Analysis
-
max time kernel
151s
-
max time network
149s
-
platform
windows10-2004_x64
-
resource
win10v2004-20231215-en
-
resource tags
arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
-
submitted
30-01-2024 09:15
Static task
static1
Behavioral task
behavioral1
Sample
820d38a0c687ab0b550fe547c7bb1d6a.dll
Resource
win7-20231215-en
General
-
Target
820d38a0c687ab0b550fe547c7bb1d6a.dll
-
Size
1.7MB
-
MD5
820d38a0c687ab0b550fe547c7bb1d6a
-
SHA1
cf838d2bfcdc092fc2ed5d91225c487dbeaa0c54
-
SHA256
9ddd12552dc5850ed10c847816d6e5f80272a66117d765587662065ede3435c5
-
SHA512
a0786486bf985c7872c50c7e6a5af21ecee4295ec3fff1cae965d59422004bc00ce346e31c66a2af0c0481db634aeb87393dff80795f6a57903ee3f17426ca4e
-
SSDEEP
12288:jVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:yfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
-
Processes:
resource: behavioral2/memory/3444-4-0x0000000001080000-0x0000000001081000-memory.dmp
yara_rule: dridex_stager_shellcode
-
Executes dropped EXE 3 IoCs
Processes: sessionmsg.exe, dccw.exe, MDMAppInstaller.exe
pid | process
4576 | sessionmsg.exe
4332 | dccw.exe
1260 | MDMAppInstaller.exe
-
Loads dropped DLL 3 IoCs
Processes: sessionmsg.exe, dccw.exe, MDMAppInstaller.exe
pid | process
4576 | sessionmsg.exe
4332 | dccw.exe
1260 | MDMAppInstaller.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gdfgjdhwrlpouj = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-3073191680-435865314-2862784915-1000\\iyIaUtBpiiz\\dccw.exe"
-
Checks whether UAC is enabled
Processes: dccw.exe, MDMAppInstaller.exe, rundll32.exe, sessionmsg.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | dccw.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | MDMAppInstaller.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sessionmsg.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: rundll32.exe
pid | process
808 | rundll32.exe (listed 4 times)
3444 | (process name not recorded in the report; listed 60 times)
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
description | pid | target process
PID 3444 wrote to memory of 3884 | 3444 | sessionmsg.exe
PID 3444 wrote to memory of 3884 | 3444 | sessionmsg.exe
PID 3444 wrote to memory of 4576 | 3444 | sessionmsg.exe
PID 3444 wrote to memory of 4576 | 3444 | sessionmsg.exe
PID 3444 wrote to memory of 1824 | 3444 | dccw.exe
PID 3444 wrote to memory of 1824 | 3444 | dccw.exe
PID 3444 wrote to memory of 4332 | 3444 | dccw.exe
PID 3444 wrote to memory of 4332 | 3444 | dccw.exe
PID 3444 wrote to memory of 5048 | 3444 | MDMAppInstaller.exe
PID 3444 wrote to memory of 5048 | 3444 | MDMAppInstaller.exe
PID 3444 wrote to memory of 1260 | 3444 | MDMAppInstaller.exe
PID 3444 wrote to memory of 1260 | 3444 | MDMAppInstaller.exe
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\rundll32.exe
command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\820d38a0c687ab0b550fe547c7bb1d6a.dll,#1
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:808
-
C:\Windows\system32\sessionmsg.exe
command line: C:\Windows\system32\sessionmsg.exe
PID:3884
-
C:\Users\Admin\AppData\Local\wpn\sessionmsg.exe
command line: C:\Users\Admin\AppData\Local\wpn\sessionmsg.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4576
-
C:\Windows\system32\dccw.exe
command line: C:\Windows\system32\dccw.exe
PID:1824
-
C:\Users\Admin\AppData\Local\R1h0gsZFF\dccw.exe
command line: C:\Users\Admin\AppData\Local\R1h0gsZFF\dccw.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4332
-
C:\Windows\system32\MDMAppInstaller.exe
command line: C:\Windows\system32\MDMAppInstaller.exe
PID:5048
-
C:\Users\Admin\AppData\Local\qVQpmj3\MDMAppInstaller.exe
command line: C:\Users\Admin\AppData\Local\qVQpmj3\MDMAppInstaller.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1260
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
101KB
MD5
cb9374911bf5237179785c739a322c0f
SHA1
3f4d3dd3d58c9f19dfbb414ded16969ebd9f74b9
SHA256
f7f3300b78148a34f6a35796c777a832b638b6d3193e11f4a37f45d4c6dfa845
SHA512
9d47521538148b1823c0a17baa86ddf932f06f46d5d8b63fa87b2cc220fb98ce3f933e32d771222937bb8e41c88030839d489d1cd78b062bffeb2980dc6864be
-
Filesize
1.7MB
MD5
8032a92f3ede3f3542a8802771de4d7e
SHA1
300a1d579bd19d70d0a4d199fa99b63d422207f9
SHA256
21b8c24ffc372558361325d00e4525b8d51c52d0354019b9ef2e7297566f003f
SHA512
8331352ae78bb534e52d16fbc4b4825e61f0fb8c1803a29a878ff92c9d2c26033ae70cd2a872296646f7067c557ce49f53322d55f4d90c6e6db3f9bbb11b3602
-
Filesize
151KB
MD5
30e978cc6830b04f1e7ed285cccaa746
SHA1
e915147c17e113c676c635e2102bbff90fb7aa52
SHA256
dc821931f63117962e2266acd3266e86bf8116d4a14b3adbebfade1d40b84766
SHA512
331923fa479f71c4c80b0e86ea238628666f95b6cf61cf4d741ae4a27ea2b8c636864dfac543d14599b4873f3b2ab397d07c4e4c17aca3f3b4e5871e24e50214
-
Filesize
1.7MB
MD5
e75203ab9f762c9852de779891c2ddca
SHA1
7c9001ab6b7dba99c54fe1a352a54c6676666155
SHA256
9c75e61519315306935d5b3f0173cfd82ebe89144a19ec7c45f5096532c481a0
SHA512
bd234c922234dc86eee62588537a09662f675414a3340c29d7cd5b92a45f217e093a5dedc03d71fdaccc9f1eaa0f2c1862d64199ab8456e0f441a0a0dbbb21e1
-
Filesize
2.0MB
MD5
8ce13a32b1bc8d8bb19d1981b63cc083
SHA1
61f2d66a79d35dcda913dfcb9878011e2b07d95f
SHA256
be23c8c28d6e2930f67e78af7230c2dfaf40219e2f6e7d982abb82981b8b4d34
SHA512
7e2136aa018c06703e0d35dab08796419d3859202651836c42cac033234cb67238c535966c280eadd5edb0a9e8b891023a74e195a97b3165ab3319c3db289ff8
-
Filesize
85KB
MD5
480f710806b68dfe478ca1ec7d7e79cc
SHA1
b4fc97fed2dbff9c4874cb65ede7b50699db37cd
SHA256
2416cd4aa577dbb2f8790a61e36fbab2b30bff81a4e1f67a5151c2fec29585bc
SHA512
29d3d234ebc45049a533b6a91b246ac043a56b9af67276aaf493b014ae34d73000f99a6b0c0b85d2dfb7fba54811cf8bbdfd167a9eed01a8617b7f05bf2971db
-
Filesize
1KB
MD5
550d3b2e73425dba59bbd3a29ce1ec65
SHA1
154f363d646ca05959bafec385ef3b480fa8f2b0
SHA256
e706e5d87e304e17747815909027c76296b61f63d477e33e2627dbca187e3194
SHA512
183c416b9ac67dddc11379bce8578eda851a56ce8f29cc02281a55029428185d23c617083ec2b2cd1a8d5e0b069ee09ff21d93039d4509f206f6724eae0e4c65