Analysis

- max time kernel: 150s
- max time network: 147s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26-01-2024 05:13
Static task: static1

Behavioral task: behavioral1
- Sample: 76793acc5d4fbc8010e234153b47c147.dll
- Resource: win7-20231215-en

Note: the memory-dump match and the process data below are recorded against behavioral2 (the win10v2004-20231215-en run named in the analysis header); that task's own entry is not present in this extract.
General

- Target: 76793acc5d4fbc8010e234153b47c147.dll
- Size: 2.9MB
- MD5: 76793acc5d4fbc8010e234153b47c147
- SHA1: 4b78ec6bf864956998aba727320eb629d82e15d9
- SHA256: 51148fdd8214cd04462c3c1e06dea7736dcbc85cacf0e7ed50a028df5812136c
- SHA512: b7e5911d471a4f1a8cb882c0d1fbd07c1cfdc0368716d0ddc25872012018bed4fe574bf65543ea4196fd68c4c205b896a11375c1a38cef784fd792541579d885
- SSDEEP: 12288:SVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:PfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
YARA rule match: dridex_stager_shellcode 1 IoCs
- resource: behavioral2/memory/3540-4-0x0000000008740000-0x0000000008741000-memory.dmp
  yara_rule: dridex_stager_shellcode

The match is on a 4 KiB region dumped from PID 3540, a process that has no name in this report and does not appear in the process tree below; it is also the source of every WriteProcessMemory entry recorded later.
Executes dropped EXE 3 IoCs
- PID 2052 SystemPropertiesAdvanced.exe
- PID 2348 printfilterpipelinesvc.exe
- PID 1728 bdeunlock.exe
Loads dropped DLL 5 IoCs
- PID 2052 SystemPropertiesAdvanced.exe (1 load)
- PID 2348 printfilterpipelinesvc.exe (3 loads)
- PID 1728 bdeunlock.exe (1 load)
Adds Run key to start application 2 TTPs 1 IoCs
- Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Kqgfxymewp = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\ACCESS~1\\LZXIZL~1\\PRINTF~1.EXE"
  process: (not recorded)

The value is written with 8.3 short names. Reading it against the dropped-file path in the Downloads section, it most likely expands to C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\lzXIzLxPEi\printfilterpipelinesvc.exe, i.e. a copy of the same signed Windows binary that was executed from AppData\Local\nNMrQGskp, placed in the directory where XmlLite.dll was dropped. Only the lzXIzLxPEi\XmlLite.dll path is confirmed by the report; the expansion of the other components is an inference from the short names.
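Added example, not part of the sandbox report: a PowerShell triage script for the persistence mechanism recorded above. It enumerates the current user's Run and RunOnce values, flags any value that uses 8.3 short names (the `~1` components in Kqgfxymewp) or resolves into the user profile, checks the Authenticode status of the target and lists the DLLs sitting beside it. The last step matters here because the target is a copy of a signed Windows binary, so a signature check alone would pass; the dropped DLL next to it is what to look at. The directory list and the heuristics are my own choices; the report supplies only the single registry value.

```powershell
# Added example (not from the report). Requires Windows PowerShell 5.1 or later,
# run in the context of the user whose hive is being checked.
$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
# User-writable roots the sample writes into (assumption: these two are enough for this pattern).
$UserWritable = @($env:LOCALAPPDATA, $env:APPDATA)

function Resolve-RunTarget {
    param([string]$Value)
    # Strip surrounding quotes and any arguments after the executable name.
    $clean = $Value.Trim('"')
    if ($clean -match '^(.+?\.exe)') { $clean = $Matches[1] }
    # Get-Item returns the long form of a path written with 8.3 names (MICROS~1, STARTM~1 ...),
    # but only when the path exists; otherwise keep the raw string.
    try { return (Get-Item -LiteralPath $clean -ErrorAction Stop).FullName }
    catch { return $clean }
}

function Get-SuspiciousRunValues {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # provider metadata, not registry values
            $target   = Resolve-RunTarget -Value ([string]$p.Value)
            $isShort  = ([string]$p.Value) -match '~\d'   # legitimate installers rarely write 8.3 names
            $inUser   = $UserWritable | Where-Object { $_ -and $target.StartsWith($_, 'OrdinalIgnoreCase') }
            if (-not ($isShort -or $inUser)) { continue }

            $exists = Test-Path -LiteralPath $target
            $sig = if ($exists) { (Get-AuthenticodeSignature -FilePath $target).Status } else { 'missing' }
            # DLLs in the same directory: the side-loaded payload lives here, not in the EXE.
            $neighbors = ''
            if ($exists) {
                $neighbors = (Get-ChildItem -Path (Split-Path -Parent $target) -Filter *.dll -File -ErrorAction SilentlyContinue |
                    ForEach-Object { '{0} [{1}]' -f $_.Name, (Get-AuthenticodeSignature -FilePath $_.FullName).Status }) -join '; '
            }
            [pscustomobject]@{
                Key        = $key
                Name       = $p.Name
                RawValue   = $p.Value
                Target     = $target
                ShortNames = [bool]$isShort
                Signature  = $sig
                SideDlls   = $neighbors
            }
        }
    }
}

Get-SuspiciousRunValues | Format-List
```

On an infected host the Kqgfxymewp entry would show `ShortNames = True`, a `Signature` of Valid (the EXE is Microsoft's own), and an unsigned or oddly signed DLL under `SideDlls`; that combination, not the signature status by itself, is the indicator.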
Checks whether UAC is enabled 4 IoCs
- Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA by rundll32.exe
- Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA by SystemPropertiesAdvanced.exe
- Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA by printfilterpipelinesvc.exe
- Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA by bdeunlock.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
- PID 5088 rundll32.exe (4 entries)
- PID 3540, no process name recorded (remaining 60 entries)
Suspicious use of AdjustPrivilegeToken 4 IoCs
- Token: SeShutdownPrivilege, PID 3540
- Token: SeCreatePagefilePrivilege, PID 3540
- Token: SeShutdownPrivilege, PID 3540
- Token: SeCreatePagefilePrivilege, PID 3540
Suspicious use of FindShellTrayWindow 2 IoCs
- PID 3540 (2 entries)

Suspicious use of UnmapMainImage 1 IoCs
- PID 3540
Suspicious use of WriteProcessMemory 12 IoCs
Each write is recorded twice; the six distinct entries are:
- PID 3540 wrote to memory of 1004 (SystemPropertiesAdvanced.exe, the System32 copy)
- PID 3540 wrote to memory of 2052 (SystemPropertiesAdvanced.exe, the AppData\Local\tlgeDC63 copy)
- PID 3540 wrote to memory of 224 (printfilterpipelinesvc.exe, the System32 copy)
- PID 3540 wrote to memory of 2348 (printfilterpipelinesvc.exe, the AppData\Local\nNMrQGskp copy)
- PID 3540 wrote to memory of 1628 (bdeunlock.exe, the System32 copy)
- PID 3540 wrote to memory of 1728 (bdeunlock.exe, the AppData\Local\uLG copy)

PID 3540 is the single source of all writes and the process whose memory region matched dridex_stager_shellcode, yet it is absent from the process tree; the report does not name it.
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

All seven processes are recorded at depth 1 of the tree (no parent/child relationship is shown). Each of the three Windows binaries is started once from its real System32 path and once as a copy in a randomly named directory under C:\Users\Admin\AppData\Local\; only the copies are flagged for executing a dropped EXE and loading a dropped DLL.

- C:\Windows\system32\rundll32.exe (PID 5088)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\76793acc5d4fbc8010e234153b47c147.dll,#1
  (the ",#1" suffix tells rundll32 to call export ordinal 1 of the sample)
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses

- C:\Windows\system32\SystemPropertiesAdvanced.exe (PID 1004)
  Command line: C:\Windows\system32\SystemPropertiesAdvanced.exe

- C:\Users\Admin\AppData\Local\tlgeDC63\SystemPropertiesAdvanced.exe (PID 2052)
  Command line: C:\Users\Admin\AppData\Local\tlgeDC63\SystemPropertiesAdvanced.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled

- C:\Windows\system32\printfilterpipelinesvc.exe (PID 224)
  Command line: C:\Windows\system32\printfilterpipelinesvc.exe

- C:\Users\Admin\AppData\Local\nNMrQGskp\printfilterpipelinesvc.exe (PID 2348)
  Command line: C:\Users\Admin\AppData\Local\nNMrQGskp\printfilterpipelinesvc.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled

- C:\Windows\system32\bdeunlock.exe (PID 1628)
  Command line: C:\Windows\system32\bdeunlock.exe

- C:\Users\Admin\AppData\Local\uLG\bdeunlock.exe (PID 1728)
  Command line: C:\Users\Admin\AppData\Local\uLG\bdeunlock.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
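Added example, not from the report or the sandbox vendor: a PowerShell hunt for the relocation pattern in the process tree above on a live host. For each of the three binary names seen in the tree it finds copies under the user profile, compares their SHA256 with the genuine System32 file (a byte-identical copy means the EXE itself is clean and the payload is beside it), and lists every DLL in the copy's directory with its Authenticode status. The three names are taken from the tree; the roots searched, the hash comparison and the signature check are my own choices. In this run the only dropped DLL whose path is recorded is XmlLite.dll (Downloads section), so that is the expected neighbour, but the script reports whatever DLLs are present rather than assuming the name.

```powershell
# Added example (not from the report). Windows PowerShell 5.1 or later.
# Names of the signed Windows binaries the sample copies out of System32 (from the process tree).
$Decoys = 'SystemPropertiesAdvanced.exe', 'printfilterpipelinesvc.exe', 'bdeunlock.exe'
# Assumption: copies land somewhere under the user profile, as in this run (AppData\Local and the Start Menu).
$Roots = @($env:LOCALAPPDATA, $env:APPDATA) | Where-Object { $_ }

# SHA256 of the genuine files, so a relocated copy can be told apart from a tampered one.
$Genuine = @{}
foreach ($name in $Decoys) {
    $orig = Join-Path $env:SystemRoot "System32\$name"
    if (Test-Path -LiteralPath $orig) {
        $Genuine[$name] = (Get-FileHash -Algorithm SHA256 -LiteralPath $orig).Hash
    }
}

function Find-RelocatedDecoys {
    Get-ChildItem -Path $Roots -Recurse -File -Include $Decoys -ErrorAction SilentlyContinue |
        ForEach-Object {
            $copy = $_
            $copyHash = (Get-FileHash -Algorithm SHA256 -LiteralPath $copy.FullName).Hash
            # The side-loaded DLL is the file to pull for analysis; the EXE is usually Microsoft's.
            $dlls = Get-ChildItem -LiteralPath $copy.DirectoryName -Filter *.dll -File -ErrorAction SilentlyContinue |
                ForEach-Object {
                    '{0} [{1}, {2}]' -f $_.Name,
                        (Get-AuthenticodeSignature -FilePath $_.FullName).Status,
                        (Get-FileHash -Algorithm SHA256 -LiteralPath $_.FullName).Hash
                }
            [pscustomobject]@{
                Copy            = $copy.FullName
                IdenticalToSys32 = ($Genuine[$copy.Name] -eq $copyHash)
                CopySignature   = (Get-AuthenticodeSignature -FilePath $copy.FullName).Status
                SideDlls        = ($dlls -join '; ')
                Created         = $copy.CreationTimeUtc
            }
        }
}

Find-RelocatedDecoys | Format-List
```

A hit where `IdenticalToSys32` is True, `CopySignature` is Valid, and `SideDlls` names a DLL that does not ship in that directory (XmlLite.dll here) is the DLL side-loading signature this report shows; the DLL hash from `SideDlls` can then be compared against the Downloads list below.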
Network
MITRE ATT&CK Enterprise v15
Downloads

Dropped files. Only the XmlLite.dll entry carries a path in this extract; the other entries are listed by hash alone.

- Filesize: 93KB
  MD5: ed4aaeb37f1d477538ebfe5309cc1bdb
  SHA1: 07cf8d4ce5c549ac0a575394ab78068a668a1b7d
  SHA256: 716b0a044fd914f992936944394e1ecd2e3dc167559358f4973b2ac93c057781
  SHA512: b1d180fa0ac15bdb0395eea4fbef1d6cea6f7c9cfd5daabc8fdbcb6fee5f09b815227c7ddb7cac16b18823c8ea93f75a4da44a87d7cd2d2b9f3685416b0dd78d

- Filesize: 57KB
  MD5: cb9ab12e4567f0b1784fd441248b1fd6
  SHA1: 1bee91b559a3fa57fa48347142cbf54473779c99
  SHA256: 362894302e95a54271c7fb05d73d4617f4e9ddde1cae90fe140928be2e7f4b10
  SHA512: 989c0dde65eb30be4857f680f7b0b71222dc19d6f5a8516ea158d17db78061629b784b724d834a67abb5974486052653aa60580395b16a361364bb5e2eef7775

- Filesize: 24KB
  MD5: 144f51a1af5c41117ea79d195989574a
  SHA1: 28614c6d528b585b7eb479e95dc85df9cb967823
  SHA256: daa3cf6c34eeef0aa71f26346f8a7ee48cc92b4942155f691e497df95e341023
  SHA512: 82fcb9fde6ba493d6ca975839aa7605f3c568fbd5d3d1d961501e2f6afbe76b0532048647cd12f9b8e57ba4b7f1a1c4bbe28e8dcb715e3faf791e12b5a2d2bbf

- Filesize: 17KB
  MD5: 9db5c005f69e70cdabf121d7d66b2a65
  SHA1: b5eb0de62831a9270ace0b5c1836f593f9039a8e
  SHA256: d617da00f457ccc168193eef738fe6101cab94ab5e59f3c936bb373805bba354
  SHA512: bbe681f2e80355a3f75bb94f5ff416dd0a9aabb51b1184e1e119c0c465c90bdc5a2c4de978689bcebc4b3abbf0829051599b1b529083d000babdfe8755d90749

- Filesize: 5KB
  MD5: e831aa98e3d242f3f39aae4324a3e8ca
  SHA1: 279d6dc99e1612a16cb29efe420e89738741f418
  SHA256: 2cb7389275733145d5f21babc6548036aedeab6b572dd811af7efa47f39c686a
  SHA512: 3af8076e6d54fe5ee1450071a2658a3cf9fb6d2dc4fad237185a780db92ed09034dad90caa0a462fae7f8d46824a023a2a1c128f9c09277269c8ed1618f5f2b5

- Filesize: 49KB
  MD5: b27fe2847d7aec11eaa37b39fd59f48a
  SHA1: a27e5bef02fd327643034c66f78e86f40134c51e
  SHA256: 9837ca7c841c6dc0ceca8a2f15877327f9c40071a8783afe1e05a7f30bc1c44b
  SHA512: 95b565353f9b6f12903d89ae7fb68e7a39d43d0d16750ce1d807bb52f2130250916634c76307dc21d75a85d34da92802b3cae3eb0db740dac5e99720ba2fa75e

- Filesize: 47KB
  MD5: ecef734e5c803f2bdbc04100ecf7d187
  SHA1: 139d9da50692d3ecf3ca40ebc6bc4d17cdac3140
  SHA256: 48d45c8729b4a41e6cb7c307dfc5bb51138fa2837550ec1201a662e0772c7c9a
  SHA512: 4a9bf7b986bb4ec6b46b3f808ec7875f08d8bbc145e16bc8bbe9e72e36968d3ca1532c26df460704a70e7d495a1b7d2fe3cc6736a70aefa9ec4fe73ba492fe50

- Filesize: 44KB
  MD5: d3a6b64eece3b1d9c19f62c378753eef
  SHA1: a9314018d9415b6866afb512e8f06e31fd861a11
  SHA256: baae41684023bd330c3fa8f79b8c1413bdf7109370e0feb9b583e9c243a4301b
  SHA512: 39d7f4eb16322f02ab91e1c0edc9d71db23844b6b28a268249ca90ddb892e29959f960bd9bf6ce767730802fa14eca23815b09c78aba627f42c4d129f8efbdbb

- Filesize: 49KB
  MD5: d5727a90b4d438997974d785da8e0a3a
  SHA1: 574d2e20b1596a846a6849968856b255ff8ef4d9
  SHA256: db3f2a3d117e9eba69bf07780b313008d9129118559368daaef0ba3056f15273
  SHA512: af0dc3dcbc96ec77c632f166f83b2760634cc6d48428794b4b4b8a816f1ec84e21c7fba27366e015d14f6781855548a4e8e618d7afc90d548c7827669caa773d

- Filesize: 58KB
  MD5: e67a9f30b41780d4edd0ca7d4f030090
  SHA1: c4f21c0eb614e49ba1e1bc9143802932defcd659
  SHA256: 42d0c2833f23e10f645232aef679f0e79a2576a7f2d43c8406569cafd91bad85
  SHA512: 63d566ca25eb3d75c3e5b37c80c3d8648a3142f0a08b5c9ed51be9f924829617aa42aee1ed79bb3f21b2a64287706b00495209a491b41c624307a246c2f49b67

- Filesize: 158KB
  MD5: 3bfc227ea2ad39e7600c72e7de031911
  SHA1: a41adab3991c1937e0bbf1c8852a9e2e398b2672
  SHA256: 28b9bbd39f6403a823006644667f47b95a336a5ce7fd1e5f49e3d8986e56c3b9
  SHA512: 09dc7dcdeaa332b89ef19e399df79068f2c919d49a7196a78dabc90b22c40c638b0bab827782860f936b2325ab069f53bea9aa7491349bb3247ebeb3d7472d45

- Filesize: 66KB
  MD5: eca9c89256b066ecb428d4963284cddd
  SHA1: ba63fe0014bfb6a2ede543e866b6cd5ccee4091a
  SHA256: 34d7de7056612992d15e20614ae785a2aae080257a31476841068b63e48947b8
  SHA512: 203292acf050de65750da57baa627d2d15a6ac3bc7fc0064add11cd8619fabdf4a5e6e76e5f2a90560d4b09304f67c7bae917eb659df7c2ffa32955bb95bbea0

- Filesize: 72KB
  MD5: 61a41c59a8dd644dabfdba5cfa334929
  SHA1: 0b324b6e2e5e9e8d2b69fd47b26cb16ecad280f8
  SHA256: 231de3a14afe28f135e836704cb6cd4d0d2db2ced456b5c92247fad78331fc0f
  SHA512: 3e9795d426aaf8901b51f14abfb05eb78b610e3407ae590a8fa50f6a1b02fc3fb3d3987fedd08db1d5fbc27cdad066087151e0b1d6deed26355b94754618a096

- Filesize: 46KB
  MD5: 430a969eaf7fb883f5ab453798c22fe1
  SHA1: ec4a893a20ea50433e2fa3b81f58864894ec7ab5
  SHA256: 94969312da8ee28bc2bec1805f76ff5a04ed64e39440c785663c3d729129b1ae
  SHA512: 733456df25ecdb37226149c1231cfc9089aa3311d9deaab000d75d0f28bb4bdfc34ee3bbe18d273e0e21d3fa238f9b78cedd9d06bcff93e8691a32b2cbea9998

- Filesize: 1KB
  MD5: fe8b3d14d1adde97ef72313a94ed64f0
  SHA1: 9b1fd8a838a021c0b211dc0b5dd3059a62272d34
  SHA256: 670322299f6e038a61668930411e4237b92d0bd2dfd40c3e07561a7e1dd3f991
  SHA512: 6417e41d2095480abcefb51604fbd6376d0022078f64aefec0bb094e3733df2680b594ac35e707a379cb44e12affff38d4a80481c4710933cdc7d2b226059781

- Filesize: 77KB
  MD5: b522b7201b9f98a972df9d75fc6b6d84
  SHA1: c2da96b48415d7571465992ee7dcb3e9a575bb9f
  SHA256: 956e8bb1d95529f2b0ba2b2af0ee05410a502fc7743c6bfec210b1f35a11677f
  SHA512: 3b20c97c37805697b890fb3c790f4b28316decd693aa8c69d529d832b0c4c2c73bc6893bef52e98ab3cae1556caa462b69d5df5ab204e91a4ff18e273ac5f8b7

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\lzXIzLxPEi\XmlLite.dll
  Filesize: 92KB
  MD5: 0aba01ad921a6100a9d9ca7f7c332958
  SHA1: 08e74a9d3caf916e868c66db383c4dbaf3ddec13
  SHA256: 8dcf1743185e3bef420d937af31fa9ffa5e02ae2051753f5871a3e9754b04b16
  SHA512: 7341b88315662057a022e0d453e2dd4ba4dea9988380783b564dbd4d08932256f90984edc09ba2ca96f86280683b4dcd2eb999c251c385f27567333f1227bd39
  (the directory named in the Run key value; the file shares its name with the Windows XmlLite.dll shipped in System32, which is what makes it a candidate for side-loading by the copied binary)

- Filesize: 86KB
  MD5: 269c9e089e97b60c073c26bb14daabd7
  SHA1: 28b54c0bac1e54545198cbe809364c88ee34afd1
  SHA256: 69674e0d0fd7a75356fa0f5357cf509a96495e38f1dea29924b0850d809e69fc
  SHA512: e44765e76c76e97ed6e057abab2e71132dccdf0d0818f88201971615b670eb31971590567fc4d79306a2e1f19fa6b2b059fec39015a14d09f1b2871770527745