Analysis
max time kernel: 151s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-01-2024 17:41
Static task: static1
Behavioral task: behavioral1
Sample: 6b0a5e806359b4b92fc00861e1bf8bff.dll
Resource: win7-20231215-en
General
Target: 6b0a5e806359b4b92fc00861e1bf8bff.dll
Size: 3.2MB
MD5: 6b0a5e806359b4b92fc00861e1bf8bff
SHA1: a4fccec989a80717b2561e7ee9e049406e6d8449
SHA256: 7687e9f3abc61ee051493a66f54044eea80c149788100ff4295211af104676cb
SHA512: 491512bfc8cf2ceabe5d36137820711af46091bbbf64751eb93f0a90361ee8a347959b6227a77285ebf8528d9e12ff9f1d2175df9039c99f3586070859bfae66
SSDEEP: 12288:rVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:qfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
-
Processes:
resource: behavioral2/memory/3516-4-0x0000000002E70000-0x0000000002E71000-memory.dmp
yara_rule: dridex_stager_shellcode
- Executes dropped EXE (3 IoCs)
Processes:
pid 4996 ddodiag.exe
pid 1832 EaseOfAccessDialog.exe
pid 1436 SystemSettingsAdminFlows.exe
- Loads dropped DLL (3 IoCs)
Processes:
pid 4996 ddodiag.exe
pid 1832 EaseOfAccessDialog.exe
pid 1436 SystemSettingsAdminFlows.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
Set value (str) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Loeeeopgcaia = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations\\CAS2M1KTt\\EaseOfAccessDialog.exe"
- Checks whether UAC is enabled
Processes:
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA by rundll32.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA by ddodiag.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA by EaseOfAccessDialog.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA by SystemSettingsAdminFlows.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
pid 4040 rundll32.exe (4 entries)
pid 3516, no process name recorded (remaining 60 entries)
- Suspicious use of UnmapMainImage (1 IoCs)
Processes:
pid 3516
- Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
PID 3516 wrote to memory of 4528 (ddodiag.exe), 2 entries
PID 3516 wrote to memory of 4996 (ddodiag.exe), 2 entries
PID 3516 wrote to memory of 1724 (EaseOfAccessDialog.exe), 2 entries
PID 3516 wrote to memory of 1832 (EaseOfAccessDialog.exe), 2 entries
PID 3516 wrote to memory of 2868 (SystemSettingsAdminFlows.exe), 2 entries
PID 3516 wrote to memory of 1436 (SystemSettingsAdminFlows.exe), 2 entries
- Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\6b0a5e806359b4b92fc00861e1bf8bff.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID: 4040
- C:\Windows\system32\ddodiag.exe
  command line: C:\Windows\system32\ddodiag.exe
  PID: 4528
- C:\Users\Admin\AppData\Local\2iF5zG\ddodiag.exe
  command line: C:\Users\Admin\AppData\Local\2iF5zG\ddodiag.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 4996
- C:\Windows\system32\EaseOfAccessDialog.exe
  command line: C:\Windows\system32\EaseOfAccessDialog.exe
  PID: 1724
- C:\Users\Admin\AppData\Local\ygDgV5C1\EaseOfAccessDialog.exe
  command line: C:\Users\Admin\AppData\Local\ygDgV5C1\EaseOfAccessDialog.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 1832
- C:\Windows\system32\SystemSettingsAdminFlows.exe
  command line: C:\Windows\system32\SystemSettingsAdminFlows.exe
  PID: 2868
- C:\Users\Admin\AppData\Local\duSHcq\SystemSettingsAdminFlows.exe
  command line: C:\Users\Admin\AppData\Local\duSHcq\SystemSettingsAdminFlows.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 1436
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\8148Is\9fEWSgBS\DUI70.dll
Filesize: 3.5MB
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\8148Is\XmlLite.dll
Filesize: 3.2MB