Analysis
- max time kernel: 149s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20231222-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20231222-en locale:en-us os:windows10-2004-x64 system
- submitted: 26-01-2024 10:54

Static task: static1
Behavioral task: behavioral1
- Sample: 772b68bf3048024e686be386fbfe5083.dll
- Resource: win7-20231215-en

General
- Target: 772b68bf3048024e686be386fbfe5083.dll
- Size: 652KB
- MD5: 772b68bf3048024e686be386fbfe5083
- SHA1: 458a9a79779cf07157ec419d9511975e2f8aa2c8
- SHA256: 7c62dc19058fca240cc5e8942a240f7691e6066aa3d59a51185ac3209e8f1409
- SHA512: 18164714b6ced7284218c0dc8c4e0013b1b08084e07f89322564bdd0bf5d37c62edcb947965e1384e26fe36dd7d613a82697a4429fc935ee1557edf3c9290d62
- SSDEEP: 12288:8KYQ5LL540CV3UIeLPrleV1F0e8gMA/9L0l3HATpKR4:9YQ5p4f0POF0nkls3opKR
Malware Config
Signatures
Processes:
- resource: behavioral2/memory/3436-3-0x0000000002070000-0x0000000002071000-memory.dmp; yara_rule: dridex_stager_shellcode
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
- description: Set value (str); ioc: \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tgnmvdx = "C:\\Users\\Admin\\AppData\\Roaming\\s0mBf\\WerFault.exe"
Checks whether UAC is enabled
Processes:
- description: Key value queried; ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA; process: rundll32.exe
Drops file in System32 directory 2 IoCs
Processes:
- description: File created; ioc: C:\Windows\system32\KzwGYeZ\FXSCOVER.exe; process: cmd.exe
- description: File opened for modification; ioc: C:\Windows\system32\KzwGYeZ\FXSCOVER.exe; process: cmd.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
- pid: 4040; process: rundll32.exe (6 entries)
- pid: 3436; process name not recorded (remaining 58 entries)
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
- Token: SeShutdownPrivilege; pid: 3436 (3 entries)
- Token: SeCreatePagefilePrivilege; pid: 3436 (3 entries)
Suspicious use of UnmapMainImage 1 IoCs
Processes:
- pid: 3436; process name not recorded
Suspicious use of WriteProcessMemory 22 IoCs
Processes:
- PID 3436 wrote to memory of 4136 (WerFault.exe), 2 entries
- PID 3436 wrote to memory of 1268 (cmd.exe), 2 entries
- PID 3436 wrote to memory of 2140 (FXSCOVER.exe), 2 entries
- PID 3436 wrote to memory of 4768 (cmd.exe), 2 entries
- PID 3436 wrote to memory of 3892 (schtasks.exe), 2 entries
- PID 3436 wrote to memory of 4348 (schtasks.exe), 2 entries
- PID 3436 wrote to memory of 1404 (schtasks.exe), 2 entries
- PID 3436 wrote to memory of 1636 (schtasks.exe), 2 entries
- PID 3436 wrote to memory of 3632 (schtasks.exe), 2 entries
- PID 3436 wrote to memory of 1364 (schtasks.exe), 2 entries
- PID 3436 wrote to memory of 1124 (schtasks.exe), 2 entries
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\772b68bf3048024e686be386fbfe5083.dll,#1
  Signatures: Checks whether UAC is enabled; Suspicious behavior: EnumeratesProcesses
  PID: 4040
- C:\Windows\system32\WerFault.exe
  Command line: C:\Windows\system32\WerFault.exe
  PID: 4136
- C:\Windows\system32\cmd.exe
  Command line: "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\ngA.cmd
  PID: 1268
- C:\Windows\system32\FXSCOVER.exe
  Command line: C:\Windows\system32\FXSCOVER.exe
  PID: 2140
- C:\Windows\system32\cmd.exe
  Command line: "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\PSg.cmd
  Signatures: Drops file in System32 directory
  PID: 4768
- C:\Windows\system32\schtasks.exe
  Command line: "C:\Windows\system32\schtasks.exe" /Create /F /TN "Kjaztdntfug" /TR "C:\Windows\system32\KzwGYeZ\FXSCOVER.exe" /SC minute /MO 60 /RL highest
  Signatures: Creates scheduled task(s)
  PID: 3892
- C:\Windows\system32\schtasks.exe
  Command line: C:\Windows\system32\schtasks.exe /Query /TN "Kjaztdntfug"
  PID: 4348
- C:\Windows\system32\schtasks.exe
  Command line: C:\Windows\system32\schtasks.exe /Query /TN "Kjaztdntfug"
  PID: 1404
- C:\Windows\system32\schtasks.exe
  Command line: C:\Windows\system32\schtasks.exe /Query /TN "Kjaztdntfug"
  PID: 1636
- C:\Windows\system32\schtasks.exe
  Command line: C:\Windows\system32\schtasks.exe /Query /TN "Kjaztdntfug"
  PID: 3632
- C:\Windows\system32\schtasks.exe
  Command line: C:\Windows\system32\schtasks.exe /Query /TN "Kjaztdntfug"
  PID: 1364
- C:\Windows\system32\schtasks.exe
  Command line: C:\Windows\system32\schtasks.exe /Query /TN "Kjaztdntfug"
  PID: 1124
Network
MITRE ATT&CK Enterprise v15
Downloads