Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20231222-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-01-2024 10:27
Static task: static1
Behavioral task: behavioral1
- Sample: 6a2f78fd728fdf56e1674632e7f5a5ed.dll
- Resource: win7-20231215-en

The signature, memory-dump and process data on this page carry the behavioral2 label and come from the Windows 10 run described in the header; behavioral1 (win7-20231215-en) is listed here but its results are not shown.
General
- Target: 6a2f78fd728fdf56e1674632e7f5a5ed.dll
- Size: 1.5MB
- MD5: 6a2f78fd728fdf56e1674632e7f5a5ed
- SHA1: ff8ef932fc913e7f6affbaf71c85ef9e39651c7b
- SHA256: 7cdb42626487138e394194e7d97f06affc9a4cba685fca6d1a496bd1765140f9
- SHA512: 355a81750538976caaac04368d5bcfe05f31f8e22cf993a45e8ba54e113770c16a4ee36cf57f1b7b625bbd5d02b8c8c7d5e70f330e7861907844496ed23a9a44
- SSDEEP: 12288:lVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:8fP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
-
YARA match: dridex_stager_shellcode 1 IoCs
Processes:
  resource                                                                     yara_rule
  behavioral2/memory/3568-4-0x0000000002EC0000-0x0000000002EC1000-memory.dmp  dridex_stager_shellcode

The match is a single 4KB page (0x02EC0000-0x02EC1000) in PID 3568, a process that does not appear in the process tree below.
Executes dropped EXE 3 IoCs
Processes:
  pid   process
  4820  perfmon.exe
  4844  AtBroker.exe
  2112  cmstp.exe
Loads dropped DLL 4 IoCs
Processes:
  pid   process
  4820  perfmon.exe
  4844  AtBroker.exe
  2112  cmstp.exe
  2112  cmstp.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  description      ioc                                                                                                                      process
  Set value (str)  \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mbfbagbrjs = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Collab\\AYHA\\AtBroker.exe"  (not recorded)

Note that the persistence target is a copy of AtBroker.exe under %APPDATA%\Adobe\Acrobat\DC\Collab\AYHA\, a different location from the AtBroker.exe that ran during the analysis (C:\Users\Admin\AppData\Local\xF7yl\); hunting on the execution path alone would miss the persisted copy.
Checks whether UAC is enabled 4 IoCs
Processes:
  description        ioc                                                                                    process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  cmstp.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  perfmon.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  AtBroker.exe
Modifies registry class 2 IoCs
Processes:
  description  ioc                                                                                                                          process
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\                                   (not recorded)
  Key created  \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\  (not recorded)
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
  pid   process         entries
  2496  rundll32.exe    6
  3568  (not recorded)  58
Suspicious use of AdjustPrivilegeToken 8 IoCs
Processes:
  description                       pid   process         entries
  Token: SeShutdownPrivilege        3568  (not recorded)  4
  Token: SeCreatePagefilePrivilege  3568  (not recorded)  4
Suspicious use of UnmapMainImage 1 IoCs
Processes:
  pid   process
  3568  (not recorded)
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
  source pid  target pid  target process  entries
  3568        2540        perfmon.exe     2
  3568        4820        perfmon.exe     2
  3568        4592        AtBroker.exe    2
  3568        4844        AtBroker.exe    2
  3568        4756        cmstp.exe       2
  3568        2112        cmstp.exe       2

Every write originates from PID 3568 (the process holding the dridex_stager_shellcode match), and for each host binary it writes first into the System32 copy and then into the copy dropped under AppData\Local.
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\6a2f78fd728fdf56e1674632e7f5a5ed.dll,#1
  PID: 2496
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\perfmon.exe
  command line: C:\Windows\system32\perfmon.exe
  PID: 2540
-
C:\Users\Admin\AppData\Local\k2pQ\perfmon.exe
  command line: C:\Users\Admin\AppData\Local\k2pQ\perfmon.exe
  PID: 4820
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
-
C:\Users\Admin\AppData\Local\xF7yl\AtBroker.exe
  command line: C:\Users\Admin\AppData\Local\xF7yl\AtBroker.exe
  PID: 4844
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
-
C:\Users\Admin\AppData\Local\Aonz8\cmstp.exe
  command line: C:\Users\Admin\AppData\Local\Aonz8\cmstp.exe
  PID: 2112
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
-
C:\Windows\system32\cmstp.exe
  command line: C:\Windows\system32\cmstp.exe
  PID: 4756
-
C:\Windows\system32\AtBroker.exe
  command line: C:\Windows\system32\AtBroker.exe
  PID: 4592

All seven processes are recorded at the top level of the tree; PID 3568, the source of every WriteProcessMemory event and the owner of the memory region that matched dridex_stager_shellcode, is not listed. The sample is loaded by rundll32 from %TEMP% through export ordinal #1. Each legitimate System32 binary (perfmon.exe, AtBroker.exe, cmstp.exe) is paired with a copy of the same name running from a randomly named folder under C:\Users\Admin\AppData\Local\ that loads a dropped DLL: the DLL search-order hijacking (side-loading) pattern Dridex uses to run its payload inside a signed Microsoft host executable.
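The process tree above, together with the Run-key IoC, gives three observables worth turning into detections: a System32 binary name executing from a user-writable folder, rundll32 loading a DLL from Temp by ordinal, and a Run key whose target sits under AppData. The Python below is an added example written for this page; it is not part of the Triage report or of any Dridex tooling. The event dictionaries are constructed from the tree and IoCs above to stand in for Sysmon process-creation and registry events, and SYSTEM_BINARIES, TRUSTED_DIRS and the function names are assumptions made for the example.

```python
"""Added detection example for the side-loading and persistence pattern in this
report.  Not part of the Triage output; the events below are constructed from
the process tree and IoCs on the page to stand in for Sysmon-style telemetry."""
import re
from pathlib import PureWindowsPath

# Directories from which Windows system binaries are expected to execute.
TRUSTED_DIRS = {
    str(PureWindowsPath(r"C:\Windows\System32")).lower(),
    str(PureWindowsPath(r"C:\Windows\SysWOW64")).lower(),
}

# Basenames of the signed system binaries seen in the report.  In production
# this allowlist would be generated from a gold image; here it is an assumption.
SYSTEM_BINARIES = {"perfmon.exe", "atbroker.exe", "cmstp.exe", "rundll32.exe"}

# rundll32 <dll>,#<ordinal>: export invoked by ordinal rather than by name.
RUNDLL32_ORDINAL = re.compile(
    r"rundll32(?:\.exe)?\s+(?P<dll>\S+?\.dll),#\d+", re.IGNORECASE)

# Any ...\CurrentVersion\Run or RunOnce key, in Triage's \REGISTRY\ notation.
RUN_KEY = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE)


def masquerading_system_binary(image):
    """Flag a system-binary basename running from outside System32/SysWOW64.

    In the report perfmon.exe, AtBroker.exe and cmstp.exe each run from a random
    folder under %LOCALAPPDATA% and load a dropped DLL: search-order hijacking
    with a legitimate signed host."""
    p = PureWindowsPath(image)
    if p.name.lower() not in SYSTEM_BINARIES:
        return None
    if str(p.parent).lower() in TRUSTED_DIRS:
        return None
    return f"{p.name} executed from {p.parent}"


def rundll32_ordinal_export(cmdline):
    """Flag rundll32 calling a DLL by ordinal from a Temp directory."""
    m = RUNDLL32_ORDINAL.search(cmdline or "")
    if m is None or "\\temp\\" not in m.group("dll").lower():
        return None
    return f"rundll32 ordinal export from {m.group('dll')}"


def run_key_to_user_profile(key, value):
    """Flag a Run key whose target lives under a user profile's AppData."""
    if RUN_KEY.search(key) is None or "\\appdata\\" not in value.lower():
        return None
    name = key.rsplit("\\", 1)[-1]
    return f"{name} -> {value}"


def scan(events):
    """Run every rule over Sysmon-like event dicts; return (rule, pid, detail)."""
    findings = []
    for ev in events:
        if ev["type"] == "process":
            hit = masquerading_system_binary(ev["image"])
            if hit:
                findings.append(("masquerading_system_binary", ev["pid"], hit))
            hit = rundll32_ordinal_export(ev.get("cmdline"))
            if hit:
                findings.append(("rundll32_ordinal_export", ev["pid"], hit))
        elif ev["type"] == "registry":
            hit = run_key_to_user_profile(ev["key"], ev["value"])
            if hit:
                findings.append(("run_key_to_user_profile", ev.get("pid"), hit))
    return findings


# Constructed from the process tree and Run-key IoC above (not real telemetry).
SAMPLE_EVENTS = [
    {"type": "process", "pid": 2496, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\6a2f78fd728fdf56e1674632e7f5a5ed.dll,#1"},
    {"type": "process", "pid": 2540, "image": r"C:\Windows\system32\perfmon.exe",
     "cmdline": r"C:\Windows\system32\perfmon.exe"},
    {"type": "process", "pid": 4820, "image": r"C:\Users\Admin\AppData\Local\k2pQ\perfmon.exe",
     "cmdline": r"C:\Users\Admin\AppData\Local\k2pQ\perfmon.exe"},
    {"type": "process", "pid": 4844, "image": r"C:\Users\Admin\AppData\Local\xF7yl\AtBroker.exe",
     "cmdline": r"C:\Users\Admin\AppData\Local\xF7yl\AtBroker.exe"},
    {"type": "process", "pid": 2112, "image": r"C:\Users\Admin\AppData\Local\Aonz8\cmstp.exe",
     "cmdline": r"C:\Users\Admin\AppData\Local\Aonz8\cmstp.exe"},
    {"type": "process", "pid": 4756, "image": r"C:\Windows\system32\cmstp.exe",
     "cmdline": r"C:\Windows\system32\cmstp.exe"},
    {"type": "process", "pid": 4592, "image": r"C:\Windows\system32\AtBroker.exe",
     "cmdline": r"C:\Windows\system32\AtBroker.exe"},
    {"type": "registry", "pid": None,
     "key": r"\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mbfbagbrjs",
     "value": r"C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Collab\AYHA\AtBroker.exe"},
]

if __name__ == "__main__":
    for rule, pid, detail in scan(SAMPLE_EVENTS):
        print(f"{rule:28} pid={pid}  {detail}")
```

Running the module prints five findings: the three AppData copies of perfmon.exe, AtBroker.exe and cmstp.exe, the rundll32 ordinal load from Temp, and the Mbfbagbrjs Run key. The legitimate System32 instances (PIDs 2540, 4756, 4592) produce nothing, which is the point of keying on the directory rather than the image name. In production, build SYSTEM_BINARIES from a gold image's System32 listing and feed real Sysmon Event ID 1 and 13 records instead of the constructed list.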
Network
MITRE ATT&CK Enterprise v15
Downloads

Two of the artifacts are 1.5MB, the same size as the submitted DLL, but neither shares its hashes; filenames are not recorded on this page.

- 43KB
  MD5: b90297b55e8f8c637eb7d69795195ab0
  SHA1: 1c9b28d28835dff3f0e0eb43f85ba1fa646289f1
  SHA256: 504cb151da1368d82c2ba240e157b8a86c98f40c63447227728f2e64caa8e237
  SHA512: 9ce702783670a58ff360afb1a32e7f2ce021a83ec063f7fe670b1a975bf31a1e7463551021cc1e24acc0c0103af956b4df9c127d167e4443c75052ed8eef3faa
- 83KB
  MD5: 584dfebea572ae3cf1b7e86444963dd0
  SHA1: d6b00c19149cc1a46b5db72875b9aa578c853a53
  SHA256: 40d5f163eacb49949668fe59ef34c6d251f7e77d8d55ed7928fb40dfe0874ec7
  SHA512: 645864e6d6ca61b261d19bd76989a2091e672172a69332a587d6d38cfe54959a79afb7a61095e685448cfcb61c23139be8f8e26a416a734878dd227e75acbe2d
- 11KB
  MD5: 24b7cb24c31a13bc43668da56c5f4583
  SHA1: 6419166cecf5de471b2d07c6b43ec74be376089a
  SHA256: 85916e2a2cf525ed8d90f7886ac3be6a0d0b5f9230a5585cf0271014e247b462
  SHA512: db3a08a024f70f3fd338d03ff313d30394555754387c356da99ff0b40a49c0656b39c09971d0fb53c19c495ad3b97b52c49bc059823e8a478a646cdedad9bf81
- 34KB
  MD5: b978cea86173c8e1916fb7a8fe2703c5
  SHA1: a21c5bb3ed04eb271e8c9be4057aaaeb02d1fcd2
  SHA256: c9ba7e6c7ec87ef7b9da3cf9520c3825b1f5997185420eaf8b19a73441c05557
  SHA512: edfc6b3f8bca0daa63cdcc1965d308a9697527dcb12c96119f93b9f661561387f4f123c9cac3cd0a0d9767a16c6b79273daa67c57f2ab3249a42965dc9d256e3
- 4KB
  MD5: b45b65c2b646c1b3f60b02d798e0f794
  SHA1: f7a30ce65dcfb17d265802e30a501d876431fdee
  SHA256: 360155289b81affce160e03140f70289b1173d82aeef971811263434693d7e1b
  SHA512: 696c57611c21353594cd903324add7662064d63fcb9940c2832f742f74ba8a54f23e852f0c650afa3953aa4ad4c558cc0a491e975685a857e0c9637b8e72700a
- 20KB
  MD5: 3760b4ea0beca7a8f82aeafe3a3acc7b
  SHA1: 88e9e6a9e3979a264c7858f598dbc3cde69990d7
  SHA256: 64b78af1cf1743871ea11ce608ba31a7a072de29bd0c030105912e313b4c3a4b
  SHA512: 1cb0f17db28f32dff47092d34e94e0322de597d8876dda04b74a131373ec3493ceeacec6bb43d894b38ae3ae50f6e764e0f9436d70789dea011653f7830d6c18
- 101KB
  MD5: 35994a6de72e4b12cfdbf1b08d80ba68
  SHA1: 12f586b6e4d1fe7266a62569305fc324aa329b12
  SHA256: 5a28af788f16d8c45593a685ddc68d6cede3271ce5c5a60c81adb1bfcfbf8a5f
  SHA512: 43d169b7c58c3f91fe9bc63fc3491e7fd47c79c751e6988b4cb659493af7e57ba0b222afb2154cad865b01825cc1dc837511f0398a5add6f823dd23a16f0ecf7
- 104KB
  MD5: b591ca152d217c558a45a190c3d966eb
  SHA1: 888babdb6f0ff8251310c70fbc493a42c05d7d95
  SHA256: d0b6a45781a6c75412ddf1c27bf2a10b190bd3dc98e78bb550385435a2a95fcb
  SHA512: 9044c76e92bd5cc0be44f3ec95680ad684d2042ba6dda690d47cfcc22c5cd11a5927290097cb9d1a06acd59a75eb874d7453f053c1667846b5a17c9e3ae1a498
- 47KB
  MD5: 0c9766f959a6116c1aa38266151d8e7b
  SHA1: 59ea5062a442a3f6d78a4b834dfc9c5c256bd950
  SHA256: 8214b63c77618690bfcfef9c6dfaf031f3bedc77dfdcf87d729b14fa343fa466
  SHA512: 55295727c28204f5280adbe74defc55dcba1e58b300733ad7ca200fa043238b020e511320a5776936c541549cad192e6af8b74ba6af9e7d05094627e45d0e234
- 22KB
  MD5: 2c89af2c66a3c4087d0005788a4cdf4b
  SHA1: 41751daf5f1f351a59b2dd11d8741e6165ba5efd
  SHA256: 345484aa84a45191c057f46a596ceffce17b7931c80e3319cd0d03483defada3
  SHA512: d768ed78f7d24d325ae17abc5476f1cd8085f056b4dbebbc4932673bcaa90e27cbc1f14f097d5655d406d83e3b775955048f9ca0dc1d597ca2c60789a2a6ef05
- 1KB
  MD5: 1ecc7c9e10dcf56cf55472a777d953c4
  SHA1: 3ee5ff4e545f76a82bd1e6ecc99149af871140f5
  SHA256: 1b3d2e66d1e333e6796f6af5a481fb6a6dc1838dd4c902f54c6c595a6a55ee89
  SHA512: 1b5cc9b633c25ba33f69c8eacfc38cdf983cc3ee71a8cca2b6df0b3ecb3cc1b0eb7d34c8b1b111e1a89c2162bef3ad447688b5f7a5b70ebe3d8b8664528a3c39
- 26KB
  MD5: 4844e2b1fd9854b0adc44d37fe1b0243
  SHA1: 3b47f5bdfbd135bc77ebe22c923a9b81c5a885b3
  SHA256: c437b3cf5c8db623f193cdac6f36ebfe8ce49177386f09b30b4c8f81c7fb3fb3
  SHA512: 8fa9599dea6750fe695d92d53a4366713bebadba0e3916f05c18779f8c0e341db7037fd697916d08994bea0a04f009e39ab33d79cd9fd908940e71b2babdbaaa
- 31KB
  MD5: cd462add91a35db5e427296fac96165b
  SHA1: 5c590d013d1af81cd6ca260e27947e0e837fd502
  SHA256: 61bc182737c670fa68bd81efb5beeb36f8023a4eadc6400c6a72c7ddf6b4361b
  SHA512: 7945c9830d16dab5d96a97a35bc611ed72386a19048c1361eaac055f305f4859a84eb24a81c1181b9bae31c0ad77103cd7b4f1b8bdbb3aa6957063e72a564c63
- 1.5MB
  MD5: 2d8de8c9e3b2ecc4242ae9ecf3f81e51
  SHA1: 1ddfd5c948a75b20b643c0ce1e67f8e92357a73f
  SHA256: db3f808790f7ba90df5dba62df5b320219acfc436e555c7df3643c222163ac20
  SHA512: 0a39c72abe8f1d02e7c2d52ab5c3856111251f6b3de0036b1b69ce2d43c9829339af52dfba1fd9c6d9ba8b41da5b4900cb23fcaf1d76a965768cd3a58e5fe58f
- 1KB
  MD5: 3417e097af440429e40c69c5d3f5c95b
  SHA1: 1bb85e2a69bb76503da3a10b5048995ffbd2a5fb
  SHA256: 217fdbec5a1b720b4e60fc921d18ca71ab65fb6fa30ad3ef2cf9ba0aa07b8849
  SHA512: 31e0ec7a15307dd16968c63d06c2b2d01f419b11243152fb4d4d6e6c02bf0200d782226e31de48d17329d7960556af3f7cb88f0475f95c4a68683a1fb0a53d93
- 818KB
  MD5: dacdbaff0663f5d7f5e0098c535c696c
  SHA1: 70012ae3c924161af945d127353c733e99ccdcb6
  SHA256: 7ffe97f8175627bb8a55be101bb90cdf4737ef88945127502495e0751a05893c
  SHA512: 11331174a8085dd7263180cd28f38080f0c3c01d11d2909b12f9cab8ac37036d7f989d93e2ef52c6fece67cc338809218d95b9488d4e03cb31a3b3e9fade11ea
- 1.5MB
  MD5: 206792accb4bb6603c5d5f7c2194f8e3
  SHA1: d53c824de2793907b934ec94c0510b425aa5dc6f
  SHA256: 39ec527367bb28256012c31f928c9d224a933173b716ac62deeb916f388e7a3b
  SHA512: 33923cb50f8a52dde17727585c7111aab875d0a83a68030856fe05d90aea0d3a750ad155155f9bf1ce338bd197f7e571202bbf68a38f31848a85b486cfa3d6f1