Analysis
- max time kernel: 147s
- max time network: 160s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21-01-2024 16:02
Static task: static1
Behavioral task: behavioral1
- Sample: 6d6d6e2d25e5004f0487405fdb25a600.dll
- Resource: win7-20231215-en
General
- Target: 6d6d6e2d25e5004f0487405fdb25a600.dll
- Size: 1.4MB
- MD5: 6d6d6e2d25e5004f0487405fdb25a600
- SHA1: ef4b1bba3fc0114114c00180262f1404a88e66b0
- SHA256: 6c28f1dd1c3bbf1187846af408ba671bf0fb28984469e666b284d4f4b1c3a823
- SHA512: 8a8d615f34930e4eb5d717414e3443771caff2416815ed529ba4a0a2ec7fb5fe6637198d6482626dcd3f0edd428776a637c8608cc00fcbf35eff55812bd24608
- SSDEEP: 12288:FVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:cfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
- Yara rule match in process memory
  resource: behavioral2/memory/3540-4-0x0000000002AA0000-0x0000000002AA1000-memory.dmp
  yara_rule: dridex_stager_shellcode
- Executes dropped EXE (3 IoCs)
  pid   process
  3324  msra.exe
  3456  DWWIN.EXE
  3956  RdpSa.exe
- Loads dropped DLL (3 IoCs)
  pid   process
  3324  msra.exe
  3456  DWWIN.EXE
  3956  RdpSa.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gdfgjdhwrlpouj = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Collab\\553\\DWWIN.EXE"
- Checks whether UAC is enabled
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  by: rundll32.exe, msra.exe, DWWIN.EXE, RdpSa.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   process                     occurrences
  4680  rundll32.exe                6
  3540  (not named in the report)   58
- Suspicious use of UnmapMainImage (1 IoC)
  pid: 3540 (process not named in the report)
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 3540 wrote to memory of 2884 (msra.exe), twice
  PID 3540 wrote to memory of 3324 (msra.exe), twice
  PID 3540 wrote to memory of 3352 (DWWIN.EXE), twice
  PID 3540 wrote to memory of 3456 (DWWIN.EXE), twice
  PID 3540 wrote to memory of 4620 (RdpSa.exe), twice
  PID 3540 wrote to memory of 3956 (RdpSa.exe), twice
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\6d6d6e2d25e5004f0487405fdb25a600.dll,#1
  PID: 4680
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\msra.exe
  command line: C:\Windows\system32\msra.exe
  PID: 2884
- C:\Users\Admin\AppData\Local\kQjfp\msra.exe
  command line: C:\Users\Admin\AppData\Local\kQjfp\msra.exe
  PID: 3324
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\DWWIN.EXE
  command line: C:\Windows\system32\DWWIN.EXE
  PID: 3352
- C:\Users\Admin\AppData\Local\MNL7M7zBh\DWWIN.EXE
  command line: C:\Users\Admin\AppData\Local\MNL7M7zBh\DWWIN.EXE
  PID: 3456
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\RdpSa.exe
  command line: C:\Windows\system32\RdpSa.exe
  PID: 4620
- C:\Users\Admin\AppData\Local\JjoqkoObI\RdpSa.exe
  command line: C:\Users\Admin\AppData\Local\JjoqkoObI\RdpSa.exe
  PID: 3956
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
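The process tree above is the part of this report a hunter would turn into detection logic: three System32 binaries (msra.exe, DWWIN.EXE, RdpSa.exe) are launched a second time from freshly created folders under AppData\Local, and it is only those copies that carry "Executes dropped EXE" and "Loads dropped DLL"; the Run key under Signatures persists another copy of DWWIN.EXE under AppData\Roaming; and the initial loader is rundll32 calling export ordinal #1 of a DLL in Temp. The block below is an added example, not part of the sandbox output or of the sample; the event dictionaries are constructed from the tree and the Run-key IoC on this page, and the event field names, rule names and the SYSTEM_BINARIES list are assumptions (in production the binary list would come from a golden-image inventory).

```python
"""Added detection example over events constructed from the report above.
Event shape, rule names and SYSTEM_BINARIES are assumptions, not sandbox output."""
import re
from pathlib import PureWindowsPath

# Binaries the report shows running both from System32 and from new folders
# under the user profile. Assumed list; build it from a golden image in practice.
SYSTEM_BINARIES = {"msra.exe", "dwwin.exe", "rdpsa.exe", "rundll32.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# rundll32 loading a DLL from AppData\Local\Temp and calling an export by ordinal (",#N").
RUNDLL32_TEMP_ORDINAL = re.compile(
    r"rundll32(?:\.exe)?\s+\S*\\appdata\\local\\temp\\[^\s,]+\.dll,#\d+",
    re.IGNORECASE,
)

# Constructed events modelled on the report's process tree and Run-key IoC.
# The report does not name the process that wrote the Run key, so that event has no pid.
EVENTS = [
    {"kind": "process", "pid": 4680, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\6d6d6e2d25e5004f0487405fdb25a600.dll,#1"},
    {"kind": "process", "pid": 2884, "image": r"C:\Windows\system32\msra.exe",
     "cmdline": r"C:\Windows\system32\msra.exe"},
    {"kind": "process", "pid": 3324, "image": r"C:\Users\Admin\AppData\Local\kQjfp\msra.exe",
     "cmdline": r"C:\Users\Admin\AppData\Local\kQjfp\msra.exe"},
    {"kind": "process", "pid": 3352, "image": r"C:\Windows\system32\DWWIN.EXE",
     "cmdline": r"C:\Windows\system32\DWWIN.EXE"},
    {"kind": "process", "pid": 3456, "image": r"C:\Users\Admin\AppData\Local\MNL7M7zBh\DWWIN.EXE",
     "cmdline": r"C:\Users\Admin\AppData\Local\MNL7M7zBh\DWWIN.EXE"},
    {"kind": "process", "pid": 4620, "image": r"C:\Windows\system32\RdpSa.exe",
     "cmdline": r"C:\Windows\system32\RdpSa.exe"},
    {"kind": "process", "pid": 3956, "image": r"C:\Users\Admin\AppData\Local\JjoqkoObI\RdpSa.exe",
     "cmdline": r"C:\Users\Admin\AppData\Local\JjoqkoObI\RdpSa.exe"},
    {"kind": "registry", "pid": None,
     "key": r"\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gdfgjdhwrlpouj",
     "data": r'"C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Collab\553\DWWIN.EXE"'},
]


def system_binary_outside_system_dirs(image: str) -> bool:
    """A System32 binary name executing from a directory other than System32/SysWOW64.
    Matches the three copies in the tree; the originals (2884, 3352, 4620) must stay quiet."""
    p = PureWindowsPath(image)
    return p.name.lower() in SYSTEM_BINARIES and str(p.parent).lower() not in SYSTEM_DIRS


def rundll32_ordinal_from_temp(cmdline: str) -> bool:
    """rundll32 given a DLL under AppData/Local/Temp plus an ordinal export (#N)."""
    return RUNDLL32_TEMP_ORDINAL.search(cmdline) is not None


def run_key_persists_system_binary_in_profile(key: str, data: str) -> bool:
    """Run value whose target is a System32 binary name living under a user's AppData.
    AppData Run entries alone are common for legitimate software; the relocated
    system binary is the stronger signal, so both conditions are required."""
    if "\\currentversion\\run\\" not in key.lower():
        return False
    target = PureWindowsPath(data.strip().strip('"'))
    return target.name.lower() in SYSTEM_BINARIES and "\\appdata\\" in str(target).lower()


def triage(events):
    """Return (rule, subject) pairs: the pid for process events, the value name for registry events."""
    hits = []
    for e in events:
        if e["kind"] == "process":
            if system_binary_outside_system_dirs(e["image"]):
                hits.append(("system_binary_outside_system_dirs", e["pid"]))
            if rundll32_ordinal_from_temp(e["cmdline"]):
                hits.append(("rundll32_ordinal_from_temp", e["pid"]))
        elif e["kind"] == "registry":
            if run_key_persists_system_binary_in_profile(e["key"], e["data"]):
                hits.append(("run_key_persists_system_binary_in_profile", e["key"].rsplit("\\", 1)[-1]))
    return hits


if __name__ == "__main__":
    for rule, subject in triage(EVENTS):
        print(f"{rule}: {subject}")
```

Run as a script it reports five hits: the rundll32 loader (4680), the three profile-resident copies (3324, 3456, 3956) and the Run value Gdfgjdhwrlpouj. The System32 originals stay silent, which is the point of keying on the image path rather than the name alone. PID 3540, which owns the yara hit and all twelve WriteProcessMemory calls, is not named anywhere in the tree, so nothing here attributes the Run-key write to it.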
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 56KB
  MD5: 5992f5b5d0b296b83877da15b54dd1b4
  SHA1: 0d87be8d4b7aeada4b55d1d05c0539df892f8f82
  SHA256: 32f60eabe54c4d0cd0f0ec29f48f55ca1ad097bf35097247b186fd70426f847c
  SHA512: 4f6da913af530301da1d0638aa2635ada446ebee6e27b5059db5c2b7fe439162ac3b1a595ecf4163a093890df9ac94d9085a53d8c991e48703f9d2691326e7e6
- Filesize: 1.4MB
  MD5: eec26e04b45dad57fafcb27ac62eeecf
  SHA1: 68029a8151014499ab334cca7d926f6ab49b3b03
  SHA256: 8304782d65bfa7ffe4845d0b3aac4483e80a7d0b6e973952a7156b343f1baea2
  SHA512: bc47d142f704926fa5f5979434f99a31f647e1f51b31dbfbc04f05d08b5c822a75b3cba8eee7873f809458a9fefa486225175d8afbd8f7976296ce80af142451
- Filesize: 229KB
  MD5: 444cc4d3422a0fdd45c1b78070026c60
  SHA1: 97162ff341fff1ec54b827ec02f8b86fd2d41a97
  SHA256: 4b3f620272e709ce3e01ae5b19ef0300bd476f2da6412637f703bbaded2821f0
  SHA512: 21742d330a6a5763ea41a8fed4d71b98e4a1b4c685675c4cfeb7253033c3a208c23902caf0efdf470a85e0770cb8fac8af0eb6d3a8511445b0570054b42d5553
- Filesize: 1.4MB
  MD5: 66ca5a0eaf9e1bf0a134f662fa2ce506
  SHA1: 20d8862053be86331311621939d4e6e8cb862eae
  SHA256: 7090ac75b5724e680cfacd55fc25c64ac72024d7579225259fce7160c12e2004
  SHA512: c92a306c9e7ca9ba12f01e3c1f58ac6017323c2daa81a6f3c1fb5cf651f691adeb6b3fbc791bed27d1e2a12ac0bbe17a0f3a3e02889be166599372d526098330
- Filesize: 1.4MB
  MD5: 2fba5de7ba6b557726088ea7c8c84781
  SHA1: 77a388982aab793366cb89fa261c26f93b9d7ede
  SHA256: a365bb94cb6595eb832995201a3ae9882c24d44d7a47fb40bcce6202698a1105
  SHA512: da4454b10968f1d99cc1d279742b79ea276bbba1a01d21e4533baa84fa51f28713c978a32a1076498093883afbdac4eec4726ec485f3f495931bbf3814ffc66f
- Filesize: 579KB
  MD5: dcda3b7b8eb0bfbccb54b4d6a6844ad6
  SHA1: 316a2925e451f739f45e31bc233a95f91bf775fa
  SHA256: 011e1decd6683afe5f1e397fe9697f2cf592ae21766a7629e234682f721658ae
  SHA512: 18e8c99f8b86375627aba0d2b10cf4db24ee5ac61a3d6a73d382a83ec63217c7e455570d4fa7dcdbb188dcc73988689661f8cab2337ae8c615fa6bc9a08f71f5
- Filesize: 1KB
  MD5: b126b6c783d8f6e63c8b79d221394148
  SHA1: 5009faaf3de959c8a367f29924d34cb576ea4189
  SHA256: e44c5ac9655e84335d276050144819f118ea74f05428966148e9cc0a83896859
  SHA512: 38f60923e0a0546ac1bc047a955c137d071ae5db5e752e82fc7b37eea9d560857e4de0d02a5b2dffd90320cb38e7ac69ea51d4540cdeeac1454a9c9fcf8585c0