Analysis
- max time kernel: 150s
- max time network: 123s
- platform: windows10-2004_x64
- resource: win10v2004-20231222-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-01-2024 07:43

Static task: static1
Behavioral task: behavioral1
Sample: 7c8beaa0420a5e1596bd7da96586b811.dll
Resource: win7-20231129-en
General
- Target: 7c8beaa0420a5e1596bd7da96586b811.dll
- Size: 2.1MB
- MD5: 7c8beaa0420a5e1596bd7da96586b811
- SHA1: ba39edf8926c0666f12d85ae5cb2dbb4c507bd02
- SHA256: 0f35ac401b512fd1dfd8434325a834942af1b28bd25d7b39dc76e457569cb08d
- SHA512: ad8ebf3f33240e18c5be247bfcc65d59ca2e46528a66dcd2e768d474c9c2eabe2932b7583c306c75e63cd3ed89aab2bcdd579f89bc5d21ca38b44fc9b94a9799
- SSDEEP: 12288:OVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:TfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
Processes (resource, yara_rule):
- behavioral2/memory/3468-4-0x0000000002E60000-0x0000000002E61000-memory.dmp | dridex_stager_shellcode
Executes dropped EXE (3 IoCs)
Processes (pid, process):
- 1232 DevicePairingWizard.exe
- 1684 LockScreenContentServer.exe
- 4784 wscript.exe

Loads dropped DLL (3 IoCs)
Processes (pid, process):
- 1232 DevicePairingWizard.exe
- 1684 LockScreenContentServer.exe
- 4784 wscript.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes (description, ioc, process):
- Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tgnmvdx = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\SendTo\\Luh\\LockScreenContentServer.exe" | (process not recorded)
Checks whether UAC is enabled
Processes (description, ioc, process):
- Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe
- Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | DevicePairingWizard.exe
- Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | LockScreenContentServer.exe
- Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | wscript.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (pid, process):
- 1496 rundll32.exe (6 entries)
- 3468 (process name not recorded; the remaining 58 entries)

Suspicious use of FindShellTrayWindow (3 IoCs)
Processes (pid, process):
- 3468 (process name not recorded; 3 entries)

Suspicious use of SendNotifyMessage (3 IoCs)
Processes (pid, process):
- 3468 (process name not recorded; 3 entries)

Suspicious use of UnmapMainImage (1 IoCs)
Processes (pid, process):
- 3468 (process name not recorded)
Suspicious use of WriteProcessMemory (12 IoCs)
Processes (description, pid, process, target process):
- PID 3468 wrote to memory of 2464 | 3468 | (not recorded) | DevicePairingWizard.exe (2 entries)
- PID 3468 wrote to memory of 1232 | 3468 | (not recorded) | DevicePairingWizard.exe (2 entries)
- PID 3468 wrote to memory of 3812 | 3468 | (not recorded) | LockScreenContentServer.exe (2 entries)
- PID 3468 wrote to memory of 1684 | 3468 | (not recorded) | LockScreenContentServer.exe (2 entries)
- PID 3468 wrote to memory of 3540 | 3468 | (not recorded) | wscript.exe (2 entries)
- PID 3468 wrote to memory of 4784 | 3468 | (not recorded) | wscript.exe (2 entries)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\7c8beaa0420a5e1596bd7da96586b811.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID: 1496
- C:\Windows\system32\DevicePairingWizard.exe
  Command line: C:\Windows\system32\DevicePairingWizard.exe
  PID: 2464
- C:\Windows\system32\LockScreenContentServer.exe
  Command line: C:\Windows\system32\LockScreenContentServer.exe
  PID: 3812
- C:\Users\Admin\AppData\Local\R5mIsRN\DevicePairingWizard.exe
  Command line: C:\Users\Admin\AppData\Local\R5mIsRN\DevicePairingWizard.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 1232
- C:\Users\Admin\AppData\Local\DkPEivbGH\wscript.exe
  Command line: C:\Users\Admin\AppData\Local\DkPEivbGH\wscript.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 4784
- C:\Windows\system32\wscript.exe
  Command line: C:\Windows\system32\wscript.exe
  PID: 3540
- C:\Users\Admin\AppData\Local\VRs7vDeY\LockScreenContentServer.exe
  Command line: C:\Users\Admin\AppData\Local\VRs7vDeY\LockScreenContentServer.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 1684
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 35KB
  MD5: 3a75bbf7ad38a41a59c6f10e9bc6fe0d
  SHA1: 5fec5b0fc55f917a84b77a85af9f71bc8c02ba3c
  SHA256: e380ae768861c1a96e66e2f164726d733e415636444f84d85304b2e34adf4fd6
  SHA512: 2416581bfb6567d935d28e675f33c4c4db13fdcb81065c08d2e5b775c21e56f194d51c3d7b3e1b5b4b89dde7f2583e56754c69586adc1df62649dc7e7c272c72
- Filesize: 84KB
  MD5: d21bd2498ae1b7addc6eb7fa91dacb87
  SHA1: 15761a950885b99d97160068fba32647d1e614cb
  SHA256: f22352087ad21eaa5a43d45dad393d1849ae41c0dcf02e3a2c1df4e89c01a1e1
  SHA512: 3c37c470abd80c9ccac9c0cee64e04e041e52a9a1b5cf3c41c89dcc5eeeb2fe409668ff1a3be178cbc6ca2f38690074fa8f926ff4dd11d44e17aa527a5e42b8c
- Filesize: 64KB
  MD5: 2d91f316e59a34013a094e832888740b
  SHA1: e337935c2d57ed9849083b681f74c784cfdf3f1e
  SHA256: ced0f33ce911f5033deceab826b95d6db3650e2ec3c9748a532f767f5fa34327
  SHA512: e7adaa5b76007d7586e0fca3830cb6dfc63b0e2320e1321e1ebc7a476e04971eb8300d3c893cc8edfca21d860b629b90aa65456572b1a3f99b2a98a9c98cae9a
- Filesize: 57KB
  MD5: f4f896e675956554dfbbc3819137c259
  SHA1: c42593b63c1d653cec310300a8055b8fbf81408d
  SHA256: 79a714d60bf7572924d7bdc233300b35eff1a16342a1170d20977af3c7f4c8b6
  SHA512: 1d3eb2c6b77c767ec92e3c9d0c4ac06d052ac09c2ae137164c379922da9f55224047c8416d55f83ce7aa7b714da6fded2d0054d0ff4705226e2ee89812d1a026
- Filesize: 40KB
  MD5: fb9244619da2c455b35d4e9999d27f60
  SHA1: 725f7bee3db5bf71ec502e05a9f4e7d0193374db
  SHA256: 172667cd4f99083e0a414fd02bf28b42fbf2962d71e8c70c58c3c83ae3c5a2c4
  SHA512: 740dfe014af35c1eaade576a9854c982ab08d85f3c2267732bf6b579142f323493bd6824c59bd299af382be62051ddb63115980d8f4369b4315521fd2d5c5a99
- Filesize: 93KB
  MD5: d0e40a5a0c7dad2d6e5040d7fbc37533
  SHA1: b0eabbd37a97a1abcd90bd56394f5c45585699eb
  SHA256: 2adaf3a5d3fde149626e3fef0e943c7029a135c04688acf357b2d8d04c81981b
  SHA512: 1191c2efcadd53b74d085612025c44b6cd54dd69493632950e30ada650d5ed79e3468c138f389cd3bc21ea103059a63eb38d9d919a62d932a38830c93f57731f
- Filesize: 75KB
  MD5: 4a5a55ac826919bbcd8f7d5040806fac
  SHA1: 30ebbf016f529deb1eb4a797c0e2cf8bf14c94bd
  SHA256: 286e41f6750449af377af3fdcea9923ce0d9bb65d971a24a864b10df5e3a9537
  SHA512: cbe656f5a568146dd0659f68977e0d0f8d118b3e999b7b555754a5799e7f8fd9296b7ff6f8e6c85ddcada681518bdd06332bc505e0d940cd153a9372ac3517f0
- Filesize: 153KB
  MD5: fe6ec32645ad414945132d3ab9b0dc1b
  SHA1: 6a8f32053ba59f291b9f87cc698b035ac720220a
  SHA256: d57f8f59bcca3d0e363b787e4e4a70dc928871b14610f15bfdf2c6a17e95ebc3
  SHA512: 43887276af57d1bdabbc9edb72fbd748a1e0d24f3ee163984e7bf59a66d4af4bd741c12cf32cb306659ecd1cec9c6a77e83676849baf10d09b4fd76ff4fb893f
- Filesize: 108KB
  MD5: f00cf02cc221297262bfc295e7e948ed
  SHA1: d2644f0883da7718bd526ddfed9441c22d8768ea
  SHA256: 1155096269011bfd14dfc1bffcde7f7c3665c030c8bc243c1e9c6197518fdff9
  SHA512: ce220f65adfcd56eaa1670524ea7bd223c5592c5265ba9fc9d38ce710686d14f02110980c5ae2aae53673bcc99d32e0410f0705fc658360d7e5809bebf794b33
- Filesize: 55KB
  MD5: 0366f1b70ea20b3bad86d58a851b48de
  SHA1: 90ca3b94f22a41926217d16e80cc0991ca73660d
  SHA256: 02d286e601812fd9c8dcb01ead012ad6db2208510fc2f5017a413cf3473cd652
  SHA512: a23f0987b37ed52d8f73f82a2c89de88ab3feb7472b6b82d061fa2e984191638a2bca70cac97f80d3617df7f9eb1398ae30066d4842ff2ac69e3a408a99dd36d
- Filesize: 47KB
  MD5: a0b7513c98cf46ca2cea3a567fec137c
  SHA1: 2307fc8e3fc620ea3c2fdc6248ad4658479ba995
  SHA256: cb2278884f04fd34753f7a20e5865ef5fc4fa47c28df9ac14ad6e922713af8c6
  SHA512: 3928485a60ffa7f2d2b7d0be51863e1f8197578cfb397f1086a1ab5132843a23bbc4042b04b5d01fafad04878bd839161fa492d0cf1a6bac6be92023cdee3d15
- Filesize: 28KB
  MD5: ef68d21df2bdc31b0c73de35c619388e
  SHA1: f0005382d215162b77bca349c49255c7247009db
  SHA256: a60316652877737528052e912df759817a148524db7907b9d2f20183320d3a0d
  SHA512: 846636175a9e0397acc2eba3471665457f66fd57f2f7196209c9856485fcec85afad1f181ca3c423364d6a4190d84bb31791ae74fd5bdce5b7c603df6db9d96c
- Filesize: (not recorded)
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
- Filesize: 706KB
  MD5: a145a17157aefa571b5ea874950b01d9
  SHA1: 988c2c9143a0e701e1807429e3e5ae59f6f24cc9
  SHA256: 6cfb5e55ab2a1e085af3338f4d172445eb658dda4cc9ccc4b32134b07b9ca972
  SHA512: 56e79f88579856875b24d768962d615f91621bdab372c341fdb5455a5157e6d220bcd9b463053572a784fcd270984e512e1297329387bbdea90c4d56cb2b9827
- Filesize: 2.1MB
  MD5: a3984db5d7e176238d6c0dcacea16463
  SHA1: 73b22c66d778dbd48e8323a9559efae0a5c6f178
  SHA256: 13e5012f0fcb557af17f8176bf0a8f0b087bce1c809fc40f84e0fe994e2f663a
  SHA512: a1dd6b9a18e3828699d4bae04387d5b7614c8cda092584c65d8fed42c4ec509bdc86f1be6e3d0b63d506bcf1ec50a50f7fb34fdc3116203a6196a860748f7e34
- Filesize: 387KB
  MD5: ac4a2cf852041592d2faa8c71a7995e6
  SHA1: e54491e3408884c59ac35db3490c8101d3a12dc3
  SHA256: b79aad0daab95462dc691ee7c378da2a4e0095aeb9090a427027271b88b3e06b
  SHA512: 28c3c54c16e1b7607372a0bb4aa6b340e34e572f006d74b3a6303e033b64819db68aa6ff136c2604d34cdb71d7418104df3c14dfde6733ebd0faaa0ead2d0a07