Analysis
max time kernel: 131s
max time network: 123s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-01-2024 05:15
Static task: static1
Behavioral task: behavioral1
Sample: 818f6364c18d61853f5e7875c46b41b7.dll
Resource: win7-20231129-en

General
Target: 818f6364c18d61853f5e7875c46b41b7.dll
Size: 2.2MB
MD5: 818f6364c18d61853f5e7875c46b41b7
SHA1: 0996afc6bdf46c9714f85894e9501c31573d80d0
SHA256: 354581ef623c4841ef267fae935ea55b0aa622c1de1aec7c31d3fbfe05005e00
SHA512: 4d4c4029cc74ea98745a605b7e1bd0cf5cc5aa05c77bb9ec6ff71a01797a5347cc7be07ab2c414e4c23128655f4eb4f30e80d76520e189e359487e30380a5866
SSDEEP: 12288:DVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:SfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
Processes:
  resource:  behavioral2/memory/3492-4-0x0000000000D60000-0x0000000000D61000-memory.dmp
  yara_rule: dridex_stager_shellcode
Executes dropped EXE 3 IoCs
Processes:
  pid   process
  972   rdpinput.exe
  3652  wlrmdr.exe
  4692  sethc.exe
Loads dropped DLL 3 IoCs
Processes:
  pid   process
  972   rdpinput.exe
  3652  wlrmdr.exe
  4692  sethc.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Kqgfxymewp = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\8nbxRuK\\qCrs054\\wlrmdr.exe"
Processes:
  - Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: rdpinput.exe)
  - Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: wlrmdr.exe)
  - Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: sethc.exe)
  - Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: rundll32.exe)
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
  pid   process
  2280  rundll32.exe
  2280  rundll32.exe
  2280  rundll32.exe
  2280  rundll32.exe
  3492  (no process name recorded; this pid accounts for the remaining 60 of the 64 entries)
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
  description                        pid   target process
  PID 3492 wrote to memory of 3140   3492  rdpinput.exe
  PID 3492 wrote to memory of 3140   3492  rdpinput.exe
  PID 3492 wrote to memory of 972    3492  rdpinput.exe
  PID 3492 wrote to memory of 972    3492  rdpinput.exe
  PID 3492 wrote to memory of 2432   3492  wlrmdr.exe
  PID 3492 wrote to memory of 2432   3492  wlrmdr.exe
  PID 3492 wrote to memory of 3652   3492  wlrmdr.exe
  PID 3492 wrote to memory of 3652   3492  wlrmdr.exe
  PID 3492 wrote to memory of 3980   3492  sethc.exe
  PID 3492 wrote to memory of 3980   3492  sethc.exe
  PID 3492 wrote to memory of 4692   3492  sethc.exe
  PID 3492 wrote to memory of 4692   3492  sethc.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\818f6364c18d61853f5e7875c46b41b7.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID: 2280
- C:\Users\Admin\AppData\Local\XSLR4F7mS\rdpinput.exe
  command line: C:\Users\Admin\AppData\Local\XSLR4F7mS\rdpinput.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 972
- C:\Windows\system32\wlrmdr.exe
  command line: C:\Windows\system32\wlrmdr.exe
  PID: 2432
- C:\Windows\system32\rdpinput.exe
  command line: C:\Windows\system32\rdpinput.exe
  PID: 3140
- C:\Users\Admin\AppData\Local\x85\wlrmdr.exe
  command line: C:\Users\Admin\AppData\Local\x85\wlrmdr.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 3652
- C:\Windows\system32\sethc.exe
  command line: C:\Windows\system32\sethc.exe
  PID: 3980
- C:\Users\Admin\AppData\Local\swX7\sethc.exe
  command line: C:\Users\Admin\AppData\Local\swX7\sethc.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 4692
Network
MITRE ATT&CK Enterprise v15
Downloads