Analysis

max time kernel: 151s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64 arch:x86 image:win10v2004-20231215-en locale:en-us os:windows10-2004-x64 system
submitted: 21-01-2024 09:39

Static task: static1
Behavioral task: behavioral1
Sample: 6cf99878a472700f873bfe4ba861b27e.dll
Resource: win7-20231215-en
General

Target: 6cf99878a472700f873bfe4ba861b27e.dll
Size: 1.6MB
MD5: 6cf99878a472700f873bfe4ba861b27e
SHA1: 0b3c08f07d5cdc9b5d916ac6588361d426bc0d5f
SHA256: 770fabafd2e9368ab8dfdcce39b8dfde8df9439be93f5fc9184c90206dae4d16
SHA512: bed1c895105fca948804d5cdb88b5146a13d03eb1dde422c21810e055a94ec7a10898b2d0b79827a0dbd404fc8b50f7474b0f5acb759bf0d843d4d56cc4d1513
SSDEEP: 12288:4VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:tfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config

Signatures

Processes (resource, yara_rule):
behavioral2/memory/3440-5-0x0000000003680000-0x0000000003681000-memory.dmp  dridex_stager_shellcode

Executes dropped EXE 3 IoCs
Processes (pid, process):
1160 quickassist.exe
4048 DWWIN.EXE
3260 mblctr.exe

Loads dropped DLL 3 IoCs
Processes (pid, process):
1160 quickassist.exe
4048 DWWIN.EXE
3260 mblctr.exe

Adds Run key to start application 2 TTPs 1 IoCs
Processes (description, ioc, process):
Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gdfgjdhwrlpouj = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\ACCESS~1\\wFYO7\\DWWIN.EXE"
Checks whether UAC is enabled
Processes (description, ioc, process):
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA rundll32.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA quickassist.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA DWWIN.EXE
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA mblctr.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (pid, process):
3952 rundll32.exe (6 entries)
3440 (remaining entries; no process name captured)

Suspicious use of AdjustPrivilegeToken 8 IoCs
Processes (description, pid, process):
Token: SeShutdownPrivilege 3440
Token: SeCreatePagefilePrivilege 3440
Token: SeShutdownPrivilege 3440
Token: SeCreatePagefilePrivilege 3440
Token: SeShutdownPrivilege 3440
Token: SeCreatePagefilePrivilege 3440
Token: SeShutdownPrivilege 3440
Token: SeCreatePagefilePrivilege 3440

Suspicious use of FindShellTrayWindow 2 IoCs
Processes (pid, process):
3440
3440

Suspicious use of UnmapMainImage 1 IoCs
Processes (pid, process):
3440

Suspicious use of WriteProcessMemory 12 IoCs
Processes (description, pid, process, target process):
PID 3440 wrote to memory of 2060  3440  quickassist.exe
PID 3440 wrote to memory of 2060  3440  quickassist.exe
PID 3440 wrote to memory of 1160  3440  quickassist.exe
PID 3440 wrote to memory of 1160  3440  quickassist.exe
PID 3440 wrote to memory of 928  3440  DWWIN.EXE
PID 3440 wrote to memory of 928  3440  DWWIN.EXE
PID 3440 wrote to memory of 4048  3440  DWWIN.EXE
PID 3440 wrote to memory of 4048  3440  DWWIN.EXE
PID 3440 wrote to memory of 1812  3440  mblctr.exe
PID 3440 wrote to memory of 1812  3440  mblctr.exe
PID 3440 wrote to memory of 3260  3440  mblctr.exe
PID 3440 wrote to memory of 3260  3440  mblctr.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Windows\system32\rundll32.exe
Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\6cf99878a472700f873bfe4ba861b27e.dll,#1
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID: 3952

C:\Windows\system32\quickassist.exe
Command line: C:\Windows\system32\quickassist.exe
PID: 2060

C:\Users\Admin\AppData\Local\85KW\quickassist.exe
Command line: C:\Users\Admin\AppData\Local\85KW\quickassist.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID: 1160

C:\Windows\system32\DWWIN.EXE
Command line: C:\Windows\system32\DWWIN.EXE
PID: 928

C:\Users\Admin\AppData\Local\FqtjT5EE6\DWWIN.EXE
Command line: C:\Users\Admin\AppData\Local\FqtjT5EE6\DWWIN.EXE
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID: 4048

C:\Windows\system32\mblctr.exe
Command line: C:\Windows\system32\mblctr.exe
PID: 1812

C:\Users\Admin\AppData\Local\nGSSjjB\mblctr.exe
Command line: C:\Users\Admin\AppData\Local\nGSSjjB\mblctr.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID: 3260
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1.6MB
MD5: f0023d97c9b777bac1f115ac01afed64
SHA1: 4d9558a9e07b2c8575aab6cfef2787b1e7d64433
SHA256: a43125a1c812376d5bf61ab9cc38c2933335f7a9c2a340392bf1e1007a140223
SHA512: 672fc416ad2d3f169877160670f952e2f6bd9d15ba5e7089dbc229e1a02fc1064190b1d561a956af7861ab55eb84e57b078ec3ceb7e010a2e47b1d53e103f8f7

Filesize: 665KB
MD5: d1216f9b9a64fd943539cc2b0ddfa439
SHA1: 6fad9aeb7780bdfd88a9a5a73b35b3e843605e6c
SHA256: c1e8fda00da574e8759ba262d76b6edc1d5f4a80620730ef0be7527e0d803db2
SHA512: c5fd7d81d1d478056fcbed0ba887ce551832f0104e7c31753c3c8760b4d63f38324f74e996684042acc8f9682fce8a8c85172741a868257e87d5e0f988c4e567

Filesize: 229KB
MD5: 444cc4d3422a0fdd45c1b78070026c60
SHA1: 97162ff341fff1ec54b827ec02f8b86fd2d41a97
SHA256: 4b3f620272e709ce3e01ae5b19ef0300bd476f2da6412637f703bbaded2821f0
SHA512: 21742d330a6a5763ea41a8fed4d71b98e4a1b4c685675c4cfeb7253033c3a208c23902caf0efdf470a85e0770cb8fac8af0eb6d3a8511445b0570054b42d5553

Filesize: 1.6MB
MD5: 6e2870da5d8fcb41cb744071f4c5adae
SHA1: 03cf0a58405c394baf8021d5a0702f18801c699e
SHA256: 61a54e740f5fb0620408b131a424fe4271799e5b2c9553bd2a531f2bc60bd4db
SHA512: 6f6765ca268535e1cc584c5950890fea3def6cd740eaee6112467ea868d261c291973625a2a573089b33d6eabe024fc0cded0ff5cc7c316d6993ed179dc57ea8

Filesize: 1.6MB
MD5: 239f513539b485b114d9a0815ae4afe9
SHA1: 762bda55c5556f8972fb65856244dbff6fc20e47
SHA256: 27ed7ff3725fac4d5eb83234e880e544dd3c2696edcd84f20b25921409d4a9d0
SHA512: 3d3a6ba168afb20a01834966329f2d683e380e2aee124b79def7ff9eab10592515fc61eae4de7d09131552b84eaa020299975ee004b813311a9a5035fe0122b4

Filesize: 790KB
MD5: d3db14eabb2679e08020bcd0c96fa9f6
SHA1: 578dca7aad29409634064579d269e61e1f07d9dd
SHA256: 3baa1dc0756ebb0c2c70a31be7147863d8d8ba056c1aa7f979307f8790d1ff69
SHA512: 14dc895ae458ff0ca13d9c27aa5b4cfc906d338603d43389bb5f4429be593a587818855d1fe938f9ebebf46467fb0c1ab28247e8f9f5357098e8b822ecd8fffe

Filesize: 1KB
MD5: 3251cc23f2eeaa910c71ee60cfed9ffa
SHA1: 03cf67d9afcdab0055d0cd443031053a15e1fe0d
SHA256: 2e1cbdcfabec6a5183e49064abbb92a8f2f18702dd4aaa7d219a218f0a104dbb
SHA512: d3767959d706215a971535633f03c3ad459fece525907e3345658d055c8db37c6d0f0dbbc1d108d8789b7c35a0a399d43ceed52923a2adab5fac7e3185ca43e5