Analysis
- max time kernel: 150s
- max time network: 142s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-01-2024 16:15
Static task: static1
Behavioral task: behavioral1
Sample: 6ae01647123bf97071130c123fe77e97.dll
Resource: win7-20231129-en
General
- Target: 6ae01647123bf97071130c123fe77e97.dll
- Size: 1.6MB
- MD5: 6ae01647123bf97071130c123fe77e97
- SHA1: b60d8943baf640b7bbc58e9f3639db832e430d2f
- SHA256: 2432a727b7612212c6c75b5114e832254e05720df6fd9d38b7993973e74efd9f
- SHA512: 79c82da530496865a77cd0bce988fe1e9e6b85ea71a951b478fbac3ff45ff86fe30c7aac23c5bcb33932e8ac9ff94899f33a40233fdaaf32b45ec66efdacc9c2
- SSDEEP: 12288:FVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:cfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
-
YARA rule match
Processes (resource, yara_rule):
behavioral2/memory/3488-4-0x0000000003310000-0x0000000003311000-memory.dmp | dridex_stager_shellcode
Executes dropped EXE 3 IoCs
Processes (pid, process):
5108 DWWIN.EXE
412 mmc.exe
4268 AtBroker.exe
Loads dropped DLL 3 IoCs
Processes (pid, process):
5108 DWWIN.EXE
412 mmc.exe
4268 AtBroker.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes (description, ioc, process):
Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gdfgjdhwrlpouj = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\gaWd\\mmc.exe" | (process not recorded)
Checks whether UAC is enabled
Processes (description, ioc, process):
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | DWWIN.EXE
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | mmc.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | AtBroker.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (pid, process):
3460 rundll32.exe (4 entries)
3488, process name not recorded (remaining 60 entries)
Suspicious use of AdjustPrivilegeToken 12 IoCs
Processes (description, pid, process):
Token: SeShutdownPrivilege | 3488 | process name not recorded (6 entries)
Token: SeCreatePagefilePrivilege | 3488 | process name not recorded (6 entries)
Suspicious use of FindShellTrayWindow 2 IoCs
Processes (pid, process):
3488, process name not recorded (2 entries)
Suspicious use of UnmapMainImage 1 IoCs
Processes (pid, process):
3488, process name not recorded
Suspicious use of WriteProcessMemory 12 IoCs
Processes (description, pid, process, target process); each relation is listed twice in the report:
PID 3488 wrote to memory of 5012 | 3488 | (not recorded) | DWWIN.EXE
PID 3488 wrote to memory of 5108 | 3488 | (not recorded) | DWWIN.EXE
PID 3488 wrote to memory of 4552 | 3488 | (not recorded) | mmc.exe
PID 3488 wrote to memory of 412 | 3488 | (not recorded) | mmc.exe
PID 3488 wrote to memory of 2144 | 3488 | (not recorded) | AtBroker.exe
PID 3488 wrote to memory of 4268 | 3488 | (not recorded) | AtBroker.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\rundll32.exe
Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\6ae01647123bf97071130c123fe77e97.dll,#1
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:3460
-
C:\Windows\system32\DWWIN.EXE
Command line: C:\Windows\system32\DWWIN.EXE
PID:5012
-
C:\Users\Admin\AppData\Local\BwMpPT\DWWIN.EXE
Command line: C:\Users\Admin\AppData\Local\BwMpPT\DWWIN.EXE
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:5108
-
C:\Windows\system32\mmc.exe
Command line: C:\Windows\system32\mmc.exe
PID:4552
-
C:\Users\Admin\AppData\Local\3KR2I7E\mmc.exe
Command line: C:\Users\Admin\AppData\Local\3KR2I7E\mmc.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:412
-
C:\Windows\system32\AtBroker.exe
Command line: C:\Windows\system32\AtBroker.exe
PID:2144
-
C:\Users\Admin\AppData\Local\XYO\AtBroker.exe
Command line: C:\Users\Admin\AppData\Local\XYO\AtBroker.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4268
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 1.3MB
MD5: 79356d312d8d82f29775db59d6b3f0f3
SHA1: af939287a3b83078d20c3a76624b61b77d01f7c2
SHA256: 8d2c77ac85ae39384819db2caff342c55089445b5686dd18afdcd08e4171b324
SHA512: 79903fdca6f3163a87d10398b591209c0d47f3faf727aafd12d76a63eb5b632640b6e3eed7ccff5f0e85e8b8ab5c8f9f848652a6d04253817bad0709fedf58c4
-
Filesize: 1.6MB
MD5: 4ea09ad9dd9bf86c096c31f2e513cab4
SHA1: fc8e89996202619a69d546866841dcea5cecc9ee
SHA256: 73d72fae7459949885c15baa739548c9cbfb1824a1ccaf54dfd6865c4612603c
SHA512: a48142a526ac6ec28f1ae2f12869fbcabef8718ed0f4f77253518a161b38e3dd0f88ff303760eb5f94762c121f0899d41b7b1097c7e06dcb77976534e592aa60
-
Filesize: 1.8MB
MD5: 8c86b80518406f14a4952d67185032d6
SHA1: 9269f1fbcf65fefbc88a2e239519c21efe0f6ba5
SHA256: 895eef1eda5700a425934ae3782d4741dfefb7deafa53891bde490150187b98a
SHA512: 1bbdaa3ae8b5716ad2bd517055533e286ddb8a6c23cbc7aa602143dbb1ae132b513088ab61527c49737c554269c51416cceb80206ac8128ac6b003f1864eb099
-
Filesize: 229KB
MD5: 444cc4d3422a0fdd45c1b78070026c60
SHA1: 97162ff341fff1ec54b827ec02f8b86fd2d41a97
SHA256: 4b3f620272e709ce3e01ae5b19ef0300bd476f2da6412637f703bbaded2821f0
SHA512: 21742d330a6a5763ea41a8fed4d71b98e4a1b4c685675c4cfeb7253033c3a208c23902caf0efdf470a85e0770cb8fac8af0eb6d3a8511445b0570054b42d5553
-
Filesize: 1.6MB
MD5: ccdbf456658a76a14f62060d4f43e782
SHA1: 78cac76bbb25d74e2d13c354b913e23d88f271c8
SHA256: 15205a8606a06e34f634bdda476b6bcc85dba604b7c66f6c8e65316bba2aba67
SHA512: f804f88e0fadf7d8de500bea71a0792deac2c8aa39367b9f80ad496f2aba73f595924b85f6ab37bc37d963e51a0a2fd736e1df382e432f6725e6a287348028fa
-
Filesize: 90KB
MD5: 30076e434a015bdf4c136e09351882cc
SHA1: 584c958a35e23083a0861421357405afd26d9a0c
SHA256: ae7b1e298a6e38f0a3428151bfc5565ede50a8d98dafaa147b13cf89c61f2ddd
SHA512: 675e310c2455acf9220735f34fa527afe87dac691e89cc0edc3c4659147e9fd223f96b7a3beea532047aa0ebc58880a7010343019a50aa73ce69a038e3592024
-
Filesize: 1.6MB
MD5: 4688097bc6ef275a2d6f2dfc3dc55bb9
SHA1: 26c86fd3d84d95eff280a0f48f3f1f51cb31cc5e
SHA256: be8a087a996543004b43b90976489810c4ece1f81c9ef92162a8ff3cb7309063
SHA512: 975abb809ce9033d1d2fe771e5a691ef693357f9d77e637a8e8ec122fa6e0868d92a0929bf65f4abd2f1a73cf7acacbf186ea82eb203ad274143fcaf0d75cc1b
-
Filesize: 1KB
MD5: df627a190baee262a53ae4f2949c68de
SHA1: 17bf53425d1906f3c83eb60f656be61f528d409d
SHA256: b45471affdd73f637fd9c0f593c5dabc6844397c4749d69d75c305c8c4a5e9e0
SHA512: 6a22bf776c2c7e5a2d9f7acdd25f61c1f22bef0cf296633f78f01ae7a52a04aca465ebf553cbe61bae298a8e906425bd5944d5d539eccfe134b3f008b1ff5123
-
Filesize: 1.6MB
MD5: fe91051803ed3d19c397aec8f8336a21
SHA1: ae1bb9ce42489d7ec5ce86b7565283f51ff393e5
SHA256: 5e36fe1acb0ebe3ed421982333dd9a4d625a61ca8a50531ec38e5d0ea1a4fc45
SHA512: b47ec126be30aa78cb8a3f6022994ce2f1295a33839a9c93ad4d491d74f8afe1a11dfbc1c83ea91fdded40b1e217cddac23453ad8d5adf8f104819119c263375