Analysis
max time kernel: 150s
max time network: 123s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-01-2024 03:30
Static task: static1
Behavioral task: behavioral1
  Sample: 69602855143bf25085262765aa2cd991.dll
  Resource: win7-20231215-en
General
Target: 69602855143bf25085262765aa2cd991.dll
Size: 1.7MB
MD5: 69602855143bf25085262765aa2cd991
SHA1: 0d84b772f3bb26d79fb722330554563a667b4c04
SHA256: 14c81cca53cfefe7eaaad66283b38b081c7e31c5bda2f3f0e0386f68f1d6c216
SHA512: b4801df13a886b77038eae6b4472dc8e4665c3cd2a3ada39e9bd25c921d0832ba76fcb68ede443c9cce5199225d09bcd173341629b1bb6ed810c708b22f8a912
SSDEEP: 12288:9VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:kfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
YARA rule match
  Processes:
    resource: behavioral2/memory/3528-4-0x0000000007F60000-0x0000000007F61000-memory.dmp
    yara_rule: dridex_stager_shellcode
Executes dropped EXE  3 IoCs
  Processes:
    pid   process
    2124  SystemSettingsAdminFlows.exe
    2056  SystemSettingsAdminFlows.exe
    3400  unregmp2.exe
Loads dropped DLL  3 IoCs
  Processes:
    pid   process
    2124  SystemSettingsAdminFlows.exe
    2056  SystemSettingsAdminFlows.exe
    3400  unregmp2.exe
Adds Run key to start application  2 TTPs  1 IoCs
  Processes:
    description: Set value (str)
    ioc: \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tgnmvdx = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\ACCESS~2\\AlVTlz\\SYSTEM~1.EXE"
Checks whether UAC is enabled
  Processes:
    description        ioc                                                                                    process
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  SystemSettingsAdminFlows.exe
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  SystemSettingsAdminFlows.exe
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  unregmp2.exe
Modifies registry class  2 IoCs
  Processes:
    description  ioc
    Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
    Key created  \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
Suspicious behavior: EnumeratesProcesses  64 IoCs
  Processes:
    pid   process
    4488  rundll32.exe  (x4)
    3528  (process name absent)  (x60)
Suspicious use of FindShellTrayWindow  2 IoCs
  Processes:
    pid   process
    3528  (process name absent)  (x2)
Suspicious use of UnmapMainImage  1 IoCs
  Processes:
    pid   process
    3528  (process name absent)
Suspicious use of WriteProcessMemory  12 IoCs
  Processes:
    description                       pid   target process
    PID 3528 wrote to memory of 3684  3528  SystemSettingsAdminFlows.exe  (x2)
    PID 3528 wrote to memory of 2124  3528  SystemSettingsAdminFlows.exe  (x2)
    PID 3528 wrote to memory of 2084  3528  SystemSettingsAdminFlows.exe  (x2)
    PID 3528 wrote to memory of 2056  3528  SystemSettingsAdminFlows.exe  (x2)
    PID 3528 wrote to memory of 4124  3528  unregmp2.exe  (x2)
    PID 3528 wrote to memory of 3400  3528  unregmp2.exe  (x2)
Uses Task Scheduler COM API  1 TTPs
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\69602855143bf25085262765aa2cd991.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID: 4488
C:\Windows\system32\SystemSettingsAdminFlows.exe
  Command line: C:\Windows\system32\SystemSettingsAdminFlows.exe
  PID: 3684
C:\Users\Admin\AppData\Local\PNg2Ui\SystemSettingsAdminFlows.exe
  Command line: C:\Users\Admin\AppData\Local\PNg2Ui\SystemSettingsAdminFlows.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 2124
C:\Windows\system32\SystemSettingsAdminFlows.exe
  Command line: C:\Windows\system32\SystemSettingsAdminFlows.exe
  PID: 2084
C:\Users\Admin\AppData\Local\q0lJQO\SystemSettingsAdminFlows.exe
  Command line: C:\Users\Admin\AppData\Local\q0lJQO\SystemSettingsAdminFlows.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 2056
C:\Windows\system32\unregmp2.exe
  Command line: C:\Windows\system32\unregmp2.exe
  PID: 4124
C:\Users\Admin\AppData\Local\RkSgnqjiZ\unregmp2.exe
  Command line: C:\Users\Admin\AppData\Local\RkSgnqjiZ\unregmp2.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 3400
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 169KB
MD5: d0546c4830e096ef58606e641e47dbb4
SHA1: 219f75fbd6a89378719257eefa19505a1f031d2e
SHA256: 2abc9984f2f6eee4a599810235e7a5323d59bce18147c9353ef10736458c0c4e
SHA512: 1b9b5129ef804b18a316fd8d8cf6b8c6903c16a111c64bc533c9fd38f6ddaaf4f66c75ee98571737acf5cb697896b0c1069cbae28fbf79bfbcb07515901b71c5

Filesize: 99KB
MD5: 1cd118ffa0726cc6d52ba3a30e54ca02
SHA1: 4c6f5fbb731e0db7d6bec435068f7840032019c0
SHA256: 288edd6eedb0a59875afe9f298c8c3093622c82eaf5ad5f62409bdc77435ac58
SHA512: f591b15f6431c820ce91cf07af6c5fc8cf214578f9049f36828a6357acaba8425c658f10ceab1eb8a863d56ee445fb06be615a60fff1f59e9a560d9f27f6f73d

Filesize: 26KB
MD5: 4d3ffb15f5fbb365f44e4311f01c0be3
SHA1: 3260bc68775cc3f8cbcad735569156444f714a2e
SHA256: 84f457e0dd7e4b222eeeb65f7516eed279d372052799c305812def75511a8e70
SHA512: ecac7bce370a4c0fd40b9bad4ed9ad9a45e956e1b930f71d4c126b04e64595e75f70ed0c7066c1ba014be61b932e22151e8394e5882d20a8a75c842055634db6

Filesize: 17KB
MD5: a16b33ad0238bfcc1dad29120617c303
SHA1: 3511ec7169d7c273d28647c6bd81ad516aa85ba6
SHA256: a2750ddccd49739d1896114d3784d90310d8f51eb63846870c79a03421626437
SHA512: e9664e1fd61cee27177ebd6cc4bd8bebbe268dad5f5e1d149d7ffdadabc5c21ba47e8c282dda921e563dd93a39fb4e548921171f1f10ba3fbcd5621576ad36ff

Filesize: 56KB
MD5: 753b4eb952ef4ad40fff6d629e7375b4
SHA1: a43f513da158fc08b6ca3d6ed7386d5f1e546467
SHA256: a0035356841a033d2b7008a777a84623e93d6df75a33ec9466e258c0e16ea86d
SHA512: 338f143ade45da7d8e39372bf5c7ce6fe57ee45663f3c781b4d3e5008a6c3a7cd0eb2952b1e66b573db2ec2ac4ad5772bad0a35b5f6ca22a8366d873bb6e86f2

Filesize: 90KB
MD5: 0eb7db93e6f576aefe118320067e2ee8
SHA1: ad654f9b9c95bf0dd9649bcafde5f38eba5f21ea
SHA256: 1fd6d15a91f6baf16a620415b2fb7fcd688d721abd46c8d7916b481c315e558e
SHA512: 30e1478e75020f0332891fba3e80b855ad9476c68f5b12185467b7f3069c7172b53e2504b3300f8414e0370c5963eb8c0dc207ba7474b6a6e3132bd6532705d9

Filesize: 33KB
MD5: 2d0e30b9e231693f77bec57dc601d6f6
SHA1: 41e7115645ca8b04efea9e962b776a38f4e93d41
SHA256: 69072c074b3ce44686c8aeef212334beef5e231c29c30b70303ae262f09b53f8
SHA512: a8544c7a6c911930467febc9433a99374f7594e476960ab242469c40672aa422a5b2b4cc12cba96b588998d818c7ca0a7bde711782e21cb836cdf608af7eceb0

Filesize: 64KB
MD5: af7c83528bc2dc5fc085efb7ec613155
SHA1: 46b6d23ee308a5990f3620dc68672ea5294039a2
SHA256: 45a34430795632cd804a5bca3017038e62ee9cd4e0c09a1ffd5d7f25785c2a37
SHA512: f2d1a6e440749a063665f89bf8706dd12ac2b53907e0ebee7ea6a8ff20e59cdaf22fb44a214a27dbd1b6568b28915fed184168f0bca20e4ac04602c6591e523a

Filesize: 74KB
MD5: dc10a29f073f93375a5eb6f90d24c88a
SHA1: e030546d41fe236a79f75b39d8f7d3d2e917a991
SHA256: a0a04956e01750079f378892788cdaa8faa6f173a1bd2fd81685f28249823b18
SHA512: a07fd0dcafde5cebb6df020533e4e160b7cfe13e16f196d737899dc47ea2079d1529504dbdc41f826e10ef32d5c002f2b65fbb2ae58118631bd00dcd26b79c21

Filesize: 149KB
MD5: 41f2b2f8cb3cdf4bca07ebe606ae60a2
SHA1: 2f2d288d8333ee031aca20387c2bd3da3e1f27c2
SHA256: af8d26d35ad4e0044c713a8c13335397772e0031259916a2962b78c018999765
SHA512: f3854907f0608740f88199fe950a754b14623e579b10bbd59750fcb8c153402c631a197bda50ce84d8d31708d0099c00ccc0ab868d5b74afe7f935dd4d05754e

Filesize: 76KB
MD5: e1f715b91192831cca3f8cd9a57151cd
SHA1: 508afaef0c7f952f6049eb1a8c75e30293f9e1a3
SHA256: 643cb338930be76c88919152f1b11d17e8685bb83a6f7d7127969ccfe9d736b7
SHA512: f9114bafc5b251926a8468f4770219b94b39d7e2c11fa2050dfe661fd002070db6333ca76697a03db58610ed018ba6f7f4fd4081f1b71bc1efce063c6d522f33

Filesize: 1KB
MD5: 8575ac6dee2801b196a8ce3b655cb8f8
SHA1: c3bb53f1cfe1361a6d1856c3d8b03f384200de1d
SHA256: 019ad295c9d8d9515d62946fc8197814471f8dba5082b90835d84a52a8a7589b
SHA512: 459e3b168c3fcee642a3253963405ec4e2684c0d9128a0f80117fb27ed1d2f36463640435c5677c491c31c470246dc2644c9874d665831714f4a1fa5a4bea78f

Filesize: 1.7MB
MD5: dfab52fcc9773b6a2fdd39bf7fb50eb9
SHA1: 2571c9c39478766c20e2b989279a3dc9c410239f
SHA256: 9159cf35b5dc3f86899215a89284c72b3cc14e238c2c832226456550b87638c3
SHA512: f7a4169cb6a96edfefaf66a57d3fb9b74088c21ce44fb2a490a955a566ce60ab33febe664a08cfe3f00ea3821762def33e4e0124470f63211c8327abee086b69

Filesize: 1.7MB
MD5: 4645e2975c4cdef057efdc23dad89f77
SHA1: acf8701415557b830856269feb774efdc52da38e
SHA256: 54cd89b456a69c574c6a12bdcce634a5b2c53b0e525d420c034026545b95c23b
SHA512: cf17e1814a30350dfb352d9e01e392b012259469ae772ceee3404ba17d11a672dc0ce551bc6193c83c48670e3bab7773124c7adef3109c838e61fb45500a00a1

Filesize: 2.0MB
MD5: 68d6a67e801da4c0ce1cd46bb9140c08
SHA1: cb6fc02e6ced75d2b8453ee7bedb6ad71ef2d4ad
SHA256: 157b4dc55b8355a7949a6f6f2ee7b7df542b6dcc138cf916639a87a6aaee3021
SHA512: a1de5b291fd36be5dafa8dc6900b68ed13ab273b33ccbc365f90d2d4c31ae34318649ab4bc38c3643c748cc456029306b4df016b94dcdcfb6ca8725d73bff453