Analysis
max time kernel: 151s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-01-2024 10:46
Static task: static1
Behavioral task: behavioral1
Sample: 72069f253d65873ca37d22ed502e1911.dll
Resource: win7-20231215-en
General
Target: 72069f253d65873ca37d22ed502e1911.dll
Size: 3.7MB
MD5: 72069f253d65873ca37d22ed502e1911
SHA1: 551a0c0ea3996301997e8f133c3ab4933456b7db
SHA256: 95675ed8705063e78d6feec16544b7d5bbe62b4bc34b13462280c0ec046f0d71
SHA512: 113a86c3fd39d5cb43ccfbee1a8ca8a0f2c08d76439eb39c228f1a56432ab121f61696087b21df958b15b16b16c3169d5109aac638ab60b91eb4ce76b9dc52a1
SSDEEP: 12288:bVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1K8yQy:6fP7fWsK5z9A+WGAW+V5SB6Ct4bnbKn
Malware Config
Signatures

YARA match in process memory (Dridex stager shellcode)
  resource: behavioral2/memory/3532-4-0x0000000003290000-0x0000000003291000-memory.dmp
  yara_rule: dridex_stager_shellcode

Executes dropped EXE (3 IoCs)
  pid    process
  2664   bdeunlock.exe
  4136   mstsc.exe
  1408   psr.exe

Loads dropped DLL (3 IoCs)
  pid    process
  2664   bdeunlock.exe
  4136   mstsc.exe
  1408   psr.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gdfgjdhwrlpouj = "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\Oj03\mstsc.exe"
  process: (not recorded)
  Note: the Run value points at an mstsc.exe under %APPDATA%\Microsoft\Windows\Themes\Oj03, a different directory from the C:\Users\Admin\AppData\Local\CkXWAn\mstsc.exe copy that actually ran during this analysis, so the persistence path and the executed copy must be collected separately.

Checks whether UAC is enabled
  description         ioc                                                                                  process
  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   rundll32.exe
  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   bdeunlock.exe
  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   mstsc.exe
  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   psr.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid    process                     entries
  3880   rundll32.exe                4
  3532   (no image name recorded)    60

Suspicious use of UnmapMainImage (1 IoC)
  pid    process
  3532   (no image name recorded)

Suspicious use of WriteProcessMemory (12 IoCs)
  description                          pid    process   target process
  PID 3532 wrote to memory of 1016     3532   (none)    bdeunlock.exe   (2 entries)
  PID 3532 wrote to memory of 2664     3532   (none)    bdeunlock.exe   (2 entries)
  PID 3532 wrote to memory of 2612     3532   (none)    mstsc.exe       (2 entries)
  PID 3532 wrote to memory of 4136     3532   (none)    mstsc.exe       (2 entries)
  PID 3532 wrote to memory of 2668     3532   (none)    psr.exe         (2 entries)
  PID 3532 wrote to memory of 1408     3532   (none)    psr.exe         (2 entries)
  Note: PID 3532 never appears with an image name, yet it owns the memory region matched by dridex_stager_shellcode, the UnmapMainImage event, 60 of the process-enumeration events and every WriteProcessMemory entry. It is the process in which the stager ran after rundll32.exe (PID 3880) loaded the DLL, and it writes into both the System32 instance and the user-writable copy of each of the three binaries. Pull its memory dump (the 3532-4-... resource) rather than the rundll32 process when extracting the stager.

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
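The report only records that the Task Scheduler COM API was touched; it does not show which task, if any, was registered. Tasks created through that API are persisted as XML under C:\Windows\System32\Tasks, so the practical follow-up on a host is to audit those definitions. The following is an added example written for this page, not part of the sandbox output. The three task definitions are constructed for illustration (the paths echo the side-loading layout seen above but no such task is attested by the report), and the environment-variable map and trusted-root list are assumptions of the example, not Task Scheduler rules.

```python
"""Audit Scheduled Task XML for Exec actions that launch from, or point
arguments at, a user-profile path. Two cases are handled: the command
itself lives outside the Windows/Program Files trees, and the command is
a trusted binary (e.g. rundll32.exe) whose arguments reference a file
under a user profile, which is how the DLL in this report was launched.

Added example; the task definitions below are constructed, and ENV and
TRUSTED_PREFIXES are assumptions of this example."""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Assumption: only these roots are trusted launch locations.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Assumption: typical expansions for the variables a task may use.
ENV = {
    "%systemroot%": "c:\\windows",
    "%windir%": "c:\\windows",
    "%programfiles%": "c:\\program files",
    "%localappdata%": "c:\\users\\admin\\appdata\\local",
    "%appdata%": "c:\\users\\admin\\appdata\\roaming",
    "%temp%": "c:\\users\\admin\\appdata\\local\\temp",
}
USER_PATH = re.compile(r"\\users\\[^\\]+\\", re.IGNORECASE)


def normalize(path):
    """Lower-case, strip quotes and expand the known environment variables."""
    p = path.strip().strip('"').lower()
    for var, val in ENV.items():
        p = p.replace(var, val)
    return p


def audit_task(xml_text):
    """Return one finding per suspicious Exec action:
    {'reason', 'triggers', 'command', 'arguments'}."""
    root = ET.fromstring(xml_text)
    triggers_el = root.find("t:Triggers", NS)
    triggers = sorted(child.tag.split("}")[1] for child in triggers_el) if triggers_el is not None else []
    findings = []
    for exec_el in root.iterfind(".//t:Actions/t:Exec", NS):
        command = normalize(exec_el.findtext("t:Command", default="", namespaces=NS))
        arguments = normalize(exec_el.findtext("t:Arguments", default="", namespaces=NS))
        reason = None
        if not command.startswith(TRUSTED_PREFIXES):
            reason = "command outside trusted roots"
        elif USER_PATH.search(arguments):
            reason = "arguments reference a user-profile path"
        if reason:
            findings.append({"reason": reason, "triggers": triggers,
                             "command": command, "arguments": arguments})
    return findings


# Constructed task definitions (not from the report).
SIDELOAD_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author"><Exec><Command>%LOCALAPPDATA%\CkXWAn\mstsc.exe</Command></Exec></Actions>
</Task>"""

LOLBIN_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><BootTrigger><Enabled>true</Enabled></BootTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>C:\Windows\System32\rundll32.exe</Command>
    <Arguments>C:\Users\Admin\AppData\Local\Temp\payload.dll,#1</Arguments>
  </Exec></Actions>
</Task>"""

BENIGN_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><Enabled>true</Enabled></CalendarTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>%SystemRoot%\System32\cleanmgr.exe</Command>
    <Arguments>/autoclean</Arguments>
  </Exec></Actions>
</Task>"""

if __name__ == "__main__":
    for label, xml_text in (("sideload", SIDELOAD_TASK_XML), ("lolbin", LOLBIN_TASK_XML), ("benign", BENIGN_TASK_XML)):
        for f in audit_task(xml_text):
            print(f"{label}: {f['reason']} triggers={f['triggers']} cmd={f['command']} args={f['arguments']}")
```

On a live host, feed `audit_task` the contents of each file under C:\Windows\System32\Tasks (they are UTF-16 on disk, so decode before parsing). The second rule matters as much as the first: a task whose Command is a legitimate System32 binary passes a naive path check, exactly as rundll32.exe did in this run.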
Processes

C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\72069f253d65873ca37d22ed502e1911.dll,#1
  PID: 3880
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses

C:\Windows\system32\bdeunlock.exe
  command line: C:\Windows\system32\bdeunlock.exe
  PID: 1016

C:\Users\Admin\AppData\Local\xW0\bdeunlock.exe
  command line: C:\Users\Admin\AppData\Local\xW0\bdeunlock.exe
  PID: 2664
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled

C:\Windows\system32\mstsc.exe
  command line: C:\Windows\system32\mstsc.exe
  PID: 2612

C:\Users\Admin\AppData\Local\CkXWAn\mstsc.exe
  command line: C:\Users\Admin\AppData\Local\CkXWAn\mstsc.exe
  PID: 4136
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled

C:\Windows\system32\psr.exe
  command line: C:\Windows\system32\psr.exe
  PID: 2668

C:\Users\Admin\AppData\Local\pvrwm\psr.exe
  command line: C:\Users\Admin\AppData\Local\pvrwm\psr.exe
  PID: 1408
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled

Reading the tree: the DLL was invoked through rundll32.exe with ",#1", i.e. its export at ordinal 1, so any re-run outside the sandbox should use the same ordinal. The six bdeunlock.exe/mstsc.exe/psr.exe entries all sit at the top level; their parent is not in the tree, which is consistent with the unnamed PID 3532 writing into each of them in the WriteProcessMemory table. Each System32 binary is followed by a same-named executable in a freshly created folder under C:\Users\Admin\AppData\Local, and only those user-writable copies carry "Executes dropped EXE" and "Loads dropped DLL": the dropped DLL loaded by each copy is the component to collect alongside the copied executable, since the executable name alone will look like a legitimate Windows component in process listings.
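The detection this tree suggests is simple to state: a binary name that runs from C:\Windows\System32 and, in the same session, from a directory under a user profile, together with a Run key whose target borrows such a name from a user-writable path. The following is an added example written for this page, not part of the sandbox output. The event records are simplified (pid, image, registry key and value), not a real Sysmon schema; the PIDs, paths and Run key are taken from the report above, and the two control events are constructed.

```python
"""Detect relocated copies of System32 binaries and Run keys pointing at
them, the pattern visible in this report's process tree and registry IoCs.

Added example; event records are simplified, the two control events are
constructed, and the AppData-based notion of 'user-writable' is an
assumption of this example."""
import re
from collections import defaultdict

SYSTEM_ROOTS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Assumption: anything under a user's AppData counts as user-writable.
USER_WRITABLE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\", re.IGNORECASE)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def is_system_path(path):
    return path.lower().startswith(SYSTEM_ROOTS)


def is_user_writable(path):
    return USER_WRITABLE.match(path) is not None


def find_relocated_binaries(process_events):
    """Bucket process-create events by image name and report every
    user-writable instance whose name also ran from System32.
    Returns sorted (name, pid, image) tuples."""
    buckets = defaultdict(lambda: {"system": [], "user": []})
    for ev in process_events:
        name = basename(ev["image"])
        if is_system_path(ev["image"]):
            buckets[name]["system"].append(ev)
        elif is_user_writable(ev["image"]):
            buckets[name]["user"].append(ev)
    hits = []
    for name, b in buckets.items():
        if b["system"] and b["user"]:
            hits.extend((name, ev["pid"], ev["image"]) for ev in b["user"])
    return sorted(hits)


def find_run_key_hits(registry_events, system_names):
    """Flag Run-key values whose target is user-writable and named after a
    binary seen running from System32. Returns (value name, target)."""
    hits = []
    for ev in registry_events:
        if "\\currentversion\\run\\" not in ev["key"].lower():
            continue
        target = ev["value"].strip().strip('"')
        if is_user_writable(target) and basename(target) in system_names:
            hits.append((ev["key"].rsplit("\\", 1)[-1], target))
    return hits


# Process-create records from the report, plus two constructed controls.
PROCESS_EVENTS = [
    {"pid": 3880, "image": r"C:\Windows\system32\rundll32.exe"},
    {"pid": 1016, "image": r"C:\Windows\system32\bdeunlock.exe"},
    {"pid": 2664, "image": r"C:\Users\Admin\AppData\Local\xW0\bdeunlock.exe"},
    {"pid": 2612, "image": r"C:\Windows\system32\mstsc.exe"},
    {"pid": 4136, "image": r"C:\Users\Admin\AppData\Local\CkXWAn\mstsc.exe"},
    {"pid": 2668, "image": r"C:\Windows\system32\psr.exe"},
    {"pid": 1408, "image": r"C:\Users\Admin\AppData\Local\pvrwm\psr.exe"},
    {"pid": 1234, "image": r"C:\Users\Admin\AppData\Local\ExampleVendor\updater.exe"},  # constructed, benign
    {"pid": 5678, "image": r"C:\Program Files\ExampleVendor\app.exe"},                  # constructed, benign
]

# Registry value-set record from the report.
REGISTRY_EVENTS = [
    {"key": r"\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gdfgjdhwrlpouj",
     "value": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\Oj03\mstsc.exe"},
]


def analyze(process_events=PROCESS_EVENTS, registry_events=REGISTRY_EVENTS):
    """Run both checks; the set of names seen from System32 feeds the Run-key check."""
    relocated = find_relocated_binaries(process_events)
    system_names = {basename(ev["image"]) for ev in process_events if is_system_path(ev["image"])}
    return relocated, find_run_key_hits(registry_events, system_names)


if __name__ == "__main__":
    relocated, run_hits = analyze()
    for name, pid, image in relocated:
        print(f"relocated copy of {name}: pid {pid} -> {image}")
    for value_name, target in run_hits:
        print(f"Run key {value_name} -> {target}")
```

To run this against real telemetry, map Sysmon Event ID 1 (ProcessCreate: ProcessId, Image) onto the process records and Event ID 13 (RegistryEvent Value Set: TargetObject, Details) onto the registry records. The updater.exe control is deliberately under AppData and is not flagged, because no same-named binary ran from System32; the pairing, not the location alone, is the signal.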
Network
MITRE ATT&CK Enterprise v15
Downloads
File names are not included in this export; match the dropped artifacts by size and hash.

Filesize: 3.8MB
MD5: 8bb25105d9d5636041ccf2ca13433658
SHA1: 88470fc4fbfb1f4556606f5450147445f2fc2b85
SHA256: 8d0df2b516e3ed11d8e79855e9df02f354ca679d2b9c5b0ef19a980d993bf213
SHA512: 33a5e5f6e053c0215f804d62743fc12e990d1c3f3e04eb1a891fd8bad7380c37c91d56927bb51f7d8c212e864ac18cc431eebdc8eecdd6a3dedc597d8c7f5639

Filesize: 1.5MB
MD5: 3a26640414cee37ff5b36154b1a0b261
SHA1: e0c28b5fdf53a202a7543b67bbc97214bad490ed
SHA256: 1d1b6b2edac7ac6494c9eecda3afb804f679d7190f4d1a80929380e85743823f
SHA512: 76fc70ead57ddacd3dbcec1a4772bd46924d30b30018a36b13052d2f7272cc86b63bf85d5e4ec04aac08630d4b2637ca6e7d35c08ce6b675d63ed011f7d95ba2

Filesize: 3.8MB
MD5: 381797e980c95b8424c041050d038876
SHA1: 7b1bba3615385706886afc863ebdd56e891bfd5f
SHA256: 795e0cbd6ca8a2e7de9c73ced032b6626be2765a991eefc56894ed61a7cd3b28
SHA512: f7f39f1de9c268e2df962b9c2c4ce159952176687be8b9f9242ae01ef557761256ec4791abad6481c9db4da3ea556a72a5daaf2f9935526645c18c534e993c70

Filesize: 232KB
MD5: ad53ead5379985081b7c3f1f357e545a
SHA1: 6f5aa32c1d15fbf073558fadafd046d97b60184e
SHA256: 4f0144f0e3e721b44babbf41b513942e4117f730546105480571f9c8fce56a1f
SHA512: 433098bd74c34fbadfa447ef45cfa9dc076aef4cf7f2a0a6fe79d5e67f2504eebe8aa31fc1b7a4c5eeb20ede2c5485f75ad0fd77b4ecba3d68ca63313e6f6ea0

Filesize: 4.0MB
MD5: 684cce04b25930b040dbf691f6ff580b
SHA1: ba17ae8cbf0893bd298169e0e6928d237211ec19
SHA256: 202e8fcf040fae82f7a4444ba2d7d2163b1e1fd24a373815746c051d66342e15
SHA512: 912df62be718a70c60d9d49e97595f6bdfb07ee8d005d99a29d9d6088a8d26ca8771f84290d2b9d4bdc2d8b8d2ce7917cc9ee4c78b0f9bf5c308fb56a088bf94

Filesize: 279KB
MD5: fef5d67150c249db3c1f4b30a2a5a22e
SHA1: 41ca037b0229be9338da4d78244b4f0ea5a3d5f3
SHA256: dcfdd67bf3244ff86cadaaea50b43cce5479014ea2021c0c2fb40b7c856e5603
SHA512: 4ded9ca87d9d30c31ab2baededaa6e26681741ea1742d80c318173536c643a01bc049e03a03c3b45b3cb8860464a855830e12e87670503e65eedcdd5e9b2d1e7

Filesize: 1KB
MD5: 517a498ad016bf4c1bd8bdb48099201b
SHA1: ad784f8544fdc339a0deeb22f5fd4c4649e7648a
SHA256: 9283110c19063c935b355035646970db45652b7d5435f8bc0fde24b7c753bc02
SHA512: bb47da33c6bea430ba27ec32d90835adba7a5543bff106625a5bb073cde01e5d13fb4dd65303ca68bcf25897971e2fd80635a4d678ba56f8533cf115fd32633a