Analysis
- max time kernel: 150s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-01-2024 22:19
- Static task: static1
- Behavioral task: behavioral1
- Sample: 70b4e740a07d198ec5ac903eaed6ff43.dll
- Resource: win7-20231215-en
General
- Target: 70b4e740a07d198ec5ac903eaed6ff43.dll
- Size: 2.0MB
- MD5: 70b4e740a07d198ec5ac903eaed6ff43
- SHA1: 7f30bccf96428c20875a437c2995388987fa2e84
- SHA256: 718a533c6fd5cccfb5c4afd72ad1d850327a0b4e6a37aed68679e7bb4afce5ce
- SHA512: c0e2e1771108c56358814da4618a4d6c5fdfcb3e8ad536e6ecbb1c12afb47819f7a3c5770b4033e73011dd117249474fb6ac44bb017c041b2f5c289ebd74834e
- SSDEEP: 12288:uVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1+o6:zfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
- YARA rule match
  Processes (resource, yara_rule):
  behavioral2/memory/3484-4-0x00000000011C0000-0x00000000011C1000-memory.dmp | dridex_stager_shellcode
- Executes dropped EXE 3 IoCs
  Processes (pid, process): 3016 EhStorAuthn.exe; 2196 DisplaySwitch.exe; 4492 recdisc.exe
- Loads dropped DLL 3 IoCs
  Processes (pid, process): 3016 EhStorAuthn.exe; 2196 DisplaySwitch.exe; 4492 recdisc.exe
- Adds Run key to start application 2 TTPs 1 IoCs
  Processes (description, ioc):
  Set value (str) | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Dturazvnnsjkgvr = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\YH\\DISPLA~1.EXE"
- Checks whether UAC is enabled
  Processes (description, ioc, process):
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | recdisc.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | EhStorAuthn.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | DisplaySwitch.exe
- Suspicious behavior: EnumeratesProcesses 64 IoCs
  Processes (pid, process): 1208 rundll32.exe (4 hits); 3484 (process name not captured in the report; all remaining hits)
- Suspicious use of AdjustPrivilegeToken 4 IoCs
  Processes (description, pid): Token: SeShutdownPrivilege 3484; Token: SeCreatePagefilePrivilege 3484; Token: SeShutdownPrivilege 3484; Token: SeCreatePagefilePrivilege 3484
- Suspicious use of FindShellTrayWindow 2 IoCs
  Processes (pid): 3484; 3484
- Suspicious use of UnmapMainImage 1 IoCs
  Processes (pid): 3484
- Suspicious use of WriteProcessMemory 12 IoCs
  Processes (description, pid, target process):
  PID 3484 wrote to memory of 2760 | 3484 | EhStorAuthn.exe (2 hits)
  PID 3484 wrote to memory of 3016 | 3484 | EhStorAuthn.exe (2 hits)
  PID 3484 wrote to memory of 3760 | 3484 | DisplaySwitch.exe (2 hits)
  PID 3484 wrote to memory of 2196 | 3484 | DisplaySwitch.exe (2 hits)
  PID 3484 wrote to memory of 1516 | 3484 | recdisc.exe (2 hits)
  PID 3484 wrote to memory of 4492 | 3484 | recdisc.exe (2 hits)
- Uses Task Scheduler COM API 1 TTPs
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\70b4e740a07d198ec5ac903eaed6ff43.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID: 1208
- C:\Windows\system32\EhStorAuthn.exe
  Command line: C:\Windows\system32\EhStorAuthn.exe
  PID: 2760
- C:\Users\Admin\AppData\Local\VkS\EhStorAuthn.exe
  Command line: C:\Users\Admin\AppData\Local\VkS\EhStorAuthn.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 3016
- C:\Windows\system32\DisplaySwitch.exe
  Command line: C:\Windows\system32\DisplaySwitch.exe
  PID: 3760
- C:\Users\Admin\AppData\Local\N3cxLFj\DisplaySwitch.exe
  Command line: C:\Users\Admin\AppData\Local\N3cxLFj\DisplaySwitch.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 2196
- C:\Windows\system32\recdisc.exe
  Command line: C:\Windows\system32\recdisc.exe
  PID: 1516
- C:\Users\Admin\AppData\Local\Yi1lYyLD\recdisc.exe
  Command line: C:\Users\Admin\AppData\Local\Yi1lYyLD\recdisc.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 4492
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\9Cutlz\ReAgent.dll
  Filesize: 2.0MB