Analysis
max time kernel: 150s
max time network: 121s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-01-2024 08:32

Static task: static1
Behavioral task: behavioral1
Sample: 81f7894d5f57875aac520d9601f29693.dll
Resource: win7-20231215-en

General
Target: 81f7894d5f57875aac520d9601f29693.dll
Size: 1.7MB
MD5: 81f7894d5f57875aac520d9601f29693
SHA1: 4d2eceac1f40f5fe233c6ba1a1653b058173afed
SHA256: a6f1f005d6597eeaad112e697cdc23a870332a42fd7f897df28d80450d8f1801
SHA512: 529bdda31f96e411ef5666581d4fa91ec4e9a14eae64eb544fca05910a3eb52d53f2b3d91153489bfa19d1e87e44075a0a6c04607fd5acaf66e25fcdd861870f
SSDEEP: 12288:kVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:BfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config

Signatures

YARA rule match
  resource: behavioral2/memory/3328-4-0x00000000015B0000-0x00000000015B1000-memory.dmp
  yara_rule: dridex_stager_shellcode

Executes dropped EXE (3 IoCs)
  PID 5108  unregmp2.exe
  PID 2608  SystemSettingsRemoveDevice.exe
  PID 3364  omadmclient.exe

Loads dropped DLL (5 IoCs)
  PID 5108  unregmp2.exe
  PID 2608  SystemSettingsRemoveDevice.exe
  PID 3364  omadmclient.exe (3 entries)

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qzenv = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations\\iDoJf\\SystemSettingsRemoveDevice.exe"
  (process column empty in the report)

Checks whether UAC is enabled
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  by: SystemSettingsRemoveDevice.exe, omadmclient.exe, rundll32.exe, unregmp2.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 1136  rundll32.exe (4 entries)
  PID 3328  (process name not recorded in the report; 60 entries)

Suspicious use of WriteProcessMemory (12 IoCs)
  PID 3328 wrote to memory of 1104 (unregmp2.exe), 2 entries
  PID 3328 wrote to memory of 5108 (unregmp2.exe), 2 entries
  PID 3328 wrote to memory of 5016 (SystemSettingsRemoveDevice.exe), 2 entries
  PID 3328 wrote to memory of 2608 (SystemSettingsRemoveDevice.exe), 2 entries
  PID 3328 wrote to memory of 4896 (omadmclient.exe), 2 entries
  PID 3328 wrote to memory of 3364 (omadmclient.exe), 2 entries

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\81f7894d5f57875aac520d9601f29693.dll,#1
  PID: 1136
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses

- C:\Windows\system32\SystemSettingsRemoveDevice.exe
  Command line: C:\Windows\system32\SystemSettingsRemoveDevice.exe
  PID: 5016

- C:\Users\Admin\AppData\Local\VdD28pZRG\unregmp2.exe
  Command line: C:\Users\Admin\AppData\Local\VdD28pZRG\unregmp2.exe
  PID: 5108
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled

- C:\Windows\system32\unregmp2.exe
  Command line: C:\Windows\system32\unregmp2.exe
  PID: 1104

- C:\Users\Admin\AppData\Local\WvpJnY8zA\SystemSettingsRemoveDevice.exe
  Command line: C:\Users\Admin\AppData\Local\WvpJnY8zA\SystemSettingsRemoveDevice.exe
  PID: 2608
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled

- C:\Users\Admin\AppData\Local\m4fl\omadmclient.exe
  Command line: C:\Users\Admin\AppData\Local\m4fl\omadmclient.exe
  PID: 3364
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled

- C:\Windows\system32\omadmclient.exe
  Command line: C:\Windows\system32\omadmclient.exe
  PID: 4896
Network
MITRE ATT&CK Enterprise v15
Downloads