Analysis
max time kernel: 42s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-01-2024 22:48
Static task: static1
Behavioral task: behavioral1
Sample: 78978e5afac60e6f6b472c51b7fc6180.dll
Resource: win7-20231215-en
General
Target: 78978e5afac60e6f6b472c51b7fc6180.dll
Size: 3.3MB
MD5: 78978e5afac60e6f6b472c51b7fc6180
SHA1: 14062e7ebe696b055b7c78bf1816159cb8206692
SHA256: 36d11f59d8e8c07bc7d44ff589ff73669cd9794257680dab506d9badb7b80a47
SHA512: 0c5cc1cc61645539bc8d6291ac72bd98aaed32a33424dc5c1f69549034648afa75eb6b677e2dc2f71fd4ae26720195c377e7460f57ee853b508d21871db0d981
SSDEEP: 12288:jVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:yfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
Processes:
  resource: behavioral2/memory/3456-4-0x0000000002670000-0x0000000002671000-memory.dmp
  yara_rule: dridex_stager_shellcode
Drops startup file 3 IoCs
Processes:
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\QNnZ2E
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\QNnZ2E\WINMM.dll
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\QNnZ2E\PresentationSettings.exe
Executes dropped EXE 3 IoCs
Processes: PresentationSettings.exe, SystemPropertiesHardware.exe, sdclt.exe
  pid 3772: PresentationSettings.exe
  pid 4972: SystemPropertiesHardware.exe
  pid 4480: sdclt.exe
Loads dropped DLL 3 IoCs
Processes: PresentationSettings.exe, SystemPropertiesHardware.exe, sdclt.exe
  pid 3772: PresentationSettings.exe
  pid 4972: SystemPropertiesHardware.exe
  pid 4480: sdclt.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  Set value (str): \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Kqgfxymewp = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\mi\\SystemPropertiesHardware.exe"
Checks whether UAC is enabled
Processes: rundll32.exe, PresentationSettings.exe, SystemPropertiesHardware.exe, sdclt.exe
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (rundll32.exe)
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (PresentationSettings.exe)
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (SystemPropertiesHardware.exe)
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (sdclt.exe)
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: rundll32.exe
  pid 2196: rundll32.exe (4 entries)
  pid 3456: process name not recorded (remaining 60 entries)
Suspicious use of WriteProcessMemory 12 IoCs
Processes (source process name not recorded for PID 3456):
  PID 3456 wrote to memory of 1428, target process PresentationSettings.exe (2 entries)
  PID 3456 wrote to memory of 3772, target process PresentationSettings.exe (2 entries)
  PID 3456 wrote to memory of 4796, target process SystemPropertiesHardware.exe (2 entries)
  PID 3456 wrote to memory of 4972, target process SystemPropertiesHardware.exe (2 entries)
  PID 3456 wrote to memory of 2360, target process sdclt.exe (2 entries)
  PID 3456 wrote to memory of 4480, target process sdclt.exe (2 entries)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\78978e5afac60e6f6b472c51b7fc6180.dll,#1
  Signatures: Checks whether UAC is enabled; Suspicious behavior: EnumeratesProcesses
  PID: 2196
- C:\Windows\system32\PresentationSettings.exe
  Command line: C:\Windows\system32\PresentationSettings.exe
  PID: 1428
- C:\Users\Admin\AppData\Local\nYiqOsAm\PresentationSettings.exe
  Command line: C:\Users\Admin\AppData\Local\nYiqOsAm\PresentationSettings.exe
  Signatures: Executes dropped EXE; Loads dropped DLL; Checks whether UAC is enabled
  PID: 3772
- C:\Windows\system32\SystemPropertiesHardware.exe
  Command line: C:\Windows\system32\SystemPropertiesHardware.exe
  PID: 4796
- C:\Users\Admin\AppData\Local\suukkMCsY\SystemPropertiesHardware.exe
  Command line: C:\Users\Admin\AppData\Local\suukkMCsY\SystemPropertiesHardware.exe
  Signatures: Executes dropped EXE; Loads dropped DLL; Checks whether UAC is enabled
  PID: 4972
- C:\Windows\system32\sdclt.exe
  Command line: C:\Windows\system32\sdclt.exe
  PID: 2360
- C:\Users\Admin\AppData\Local\mRb\sdclt.exe
  Command line: C:\Users\Admin\AppData\Local\mRb\sdclt.exe
  Signatures: Executes dropped EXE; Loads dropped DLL; Checks whether UAC is enabled
  PID: 4480
Network
MITRE ATT&CK Enterprise v15
Downloads