Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-01-2024 23:33
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 70d94e86e118a27adfe3f75b8db4134c.dll
  - Resource: win7-20231215-en
General
- Target: 70d94e86e118a27adfe3f75b8db4134c.dll
- Size: 2.1MB
- MD5: 70d94e86e118a27adfe3f75b8db4134c
- SHA1: 252169f8b3b9f7e3187e1c25ee2e7561de450968
- SHA256: 814d959ae1800dc9c90f630f8f204a2f36fca00c3c4fe9c460b399f957e499f6
- SHA512: 815381ef381bcc883564b00866ce22a22e910d948885d107c3a679c87ddd99dc8c23723ac825ec8594ba67233622d79599ad9207d9dccc3476163703c44b3052
- SSDEEP: 12288:BVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1Web:wfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
-
  Processes:
    resource: behavioral2/memory/3304-4-0x0000000002D90000-0x0000000002D91000-memory.dmp
    yara_rule: dridex_stager_shellcode
- Executes dropped EXE (3 IoCs)
  Processes:
    pid 1192  dialer.exe
    pid 2168  dxgiadaptercache.exe
    pid 5044  AgentService.exe
- Loads dropped DLL (4 IoCs)
  Processes:
    pid 1192  dialer.exe
    pid 2168  dxgiadaptercache.exe
    pid 2168  dxgiadaptercache.exe
    pid 5044  AgentService.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    description: Set value (str)
    ioc: \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qoccyyzfzcu = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\AddIns\\UhFAo1NN\\dxgiadaptercache.exe"
- Checks whether UAC is enabled
  Processes:
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  dialer.exe
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  dxgiadaptercache.exe
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  AgentService.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
    pid 4812  rundll32.exe  (4 IoCs)
    pid 3304  (process name not recorded in the report; remaining 60 IoCs)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes:
    Token: SeShutdownPrivilege        pid 3304
    Token: SeCreatePagefilePrivilege  pid 3304
    Token: SeShutdownPrivilege        pid 3304
    Token: SeCreatePagefilePrivilege  pid 3304
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes:
    pid 3304
    pid 3304
- Suspicious use of UnmapMainImage (1 IoC)
  Processes:
    pid 3304
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    PID 3304 wrote to memory of 4332  (target process: dialer.exe)            (2 IoCs)
    PID 3304 wrote to memory of 1192  (target process: dialer.exe)            (2 IoCs)
    PID 3304 wrote to memory of 3932  (target process: dxgiadaptercache.exe)  (2 IoCs)
    PID 3304 wrote to memory of 2168  (target process: dxgiadaptercache.exe)  (2 IoCs)
    PID 3304 wrote to memory of 1852  (target process: AgentService.exe)      (2 IoCs)
    PID 3304 wrote to memory of 5044  (target process: AgentService.exe)      (2 IoCs)
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
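The report records only that the Task Scheduler COM API was used, not what was scheduled. The API writes the same XML task definition that Windows stores under %SystemRoot%\System32\Tasks and that `schtasks /query /xml` exports, so a responder can audit the result offline. The following is an added example (not code from the sandbox or from the sample) that parses such a definition and flags Exec actions whose command lives in a user-writable location; the two task definitions, the rule name and the `USER_WRITABLE` pattern are constructed for the example and are not taken from the report.

```python
import re
import xml.etree.ElementTree as ET

# Namespace used by every task definition Windows writes to
# %SystemRoot%\System32\Tasks (and by `schtasks /query /xml`).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Command locations a standard user can write to, in literal and
# environment-variable form (assumed list for this example).
USER_WRITABLE = re.compile(
    r"^(?:[a-z]:\\users\\[^\\]+\\|%(?:localappdata|appdata|temp|tmp|userprofile)%)", re.I)


def exec_actions(task_xml):
    """(Command, Arguments) for every <Exec> action in a task definition."""
    root = ET.fromstring(task_xml)
    return [(ex.findtext("t:Command", default="", namespaces=NS).strip(),
             ex.findtext("t:Arguments", default="", namespaces=NS).strip())
            for ex in root.findall("./t:Actions/t:Exec", NS)]


def triggers(task_xml):
    """Trigger element names, e.g. BootTrigger, LogonTrigger, CalendarTrigger."""
    root = ET.fromstring(task_xml)
    trig = root.find("t:Triggers", NS)
    return [] if trig is None else [child.tag.split("}")[-1] for child in trig]


def audit_task(task_xml):
    """Flag Exec actions whose (unquoted) command sits in a user-writable path."""
    findings = []
    for cmd, args in exec_actions(task_xml):
        target = cmd.strip('"')
        if USER_WRITABLE.match(target):
            findings.append({"command": target, "arguments": args,
                             "triggers": triggers(task_xml)})
    return findings


# Constructed task definitions for the example. Real task files on disk are
# UTF-16 with an XML declaration; read them as bytes with ET.parse(path).
SUSPICIOUS_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
    <CalendarTrigger>
      <StartBoundary>2024-01-23T23:33:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>"C:\Users\Admin\AppData\Roaming\Example\updater.exe"</Command>
      <Arguments>/silent</Arguments>
    </Exec>
  </Actions>
</Task>"""

BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><BootTrigger/></Triggers>
  <Actions Context="Author">
    <Exec><Command>%SystemRoot%\System32\sc.exe</Command><Arguments>query</Arguments></Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for finding in audit_task(SUSPICIOUS_TASK):
        print(finding)
    print("benign task findings:", audit_task(BENIGN_TASK))
```

`audit_task` keys on the command's location only; a task that runs a System32 binary with a user-writable DLL beside it would pass this check, so pair it with a scan of the directories the commands resolve to.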
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\70d94e86e118a27adfe3f75b8db4134c.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID: 4812
- C:\Windows\system32\dialer.exe
  Command line: C:\Windows\system32\dialer.exe
  PID: 4332
- C:\Users\Admin\AppData\Local\dObU8T\dialer.exe
  Command line: C:\Users\Admin\AppData\Local\dObU8T\dialer.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 1192
- C:\Windows\system32\dxgiadaptercache.exe
  Command line: C:\Windows\system32\dxgiadaptercache.exe
  PID: 3932
- C:\Users\Admin\AppData\Local\1kYp\dxgiadaptercache.exe
  Command line: C:\Users\Admin\AppData\Local\1kYp\dxgiadaptercache.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 2168
- C:\Windows\system32\AgentService.exe
  Command line: C:\Windows\system32\AgentService.exe
  PID: 1852
- C:\Users\Admin\AppData\Local\ZeCnj7u\AgentService.exe
  Command line: C:\Users\Admin\AppData\Local\ZeCnj7u\AgentService.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 5044
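The process tree shows the pattern worth detecting: each of dialer.exe, dxgiadaptercache.exe and AgentService.exe runs once from C:\Windows\system32 and once as a dropped copy from a random folder under %LOCALAPPDATA%, where it loads a dropped DLL, and a Run value points at a further copy of dxgiadaptercache.exe under %APPDATA%. The block below is an added example (not the sandbox's detection code) that applies two checks to simplified process-creation and registry-set records: a System32 file name executing from a user's AppData tree, and a Run value whose target lives in the user profile. The event records are constructed from the report's process tree and Run-key IoC and are not Sysmon output; `SYSTEM32_NAMES` is trimmed to the names on this page and stands in for a full System32 inventory; the rule names are the example's own.

```python
import ntpath
import re

# File names the report shows running from C:\Windows\system32 and again from
# random folders under %LOCALAPPDATA%. A real deployment would use a full
# inventory of System32/SysWOW64 file names; this set is trimmed for the example.
SYSTEM32_NAMES = {"dialer.exe", "dxgiadaptercache.exe", "agentservice.exe", "rundll32.exe"}

SYSTEM_DIRS = re.compile(r"^[a-z]:\\windows\\(?:system32|syswow64)\\", re.I)
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\", re.I)


def masquerading_process(event):
    """process_create whose file name belongs to a System32 binary but whose
    image path is under a user's AppData tree."""
    image = event["image"]
    name = ntpath.basename(image).lower()
    return (name in SYSTEM32_NAMES
            and SYSTEM_DIRS.match(image) is None
            and USER_WRITABLE.match(image) is not None)


def run_value_target(value):
    # The report prints the value quoted and with escaped backslashes
    # ("C:\\Users\\..."); collapse both before matching on the path.
    return value.strip().strip('"').replace("\\\\", "\\")


def suspicious_run_value(event):
    """registry_set on a CurrentVersion/Run value whose target is in the user profile."""
    if "\\software\\microsoft\\windows\\currentversion\\run\\" not in event["key"].lower():
        return False
    return USER_WRITABLE.match(run_value_target(event["value"])) is not None


def scan(events):
    """Return (rule, pid, detail) for every matching event, in input order."""
    findings = []
    for e in events:
        if e["type"] == "process_create" and masquerading_process(e):
            findings.append(("masquerading_system_binary", e["pid"], e["image"]))
        elif e["type"] == "registry_set" and suspicious_run_value(e):
            findings.append(("run_key_in_user_profile", e["pid"], run_value_target(e["value"])))
    return findings


# Constructed records mirroring the report's process tree and Run-key IoC.
# The report does not name the process that set the Run value, hence pid None.
EVENTS = [
    {"type": "process_create", "pid": 4812, "image": r"C:\Windows\system32\rundll32.exe"},
    {"type": "process_create", "pid": 4332, "image": r"C:\Windows\system32\dialer.exe"},
    {"type": "process_create", "pid": 1192, "image": r"C:\Users\Admin\AppData\Local\dObU8T\dialer.exe"},
    {"type": "process_create", "pid": 3932, "image": r"C:\Windows\system32\dxgiadaptercache.exe"},
    {"type": "process_create", "pid": 2168, "image": r"C:\Users\Admin\AppData\Local\1kYp\dxgiadaptercache.exe"},
    {"type": "process_create", "pid": 1852, "image": r"C:\Windows\system32\AgentService.exe"},
    {"type": "process_create", "pid": 5044, "image": r"C:\Users\Admin\AppData\Local\ZeCnj7u\AgentService.exe"},
    {"type": "registry_set", "pid": None,
     "key": r"\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qoccyyzfzcu",
     "value": r'"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\AddIns\\UhFAo1NN\\dxgiadaptercache.exe"'},
]

if __name__ == "__main__":
    for rule, pid, detail in scan(EVENTS):
        print(rule, pid, detail)
```

Both checks are path-based and therefore cheap to run over EDR or Sysmon telemetry; the first one also catches the Run-key target itself if it is later executed, since that copy of dxgiadaptercache.exe sits under AppData\Roaming. The report does not name the technique, so the example flags the location mismatch only and does not claim how the dropped DLL gets loaded.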
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 184KB
  MD5: 390f005f3c3837f40b0c36ad5c11c9af
  SHA1: f701d9368afb0d9f53e20a394e03d1d8f7fcf41c
  SHA256: 3cf15b7971db2d84174df43dfab63cc25ccf2729e320be98fffca3474fe99dbc
  SHA512: cf108decfca258499181106f40d05ef83cb115e7babcd2f53805cce9963f8055fa52231332d6fa1f952150be20e3a5745fa3443b5cc734d10b9fe5e6d164eee5
- Filesize: 117KB
  MD5: 64130f620a69efaa52755c54beb53300
  SHA1: 1f571c422e322317bfb419c97fb05317893f1126
  SHA256: 8a22f9562b4d7e5a8170a6d6a1fc3fe0566f523c030d066704430c97c66ec910
  SHA512: f7509cf580d1ac337b5f6af528115071e1ff8da8dd4e2e77a6a695a3229ef41c90b7e5a748feae0465ef6173790e7f6659bb621d14769b630994b85a0e192526
- Filesize: 143KB
  MD5: aa043d56d9f02fd33dc69aa642ea0050
  SHA1: cf04dcce34df71970be898678a8b13b8a87ee42f
  SHA256: 059ebca03641f9907e8b872d2fcae4e01ca7d98b883889701a4248cce682910d
  SHA512: 01352b3a860cb702ede03e00825e2392dc0606014bf70a24b4cbaa34874496ac896dbe6d1367ab1abc6a164a2ccdb06a449075f1fed2d30a5ae0ab0b6f05a5cd
- Filesize: 77KB
  MD5: ee91e5bb1a037013b1e51ada11e6b523
  SHA1: b790ac32f6ac13eaaf0950e104fc7be270d03fd6
  SHA256: 857882938b2cca6054d0dcd026c7f4f98bec05f7e58aab15341bf44b48e9cf6b
  SHA512: 8a69f123f3dbfed490a473eff3a0fea107e1ee2ac0f83d6710854e7e652ad6e5a218a70bb3cee705ce30b05c945dcdbaeef301cb263dd5760e46a218bc88ae22
- Filesize: 211KB
  MD5: 5af3821df5f10b3e9427ddee30de9ee8
  SHA1: 8b0084a20a4b279baedcd92900743dc0e0f1d291
  SHA256: 2c54b5c8c327244a503a25edc30ab4411e2f0d9ed3f25af325bc17dd3f055068
  SHA512: 1844b96eec4b356d5c526cb32a5d23a3eca4231b688e9cb9343d39c939b9fd9cf163fb554d6ccda0314b312aefd302b3d0cc96719f79816e52fa59bbb168eb08
- Filesize: 451KB
  MD5: 2e900fe44836e7b4c659a5fd65fb8e6f
  SHA1: 72a3c7b6f7a1ec1652d1a440fa392f7e7493f12e
  SHA256: 1be17ef566d442bdb3df7786f21516e0b72f365f5e83e40dc931fc98332a768a
  SHA512: ff4471aa35d7f88b59f41650e3e501aea7a3c84e8211af40f50526b6d3affc9911c7b490ad2ea587999f19003755faaf0aa4a3adb3668f9eda64570a03d44fc7
- Filesize: 285KB
  MD5: b8c247cfbb54f2d783661d6861f2e9f4
  SHA1: 0c15398d26a63ffcdaccdc89f1326d019188d5a4
  SHA256: d7ba62d489904737d8b453e03307fa29bc2386af085f9c87b57c89d5ff800bbf
  SHA512: 83f630c61f671e1ac5171590344255fb88a4fec8773379edf9baf0456971cca5a84173028e6c0506231e876c908ba835bfb09f98d1a484b71a0cc41f8cd10d5a
- Filesize: 29KB
  MD5: 17205ab6e5db08b01f15506d1f48e76b
  SHA1: 77c9cbeec9d517a591dc3ec56ed05227e97c7c88
  SHA256: 7aa6b4041bc8d801c34f8c099c6c6fde7bbecc88e22899cda581c7bdc3550157
  SHA512: dd75545acacda8b4a8e74752aa570a623d0b3f0ad3ff6442bdb8e1cb902ae127856fb44f997be0d5beb4bf3f26d1019b3b639f6fc731bb5fc32c84471fbcdc8e
- Filesize: 521KB
  MD5: f19d189e42774c3b169fee6f15d7b8f5
  SHA1: ca96c3870891f6bcfa68a148217ad9fb44f6363e
  SHA256: 2fe6bb5c93fdbe0d35df548cfad2cd5b31784368499b86b78104012c8deffea0
  SHA512: 1f3de62caea2506db659a23b5658ffc06e0958f662041307b281fb07854a14723e2b834a2d01165fc41c813d5e911c608670b46c7c1711f8f29d5fbe2aa6bd2b
- Filesize: 240KB
  MD5: 18ff33271362fa7aeeccac00ed472cda
  SHA1: 3a9067b8fa660e86e411161fac7ef2664d9e09d0
  SHA256: d7882a450813586315ffa892fc43914680882406abc5718a9a0ad3a20849f111
  SHA512: 27dc999ca1adf7ef93c4f73778a6f7195e8d09abee8dc63115c5f8b34cb1d901d5a5113bc7aea34efc5c7373f009523d1ee4c64adeb5f9ed2994cfa00565d45e
- Filesize: 334KB
  MD5: b09301c0687735309662d8fbd07b52d4
  SHA1: e36035771c0466cfb084f41fdab27a22182c7ac7
  SHA256: b7d15b24a1019e3afb95b9202bed18400942141d3584780f83a4ef9d21ce9d44
  SHA512: e935b022b6799fa0cad7af0e1ab975c2d86528f2a4b768049b71646d200f009a802138776a2299d1c3fb67553b6036c2075c3096786bc6b4dcd33e5061065418
- Filesize: 39KB
  MD5: b2626bdcf079c6516fc016ac5646df93
  SHA1: 838268205bd97d62a31094d53643c356ea7848a6
  SHA256: e3ac5e6196f3a98c1946d85c653866c318bb2a86dd865deffa7b52f665d699bb
  SHA512: 615cfe1f91b895513c687906bf3439ca352afcadd3b73f950af0a3b5fb1b358168a7a25a6796407b212fde5f803dd880bcdc350d8bac7e7594090d37ce259971
- Filesize: 1KB
  MD5: 0033d767b7d3a696616321de5a00ad6c
  SHA1: 0d38b29b91945e6841a013bd5fede12703924719
  SHA256: 5013c3b752f514decc35e7c5a19ec43a5cf62f09483e0369d9303ba96a6b8826
  SHA512: 80c8be8c23307fa919c33282ab726f8b7f7bc9f68a2e32ada65205ed9c3cdeee2a5ebb556524a4c2314c1f5602064756e93cdf6cb5e45979844eb26d716d86b8
- Filesize: 2.1MB
  MD5: 68e9e31081046b6caea90f472e106df4
  SHA1: e4dec62d59a4eb61a7aa1b4816b6276c2f9666d6
  SHA256: c2793e2680ffc3206cb5f933aa96363aca2270dba4d2fad5a48164dac3e32dc4
  SHA512: 49be414f4ccd37c6a7a3a0295431666b87705168e984fedcbe7685b06fda9245f70e1677cd11fbfa3ba90ecac7e72fc14c9f6e27673b3980bce616833bcbfc58
- Filesize: 2.1MB
  MD5: 12eaa2702daa737186a435f027928272
  SHA1: cf7b84dca4e43e05b94a85dec7a011798acb25c3
  SHA256: a9291a10f6abd2e387985c8b0545fae726915dc0ec802344419d6a3784ef1e94
  SHA512: 9878b40abd6b15e55be24865474f64983b5a37bc59c0a4d6cf4551e97230163c7727507be53908808adf1857a7047777c69162db1bcc66bb2c76d2bca36332f9
- Filesize: 2.1MB
  MD5: b05d3562ed4c1d95f54e558cbe271043
  SHA1: 4f470c9d0cac038993d1ddf70ad9f3246e71130f
  SHA256: 2c52b52d2dd338aba1ce422df13decac098da4b52004314d87035bec074cbc6d
  SHA512: 5f9fcd86dddb0a8df41dd6b751fefe480917cfa869b773fc8283810fc58ac265f4f5fdc802ea68638080b3780354095e4050527393eb008ca12acc44ba1bf92a