Analysis
max time kernel: 85s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-01-2024 07:08
Static task: static1
Behavioral task: behavioral1
Sample: 69cd7320b88e1819f445bb8db3d0e43f.dll
Resource: win7-20231215-en
General
Target: 69cd7320b88e1819f445bb8db3d0e43f.dll
Size: 1.7MB
MD5: 69cd7320b88e1819f445bb8db3d0e43f
SHA1: 5564a3813c18c1a44a3808c4f148ff3cace908c7
SHA256: bcdd2a40691235cb270bc9cdcf08b99de975ddb77896eb02fd19508fdd2a57d5
SHA512: 9d357c5c0f48eac03bd63dbed69bf075054401a629e0ecd467a7a6ff6cbaa9081d90bcecb0c755361c3f0774ce43abd64463aad3230d5ba156af814e57735611
SSDEEP: 12288:6VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:nfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
Dridex stager shellcode in memory (yara rule dridex_stager_shellcode)
  resource: behavioral2/memory/3512-4-0x0000000002D70000-0x0000000002D71000-memory.dmp
Executes dropped EXE (3 IoCs)
  PID 3092 osk.exe
  PID 1400 sethc.exe
  PID 4296 MoUsoCoreWorker.exe
Loads dropped DLL (3 IoCs)
  PID 3092 osk.exe
  PID 1400 sethc.exe
  PID 4296 MoUsoCoreWorker.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tgnmvdx = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\fbesmd\\sethc.exe"
Checks whether UAC is enabled
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA by rundll32.exe, osk.exe, sethc.exe and MoUsoCoreWorker.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 2120 rundll32.exe (6 entries); PID 3512, process name not recorded (remaining entries)
Suspicious use of WriteProcessMemory (12 IoCs)
  PID 3512 wrote to memory of 2344 (target osk.exe), 2 entries
  PID 3512 wrote to memory of 3092 (target osk.exe), 2 entries
  PID 3512 wrote to memory of 1604 (target sethc.exe), 2 entries
  PID 3512 wrote to memory of 1400 (target sethc.exe), 2 entries
  PID 3512 wrote to memory of 4336 (target MoUsoCoreWorker.exe), 2 entries
  PID 3512 wrote to memory of 4296 (target MoUsoCoreWorker.exe), 2 entries
Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Windows\system32\rundll32.exe
  command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\69cd7320b88e1819f445bb8db3d0e43f.dll,#1
  PID: 2120
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
C:\Users\Admin\AppData\Local\Lzbkz\osk.exe
  command: C:\Users\Admin\AppData\Local\Lzbkz\osk.exe
  PID: 3092
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
C:\Windows\system32\osk.exe
  command: C:\Windows\system32\osk.exe
  PID: 2344
C:\Windows\system32\sethc.exe
  command: C:\Windows\system32\sethc.exe
  PID: 1604
C:\Windows\system32\MoUsoCoreWorker.exe
  command: C:\Windows\system32\MoUsoCoreWorker.exe
  PID: 4336
C:\Users\Admin\AppData\Local\Y4KQ\MoUsoCoreWorker.exe
  command: C:\Users\Admin\AppData\Local\Y4KQ\MoUsoCoreWorker.exe
  PID: 4296
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
C:\Users\Admin\AppData\Local\gxRt\sethc.exe
  command: C:\Users\Admin\AppData\Local\gxRt\sethc.exe
  PID: 1400
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
C:\Windows\system32\rundll32.exe
  command: "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
  PID: 2400
C:\Windows\System32\svchost.exe
  command: C:\Windows\System32\svchost.exe -k UnistackSvcGroup
  PID: 2396
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\A7\WINMM.dll
  Filesize: 84KB
  MD5: 389d8d5fc28377883482fcee982a9ff0
  SHA1: 7ff45a6d754d257e09f9a1a8cd43918dc27346f6
  SHA256: 8df16900f6d3119cbe26bed37fe7f98e2751b3d7b30639b59ff053a9a6f27715
  SHA512: ce7f24d02084d8ba5740ea8f6aaa4657361825e78d4f4897f1492491fcfb0ae88f4c67361ed86f622ae7e08e1e4822d1c02ac891c898941bacf7af04ddd319ac