Analysis
-
max time kernel
149s -
max time network
105s -
platform
windows10-2004_x64 -
resource
win10v2004-20231222-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted
23-01-2024 23:33
Static task
static1
Behavioral task
behavioral1
Sample
70d941d4f0bc1d1f47611a7b8ce5c05d.dll
Resource
win7-20231215-en
General
-
Target
70d941d4f0bc1d1f47611a7b8ce5c05d.dll
-
Size
2.6MB
-
MD5
70d941d4f0bc1d1f47611a7b8ce5c05d
-
SHA1
b66d763099541372aa30d4ccd5922b29c991ef3a
-
SHA256
6f1a36b2dc535c3a9a2e9611c3261d7d5970599318c0811e556b9ee731865de2
-
SHA512
5aaf75580bec3c99f034e60e8eac36b5a0f9d0921b206b17d93fd6920d0f6a3add25254e51c0605f4e8ca36e5b1573a2c7a89ae7b7c21c74b67c35b1d91a260f
-
SSDEEP
12288:LVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:KfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
-
Processes:
  resource   behavioral2/memory/3420-5-0x0000000001F00000-0x0000000001F01000-memory.dmp
  yara_rule  dridex_stager_shellcode
-
Executes dropped EXE 3 IoCs
Processes:
  pid   process
  3088  WMPDMC.exe
  1488  wbengine.exe
  2940  RecoveryDrive.exe
-
Loads dropped DLL 3 IoCs
Processes:
  pid   process
  3088  WMPDMC.exe
  1488  wbengine.exe
  2940  RecoveryDrive.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  description  Set value (str)
  ioc          \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tgnmvdx = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\QUICKL~1\\USERPI~1\\IYOGOA~1\\wbengine.exe"
-
Processes:
  description        ioc                                                                                 process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  RecoveryDrive.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  WMPDMC.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  wbengine.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
  pid   process
  2504  rundll32.exe                 (4 entries)
  3420  (no process name recorded)   (60 entries)
-
Suspicious use of UnmapMainImage 1 IoCs
Processes:
  pid   process
  3420  (no process name recorded)
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
  description                        pid   process   target process
  PID 3420 wrote to memory of 2228   3420            WMPDMC.exe
  PID 3420 wrote to memory of 2228   3420            WMPDMC.exe
  PID 3420 wrote to memory of 3088   3420            WMPDMC.exe
  PID 3420 wrote to memory of 3088   3420            WMPDMC.exe
  PID 3420 wrote to memory of 2256   3420            wbengine.exe
  PID 3420 wrote to memory of 2256   3420            wbengine.exe
  PID 3420 wrote to memory of 1488   3420            wbengine.exe
  PID 3420 wrote to memory of 1488   3420            wbengine.exe
  PID 3420 wrote to memory of 1192   3420            RecoveryDrive.exe
  PID 3420 wrote to memory of 1192   3420            RecoveryDrive.exe
  PID 3420 wrote to memory of 2940   3420            RecoveryDrive.exe
  PID 3420 wrote to memory of 2940   3420            RecoveryDrive.exe
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
Path: C:\Windows\system32\rundll32.exe
Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\70d941d4f0bc1d1f47611a7b8ce5c05d.dll,#1
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2504
-
Path: C:\Windows\system32\WMPDMC.exe
Command line: C:\Windows\system32\WMPDMC.exe
PID:2228
-
Path: C:\Windows\system32\RecoveryDrive.exe
Command line: C:\Windows\system32\RecoveryDrive.exe
PID:1192
-
Path: C:\Users\Admin\AppData\Local\KDDMrF\RecoveryDrive.exe
Command line: C:\Users\Admin\AppData\Local\KDDMrF\RecoveryDrive.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2940
-
Path: C:\Users\Admin\AppData\Local\KEKwB9\wbengine.exe
Command line: C:\Users\Admin\AppData\Local\KEKwB9\wbengine.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1488
-
Path: C:\Windows\system32\wbengine.exe
Command line: C:\Windows\system32\wbengine.exe
PID:2256
-
Path: C:\Users\Admin\AppData\Local\QbEKq\WMPDMC.exe
Command line: C:\Users\Admin\AppData\Local\QbEKq\WMPDMC.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3088
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
180KB
MD5
9e07dddae4fe2fac394befc7f4766170
SHA1
95d7869750b18f3908445f5e5bd54709fcff45d3
SHA256
4e36f73a29533254cc44ec0e61714a290e4129cc66831eb6447993092c1bae1f
SHA512
e93500a09e42c7e61e7ad3287adff3561c1e1fe327c5fda3655b10f19f8608f61d87f6a0a70e2fb0a565035c3d54f282620180464b1424995f45a7e6e461b2f0
-
Filesize
93KB
MD5
52ade092db507528dc40c142fc0e44c0
SHA1
2a9586f571290df73f4718ad61fd62f36032e981
SHA256
c77cae909765589ea5edf000bd6cc6e47e10a321a9568f77c4117cc133cf4412
SHA512
1cae050d64d046e4f7e8ba0be63aafa7d9c81af8a3a057f670a621e0fbaf421cf9c868e51bd1ba91299d0d51a3030d9a931feb31f89936e08a2928a561fe453e
-
Filesize
173KB
MD5
91760a547a469aa0224f80c4e94da8b2
SHA1
b73b9be814ecccd1117579fff841ac56e3684995
SHA256
efb5ade41a13875e68f6a8be44747c79b3859060798a879bc243d77e1d890d62
SHA512
f308b7bb51be0eb043f2bac4b9d65128476ab77f8ad59d8c0c36d76ee598c88a43c2b0316c443c6b25b81721c97399879eb56a8d07b5037f7f9778cc0aca959f
-
Filesize
185KB
MD5
82020c7761eacda5920e6b60e99e8779
SHA1
576506d82a0701fc3f9fe8b51adc80890802af51
SHA256
980d6ffbc37f1efb0e7f67a97dd4b255f6597aebd4f598fe8304f06c02997d1b
SHA512
6e8f0c4f6d4c0447e46ca3f26e09246468eb5ecd6789076e8abc2d78de3ce3441bbdfe1e0b0048ef72aee87b6e02230b2280c4002f2ac413936cfb494d2265e6
-
Filesize
224KB
MD5
f6cbdeb7fbe098b50ada4f5f504d6cc2
SHA1
bde49b91de8d72a75d45d379e84ed206c9d11933
SHA256
0a7e7a21d8f3454fbf4bd74496c43e8ba98fbae8495482e734f64330bb77860d
SHA512
95673344d7add14980de9531e5bc947e25149ca80001a54d92e453ba398ecba9afc794ad681eb197cfcfd33b73f2f990098b607fd5e4765299d1f24fa7e2b0a6
-
Filesize
85KB
MD5
562b9ee74a341ecb582e806465510656
SHA1
23a4fe9db4d13a2754f4e1a249bd1cbcddc45dac
SHA256
8ce831e4ffa5f3fc76c4c36b3d2a295573eec062adfc4597e29ddc8a8445464b
SHA512
1ec1e45b1a42f2a0d01c2df83841178ed9eddbed66e11d6e5d6be7053144dbf14fd2147c970ec791f5ea60dacbacf822812b8350a8f73887642c54d4865a7822
-
Filesize
83KB
MD5
2fe2a1150f66da9fe541de948b8d0826
SHA1
7f73274b542d3d6c379271d1982ec63ef35f06e6
SHA256
adda884b2d4a27d0815ddd9c9320595f695cbdd3229e9544a2d2bc129dce1fd2
SHA512
93db05dafeb907b44dc37854d0f297a956dda032c8ed6250b13bbeb40192012eed5216053ad9e8cea258134df43df1b153b9cd7df6963b82cb1dc432a8ee4664
-
Filesize
294KB
MD5
5f41a263d0a325c1515dc217040bf8a3
SHA1
b691b5cdc936a8e58d1ff39364987159099436d9
SHA256
1e47922237744c3fb3f484a06e0a650ea61b5dc341ea200be987108521b86fde
SHA512
909d4ce409d008fa3100e95dd090f3534d414779b45116e45dd1f9eed43b4762bd3434607067320f025325fabf3e2c9b33ba5efcf30fc0b5f2073bbc80a2c070
-
Filesize
338KB
MD5
99f1edc3e0fa63da2f400197085fbef8
SHA1
4dc560fe5988d3e42cc26d0f45ed37a8dae80b31
SHA256
4e1fc97cac3db6120835f30787360c9c2b4544391f2880b8da28c8bf3557d026
SHA512
5ab8d3c227a362c8bacc498d074f3efb1299f79d835e83501164891710b932418c2bbc060baa830e0c9204c3ed9ad01b7023eae02354c749bf52778626c6851d
-
Filesize
185KB
MD5
2797de3c7bea458794a05e5c3fabfef6
SHA1
eacc7d7cf8faea4ab2395021fb78a14ae90321ea
SHA256
63292e2c36ff19fd5bd013e16c1f98306ade84342fb3674097621bcdaede6e23
SHA512
9923ca1d4c03b3ba22e4374f1b6536d2ae9ffdd5aaea529277ab68df47e3ac9a7c523bb5fce0a7cf6ad3069608381ed259b6f55582cf9ef97fbc09402ff53f9b
-
Filesize
61KB
MD5
49962542f81528145cd3cda238746aa6
SHA1
a3ad40353c83dcab970e217d6b5835c0452e735a
SHA256
4714ad5b0e6cc3054042b510e0d594a02c97f0429a3966749dfff6011631e55d
SHA512
1f9f167c3274abbad7bb1875022ad55e053c00597fe8aadca9d44f9b7b4203c55c47c0060aab79b38be4d97b00df47fbad732e9e79e12fcddc263e5b84c0f3ea
-
Filesize
190KB
MD5
8d4184e72cf1958ba8d0801b3d1dd587
SHA1
de09c8d315949b3a995a11d82ff85ed4a00bdec8
SHA256
265b572d68f2424baa98c5b15d5450a50e750b57a75b8359bdb142b18a9e1b05
SHA512
ecb5b9a2c99069f2e87d89f02069156789a15e1d20e976116caf9f6f6f885e234a6f2d9409308a63c98b8b2a2bed21c81fd9364eb29de20412234b9691b29c54
-
Filesize
1KB
MD5
2027f6d684167f0467856e4fc20814dc
SHA1
09364a18cf647d90c6b4b9c016ef86663a15b709
SHA256
092e8c2fa6b94c6bd5d4b3bf228dbdd74d5513fa3e7f72b684401666fe72ec0e
SHA512
06c9c5d3fd5262a27c9d6aa011dc1973fbfa6a152c5f9994a1f878c2042d6de8b017d1eb8bee64eeb66442f2f422cee818672b04dd6f7ebf5b29985664f995dc
-
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\iyOgOacQ9LD\XmlLite.dll
Filesize
2.6MB
MD5
d8483d37fa563e49ed2a3a51a17b83cd
SHA1
e63786ca7649262cb371bb7ed42bedd39f1eed59
SHA256
4e8c0572f402b59aa4e05b06bc55ed4894422779fe7042ac86599369250cfb36
SHA512
706f56ebc6e5af648d020fea1e23f8688344c6dd72ef9a5a036d9e60d0ce1d0a05cc0c2bcd0740978f4bd669c4651cb24e86f61cb76a61ad6c47311e310e8f00
-
Filesize
2.6MB
MD5
63eea6391c95980c0394cfe5a1e7ffe4
SHA1
74d6bb67f5a4363cb64d57a44b69bb9467b2516b
SHA256
938622fb48c67b127b266b57b64e1a1e0fe00abffbf4e7f19a71610b623be4f9
SHA512
4ce8b83218d794d77defe45f54fcf73d554fd9210ca23672378701fd2fe28a6471a762f223f978cbe0133cb149b5c61b3556f72eb0db94254d53a1c472c5d764
-
Filesize
2.6MB
MD5
55a43a93aeb047ea7e848eb9e7e7b1c0
SHA1
9499c7c2db525fde3771e7936e567ba0f0227792
SHA256
98826b25fe1d109f1d2d9ab993fd57f9a26e6104550071a791c792d69118f692
SHA512
67f2c0b2519204497a52a857dd2e352b0428bb09a9dacb841ac301c582d5f6ad9d1152092c847c09641905e796c3d1b49027f677cf51d953cbf39c90b9f6501d