Analysis
Max time kernel: 149s
Max time network: 123s
Platform: windows10-2004_x64
Resource: win10v2004-20231215-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 26-01-2024 06:47
Static task: static1
Behavioral task: behavioral1
  Sample: 76ab58fddc3a0bfc0befb9c1840e58c0.dll
  Resource: win7-20231215-en
General
Target: 76ab58fddc3a0bfc0befb9c1840e58c0.dll
Size: 2.0MB
MD5: 76ab58fddc3a0bfc0befb9c1840e58c0
SHA1: af815a39e30a201a65f0669e7b957072e57939de
SHA256: 1476d58e91f48e2f1a549b08316ea6a465b85edd954d01b4d33a8c86ac56898e
SHA512: c14eec86c7ac0a9a869b559e7078326cf11961d9252f2075acc55263494e2ae1c0263f491fc018f8c8482023904a9656806f3bb71aeb682faffb09321f0e971c
SSDEEP: 12288:2VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:rfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
Processes:
  resource:  behavioral2/memory/3600-4-0x0000000003070000-0x0000000003071000-memory.dmp
  yara_rule: dridex_stager_shellcode
Executes dropped EXE 3 IoCs
Processes:
  pid   process
  4276  Magnify.exe
  1088  sdclt.exe
  2708  msinfo32.exe
Loads dropped DLL 3 IoCs
Processes:
  pid   process
  4276  Magnify.exe
  1088  sdclt.exe
  2708  msinfo32.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Hwtkseldaftjsj = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\QUICKL~1\\YoSD0KT\\sdclt.exe"
Checks whether UAC is enabled
Processes:
  description        ioc                                                                               process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  sdclt.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  msinfo32.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  Magnify.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
  pid   process
  1568  rundll32.exe  (4 entries)
  3600  (no image name recorded; all remaining entries)
Suspicious use of AdjustPrivilegeToken 12 IoCs
Processes:
  description                       pid
  Token: SeShutdownPrivilege        3600  (6 entries)
  Token: SeCreatePagefilePrivilege  3600  (6 entries)
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
  pid 3600  (2 entries)
Suspicious use of UnmapMainImage 1 IoCs
Processes:
  pid 3600
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
  description                       pid   target process
  PID 3600 wrote to memory of 4196  3600  Magnify.exe   (2 entries)
  PID 3600 wrote to memory of 4276  3600  Magnify.exe   (2 entries)
  PID 3600 wrote to memory of 4868  3600  sdclt.exe     (2 entries)
  PID 3600 wrote to memory of 1088  3600  sdclt.exe     (2 entries)
  PID 3600 wrote to memory of 2828  3600  msinfo32.exe  (2 entries)
  PID 3600 wrote to memory of 2708  3600  msinfo32.exe  (2 entries)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\76ab58fddc3a0bfc0befb9c1840e58c0.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID: 1568

C:\Windows\system32\Magnify.exe
  Command line: C:\Windows\system32\Magnify.exe
  PID: 4196

C:\Users\Admin\AppData\Local\ZJE\Magnify.exe
  Command line: C:\Users\Admin\AppData\Local\ZJE\Magnify.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 4276

C:\Users\Admin\AppData\Local\vs1F3kfd\sdclt.exe
  Command line: C:\Users\Admin\AppData\Local\vs1F3kfd\sdclt.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 1088

C:\Windows\system32\sdclt.exe
  Command line: C:\Windows\system32\sdclt.exe
  PID: 4868

C:\Users\Admin\AppData\Local\rYGJ\msinfo32.exe
  Command line: C:\Users\Admin\AppData\Local\rYGJ\msinfo32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 2708

C:\Windows\system32\msinfo32.exe
  Command line: C:\Windows\system32\msinfo32.exe
  PID: 2828
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 149KB
MD5: 915851f133bd9c0e431e73b1cbd21550
SHA1: 24c0cf0aecbf709ec0a178006ebd05ed560f582f
SHA256: 07f5b6960262f063136e017384557643df57e073d7d8c7bdb812af09da64140c
SHA512: ee67b1913ec5d92316b0106be2b089d34797af158c7266fb6205885438c79e390e9f269152ccf31a26d375f4bbc52f9e26224bd8090c47fbac2af5931f498e8a

Filesize: 168KB
MD5: 2287a38a76fdaa3ccb60ade49f67d862
SHA1: f85f513abd19d9b4569cb54c6767ec03a1d0d0d1
SHA256: 47fbd9ec6608008ae27e3f50e7e46f6ead13416bd80ac02278cf0ebeae3fdf8a
SHA512: 93fb74f26f220b2a487736ccabef3836cb9fcf234ab8c841dae41788a497c562939d5813fe1b12d05b6cc24d51d7195b2314ff4b1b3558dabc4a1e290e244335

Filesize: 149KB
MD5: 95beb85ebb3d9feecfc5fd2e0eed5884
SHA1: 454a35c9d1e44f53d3e16eadbfacc055adecd697
SHA256: 4770f8c5b23b07bf72b7944da99731922b28ad3ed08a2b2a98515d091c0ae019
SHA512: bb5624f85f367af7b328bc89dbdf7c3bf835e975a3cc45fcbceca1f229d2029df2a9fd1b1496b841ecba71cbbcce9cd5d498b3cde33d822679ea7c69ef7ede11

Filesize: 81KB
MD5: be301255ab82f72a9acc9b65fe784ab6
SHA1: db0ebba36a4685b08542eb201926f52ac5fb112a
SHA256: dfc7b330c65ec66cfc9413eff06ac5bd7fd0ef7d88e76a3e9882b22af1dabd32
SHA512: f77e1c407963725ca8b2a611fb4ca73b44d30b765e6eec450d2bd1d8cdba0c6dc6aca57377e0df7740256588a52d4ee80a075dee666089a5f21beca25d1b5c89

Filesize: 61KB
MD5: b913937015b92cbde1ad3b0471a76b28
SHA1: 33272e40934a81e62d5a9813633042ff1fd731b6
SHA256: 5c88d69b72e77eca7fcb7b77c896d5c2880737147f2880b58b5f153c3e29760f
SHA512: f7b8ef56e64c95d526264f6499b42c9081a60ee0019794471d8d9f31436729f921a1e64746f022ac4de7730e161bbc123f13c2eca333277e8bd5d6e3a6d20572

Filesize: 56KB
MD5: ee7c92dbb5f2c94e227637dec29c4f0a
SHA1: 2de6d2c2b6c3f0bb6779a7b60b20fe6da8a119a5
SHA256: e034865d69650c30f02c0054b594207d35ff72358ac479503d08aa829f505e74
SHA512: b7d484994f7cc42e7f01c7c92b4cca154a0ba049298b17cd5e644e18a16f52758ad22c548df6aeaf6a2fbd59af490f85688080677d0499f8ecdf9ea387803aca

Filesize: 346KB
MD5: 54501828e12542a579b8b18e238401f8
SHA1: e09586b324df680ba85ac31fc757556df8b5555e
SHA256: 0a8864c458a49fa0c01c3c257726ddd30182ceaed7a1714884213922975f49bb
SHA512: 39f36ddf4481255f4bfee933e2cd748e7245a487e688ff36877b8ddb01c635be827f2a280f78392ffd842428cf342be725cb1481a2cf06a4ef087813c99250b3

Filesize: 103KB
MD5: 35196c56a058582ccad07a996ed9b024
SHA1: abd05efff5c91a1c6fbd7476c9a1f57322486f60
SHA256: 9d7111bb2c827c08535978d480d115939a78ca19c4a804c887b37c349a41cbc2
SHA512: 560f44495b84136d873836eb47ce30d2f989f7294680a2f0ada77f202354efd4a503429ec583c1e20a47e4a57f1cd5030b3f81bc57ae29cb84026980f4916b03

Filesize: 140KB
MD5: 5994182c37adc884cccbc50f16e5bcd2
SHA1: 653452f3bfc779492258e1f763d56a855ef66e9f
SHA256: 76bb5136a60f8b38417ef1b59f9d21904c3bbdc2d1dc6bdd40acb6553ee50772
SHA512: cfa2a2b283964b2a2f8676cf8c2bb2b58800ce7644e8cf2273c841baccdb4d91cab3ef99ebf7c8da40a2cba4c89570ddb0b7cd4b4141145ad101aa825d60a7d5

Filesize: 133KB
MD5: 46f63a256874f0851cb07386ce5c43e2
SHA1: 1dc73fa9e6771df0ac20ff10e3e64a3abd369dd7
SHA256: a55e6266f8477403232f160134ea9d399b93b9da17e4582e1ccf83d2c6eef113
SHA512: bf53443044ddaf6491472120799963925a87d31e92b6a0c53892953e9ab40ed0f1522356d631abd4556ab16f14ed88fb59876721f22e911bccea77bd2858a438

Filesize: 149KB
MD5: dfa53879ba72970e4d284b6d5f8a50e1
SHA1: 81d25825f1fc03052ca177cce6f9da5a307c0405
SHA256: d044b2b516a51f1288e4ff126831b5072c0e5413bfc59d85de5c0e3f8f7f1eb7
SHA512: 65b0d99f69c16112e6611d69d88ed65998c3c5d58b262221bf0a46ee7e74bbdb3149a6f43daa865acccd89bd6f54b5d505f532cbeea55f620758683aea43fc72

Filesize: 1KB
MD5: 6909f4fe13b480ed47992f0309f9ccb7
SHA1: f0d4cedc0ef187449bcd071b71bc04e0841c7319
SHA256: 0fde514a5ec438f487a507930265f48d171749f2d6b73eda03fc0adab6b55e20
SHA512: 38a1eeece6f63b4a8b1abad3ee3bc7c4f3905bf61a17abff3fe268d2ba466685fc529ca7c399dac76bb242e41042ae735c3e5a42ba7c309d5a325fbb9acc1f7b

Filesize: 2.0MB
MD5: 6f36a8cb34f492831b93691b1ade1ab6
SHA1: df71e34d69f116d16b626542a0239474568aa05d
SHA256: 5e37e9525728379d5987677e8cf73091d43ec9f8538c95512bbe0f7598893824
SHA512: a00d71b8163ecc9e40c2bf9ba3f05cb51dc3f614510390427f4dcc4e4a44e3a627ceb0ddf63af74d98d06aaed6230a210c8d3c692da4461ce9cf1ba490dd5ed7

Filesize: 2.0MB
MD5: 567f432979d582531f403ca45bd5f6f3
SHA1: b8568ca8bba311fff33aa90f636800e44eb5e14c
SHA256: cbd61e6a2b6a2815d38e7f48e7f97012215ac10509657ad6c30752e1c24397fd
SHA512: 741362cffd484a51864e12bb1a51b4e33de6af649f580ac11f250cfb215f5339346bd47b2db0497ad59208c7c98a2f8980a289de69e843fa7fa82cc4d154d3bb

Filesize: 2.0MB
MD5: 0b1e6a95de1b74c3c47c54ef2efc10e1
SHA1: f72e212a29b2fd16c0bf3ee52266d43f19b5599c
SHA256: 20a3e395b16491cc0bc177f786144edf93a991c5415d08d1c4aa8d17ea96644a
SHA512: 54e4b5e432b35809b7f69364e316d0c61b88ff76c06c92da996b91ecabe4a6dd46609117c38981aafc1984284fbba16ea1cce5180b19c6b0603c3ca56444c97b