Analysis

max time kernel: 145s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-01-2024 10:34

Static task: static1
Behavioral task: behavioral1
  Sample: 7477fc39b45ddb88b4ff0de5a954889a.dll
  Resource: win7-20231215-en
General

Target: 7477fc39b45ddb88b4ff0de5a954889a.dll
Size: 1.8MB
MD5: 7477fc39b45ddb88b4ff0de5a954889a
SHA1: b89770175d0845d1aa7615fc346bcf6d9dd755ea
SHA256: 1bed54ab01a098e8eefee909a56a0ce2b4ffc50208869d313501680c11e05798
SHA512: f4369eb6c97714d9409f67598022fab36555405a4b4a2fcac31b8b8a631a19280c0204e32bd9c46a33d44a77c31134f129e3b7295dfc0c6470c612e62b352296
SSDEEP: 12288:zVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1Kt:ifP7fWsK5z9A+WGAW+V5SB6Ct4bnbKt
Malware Config
Signatures
YARA rule match:
  resource: behavioral2/memory/3464-4-0x0000000002BE0000-0x0000000002BE1000-memory.dmp
  yara_rule: dridex_stager_shellcode
Drops startup file 3 IoCs
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZOYqG7sjK
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZOYqG7sjK\appwiz.cpl
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZOYqG7sjK\OptionalFeatures.exe
Executes dropped EXE 3 IoCs
  pid 3884: PasswordOnWakeSettingFlyout.exe
  pid 3876: OptionalFeatures.exe
  pid 3348: cmstp.exe
Loads dropped DLL 4 IoCs
  pid 3884: PasswordOnWakeSettingFlyout.exe
  pid 3876: OptionalFeatures.exe
  pid 3348: cmstp.exe
  pid 3348: cmstp.exe
Adds Run key to start application 2 TTPs 1 IoCs
  Set value (str): \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gdfgjdhwrlpouj = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\Startup\\ZOYQG7~1\\OPTION~1.EXE"
Checks whether UAC is enabled 4 IoCs
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (rundll32.exe)
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (PasswordOnWakeSettingFlyout.exe)
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (OptionalFeatures.exe)
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (cmstp.exe)
Suspicious behavior: EnumeratesProcesses 64 IoCs
  pid 4488 rundll32.exe: 4 entries
  pid 3464 (no image name recorded): the remaining 60 entries
Suspicious use of AdjustPrivilegeToken 4 IoCs
  pid 3464: Token: SeShutdownPrivilege
  pid 3464: Token: SeCreatePagefilePrivilege
  pid 3464: Token: SeShutdownPrivilege
  pid 3464: Token: SeCreatePagefilePrivilege
Suspicious use of FindShellTrayWindow 2 IoCs
  pid 3464 (2 entries)
Suspicious use of UnmapMainImage 1 IoCs
  pid 3464
Suspicious use of WriteProcessMemory 12 IoCs
  source pid 3464 (no image name recorded) wrote to:
    pid 3616 PasswordOnWakeSettingFlyout.exe (2 entries)
    pid 3884 PasswordOnWakeSettingFlyout.exe (2 entries)
    pid 3880 OptionalFeatures.exe (2 entries)
    pid 3876 OptionalFeatures.exe (2 entries)
    pid 2384 cmstp.exe (2 entries)
    pid 3348 cmstp.exe (2 entries)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (all entries are at tree depth 1)

Note: pid 3464, the process holding the dridex_stager_shellcode YARA match and the source of every WriteProcessMemory entry above, does not appear in this tree and has no image name recorded in the report.

C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\7477fc39b45ddb88b4ff0de5a954889a.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID: 4488

C:\Windows\system32\PasswordOnWakeSettingFlyout.exe
  command line: C:\Windows\system32\PasswordOnWakeSettingFlyout.exe
  PID: 3616

C:\Users\Admin\AppData\Local\eGcMl\PasswordOnWakeSettingFlyout.exe
  command line: C:\Users\Admin\AppData\Local\eGcMl\PasswordOnWakeSettingFlyout.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 3884

C:\Windows\system32\OptionalFeatures.exe
  command line: C:\Windows\system32\OptionalFeatures.exe
  PID: 3880

C:\Users\Admin\AppData\Local\6ndyrWFGr\OptionalFeatures.exe
  command line: C:\Users\Admin\AppData\Local\6ndyrWFGr\OptionalFeatures.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 3876

C:\Windows\system32\cmstp.exe
  command line: C:\Windows\system32\cmstp.exe
  PID: 2384

C:\Users\Admin\AppData\Local\8o9\cmstp.exe
  command line: C:\Users\Admin\AppData\Local\8o9\cmstp.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 3348
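The process tree and persistence IoCs above show one pattern: copies of three Windows system binaries (PasswordOnWakeSettingFlyout.exe, OptionalFeatures.exe, cmstp.exe) executed from random directories under AppData\Local, each loading a dropped DLL, plus a Startup-folder copy of OptionalFeatures.exe beside appwiz.cpl and a Run value pointing at it through an 8.3 short path. The script below is an added example, not the sandbox's tooling and not code from the sample, that turns that pattern into a host hunt: it flags executables running from the user profile under the name of a System32 binary, Run values that launch from the profile, and Startup-folder copies of system binaries together with any library dropped beside them. The sample inputs are copied from the IoCs on this page; the function and constant names are this example's own, and collect_live() assumes a stock English Windows 10 profile layout (HKCU Run key, per-user Startup folder, %SystemRoot%\System32) and returns None on other platforms.

```python
"""Hunt for the pattern in the report above: Windows system binaries copied out of
System32 into the user profile as side-loading hosts, plus Startup-folder and
Run-key persistence pointing into the profile.  Added example, not the sandbox's
tooling; collect_live() assumes a stock English Windows 10 profile layout."""
import os
import sys
from pathlib import PureWindowsPath

LIBRARY_SUFFIXES = {".dll", ".cpl", ".ocx"}  # files a copied EXE would side-load

# Constructed sample input, copied from the process tree and persistence IoCs above.
SAMPLE_PROCESSES = [
    r"C:\Windows\system32\rundll32.exe",
    r"C:\Windows\system32\PasswordOnWakeSettingFlyout.exe",
    r"C:\Users\Admin\AppData\Local\eGcMl\PasswordOnWakeSettingFlyout.exe",
    r"C:\Windows\system32\OptionalFeatures.exe",
    r"C:\Users\Admin\AppData\Local\6ndyrWFGr\OptionalFeatures.exe",
    r"C:\Windows\system32\cmstp.exe",
    r"C:\Users\Admin\AppData\Local\8o9\cmstp.exe",
]
SAMPLE_RUN_VALUES = {"Gdfgjdhwrlpouj": r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows"
                     r"\STARTM~1\Programs\Startup\ZOYQG7~1\OPTION~1.EXE"}
SAMPLE_STARTUP_FILES = [
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZOYqG7sjK\appwiz.cpl",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZOYqG7sjK\OptionalFeatures.exe",
]

def _parts(path):
    return [p.lower() for p in PureWindowsPath(path.strip('"')).parts]

def in_system_dir(path):
    p = _parts(path)
    return len(p) > 3 and p[1] == "windows" and p[2] in ("system32", "syswow64")

def in_user_dir(path):
    p = _parts(path)
    return len(p) > 2 and p[1] == "users"

def system_binary_names(paths):
    """Lower-cased names of executables seen under System32/SysWOW64."""
    return {PureWindowsPath(p).name.lower() for p in paths if in_system_dir(p)}

def find_sideloaded_copies(exe_paths, system_names):
    """Executables running from the user profile under a System32 binary's name."""
    return [p for p in exe_paths
            if in_user_dir(p) and PureWindowsPath(p).name.lower() in system_names]

def review_persistence(run_values, startup_files, system_names):
    """Return (location, target, reason) triples that deserve an analyst's look."""
    findings = []
    for name, target in run_values.items():
        if in_user_dir(target):
            why = "Run value launches a program from the user profile"
            if "~" in target:  # 8.3 component such as OPTION~1.EXE hides the real name
                why += "; resolve the 8.3 short path on the host before comparing names"
            findings.append((f"HKCU Run\\{name}", target, why))
    for f in startup_files:
        fp = PureWindowsPath(f)
        if fp.suffix.lower() == ".exe" and fp.name.lower() in system_names:
            findings.append(("Startup folder", f, "copy of a Windows system binary"))
            for g in startup_files:  # libraries dropped beside the copied host binary
                gp = PureWindowsPath(g)
                if gp.suffix.lower() in LIBRARY_SUFFIXES and gp.parent == fp.parent:
                    findings.append(("Startup folder", g, f"library beside {fp.name}: side-load candidate"))
    return findings

def collect_live():
    """Windows-only: gather the same inputs from the running host (None elsewhere)."""
    if sys.platform != "win32":
        return None
    import winreg
    names = {n.lower() for n in os.listdir(os.path.join(os.environ["SystemRoot"], "System32"))}
    run, i = {}, 0
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
        while True:
            try:
                name, value, _ = winreg.EnumValue(key, i)
            except OSError:  # EnumValue raises once the index runs past the last value
                break
            run[name], i = str(value), i + 1
    startup = os.path.join(os.environ["APPDATA"], r"Microsoft\Windows\Start Menu\Programs\Startup")
    files = [os.path.join(d, f) for d, _, fs in os.walk(startup) for f in fs]
    return names, run, files

if __name__ == "__main__":
    live = collect_live()
    if live:
        names, run_values, startup_files = live
        exe_paths = []  # feed process image paths from an EDR or Sysmon export here
    else:
        names, run_values = system_binary_names(SAMPLE_PROCESSES), SAMPLE_RUN_VALUES
        startup_files, exe_paths = SAMPLE_STARTUP_FILES, SAMPLE_PROCESSES
    for p in find_sideloaded_copies(exe_paths, names):
        print("side-loaded copy:", p)
    for where, target, why in review_persistence(run_values, startup_files, names):
        print(f"{where}: {target} -> {why}")
```

Run on the report's own data it reports the three AppData\Local copies, the Run value (with a reminder that its 8.3 path must be resolved on the host before name matching), the Startup-folder OptionalFeatures.exe, and appwiz.cpl as the library beside it. Name matching alone does not prove a binary is a relocated system copy; compare the file hash against the System32 original before calling it.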
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 110KB
MD5: d6cd8bef71458804dbc33b88ace56372
SHA1: a18b58445be2492c5d37abad69b5aa0d29416a60
SHA256: fa2e741416994f2c1bf9ef7a16b9c4dbf20c84267e3da91ae6f1ad75ee9f49b8
SHA512: 1bed8af2cf99a7f3bb36a34f4a71c34787904bd072ecdc731fb7498290dcf4024b956fb8b6912ad050b74aa861f0b0349081b77088f72732bda5075413b1f83d

Filesize: 1.8MB
MD5: 1e975a810a1010763c4ef98476955171
SHA1: 3ea2206a4dd2139d2b024c7c9f4b0a88c803b370
SHA256: 076a0adc4110fe04316bc651cd4126bab6c32492808799a27acb15c4fb7d002d
SHA512: acc180480e2cfd8ac2d22e16d9317e41e8009a0e4721547b119eae26b2a4809fec2ea558a31b5b8e8420a8b304f2429cff2d63a4542345df134cd1bacb22795f

Filesize: 1.8MB
MD5: 9ecc2bc6779cae37cfff6282dbec4a7a
SHA1: e82b199fba7a58953e6cc4b1f9af252a3a516e97
SHA256: 367ad3c11f6e4cf326f01efcc53271622af851d4bc16baeb6136dbee5a1ac231
SHA512: 99d3c18cf1e9096a1cc458ae5fe36b01a338de7105b280409206ecb0f9a681ce3e9d330e712111e29230eee5090df33f55aa3f6cd6f29fe7b41deea3d532fe86

Filesize: 96KB
MD5: 4cc43fe4d397ff79fa69f397e016df52
SHA1: 8fd6cf81ad40c9b123cd75611860a8b95c72869c
SHA256: f2d3905ee38b2b5c0b724d582f14eb1db7621ffb8f3826df686a20784341614c
SHA512: 851ef9fa5a03ec8b9fea0094c6e4bfa0b9e71cee3412ee86b2dfc34682aa5fb6455fefe7fc0092b711956d7c880cf8a5761b63ee990aa8e72f3473086ac0f157

Filesize: 44KB
MD5: 591a98c65f624c52882c2b238d6cd4c4
SHA1: c960d08c19d777069cf265dcc281807fbd8502d7
SHA256: 5e6ed524c955fb1ea3e24f132987143da3ec81db5041a0edcfa7bf3ac790eb06
SHA512: 1999f23c90d85857461f8ddc5342470296f6939a654ac015780c2977f293c1f799fc992462f3d4d9181c97ab960db3291b85ea7c0537edcb57755706b20b6074

Filesize: 1.8MB
MD5: dd3d42654d5f0a2160f50089ada77961
SHA1: 60ce289ee7e076688b1e74ef7c459cafba44987f
SHA256: 2d051fca8b065f47662cab970fab271145aa8d1086d82f87d0cd7ad75044321e
SHA512: 45f04399ebfb5bbc2e5fa13b7181630cc3d98c6e3a1d005305410d924fd137653547f3b505601462b7d7035c20fc7cb798876b65c066aa853a22a929a0e06202

Filesize: 1KB
MD5: 6dc4ebc4985c890b24ca556dcac9798f
SHA1: cf3d795cd026bf5316a7c24630bae5f08a4df1bd
SHA256: b9e35a0df8428f3c3f8cbb05f26f45fad317c57b9e4606a3317fc13c116fdc86
SHA512: 88c104335e70e72a17d776ae97844b10ffc6ef06312db20afccae75c46c2552b571ee086bd3ae28a7d3f6f8bb86b0e250b77003a6527c04941b893429b45e266