Analysis
- max time kernel: 116s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20231222-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22-01-2024 03:23
- Static task: static1
- Behavioral task: behavioral1
- Sample: 6e98953bf2fdd7c3a404f182f3070944.dll
- Resource: win7-20231215-en
General
- Target: 6e98953bf2fdd7c3a404f182f3070944.dll
- Size: 1.1MB
- MD5: 6e98953bf2fdd7c3a404f182f3070944
- SHA1: e547a54cfbc50fcfc2bf78c348984e7b6b1183ce
- SHA256: 995bc9b977d5419139f29029dd2d9df2ce41f3a0496ec39a37946620a20d877a
- SHA512: e50c9ec714413a89c14492af9d1dffa90e20be98411b44c6df78d0b751ade15cef5476aae6b4d6f3b143146fddc0345366dbda75593926d97e05b23ec9a4521b
- SSDEEP: 12288:JVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:ofP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
- YARA rule match (memory)
  resource: behavioral2/memory/3428-4-0x0000000007290000-0x0000000007291000-memory.dmp
  yara_rule: dridex_stager_shellcode
- Executes dropped EXE 3 IoCs
  pid   process
  5068  WFS.exe
  228   rstrui.exe
  3216  sethc.exe
- Loads dropped DLL 3 IoCs
  pid   process
  5068  WFS.exe
  228   rstrui.exe
  3216  sethc.exe
- Adds Run key to start application 2 TTPs 1 IoCs
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tgnmvdx = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\z3\\rstrui.exe"
  process: (not recorded)
- Checks whether UAC is enabled
  description        ioc                                                                                   process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rstrui.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  sethc.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  WFS.exe
- Suspicious behavior: EnumeratesProcesses 64 IoCs
  pid   process
  3456  rundll32.exe (4 entries)
  3428  (no image name recorded; remaining 60 entries)
- Suspicious use of AdjustPrivilegeToken 8 IoCs
  description                        pid
  Token: SeShutdownPrivilege         3428 (4 entries)
  Token: SeCreatePagefilePrivilege   3428 (4 entries)
- Suspicious use of FindShellTrayWindow 2 IoCs
  pid 3428 (2 entries)
- Suspicious use of UnmapMainImage 1 IoCs
  pid 3428
- Suspicious use of WriteProcessMemory 12 IoCs
  description                          pid   target process
  PID 3428 wrote to memory of 1124     3428  WFS.exe (2 entries)
  PID 3428 wrote to memory of 5068     3428  WFS.exe (2 entries)
  PID 3428 wrote to memory of 4944     3428  rstrui.exe (2 entries)
  PID 3428 wrote to memory of 228      3428  rstrui.exe (2 entries)
  PID 3428 wrote to memory of 1880     3428  sethc.exe (2 entries)
  PID 3428 wrote to memory of 3216     3428  sethc.exe (2 entries)
- Uses Task Scheduler COM API 1 TTPs
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\6e98953bf2fdd7c3a404f182f3070944.dll,#1
  PID: 3456
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\WFS.exe
  command line: C:\Windows\system32\WFS.exe
  PID: 1124
- C:\Windows\system32\sethc.exe
  command line: C:\Windows\system32\sethc.exe
  PID: 1880
- C:\Users\Admin\AppData\Local\Kkz\rstrui.exe
  command line: C:\Users\Admin\AppData\Local\Kkz\rstrui.exe
  PID: 228
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\rstrui.exe
  command line: C:\Windows\system32\rstrui.exe
  PID: 4944
- C:\Users\Admin\AppData\Local\sdxSbZFdt\sethc.exe
  command line: C:\Users\Admin\AppData\Local\sdxSbZFdt\sethc.exe
  PID: 3216
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Users\Admin\AppData\Local\iut\WFS.exe
  command line: C:\Users\Admin\AppData\Local\iut\WFS.exe
  PID: 5068
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\W5d7b\WINMM.dll
  Filesize: 1.2MB
  MD5: 286f203d81e85c5a2bed2b5351cd16bd
  SHA1: 3090ea425abee75bfcbb9ecbb279b3bff3a4eeb7
  SHA256: c3af4909612fb7ac7fb92c36e5adbf4e87be347d6bfa212e5ff47a68d2d34ffe
  SHA512: aea9f4343f556c29edf286599fc47c5ab38d93faffa3b5ef77a6fa7647bf08484d2d244365510aa04cc186877ceb4a154354c3ff7e14a0a7a414ae23ff3af40b