba8b1ebd26887c5a620bbfea74717dcbfb1ac3ea9d9d9211966bb26bbb75c70e3ce3ebf89559efd55af488226691df3f8d

Filesize: 113KB
MD5: 0bc6f42d8f922c774b7ee4d90d99cfd9
SHA1: 16e71eb1bd9a777875f3c45fcf2f0c9580691e21
SHA256: 6520e561cf1f811574e23922f559e580742407796caf1c5100c55639b2e79a7e
SHA512: 10fcd908d21cb225dda27e3809dd69c0e4582f74ed5ea5f2fba8b8bfe47125582b4d650c6ce1b2c2e282f7aadb64f0929a8247ad649ac8e21b31f281d0f73485

Filesize: 2.5MB
MD5: aa8f6f8e186b92078204d1cb5c1459b0
SHA1: fe520c2e4e9eac5e73dd09ce0757a75281c5f32f
SHA256: c0c038a51c9d7c53ce5dfd505c421bc92e7931cd201a5374c6cae3965c0780cb
SHA512: 67ee8c0e59f00584501afee58b10e3d466bb1d110b85fa2ac98f0e4befe0d4b8a039ddf2ceec52b5bbf16cfbd17ecaf1aab7fc3503e5e410e6825c72731c9644

Filesize: 1KB
MD5: 1084a0430bc74734cb9de98d321905f2
SHA1: bfe1d4da7470285f2597a9ee9fac717743718aa0
SHA256: 685120edca3b6d6c6ed9866ebf8a591fab07a77dfe22d436f2d10bb5f84dce58
SHA512: e22ba8da75c090b1b305a48e9fb9121a17c1c88417b1bad65e5ba2fc20ff9e6c60ad024501f6f446c9631e72ebc15ef0f3815496efd48505ae20fa8e758e502d

Filesize: 2.5MB
MD5: de56ccf2370e278c425c1585c3cfa7d5
SHA1: 20b97859173fc6b89997501d29b800acf4579c8c
SHA256: 07a2781482a4cc8e88fc4eb4189be00dc1cf7d7f05d52f9257865a35a8e2a7bc
SHA512: 9ae0e3b0227ed95b28254b52cb972408e2a79011b0b230a530e9b3d2af3b70b55dbe71bacc986f2599e29aa1c81be78fb74ceddd9d2a671bb9d2a3acbb610d1f

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\D3S4bU\VERSION.dll
Filesize: 2.5MB
MD5: 8469e2e301699c9872ab52a393213a8d
SHA1: c0e3f6110939983923ca9958fd0171f52ab99d7b
SHA256: 3f7df7b9d11eb43a173a4d5aef3003004c2e89071b7148495f2cf4ba689521ab
SHA512: 8add8e569aa0c97a76a4cdaed6dc59c0ae28c1461157b92678fe77e5d4bf99cf47204f6ac8913f723fe3a2ed7e29d7d5f34f109ebef7e40eb4f97f9eca709853

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\D3S4bU\wscript.exe
Filesize: 166KB
MD5: a47cbe969ea935bdd3ab568bb126bc80
SHA1: 15f2facfd05daf46d2c63912916bf2887cebd98a
SHA256: 34008e2057df8842df210246995385a0441dc1e081d60ad15bd481e062e7f100
SHA512: f5c81e6dc4d916944304fc85136e1ff6dee29a21e50a54fe6280a475343eccbfe094171d62475db5f38e07898c061126158c34d48b9d8f4f57f76d49e564e3fc