Analysis
- max time kernel: 145s
- max time network: 124s
- platform: windows10-2004_x64
- resource: win10v2004-20231222-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24-01-2024 08:37
Static task: static1
Behavioral task: behavioral1
- Sample: 71c41494c927e33c33dadf1925c47cd5.dll
- Resource: win7-20231215-en
General
- Target: 71c41494c927e33c33dadf1925c47cd5.dll
- Size: 1.5MB
- MD5: 71c41494c927e33c33dadf1925c47cd5
- SHA1: d9522d823725eced87e847799aac6e00e0d9c985
- SHA256: 6a19ea54058dfc1a9678abc823f1ed3697c8e77fba5279d998dadaef5e7ebf04
- SHA512: 1e0f16a9f44cbe3f6a807a86b6d0a45fa8186463bb4fd17aa76792d532d7695017442642d488fd43ba725b8a5dece1bafae44ae512d897252d5dde90184a1ee4
- SSDEEP: 12288:FVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:cfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
- Processes (resource / yara_rule):
  behavioral2/memory/3528-4-0x0000000003150000-0x0000000003151000-memory.dmp / dridex_stager_shellcode
- Executes dropped EXE 3 IoCs
  Processes (pid / process):
  4588 CameraSettingsUIHost.exe
  2404 SystemPropertiesRemote.exe
  5076 msconfig.exe
- Loads dropped DLL 3 IoCs
  Processes (pid / process):
  4588 CameraSettingsUIHost.exe
  2404 SystemPropertiesRemote.exe
  5076 msconfig.exe
- Adds Run key to start application 2 TTPs 1 IoCs
  Processes (description / ioc / process):
  Set value (str) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tgnmvdx = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\hI5\\SystemPropertiesRemote.exe"
- Checks whether UAC is enabled
  Processes (description / ioc / process):
  Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA msconfig.exe
  Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA rundll32.exe
  Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA CameraSettingsUIHost.exe
  Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA SystemPropertiesRemote.exe
- Suspicious behavior: EnumeratesProcesses 64 IoCs
  Processes (pid / process):
  1568 rundll32.exe (listed 6 times)
  3528 (process name not recorded; all remaining entries)
- Suspicious use of UnmapMainImage 1 IoCs
  Processes (pid / process):
  3528 (process name not recorded)
- Suspicious use of WriteProcessMemory 12 IoCs
  Processes (description / pid / process / target process):
  PID 3528 wrote to memory of 3256 / 3528 / CameraSettingsUIHost.exe
  PID 3528 wrote to memory of 3256 / 3528 / CameraSettingsUIHost.exe
  PID 3528 wrote to memory of 4588 / 3528 / CameraSettingsUIHost.exe
  PID 3528 wrote to memory of 4588 / 3528 / CameraSettingsUIHost.exe
  PID 3528 wrote to memory of 4956 / 3528 / SystemPropertiesRemote.exe
  PID 3528 wrote to memory of 4956 / 3528 / SystemPropertiesRemote.exe
  PID 3528 wrote to memory of 2404 / 3528 / SystemPropertiesRemote.exe
  PID 3528 wrote to memory of 2404 / 3528 / SystemPropertiesRemote.exe
  PID 3528 wrote to memory of 4164 / 3528 / msconfig.exe
  PID 3528 wrote to memory of 4164 / 3528 / msconfig.exe
  PID 3528 wrote to memory of 5076 / 3528 / msconfig.exe
  PID 3528 wrote to memory of 5076 / 3528 / msconfig.exe
- Uses Task Scheduler COM API 1 TTPs
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\71c41494c927e33c33dadf1925c47cd5.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID: 1568
- C:\Windows\system32\CameraSettingsUIHost.exe
  Command line: C:\Windows\system32\CameraSettingsUIHost.exe
  PID: 3256
- C:\Windows\system32\SystemPropertiesRemote.exe
  Command line: C:\Windows\system32\SystemPropertiesRemote.exe
  PID: 4956
- C:\Windows\system32\msconfig.exe
  Command line: C:\Windows\system32\msconfig.exe
  PID: 4164
- C:\Users\Admin\AppData\Local\3iD\msconfig.exe
  Command line: C:\Users\Admin\AppData\Local\3iD\msconfig.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 5076
- C:\Users\Admin\AppData\Local\BwtEj9usD\SystemPropertiesRemote.exe
  Command line: C:\Users\Admin\AppData\Local\BwtEj9usD\SystemPropertiesRemote.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 2404
- C:\Users\Admin\AppData\Local\ScD4cQi\CameraSettingsUIHost.exe
  Command line: C:\Users\Admin\AppData\Local\ScD4cQi\CameraSettingsUIHost.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 4588
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 144KB
  MD5: 1aee5b4955fd78d91f15bdff3a89cc88
  SHA1: b831931db52930b8163bd68b00518a70c5621aa5
  SHA256: 409eca704520ac2423fe0b0b8aa45de7ada4ee964e07e2013de1fdf4848ffca7
  SHA512: f8633404f9b172f9fb0fb8984872998f445dc0b37cfbda0ceebb5185b2edadacb143eaa413f9e8901b993a6789797310f098ddecdc10008656af0d92385d337f
- Filesize: 218KB
  MD5: 280a008cc497b3756d267e129590f935
  SHA1: f504575191a04be79f51b3bf94d7034559d579f3
  SHA256: 1543de373d133b7711a1bb32e171edef9e0f1f3cb514171b1c708e188619a8af
  SHA512: 6efec5e86239e1d82e94f4aadacbd7ebdcdca41b96a0c4e6aaa1402925982103c3f7147c28480670c7db473c087b1259868d00649fc40a9847f446481e519b94
- Filesize: 102KB
  MD5: f576ed4f0a554be5e398a2d7b311b479
  SHA1: 6220bc8c54a11245d8fd2ff6840ecbf1d1e39bd8
  SHA256: 6e979a8f00f11e4d472af88282fce095998f541f00662085e0e417aca32379d7
  SHA512: f91e1eedb94b99c185e35e8edb4c7040397b1f31a5bed155fe9018858f3d840da9bb83bcce222ff571a8b15d54b41afee6ce1910f6b6b34b23cb75db663cfb2b
- Filesize: 107KB
  MD5: 1dc9e45df7a22351dbe5835170a6a03f
  SHA1: a4afb671dd9137e0ff7c7c4775dd9c5131fe4dfe
  SHA256: a5967098ed910c84a610fb6bc796fb192dfd116a59e1e9530b037cddbad661d6
  SHA512: 3bbb431a8b671850ad36446e282c679ab0390adff1a7e3eafe6fef720f86531670d760cf5de631f3601d1df31f999c096f7298ec4530c779542751b50e9c627c
- Filesize: 65KB
  MD5: dfef82c0eace71cca863f867aacb9cda
  SHA1: 8baa0574d4de5faefd9698d59817e840cb506aca
  SHA256: 7ab5f1cf80a172b74faafb21723ba85db97ab1caad5dcd22afce4cac1bd3ad90
  SHA512: a17a4af5ba253b7b7bcfce27260af245e43feffb1bcfc39126ce73702ddf1eceb034578494c662e5d6dcdf4aeadee2880be409ea22c34c819c94165239d0bfc9
- Filesize: 137KB
  MD5: 9722cb2b36f7d441efcf3b72196e210e
  SHA1: 1ae58447b27384adc631eaecda83900ca8eb60cd
  SHA256: 79bbe56abdf96a2c37f1253e03b91dafabd5672fdbc0482ddb61ba2035f3e5cc
  SHA512: e1c8a743e4668ab74187d22e911ee2ecae4692590df10826b8a94bb3db8821de816ff1155861e99eff37d5c3f61c5dec826b29b4f3f2fc5474ac657748323b08
- Filesize: 82KB
  MD5: cdce1ee7f316f249a3c20cc7a0197da9
  SHA1: dadb23af07827758005ec0235ac1573ffcea0da6
  SHA256: 7984e2bff295c8dbcbd3cd296d0741e3a6844b8db9f962abdbc8d333e9a83932
  SHA512: f1dc529ebfed814adcf3e68041243ee02ba33b56c356a63eba5ef2cb6ede1eda192e03349f6a200d34dfab67263df79cf295be3706f4197b9008ccdc53410c26
- Filesize: 31KB
  MD5: 9e98636523a653c7a648f37be229cf69
  SHA1: bd4da030e7cf4d55b7c644dfacd26b152e6a14c4
  SHA256: 3bf20bc5a208dfa1ea26a042fd0010b1268dcfedc94ed775f11890bc1d95e717
  SHA512: 41966166e2ddfe40e6f4e6da26bc490775caac9997465c6dd94ba6a664d3a797ffc2aa5684c95702e8657e5cea62a46a75aee3e7d5e07a47dcaaa5c4da565e78
- Filesize: 15KB
  MD5: f92f1050d95019205d5f7f87c2d80d25
  SHA1: b86df951973b15cf890a8ba4fbb03d095583529e
  SHA256: ba45548f7d48b0cba559cd7137751133dee9c2169a7e055d2861a4f59917e89a
  SHA512: 3d47ddb87660c4365eaa91b99082003236179ad948188f3adab2bf3b06ac3f5506cf2801ad8a2aa3d80b3407407236e05dcfca91780a967d9f39b847ee1608a1
- Filesize: 188KB
  MD5: 8c092427a27850dc9a24e96f3e2e6194
  SHA1: 753eaf9238dd26f7076197ffe0833153f5b7b8d6
  SHA256: 38305049e4dc03c426eec8267e625b21f2df4920b0bb94855c07665449604ca3
  SHA512: 4fd1801a3845008af8aed403df9c05e68d350fd48cb752f35b973456fca89d4623942aad84a5a0f2df4d4f5c09fa2398834fbb82dcb5a6eef8e6cf44946d901c
- Filesize: 1KB
  MD5: cd0819c619a82d965f36ee93b53e2e5e
  SHA1: b91df3556970c43b15260a150cef7dd621c3c62a
  SHA256: 4f6cca3a1433386c9be275b6b6ec4b872d84e2ba728cb514dbcb5778cf5eaae9
  SHA512: 9133b873a0226c939229885fc2919f969befecf99b0c6bf9dd73e6de5cdecaefe463046cd498dafd2b2241a3440f7c0027f4d73bfe9d33c791d55347dc8ffce5
- Filesize: 1.8MB
  MD5: 43dee0324e066addfb97533de3b2c21b
  SHA1: 9e46139a484b0e93b4d062fa0efd82ccad426ca0
  SHA256: f196e624cb7627d4fbda346f215b82c3e4adbbb9df9cc03d9c0a98a2f55ab8a2
  SHA512: 1932487dc84f289948949fc98542235fb438f91c6c7903ac0d26c7bb6c0a7e6ca1ed777ba5796a8555e6ec883b8e51a7c9d73016bb44fab1afc1ff1c56ab2e29
- Filesize: 1.5MB
  MD5: ab75a06fa6df3c7d7592a7bd6fe1fe4a
  SHA1: cf766e66bb1d13a3ce4d0e576de41e7c1e817f75
  SHA256: 4aa91b86986e2be027d32294d0dafab16f9ec1b787b73b0a5aab372cf39fabdd
  SHA512: 93708e84d562971f8b93b6c3a28e72f3d23b67f4cb42dbb388556934e11193ee518d1b5e9928ddc2a2d288271fe70184e8d4c077f5db9b133032e077a9684e02
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\QFFMG\VERSION.dll
  Filesize: 1.5MB
  MD5: 82dd187e5474fae89c3f5a71157b0075
  SHA1: e0034fdd7141826f7bcc27cbd6d05d1e45ae2b6f
  SHA256: a267c62bddb6b58f7f363c527df7632f4b8ab83b36a9b9b55b196b20dcb6f26a
  SHA512: 01343992b1a84e7a0d4ea515d6b49da1195bd9cafa481798ce48181719b113f70615c06b7f8a37475ed8699b9c7d1b0aa758e11c9b9da40992b756199797d0c2