Analysis
max time kernel: 149s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-01-2024 01:01
Static task: static1
Behavioral task: behavioral1
Sample: 7e7645b86e265b69aed08c4852fe6291.dll
Resource: win7-20231215-en
General
Target: 7e7645b86e265b69aed08c4852fe6291.dll
Size: 1.1MB
MD5: 7e7645b86e265b69aed08c4852fe6291
SHA1: 0e39986ca509db0826c81ca3693fecb375726dcb
SHA256: e0980b4994c3d61ec8c3ab1db13ef837487bd2e209e97a4ad4708211d9d4d712
SHA512: 2f2f7e96591bf49bec9e3b56f7457ee00ca85bd7812c6de3a27097fdfda3beb9b42467b7e0f11b01036704c635e461bbf3a2f12877f672a7de1af462611b26ff
SSDEEP: 12288:JkbQEkWqv+157EYfxarhwLNuR7ek1tHffB/HzTyNQ6NIeGYr/RUX/ShJ:JkbHkWfzZ5adwLNGeStHntqN7vaP
Malware Config
Signatures
Processes:
resource                                                                    yara_rule
behavioral2/memory/3520-3-0x00000000088E0000-0x00000000088E1000-memory.dmp  dridex_stager_shellcode
Processes:
resource                                                                     yara_rule
behavioral2/memory/2224-0-0x00007FFC45730000-0x00007FFC45849000-memory.dmp   dridex_payload
behavioral2/memory/3520-20-0x0000000140000000-0x0000000140119000-memory.dmp  dridex_payload
behavioral2/memory/3520-27-0x0000000140000000-0x0000000140119000-memory.dmp  dridex_payload
behavioral2/memory/3520-38-0x0000000140000000-0x0000000140119000-memory.dmp  dridex_payload
behavioral2/memory/2224-41-0x00007FFC45730000-0x00007FFC45849000-memory.dmp  dridex_payload
behavioral2/memory/2296-48-0x00007FFC35C80000-0x00007FFC35D9A000-memory.dmp  dridex_payload
behavioral2/memory/2296-53-0x00007FFC35C80000-0x00007FFC35D9A000-memory.dmp  dridex_payload
behavioral2/memory/216-64-0x00007FFC35C80000-0x00007FFC35D9B000-memory.dmp   dridex_payload
behavioral2/memory/216-69-0x00007FFC35C80000-0x00007FFC35D9B000-memory.dmp   dridex_payload
behavioral2/memory/3548-80-0x00007FFC35AD0000-0x00007FFC35BEA000-memory.dmp  dridex_payload
behavioral2/memory/3548-85-0x00007FFC35AD0000-0x00007FFC35BEA000-memory.dmp  dridex_payload
Executes dropped EXE 3 IoCs
Processes:
pid   process
2296  DWWIN.EXE
216   RdpSaUacHelper.exe
3548  ProximityUxHost.exe
Loads dropped DLL 3 IoCs
Processes:
pid   process
2296  DWWIN.EXE
216   RdpSaUacHelper.exe
3548  ProximityUxHost.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description      ioc                                                                                                                                                            process
Set value (str)  \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mbfbagbrjs = "C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Extensions\\1CCHU\\RdpSaUacHelper.exe"
Checks whether UAC is enabled
Processes:
description        ioc                                                                              process
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  ProximityUxHost.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  DWWIN.EXE
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  RdpSaUacHelper.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid   process
2224  rundll32.exe
2224  rundll32.exe
2224  rundll32.exe
2224  rundll32.exe
3520  (remaining 60 entries, all PID 3520; process name not recorded)
Suspicious use of AdjustPrivilegeToken 8 IoCs
Processes:
description                        pid   process
Token: SeShutdownPrivilege         3520
Token: SeCreatePagefilePrivilege   3520
Token: SeShutdownPrivilege         3520
Token: SeCreatePagefilePrivilege   3520
Token: SeShutdownPrivilege         3520
Token: SeCreatePagefilePrivilege   3520
Token: SeShutdownPrivilege         3520
Token: SeCreatePagefilePrivilege   3520
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
pid   process
3520
3520
Suspicious use of UnmapMainImage 1 IoCs
Processes:
pid   process
3520
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
description                        pid   process  target process
PID 3520 wrote to memory of 1808   3520           DWWIN.EXE
PID 3520 wrote to memory of 1808   3520           DWWIN.EXE
PID 3520 wrote to memory of 2296   3520           DWWIN.EXE
PID 3520 wrote to memory of 2296   3520           DWWIN.EXE
PID 3520 wrote to memory of 3312   3520           RdpSaUacHelper.exe
PID 3520 wrote to memory of 3312   3520           RdpSaUacHelper.exe
PID 3520 wrote to memory of 216    3520           RdpSaUacHelper.exe
PID 3520 wrote to memory of 216    3520           RdpSaUacHelper.exe
PID 3520 wrote to memory of 5528   3520           ProximityUxHost.exe
PID 3520 wrote to memory of 5528   3520           ProximityUxHost.exe
PID 3520 wrote to memory of 3548   3520           ProximityUxHost.exe
PID 3520 wrote to memory of 3548   3520           ProximityUxHost.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\7e7645b86e265b69aed08c4852fe6291.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID: 2224

C:\Windows\system32\DWWIN.EXE
  command line: C:\Windows\system32\DWWIN.EXE
  PID: 1808

C:\Users\Admin\AppData\Local\GiWUxvIo\DWWIN.EXE
  command line: C:\Users\Admin\AppData\Local\GiWUxvIo\DWWIN.EXE
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 2296

C:\Windows\system32\RdpSaUacHelper.exe
  command line: C:\Windows\system32\RdpSaUacHelper.exe
  PID: 3312

C:\Users\Admin\AppData\Local\bwhVLvW\RdpSaUacHelper.exe
  command line: C:\Users\Admin\AppData\Local\bwhVLvW\RdpSaUacHelper.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 216

C:\Windows\system32\ProximityUxHost.exe
  command line: C:\Windows\system32\ProximityUxHost.exe
  PID: 5528

C:\Users\Admin\AppData\Local\Vm8g\ProximityUxHost.exe
  command line: C:\Users\Admin\AppData\Local\Vm8g\ProximityUxHost.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 3548
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 229KB
MD5: 444cc4d3422a0fdd45c1b78070026c60
SHA1: 97162ff341fff1ec54b827ec02f8b86fd2d41a97
SHA256: 4b3f620272e709ce3e01ae5b19ef0300bd476f2da6412637f703bbaded2821f0
SHA512: 21742d330a6a5763ea41a8fed4d71b98e4a1b4c685675c4cfeb7253033c3a208c23902caf0efdf470a85e0770cb8fac8af0eb6d3a8511445b0570054b42d5553

Filesize: 148KB
MD5: 5222057fb8c4786be60f0d66735e79f3
SHA1: 695c2f7e81c221993c69e0c69f62c52057fca147
SHA256: dd88a5890a4bb9b8600965a03aadedbe3e8c8819edbb9abb8906f16ff8e390fb
SHA512: 167990f36275a2ea4c7cb70c2ab2a229042d687f68c7fbf496e6720b3226a698136463fd30418cc794f2671c61cb2da3000485cd454da88ff8662f535b58bbe9

Filesize: 1.1MB
MD5: 33e013d7911ff83a083efb3894b23c5c
SHA1: 79838ef66683c637dbac0094639a9ae35f0d9ad8
SHA256: e4bd549a1c8550a96b9f20e6cba5e1d959a703f373593285501fe236efa071cf
SHA512: 5226081172206d947ad83764077aa7b3881496b273dd0a5e7588a31e7f3ae1a7a8de733a81cc7ed1e54251b6f092ec8a428e1d6c2ff3b660da28f63aad9421b0

Filesize: 315KB
MD5: e8aaef56c57a679ef815de5f6aca1f81
SHA1: 055adb07be39221eb3ce92d967864f0d39093f55
SHA256: 284b65f1e293ba9b0c9ae1ba74b02b07edeb9d55e12d86320e285a35ba6f97a5
SHA512: 0ec51733d528d9a0fd7dec7967582bdab4da132e2ad8f59a64468a2e70f028020a8774e0fdcef032fada42fca1b0763b4857579647a6cdbc9bbcf42dca027c80

Filesize: 263KB
MD5: 9ea326415b83d77295c70a35feb75577
SHA1: f8fc6a4f7f97b242f35066f61d305e278155b8a8
SHA256: 192bfde77bf280e48f92d1eceacdc7ec4bf31cda46f7d577c7d7c3ec3ac89d8f
SHA512: 2b1943600f97abcd18778101e33eac00c2bd360a3eff62fef65f668a084d8fa38c3bbdedfc6c2b7e8410aa7c9c3df2734705dc502b4754259121adc9198c3692

Filesize: 1.1MB
MD5: f4c011f4530e49417abd363a08e25233
SHA1: 6612c5e73e311ec04356012b4b7605047576ca10
SHA256: f1f12bc24ec33dd794070ccb9d304b37ae97300fc2fbc7adf1db23a2f8d68b5c
SHA512: 711aa53d6ce876bd103036a9a34448221cc220d58e393c7a838c4b82907541f396e27607d9c79e8fcd3c0f8c96a3506a80ebc8f5a7f279cdbb0cad6f4cd690eb

Filesize: 406KB
MD5: 7e90daaee4ace2dc75364eb542c33db3
SHA1: 3d779d3f4757a6fb6fff6ba1cb9fe667168e3f35
SHA256: f173bdceed2f7cc9c0cdc5ae915b2b77a1efaaee5777953648159ffc597d9091
SHA512: 3812b24fffca82764ee474e358e0c2a13ff3c669d6bddc9d7ea3171cbb12881979c1c00c74d4a299ed993062e7d8dd42534400dc69f4a090e9f22bbf908278c3

Filesize: 33KB
MD5: 0d5b016ac7e7b6257c069e8bb40845de
SHA1: 5282f30e90cbd1be8da95b73bc1b6a7d041e43c2
SHA256: 6a6fdd834af9c79c5ffc5e6b51700030259aeae535f8626df84b07b7d2cee067
SHA512: cd44d8b70fc67c692e6966b4ad86a7de9c96df0bade1b3a80cb4767be159d64f3cc04dc5934f7d843b15101865089e43b8aecabddc370b22caf0c48b56b3430e

Filesize: 1.1MB
MD5: 230cc394556247623b32f9f673344d72
SHA1: 99e79d80fb52eb5d9fa0a9f2557ce07961e1c8be
SHA256: 5606cdecf6a69ea58d5405ab9329f1cdd3a88a6f7d6b4adc2803060a1583e80a
SHA512: 4dfa95e91deaf73188c1e55e98a67fa2403fd9b6abefc254b53c2b4500bcc940534ba0d92d64f90cd6a307f9bc4f6a64ad796ac9afd8ce1262e7de98e80b1367

Filesize: 1KB
MD5: c41c00732b23aa91749f4a0b93758a19
SHA1: a3052dca3768cdbde1201fba28a824b524cda54e
SHA256: 86cc84c83da0526d768919b1b6775275af9f548e1ceec3a32c712c40b54bd85c
SHA512: 9f8d3ee5edbe73d4ee8247ace3962e507c6d4873dff7f73b9022cb6c2d11dc7294c5b705bc582644295f01d02d97e4c3ccae9d9a00fc4546d813ba129c159bf2