Analysis
- max time kernel: 151s
- max time network: 123s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27-01-2024 04:12
- Static task: static1
- Behavioral task: behavioral1
- Sample: 793df85f287f06c4764a229b404e0a7f.dll
- Resource: win7-20231215-en
General
- Target: 793df85f287f06c4764a229b404e0a7f.dll
- Size: 660KB
- MD5: 793df85f287f06c4764a229b404e0a7f
- SHA1: 454ad7fe4ede68aeffa2144dc95d22618a17a17e
- SHA256: 823691284d6b7786dee73b7315b3cd146eac4160d5f7fca663cab821b66698fa
- SHA512: e20fce0797127f695247109fa01d39db3304fee14aa34441cc5f88c3ea38c18bf8d013b2207c57dd56b542dc9eaee0100a3c3c58c326be54677e760dd7f50c9f
- SSDEEP: 6144:Z34xznfAp4x+NWMqW/KZ1vCDTEpc2bysCZR6iwAtUnWKT5WK8Rpv1llfFfCRAuTF:ZIKp/UWCZdCDh2IZDwAFRpR6Au
Signatures
- YARA rule matches (dridex_stager_shellcode):
  - behavioral2/memory/3552-3-0x0000000006EE0000-0x0000000006EE1000-memory.dmp
- YARA rule matches (dridex_payload):
  - behavioral2/memory/3280-0-0x00007FFD9EC90000-0x00007FFD9ED35000-memory.dmp
  - behavioral2/memory/3552-15-0x0000000140000000-0x00000001400A5000-memory.dmp
  - behavioral2/memory/3552-22-0x0000000140000000-0x00000001400A5000-memory.dmp
  - behavioral2/memory/3552-33-0x0000000140000000-0x00000001400A5000-memory.dmp
  - behavioral2/memory/3280-36-0x00007FFD9EC90000-0x00007FFD9ED35000-memory.dmp
  - behavioral2/memory/1208-44-0x00007FFD8F020000-0x00007FFD8F0C6000-memory.dmp
  - behavioral2/memory/1208-48-0x00007FFD8F020000-0x00007FFD8F0C6000-memory.dmp
  - behavioral2/memory/1576-60-0x00007FFD8F080000-0x00007FFD8F126000-memory.dmp
  - behavioral2/memory/1576-64-0x00007FFD8F080000-0x00007FFD8F126000-memory.dmp
  - behavioral2/memory/3988-80-0x00007FFD8F080000-0x00007FFD8F126000-memory.dmp
- Executes dropped EXE (3 IoCs)
  Processes (pid, process):
  - 1208 SystemPropertiesDataExecutionPrevention.exe
  - 1576 wscript.exe
  - 3988 AtBroker.exe
- Loads dropped DLL (3 IoCs)
  Processes (pid, process):
  - 1208 SystemPropertiesDataExecutionPrevention.exe
  - 1576 wscript.exe
  - 3988 AtBroker.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Registry IoC (description, key, value):
  - Set value (str): \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gdfgjdhwrlpouj = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\wI1WHJWu\\wscript.exe"
- Checks whether UAC is enabled
  Registry IoCs (description, key, process):
  - Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA by rundll32.exe
  - Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA by SystemPropertiesDataExecutionPrevention.exe
  - Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA by wscript.exe
  - Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA by AtBroker.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid, process):
  - 3280 rundll32.exe (4 entries)
  - 3552 (process name not recorded; 60 entries)
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes (pid, process):
  - 3552 (process name not recorded; 2 entries)
- Suspicious use of UnmapMainImage (1 IoC)
  Processes (pid, process):
  - 3552 (process name not recorded)
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description, pid, target process):
  - PID 3552 wrote to memory of 2472 (SystemPropertiesDataExecutionPrevention.exe), 2 entries
  - PID 3552 wrote to memory of 1208 (SystemPropertiesDataExecutionPrevention.exe), 2 entries
  - PID 3552 wrote to memory of 4376 (wscript.exe), 2 entries
  - PID 3552 wrote to memory of 1576 (wscript.exe), 2 entries
  - PID 3552 wrote to memory of 3356 (AtBroker.exe), 2 entries
  - PID 3552 wrote to memory of 3988 (AtBroker.exe), 2 entries
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\rundll32.exe (PID 3280)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\793df85f287f06c4764a229b404e0a7f.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe (PID 2472)
  Command line: C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
- C:\Users\Admin\AppData\Local\G25\SystemPropertiesDataExecutionPrevention.exe (PID 1208)
  Command line: C:\Users\Admin\AppData\Local\G25\SystemPropertiesDataExecutionPrevention.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\wscript.exe (PID 4376)
  Command line: C:\Windows\system32\wscript.exe
- C:\Users\Admin\AppData\Local\ObVqq\wscript.exe (PID 1576)
  Command line: C:\Users\Admin\AppData\Local\ObVqq\wscript.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\AtBroker.exe (PID 3356)
  Command line: C:\Windows\system32\AtBroker.exe
- C:\Users\Admin\AppData\Local\V62s\AtBroker.exe (PID 3988)
  Command line: C:\Users\Admin\AppData\Local\V62s\AtBroker.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
Downloads