Analysis
- max time kernel: 151s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26-01-2024 06:57

Static task: static1
Behavioral task: behavioral1
Sample: 76afafbe9ec4d9c894720599f9812cee.dll
Resource: win7-20231215-en

General
- Target: 76afafbe9ec4d9c894720599f9812cee.dll
- Size: 2.0MB
- MD5: 76afafbe9ec4d9c894720599f9812cee
- SHA1: 3258bddf1f2dafc5b70b134ccddeab342a32fafc
- SHA256: 44e96f3c81f9089ec61e412623a4f0b474893a9f84acef4e32b318f1d2bbc15e
- SHA512: 52f4944a4be7ede4951aa3b29ffb160e62832d62c3cb446bf68c43faaa9e8d06d0a3df44a9301d2d382c08931f8e57409493f507f3fe93d738e865527344d613
- SSDEEP: 12288:cVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:pfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
- YARA rule match 1 IoCs
  resource: behavioral2/memory/3480-4-0x0000000002FA0000-0x0000000002FA1000-memory.dmp
  yara_rule: dridex_stager_shellcode
  The hit is on a memory dump of PID 3480, a process that carries no image name anywhere in this report (see the caveat under EnumeratesProcesses).
- Executes dropped EXE 3 IoCs
  pid   process
  5072  SndVol.exe
  2128  Taskmgr.exe
  5080  sppsvc.exe
- Loads dropped DLL 3 IoCs
  pid   process
  5072  SndVol.exe
  2128  Taskmgr.exe
  5080  sppsvc.exe
  The same three processes execute a dropped copy of a Windows binary and load a dropped DLL from it: the pattern of a legitimate, signed executable copied next to a malicious DLL so that the loader resolves the DLL from the copy's directory.
- Adds Run key to start application 2 TTPs 1 IoCs
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gdfgjdhwrlpouj = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\316QUO~1\\Taskmgr.exe"
  process: (not named in the report)
  The value is written in 8.3 short-name form: MICROS~1 is Microsoft and STARTM~1 is Start Menu, so the target is under %APPDATA%\Microsoft\Windows\Start Menu\; the long name of 316QUO~1 cannot be recovered from the report. A detection that string-matches the long path will miss this value. Note also that the persisted path is not the Taskmgr.exe copy that actually ran during the analysis (C:\Users\Admin\AppData\Local\3ez\Taskmgr.exe, PID 2128).
- Checks whether UAC is enabled 4 IoCs
  description: Key value queried
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  processes: Taskmgr.exe, sppsvc.exe, rundll32.exe, SndVol.exe
- Suspicious behavior: EnumeratesProcesses 64 IoCs
  pid   process       count
  3532  rundll32.exe  4
  3480  (not named)   60
  Caveat: PID 3480 appears in the YARA hit, the privilege adjustments, FindShellTrayWindow, UnmapMainImage and every WriteProcessMemory event below, but it has no image name in any signature and does not appear in the process tree. Treat it as the process hosting the stager rather than as one of the listed children.
- Suspicious use of AdjustPrivilegeToken 12 IoCs
  pid   token                        count
  3480  SeShutdownPrivilege          6
  3480  SeCreatePagefilePrivilege    6
  (the two privileges are enabled alternately, six times each)
- Suspicious use of FindShellTrayWindow 2 IoCs
  pid: 3480 (2 events)
- Suspicious use of UnmapMainImage 1 IoCs
  pid: 3480
- Suspicious use of WriteProcessMemory 10 IoCs
  source pid  target pid  target process  count
  3480        4784        SndVol.exe      2
  3480        5072        SndVol.exe      2
  3480        2168        Taskmgr.exe     2
  3480        2128        Taskmgr.exe     2
  3480        5080        sppsvc.exe      2
  PID 3480 writes into both the System32-launched instance (4784, 2168) and the dropped AppData copy (5072, 2128, 5080) of each binary; sppsvc.exe from System32 (PID 2036) is the one exception with no recorded write.
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
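The report records the Task Scheduler COM API signature but no task definition, so the following is an added example, not sandbox output: it parses task XML of the kind returned by `schtasks /Query /TN <name> /XML` or by the COM API's `IRegisteredTask.Xml` property, and flags any `<Exec>` action whose command or arguments resolve into a user-writable directory. The task XML embedded below is constructed for the example (paths and task name are hypothetical), not a task recovered from this sample.

```python
"""Flag scheduled-task actions that run from user-writable locations.

Input is Task Scheduler XML (schtasks /Query /XML or IRegisteredTask.Xml).
The sample document at the bottom is constructed for this example.
"""
import re
import xml.etree.ElementTree as ET

# Task Scheduler schema namespace used by every exported task definition.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Environment variables and literal prefixes that resolve into a location a
# standard user can write to. Matched case-insensitively; 8.3 short names of
# deeper components do not matter because the prefix up to AppData is enough.
USER_WRITABLE = re.compile(
    r"%(?:appdata|localappdata|temp|tmp|userprofile)%|c:\\users\\[^\\]+\\appdata\\",
    re.I,
)


def suspicious_task_actions(task_xml: str) -> list[dict]:
    """Return every <Exec> action whose Command or Arguments point into a
    user-writable directory.

    Arguments are inspected as well as the command: a launcher such as
    rundll32.exe lives in System32 and carries the real payload path as an
    argument, exactly like the rundll32 command line in this report."""
    root = ET.fromstring(task_xml)
    hits = []
    for exec_node in root.iterfind(".//t:Actions/t:Exec", NS):
        command = exec_node.findtext("t:Command", default="", namespaces=NS).strip()
        arguments = exec_node.findtext("t:Arguments", default="", namespaces=NS).strip()
        if USER_WRITABLE.search(command) or USER_WRITABLE.search(arguments):
            hits.append({"command": command, "arguments": arguments})
    return hits


# Constructed task definition (hypothetical paths, not from the sandbox run):
# one action runs a copied system binary from AppData, one hides the payload
# in rundll32 arguments, and one is a benign System32 action for contrast.
CONSTRUCTED_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Users\Admin\AppData\Local\example\Taskmgr.exe</Command>
    </Exec>
    <Exec>
      <Command>C:\Windows\System32\rundll32.exe</Command>
      <Arguments>%LOCALAPPDATA%\Temp\payload.dll,#1</Arguments>
    </Exec>
    <Exec>
      <Command>C:\Windows\System32\notepad.exe</Command>
    </Exec>
  </Actions>
</Task>"""


if __name__ == "__main__":
    for hit in suspicious_task_actions(CONSTRUCTED_TASK_XML):
        print(f"suspicious action: {hit['command']} {hit['arguments']}".rstrip())
```

On a live host, feed the function the XML of every task (for example the output of `schtasks /Query /XML /TN <name>` per task); the two AppData-backed actions in the constructed document are reported and the notepad.exe action is not.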
Processes
All seven entries are at tree depth 1; the report shows no parent for any of them, and PID 3480, the process that wrote into their memory, is not listed.
- C:\Windows\system32\rundll32.exe (PID 3532)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\76afafbe9ec4d9c894720599f9812cee.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\SndVol.exe (PID 4784)
  command line: C:\Windows\system32\SndVol.exe
- C:\Users\Admin\AppData\Local\kTVDvnN\SndVol.exe (PID 5072)
  command line: C:\Users\Admin\AppData\Local\kTVDvnN\SndVol.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\Taskmgr.exe (PID 2168)
  command line: C:\Windows\system32\Taskmgr.exe
- C:\Users\Admin\AppData\Local\3ez\Taskmgr.exe (PID 2128)
  command line: C:\Users\Admin\AppData\Local\3ez\Taskmgr.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\sppsvc.exe (PID 2036)
  command line: C:\Windows\system32\sppsvc.exe
- C:\Users\Admin\AppData\Local\vqhiCH42\sppsvc.exe (PID 5080)
  command line: C:\Users\Admin\AppData\Local\vqhiCH42\sppsvc.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
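The process tree and the Run key above give three host-independent detection opportunities: a Windows binary name (SndVol.exe, Taskmgr.exe, sppsvc.exe) executing from outside System32/SysWOW64, rundll32 calling a DLL export by ordinal from a user-writable path, and a Run value that points into AppData (here written with 8.3 short names). The following added example, not part of the report or of any sandbox's code, implements those three checks over Sysmon-style process-creation and registry-value-set events; the event dicts are constructed here from the report's own paths, PIDs and registry value, and the field names (`Image`, `CommandLine`, `TargetObject`, `Details`) are an assumed Sysmon-like layout.

```python
"""Detection logic for the behaviours in this report, run over constructed
Sysmon-style events (assumed field layout; not sandbox output)."""
import ntpath
import re
from dataclasses import dataclass

# Binary names the sample reuses for its dropped copies (from the process tree).
SYSTEM_BINARY_NAMES = {"sndvol.exe", "taskmgr.exe", "sppsvc.exe"}
# Directories where those names are legitimate.
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Any path under a user's AppData. Only the prefix is matched, so 8.3 short
# names in deeper components (MICROS~1, STARTM~1) do not defeat the check.
USER_WRITABLE = re.compile(r"c:\\users\\[^\\]+\\appdata\\", re.I)
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)
# rundll32 invoking an export by ordinal: "rundll32.exe <path>.dll,#1".
RUNDLL_ORDINAL = re.compile(r"rundll32(?:\.exe)?\s+(?P<dll>\S+\.dll),#\d+", re.I)
SHORT_NAME = re.compile(r"~\d")  # an 8.3 short-name component such as MICROS~1


@dataclass(frozen=True)
class Alert:
    rule: str
    detail: str


def check_process_create(event: dict) -> list[Alert]:
    """Masquerading system binary outside System32, or rundll32 ordinal call
    into a user-writable DLL path."""
    alerts = []
    image = event.get("Image", "")
    if (ntpath.basename(image).lower() in SYSTEM_BINARY_NAMES
            and not image.lower().startswith(TRUSTED_DIRS)):
        alerts.append(Alert("masquerading_system_binary", image))
    m = RUNDLL_ORDINAL.search(event.get("CommandLine", ""))
    if m and USER_WRITABLE.search(m.group("dll")):
        alerts.append(Alert("rundll32_ordinal_export_from_appdata", m.group("dll")))
    return alerts


def check_registry_set(event: dict) -> list[Alert]:
    """Run key whose value points into AppData; short-name paths are noted."""
    target = event.get("TargetObject", "")
    details = event.get("Details", "")
    if RUN_KEY.search(target) and USER_WRITABLE.search(details):
        note = " (8.3 short names in path)" if SHORT_NAME.search(details) else ""
        return [Alert("run_key_to_user_writable_path", f"{target} = {details}{note}")]
    return []


def scan(events: list[dict]) -> list[Alert]:
    alerts = []
    for ev in events:
        if ev["type"] == "ProcessCreate":
            alerts.extend(check_process_create(ev))
        elif ev["type"] == "RegistryValueSet":
            alerts.extend(check_registry_set(ev))
    return alerts


# Constructed events mirroring the report's process tree and Run key.
SAMPLE_EVENTS = [
    {"type": "ProcessCreate", "ProcessId": 3532, "Image": r"C:\Windows\system32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\76afafbe9ec4d9c894720599f9812cee.dll,#1"},
    {"type": "ProcessCreate", "ProcessId": 4784, "Image": r"C:\Windows\system32\SndVol.exe",
     "CommandLine": r"C:\Windows\system32\SndVol.exe"},
    {"type": "ProcessCreate", "ProcessId": 5072, "Image": r"C:\Users\Admin\AppData\Local\kTVDvnN\SndVol.exe",
     "CommandLine": r"C:\Users\Admin\AppData\Local\kTVDvnN\SndVol.exe"},
    {"type": "ProcessCreate", "ProcessId": 2128, "Image": r"C:\Users\Admin\AppData\Local\3ez\Taskmgr.exe",
     "CommandLine": r"C:\Users\Admin\AppData\Local\3ez\Taskmgr.exe"},
    {"type": "ProcessCreate", "ProcessId": 5080, "Image": r"C:\Users\Admin\AppData\Local\vqhiCH42\sppsvc.exe",
     "CommandLine": r"C:\Users\Admin\AppData\Local\vqhiCH42\sppsvc.exe"},
    {"type": "RegistryValueSet",
     "TargetObject": r"HKU\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gdfgjdhwrlpouj",
     "Details": r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\316QUO~1\Taskmgr.exe"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"[{alert.rule}] {alert.detail}")
```

Run against the constructed events, the scan raises five alerts: one for the rundll32 ordinal call from %TEMP%, one for each of the three AppData copies (5072, 2128, 5080), and one for the Run value; the System32 SndVol.exe instance (4784) is correctly silent. The PID 3480 WriteProcessMemory events are deliberately not modelled, because the report gives no image name for that process to key on.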
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1.2MB
  MD5: 58d5bc7895f7f32ee308e34f06f25dd5
  SHA1: 7a7f5e991ddeaf73e15a0fdcb5c999c0248a2fa4
  SHA256: 4e305198f15bafd5728b5fb8e7ff48d9f312399c744ecfea0ecac79d93c5e478
  SHA512: 872c84c92b0e4050ae4a4137330ec3cda30008fd15d6413bf7a913c03a021ad41b6131e5a7356b374ced98d37ae207147ebefd93893560dc15c3e9875f93f7a9
- Filesize: 2.0MB
  MD5: d198ac7636df150271f4f8958a7d97cb
  SHA1: 3ad52d13f8ba452e1a472c16fc63ca3c895a61e5
  SHA256: 6c809f81b32e0847f6f87289731bd0bb89485fda35225c7704571a1374e3bd89
  SHA512: 559b5f873f3bbd10aac85ca2cc020c1715345994c2a730355b7f5853c328ba80d04a8f7f4eda78f86e869b2e41ad5a972eedf25e3a64040fce976161ee231ce3
- Filesize: 269KB
  MD5: c5d939ac3f9d885c8355884199e36433
  SHA1: b8f277549c23953e8683746e225e7af1c193ad70
  SHA256: 68b6ced01f5dfc2bc9556b005f4fff235a3d02449ad9f9e4de627c0e1424d605
  SHA512: 8488e7928e53085c00df096af2315490cd4b22ce2ce196b157dc0fbb820c5399a9dbd5dead40b24b99a4a32b6de66b4edc28339d7bacd9c1e7d5936604d1a4f0
- Filesize: 2.0MB
  MD5: f92e8877bb11abf5a9dcd950e5f54fd1
  SHA1: e81d87e4eb930785b80919d3adb2efdcb65ddc69
  SHA256: a98d28ea0275d964c43297da2484b1fd87017a273b68aa36fc2b84216b9a8e14
  SHA512: 6bcf5be17a610cdd4b1470146feb3e990116538863c7b05bd4b6777e135c468d6a2643a8bab6b56076b92161ae7acb6f9f91389ca92f876967ad5d10d3b7fce0
- Filesize: 1.8MB
  MD5: bed68b881ce0a0b91fc64d9c6fcfa6aa
  SHA1: cd8061e25e6acb1259609147b5cd2583b074e07b
  SHA256: d73fe5039f8b5ab0a6c0c5d060c9427d82f83e0982138592289c9963b38fbe68
  SHA512: d9128f4e628a8db849a13f3d39cfecc3aa5f4f83bfaa0d896d588d900aafbf8dec788e03e99f36602f9e542486fa92d90fd80ea8b281a79fdf7f2b2077a059ba
- Filesize: 2.0MB
  MD5: f1c60684c8dcba059b64a0da6addc5d2
  SHA1: 14259fdd8acfa50e23ef20a922f28d9908c45833
  SHA256: 31eda860e668751895fa9429fe9b8291b0f8bff44d5c4cc100810b5394130e86
  SHA512: 757c1baf1d1987c43838e19a1eb33cf757c1b24e7428201df82fc898eaa69092ec9adf825bba9232095b8968e59a4a2071bfb849afb62c0f6079fd4241f3786c
- Filesize: 1.4MB
  MD5: c98c6acb6522abafe9245092cfa8b6cb
  SHA1: 1722bb062305c170e9cf4370ad7e5799d6c0e1fe
  SHA256: 623dcec2806c69b7a5b5e4b765df9eb6fcd108567bd5a190efd36f7b4601581e
  SHA512: f60a97882c4ccff7131736fbc5252bb8101103a8dd321c140f17b7fb0f9bb9b9983e84a1665fb7c19fc73064afe71bc1e569615f1d00d52afab5229154921e12
- Filesize: 4.4MB
  MD5: ec6cef0a81f167668e18fa32f1606fce
  SHA1: 6d56837a388ae5573a38a439cee16e6dde5b4de8
  SHA256: 82c59a2f606ebf1a8a0de16be150600ac63ad8351c6bf3952c27a70257cb70f8
  SHA512: f40b37675329ca7875d958b4b0019082548a563ada217c7431c2ca5c7f93957b242f095f7f04bcdd6240b97ea99e89bfe3a003f97c43366d00a93768fef7b4c5
- Filesize: 1KB
  MD5: 35bc9e968597de377f592b8dc97f86cf
  SHA1: 538eb30c2a0cb31412e9eb3b9bb15f68b3756e04
  SHA256: 5ae7616aa43b21f18420f6b19156bf03637a1cc40c7d34b3d93be0a0b32ec701
  SHA512: 079d89059d08f3b1e2145dd8baa7f2e7a9ef8958d525d4e86d4b94cb9d91e9acaba0daaf1299c4906943cceca79b8bce2a70104265b6bc75e0331d5396ae65dd
The report lists no filenames for these dropped files, so they can only be matched by hash.