Analysis

- max time kernel: 149s
- max time network: 124s
- platform: windows10-2004_x64
- resource: win10v2004-20231222-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26-01-2024 14:31
- Static task: static1
- Behavioral task: behavioral1
- Sample: 779ba17cb5ed3bb94e1d07aa171986a5.dll
- Resource: win7-20231215-en
General

- Target: 779ba17cb5ed3bb94e1d07aa171986a5.dll
- Size: 2.2MB
- MD5: 779ba17cb5ed3bb94e1d07aa171986a5
- SHA1: 058718b265fcc9798876a651e78bc532bc472e8f
- SHA256: be9b2a400439006f513f0980901a98e17cc45eb12faab2c4bf9dbb87615049fb
- SHA512: 8063b1a68cd965b671b943e7b90306df0c62726b31a0a8cbdb6b8bac2b68644fa73f559c5780682a4f6562fec46819610d8fa0016a22935b1faf85f9434db256
- SSDEEP: 12288:KVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:XfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
- Dridex stager shellcode detected in memory (YARA)
  resource | yara_rule
  behavioral2/memory/3628-5-0x0000000002B00000-0x0000000002B01000-memory.dmp | dridex_stager_shellcode

- Executes dropped EXE 3 IoCs
  pid | process
  4624 | rdpinput.exe
  3048 | SystemPropertiesComputerName.exe
  2544 | FXSCOVER.exe

- Loads dropped DLL 3 IoCs
  pid | process
  4624 | rdpinput.exe
  3048 | SystemPropertiesComputerName.exe
  2544 | FXSCOVER.exe

- Adds Run key to start application 2 TTPs 1 IoCs
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mbfbagbrjs = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\mcJSBCfEbv\\SystemPropertiesComputerName.exe" |

- Checks whether UAC is enabled 4 IoCs
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rdpinput.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | SystemPropertiesComputerName.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | FXSCOVER.exe

- Suspicious behavior: EnumeratesProcesses 64 IoCs
  pid | process | events
  2920 | rundll32.exe | 6
  3628 | (process name not recorded) | 58

- Suspicious use of UnmapMainImage 1 IoCs
  pid | process
  3628 |

- Suspicious use of WriteProcessMemory 12 IoCs
  description | pid | process | target process | events
  PID 3628 wrote to memory of 4004 | 3628 | | rdpinput.exe | 2
  PID 3628 wrote to memory of 4624 | 3628 | | rdpinput.exe | 2
  PID 3628 wrote to memory of 844 | 3628 | | SystemPropertiesComputerName.exe | 2
  PID 3628 wrote to memory of 3048 | 3628 | | SystemPropertiesComputerName.exe | 2
  PID 3628 wrote to memory of 4656 | 3628 | | FXSCOVER.exe | 2
  PID 3628 wrote to memory of 2544 | 3628 | | FXSCOVER.exe | 2

- Uses Task Scheduler COM API 1 TTPs
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

- C:\Windows\system32\rundll32.exe (PID 2920)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\779ba17cb5ed3bb94e1d07aa171986a5.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses

- C:\Windows\system32\rdpinput.exe (PID 4004)
  Command line: C:\Windows\system32\rdpinput.exe

- C:\Windows\system32\SystemPropertiesComputerName.exe (PID 844)
  Command line: C:\Windows\system32\SystemPropertiesComputerName.exe

- C:\Windows\system32\FXSCOVER.exe (PID 4656)
  Command line: C:\Windows\system32\FXSCOVER.exe

- C:\Users\Admin\AppData\Local\5kcC1y\SystemPropertiesComputerName.exe (PID 3048)
  Command line: C:\Users\Admin\AppData\Local\5kcC1y\SystemPropertiesComputerName.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled

- C:\Users\Admin\AppData\Local\fyEfBO9cR\rdpinput.exe (PID 4624)
  Command line: C:\Users\Admin\AppData\Local\fyEfBO9cR\rdpinput.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled

- C:\Users\Admin\AppData\Local\CvGX89V\FXSCOVER.exe (PID 2544)
  Command line: C:\Users\Admin\AppData\Local\CvGX89V\FXSCOVER.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
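The process tree and the "Adds Run key" signature above show the same pattern three times: a legitimate Windows executable (rdpinput.exe, SystemPropertiesComputerName.exe, FXSCOVER.exe) is first started from System32, then a copy of it runs from a randomly named directory under AppData\Local where the sample also drops a DLL ("Loads dropped DLL"), and one of those copies is registered under HKCU\...\Run. The following script, an added example that is not part of the sandbox report, turns that observation into a reusable check: it takes the process list and Run key value as they appear in the report (embedded here as constructed data) and flags System32 binary names executing from user-writable paths plus Run values pointing into AppData. The path regexes, the basename-based correlation and the helper names are assumptions made for this illustration.

```python
"""Flag the loader pattern visible in this report: copies of legitimate
System32 executables running from random AppData directories (where a DLL
they import can be side-loaded from the same directory) and a Run key
whose image lives under AppData.

Added example, not part of the sandbox report. Process paths, PIDs and the
Run key value are copied from the report; the path regexes and the
correlation logic are assumptions for illustration."""
import ntpath
import re

# Constructed from the report's process tree: (image path, pid).
PROCESSES = [
    (r"C:\Windows\system32\rundll32.exe", 2920),
    (r"C:\Windows\system32\rdpinput.exe", 4004),
    (r"C:\Windows\system32\SystemPropertiesComputerName.exe", 844),
    (r"C:\Windows\system32\FXSCOVER.exe", 4656),
    (r"C:\Users\Admin\AppData\Local\5kcC1y\SystemPropertiesComputerName.exe", 3048),
    (r"C:\Users\Admin\AppData\Local\fyEfBO9cR\rdpinput.exe", 4624),
    (r"C:\Users\Admin\AppData\Local\CvGX89V\FXSCOVER.exe", 2544),
]

# Constructed from the report's "Adds Run key" IoC: value name -> value data.
RUN_KEYS = {
    "Mbfbagbrjs": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\mcJSBCfEbv\SystemPropertiesComputerName.exe",
}

# Assumed path classes: a user's AppData tree is writable without admin
# rights; System32 is the trusted origin of the binaries being copied.
USER_WRITABLE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
SYSTEM32 = re.compile(r"^[A-Za-z]:\\Windows\\system32\\", re.IGNORECASE)


def system32_names(processes):
    """Basenames of executables observed running from System32 (reference set)."""
    return {ntpath.basename(p).lower() for p, _ in processes if SYSTEM32.match(p)}


def relocated_system_binaries(processes, reference=None):
    """Processes whose image name is a System32 binary but whose path is user-writable.

    Each such directory is a side-loading candidate: a DLL dropped beside the
    copied EXE with the name of one of its imports is resolved before the
    System32 original because the application directory is searched first.
    """
    names = reference if reference is not None else system32_names(processes)
    hits = []
    for path, pid in processes:
        name = ntpath.basename(path).lower()
        if name in names and USER_WRITABLE.match(path):
            hits.append({"pid": pid, "name": name, "dir": ntpath.dirname(path)})
    return hits


def run_key_image(data):
    """Extract the image path from a Run value (quoted path or bare path)."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:].split('"', 1)[0]
    # Bare path: assume arguments, if any, follow the first space. An unquoted
    # path that itself contains spaces would be cut short here.
    return data.split(" ", 1)[0]


def suspicious_run_keys(run_keys):
    """Run values whose image lives in a user-writable directory."""
    return [
        {"value": value, "image": run_key_image(data)}
        for value, data in run_keys.items()
        if USER_WRITABLE.match(run_key_image(data))
    ]


def correlate(processes, run_keys):
    """Binary names that are both relocated System32 copies and Run key targets.

    In this report the copy executes from AppData\\Local\\5kcC1y while the Run
    key names a path under AppData\\Roaming\\...\\Themes\\mcJSBCfEbv, so the
    match is made on basename rather than on the full path.
    """
    relocated = {h["name"] for h in relocated_system_binaries(processes)}
    targets = {ntpath.basename(h["image"]).lower() for h in suspicious_run_keys(run_keys)}
    return relocated & targets


if __name__ == "__main__":
    for hit in relocated_system_binaries(PROCESSES):
        print(f"relocated system binary: pid={hit['pid']} {hit['name']} in {hit['dir']}")
    for hit in suspicious_run_keys(RUN_KEYS):
        print(f"run key {hit['value']} -> {hit['image']}")
    print("persisted loader(s):", sorted(correlate(PROCESSES, RUN_KEYS)))
```

On this report's data the check flags PIDs 3048, 4624 and 2544 as relocated System32 binaries, leaves rundll32.exe (PID 2920, running from System32) alone, and correlates the Run value Mbfbagbrjs with the SystemPropertiesComputerName.exe copy. On a live host the same two functions can be fed the output of a process listing and of the HKCU and HKLM Run keys; the reference set should then come from a directory listing of System32 rather than from observed processes.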
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 327KB
  MD5: b828b9327cc57e4aaf82f919b804f7de
  SHA1: ce3fcf0a6c08029bc919f1cd794d100a82b1cdc9
  SHA256: b18c656d611ab58537305bd13a0bc7ed030e298f2c5a6e9a90cdfe059aa936af
  SHA512: b791a0602a451f98672dda3cc72c8397e5ed411f3c0226c9ac3523eb159bccaee97430afbc37c032eaf87ae9351e73ed2bf0daabb75678b9328bec0bff6ca5a4

- Filesize: 214KB
  MD5: 98709fa8e58635ac4ded425d9386d86d
  SHA1: 0860e8dd30c150aa0143ff0853c1ef7dd44343f9
  SHA256: a275dc59b9b0d487379166f7a6a48f884c5ba1969b2ea08b9f71de2a11f6165d
  SHA512: 55e243a0f96224a45e64dc6eced8586579f5b98b449ffc9d285a4ea6e99e737b5e3e78f5baa8e9f69cd566c4a24e08a4542f50b3984a1c1842f1c2d1813bb753

- Filesize: 82KB
  MD5: 6711765f323289f5008a6a2a04b6f264
  SHA1: d8116fdf73608b4b254ad83c74f2232584d24144
  SHA256: bd3a97327326e2245938ec6099f20059b446ff0fe1c10b9317d15d1a1dd5331e
  SHA512: 438abd282d9d1c0e7e5db2ce027ff9522c3980278b32b2eae09c595884a8dcbfd5178bc5926b1d15f03174303382e13f5d5ecab9a5d8e31fc07ef39e66c012e8

- Filesize: 120KB
  MD5: 71fabda854453b29722b0b8e1c6499d8
  SHA1: ee0364e9f923c41aa2d303c39df5fbeaee7bb198
  SHA256: c4bc06478eb59c4dbdb6ec2b5f583595b070ede423e5313337d4409ac40b5c19
  SHA512: e5c485b31b7141587841eda6ecbe317ff8f6f62291036401eaab15c620baf93fd7bda137ca194eafde5de5eb9fed20f27bb0b3700d54b2bfcbd3d420fd3f148c

- Filesize: 197KB
  MD5: 979f3680b37d31380aa93c2d0268c7f4
  SHA1: 3669d896f70a22942ef8eb94f20decbd10897893
  SHA256: 852c6104b621e755c7638ccf5d357f41142f47221382c380ffd3b91882d64808
  SHA512: 013c430b35fb51bc461b5507a2aae6f135cec424e0c507e9ba2904595d7cd8f05a43df2eb4d09e8376253799814e5019fb1512642f7943da42a438cd774fadba

- Filesize: 77KB
  MD5: f213dbae3c43ef5443e591fc0070dc03
  SHA1: bb0fa97b9ed5e9e3190da17a5aee584e23b11a50
  SHA256: 924fdeeaec56007031f720f87e4d1031f10097efcb178ab0922fb3745cdf6f00
  SHA512: 033b3da367b7050907785d8e58bf62ffd472eeee4f22a16c5465203745db0d5a2b32c2a25514b851610c50f1370d96bd1cdcadf680559700e29512fa92d0c4c1

- Filesize: 74KB
  MD5: e8d49534b90f6a525ed02636f3acf536
  SHA1: 945901dd6674f58c3149e5c216e1f38054982d74
  SHA256: 76f97124851efa940f9c7ec141e8804ee704b00503c6bfc2118b046a69266c42
  SHA512: ad9e8e643bb5879608b56fbb554abb1381522fe63263cf47eba29853050f546d563739fe0e4353eeadb3f64bfeabff1b4b3e7cbaed1fc003cca08ba55fe5d0fd

- Filesize: 279KB
  MD5: ebb5f0d6faec9c94981bebad96fcb5ea
  SHA1: a0b6962bac724922acbb12bd67f1affc08bfb4f1
  SHA256: c2af4805346b14b6f9c12364ea38345ba728dace585cc85026ebe7cd38f823ec
  SHA512: 48102691cd1673582be9a804653fe891b4f687b3f9473d2076d5221feca46e32c1657fe7970e47530e13c217f0ca9e2809a3041d9bdf71a6f6fc9349970b2b19

- Filesize: 329KB
  MD5: e8ac224d0dd1cb202e1ce850765b0965
  SHA1: b9ecfb2fb96e6d4933049813b0f9e8bbd75e7c33
  SHA256: cecd041061f80a06b689a08ae45a78a6504148e8e7f47914657c8dffc1797bb0
  SHA512: 121526c6e833eb93dbfdc979b25028268f994d9d9a41fe576ad7a39450d0a0587bb503a4d85f5d29e048e19840861c959fba7d55b717524ab65207af60131160

- Filesize: 100KB
  MD5: 9fb7dfdb15ae38a9fe3cd14b4ad2917b
  SHA1: c5efbe902bfe7fbd7d5448681ff1d512516ebe3c
  SHA256: f4b0fb857862ff143b8fba3f44f01bcb95392c85b1c9b0abda505821a57f4c2c
  SHA512: 6d691979cfd239fac25cd00d9a998400e313e8631564495e84e086cb8ce3b5ca29a1bc4ff347f23c796ab4a2ebe7b1e0ed122f0148a306563199c7cdaf321829

- Filesize: 180KB
  MD5: bd99eeca92869f9a3084d689f335c734
  SHA1: a2839f6038ea50a4456cd5c2a3ea003e7b77688c
  SHA256: 39bfb2214efeed47f4f5e50e6dff05541e29caeb27966520bdadd52c3d5e7143
  SHA512: 355433c3bbbaa3bcb849633d45713d8a7ac6f87a025732fbe83e259ec3a0cb4eabb18239df26609453f9fc6764c7276c5d0472f11cf12d15ef806aa7594d090e

- Filesize: 1.1MB
  MD5: 9c77ecd87759126614a82a7fc961b4b4
  SHA1: c294e4f30d244b57e8fe4ae0d3bced1442024609
  SHA256: c11f6fdae7c4f9b65a59650006f38c1fb20d9197ac8d6cf800891dd6fda9d44a
  SHA512: d25370ee899926fd96701ceb4333ad6e2eab57c4e345c64693017eb748508eb1b197774670205c8c965c7178aebb94164757e3fcc022985fd805db2930e88644

- Filesize: 194KB
  MD5: 07215a8ad602c7c6d229eba9dbfdd5a3
  SHA1: a32adbb46778080aa76278b0b4418c6937cddd14
  SHA256: ef824b45c3d8ea684ed2ec08d2d0076eeedc7062bd2afd82b38b27c52a2358d2
  SHA512: 3f08daf276d4c5ccf40f4f06e658343ef2f899637cc6c4215fe2532a992c09c992a156b22fec1b2773b12da3169def3c2fa17b8fdc09b60f9dab85e281317cbc

- Filesize: 974B
  MD5: 0d96c6fbaf821e534f898eded76ad57e
  SHA1: 7692c8a2e70e764cb3160c483032cd10ec72fff3
  SHA256: 5580dd9aeac75e2d6c5958d8b0b197286dcd2b329d48ce09b1635d40ea896cf8
  SHA512: 5dca6dda7a11ea95df5a4476e167c25d3fc815f5f2213398028079ce7e9b5b60c4609fe04dfe90e29f27ebfd82a6676f1289381c4dfa6d67d91f05a722c15a06

- Filesize: 2.2MB
  MD5: 5f5eccc8dd887d6ca400c496810470a1
  SHA1: cc966825acfbed6e7799f0f8995b9e58b1f322fe
  SHA256: ff72417f278a7028c812013cddd4ddf6a75abaf7c5169f548a0f4a049321e026
  SHA512: c49c4b3774aa4fc5695a95a165a9dd4beb47591a0eb23f5ff1f99ba6cb6f777495cc3b2bd2ba2287baaa4f76b25fbeaa5e4c83c48967a2113ec96cf70a6681ca