Analysis
- max time kernel: 149s
- max time network: 121s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30-01-2024 21:46
- Static task: static1
- Behavioral task: behavioral1
- Sample: 82a4bc5335713f3201927604dc1c17fa.dll
- Resource: win7-20231215-en
General
- Target: 82a4bc5335713f3201927604dc1c17fa.dll
- Size: 1.7MB
- MD5: 82a4bc5335713f3201927604dc1c17fa
- SHA1: 0760fdf10d7b767e7b1c6c75b5a6df7fa582f2de
- SHA256: b24b5a97da7b45c297575085b7e6a6812e70391a8460609e4ab225c8b8c421b8
- SHA512: fdc555fae69369b3e61dae10b2e01607d5c853ed93bc403d08678447454e550ed598a3c46e4c7489e9e9626ffca57c317a92b64a3e48c6d44717667be684fe2e
- SSDEEP: 12288:hVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:QfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
- YARA rule match
  Processes:
  resource: behavioral2/memory/3396-4-0x0000000001020000-0x0000000001021000-memory.dmp
  yara_rule: dridex_stager_shellcode
- Executes dropped EXE (3 IoCs)
  Processes:
  PID 396  EaseOfAccessDialog.exe
  PID 1324 mstsc.exe
  PID 4680 upfc.exe
- Loads dropped DLL (3 IoCs)
  Processes:
  PID 396  EaseOfAccessDialog.exe
  PID 1324 mstsc.exe
  PID 4680 upfc.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
  Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Kqgfxymewp = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\ADMINI~1\\FT8X\\mstsc.exe"
- Checks whether UAC is enabled
  Processes:
  Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA by rundll32.exe
  Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA by EaseOfAccessDialog.exe
  Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA by mstsc.exe
  Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA by upfc.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
  PID 1620 rundll32.exe (4 IoCs)
  PID 3396, no process name recorded (the remaining 60 IoCs)
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
  PID 3396 wrote to memory of PID 3896 EaseOfAccessDialog.exe (2 IoCs)
  PID 3396 wrote to memory of PID 396 EaseOfAccessDialog.exe (2 IoCs)
  PID 3396 wrote to memory of PID 2212 mstsc.exe (2 IoCs)
  PID 3396 wrote to memory of PID 1324 mstsc.exe (2 IoCs)
  PID 3396 wrote to memory of PID 4024 upfc.exe (2 IoCs)
  PID 3396 wrote to memory of PID 4680 upfc.exe (2 IoCs)
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\82a4bc5335713f3201927604dc1c17fa.dll,#1
  PID: 1620
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\mstsc.exe
  Command line: C:\Windows\system32\mstsc.exe
  PID: 2212
- C:\Users\Admin\AppData\Local\TfRbDfp4\mstsc.exe
  Command line: C:\Users\Admin\AppData\Local\TfRbDfp4\mstsc.exe
  PID: 1324
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\upfc.exe
  Command line: C:\Windows\system32\upfc.exe
  PID: 4024
- C:\Users\Admin\AppData\Local\i9gJ\upfc.exe
  Command line: C:\Users\Admin\AppData\Local\i9gJ\upfc.exe
  PID: 4680
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Users\Admin\AppData\Local\iEagISx\EaseOfAccessDialog.exe
  Command line: C:\Users\Admin\AppData\Local\iEagISx\EaseOfAccessDialog.exe
  PID: 396
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\EaseOfAccessDialog.exe
  Command line: C:\Windows\system32\EaseOfAccessDialog.exe
  PID: 3896
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\VKZHCQTs\OLEACC.dll
  Filesize: 1.7MB
  MD5: d79e3141bde94bb765e89bab5d8dcfc4
  SHA1: 90595b153fdf35d3b688a2c12f14d0c753a27131
  SHA256: 90973d8a881df50270951223c8690d88732424c6c4de5425ea5454404ca4bdf3
  SHA512: fc1bb8b19efb3a28905b1c52f15d87bf30b78c500d7abf71ec67e5a7c2c9b5c27b0d67e5967a4630321eb9b854780c2948fb0afd3b11590a3e132f18c2add786
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\FT8X\WINMM.dll
  Filesize: 1.7MB
  MD5: 7a1a7f6d034783ba95b9cbc248b94ce0
  SHA1: 272d650eba17ef3d0fef8b2384ec0513405711dc
  SHA256: 26e754809ec92b81b899a1ec57f818c55681f9a51cf26a586e55587f3f397ba4
  SHA512: 450910e1f20ef61568310e9b09fbb11fa46e94500f36e9773b1ae4d41be3f8e2c5c27d400c372e7a8ad3ac4678f8e536c285eb87c58b2688b10b9cb544231c4b