Analysis
- max time kernel: 152s
- max time network: 146s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26-01-2024 20:54
- Static task: static1
- Behavioral task: behavioral1
- Sample: 785ce10521b549ee5b635b6aaebf7f7f.dll
- Resource: win7-20231215-en
General
- Target: 785ce10521b549ee5b635b6aaebf7f7f.dll
- Size: 1.6MB
- MD5: 785ce10521b549ee5b635b6aaebf7f7f
- SHA1: abe7c72eef2d7414f84b0ff9811cfea344a35078
- SHA256: 2841518b5acc66a9fdbea00ba90c5775124fca822a3ae725b7dc86d68bfe4689
- SHA512: eeb6d2c24914bef11cd8e74a1703fd65dda1d9d3fedf78bc9958c970ab69c28fd7d9963300fecc5d0076e082516d275ae8213a3cdfeb085d744b25bd447fb525
- SSDEEP: 12288:7VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:afP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
-
  Processes (resource, yara_rule):
  behavioral2/memory/3520-5-0x0000000002E20000-0x0000000002E21000-memory.dmp  dridex_stager_shellcode
- Executes dropped EXE (3 IoCs)
  Processes (pid, process):
  4532  SystemPropertiesProtection.exe
  4936  Magnify.exe
  1380  unregmp2.exe
- Loads dropped DLL (3 IoCs)
  Processes (pid, process):
  4532  SystemPropertiesProtection.exe
  4936  Magnify.exe
  1380  unregmp2.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes (description, ioc, process):
  Set value (str)  \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gdfgjdhwrlpouj = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\OQAs9mgz\\Magnify.exe"
- Checks whether UAC is enabled
  Processes (description, ioc, process):
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  Magnify.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  unregmp2.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  SystemPropertiesProtection.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid, process):
  2428  rundll32.exe (4 entries)
  3520  (remaining entries; no process name recorded)
- Suspicious use of UnmapMainImage (1 IoCs)
  Processes (pid, process):
  3520  (no process name recorded)
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description, pid, process, target process):
  PID 3520 wrote to memory of 864   (target process: SystemPropertiesProtection.exe)
  PID 3520 wrote to memory of 864   (target process: SystemPropertiesProtection.exe)
  PID 3520 wrote to memory of 4532  (target process: SystemPropertiesProtection.exe)
  PID 3520 wrote to memory of 4532  (target process: SystemPropertiesProtection.exe)
  PID 3520 wrote to memory of 636   (target process: Magnify.exe)
  PID 3520 wrote to memory of 636   (target process: Magnify.exe)
  PID 3520 wrote to memory of 4936  (target process: Magnify.exe)
  PID 3520 wrote to memory of 4936  (target process: Magnify.exe)
  PID 3520 wrote to memory of 2064  (target process: unregmp2.exe)
  PID 3520 wrote to memory of 2064  (target process: unregmp2.exe)
  PID 3520 wrote to memory of 1380  (target process: unregmp2.exe)
  PID 3520 wrote to memory of 1380  (target process: unregmp2.exe)
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\785ce10521b549ee5b635b6aaebf7f7f.dll,#1
  PID: 2428
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\SystemPropertiesProtection.exe
  Command line: C:\Windows\system32\SystemPropertiesProtection.exe
  PID: 864
- C:\Users\Admin\AppData\Local\jvy\SystemPropertiesProtection.exe
  Command line: C:\Users\Admin\AppData\Local\jvy\SystemPropertiesProtection.exe
  PID: 4532
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\Magnify.exe
  Command line: C:\Windows\system32\Magnify.exe
  PID: 636
- C:\Users\Admin\AppData\Local\sr19H\Magnify.exe
  Command line: C:\Users\Admin\AppData\Local\sr19H\Magnify.exe
  PID: 4936
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\unregmp2.exe
  Command line: C:\Windows\system32\unregmp2.exe
  PID: 2064
- C:\Users\Admin\AppData\Local\VmImW0n4T\unregmp2.exe
  Command line: C:\Users\Admin\AppData\Local\VmImW0n4T\unregmp2.exe
  PID: 1380
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
Network
MITRE ATT&CK Enterprise v15
Downloads