Analysis
-
max time kernel: 157s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-01-2024 14:05
Static task: static1
Behavioral task: behavioral1
Sample: 726f982410725cb34272e9e44b3c0310.dll
Resource: win7-20231215-en
General
-
Target: 726f982410725cb34272e9e44b3c0310.dll
Size: 2.0MB
MD5: 726f982410725cb34272e9e44b3c0310
SHA1: 8450bd8609660c8fee5e0a8460e391b44ef07bfd
SHA256: 1af3b38b228078c0c78e70ef3bf82e55635240069d5f982819899db2bf5d9972
SHA512: e1540efb22d0c7bf2f5a0f1a9ad38f0d78d741db0c49c4628f620f315e4a093b449628b12aabd597c89042344318b3db6dad4ca03e3390d67944c84f72cfb728
SSDEEP: 12288:MVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:5fP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
-
Processes:
  resource:  behavioral2/memory/3408-4-0x0000000003850000-0x0000000003851000-memory.dmp
  yara_rule: dridex_stager_shellcode
Executes dropped EXE (3 IoCs)
Processes:
  pid 2260  process dwm.exe
  pid 2468  process wscript.exe
  pid 4396  process dxgiadaptercache.exe
Loads dropped DLL (7 IoCs)
Processes:
  pid 2260  process dwm.exe (4 entries)
  pid 2468  process wscript.exe (1 entry)
  pid 4396  process dxgiadaptercache.exe (2 entries)
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gdfgjdhwrlpouj = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\AnOGccnwbF\\wscript.exe"
Processes:
  description: Key value queried  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  process: rundll32.exe
  description: Key value queried  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  process: dwm.exe
  description: Key value queried  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  process: wscript.exe
  description: Key value queried  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  process: dxgiadaptercache.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
  pid 3756  process rundll32.exe (4 entries)
  pid 3408  process name not recorded in the report (60 entries)
Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes:
  description: Token: SeShutdownPrivilege        pid 3408
  description: Token: SeCreatePagefilePrivilege  pid 3408
  description: Token: SeShutdownPrivilege        pid 3408
  description: Token: SeCreatePagefilePrivilege  pid 3408
Suspicious use of FindShellTrayWindow (2 IoCs)
Processes:
  pid 3408 (2 entries)
Suspicious use of UnmapMainImage (1 IoC)
Processes:
  pid 3408
Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
  description: PID 3408 wrote to memory of 4912  pid 3408  target process dwm.exe
  description: PID 3408 wrote to memory of 4912  pid 3408  target process dwm.exe
  description: PID 3408 wrote to memory of 2260  pid 3408  target process dwm.exe
  description: PID 3408 wrote to memory of 2260  pid 3408  target process dwm.exe
  description: PID 3408 wrote to memory of 4672  pid 3408  target process wscript.exe
  description: PID 3408 wrote to memory of 4672  pid 3408  target process wscript.exe
  description: PID 3408 wrote to memory of 2468  pid 3408  target process wscript.exe
  description: PID 3408 wrote to memory of 2468  pid 3408  target process wscript.exe
  description: PID 3408 wrote to memory of 3476  pid 3408  target process dxgiadaptercache.exe
  description: PID 3408 wrote to memory of 3476  pid 3408  target process dxgiadaptercache.exe
  description: PID 3408 wrote to memory of 4396  pid 3408  target process dxgiadaptercache.exe
  description: PID 3408 wrote to memory of 4396  pid 3408  target process dxgiadaptercache.exe
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\726f982410725cb34272e9e44b3c0310.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID: 3756
-
C:\Windows\system32\dwm.exe
  Command line: C:\Windows\system32\dwm.exe
  PID: 4912
-
C:\Users\Admin\AppData\Local\Lon\dwm.exe
  Command line: C:\Users\Admin\AppData\Local\Lon\dwm.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 2260
-
C:\Windows\system32\wscript.exe
  Command line: C:\Windows\system32\wscript.exe
  PID: 4672
-
C:\Users\Admin\AppData\Local\QiLahXPh\wscript.exe
  Command line: C:\Users\Admin\AppData\Local\QiLahXPh\wscript.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 2468
-
C:\Windows\system32\dxgiadaptercache.exe
  Command line: C:\Windows\system32\dxgiadaptercache.exe
  PID: 3476
-
C:\Users\Admin\AppData\Local\2E7\dxgiadaptercache.exe
  Command line: C:\Users\Admin\AppData\Local\2E7\dxgiadaptercache.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 4396
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 2.0MB
MD5: 16c98692c5084c130b1e879d2a897d9d
SHA1: 251f0fc95f148648d70765dd56015b0448f35ed6
SHA256: 1004e2a96c12a2e36ff82b030e9e52e29709be8711692036b73ec68485393468
SHA512: 4ba9fabd865fdef392ccd655c94178e094fd3214d960b116f59203f27718380aa15a7eb1c536a8644b2a2fd14da15d08569c3f14952eca700894f6c81a41c1f0
-
Filesize: 230KB
MD5: e62f89130b7253f7780a862ed9aff294
SHA1: b031e64a36e93f95f2061be5b0383069efac2070
SHA256: 4bea9f741fe4ca9d6262477849896b9fa6377326d11af044561c31bde2d994b5
SHA512: 05649d38a0b5d825bb8442549427b0ff77b139c9dd297b04d6c0fb1415504c95ed750cd79efea2ff514abfc5d1003e6251a3cd871d352dcea06be0cdeb0304f7
-
Filesize: 92KB
MD5: 5c27608411832c5b39ba04e33d53536c
SHA1: f92f8b7439ce1de4c297046ed1d3ff9f20bc97af
SHA256: 0ac827c9e35cdaa492ddd435079415805dcc276352112b040bcd34ef122cf565
SHA512: 1fa25eabc08dff9ea25dfa7da310a677927c6344b76815696b0483f8860fa1469820ff15d88a78ed32f712d03003631d9aceaf9c9851de5dd40c1fc2a7bc1309
-
Filesize: 2.0MB
MD5: ba5bc234bab1074284c75a7a5061abd2
SHA1: 42b69a8a48846a96dae731d35d572d91b50f5349
SHA256: bf931d98854caaa34f32ad71bb0b5426f960f9dc92f13d985acafe63d7c32d71
SHA512: 3ee9598562262df8a422f0e5c264a70e6ccf72abc4ec436549b3acdced811ac73cf128a8dbb7abe8d8fdca0d3c46a6c044575d78d961da7c51f4eb2e570fb3d6
-
Filesize: 2.0MB
MD5: cdd945637df738d5e01f46dadc42150f
SHA1: a2653caf9defd9c4ac10abcba29497e53c017548
SHA256: 5e8b2944c60588abf9dafd922207ec9d1affd026bbd90b56fdb257b95456071c
SHA512: 2debce4a16eda445949d2f38f1aa760b983d8a3a341c22fbdc5da4a1e66a22b3a948dac5eb27d7739cf57c5bd9956bc7aebccbb17baa74279793198030ee6fa0
-
Filesize: 166KB
MD5: a47cbe969ea935bdd3ab568bb126bc80
SHA1: 15f2facfd05daf46d2c63912916bf2887cebd98a
SHA256: 34008e2057df8842df210246995385a0441dc1e081d60ad15bd481e062e7f100
SHA512: f5c81e6dc4d916944304fc85136e1ff6dee29a21e50a54fe6280a475343eccbfe094171d62475db5f38e07898c061126158c34d48b9d8f4f57f76d49e564e3fc
-
Filesize: 1KB
MD5: 19cbd2347125c2aebda1917c9e9203ef
SHA1: 57653a3ea430e99adc834f056101e9d0211af67c
SHA256: e2cd6d8174ba1e4ebe1ca5d2e880ee9e309c62f78f7ec99b765011d380f0d5ee
SHA512: cad13580d54aa26ec8cecb3a46b01c948eba5f9719cb604faf15f0038757414849e269279797d1e73d3b4114d7fd14c90f15be281d8bfd76bb34f2a1226d0f6d