Analysis
max time kernel: 149s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-01-2024 12:10
Static task: static1
Behavioral task: behavioral1
Sample: 74aa7a7b1a55a686da6fb64c99496b53.dll
Resource: win7-20231215-en
General
Target: 74aa7a7b1a55a686da6fb64c99496b53.dll
Size: 3.2MB
MD5: 74aa7a7b1a55a686da6fb64c99496b53
SHA1: baf7fcf0fe7a57031c1285f02cb4a0814e54fa31
SHA256: e12d72cce77128cc87490c508bb9e32003d1141cf5ccc962117961d65c2d71ab
SHA512: 6e7d2349024ceb235cb85ddc9c88695796197d9dd84f19518e0639f93f5cd0cd713c216d04f85e961be6115b93e34e4fc39912b8b9262b2f8b69ed7d68ef05b1
SSDEEP: 12288:4VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:tfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
YARA rule match
Processes:
- resource behavioral2/memory/3488-5-0x0000000008B20000-0x0000000008B21000-memory.dmp: yara_rule dridex_stager_shellcode
Drops startup file 3 IoCs
Processes:
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\OVcMs
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\OVcMs\OLEACC.dll
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\OVcMs\Magnify.exe
Executes dropped EXE 3 IoCs
Processes:
- pid 2656 EhStorAuthn.exe
- pid 4080 Magnify.exe
- pid 2804 DisplaySwitch.exe
Loads dropped DLL 3 IoCs
Processes:
- pid 2656 EhStorAuthn.exe
- pid 4080 Magnify.exe
- pid 2804 DisplaySwitch.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
- Set value (str): \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tgnmvdx = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\OVcMs\\Magnify.exe"
Checks whether UAC is enabled 4 IoCs
Processes:
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (rundll32.exe)
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (EhStorAuthn.exe)
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (Magnify.exe)
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (DisplaySwitch.exe)
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
- pid 3424 rundll32.exe (4 entries)
- pid 3488, process name not recorded (remaining 60 entries)
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
- Token: SeShutdownPrivilege, pid 3488
- Token: SeCreatePagefilePrivilege, pid 3488
- Token: SeShutdownPrivilege, pid 3488
- Token: SeCreatePagefilePrivilege, pid 3488
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
- pid 3488 (2 entries)
Suspicious use of UnmapMainImage 1 IoCs
Processes:
- pid 3488
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
- PID 3488 wrote to memory of 1740 (target process: EhStorAuthn.exe), 2 entries
- PID 3488 wrote to memory of 2656 (target process: EhStorAuthn.exe), 2 entries
- PID 3488 wrote to memory of 5112 (target process: Magnify.exe), 2 entries
- PID 3488 wrote to memory of 4080 (target process: Magnify.exe), 2 entries
- PID 3488 wrote to memory of 2532 (target process: DisplaySwitch.exe), 2 entries
- PID 3488 wrote to memory of 2804 (target process: DisplaySwitch.exe), 2 entries
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\74aa7a7b1a55a686da6fb64c99496b53.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID: 3424
- C:\Windows\system32\EhStorAuthn.exe
  Command line: C:\Windows\system32\EhStorAuthn.exe
  PID: 1740
- C:\Users\Admin\AppData\Local\yXJ\EhStorAuthn.exe
  Command line: C:\Users\Admin\AppData\Local\yXJ\EhStorAuthn.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 2656
- C:\Windows\system32\Magnify.exe
  Command line: C:\Windows\system32\Magnify.exe
  PID: 5112
- C:\Users\Admin\AppData\Local\DWMDW\Magnify.exe
  Command line: C:\Users\Admin\AppData\Local\DWMDW\Magnify.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 4080
- C:\Windows\system32\DisplaySwitch.exe
  Command line: C:\Windows\system32\DisplaySwitch.exe
  PID: 2532
- C:\Users\Admin\AppData\Local\33RqMbJFy\DisplaySwitch.exe
  Command line: C:\Users\Admin\AppData\Local\33RqMbJFy\DisplaySwitch.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 2804
Network
MITRE ATT&CK Enterprise v15
Downloads