Analysis

max time kernel: 150s
max time network: 122s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-01-2024 22:07

Static task: static1
Behavioral task: behavioral1
Sample: 78833dc80091e76f426f64b576358fef.dll
Resource: win7-20231215-en

General

Target: 78833dc80091e76f426f64b576358fef.dll
Size: 1.9MB
MD5: 78833dc80091e76f426f64b576358fef
SHA1: 73bf7b969ae33dfbf064bd0ae6eba9e5caf12a49
SHA256: c004c89e8e9190bf7629831fa4b9f1a6a90510777e4d233e119b0f4902f66222
SHA512: 083b730c34431022a4cea13721af99a789820de1b135a9eff815bbe7a7a8f4e7162576c3c821fb781a2366ab78d83c5382744de3a032b3af02e3db2320557a28
SSDEEP: 12288:9VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1Mt:kfP7fWsK5z9A+WGAW+V5SB6Ct4bnbMt
Malware Config
Signatures
Processes:
resource | yara_rule
behavioral2/memory/3500-4-0x00000000076F0000-0x00000000076F1000-memory.dmp | dridex_stager_shellcode

Executes dropped EXE 3 IoCs
Processes:
pid | process
968 | raserver.exe
4832 | GamePanel.exe
1612 | SysResetErr.exe

Loads dropped DLL 4 IoCs
Processes:
pid | process
968 | raserver.exe
4832 | GamePanel.exe
4832 | GamePanel.exe
1612 | SysResetErr.exe

Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mmiwstgfcubwacq = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\KgQgoP2It\\GamePanel.exe" | (not recorded)

Checks whether UAC is enabled
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | raserver.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | GamePanel.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | SysResetErr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process
4952 | rundll32.exe (listed 4 times)
3500 | (process name not recorded; accounts for the remaining entries)

Suspicious use of AdjustPrivilegeToken 8 IoCs
Processes:
description | pid | process
Token: SeShutdownPrivilege | 3500 | (not recorded)
Token: SeCreatePagefilePrivilege | 3500 | (not recorded)
(this pair of entries is listed four times, 8 entries in total)

Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
pid | process
3500 | (not recorded)
3500 | (not recorded)

Suspicious use of UnmapMainImage 1 IoCs
Processes:
pid | process
3500 | (not recorded)

Suspicious use of WriteProcessMemory 12 IoCs
Processes:
description | pid | process | target process
PID 3500 wrote to memory of 1808 | 3500 | (not recorded) | raserver.exe (listed twice)
PID 3500 wrote to memory of 968 | 3500 | (not recorded) | raserver.exe (listed twice)
PID 3500 wrote to memory of 4124 | 3500 | (not recorded) | GamePanel.exe (listed twice)
PID 3500 wrote to memory of 4832 | 3500 | (not recorded) | GamePanel.exe (listed twice)
PID 3500 wrote to memory of 4816 | 3500 | (not recorded) | SysResetErr.exe (listed twice)
PID 3500 wrote to memory of 1612 | 3500 | (not recorded) | SysResetErr.exe (listed twice)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\78833dc80091e76f426f64b576358fef.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID: 4952

C:\Users\Admin\AppData\Local\EfSUafuH8\raserver.exe
  Command line: C:\Users\Admin\AppData\Local\EfSUafuH8\raserver.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 968

C:\Windows\system32\raserver.exe
  Command line: C:\Windows\system32\raserver.exe
  PID: 1808

C:\Windows\system32\GamePanel.exe
  Command line: C:\Windows\system32\GamePanel.exe
  PID: 4124

C:\Windows\system32\SysResetErr.exe
  Command line: C:\Windows\system32\SysResetErr.exe
  PID: 4816

C:\Users\Admin\AppData\Local\pkV\GamePanel.exe
  Command line: C:\Users\Admin\AppData\Local\pkV\GamePanel.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 4832

C:\Users\Admin\AppData\Local\3eOQ\SysResetErr.exe
  Command line: C:\Users\Admin\AppData\Local\3eOQ\SysResetErr.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 1612
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 246KB
MD5: 6798a21b27de1172afab7aded7a877d6
SHA1: d3447fe4c629ada17528c904bc4d972fc4fcc9f3
SHA256: ec5e433e03a536a8b71da1d75d1c5adf92429f7e90baa9a47a919e72a68cc039
SHA512: 30977999f20facec53004cdeab1581f2648fc80a274578271af6a61b90fb2aff93d6bf88258932c531e4d14a912d79abdbe413d7e981119d2dd0909b80236154

Filesize: 187KB
MD5: 464d7756b0ba689188afe23bc84f7fe2
SHA1: 7a56ebdab7204fa7691a9e162048df067724afe8
SHA256: 820292c0646218c37225b12c2786fdcca6e892338cc6dc92f70f66b52a4c1d16
SHA512: a4824d0504165f14d551825117b5c4370617e9bb6dae523dddffbe91a2f01c345355aafdcf24aa424a47772c5cd333d460fb4eb008a7d5c3a3b180c6bdb71bfb

Filesize: 41KB
MD5: 090c6f458d61b7ddbdcfa54e761b8b57
SHA1: c5a93e9d6eca4c3842156cc0262933b334113864
SHA256: a324e3ba7309164f215645a6db3e74ed35c7034cc07a011ebed2fa60fda4d9cd
SHA512: c9ef79397f3a843dcf2bcb5f761d90a4bdadb08e2ca85a35d8668cb13c308b275ed6aa2c8b9194a1f29964e0754ad05e89589025a0b670656386a8d448a1f542

Filesize: 85KB
MD5: 3030c7a79d30887b4b19dd6c2ee26d30
SHA1: 0020569b12db5247ff878909e7aa6b0f769f11cd
SHA256: e5905aecb74d8be2f0e681125d0d36f97e3526acd38ed10b6d904569a7c8b274
SHA512: 6a47e06f332b5f40161063692688fe34c05a66af59cdc0ac2d6860d8d5d7c066b064130b3b9d614a36a2f595244570e60501244b591f2bc80f2d01e6ab343d0a

Filesize: 64KB
MD5: 59e4ea7cdbbb854d81910c2d7d03441d
SHA1: f880cb5424edb7fce5609177b5736d406d8b404a
SHA256: 6ef3893145af64466e50f7e4b3bb798235591c16d6dbc0eeab287d416dfe6f39
SHA512: ed43cfe9fef58687319d4954d6b1aa6e2df4bd7c9f8a40b77eef07844c65d52d0a6c5cc02bf6338b5993c0b351118ac82c84f5d735d8ed14cf6a07fc993be8a5

Filesize: 112KB
MD5: a84f020d6ae51dc4c481bb34c286eab2
SHA1: 4ad094ab6d1b874e709d9a34dca5663bc2198982
SHA256: a110e2f03030fd67752cdfbae6e940ae0d25b2e347ed716ca9017016d794e51c
SHA512: 662373c646f20bf9f9f0de397c2f3432b6bb4743d3be58da56284c94b72c7737c9cf14ef8c148a62276fe74ea48c3446df1600f48eaed996b3f360df99d845a5

Filesize: 45KB
MD5: 1d3c0ed6df6157ccd8e6262dfa8d2cbf
SHA1: 45cccd41b9f86dbf1c87e95fedfae1c7dd192c13
SHA256: eef504fa8d830f50b825744c862a0535f8d8342705b23a50dc21be117d21191e
SHA512: 5f35587f3862f782b488acfe67823c9a5a34a89a35acad1a0a5acfaffc5268daf527d9d3743817a8f80afae909bd9ba0ee50f006f738048d0b3a4cb38b81c4ee

Filesize: 39KB
MD5: 9d7a80f85fcd59e9a4a922bcf704ab34
SHA1: 596095995886fbb7510dd3086140518c5e95e537
SHA256: f69e4e96d88817e14d8a39fd46254414e09a3b902517fe04ebd685882a6765a0
SHA512: 1d1c084ed775cc2fabdc9bb6372be46c4c416a83e9bef7ffba170c934a1f4c991f6f6fda4a04800079815a848f60583b4050d11bd9bc34e60aa813a5afbfb937

Filesize: 10KB
MD5: 6a31226e58e7b5ee99f21a24f3806638
SHA1: 009258799d942dbe201a341e2431ef6d79911390
SHA256: a6aba25e59a74efc5154132ceda2b623c5b502ddf9106cf1e1a4b91304521b89
SHA512: 1fe278c1baafd6a227e7ac4b8cbddef80109be22dd04d2a87c76e03d14f21c533fe459c397f6b15e53400f9d83c05e7a08ce38815b2b79c51810bef5ecaeff58

Filesize: 18KB
MD5: 12b9b88ce623fe85f14bdd7ee72d1dbb
SHA1: 7e08a05d0995c30fc67ae1107fe9d9b57633cd0f
SHA256: df609eaa3be0bebc9c52aa62f188bcea66eec4c69739f0d627dd3aabb74e1258
SHA512: a815529c7a9c7b2a877b43ed4d8c704d957d10637e190616f1c8eab67e52572f1d50e413c83611bcaf0899976af859d84ade7602a41759ac836bf5700ca2cdfb

Filesize: 35KB
MD5: b9ab24e201d12db5f0bf6b5e716d6052
SHA1: 28ff7d6e9208d0d2898368f580929a0f00fb5700
SHA256: b3a9f362a0ebbe3c8c85b786623065a02947a754101b2c14bb86512407e65a27
SHA512: cee665127bacf0cfbe568509615e4b63f48ff464085c884b1b86a49449b1163958c17059338b5ffe4b61136199c2bf80daeaa0fd8d82200500d936a52de747dd

Filesize: 24KB
MD5: 7d1f628d1f668220ed87aec090bc681a
SHA1: b812eff8c75c97181f380bce0eabc90776c59761
SHA256: abeb23abe628b376f34cb29b8d3562564ba38024f15b8e12a8a4ff2afd8a6683
SHA512: 3935a1840480d61a3413fe7942c28b93b91693b1243a5fb24e1802eea407b3d6902a21133c1834ac5e0285564c858aac5120040908bdea7fd3e95272ac5c01c1

Filesize: 1KB
MD5: 7d3f334965a186468615510866ab2e5f
SHA1: 4cf613b15680ec187605c97620a2a7bee95b1e6b
SHA256: 0d2cb745c05cf01188b266eff3db913ebc759d935513b79cc385c33729046164
SHA512: 458dbc2fdd0d294d64b5dbdb0a9ceab2efa43b1196943a12ef401b34a562fe92a173d8ecc15ca1f88ee91bb89df54d5cb8f3fd9c5ce4cd4533b6d097d7d30e39

Filesize: 2.2MB
MD5: 88dfc57ad7075b8598558a61875ff9c5
SHA1: 9e00c3955a5f7ec13482f87ee9cba297468afddd
SHA256: ddda48d78fd7deb18a50715908b49c9db2f56156b9ebe7ce3de2c39912b894c5
SHA512: 1a81b17656196a9d5faf9a1ecc1c0cd342ae9d5ded303d98c2f10d39238aa89e9945f39671d512ff6314f7ee4fe83ad926f73c32f9380b922980f9e297c9f503

Filesize: 2.0MB
MD5: 5ef51b80863f71f789e43a80be38db7c
SHA1: a571ab4bf059d23f295d884b557a6e796ea34314
SHA256: b52a774125737d484ccac47e99733d1f9ba800b0e0e4681755e03145450d7c9d
SHA512: 77e5333e5858d489e33c155df30ff38147275e99fe2d331a0bc19a0fcb4111b725586743bb1b49d0c6debd742032f4aefb36721a47a257e2c7da368d4ad95a1e

Filesize: 2.0MB
MD5: fdc1e4e892c1f5bfd5239fddb5072a35
SHA1: 832d0dd6b8af960f4f42f38059aef2431de28e01
SHA256: ff301db9fe1dc94f0c67ec9588919efe15e40a8f9ffa66ad5c7a3f82b91a36fc
SHA512: bf0b760482a601224201d8795cacbb41e2067d051b53f7e7b8b2a61fc4a42749905a23bab050830434d59aa40bc4e343fc162391782e339fe1f3de88f135c631