Analysis
Max time kernel: 147s
Max time network: 122s
Platform: windows10-2004_x64
Resource: win10v2004-20231222-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 27-01-2024 05:36
Static task: static1
Behavioral task: behavioral1
Sample: 7968f591e01c7a4a04d2d9c53d667082.dll
Resource: win7-20231215-en
General
Target: 7968f591e01c7a4a04d2d9c53d667082.dll
Size: 1.9MB
MD5: 7968f591e01c7a4a04d2d9c53d667082
SHA1: d360ace519351b3109e26800067532b2d26ee952
SHA256: 00a23ef486863b29a272d8b4405e375fefa0a629927a9bccd0434886b02c5cdd
SHA512: 261007611f113167d1e3a8c9fc1d7e6867fcb82ec8c1bf0c82f5ae6d17de7abf8807834c4d6d68720ed83c6fca428d0400ca4e86119cfe80fe1315b3cb1f29cc
SSDEEP: 12288:3VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1V:+fP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
- YARA rule match
  Resource: behavioral2/memory/3472-4-0x0000000006D10000-0x0000000006D11000-memory.dmp
  Rule: dridex_stager_shellcode
- Executes dropped EXE (3 IoCs)
  Processes: 3160 RdpSa.exe, 4976 Taskmgr.exe, 1756 mstsc.exe
- Loads dropped DLL (3 IoCs)
  Processes: 3160 RdpSa.exe, 4976 Taskmgr.exe, 1756 mstsc.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mbfbagbrjs = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\hT1PPa\\Taskmgr.exe"
- Checks whether UAC is enabled
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  Processes: rundll32.exe, RdpSa.exe, Taskmgr.exe, mstsc.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: 1012 rundll32.exe (4 events); 3472 (remaining events, process name not recorded)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Token: SeShutdownPrivilege (pid 3472), SeCreatePagefilePrivilege (pid 3472), SeShutdownPrivilege (pid 3472), SeCreatePagefilePrivilege (pid 3472)
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes: 3472, 3472
- Suspicious use of UnmapMainImage (1 IoC)
  Processes: 3472
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 3472 wrote to memory of 4376 (RdpSa.exe), 2 events
  PID 3472 wrote to memory of 3160 (RdpSa.exe), 2 events
  PID 3472 wrote to memory of 4600 (Taskmgr.exe), 2 events
  PID 3472 wrote to memory of 4976 (Taskmgr.exe), 2 events
  PID 3472 wrote to memory of 3020 (mstsc.exe), 2 events
  PID 3472 wrote to memory of 1756 (mstsc.exe), 2 events
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\7968f591e01c7a4a04d2d9c53d667082.dll,#1
  PID: 1012
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\RdpSa.exe
  Command line: C:\Windows\system32\RdpSa.exe
  PID: 4376
- C:\Users\Admin\AppData\Local\7GMpuEOP\RdpSa.exe
  Command line: C:\Users\Admin\AppData\Local\7GMpuEOP\RdpSa.exe
  PID: 3160
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Users\Admin\AppData\Local\6EJeq90wu\Taskmgr.exe
  Command line: C:\Users\Admin\AppData\Local\6EJeq90wu\Taskmgr.exe
  PID: 4976
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\mstsc.exe
  Command line: C:\Windows\system32\mstsc.exe
  PID: 3020
- C:\Users\Admin\AppData\Local\glOyVHOM\mstsc.exe
  Command line: C:\Users\Admin\AppData\Local\glOyVHOM\mstsc.exe
  PID: 1756
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\Taskmgr.exe
  Command line: C:\Windows\system32\Taskmgr.exe
  PID: 4600
Network
MITRE ATT&CK Enterprise v15
Downloads