Analysis
Max time kernel: 150s
Max time network: 154s
Platform: windows10-2004_x64
Resource: win10v2004-20231215-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 24-01-2024 02:55
Static task: static1
Behavioral task: behavioral1
Sample: 7142569287a29d07ca328243db7a1f74.dll
Resource: win7-20231215-en
General
Target: 7142569287a29d07ca328243db7a1f74.dll
Size: 1.7MB
MD5: 7142569287a29d07ca328243db7a1f74
SHA1: 0bb092d2cf5779d598f619d801bb1eda19a7f883
SHA256: 6d6b79a6bb6023fd10ffe393db35e78b77bc403f068b5ac7cfece64692b2edc1
SHA512: 9df2653a5f920d62b6d72d2f1e199d503e3328e63b7d0611fbcbcc1a084ac2b59a82739aedf665cdd64b6b08260e9b212e7d9ed20de363261dce6d2d2b4eb06f
SSDEEP: 12288:JVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:ofP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
Processes:
  Resource:  behavioral2/memory/3304-4-0x0000000002D90000-0x0000000002D91000-memory.dmp
  YARA rule: dridex_stager_shellcode
Executes dropped EXE 3 IoCs
Processes:
  PID   Process
  2240  FileHistory.exe
  3844  systemreset.exe
  2828  WFS.exe
Loads dropped DLL 3 IoCs
Processes:
  PID   Process
  2240  FileHistory.exe
  3844  systemreset.exe
  2828  WFS.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  Description: Set value (str)
  IoC: \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qoccyyzfzcu = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\ADMINI~1\\NW7CDrfd\\SYSTEM~1.EXE"
Checks whether UAC is enabled
Processes:
  Description        IoC                                                                                      Process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  FileHistory.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  systemreset.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  WFS.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
  PID   Process                      Entries
  4812  rundll32.exe                 6
  3304  (process name not recorded)  58
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
  Description                       PID   Process
  Token: SeShutdownPrivilege        3304  (not recorded)
  Token: SeCreatePagefilePrivilege  3304  (not recorded)
  Token: SeShutdownPrivilege        3304  (not recorded)
  Token: SeCreatePagefilePrivilege  3304  (not recorded)
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
  PID   Process
  3304  (not recorded)
  3304  (not recorded)
Suspicious use of UnmapMainImage 1 IoCs
Processes:
  PID   Process
  3304  (not recorded)
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
  Description                        PID   Process         Target process
  PID 3304 wrote to memory of 4824   3304  (not recorded)  FileHistory.exe
  PID 3304 wrote to memory of 4824   3304  (not recorded)  FileHistory.exe
  PID 3304 wrote to memory of 2240   3304  (not recorded)  FileHistory.exe
  PID 3304 wrote to memory of 2240   3304  (not recorded)  FileHistory.exe
  PID 3304 wrote to memory of 3700   3304  (not recorded)  systemreset.exe
  PID 3304 wrote to memory of 3700   3304  (not recorded)  systemreset.exe
  PID 3304 wrote to memory of 3844   3304  (not recorded)  systemreset.exe
  PID 3304 wrote to memory of 3844   3304  (not recorded)  systemreset.exe
  PID 3304 wrote to memory of 3660   3304  (not recorded)  WFS.exe
  PID 3304 wrote to memory of 3660   3304  (not recorded)  WFS.exe
  PID 3304 wrote to memory of 2828   3304  (not recorded)  WFS.exe
  PID 3304 wrote to memory of 2828   3304  (not recorded)  WFS.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\7142569287a29d07ca328243db7a1f74.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID: 4812
- C:\Users\Admin\AppData\Local\WzbTceo\FileHistory.exe
  Command line: C:\Users\Admin\AppData\Local\WzbTceo\FileHistory.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 2240
- C:\Windows\system32\FileHistory.exe
  Command line: C:\Windows\system32\FileHistory.exe
  PID: 4824
- C:\Windows\system32\systemreset.exe
  Command line: C:\Windows\system32\systemreset.exe
  PID: 3700
- C:\Windows\system32\WFS.exe
  Command line: C:\Windows\system32\WFS.exe
  PID: 3660
- C:\Users\Admin\AppData\Local\6GS\systemreset.exe
  Command line: C:\Users\Admin\AppData\Local\6GS\systemreset.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 3844
- C:\Users\Admin\AppData\Local\l4fQZS\WFS.exe
  Command line: C:\Users\Admin\AppData\Local\l4fQZS\WFS.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 2828
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 80KB
MD5: 92f5e99a4a522a8909911485e63143a6
SHA1: 6114b6105c17695a3880613e07d1ae15f452acbe
SHA256: 982e5cc7a5620d5b0b46c8194de3137d409f02b47ae8b35beaec674f34ca7d5e
SHA512: 2660319c8b848e37f3dac0c7c2ad3f90073b59ec43d08ecaabca095910cfd02bb65624babafffda81180595d284943534e31caa1520f2f715d8cc11d20e32fc9
-
Filesize: 110KB
MD5: 527f3aaad52f2930a2e8da15135e74fd
SHA1: 315e1cf40d9728f5ef596f035c350831f54f2206
SHA256: 2e46587067b9b8a3a19a4b6bc3364009599cb36df99eedf3733b7ab077bdba78
SHA512: 82af0626490fcaabe8ec617b3217c2f6ce9be942b959706c87262c0bc37ee5ea7b9254423aad947cd52557a2860b4fb76ac74d4ce8adc1828c4dde383ca6a9a5
-
Filesize: 294KB
MD5: 8f99945e5223e90e81efd8e72eb3f452
SHA1: b85fd92e3363e5dbbe57b415ead3b54ee68fd25e
SHA256: 33374307d0c9eebf3901afebf1ca437c8aff9986d9f7595b3ff94b390eec757a
SHA512: 83d6ebc08714a8a8500cae571d4aeb2ef660e9fbf1d25d770990108119f41428ac87a3ccddaef40a339bf4c89c08b73cd4842e4268d0849d55b7763f9cc87944
-
Filesize: 89KB
MD5: 52e879fb51b863a6dbe7eb3036cce68e
SHA1: 12d26c7684a5d946fe3bc5273342ef762d1eae2a
SHA256: 03da89c6ba52f123fa5683784a5a852ab0a8785ceaa8f12aef372acdd2f61055
SHA512: 2cd17b6b16d7585f994f3e0144ed2bcb8649c334c3d65b8524ea4de5cffcdd4b3845060efe857c5e080e3e764995c43a5165735c40cb4bf5b7358b94f8b6a619
-
Filesize: 34KB
MD5: 9c89a8c52e1e7b9af55df36ee6ee9b06
SHA1: a302aee07e67c112cdb83ba24ddf2e454642d39f
SHA256: 90f277f3d3082ad84b2269197eaaf933a82c685f9b697e781258d1838957eb5e
SHA512: d7cf08c3a5a5dfeca089d2e8bfb452b419c226125ce408595158f35951f236f1ff6d1493411dcb118d8f0cd6b95363fdc89f3107aa8ae36fcaef09e823a364f3
-
Filesize: 244KB
MD5: eeba3dd643ced2781ec1b7e3cd6fa246
SHA1: 2d394173e603625e231633fc270072e854bac17b
SHA256: bee0799a52fe65b8dc291de32f0c8b03b5a067915b1868bc8ba2a1b139c90b87
SHA512: 222d4fbc7ee57d75889698a0660996293a0143518fdecc1b222618796d76d40f2d3b00b071f92ab917ac8847f195d7de02df55b5e89dad8a80d110e464cd3271
-
Filesize: 90KB
MD5: 0110bfdbd98d5d71e2151d428fb5b509
SHA1: 04934c22cb9fc4fce48d50e48d51730133921bf5
SHA256: 668aa0e521c016871b166b9613a36fa623c72ce29700e96e46e33714b4c1b06a
SHA512: 05aed0f37627ad4875b677bf708f947c984f82b534f16e5c3ec808515c622cb7679f422e92ac13ca13b7aed2cd6795682503449c7750288b47c386940ea48b63
-
Filesize: 10KB
MD5: fa27cf48d0e5c6b98a06f57b8c1aa4d5
SHA1: fef062c25c82718d3044ec4c74ee68795e3fd1a2
SHA256: 35ed88b10eecffe46bcc900ada74b722e899e826218b01343fecde47fd91232d
SHA512: 4e1ba7505fd157d1bbd8fe4cbe9f3657e31dea98369d0308ac1c153d1096a5c6f07d6dd0e06cf0ad74d985f6b6482690eb5167f386e08045a87bd063880d6696
-
Filesize: 109KB
MD5: c54554a391b230327222f6646e08740f
SHA1: c8f21f2eeb9ad4dc725ad02b0e78ff39718b7f60
SHA256: cdd95cfee1c5e10ca66dc7b11519c107b10cc52e7057a734ace44485526fff72
SHA512: 3cbae839160804c35f070cd6bd93d416a1414c6a95e70ef61bb9f51fc2a5ce5a75b70c36f25ffc6f8aea38b8f38c9138f50b519f3f0dc8abe01e3b1387a0abcd
-
Filesize: 57KB
MD5: da297fc614602b88d02353ff1bf8e08f
SHA1: d1c24b248e3fea81aaea1c76b04b29896f63b513
SHA256: 0285df44856608f6d342fda8847e9f361cac65d3590bf7d1c02a3b541aceef52
SHA512: cf0cb8f4f8a64343b66ab4c8e060f425e4b08001f0075cccb4c2a636bf172fcbd39e276a649e380b9f183ff94de3fe55ecae4ec0147da706e91a5359c793901c
-
Filesize: 96KB
MD5: 08082633606d27676c9a3d3f8c3d82b9
SHA1: 2f0854d72a34f6b2f8c2dc8bde7d4080dcf544d2
SHA256: fa10e3bc6dd79970b4ef1f5bed292329eaa1727aa50c53c8b54ee1dae7679a43
SHA512: 052935a56d5811bec180a2ad275abe97e97ace2f4fceaf58d930741038f71511f0b66d89949a724a6a682e24d2f49090cf0599ed8b832d411d75afc2487a86e3
-
Filesize: 108KB
MD5: 367f85df1166a09707e78a1b06f339fa
SHA1: f9c4b2e589c5c32b1af2fb12ff604e51606f69dc
SHA256: 0cad7785ad5c70810a6efa05ce4330a3474705879985469bb4a0e641a3954656
SHA512: 51a5a215bc9fc3d6fcf913794df297bfbaa2b97b76deff1fa2104e19fd3c09ed18da861ab6e27214b6e81c9f62126da3dcdbd2520ed7b6c47251e322d1f199fc
-
Filesize: 1KB
MD5: 214d5f9c37fe233401959b9cd51258e2
SHA1: c284c61f3a0c810be628ea353fa78bd14f06b38b
SHA256: 00317b4cd8b40fd3ce6ca51d4ca53688b5beaa8015add7dfa8e6a75326c1538f
SHA512: 53f6172096ad0bca09fef9961a2369568d14fff6e2b61b14230ff3141b7e473cd02ef8d5e2de6447c8a8fbe1722ac67cf0171461e3488804cc1d62a98f835674
-
Filesize: 1.7MB
MD5: fb47cdbfc9ffb6f91f9637ca9d533bc3
SHA1: c423635f166c15224c9dd62418c4cf9345ab485f
SHA256: ad4ce9f173e7c91f00a61bfd48b3def22b93c63afe4096cf07f526f3d2d7c9e6
SHA512: 1bcde188fa8b51124560474e05da71bf12255d5da9d55a7336bb6302e3028a00a3f521be52dbf4d4c1d0705d26c0c8f61f42fb0dc332a86a384c8032621819a6
-
Filesize: 783KB
MD5: 7f02ca767aa8fbd52b0d3d6169e81361
SHA1: 1cd2d25d308e8c7223ee22917e10c2fa3a5e1fcb
SHA256: c7969081a4c2119650fe5d49c6bce14a0921c5060a5998a50fd6e07605feb77c
SHA512: 174d385e832298a2004efe70ac7c4f9c6df614b34064cbf1704fb9c97581d84ecd1e0e07af5226ae10131890dffe391aef8f3a88f1406259400da107b856b9be
-
Path: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\NW7CDrfd\DUI70.dll
Filesize: 2.0MB
MD5: 92ba508ae41108aff9383af2f2106e20
SHA1: 35a4a9cd6c601797f1ad8072c808504b285d6b4d
SHA256: 73f2496461fd8e3988a0782eef3ed63e16418f1c87ce91f7d6e63a310df2027e
SHA512: f28c5799c085afe2e888cd932a078dd9f93f4d73629358efd42c42fbad994f77130e9320da4f8ec20bbad5f68320a69a25b2507523d9734eeefa37c896b64224