Analysis

max time kernel: 150s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-01-2024 21:07

Static task: static1
Behavioral task: behavioral1
Sample: 7862e1e052ba3eff8d397f0c28d8fea7.dll
Resource: win7-20231215-en
General

Target: 7862e1e052ba3eff8d397f0c28d8fea7.dll
Size: 3.2MB
MD5: 7862e1e052ba3eff8d397f0c28d8fea7
SHA1: 9573a33a7a67bda2f5d4a1177397e544efb6d829
SHA256: eeebc052be55ded532fd74517fae12e73ab5054eb3c0d61f000ec87ccb16f526
SHA512: 4a37ff3116311eefa256610e65ecff791334baa682cd4a50691be10be630ba095df4beac5ee351f4efddf9c1d850ad0250050fbdab48d7b58fed8e1630b64a3b
SSDEEP: 12288:zVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:ifP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
Processes:
resource                                                                    yara_rule
behavioral2/memory/3556-4-0x00000000081A0000-0x00000000081A1000-memory.dmp  dridex_stager_shellcode
Executes dropped EXE 3 IoCs
Processes:
pid   process
1668  AgentService.exe
2924  DevicePairingWizard.exe
4160  SystemPropertiesHardware.exe
Loads dropped DLL 3 IoCs
Processes:
pid   process
1668  AgentService.exe
2924  DevicePairingWizard.exe
4160  SystemPropertiesHardware.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mbfbagbrjs = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\AddIns\\XF4kfc\\DevicePairingWizard.exe"
process: (empty in report)
Checks whether UAC is enabled 4 IoCs
Processes:
description        ioc                                                                                process
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  AgentService.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  DevicePairingWizard.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  SystemPropertiesHardware.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid   process
5080  rundll32.exe                  (4 entries)
3556  (process name not recorded)   (60 entries)
Suspicious use of AdjustPrivilegeToken 8 IoCs
Processes:
description                       pid   process
Token: SeShutdownPrivilege        3556  (not recorded)
Token: SeCreatePagefilePrivilege  3556  (not recorded)
Token: SeShutdownPrivilege        3556  (not recorded)
Token: SeCreatePagefilePrivilege  3556  (not recorded)
Token: SeShutdownPrivilege        3556  (not recorded)
Token: SeCreatePagefilePrivilege  3556  (not recorded)
Token: SeShutdownPrivilege        3556  (not recorded)
Token: SeCreatePagefilePrivilege  3556  (not recorded)
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
pid   process
3556  (not recorded)
3556  (not recorded)
Suspicious use of UnmapMainImage 1 IoCs
Processes:
pid   process
3556  (not recorded)
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
description                        pid   process         target process
PID 3556 wrote to memory of 3404   3556  (not recorded)  AgentService.exe
PID 3556 wrote to memory of 3404   3556  (not recorded)  AgentService.exe
PID 3556 wrote to memory of 1668   3556  (not recorded)  AgentService.exe
PID 3556 wrote to memory of 1668   3556  (not recorded)  AgentService.exe
PID 3556 wrote to memory of 916    3556  (not recorded)  DevicePairingWizard.exe
PID 3556 wrote to memory of 916    3556  (not recorded)  DevicePairingWizard.exe
PID 3556 wrote to memory of 2924   3556  (not recorded)  DevicePairingWizard.exe
PID 3556 wrote to memory of 2924   3556  (not recorded)  DevicePairingWizard.exe
PID 3556 wrote to memory of 1008   3556  (not recorded)  SystemPropertiesHardware.exe
PID 3556 wrote to memory of 1008   3556  (not recorded)  SystemPropertiesHardware.exe
PID 3556 wrote to memory of 4160   3556  (not recorded)  SystemPropertiesHardware.exe
PID 3556 wrote to memory of 4160   3556  (not recorded)  SystemPropertiesHardware.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\7862e1e052ba3eff8d397f0c28d8fea7.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID:5080

C:\Windows\system32\AgentService.exe
  command line: C:\Windows\system32\AgentService.exe
  PID:3404

C:\Users\Admin\AppData\Local\c5zN\AgentService.exe
  command line: C:\Users\Admin\AppData\Local\c5zN\AgentService.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID:1668

C:\Windows\system32\DevicePairingWizard.exe
  command line: C:\Windows\system32\DevicePairingWizard.exe
  PID:916

C:\Users\Admin\AppData\Local\mLoe0plH\DevicePairingWizard.exe
  command line: C:\Users\Admin\AppData\Local\mLoe0plH\DevicePairingWizard.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID:2924

C:\Windows\system32\SystemPropertiesHardware.exe
  command line: C:\Windows\system32\SystemPropertiesHardware.exe
  PID:1008

C:\Users\Admin\AppData\Local\0orjyp\SystemPropertiesHardware.exe
  command line: C:\Users\Admin\AppData\Local\0orjyp\SystemPropertiesHardware.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID:4160
Network
MITRE ATT&CK Enterprise v15
Downloads