Analysis
max time kernel: 149s
max time network: 121s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-01-2024 02:52
Static task: static1
Behavioral task: behavioral1
Sample: 6e878d3bec87e1562cd7b8f267d6511c.dll
Resource: win7-20231215-en
General
Target: 6e878d3bec87e1562cd7b8f267d6511c.dll
Size: 1.4MB
MD5: 6e878d3bec87e1562cd7b8f267d6511c
SHA1: 5babe29f33e7fb0f4d7327d937e71373645490e8
SHA256: 9e34e48ce49ec56aa42b037c0bb4dee15418333d5374dbb3084a0787d254f2a5
SHA512: 6358e14c1008bc891540650adfaf3afe328ce4306e30f5b4e9363f5609c090c13caa106322e0b64e17158d881aacd545e8d03b0e1f9a3652d0e7968539df67cd
SSDEEP: 12288:lVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:8fP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
Processes:
resource: behavioral2/memory/3428-4-0x00000000077D0000-0x00000000077D1000-memory.dmp
yara_rule: dridex_stager_shellcode
Executes dropped EXE 3 IoCs
Processes:
pid   process
3344  iexpress.exe
964   PresentationSettings.exe
1072  sppsvc.exe
Loads dropped DLL 3 IoCs
Processes:
pid   process
3344  iexpress.exe
964   PresentationSettings.exe
1072  sppsvc.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Kqgfxymewp = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1497073144-2389943819-3385106915-1000\\aZoD\\PresentationSettings.exe"
Checks whether UAC is enabled 4 IoCs
Processes:
description        ioc                                                                                    process
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  sppsvc.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  iexpress.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  PresentationSettings.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid   process
4288  rundll32.exe (recorded 4 times)
3428  (process name not recorded; recorded 60 times)
Suspicious use of AdjustPrivilegeToken 8 IoCs
Processes:
description                       pid
Token: SeShutdownPrivilege        3428
Token: SeCreatePagefilePrivilege  3428
(this pair is recorded four times; process name not recorded)
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
pid
3428
3428
Suspicious use of UnmapMainImage 1 IoCs
Processes:
pid
3428
Suspicious use of WriteProcessMemory 10 IoCs
Processes:
description                        pid   process  target process
PID 3428 wrote to memory of 4500   3428           iexpress.exe
PID 3428 wrote to memory of 4500   3428           iexpress.exe
PID 3428 wrote to memory of 3344   3428           iexpress.exe
PID 3428 wrote to memory of 3344   3428           iexpress.exe
PID 3428 wrote to memory of 4660   3428           PresentationSettings.exe
PID 3428 wrote to memory of 4660   3428           PresentationSettings.exe
PID 3428 wrote to memory of 964    3428           PresentationSettings.exe
PID 3428 wrote to memory of 964    3428           PresentationSettings.exe
PID 3428 wrote to memory of 1072   3428           sppsvc.exe
PID 3428 wrote to memory of 1072   3428           sppsvc.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\6e878d3bec87e1562cd7b8f267d6511c.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID: 4288

C:\Users\Admin\AppData\Local\MBgUMg\sppsvc.exe
  command line: C:\Users\Admin\AppData\Local\MBgUMg\sppsvc.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 1072

C:\Windows\system32\sppsvc.exe
  command line: C:\Windows\system32\sppsvc.exe
  PID: 4408

C:\Users\Admin\AppData\Local\PQqov1cz\PresentationSettings.exe
  command line: C:\Users\Admin\AppData\Local\PQqov1cz\PresentationSettings.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 964

C:\Windows\system32\PresentationSettings.exe
  command line: C:\Windows\system32\PresentationSettings.exe
  PID: 4660

C:\Users\Admin\AppData\Local\ezYJC353\iexpress.exe
  command line: C:\Users\Admin\AppData\Local\ezYJC353\iexpress.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 3344

C:\Windows\system32\iexpress.exe
  command line: C:\Windows\system32\iexpress.exe
  PID: 4500
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 9KB
MD5: 6ccf6a79fc28fa8ad7ff7b2661857b20
SHA1: cf2c252d988cfef3d1aeddb5ba58a98cc79336ec
SHA256: e81ca3ec82b01b356de2e97384170078b79c639298ac3d273a45bfafdcbf033c
SHA512: fac018ed23426274f4d6bb3dc6bf8535a89f7dfcaaec750a93f4b772088edbad9a3b7809e2cbd504f5f85932744f701623b17c1cabad05a5478a4c32f3bb1b1c

Filesize: 83KB
MD5: cb3ce286a419de18e1173f93d2c33a71
SHA1: 468ed1de78c4d1c3909cd2a89fcdfef1b4aaecde
SHA256: 14f6a21e3bcc7ac278fedb846fee706e46ceab9686e79f979b08eca5ab496e64
SHA512: 529af8f87f5ad72583aa16cec30a7ac59fd1521fb7897dc96ac78eb3340528019d164b2ea6422373e35493dd3540a8ace7995b8a8ae9914a8af16668564bfce9

Filesize: 225KB
MD5: e5d03fae6ea5c4d8da6526b33cafa629
SHA1: a3c90ffcb09fb35c942cf3257d45e63d5901c339
SHA256: 8e63128e5214ec38961354d5ee71111d646aa97347de7d84030eb36df242d750
SHA512: 20db70d65c9371174f76b1d43963761e491f7489152ffb88d80ed665ff1e460579a22ea2b81708d7e8554b4914e80ef82199c65e5b78b430328360642ef59f10

Filesize: 18KB
MD5: f241a076703c4cfd3df3f696c2efb8c5
SHA1: d35fc72b4fded6d272f0b40b8b8e137027d2ceef
SHA256: fd5656a8d642a5ea12d0a19f6fd548317254dfb78678ad444d5631cd5fe13558
SHA512: ea05b367be375fe51b19b4a26b11d823cfd72f975be8b9939b7ddfb66ce3eda60cf2aa1b6d7239fffc104ec0f8d6332e737dd3fae4b5c545e1fdcb582fd39296

Filesize: 195KB
MD5: c20e3a56a7506e9d91b1faf1dcfdfa17
SHA1: cd26be6402ed237df9a7cbf8e0cf42b236dd227f
SHA256: 6d3ac00ae0c65bdb30a8b73d01e22c78ff066909eff01c7433a78c8c65274d50
SHA512: 7abf166bcd7813b370307b716c8a75d2340c625f901bef0fa9be6f7b64bb48e035f3975c9c96a236ce8ac6a133c49a724864d4328595964f81da7fc2e7802e6e

Filesize: 219KB
MD5: 790799a168c41689849310f6c15f98fa
SHA1: a5d213fc1c71a56de9441b2e35411d83770c01ec
SHA256: 6e59ab1a0b4ac177dc3397a54afcf68fcea3c1ee72c33bd08c89f04a6dac64b8
SHA512: 8153b79d4681f21ade7afe995841c386bff8e491ad347f8e7c287df5f9053cae7458e273339146d9a920ceaa2ba0f41cc793d7b2c0fa80efbb41477d39470866

Filesize: 184KB
MD5: 319e9808480025caf44584a9699f0497
SHA1: 11d7608e02690bfa1126669677c10f173a981900
SHA256: a68e22e3a20b4c48004c331e2c37235db6caa3989f59cdc2414d2893f2cf8125
SHA512: b51930d5b223cf252960bbf2273d62d3165ac951c2dd64a202733f1d14faa013ee59b611112353c259188235cddd07bedb2e4c700b06bf9c1ce0c63cd8d77e7b

Filesize: 197KB
MD5: ba212c13629b1a61a00678e9f0927582
SHA1: 5ee028481369a46508418a7aa20560e4aac526ab
SHA256: 296943936c7d4f50d46a8206b213e0dd385080bc9b53a1762559b45fdb32b796
SHA512: 0f3fdf5f0f09d7b5c83983deb7f50f13dc24375b75c57a20264aeda3a955909306eb4cf579e4536f3002f4b1c7a35b831b0cf6cd5b57f3c52b1e3e49a84751f0

Filesize: 282KB
MD5: 3cb7cd97bd5fe4fbc2d5f200adea5640
SHA1: a1214f51b1a30dbd50fa9451250bd759df745b94
SHA256: b5bd2c438892acdd6afd040a61fe783575d59243b466123240a0221b9c081bc4
SHA512: 43dafe59af48f79fe60eb2a73205f76a3b451f12c423cf56c199693e5088493299e300372b80436ac2857abdb197817bf39f6ea2081cda6246f9363a548ba653

Filesize: 219KB
MD5: 8bbae7de49d4fe00ff2c522fd604bc0f
SHA1: 7bb347e970c53ee0b7cd4c5a3638c1ac86754606
SHA256: 88184dac299e4beefa6ca629baeab429f11d09cff6a91685fbab0e90766a834f
SHA512: ce58f35a4fc6340636c71b9a65ec58040414d00b6e7011d15fc0ae1af91f513b1bda7ae56ca06e4a07df7d355f10012e26f488789145015e5639f582da8d8bf2

Filesize: 166KB
MD5: 17b93a43e25d821d01af40ba6babcc8c
SHA1: 97c978d78056d995f751dfef1388d7cce4cc404a
SHA256: d070b79fa254c528babb73d607a7a8fd53db89795d751f42fc0a283b61a76fd3
SHA512: 6b5743b37a3be8ae9ee2ab84e0749c32c60544298a7cce396470aa40bbd13f2e838d5d98159f21d500d20817c51ebce4b1d2f554e3e05f6c7fc97bc9d70ea391

Filesize: 48KB
MD5: 9628f4dd25aa5d67e93b21484740c90b
SHA1: 157074aa985ba87a1fa081ca7cab9ade40785a9a
SHA256: 01826493a7d3614863dabaf8f9ceec306d6db6c5b8a4240cdb1729bbfcf74f43
SHA512: 4446d338c668772316c43b7a7effec4c0eb30f47a2250a410c860fbad454b3a6dc3a543beda8c1b0fa061b3361aa662cdc92220228cec51c8860a7f695f513f7

Filesize: 866KB
MD5: 24dff759c5233259d1114739a46f0a24
SHA1: 4a2a2a8850995a2a003afd31a1c40c3e28b23467
SHA256: f41a281c2c544e8008e999c65369f1d08ac705bc323426773f6744928b70385c
SHA512: 33ceef2689d25d4a6858b444b329c05de1c86b213e2529b66126f8768418bf6b0ba921aec20a76cc0442b1280e1bdbf1f4b8b9b3749a0866d86759801f6ee251

Filesize: 1.4MB
MD5: 6c2a27d94d2badac2d50c3496deaa634
SHA1: 845214c7a0e21b644c1039f49eb65116dd91541d
SHA256: d34290a63a913aacb222498dfaea0a986ec223ef9a0b32d779bba8ec894f6c76
SHA512: a939e8aec6dc43471fa32a93ef321d4b1bd2aae11f675353ef3092fa6425be5b6bc510ea685b6c1285d1767bcdcd3373a2f907983621a6ec5d778fc39f663890

Filesize: 1KB
MD5: c28575f02ff23f5b71621a21a093d195
SHA1: c8a32774801a436c9d20d465cf784eae6341a6df
SHA256: 8600d9ce653e440d0a42b793f552d50367e72e0c581f90bdeb3d9743fc1f5e92
SHA512: 0bee8cd3ded4020ab041e8e27c7d9efa8742bd3fc55aea133a633f49c48c59e60e36423e30c9fd4ee670ff6d504491d731545c73437e1335e70722d7f3e7b540

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\S-1-5-21-1497073144-2389943819-3385106915-1000\aZoD\WINMM.dll
Filesize: 1.4MB
MD5: 4f3ea92220678c3e1fe8f73e5a1b184f
SHA1: 7e2f5b111f2c46b05f02702eae5b90bf41e9e770
SHA256: 3ecc73fdfa853b0bef95ede5cb23ce62be78e213024eaf39ddc9c48eaad1e454
SHA512: 6d975b663868dc2355289c1318b42cd889332ec207f6153fbb92f3f972b57b4f1e4754cb1f896422300e1cb8146e08d057ebe6409725c4090843722c541eaa84