Analysis
max time kernel: 150s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-01-2024 10:36
Static task: static1
Behavioral task: behavioral1
Sample: 74792d6438fe27a6b4efb9c1142f875c.dll
Resource: win7-20231215-en
General
Target: 74792d6438fe27a6b4efb9c1142f875c.dll
Size: 1.7MB
MD5: 74792d6438fe27a6b4efb9c1142f875c
SHA1: df86d55db627c71dfda71d31b9120875b4763655
SHA256: 91f4e0d55b25c852d48512dcc4852c2aa7d950cfb08fbcc53c1f373202032dae
SHA512: c273b6b6e722fed5ebc10f107cce93c97bb4d32fdd89547ce1bf1392f02e1647d4eedfccd9a92cbe7cb0e239897fdce905ec15fc833f0be604856963792aa2b4
SSDEEP: 12288:5VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1kt:4fP7fWsK5z9A+WGAW+V5SB6Ct4bnbkt
Malware Config
Signatures
Processes:
  resource                                                                            yara_rule
  behavioral2/memory/3512-4-0x0000000003390000-0x0000000003391000-memory.dmp          dridex_stager_shellcode
Executes dropped EXE 3 IoCs
Processes:
  pid   process
  3400  msdt.exe
  4524  rdpinit.exe
  3476  RdpSaUacHelper.exe
Loads dropped DLL 3 IoCs
Processes:
  pid   process
  3400  msdt.exe
  4524  rdpinit.exe
  3476  RdpSaUacHelper.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mbfbagbrjs = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\SYSTEM~1\\SOP45Z~1\\IRBIIF~1\\rdpinit.exe"
  process: (not recorded in the report)
Checks whether UAC is enabled
Processes:
  description         ioc                                                                                process
  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   rdpinit.exe
  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   RdpSaUacHelper.exe
  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   rundll32.exe
  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   msdt.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
  pid   process                           entries
  4692  rundll32.exe                      5
  3512  (no process name recorded)        59
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
  description                        pid   process
  Token: SeShutdownPrivilege         3512  (no process name recorded)
  Token: SeCreatePagefilePrivilege   3512  (no process name recorded)
  Token: SeShutdownPrivilege         3512  (no process name recorded)
  Token: SeCreatePagefilePrivilege   3512  (no process name recorded)
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
  pid   process
  3512  (no process name recorded)
  3512  (no process name recorded)
Suspicious use of UnmapMainImage 1 IoCs
Processes:
  pid   process
  3512  (no process name recorded)
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
  description                         pid   process                       target process
  PID 3512 wrote to memory of 1140    3512  (no process name recorded)    msdt.exe
  PID 3512 wrote to memory of 1140    3512  (no process name recorded)    msdt.exe
  PID 3512 wrote to memory of 3400    3512  (no process name recorded)    msdt.exe
  PID 3512 wrote to memory of 3400    3512  (no process name recorded)    msdt.exe
  PID 3512 wrote to memory of 3412    3512  (no process name recorded)    rdpinit.exe
  PID 3512 wrote to memory of 3412    3512  (no process name recorded)    rdpinit.exe
  PID 3512 wrote to memory of 4524    3512  (no process name recorded)    rdpinit.exe
  PID 3512 wrote to memory of 4524    3512  (no process name recorded)    rdpinit.exe
  PID 3512 wrote to memory of 716     3512  (no process name recorded)    RdpSaUacHelper.exe
  PID 3512 wrote to memory of 716     3512  (no process name recorded)    RdpSaUacHelper.exe
  PID 3512 wrote to memory of 3476    3512  (no process name recorded)    RdpSaUacHelper.exe
  PID 3512 wrote to memory of 3476    3512  (no process name recorded)    RdpSaUacHelper.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\74792d6438fe27a6b4efb9c1142f875c.dll,#1
  depth: 1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID: 4692
- C:\Windows\system32\msdt.exe
  command line: C:\Windows\system32\msdt.exe
  depth: 1
  PID: 1140
- C:\Users\Admin\AppData\Local\wFCjt\msdt.exe
  command line: C:\Users\Admin\AppData\Local\wFCjt\msdt.exe
  depth: 1
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 3400
- C:\Users\Admin\AppData\Local\FfnzqlJK\RdpSaUacHelper.exe
  command line: C:\Users\Admin\AppData\Local\FfnzqlJK\RdpSaUacHelper.exe
  depth: 1
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 3476
- C:\Windows\system32\RdpSaUacHelper.exe
  command line: C:\Windows\system32\RdpSaUacHelper.exe
  depth: 1
  PID: 716
- C:\Users\Admin\AppData\Local\OTzaI\rdpinit.exe
  command line: C:\Users\Admin\AppData\Local\OTzaI\rdpinit.exe
  depth: 1
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 4524
- C:\Windows\system32\rdpinit.exe
  command line: C:\Windows\system32\rdpinit.exe
  depth: 1
  PID: 3412
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\sOP45Z1AI\IRBiIF9rz\dwmapi.dll
  Filesize: 1.7MB
  MD5: 0b562cc32bc649840aa297a0edf3b589
  SHA1: 76d4d5be8737b37548db0be0ae7830ac7e3179cc
  SHA256: f2990ec7cf3d3499cd0dd1e421f9e45f491830a1241c8fa4b42cc12a8bb2f7db
  SHA512: f0e7ef0e95207f190ecfc0060109829681a2f30561b0f6aae596a73f23c4aa4ab999c8f773dad8c6a0b946de284b88cac083f35a4a2cc7700dc97f39b0eff25f