Analysis
max time kernel: 150s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-01-2024 04:57
Static task: static1
Behavioral task: behavioral1
Sample: 7c364a9cc46fabb61560e9bb9ef588ce.dll
Resource: win7-20231215-en
General
Target: 7c364a9cc46fabb61560e9bb9ef588ce.dll
Size: 1.6MB
MD5: 7c364a9cc46fabb61560e9bb9ef588ce
SHA1: 1a755f4b3d03b6bce41ebb26bd8d15e3e6dfe96f
SHA256: ac5e42f699e4e1efc7f7cd1f1b6516c4ff8405ff1e82aba21ed18cc8cf26efd7
SHA512: 807cbefe2206e54c26929f9868c6f8a0340d324d18a63e0da216ab6e523109cf6012b41676cd5552f0ee8681875065d8ad021632e80129089070317737dda75f
SSDEEP: 12288:GVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:bfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config

Signatures

Processes:
  resource: behavioral2/memory/3532-4-0x0000000003600000-0x0000000003601000-memory.dmp
  yara_rule: dridex_stager_shellcode

Executes dropped EXE 3 IoCs
Processes:
  pid 696   bdechangepin.exe
  pid 3292  sigverif.exe
  pid 1456  rdpinput.exe

Loads dropped DLL 3 IoCs
Processes:
  pid 696   bdechangepin.exe
  pid 3292  sigverif.exe
  pid 1456  rdpinput.exe

Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gdfgjdhwrlpouj = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\x1CaK4j\\sigverif.exe"

Checks whether UAC is enabled
Processes:
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  sigverif.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rdpinput.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  bdechangepin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
  pid 4264  rundll32.exe  (4 entries)
  pid 3532  (60 entries, no process name recorded)

Suspicious use of AdjustPrivilegeToken 8 IoCs
Processes:
  Token: SeShutdownPrivilege        pid 3532
  Token: SeCreatePagefilePrivilege  pid 3532
  Token: SeShutdownPrivilege        pid 3532
  Token: SeCreatePagefilePrivilege  pid 3532
  Token: SeShutdownPrivilege        pid 3532
  Token: SeCreatePagefilePrivilege  pid 3532
  Token: SeShutdownPrivilege        pid 3532
  Token: SeCreatePagefilePrivilege  pid 3532

Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
  pid 3532
  pid 3532

Suspicious use of UnmapMainImage 1 IoCs
Processes:
  pid 3532

Suspicious use of WriteProcessMemory 12 IoCs
Processes:
  PID 3532 wrote to memory of 2464   target process: bdechangepin.exe
  PID 3532 wrote to memory of 2464   target process: bdechangepin.exe
  PID 3532 wrote to memory of 696    target process: bdechangepin.exe
  PID 3532 wrote to memory of 696    target process: bdechangepin.exe
  PID 3532 wrote to memory of 1772   target process: sigverif.exe
  PID 3532 wrote to memory of 1772   target process: sigverif.exe
  PID 3532 wrote to memory of 3292   target process: sigverif.exe
  PID 3532 wrote to memory of 3292   target process: sigverif.exe
  PID 3532 wrote to memory of 5060   target process: rdpinput.exe
  PID 3532 wrote to memory of 5060   target process: rdpinput.exe
  PID 3532 wrote to memory of 1456   target process: rdpinput.exe
  PID 3532 wrote to memory of 1456   target process: rdpinput.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\7c364a9cc46fabb61560e9bb9ef588ce.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID:4264

C:\Windows\system32\bdechangepin.exe
  command line: C:\Windows\system32\bdechangepin.exe
  PID:2464

C:\Users\Admin\AppData\Local\e4H5E1a9\bdechangepin.exe
  command line: C:\Users\Admin\AppData\Local\e4H5E1a9\bdechangepin.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID:696

C:\Windows\system32\sigverif.exe
  command line: C:\Windows\system32\sigverif.exe
  PID:1772

C:\Users\Admin\AppData\Local\3Ka9vS2\sigverif.exe
  command line: C:\Users\Admin\AppData\Local\3Ka9vS2\sigverif.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID:3292

C:\Windows\system32\rdpinput.exe
  command line: C:\Windows\system32\rdpinput.exe
  PID:5060

C:\Users\Admin\AppData\Local\cooXj\rdpinput.exe
  command line: C:\Users\Admin\AppData\Local\cooXj\rdpinput.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID:1456
Network
MITRE ATT&CK Enterprise v15
Downloads