Analysis
max time kernel: 150s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-01-2024 14:01
Static task: static1
Behavioral task: behavioral1
Sample: 778d4730d5f23525661b573a83f5a65f.dll
Resource: win7-20231215-en
General
Target: 778d4730d5f23525661b573a83f5a65f.dll
Size: 1.7MB
MD5: 778d4730d5f23525661b573a83f5a65f
SHA1: b4363f418266b63f4036546ab4a54e52fd530c2d
SHA256: 72ab82c1cb0c63ec0a02f3bd9061de964700d7490d0704cafc3eb3459b0e906d
SHA512: 0ae77c82fb95805277f52235354ae296455ffb7c33a863dff46b6245738fadec923dfe742c2554bdbb53cebc664c58630cbce935c5ddf714ca1bf55f9ae105cd
SSDEEP: 12288:CVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:ffP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
YARA rule match: dridex_stager_shellcode 1 IoCs
resource: behavioral2/memory/3524-4-0x0000000007EF0000-0x0000000007EF1000-memory.dmp
The match is in a memory region of PID 3524, the process that the report leaves unnamed but that appears as the writer in every WriteProcessMemory entry below.
Executes dropped EXE 3 IoCs
pid process
1584 FileHistory.exe
4612 rdpinput.exe
4736 CameraSettingsUIHost.exe
Loads dropped DLL 3 IoCs
pid process
1584 FileHistory.exe
4612 rdpinput.exe
4736 CameraSettingsUIHost.exe
Adds Run key to start application 2 TTPs 1 IoCs
description ioc process
Set value (str) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mbfbagbrjs = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\OneNote\\16.0\\62wNgUSp4K7\\rdpinput.exe" (process not named in the report)
Note that the Run value points at a copy of rdpinput.exe under AppData\Roaming\Microsoft\OneNote\16.0\62wNgUSp4K7\, not at the copy under AppData\Local\3EQz\ that the process tree shows executing; a cleanup that only removes the executed copy leaves the persisted one in place.
Checks whether UAC is enabled 4 IoCs
description ioc process
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA rdpinput.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA CameraSettingsUIHost.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA rundll32.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA FileHistory.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid process
4616 rundll32.exe (4 IoCs)
3524 (process not named in the report; 60 IoCs)
Suspicious use of FindShellTrayWindow 2 IoCs
pid process
3524 (process not named in the report; 2 IoCs)
Suspicious use of UnmapMainImage 1 IoCs
pid process
3524 (process not named in the report)
Suspicious use of WriteProcessMemory 12 IoCs
description pid process target process
PID 3524 wrote to memory of 4048 3524 (unnamed) FileHistory.exe
PID 3524 wrote to memory of 4048 3524 (unnamed) FileHistory.exe
PID 3524 wrote to memory of 1584 3524 (unnamed) FileHistory.exe
PID 3524 wrote to memory of 1584 3524 (unnamed) FileHistory.exe
PID 3524 wrote to memory of 3716 3524 (unnamed) rdpinput.exe
PID 3524 wrote to memory of 3716 3524 (unnamed) rdpinput.exe
PID 3524 wrote to memory of 4612 3524 (unnamed) rdpinput.exe
PID 3524 wrote to memory of 4612 3524 (unnamed) rdpinput.exe
PID 3524 wrote to memory of 2776 3524 (unnamed) CameraSettingsUIHost.exe
PID 3524 wrote to memory of 2776 3524 (unnamed) CameraSettingsUIHost.exe
PID 3524 wrote to memory of 4736 3524 (unnamed) CameraSettingsUIHost.exe
PID 3524 wrote to memory of 4736 3524 (unnamed) CameraSettingsUIHost.exe
Every write originates from PID 3524, which the report does not name and which is absent from the process tree; each target pair is recorded twice.
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
All seven processes are listed at the top level of the tree; the report shows no parent for any of them, and PID 3524 does not appear in the tree.

C:\Windows\system32\rundll32.exe
Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\778d4730d5f23525661b573a83f5a65f.dll,#1
PID: 4616
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses

C:\Windows\system32\FileHistory.exe
Command line: C:\Windows\system32\FileHistory.exe
PID: 4048

C:\Users\Admin\AppData\Local\ILOlUnA\FileHistory.exe
Command line: C:\Users\Admin\AppData\Local\ILOlUnA\FileHistory.exe
PID: 1584
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled

C:\Windows\system32\rdpinput.exe
Command line: C:\Windows\system32\rdpinput.exe
PID: 3716

C:\Windows\system32\CameraSettingsUIHost.exe
Command line: C:\Windows\system32\CameraSettingsUIHost.exe
PID: 2776

C:\Users\Admin\AppData\Local\3EQz\rdpinput.exe
Command line: C:\Users\Admin\AppData\Local\3EQz\rdpinput.exe
PID: 4612
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled

C:\Users\Admin\AppData\Local\OR365dd\CameraSettingsUIHost.exe
Command line: C:\Users\Admin\AppData\Local\OR365dd\CameraSettingsUIHost.exe
PID: 4736
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 61KB
MD5: aaca957bea06f0c413cc43d373278ab9
SHA1: 4ed5c08126eaa86d41131da65b35d47d739bb23f
SHA256: de606ff3d0ced095a808df46c2710351284ba3eadc19ccf730068c7f88769ef9
SHA512: 9b599c9dc4b776d24fe162409891773fc46db741a28e3c15ed3054165d83929409cccb65d7508ec1f1222d657c6a2cb417c2e77e486c95277a199fd81b566213

Filesize: 64KB
MD5: d1e14d377e3852932b064e68815b4bdd
SHA1: 7ccbce62539a4208fdb4cd1b9de25a88db55b57b
SHA256: b343b47ddfb95a6ba891f1ea0c32861fd129ee35fdb9bd6be6233afd8d649e1c
SHA512: 719c3ddf2e7abdaa2294d5e6cf425587a6e8150219cfd2d55ae1cfba6d5bd226a393e30ed8236b6fc493562147f6133793fde89a1e5d8fe60a72d96e7101bdab

Filesize: 53KB
MD5: 047a1fa4b4508077b121c33b0e8961bb
SHA1: 88d45575be36637302b0c80fc5b17ed57f1e07d8
SHA256: dd720f2e1f97263342dc49385ddf2331ade65e548d487532d1084dd9dfeb4e27
SHA512: abecc0aab398226efb5a92cb7f8765844ed64353aaf035ac3a7697ebcd3c7339d431b48112a5dd959e49e3e395771198debff784ead63d799912482ef62d8d59

Filesize: 28KB
MD5: df819096c593e0eb4517065091fa539e
SHA1: fbd453245c324a9a725ed09a2739ff21eda32e65
SHA256: 77894be49ef07bc2bcc9fdd0b543d96eeb86a6bd6dfdb423617b8dd6b20e71c1
SHA512: 79765a71bdd13f5b386f47dc6af23668fc45792110d8244b02ec8b73d30e543e9afafcd60a9a98e8e9601f6646f8215e6f0faf001232c262321362539a57f1b9

Filesize: 45KB
MD5: 98422fa6e3634d976bb2113bffeeded9
SHA1: 0ebbdbb8e85659bfbd5ced0d84e01a634c156611
SHA256: 3723fd1be24117d4cdc283fbaf7b13ea62aa9ba72496263b9e3f9a3363506d4a
SHA512: ca654412f5c6efc2bf2b1f391e3b1bd007029b297c53a9fd4d7db903b563d3b2ab9c85c38ea1d423194ad8da2f971c6b4d8ac9a34f470253d39106a829c79697

Filesize: 39KB
MD5: b259bfc10b1eb89c109bc840c5927a33
SHA1: ea8e883bd8628573a695f5e7316a2174fd9b2b77
SHA256: 198b2485ef951d552a22fec9e3c7250f94a7dd3ffd3db63909556e4cdf817387
SHA512: 96ad9dc137062221f1813df79540fcb6e593e5597b756d7c60b92362c78485cef8527260d5b28e9e9e71ab1e2896217d89ab229051b2fc296ba8135a9080c421

Filesize: 26KB
MD5: 9a629552bd220598094051e6add8a3dc
SHA1: 06885d1056dbd4483b1a098ea6ce2483d30337ac
SHA256: 8a16472dbe08d90b5e0a56815c72c66f751dea047ef898f58ae4e93242c43850
SHA512: 89c23451c6e5deff2386e040466b30c831e5862605da0e5271f57f1278d48eb78333d15ae83863fd1214e7f13c1c473cc58a70da543599217de773e75dbae988

Filesize: 64KB
MD5: 70d7d8564f5e8f6764e8ba01efe2c9aa
SHA1: b688e28edbb3b3587ddadea0497d29bcef5b1b87
SHA256: f205ed9943460fcd660e59ddc69f56d4f0d2d4befdfc1e1066c8937231446ecb
SHA512: e089d4849833b508cb3dee0854f1d83202cca5c32f91ff088e08dff78b8d2cf8070fe3c53cd541dbd255a5eb657aa437cb5128daaddc85c1a1eaeff5b494d21f

Filesize: 23KB
MD5: da17a6a7d6e3ff35a7f5984ce97be49c
SHA1: 0a2664f81f50e4e179210bb1cf128d4001f504fc
SHA256: 4c02e14d02c38996e0579860808befb6d4a3e713d84e73e1647009a9483fef1f
SHA512: 2cfec5fc388dc7cc8f6ffacbb08061989b2b5dbbe1019b6d461b4d5ad7472f4f0db550c5d9bdb40c5e37fe094552ab1246ccc3dc977d0199a9827aae22bbf335

Filesize: 5KB
MD5: d84edd8bffdca396bc4c10344b2154c9
SHA1: 4e54b42f487e588fdfc6ffeb8fef28aefc582215
SHA256: 95631f91287943b0bb91f39831e4b0151065707df2dd1e545471dccaafc731fd
SHA512: 5fea155287c3e3d9a24ef33189c433a70caf71f4cc1502f614619c1d46d37aff18bad07c02dc5e39e7dd5145ac008f4f60d95b4da1d8383dbdfed294af524822

Filesize: 17KB
MD5: 02d76c496c9a36de55e8900443319258
SHA1: e4a982ba7779ac895375ba79b7c8dc94fb55405a
SHA256: e141019b34848238b47bc7c43418c5f3341b531f9b06cf31bcf921a8328636ec
SHA512: 9d70bb58422029c424040be6ab29960d344ea0bc9270c8dde1f0786345b79d710495782abb063458c3005fa2a57c25c89d4ecb0622cd59c30d92f0c78a9ba51f

Filesize: 30KB
MD5: d699e2eb5e20f8280f69215d180cfa86
SHA1: bdd47d3ffaba4d1fb7ed7b23edf11deb264b93ed
SHA256: 3a67b4d27805e686e45dafed6cdec6c95b59848dc844f43a0c400b03a9d9bbb5
SHA512: 0d0f9154094780da1d22da95a9b74e96c1028dea7fca536497a38fc6a5d79c3c771d05acc1e1750209b480d8dfc35e0df243d4367349f39c680e623466ed5cb3

Filesize: 1.7MB
MD5: 6d39d78de04f93b4d647cbb566b4951b
SHA1: 4bbd6fd6e77de810f09e336e790f7dc7e4423049
SHA256: a380cc7170ae3d265161b3fabba51d01dbafbb7a96ba3b424e537ef31b34e4e0
SHA512: 9f5796173b9f66dc48ca16e213b3eb3e99a0ba427840f6b975c8fbfaba46b0752426542d58c463db309698167dc688130a2da7d4e48af3565841a1942cf6bec4

Filesize: 1KB
MD5: b43be7c81b662e32f94928d5a3c48512
SHA1: 547a724a447ed3c8597d7f8fc2a138d27ffcb0e6
SHA256: 7e2e42dade5620715d8e2d4d011a1869014e285eb63d0621b17a9326e12ae9c9
SHA512: 4e919334a5d6369b1e4529dfcc119655a8a195d3705cdbd4569322d36098440a6bf51278e9d28b58f8d0ed40986cd9640c5bfe1639feb5ff438911fa93a69b88

Filesize: 1.7MB
MD5: c3f5b04fd3f9dd4e9b637973e8fe6dfd
SHA1: 251267a5660413fe4a60f057d19cac21c2050ee8
SHA256: 83fbe09fa0d77634fc78b4cdaf85b7b47558c80ddff3cfec915a756a9a24b144
SHA512: 0f846191d996d32dc3a7cd84eaaf1ee27c3815060c214221b5cf97829fe0325340086b4de809e9871cf524dbddcbbe172228d1e93ffad11941b7783b2b5c9c0d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\yNfEYmKGrv\DUI70.dll
Filesize: 2.0MB
MD5: b45d5f3b3fe2668c50b4e6ffd24bc60b
SHA1: 28ffc6d8c05a45bb2babac05ab89c08ea808ebcb
SHA256: aaae862c980f4907ec442c109d24fa5f80abd0682086de34b4bf19f64a641218
SHA512: 9435891efa832ff363d5accc6e5e8f7a931bb7cb3e87497f01580e2364a610bbdb3711082dfcd3e4c27e188e43247deed7314d0b12d8d7187f14b46d6f49df04