Analysis

- max time kernel: 149s
- max time network: 122s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 31-01-2024 11:13
- Static task: static1
- Behavioral task: behavioral1
- Sample: 8443322739870ab27a1db14eabc12b55.dll
- Resource: win7-20231215-en
General

- Target: 8443322739870ab27a1db14eabc12b55.dll
- Size: 1.4MB
- MD5: 8443322739870ab27a1db14eabc12b55
- SHA1: 5481baebc9122bcd4c65e1afb7f02547f568f3f9
- SHA256: caebc606f9cc00c645b3cc46aa6f0fc68cf20a2b832175b14965f5777b5981ca
- SHA512: 14f20116050d45e6bd7d91e38f87896c0c60c62b80e932325124835ded394e5984b938b544c434934a73bc4deb983e28723524d3223b376e32c5f2e8958cf925
- SSDEEP: 12288:cVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:pfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config

Signatures

- YARA rule match (resource | yara_rule):
  - behavioral2/memory/3528-4-0x0000000002D40000-0x0000000002D41000-memory.dmp | dridex_stager_shellcode
- Executes dropped EXE (3 IoCs)
  - pid | process
  - 3620 | GamePanel.exe
  - 464 | dwm.exe
  - 1736 | Taskmgr.exe
- Loads dropped DLL (6 IoCs)
  - pid | process
  - 3620 | GamePanel.exe
  - 464 | dwm.exe
  - 464 | dwm.exe
  - 464 | dwm.exe
  - 464 | dwm.exe
  - 1736 | Taskmgr.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  - description | ioc
  - Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Kqgfxymewp = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\ACCESS~2\\MFLRTN~1\\dwm.exe"
- Checks whether UAC is enabled
  - description | ioc | process
  - Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Taskmgr.exe
  - Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe
  - Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | GamePanel.exe
  - Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | dwm.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  - pid | process
  - 1180 | rundll32.exe (4 entries)
  - 3528 | (process name not recorded in the report; the remaining 60 entries)
- Suspicious use of WriteProcessMemory (12 IoCs)
  - description | pid | target process (the process column is empty in the report for PID 3528; each row is listed twice)
  - PID 3528 wrote to memory of 2612 | 3528 | GamePanel.exe
  - PID 3528 wrote to memory of 3620 | 3528 | GamePanel.exe
  - PID 3528 wrote to memory of 2576 | 3528 | dwm.exe
  - PID 3528 wrote to memory of 464 | 3528 | dwm.exe
  - PID 3528 wrote to memory of 4900 | 3528 | Taskmgr.exe
  - PID 3528 wrote to memory of 1736 | 3528 | Taskmgr.exe
- Uses Task Scheduler COM API (1 TTPs)
  - The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

- C:\Windows\system32\rundll32.exe
  - command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\8443322739870ab27a1db14eabc12b55.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - PID: 1180
- C:\Users\Admin\AppData\Local\OSuYS\Taskmgr.exe
  - command line: C:\Users\Admin\AppData\Local\OSuYS\Taskmgr.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - PID: 1736
- C:\Windows\system32\Taskmgr.exe
  - command line: C:\Windows\system32\Taskmgr.exe
  - PID: 4900
- C:\Users\Admin\AppData\Local\htILz\dwm.exe
  - command line: C:\Users\Admin\AppData\Local\htILz\dwm.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - PID: 464
- C:\Windows\system32\dwm.exe
  - command line: C:\Windows\system32\dwm.exe
  - PID: 2576
- C:\Users\Admin\AppData\Local\7VPBQXWmA\GamePanel.exe
  - command line: C:\Users\Admin\AppData\Local\7VPBQXWmA\GamePanel.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - PID: 3620
- C:\Windows\system32\GamePanel.exe
  - command line: C:\Windows\system32\GamePanel.exe
  - PID: 2612
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\MfLrTNicR\dwm.exe
  - Filesize: 31KB
  - MD5: 32580fa4ce5829d9174405e8ed106c07
  - SHA1: f6d51f5ba5c3ded1e6369f7580e5b8270898ce4b
  - SHA256: 221e44df28ec38e4d550a7a12e1f8525ddfb53f83b9859b5d55b5765259dc3ad
  - SHA512: 84a8c17d3d240cd08f5056a48d5c42a5293e84471465d0104652425775959c6ddb3c9d21049eb79e38f420e2da81b7a941e8107b3d73e395cf48baf2506ce4c8
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\MfLrTNicR\dxgi.dll
  - Filesize: 1.4MB
  - MD5: fc42867378cdb2888c7810897937f847
  - SHA1: 72859c10295eab63bbe1ee6881fbbe6b30412b9d
  - SHA256: c37d8a23fa03a10f9ee41325099576b448aadfabfb0f2e6aca07f685f1b0a739
  - SHA512: 71050e68c5628fbcfc48314dd9c0858545391e3b5f04b5643b7ea627733e834913af496782483801145816444031a879b8c8326801daca8befcb7d501e77acc9