Analysis

max time kernel: 150s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-01-2024 15:12

Static task: static1
Behavioral task: behavioral1
Sample: 6fc1300c924c848e73451dec1a26af99.dll
Resource: win7-20231215-en
General

Target: 6fc1300c924c848e73451dec1a26af99.dll
Size: 1.5MB
MD5: 6fc1300c924c848e73451dec1a26af99
SHA1: 356d8a25843e120f2e5974fbd4c2cb992dc4b881
SHA256: b18bf10683e2178f9b1f99b4ced10b08880b29eac55ba5d252c34e3b0d70833b
SHA512: e5ae18253c6d93810db46d694d798097c1d5706df51889f03faeaa8a12d9de9691c71914f4fc6589c863e4269ad69ec2b041d77a37ea5efe5aaf196f5914b3b2
SSDEEP: 12288:LVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:KfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures

Processes:
resource | yara_rule
behavioral2/memory/3532-4-0x0000000002CE0000-0x0000000002CE1000-memory.dmp | dridex_stager_shellcode

Executes dropped EXE 3 IoCs
Processes:
pid | process
3844 | dpapimig.exe
5116 | sppsvc.exe
1584 | mmc.exe

Loads dropped DLL 3 IoCs
Processes:
pid | process
3844 | dpapimig.exe
5116 | sppsvc.exe
1584 | mmc.exe

Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mbfbagbrjs = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\kVNM3Eq\\sppsvc.exe" | (not recorded)

Checks whether UAC is enabled
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | dpapimig.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sppsvc.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | mmc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process
1856 | rundll32.exe (4 entries)
3532 | (image name not recorded; 60 entries)

Suspicious use of UnmapMainImage 1 IoCs
Processes:
pid | process
3532 | (image name not recorded)

Suspicious use of WriteProcessMemory 10 IoCs
Processes:
description | pid | process | target process
PID 3532 wrote to memory of 2536 | 3532 | (not recorded) | dpapimig.exe (listed twice)
PID 3532 wrote to memory of 3844 | 3532 | (not recorded) | dpapimig.exe (listed twice)
PID 3532 wrote to memory of 5116 | 3532 | (not recorded) | sppsvc.exe (listed twice)
PID 3532 wrote to memory of 4740 | 3532 | (not recorded) | mmc.exe (listed twice)
PID 3532 wrote to memory of 1584 | 3532 | (not recorded) | mmc.exe (listed twice)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\6fc1300c924c848e73451dec1a26af99.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID:1856

- C:\Windows\system32\dpapimig.exe
  Command line: C:\Windows\system32\dpapimig.exe
  PID:2536

- C:\Users\Admin\AppData\Local\CmtDliaq\dpapimig.exe
  Command line: C:\Users\Admin\AppData\Local\CmtDliaq\dpapimig.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID:3844

- C:\Windows\system32\sppsvc.exe
  Command line: C:\Windows\system32\sppsvc.exe
  PID:1708

- C:\Users\Admin\AppData\Local\38pLgPaHe\sppsvc.exe
  Command line: C:\Users\Admin\AppData\Local\38pLgPaHe\sppsvc.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID:5116

- C:\Windows\system32\mmc.exe
  Command line: C:\Windows\system32\mmc.exe
  PID:4740

- C:\Users\Admin\AppData\Local\iwNTaDx\mmc.exe
  Command line: C:\Users\Admin\AppData\Local\iwNTaDx\mmc.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID:1584
Network
MITRE ATT&CK Enterprise v15
Downloads