Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20231222-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-01-2024 02:11
Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: 661942dec5f555ea16390ab0b8805570.dll
  Resource: win7-20231215-en
General
- Target: 661942dec5f555ea16390ab0b8805570.dll
- Size: 848KB
- MD5: 661942dec5f555ea16390ab0b8805570
- SHA1: 1c0cf8507b8ab448424fe88f164143291e17f4d8
- SHA256: 9fc724df4f2ae0f2d2b3a04540cf737782e0b77e296a03ec25418f3f36f05a6b
- SHA512: 09353633455251bb230592ca21328a63cee419b11b2d28ff9d2ad0da6b3b55d6a4c9614e3f99502001b6444e0e19ed8d0dcecd7a079bf5cd30f148f455be4606
- SSDEEP: 12288:wkbQEkWqv+157EYfxarhwLNuR7ek1tHffB/HzTyNQ6NIeGYr/R:wkbHkWfzZ5adwLNGeStHntqN7v
Malware Config
Signatures
- YARA memory match (resource / yara_rule):
  behavioral2/memory/3424-3-0x00000000076C0000-0x00000000076C1000-memory.dmp  dridex_stager_shellcode
- YARA memory matches (resource / yara_rule):
  behavioral2/memory/3696-0-0x00007FFDD21C0000-0x00007FFDD2294000-memory.dmp  dridex_payload
  behavioral2/memory/3424-19-0x0000000140000000-0x00000001400D4000-memory.dmp  dridex_payload
  behavioral2/memory/3424-27-0x0000000140000000-0x00000001400D4000-memory.dmp  dridex_payload
  behavioral2/memory/3424-38-0x0000000140000000-0x00000001400D4000-memory.dmp  dridex_payload
  behavioral2/memory/3696-40-0x00007FFDD21C0000-0x00007FFDD2294000-memory.dmp  dridex_payload
  behavioral2/memory/5028-48-0x00007FFDC1D80000-0x00007FFDC1E55000-memory.dmp  dridex_payload
  behavioral2/memory/5028-53-0x00007FFDC1D80000-0x00007FFDC1E55000-memory.dmp  dridex_payload
  behavioral2/memory/1136-64-0x00007FFDC2450000-0x00007FFDC2525000-memory.dmp  dridex_payload
  behavioral2/memory/1136-69-0x00007FFDC2450000-0x00007FFDC2525000-memory.dmp  dridex_payload
  behavioral2/memory/1508-85-0x00007FFDC2450000-0x00007FFDC2525000-memory.dmp  dridex_payload
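Each dump name above encodes the PID, a dump sequence number and the bounds of the matched region, so the region sizes can be recovered and compared with the file sizes listed under Downloads. The following Python is an added example, not part of the sandbox report: it parses the hit strings, collapses repeated dumps of the same region, and labels regions whose size equals one of the on-disk sizes exactly (the sandbox reports whole KB, taken here as 1024 bytes). The check against 0x140000000 relies on that address being the MSVC linker's default image base for 64-bit executables, a general fact and not something the report states; the size labels are my own.

```python
import re
from collections import defaultdict

# YARA memory-dump hits copied from the signature tables above (behavioral2 run).
YARA_HITS = """\
behavioral2/memory/3424-3-0x00000000076C0000-0x00000000076C1000-memory.dmp dridex_stager_shellcode
behavioral2/memory/3696-0-0x00007FFDD21C0000-0x00007FFDD2294000-memory.dmp dridex_payload
behavioral2/memory/3424-19-0x0000000140000000-0x00000001400D4000-memory.dmp dridex_payload
behavioral2/memory/3424-27-0x0000000140000000-0x00000001400D4000-memory.dmp dridex_payload
behavioral2/memory/3424-38-0x0000000140000000-0x00000001400D4000-memory.dmp dridex_payload
behavioral2/memory/3696-40-0x00007FFDD21C0000-0x00007FFDD2294000-memory.dmp dridex_payload
behavioral2/memory/5028-48-0x00007FFDC1D80000-0x00007FFDC1E55000-memory.dmp dridex_payload
behavioral2/memory/5028-53-0x00007FFDC1D80000-0x00007FFDC1E55000-memory.dmp dridex_payload
behavioral2/memory/1136-64-0x00007FFDC2450000-0x00007FFDC2525000-memory.dmp dridex_payload
behavioral2/memory/1136-69-0x00007FFDC2450000-0x00007FFDC2525000-memory.dmp dridex_payload
behavioral2/memory/1508-85-0x00007FFDC2450000-0x00007FFDC2525000-memory.dmp dridex_payload
"""

# On-disk sizes reported elsewhere on this page (whole KB, taken as 1024 bytes). Labels are my own.
KNOWN_FILE_SIZES_KB = {"submitted DLL (848KB)": 848, "dropped 852KB file": 852}

# Default image base the MSVC linker assigns to 64-bit executables (general fact, not from the report).
DEFAULT_X64_EXE_BASE = 0x140000000

HIT_RE = re.compile(
    r"behavioral\d+/memory/(?P<pid>\d+)-(?P<seq>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp\s+(?P<rule>\S+)$"
)


def parse_hits(text):
    """One dict per dump-file hit: pid, dump sequence number, region bounds, size and matched rule."""
    hits = []
    for line in text.splitlines():
        m = HIT_RE.match(line.strip())
        if not m:
            continue
        start, end = int(m["start"], 16), int(m["end"], 16)
        hits.append({"pid": int(m["pid"]), "seq": int(m["seq"]), "start": start,
                     "end": end, "size": end - start, "rule": m["rule"]})
    return hits


def unique_regions(hits):
    """Collapse repeated dumps of the same region into one entry and count how often it was dumped."""
    counts = defaultdict(int)
    for h in hits:
        counts[(h["pid"], h["start"], h["end"], h["rule"])] += 1
    return [{"pid": k[0], "start": k[1], "end": k[2], "rule": k[3], "size": k[2] - k[1], "dumps": v}
            for k, v in sorted(counts.items())]


def size_matches_file(size_bytes, known=KNOWN_FILE_SIZES_KB):
    """Label of the reported file whose size in bytes equals the region size exactly, else None."""
    for label, kb in known.items():
        if kb * 1024 == size_bytes:
            return label
    return None


def annotate(regions):
    """Attach the file-size correlation and the default-image-base flag to each region."""
    for r in regions:
        r["file_match"] = size_matches_file(r["size"])
        r["at_default_exe_base"] = r["start"] == DEFAULT_X64_EXE_BASE
    return regions


def summarize(text=YARA_HITS):
    return annotate(unique_regions(parse_hits(text)))


if __name__ == "__main__":
    for r in summarize():
        print(f"pid={r['pid']:<5} 0x{r['start']:X} size=0x{r['size']:X} ({r['size'] // 1024}KB) "
              f"{r['rule']:<24} dumps={r['dumps']} file_match={r['file_match']} "
              f"default_exe_base={r['at_default_exe_base']}")
```

Run against the report's own hits, the arithmetic gives: the region in rundll32.exe (PID 3696) is 0xD4000 bytes, exactly 848KB, the size of the submitted DLL; the regions in the three dropped-binary processes (5028, 1136, 1508) are 0xD5000 bytes, exactly 852KB, the size of the three 852KB files under Downloads; PID 3424 carries both a 0x1000-byte stager region and a 0xD4000-byte payload region mapped at 0x140000000. The report does not name PID 3424, so the example only records the correlation and draws no further conclusion about it.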
Executes dropped EXE (3 IoCs)
- Processes (pid / process):
  5028  osk.exe
  1136  ie4ushowIE.exe
  1508  SystemPropertiesProtection.exe
Loads dropped DLL (3 IoCs)
- Processes (pid / process):
  5028  osk.exe
  1136  ie4ushowIE.exe
  1508  SystemPropertiesProtection.exe
Adds Run key to start application (2 TTPs, 1 IoC)
- Processes (description / ioc):
  Set value (str)  \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mbfbagbrjs = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Proof\\9T5KEHd\\ie4ushowIE.exe"
Checks whether UAC is enabled (4 IoCs)
- Processes (description / ioc / process):
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  ie4ushowIE.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  SystemPropertiesProtection.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  osk.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
- Processes (pid / process):
  3696  rundll32.exe  (4 entries)
  3424  (process name not recorded in the report)  (remaining 60 entries)
Suspicious use of AdjustPrivilegeToken (12 IoCs)
- Processes (description / pid), alternating over the 12 entries:
  Token: SeShutdownPrivilege       3424  (6 entries)
  Token: SeCreatePagefilePrivilege  3424  (6 entries)
Suspicious use of FindShellTrayWindow (2 IoCs)
- Processes (pid): 3424 (2 entries)
Suspicious use of UnmapMainImage (1 IoC)
- Processes (pid): 3424
Suspicious use of WriteProcessMemory (12 IoCs)
- Processes (description / pid / target process), each pair recorded twice:
  PID 3424 wrote to memory of 1484  3424  osk.exe
  PID 3424 wrote to memory of 5028  3424  osk.exe
  PID 3424 wrote to memory of 4376  3424  ie4ushowIE.exe
  PID 3424 wrote to memory of 1136  3424  ie4ushowIE.exe
  PID 3424 wrote to memory of 2972  3424  SystemPropertiesProtection.exe
  PID 3424 wrote to memory of 1508  3424  SystemPropertiesProtection.exe
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule an application to run at boot or at set times; the report records the API use but lists no task name or trigger.
Processes
All seven entries are at the same tree depth. The ",#1" argument to rundll32 calls the DLL's export at ordinal 1; the WriteProcessMemory signature above records PID 3424 (not named in the report) writing to each of the six non-rundll32 PIDs listed here.
- C:\Windows\system32\rundll32.exe (PID 3696)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\661942dec5f555ea16390ab0b8805570.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\osk.exe (PID 1484)
  Command line: C:\Windows\system32\osk.exe
- C:\Users\Admin\AppData\Local\jdg52\osk.exe (PID 5028)
  Command line: C:\Users\Admin\AppData\Local\jdg52\osk.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\ie4ushowIE.exe (PID 4376)
  Command line: C:\Windows\system32\ie4ushowIE.exe
- C:\Users\Admin\AppData\Local\HZCcvCJSG\ie4ushowIE.exe (PID 1136)
  Command line: C:\Users\Admin\AppData\Local\HZCcvCJSG\ie4ushowIE.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\SystemPropertiesProtection.exe (PID 2972)
  Command line: C:\Windows\system32\SystemPropertiesProtection.exe
- C:\Users\Admin\AppData\Local\bkdi\SystemPropertiesProtection.exe (PID 1508)
  Command line: C:\Users\Admin\AppData\Local\bkdi\SystemPropertiesProtection.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
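The process tree and the Run key entry above show three behaviours a detection engineer can express directly: a binary whose name also ran from System32 executing from a user-writable directory (the copies of osk.exe, ie4ushowIE.exe and SystemPropertiesProtection.exe under AppData\Local), rundll32 invoking a DLL export by ordinal from a user-writable path, and a Run key value pointing into the user profile. The following Python is an added example, not part of the sandbox report: it encodes those three rules and runs them over process-creation and registry records reconstructed from this page. The event dictionaries, the user-writable prefix list, the rule names and the helper functions are my own constructions; the paths, PIDs, SID and value name are taken from the report.

```python
import ntpath  # Windows path semantics regardless of the host OS
import re

# Process-creation records reconstructed from the process tree above
# (constructed sample events, not the sandbox's native output format).
PROCESS_EVENTS = [
    {"pid": 3696, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\661942dec5f555ea16390ab0b8805570.dll,#1"},
    {"pid": 1484, "image": r"C:\Windows\system32\osk.exe", "cmdline": r"C:\Windows\system32\osk.exe"},
    {"pid": 5028, "image": r"C:\Users\Admin\AppData\Local\jdg52\osk.exe",
     "cmdline": r"C:\Users\Admin\AppData\Local\jdg52\osk.exe"},
    {"pid": 4376, "image": r"C:\Windows\system32\ie4ushowIE.exe",
     "cmdline": r"C:\Windows\system32\ie4ushowIE.exe"},
    {"pid": 1136, "image": r"C:\Users\Admin\AppData\Local\HZCcvCJSG\ie4ushowIE.exe",
     "cmdline": r"C:\Users\Admin\AppData\Local\HZCcvCJSG\ie4ushowIE.exe"},
    {"pid": 2972, "image": r"C:\Windows\system32\SystemPropertiesProtection.exe",
     "cmdline": r"C:\Windows\system32\SystemPropertiesProtection.exe"},
    {"pid": 1508, "image": r"C:\Users\Admin\AppData\Local\bkdi\SystemPropertiesProtection.exe",
     "cmdline": r"C:\Users\Admin\AppData\Local\bkdi\SystemPropertiesProtection.exe"},
]

# Registry "Set value" record from the "Adds Run key" signature above (constructed record).
RUN_KEY_EVENTS = [
    {"key": r"\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000"
            r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mbfbagbrjs",
     "value": r"C:\Users\Admin\AppData\Roaming\Microsoft\Proof\9T5KEHd\ie4ushowIE.exe"},
]

SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# Simplification (my assumption): the user profile tree and ProgramData count as user-writable.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\")
RUNDLL32_ORDINAL_RE = re.compile(r"(?P<dll>\S+\.dll),#(?P<ordinal>\d+)", re.IGNORECASE)


def _norm(path):
    return ntpath.normpath(path).lower()


def in_system_dir(path):
    return ntpath.dirname(_norm(path)) in SYSTEM_DIRS


def is_user_writable(path):
    return _norm(path).startswith(USER_WRITABLE_PREFIXES)


def find_masquerading(events):
    """Flag a process whose image name also ran from System32/SysWOW64 in the same batch
    but which itself runs from a user-writable directory (copied system binary pattern)."""
    system_names = {ntpath.basename(_norm(e["image"])) for e in events if in_system_dir(e["image"])}
    findings = []
    for e in events:
        name = ntpath.basename(_norm(e["image"]))
        if name in system_names and not in_system_dir(e["image"]) and is_user_writable(e["image"]):
            findings.append({"pid": e["pid"], "rule": "system_binary_copied_to_user_dir",
                             "detail": e["image"]})
    return findings


def find_rundll32_ordinal_loads(events):
    """Flag rundll32 calling a DLL export by ordinal (,#N) when the DLL sits in a user-writable directory."""
    findings = []
    for e in events:
        if ntpath.basename(_norm(e["image"])) != "rundll32.exe":
            continue
        m = RUNDLL32_ORDINAL_RE.search(e["cmdline"])
        if m and is_user_writable(m["dll"]):
            findings.append({"pid": e["pid"], "rule": "rundll32_ordinal_export_from_user_dir",
                             "detail": f"{m['dll']} ordinal #{m['ordinal']}"})
    return findings


def find_run_key_persistence(reg_events):
    """Flag Run-key values whose target executable lives in a user-writable directory."""
    findings = []
    for r in reg_events:
        if "\\currentversion\\run\\" in r["key"].lower() and is_user_writable(r["value"]):
            findings.append({"pid": None, "rule": "run_key_to_user_writable_path", "detail": r["value"]})
    return findings


def run_all(events=PROCESS_EVENTS, reg_events=RUN_KEY_EVENTS):
    return (find_masquerading(events) + find_rundll32_ordinal_loads(events)
            + find_run_key_persistence(reg_events))


if __name__ == "__main__":
    for f in run_all():
        print(f"{f['rule']:<40} pid={f['pid']} {f['detail']}")
```

On the report's records this yields five findings: PIDs 5028, 1136 and 1508 for the copied system binaries, PID 3696 for the ordinal-1 export call on the DLL in Temp, and one for the Run key. Note that the Run key value points at C:\Users\Admin\AppData\Roaming\Microsoft\Proof\9T5KEHd\ie4ushowIE.exe while the copy that executed during the run lives under AppData\Local\HZCcvCJSG, so a hunt keyed on the exact execution path would miss the persistence path; the rules above key on directory class rather than exact path for that reason.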
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 852KB
  MD5: 38dea28f7bb585d0b83c3fcead8eeba8
  SHA1: f8f5d24fef8ffdf7a3a73a7b11f05899a421feb5
  SHA256: 72f582e9fe1c1f09a9596af39879991e745eafdf64c67e5c5983c0f1f190bab6
  SHA512: 16b87ebcdb7d23720a16fabb27cb28b7b9f13fb2e26e5842644d07ed40dc34ec440cd6bbf5b19a1f264b2810ace509ef2aa60be5f163f9bf5398ccc38590ae4c
- Filesize: 76KB
  MD5: 9de952f476abab0cd62bfd81e20a3deb
  SHA1: 109cc4467b78dad4b12a3225020ea590bccee3e6
  SHA256: e9cb6336359ac6f71ac75af2836efb28daa3bafd10a1f0b775dcdc2ec8850a6b
  SHA512: 3cbe50a146ca50b0657a78a2d89a34630c69823005668906785b2d2015cc6139c8dbbf7aefa5fe55957ef55ae06e758933b3b41eaf822e49dba3b7700582e2c9
- Filesize: 852KB
  MD5: 6f2e519200543f1da0aec2371fccd7c4
  SHA1: c463608ab6f6fbba6edfe9040037651282b1e4a8
  SHA256: f4658446fc238e4fa1bc740287ee5bab25035e00f60c027029d9fd060d53bf40
  SHA512: 8105a181d79df8fac16a2b2dc734f1ec0015bafdf488db229b1f13a5f1f7b5c653d557165abb555c32f05771de281d981b0af33331be2e127188894cbddafd90
- Filesize: 82KB
  MD5: 26640d2d4fa912fc9a354ef6cfe500ff
  SHA1: a343fd82659ce2d8de3beb587088867cf2ab8857
  SHA256: a8ddf1b17b0cbc96a7eaedb0003aa7b1631da09ebfe85b387f8f630222511b37
  SHA512: 26162a3d9d4a8e3290dbcf6fe387b5c48ab1d9552aa02a38954649d877f408cb282e57580f81e15128e3a41da0eb58328d1d6253e1b57232f9a8cecdd99991dc
- Filesize: 150KB
  MD5: b6512551747e9876b9547c207dfd8389
  SHA1: cfcb0bf5ff3ae088451234a75a7760d3337266f4
  SHA256: 6f6c948500d789448cddec12de1510f9e997f9b524733d2eeecc3cf83aee7297
  SHA512: 1afdcd620d220d5d04296e15a0c6f75fc988e2d29dc0b75d6ca0f027e11a38c03decaccf393fd3cd3c2d05eaf23d57c90f9ebbd4252aa90b9edbbb89812803ab
- Filesize: 554KB
  MD5: 0db40375dc6678268d93ffbfa66c7cb1
  SHA1: a0af55217b7107291ce53919f2458f4f467403ba
  SHA256: cddf7a539b857707e8b56331aef92cf0306a13aabbb857b450e5b0c0d5784da5
  SHA512: 32e4cf959a5b70f910abc8c68b25ffe4d7397d42bf45495e6a204d9e33e64a40ddec8fd606804b9d6512d99939c43c93cd9fb096ad99bdf82e44ddc700fed2d0
- Filesize: 638KB
  MD5: 745f2df5beed97b8c751df83938cb418
  SHA1: 2f9fc33b1bf28e0f14fd75646a7b427ddbe14d25
  SHA256: f67ef6e31fa0eaed44bfbab5b908be06b56cbc7d5a16ab2a72334d91f2bb6a51
  SHA512: 2125d021e6f45a81bd75c9129f4b098ad9aa15c25d270051f4da42458a9737bff44d6adf17aa1f2547715d159fb621829f7cd3b9d42f1521c919549cc7deb228
- Filesize: 1KB
  MD5: d4d52807eaa3fb768472736871747537
  SHA1: 7fd876f4421cc8e7aa3f80ffbd8ce304704c496e
  SHA256: 313912c765533400afc64b0ccd7750ef28d6dc68ec948dd8041a18140478651d
  SHA512: 17964e68ac55527df2c33a86188e9ce908d379624499b04abbe70bfbaf0c4c135c4c099ec9e78426da5edc26bc79e1f4a29f7a761c7af1dee8320abb47a5e203
- Filesize: 852KB
  MD5: 98dd877f454ff7b4ad0cbd50464ba354
  SHA1: c4f49bf8ddf5179e7d650d78b5b1f9d9d50eec42
  SHA256: 10e751e35a5505418729ebc4143b05c1c947494a9d5c79d5353b585eeba179a2
  SHA512: 9024715f684cf20cd2421fb10484d660735459c1070e48e72ee0fa6377577c15903d91c7f236e13d4b626026cf50e050297480ca8f1fb5a110091f4d6ed28cf4