Analysis
max time kernel: 150s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-01-2024 05:38
Static task: static1
Behavioral task: behavioral1
Sample: 6edcb3e9a95b87f3dd31d12871219ad1.dll
Resource: win7-20231215-en
General
Target: 6edcb3e9a95b87f3dd31d12871219ad1.dll
Size: 1.4MB
MD5: 6edcb3e9a95b87f3dd31d12871219ad1
SHA1: 0f9808dbdb07056ce6154ff9ec192a829382527e
SHA256: fcec9ee59606ca5763dd3f779b2fb2e60ec8a2382cf095b0b00634a4c5ff6bee
SHA512: eae92f278b0b7d945a43c8eed204f8bc86e62713fc1700b6f04962361d1c76400b43e955ec168f20aeb4895984e9789654ad7c4cdc4b40bc741f623e617aa802
SSDEEP: 12288:jVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:yfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
Processes (resource, yara_rule):
resource: behavioral2/memory/3520-5-0x0000000003770000-0x0000000003771000-memory.dmp
yara_rule: dridex_stager_shellcode
Executes dropped EXE (3 IoCs)
Processes (pid, process):
4676 MDMAppInstaller.exe
2064 SndVol.exe
3200 SystemPropertiesAdvanced.exe
Loads dropped DLL (3 IoCs)
Processes (pid, process):
4676 MDMAppInstaller.exe
2064 SndVol.exe
3200 SystemPropertiesAdvanced.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes (description, ioc):
Set value (str): \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gdfgjdhwrlpouj = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\pO\\SndVol.exe"
Processes (description, ioc, process):
Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (MDMAppInstaller.exe)
Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (SndVol.exe)
Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (SystemPropertiesAdvanced.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (pid, process):
1248 regsvr32.exe (4 entries)
3520 (no process name recorded; 60 entries)
Suspicious use of AdjustPrivilegeToken (16 IoCs)
Processes (description, pid):
Token: SeShutdownPrivilege 3520 (8 entries)
Token: SeCreatePagefilePrivilege 3520 (8 entries)
Suspicious use of FindShellTrayWindow (2 IoCs)
Processes (pid, process):
3520 (no process name recorded; 2 entries)
Suspicious use of UnmapMainImage (1 IoCs)
Processes (pid, process):
3520 (no process name recorded)
Suspicious use of WriteProcessMemory (12 IoCs)
Processes (description, pid, target process):
PID 3520 wrote to memory of 4800 (target: MDMAppInstaller.exe), 2 entries
PID 3520 wrote to memory of 4676 (target: MDMAppInstaller.exe), 2 entries
PID 3520 wrote to memory of 400 (target: SndVol.exe), 2 entries
PID 3520 wrote to memory of 2064 (target: SndVol.exe), 2 entries
PID 3520 wrote to memory of 3616 (target: SystemPropertiesAdvanced.exe), 2 entries
PID 3520 wrote to memory of 3200 (target: SystemPropertiesAdvanced.exe), 2 entries
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\regsvr32.exe
  Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\6edcb3e9a95b87f3dd31d12871219ad1.dll
  PID: 1248
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\MDMAppInstaller.exe
  Command line: C:\Windows\system32\MDMAppInstaller.exe
  PID: 4800
- C:\Users\Admin\AppData\Local\SgnCfEIg\MDMAppInstaller.exe
  Command line: C:\Users\Admin\AppData\Local\SgnCfEIg\MDMAppInstaller.exe
  PID: 4676
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\SndVol.exe
  Command line: C:\Windows\system32\SndVol.exe
  PID: 400
- C:\Users\Admin\AppData\Local\KamUETej\SndVol.exe
  Command line: C:\Users\Admin\AppData\Local\KamUETej\SndVol.exe
  PID: 2064
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\SystemPropertiesAdvanced.exe
  Command line: C:\Windows\system32\SystemPropertiesAdvanced.exe
  PID: 3616
- C:\Users\Admin\AppData\Local\5TsC3\SystemPropertiesAdvanced.exe
  Command line: C:\Users\Admin\AppData\Local\5TsC3\SystemPropertiesAdvanced.exe
  PID: 3200
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
Network
MITRE ATT&CK Enterprise v15
Downloads