Analysis
- max time kernel: 150s
- max time network: 126s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26-01-2024 13:37

Static task: static1
Behavioral task: behavioral1
Sample: 77810543496dc906d195460796a0219f.dll
Resource: win7-20231215-en

General
- Target: 77810543496dc906d195460796a0219f.dll
- Size: 1.7MB
- MD5: 77810543496dc906d195460796a0219f
- SHA1: 715be388b02b3699ec35b93d4ad823e6b0127c91
- SHA256: 3df740c27f3febda3ee2de2dfb8825fec9efdf4017ef648ff61b91d77f76f8ba
- SHA512: 21fc370d2143019708e8980c089ec7ab3c930b3c5040c8a05b579312ddd16295d4efeb191a7c4b3cfd6ee570b7a351052268633880bd79aa68330f1bca1c033d
- SSDEEP: 12288:sVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:ZfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
Processes (resource, yara_rule):
- behavioral2/memory/3428-4-0x0000000002BA0000-0x0000000002BA1000-memory.dmp matched rule dridex_stager_shellcode
Executes dropped EXE 3 IoCs
Processes (pid, process):
- 988 AtBroker.exe
- 412 systemreset.exe
- 4548 EhStorAuthn.exe
Loads dropped DLL 3 IoCs
Processes (pid, process):
- 988 AtBroker.exe
- 412 systemreset.exe
- 4548 EhStorAuthn.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes (description, ioc, process):
- Set value (str): \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Kqgfxymewp = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\ODA5IqI97Q\\systemreset.exe" (process column not recorded)
Checks whether UAC is enabled
Processes (description, ioc, process):
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA by EhStorAuthn.exe
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA by rundll32.exe
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA by AtBroker.exe
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA by systemreset.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (pid, process):
- 4020 rundll32.exe (4 entries)
- 3428 (process name not recorded; the remaining 60 entries)
Suspicious use of AdjustPrivilegeToken 16 IoCs
Processes (description, pid, process):
- Token: SeShutdownPrivilege, PID 3428 (8 entries, process name not recorded)
- Token: SeCreatePagefilePrivilege, PID 3428 (8 entries, process name not recorded)
Suspicious use of FindShellTrayWindow 2 IoCs
Processes (pid, process):
- 3428 (2 entries, process name not recorded)
Suspicious use of UnmapMainImage 1 IoCs
Processes (pid, process):
- 3428 (process name not recorded)
Suspicious use of WriteProcessMemory 12 IoCs
Processes (description, pid, process, target process):
- PID 3428 wrote to memory of 4932; source 3428, target AtBroker.exe (2 entries)
- PID 3428 wrote to memory of 988; source 3428, target AtBroker.exe (2 entries)
- PID 3428 wrote to memory of 4132; source 3428, target systemreset.exe (2 entries)
- PID 3428 wrote to memory of 412; source 3428, target systemreset.exe (2 entries)
- PID 3428 wrote to memory of 3484; source 3428, target EhStorAuthn.exe (2 entries)
- PID 3428 wrote to memory of 4548; source 3428, target EhStorAuthn.exe (2 entries)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\77810543496dc906d195460796a0219f.dll,#1
  PID: 4020
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\AtBroker.exe
  Command line: C:\Windows\system32\AtBroker.exe
  PID: 4932
- C:\Windows\system32\systemreset.exe
  Command line: C:\Windows\system32\systemreset.exe
  PID: 4132
- C:\Users\Admin\AppData\Local\QdZ5Bwt\AtBroker.exe
  Command line: C:\Users\Admin\AppData\Local\QdZ5Bwt\AtBroker.exe
  PID: 988
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Users\Admin\AppData\Local\dJgTvRi\EhStorAuthn.exe
  Command line: C:\Users\Admin\AppData\Local\dJgTvRi\EhStorAuthn.exe
  PID: 4548
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\EhStorAuthn.exe
  Command line: C:\Windows\system32\EhStorAuthn.exe
  PID: 3484
- C:\Users\Admin\AppData\Local\5G7xm\systemreset.exe
  Command line: C:\Users\Admin\AppData\Local\5G7xm\systemreset.exe
  PID: 412
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
Network
MITRE ATT&CK Enterprise v15
Downloads