Analysis

max time kernel: 149s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-01-2024 18:50
Static task: static1
Behavioral task: behavioral1
  Sample: 6b2fb57199a0f55f49fc0b789c648d8f.dll
  Resource: win7-20231215-en
General

Target: 6b2fb57199a0f55f49fc0b789c648d8f.dll
Size: 660KB
MD5: 6b2fb57199a0f55f49fc0b789c648d8f
SHA1: e2f1f1f40061ab510d2660fae69a78718eaf2afd
SHA256: 91e3ce41002c675b3c1fb73ecb4b2c055d2560a0c909753a9ad1f26f47d1d2b0
SHA512: b4dbf4859b61a180b6d1473b065e7fc76153679e505f4cf9896a4757c34d088c4cb335421880aa702cb82ed29ae79b14f71045b56463d64f72741d99c39a84c4
SSDEEP: 6144:a34xznfAp4x+NWMqW/KZ1vCDTEpc2bysCZR6iwAtUnWKT5WK8Rpv1llfFfCRAuTF:aIKp/UWCZdCDh2IZDwAFRpR6Au
Malware Config
Signatures
YARA rule dridex_stager_shellcode matched in memory 1 IoCs
- behavioral2/memory/3492-3-0x00000000079E0000-0x00000000079E1000-memory.dmp

YARA rule dridex_payload matched in memory 10 IoCs
- behavioral2/memory/4480-0-0x00007FF9BCB90000-0x00007FF9BCC35000-memory.dmp
- behavioral2/memory/3492-14-0x0000000140000000-0x00000001400A5000-memory.dmp
- behavioral2/memory/3492-22-0x0000000140000000-0x00000001400A5000-memory.dmp
- behavioral2/memory/3492-33-0x0000000140000000-0x00000001400A5000-memory.dmp
- behavioral2/memory/4480-36-0x00007FF9BCB90000-0x00007FF9BCC35000-memory.dmp
- behavioral2/memory/3972-43-0x00007FF9ACE20000-0x00007FF9ACEC7000-memory.dmp
- behavioral2/memory/3972-48-0x00007FF9ACE20000-0x00007FF9ACEC7000-memory.dmp
- behavioral2/memory/4332-59-0x00007FF9ACDE0000-0x00007FF9ACECB000-memory.dmp
- behavioral2/memory/4332-64-0x00007FF9ACDE0000-0x00007FF9ACECB000-memory.dmp
- behavioral2/memory/2184-88-0x00007FF9ACE20000-0x00007FF9ACEC7000-memory.dmp
Executes dropped EXE 4 IoCs
- PID 3972 DisplaySwitch.exe
- PID 4332 WindowsActionDialog.exe
- PID 1616 wermgr.exe
- PID 2184 RdpSa.exe
Loads dropped DLL 3 IoCs
- PID 3972 DisplaySwitch.exe
- PID 4332 WindowsActionDialog.exe
- PID 2184 RdpSa.exe
Adds Run key to start application 2 TTPs 1 IoCs
- Set value (str): \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Kqgfxymewp = "C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\qNY6\WindowsActionDialog.exe" (the report does not record which process set it)
Checks whether UAC is enabled 4 IoCs
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA by rundll32.exe
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA by DisplaySwitch.exe
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA by WindowsActionDialog.exe
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA by RdpSa.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
- PID 4480 rundll32.exe (5 hits)
- PID 3492 (all remaining hits; the report does not record this process's image name)
Suspicious use of FindShellTrayWindow 2 IoCs
- PID 3492 (2 hits)

Suspicious use of UnmapMainImage 1 IoCs
- PID 3492
Suspicious use of WriteProcessMemory 16 IoCs
PID 3492 wrote to the memory of each target below twice:
- PID 2648 DisplaySwitch.exe
- PID 3972 DisplaySwitch.exe
- PID 4176 WindowsActionDialog.exe
- PID 4332 WindowsActionDialog.exe
- PID 3780 wermgr.exe
- PID 1616 wermgr.exe
- PID 2276 RdpSa.exe
- PID 2184 RdpSa.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

All entries sit at depth 1 of the tree; PID 3492, which the WriteProcessMemory signature shows writing into every one of them, is not itself listed. Each of the four System32 binaries is started once from its real location and once from a randomly named directory under C:\Users\Admin\AppData\Local; only the copies carry the Executes dropped EXE and Loads dropped DLL signatures.

C:\Windows\system32\rundll32.exe
Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\6b2fb57199a0f55f49fc0b789c648d8f.dll,#1
PID: 4480
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses

C:\Windows\system32\DisplaySwitch.exe
Command line: C:\Windows\system32\DisplaySwitch.exe
PID: 2648

C:\Users\Admin\AppData\Local\QUMqo\DisplaySwitch.exe
Command line: C:\Users\Admin\AppData\Local\QUMqo\DisplaySwitch.exe
PID: 3972
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled

C:\Windows\system32\WindowsActionDialog.exe
Command line: C:\Windows\system32\WindowsActionDialog.exe
PID: 4176

C:\Users\Admin\AppData\Local\7T2ZMC\WindowsActionDialog.exe
Command line: C:\Users\Admin\AppData\Local\7T2ZMC\WindowsActionDialog.exe
PID: 4332
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled

C:\Windows\system32\wermgr.exe
Command line: C:\Windows\system32\wermgr.exe
PID: 3780

C:\Users\Admin\AppData\Local\UCxVWA\wermgr.exe
Command line: C:\Users\Admin\AppData\Local\UCxVWA\wermgr.exe
PID: 1616
- Executes dropped EXE

C:\Windows\system32\RdpSa.exe
Command line: C:\Windows\system32\RdpSa.exe
PID: 2276

C:\Users\Admin\AppData\Local\WwQmMvro\RdpSa.exe
Command line: C:\Users\Admin\AppData\Local\WwQmMvro\RdpSa.exe
PID: 2184
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
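The two behaviors a responder would want to hunt for across other hosts are the ones the process tree and the Run key signature above expose: a System32 binary (DisplaySwitch.exe, WindowsActionDialog.exe, wermgr.exe, RdpSa.exe) executed from a randomly named directory under the user profile, and a Run value whose target is inside the user profile. The following is an added Python example, not part of this report or of the sandbox's own detection logic. The event dictionaries are a constructed transcription of the report's process tree and Run key IoC; the field names, the detector names and the `SIDELOAD_HOSTS` list are this example's own assumptions.

```python
import ntpath
import re

# Windows binaries this report shows being copied out of System32 and relaunched
# from randomly named directories under %LOCALAPPDATA%. A copy resolves DLL
# imports from its own directory first, which is what lets it load the dropped
# DLL beside it (the "Loads dropped DLL" signature). List is an assumption built
# from the four names in this report; extend it for other side-load hosts.
SIDELOAD_HOSTS = {"displayswitch.exe", "windowsactiondialog.exe", "wermgr.exe", "rdpsa.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Run / RunOnce autostart keys under any hive, and paths inside a user profile.
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\", re.I)
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\", re.I)


def check_process(event):
    """Flag a known side-load host executed from outside the system directories."""
    directory, name = ntpath.split(event["image"])
    if name.lower() in SIDELOAD_HOSTS and directory.lower() not in SYSTEM_DIRS:
        return {"type": "relocated_system_binary", "pid": event["pid"], "image": event["image"]}
    return None


def check_registry(event):
    """Flag a Run/RunOnce value whose data points into a user-writable directory."""
    if not RUN_KEY.search(event["key"]):
        return None
    target = event["data"].strip('"')
    if USER_WRITABLE.match(target):
        return {"type": "autorun_in_user_profile", "key": event["key"], "target": target}
    return None


def hunt(events):
    """Run both checks over a mixed list of process-creation and registry-set events."""
    findings = []
    for event in events:
        finding = check_process(event) if event["kind"] == "process" else check_registry(event)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample events transcribed from the process tree and the Run key IoC
# in this report; the "kind"/"image"/"key"/"data" field names are this example's own.
SAMPLE_EVENTS = [
    {"kind": "process", "pid": 4480, "image": r"C:\Windows\system32\rundll32.exe"},
    {"kind": "process", "pid": 2648, "image": r"C:\Windows\system32\DisplaySwitch.exe"},
    {"kind": "process", "pid": 3972, "image": r"C:\Users\Admin\AppData\Local\QUMqo\DisplaySwitch.exe"},
    {"kind": "process", "pid": 4176, "image": r"C:\Windows\system32\WindowsActionDialog.exe"},
    {"kind": "process", "pid": 4332, "image": r"C:\Users\Admin\AppData\Local\7T2ZMC\WindowsActionDialog.exe"},
    {"kind": "process", "pid": 3780, "image": r"C:\Windows\system32\wermgr.exe"},
    {"kind": "process", "pid": 1616, "image": r"C:\Users\Admin\AppData\Local\UCxVWA\wermgr.exe"},
    {"kind": "process", "pid": 2276, "image": r"C:\Windows\system32\RdpSa.exe"},
    {"kind": "process", "pid": 2184, "image": r"C:\Users\Admin\AppData\Local\WwQmMvro\RdpSa.exe"},
    {"kind": "registry",
     "key": r"\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Kqgfxymewp",
     "data": r'"C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\qNY6\WindowsActionDialog.exe"'},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

On the sample the four relocated copies (PIDs 3972, 4332, 1616, 2184) and the Run value are reported; the legitimate System32 launches and rundll32.exe are not. In production the same checks map onto Sysmon process-creation (event ID 1) and registry value-set (event ID 13) records. Note that the path check alone does not tell you whether the relocated file is an unmodified copy of the System32 binary; comparing its hash with the original on the same host is the follow-up that distinguishes side-loading from a trojanized executable.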
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 940KB
MD5: b37803173a15e02626fb9e093f49b610
SHA1: 7f5451bc32410aac999e84f3d24d7b86e5d43a0c
SHA256: 52b29c4abbbd3743e1249fd7e93ec4d09816e3ea305a6c840ad57947d4ad2bb1
SHA512: 951a0653b6f9a6d689fd8e671487591b4e813efb688c39d9a00a5044ec5b488613d9c11f5595c72ecce8f5db6df47cdac0fb04aabd364252f781cb72ed44a7c7

Filesize: 642KB
MD5: ec55b891bd2b159dc0c2b5e1ae1ebe9b
SHA1: 958813aa3864dca17099a853bbe5fd0d5e1b8f81
SHA256: b9acdf1463d2c13ec20b623355fd808f4a7d9bb6be4426110e594c37b633ee84
SHA512: e4f68f545b9da3a94a3fe253311f63cf2ca171e2175e943407d89841b7f5e032ee7e77798ea9d84151bd3c880bc1d00b14de3ecec3407fd984ed4fe80638b0f4

Filesize: 61KB
MD5: 73c523b6556f2dc7eefc662338d66f8d
SHA1: 1e6f9a1d885efa4d76f1e7a8be2e974f2b65cea5
SHA256: 0c6397bfbcd7b1fcefb6de01a506578e36651725a61078c69708f1f92c41ea31
SHA512: 69d0f23d1abaad657dd4672532936ef35f0e9d443caf9e19898017656a66ed46e75e7e05261c7e7636799c58feccd01dc93975d6a598cbb73242ddb48c6ec912

Filesize: 668KB
MD5: 2605b9de89f3edcdd8fd058adddbcd99
SHA1: 1e71cb29249cec1bc6ddbda164e9cba92397b9ef
SHA256: 36eeaf4907071cac6d4614b9f50f9fd1e73454678564461dd4b3237cc2a7deae
SHA512: a01ebb7995bafe98dfafc99419b57a59e4d296192eb2a1d545745e890044f29f64200e0537d7a0742a5cb2b369c2ca4a185a251ae403ef2ec58805d4afbee99c

Filesize: 580KB
MD5: 4c39e82694057109ead90a9bbd4cba08
SHA1: e43aa69cceb23435f4d1adf813603f0f4ed1dd94
SHA256: fb865caf3e62cdffa37a1df63fe3da429212a772f7157df8b78c8f664c600e82
SHA512: b6bd6fa8a5ba0474bc8695549195ad7fa922c0dca7afe3eac5acf0363b6fa463c94a4a3f2e37537ba1294f6aba22d943e14cdda09c4aa129c8c1f387d68e0603

Filesize: 1.2MB
MD5: ce0cd72771ba121f3635b4df8e11f879
SHA1: 6dae247f51326ec6261817bbf3dc27ccfb4230e6
SHA256: 1d9fbed21056ea7084ae6c447380de1bc8939d5281fe46e8da5a7e88c0bab26c
SHA512: e27ebe28452f9376e7bd0acc3b12065dab52a7d711aad7cfd371d4fbf5d426a32dcb4b4dc4d78f07ba4be2bdeed1e4dbacbba20ae54cc63503a5ba7fa7b3db53

Filesize: 223KB
MD5: f7991343cf02ed92cb59f394e8b89f1f
SHA1: 573ad9af63a6a0ab9b209ece518fd582b54cfef5
SHA256: 1c09759dcd31fdc81bcd6685438d7efb34e0229f1096bfd57d41ecfe614d07dc
SHA512: fa3cf314100f5340c7d0f6a70632a308fcadb4b48785753310a053a510169979a89637b8b4fedf4d3690db6b8b55146e323cad70d704c4e2ede4edff5284237d

Filesize: 56KB
MD5: 5992f5b5d0b296b83877da15b54dd1b4
SHA1: 0d87be8d4b7aeada4b55d1d05c0539df892f8f82
SHA256: 32f60eabe54c4d0cd0f0ec29f48f55ca1ad097bf35097247b186fd70426f847c
SHA512: 4f6da913af530301da1d0638aa2635ada446ebee6e27b5059db5c2b7fe439162ac3b1a595ecf4163a093890df9ac94d9085a53d8c991e48703f9d2691326e7e6

Filesize: 668KB
MD5: 68716a010cc7093f10b36d0c886ae030
SHA1: 75ffb8693bcbf4cafa0fba09a5302f2e0f2c1df6
SHA256: ff4144c8cc33129e3e51eb87174bb82e62597373df4f0a70832d3a598b473b8e
SHA512: b33b8fcd34e3a96097d428944e886d25dbe43638e098d45dbe1d883d144ff3398a7877b6d3915a19298294c2b3b1029faca642ebf41223ad63e6d0fea827c406

Filesize: 1KB
MD5: d8308189d11779b292aa535ae20751ad
SHA1: 63a4d20b5a20d2a578b763dcd043833be28bd5cb
SHA256: e07bd49f88b12fdc70fd13ea1867cb05b33310448964dca0ccc5ece142b7d99b
SHA512: 7e4b95c03497fdd7d215f15b87007f1b0263b6d48097c28f6d24aac2f3da339cc1219bd298c889918ac70ecb4fccf03117f0d9094e5b58aaf1406eb14eba6167