Analysis
- Max time kernel: 122s
- Max time network: 92s
- Platform: windows10-2004_x64
- Resource: win10v2004-20231222-en
- Resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
- Submitted: 26-01-2024 00:55

Static task: static1
Behavioral task: behavioral1
Sample: 75f65720fe58821d96cea7f4f1f6f530.dll
Resource: win7-20231215-en
General
- Target: 75f65720fe58821d96cea7f4f1f6f530.dll
- Size: 3.5MB
- MD5: 75f65720fe58821d96cea7f4f1f6f530
- SHA1: 2a9ff7f107e3feda0a0dfece7a475e0950b023b8
- SHA256: dc652ba2912e47491ce16ba0da31998a4f7f8e30dc968203b5ed070fcebbf887
- SHA512: cf57fd4f1285344ee520906509c946f0416ac4e85b4fff18f308b8cfbb65fc7fb4dac573a9c65a90ef1c95f131592b11011a53117225a19c1e88114ad830b2f3
- SSDEEP: 12288:PVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:mfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
-
Processes (resource | yara_rule):
  behavioral2/memory/3652-5-0x0000000004B30000-0x0000000004B31000-memory.dmp | dridex_stager_shellcode
- Executes dropped EXE 3 IoCs
Processes (pid process):
  4640 phoneactivate.exe
  1044 wextract.exe
  1120 WMPDMC.exe
- Loads dropped DLL 3 IoCs
Processes (pid process):
  4640 phoneactivate.exe
  1044 wextract.exe
  1120 WMPDMC.exe
- Adds Run key to start application 2 TTPs 1 IoCs
Processes (description | ioc | process):
  Set value (str) | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mbfbagbrjs = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\yUSLvNi\\wextract.exe" | (process column empty in the report)
- Checks whether UAC is enabled (signature title missing in the extracted report; matches the EnableLUA queries below and the per-process tags in the process tree)
Processes (description | ioc | process):
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | WMPDMC.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | phoneactivate.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | wextract.exe
- Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (pid process):
  4900 rundll32.exe (4 entries)
  3652 (process name not recorded in the report; the remaining 60 entries)
- Suspicious use of AdjustPrivilegeToken 12 IoCs
Processes (description | pid | process):
  Token: SeShutdownPrivilege | 3652 | (not recorded) (6 entries)
  Token: SeCreatePagefilePrivilege | 3652 | (not recorded) (6 entries)
- Suspicious use of FindShellTrayWindow 2 IoCs
Processes (pid process):
  3652 (2 entries, process name not recorded)
- Suspicious use of UnmapMainImage 1 IoCs
Processes (pid process):
  3652 (process name not recorded)
- Suspicious use of WriteProcessMemory 12 IoCs
Processes (description | pid | process | target process):
  PID 3652 wrote to memory of 4684 | 3652 | (not recorded) | phoneactivate.exe (2 entries)
  PID 3652 wrote to memory of 4640 | 3652 | (not recorded) | phoneactivate.exe (2 entries)
  PID 3652 wrote to memory of 3440 | 3652 | (not recorded) | wextract.exe (2 entries)
  PID 3652 wrote to memory of 1044 | 3652 | (not recorded) | wextract.exe (2 entries)
  PID 3652 wrote to memory of 4372 | 3652 | (not recorded) | WMPDMC.exe (2 entries)
  PID 3652 wrote to memory of 1120 | 3652 | (not recorded) | WMPDMC.exe (2 entries)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\75f65720fe58821d96cea7f4f1f6f530.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID: 4900
- C:\Windows\system32\phoneactivate.exe
  Command line: C:\Windows\system32\phoneactivate.exe
  PID: 4684
- C:\Windows\system32\wextract.exe
  Command line: C:\Windows\system32\wextract.exe
  PID: 3440
- C:\Users\Admin\AppData\Local\Txq\WMPDMC.exe
  Command line: C:\Users\Admin\AppData\Local\Txq\WMPDMC.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 1120
- C:\Windows\system32\WMPDMC.exe
  Command line: C:\Windows\system32\WMPDMC.exe
  PID: 4372
- C:\Users\Admin\AppData\Local\GEsNSdan2\wextract.exe
  Command line: C:\Users\Admin\AppData\Local\GEsNSdan2\wextract.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 1044
- C:\Users\Admin\AppData\Local\CDXq33\phoneactivate.exe
  Command line: C:\Users\Admin\AppData\Local\CDXq33\phoneactivate.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 4640
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 52KB
  MD5: e2422f9100ea03d12fdd5906c93483d9
  SHA1: 628e8de4f4f60d360b9e87a7dbdb767265d13d71
  SHA256: d253a1e3c0cfa9919909e1bbb293bf94be6069f48ead2140afcccdea9143747e
  SHA512: 9de459b32638261056551e917c950012f1baf08aa967caf27b8d32f2d76e9aa9f9947103515b434f361073b3d5dcc2801a6cd1886cf37e85f2f6df0884a0a08a
- Filesize: 13KB
  MD5: f2c7c736a4837f8a0efc5491de91c3dc
  SHA1: d54475c6e808106738a618d72f68ef258735cf57
  SHA256: e95ed93d0280ac44d818501425932cbb365750830309f738a7a67652a779bf98
  SHA512: 28e872653ce4c0c7b77a8137f295a80f6d14504427219d525a186a50f80bff4aa93221c1249a4ce099874bab651ab0745ebbd3795aaad9149046b68ab667c125
- Filesize: 54KB
  MD5: 7ad504dc7701ee129aa1e33043183a20
  SHA1: b6d8727b288459b97a0aeeea86efc21be2539698
  SHA256: 57918dfb236e21c0fd016467932976dbcdcf73947740ec6a017c635e93a61478
  SHA512: 9628ad1c5ef799e5f3eaa766b794bff12aed0e4af98cdc2aec0c5419a4844b9c0a44326594655cbb7e8f560db9b3b2ac6eb5d02e1c654337a55ec52b371e9cd8
- Filesize: 107KB
  MD5: 32c31f06e0b68f349f68afdd08e45f3d
  SHA1: e4b642f887e2c1d76b6b4777ade91e3cb3b9e27c
  SHA256: cea83eb34233fed5ebeef8745c7c581a8adbefbcfc0e30e2d30a81000c821017
  SHA512: fe61764b471465b164c9c2202ed349605117d57ceb0eca75acf8bda44e8744c115767ee0caed0b7feb70ba37b477d00805b3fdf0d0fa879dd4c8e3c1dc1c0d26
- Filesize: 84KB
  MD5: 34ee9012b1540335fcb296f0df6c5e51
  SHA1: 429a90e55c707f98eb0f44f6fea8100d93f75300
  SHA256: 9a0499a7249516f19bdf7c77b24af55f68c1bf90fef9ab2aecf0c28465a628ff
  SHA512: bf348923f605794415a394ea07da596b1057f53e290edec41b0ad3e279e13e2af456a0ef9acf2c6ec4814042092fef29b95f2fd10561468072b2b86940661784
- Filesize: 68KB
  MD5: 09e72bb11bfa628ce933b1594fe350a1
  SHA1: dec397a57c51faf2dde475091013e83f7195c411
  SHA256: 047eebac18b182e01bb4c3d03956a0df7d1fee7281d8685d36eb7e5b223ac1d2
  SHA512: b14bc3c8c06d3ccd2bd98251b5f849c97e0ec2a811f44d00a8153a0ee86f1e73feb4540acf631e413970fc31ca13ab26a87eafe5971fa5027a27f3796c7cab41
- Filesize: 143KB
  MD5: 56e501e3e49cfde55eb1caabe6913e45
  SHA1: ab2399cbf17dbee7b302bea49e40d4cee7caea76
  SHA256: fbb6dc62abeeb222b49a63f43dc6eea96f3d7e9a8da55381c15d57a5d099f3e0
  SHA512: 2b536e86cbd8ab026529ba2c72c0fda97e9b6f0bc4fd96777024155852670cb41d17937cde372a44cdbad3e53b8cd3ef1a4a3ee9b34dfb3c2069822095f7a172
- Filesize: 107KB
  MD5: 49bb0cbe45cdaa3f10a444164c991403
  SHA1: 44a8a0c1ac9e300fde4360859adb41309d1a9f2c
  SHA256: 9fda567a529cae072f1759ad570a048f3d837426f52fd29f15c700c0405384cd
  SHA512: fe758a62875c52a862f4b6d82c1794502a587f531b7a4e57464ee13336ca3761d1754b921af65702444d70fc0c9a668019cb60bff079894fd9aba8b310db7b77
- Filesize: 88KB
  MD5: 2b6457c9685bf3a1b3a6e2b1db6ec18f
  SHA1: c56be9acf87ed424e1393e401765d502564d5acc
  SHA256: bee63d44f7177d63203dca2e09f6fb88887f551a3e328a77f9caeb06c0158d0e
  SHA512: 17ddf9bcb8789fc2462c5a3fe287846602cff7944a084e6a31f2dfcc9fbcbddbb62e2dd528383f5f6e97cd03b736aaadef46a84c5dfab3cb74108ade76c80d5e
- Filesize: 87KB
  MD5: 2c4519a48e4829d2ba784e8855707ade
  SHA1: b86938d7a3e698a219b6af02097f1a954b8569cc
  SHA256: 385b79f361105d8a2ab16a3f5c6cc7567e8986afe7760eb6c4b54813845ec98a
  SHA512: 0b4ea483824a79dcab9cf6a15f56db2b334a1e34b1ffb7ad0f937c5b7a6b97fac9a9e2bdb178c72e289f998822a26106b11a14157c039af3d905884d8a75f682
- Filesize: 63KB
  MD5: 51876ebf9f1939c3a72d31088522bb39
  SHA1: fdceb970cc5e274832ad8322389e31ed2ceb79fd
  SHA256: 7eb113dca728acc8291722f4c706999e05dc089b27e75e94d1a8a2b98047e9d3
  SHA512: 28383fa3f04d00fd13c6c166fea4371d8219ae81cefc234e669b3660ecb63af6671bf4e21aea3517cbbdccbbd500ac1c29afc79c4dca0db94872c9a27187c9d4
- Filesize: 99KB
  MD5: 32cf9b369779ff090acd86648e81ccb4
  SHA1: 205fce7e77505fe44ffddec4c7668f7f852fcbd9
  SHA256: c803f4abfea92b07bc078dff1b8039c72ae5245d5e22d8a547d8e025090d319f
  SHA512: d0bc6efe840162153b69222bf8b35dfde2fc0a86799f58d65264311548c62a930dcba60b473e2d773176cb206aad778bedf413d0f472a29d7713957412d212f0
- Filesize: 1KB
  MD5: c3262b8cc19249b9acb932c1235f9917
  SHA1: b37c2e50c865d3c193eee7366dc37b6d9ac5ae25
  SHA256: ff8e4c81bbc532cef2f2c940b19906c5e2338288766029fb3c4345f456d60d9e
  SHA512: eb7a6638b440ec695a1efb08d74b75972dcb4f8139ca203d004d22a76fc79739fa09173fd25f45c53b9daa9bb379c328b9fa6362bf61e7c1e46c57227925da63
- Filesize: 24KB
  MD5: 765d6d164086e191f416f006271d6ccf
  SHA1: c0a76e61189f94b6d053f5e1ced726e4fdcc6e79
  SHA256: a0c583eb13d44e8675d4fbe1fd8d8aaf1a0cfe189012407c6a7161dc2b618b70
  SHA512: 45baf874bd4ce3077e5274c0959d6b96dddb10ebb7e66d505f08ed301f026a33ce285be9ad4967fa3ebc7b5dc85aac0efc734934c17e0cbf9519b4800481983b
- Filesize: 149KB
  MD5: ec6b20bbc60f060622d287f7cece84c2
  SHA1: 1abfcd185f4430538da1d034bf0bf10adfb54b59
  SHA256: b6004765d5ad36e46f44a2134e216faac1c8fb5409be06b0f2aa8b7d98d7b49f
  SHA512: f1b17e03265c9fda1475d92307974b77dbd8a3cc84456650f12a034a685d11e2ab40a76fe18f5d206a1d95ac7fd215a061b5f98b2045a23b88f7e780552464c6
- Filesize: 1KB
  MD5: e80189df97f304af3e8f878c0f9950c4
  SHA1: f668ff7538d8a3a18a3ce63a1de04c21efd1f3d6
  SHA256: 0a63c6b7620c900dec2f6526d91945852b1a95dd710cf7579768f00b75da4280
  SHA512: 8b10de32cdf1b4517948d9301a8116761de833f41bf91935bd95677f89bf6cd6ca0b38cf9718bdc47c7955acabbb1ffff4d643baf7f95c4ace8ef3b6e17759b5