Analysis
max time kernel: 148s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-01-2024 16:15
Static task: static1
Behavioral task: behavioral1
Sample: 6d744bbf016772634f87aa5fdf2fc9c5.dll
Resource: win7-20231215-en
General
Target: 6d744bbf016772634f87aa5fdf2fc9c5.dll
Size: 1.4MB
MD5: 6d744bbf016772634f87aa5fdf2fc9c5
SHA1: e1b3f458533b0b13502b8fdf2d07d05eb228b467
SHA256: d0c33dbcd2bc26465a2cdf232d5cfea8a77135f9572037c8a0fbe21ae5cd0c2c
SHA512: a7f14f70607bc4b4169427c833c0bb6b7aac746c13f7b990314d01086d4a2d0df2b57b8826afd2812543032484f37b737d652449784a12e8e9852782d5419410
SSDEEP: 12288:mVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:7fP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures

Processes:
resource: behavioral2/memory/3512-4-0x0000000003390000-0x0000000003391000-memory.dmp
yara_rule: dridex_stager_shellcode

Executes dropped EXE 3 IoCs
Processes:
pid process
4036 CustomShellHost.exe
1124 SystemSettingsAdminFlows.exe
3028 mmc.exe

Loads dropped DLL 3 IoCs
Processes:
pid process
4036 CustomShellHost.exe
1124 SystemSettingsAdminFlows.exe
3028 mmc.exe

Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mbfbagbrjs = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\pCYK9kIMWpy\\SystemSettingsAdminFlows.exe"
process: (not recorded in the report)

Checks whether UAC is enabled 4 IoCs
Processes:
description ioc process
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA rundll32.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA CustomShellHost.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA SystemSettingsAdminFlows.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA mmc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid process
2664 rundll32.exe (4 entries)
3512 (process name not recorded; all remaining entries)

Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
description pid process
Token: SeShutdownPrivilege 3512
Token: SeCreatePagefilePrivilege 3512
Token: SeShutdownPrivilege 3512
Token: SeCreatePagefilePrivilege 3512
Token: SeManageVolumePrivilege 3536 svchost.exe

Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
pid process
3512
3512

Suspicious use of UnmapMainImage 1 IoCs
Processes:
pid process
3512

Suspicious use of WriteProcessMemory 12 IoCs
Processes:
description pid process target process
PID 3512 wrote to memory of 2292 3512 CustomShellHost.exe
PID 3512 wrote to memory of 2292 3512 CustomShellHost.exe
PID 3512 wrote to memory of 4036 3512 CustomShellHost.exe
PID 3512 wrote to memory of 4036 3512 CustomShellHost.exe
PID 3512 wrote to memory of 732 3512 SystemSettingsAdminFlows.exe
PID 3512 wrote to memory of 732 3512 SystemSettingsAdminFlows.exe
PID 3512 wrote to memory of 1124 3512 SystemSettingsAdminFlows.exe
PID 3512 wrote to memory of 1124 3512 SystemSettingsAdminFlows.exe
PID 3512 wrote to memory of 4916 3512 mmc.exe
PID 3512 wrote to memory of 4916 3512 mmc.exe
PID 3512 wrote to memory of 3028 3512 mmc.exe
PID 3512 wrote to memory of 3028 3512 mmc.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

Image: C:\Windows\system32\rundll32.exe
Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\6d744bbf016772634f87aa5fdf2fc9c5.dll,#1
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID: 2664

Image: C:\Windows\system32\CustomShellHost.exe
Command line: C:\Windows\system32\CustomShellHost.exe
PID: 2292

Image: C:\Users\Admin\AppData\Local\P3idB\CustomShellHost.exe
Command line: C:\Users\Admin\AppData\Local\P3idB\CustomShellHost.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID: 4036

Image: C:\Windows\system32\SystemSettingsAdminFlows.exe
Command line: C:\Windows\system32\SystemSettingsAdminFlows.exe
PID: 732

Image: C:\Users\Admin\AppData\Local\8DdDb\mmc.exe
Command line: C:\Users\Admin\AppData\Local\8DdDb\mmc.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID: 3028

Image: C:\Windows\system32\mmc.exe
Command line: C:\Windows\system32\mmc.exe
PID: 4916

Image: C:\Users\Admin\AppData\Local\aN6s\SystemSettingsAdminFlows.exe
Command line: C:\Users\Admin\AppData\Local\aN6s\SystemSettingsAdminFlows.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID: 1124

Image: C:\Windows\system32\rundll32.exe
Command line: "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
PID: 2052

Image: C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k UnistackSvcGroup
- Suspicious use of AdjustPrivilegeToken
PID: 3536
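The process tree above shows a pattern worth turning into detection logic: CustomShellHost.exe, SystemSettingsAdminFlows.exe and mmc.exe each run once from System32 and once from a freshly created directory under AppData\Local, and only the AppData copies are tagged Executes dropped EXE and Loads dropped DLL; the Run key likewise points at a copy of SystemSettingsAdminFlows.exe under AppData\Roaming, and the sample itself is started by rundll32 through ordinal export #1 from %TEMP%. The Python below is an added example by the editor, not part of the sandbox report or of the Dridex sample, that runs three such checks over constructed process and registry events modelled on the IoCs in this report. The event field names, the SYSTEM_BINARY_NAMES allow-list, the writer PID of the Run value (the report leaves that column empty) and the benign OneDrive control event are all assumptions.

```python
import re

# Directories from which Windows' own binaries legitimately run (constructed allow-list).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Basenames of Windows system binaries. Constructed for this example; in a real
# deployment build it from a System32 listing on a golden image. It includes the
# three binaries this report shows being copied out of System32.
SYSTEM_BINARY_NAMES = {
    "customshellhost.exe", "systemsettingsadminflows.exe", "mmc.exe",
    "rundll32.exe", "svchost.exe", "explorer.exe",
}

# Anything under a user's AppData is writable by that user.
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\", re.I)
# rundll32 given a DLL path and an ordinal export (",#1"), quoted or not.
RUNDLL_ORDINAL = re.compile(
    r'rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+\.dll)"?,#(?P<ord>\d+)', re.I)
# Executable path at the start of a Run-key value, quoted or followed by arguments.
RUN_VALUE_PATH = re.compile(r'^"?(?P<path>[a-z]:\\[^"]*?\.exe)"?', re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def in_system_dir(path: str) -> bool:
    return path.lower().startswith(SYSTEM_DIRS)


def check_process(ev: dict) -> list:
    """Flag a system-binary name running outside System32 (a side-loading host)
    and rundll32 loading a DLL by ordinal from a user-writable directory."""
    findings = []
    image = ev["image"]
    if basename(image) in SYSTEM_BINARY_NAMES and not in_system_dir(image):
        findings.append(("sysbin_outside_system32", ev["pid"], image))
    m = RUNDLL_ORDINAL.search(ev.get("cmdline", ""))
    if m and USER_WRITABLE.match(m.group("dll")):
        findings.append(("rundll32_ordinal_user_dll", ev["pid"], m.group("dll")))
    return findings


def check_registry(ev: dict) -> list:
    """Flag a Run value whose target is a system-binary name inside the user profile."""
    if "\\currentversion\\run\\" not in ev["key"].lower():
        return []
    m = RUN_VALUE_PATH.match(ev["value"])
    if not m:
        return []
    path = m.group("path")
    if USER_WRITABLE.match(path) and basename(path) in SYSTEM_BINARY_NAMES:
        return [("run_key_sysbin_in_profile", ev["pid"], path)]
    return []


def scan(events: list) -> list:
    """Return (rule, pid, detail) tuples for every event that trips a check."""
    findings = []
    for ev in events:
        if ev["type"] == "process":
            findings.extend(check_process(ev))
        elif ev["type"] == "registry":
            findings.extend(check_registry(ev))
    return findings


def proc(pid: int, image: str, cmdline: str = None) -> dict:
    return {"type": "process", "pid": pid, "image": image, "cmdline": cmdline or image}


# Constructed sample telemetry modelled on the process tree and registry IoCs above.
# PIDs and paths follow the report; the writer PID of the Run value is assumed, and
# the OneDrive Run value is a benign control case (a legitimate AppData autostart).
EVENTS = [
    proc(2664, r"C:\Windows\system32\rundll32.exe",
         r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\6d744bbf016772634f87aa5fdf2fc9c5.dll,#1"),
    proc(2292, r"C:\Windows\system32\CustomShellHost.exe"),
    proc(4036, r"C:\Users\Admin\AppData\Local\P3idB\CustomShellHost.exe"),
    proc(732, r"C:\Windows\system32\SystemSettingsAdminFlows.exe"),
    proc(3028, r"C:\Users\Admin\AppData\Local\8DdDb\mmc.exe"),
    proc(4916, r"C:\Windows\system32\mmc.exe"),
    proc(1124, r"C:\Users\Admin\AppData\Local\aN6s\SystemSettingsAdminFlows.exe"),
    proc(2052, r"C:\Windows\system32\rundll32.exe",
         r'"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe'),
    {"type": "registry", "pid": 3512,
     "key": r"HKU\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mbfbagbrjs",
     "value": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\pCYK9kIMWpy\SystemSettingsAdminFlows.exe"},
    {"type": "registry", "pid": 1000,
     "key": r"HKU\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "value": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
]

if __name__ == "__main__":
    for rule, pid, detail in scan(EVENTS):
        print(f"{rule:28} pid={pid:<5} {detail}")
```

Each rule keys on a combination rather than a single attribute on purpose: the report itself contains a legitimate rundll32 call with an ordinal export (#141 against EDGEHTML.dll in System32), and AppData autostarts such as OneDrive are normal, so a system-binary name or an ordinal load only becomes a finding when it is paired with a user-writable path. Against the events above the three dropped copies, the initial rundll32 load and the Mbfbagbrjs Run value fire; the four System32 originals, the EDGEHTML call and the OneDrive control do not.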
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 323KB
MD5: 66d8bc9a5115e649edd1255682546285
SHA1: 6cc32f03971c35b761c1beb37582f83641aa2bba
SHA256: 140366a66d6fd7a27b79d1535c6c9fb45bb0d79942f99c4eac15ef29638ceb39
SHA512: a242b45946378bae379f78b71a36a5abd2e85d7ebc7f7044e0868898582dd402ce51bdca6bab2dcece934200309151a110641df31b90ba8ef759347d63e60725

Filesize: 1KB
MD5: a87d1d6dfe2c58a21e385a08c93f59ab
SHA1: f99c29d76d72df4905ad6f0aec8d7a156db679a9
SHA256: f18b073b85e18b852c9f9309e26e0ab1ec819cf5c44e6f88ebfac4847f35ec4d
SHA512: 3e0ae91de351014195f523fa9bd1d8e4b5eb9ef69cd79546f6aa01375545207344710086044baf11fd36112afd8d615c8a211b3bdacc6e89c8063d0fcf59c70d

Filesize: 279KB
MD5: 3e3a22ceb99c26c4c69fa685002510e3
SHA1: d130ba8fdc12dd888a7ac4552e5b77f7240e476a
SHA256: 8547aff38416da1be2359bc2bb7c49df90e070821748215334f750b985b0f3db
SHA512: df1cc8ca9ed2e930f33859ca4e4099cc93233cb0d33b2160c0294ed618fb2aed6eadfc6727103719beb71c09b24996546d758b36bc953acc18d3c499ff5c1e6b

Filesize: 235KB
MD5: 87fe2610a68552750f9046712660d8b7
SHA1: e807cbd8f418a9d1f3ff5ed732892a6831ff0a7d
SHA256: f439441b81a728d6b23ecd1322a4299a81a1c08cc8c95063bf56c8840eb894c7
SHA512: 2f87552cccd34b0eb84e450b61d619ba63c55dd1c9440d7c5ade0ee7efabc5e79a3ce50bd4e39e00f8e322cbfa6cc486a5099916e4f9a3fca7a55ccd4eb79d4a

Filesize: 141KB
MD5: 4f823b02373183704aafba71fd7f2f8b
SHA1: 061232659e8367069deb4dd9659117a542bf8659
SHA256: bb8ba795b4afefd5398c06c75de12756fb439bfe30ab71ea9adadd46a4519d57
SHA512: 1eae94e6cc8fe8462ee5feb6af791446cd37aafb9ecdcaefdc863e624bdf53be7c2c68ba0472942cd184daa4f1f7b6ad7def74b8fe2613a14c72d9edb3b0f06b

Filesize: 92KB
MD5: fc6f6f006f0baf6dee8ab1d07695684b
SHA1: 7d079fc485b394f12ae8a12e1975e1c50e00eb3d
SHA256: 5c7bfba9ab039bff5da77c99df2e9c3e6a8841eb5d18c09656bd786a64fea66b
SHA512: 3c53c5742bfe1348d7d7fae2b339fbc8f1fe485430cb5f9979bcc19edd590ed7232c0d4ebc3f121918984249552ffe5016a43c877eead7eb885dbfee7c29dc19

Filesize: 122KB
MD5: 1d4a429d23a09561e355dfd4fcba6f95
SHA1: 95aae76d594c648aa3294c6076d39511831aa8ce
SHA256: af71a4ed80432703f2c242c95b846863c2673013fb4dd4dc206e0480bc5b6d5c
SHA512: bbe1e326613560cb86eecc9440547872b2b246428a01c796be63e69e55bc1c109f1801ea94a0393181a364a9ce3a69e2d618378bd56f45407a12d1f7b20ee5ac

Filesize: 154KB
MD5: 01e94816a651a7fade4cc4d6bad61e9c
SHA1: 18daee1c251f6475a63a62b31083b912fe12503c
SHA256: b87646b99ca3441265ffdedb70cfcd40a7683fe2dd08a675585b1bebef0a26db
SHA512: b6267b13fc054444b31ffefb432ed0e369fb14110970c8342029cde0aaaa3e53891632b4a24a2b274244bfdac8f0233f5df901d6cfced753bcdc9f361c2d8827

Filesize: 170KB
MD5: e145906ef931cec3d9dee3dab719a424
SHA1: 3fc735c0d0a0dcf6799e71b0746df2f9ae99219a
SHA256: 0d42385abf0891086720003cf511e96682f1b8f37a8707b3b1fdb51f4f396113
SHA512: 1ca08daa1e71c18c4da5463c04bc1a93f5e662d9699f255a5c2b3f2fce93a7e0703d45e7a419ce87638a98213af699bb05c1af9e1ef7c9b0a3ba7e5aa05a2550

Filesize: 124KB
MD5: 5c633b86bf6bd0bea888d2c23656728b
SHA1: 0271bce2016448adaf53e7c08844674918f2108a
SHA256: e1d9928f9586a92216909b2bc70308730d00783bb4891d986aa9947cad3bac92
SHA512: 5334fc109c35379f1ed79b818fb0ff2f0d53031e3e079ba42c31fb5cd502f4963fcad6af929d1d7261bf97a75ee5a87d8d228d713bcd1093c2d2f7dc2a556481

Filesize: 133KB
MD5: 8a7cbf4160d0c27242d1688324926255
SHA1: fbfb7c54131d58d0e03cbbc91753e0a5f7b2d9c3
SHA256: 8dcf399ecdd5a47fc36004fa20547b3f5e6c8be6172e932c1e9bf30755cbbea6
SHA512: e58687e917f98c07f1bfca55ccecb516c1a61547958e66f36f8f33fd0e82d7237d99da208cd4742662b183b75890d2ff85060dfcb0edc3cd2085a36d6fbe0c7a

Filesize: 100KB
MD5: f776d493cf1209729850adaab83970a0
SHA1: beb5f0d58447c5d579d751a212a6d52b6ef3f9ec
SHA256: 7f121b1315bee099ea92093fb3403b5bf6171970e0ee2760beb40eda78eeae53
SHA512: 9b76fdebc9b7b7f1af0b263daf73d4e81e2387a865e21aef3cb12c0728d9836bb3b9cbd3a6f837cdf2f526c6579017bed8e536645f05183cdef7e8a69ef92e17

Filesize: 1KB
MD5: 8f5c75ecdc71ee2dde698a5bf4bd3be5
SHA1: 80f320f8a24a1b4a81424d4c68cb58c2c489998c
SHA256: d9ccb600a92ae4ca0c2277dcc01e6f5312d48dd16235c7f232ce829f8bbc6df7
SHA512: 04e7fcac25be3f954a521dde6da931be9fc62bf1ef89190a4759e2733b49922adba406279bf02550fa3e44981b31ef6a62d9831215ae33c73b948c6031095f12

Filesize: 1.4MB
MD5: 74d4e14b1e1ed6486b8e2db9f13ba2e4
SHA1: 4f24278e6f378f29858468ff870d53c51e4baefe
SHA256: 3cda882d10fd0d4201412339f09a2069b4bf11ed9b4fd9ae7820a4208d10160c
SHA512: 4f16b33a5ab4cedff64e51554d1622077a031c59cc4c65f54533b4f279f177b1823351432bd943dacfd7df06958d2fe23ee445e219754124d3decf304648dbb3

Filesize: 1.4MB
MD5: d0391dc12fdef7ccc1f2e18d246c4320
SHA1: 47c13787044c5bdb1f36f69a9f9eecca8a70430c
SHA256: bf8f16a4884ba0fb4898a7bb6602aca615148e58df207a3030f014eed4bb2387
SHA512: cb254a4561fd1bfe2024458ca91fa23b9405e5529120a43d1f61a5c18694f840aa8047cef127ea3bc394a88049f320263593212a54e12488c4ec8f687cc5cd40

Filesize: 133KB
MD5: 4f934448978b57ead4c1490821d19a88
SHA1: 0a7a426897d0d33893ca201de045174cc51da636
SHA256: c60004f0b6a6f046d6a5526d65ab74dd90d6eff96caf691f394d9984941b5253
SHA512: 73ad605305a7a9e99e6ccd0bd5f2b41c5c83bc342b7948ecc875e8e5db5c31cd400449de6e720dfbc7c14ee9675c50ac8c37b8cf6e888913e506bb4c2c652192

Filesize: 308KB
MD5: 16adbdebeba837320007478e082c2565
SHA1: 244ea71b4c11f982e4d1f0744355cd8217451e89
SHA256: 8f3d913afd92151d511b1285168db26c98751a140b38c7d8b3d9161145be11f1
SHA512: f4a140fd8f33dae3f6903dc2d2a30dac2ca47e15169d6f53afbe791c339a6c6e78040a3946c552e09423d659d68d452bb2b1645773f869684424193c658c19c5