Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31-01-2024 12:09
Static task: static1
Behavioral task: behavioral1
Sample: 8460ca6c008df062af50bb935cad86e0.dll
Resource: win7-20231215-en
General
Target: 8460ca6c008df062af50bb935cad86e0.dll
Size: 2.7MB
MD5: 8460ca6c008df062af50bb935cad86e0
SHA1: c7d9a2b3fa86c6f68c1afda5ebcd80fbb52fc42b
SHA256: b656eba38e60d3e5cf61d0f7ee76348ec9053509d5c3fe2c3256eee34993cccd
SHA512: 40ce6d2e128b77057347d484a3549c06441fb132a837956c412efe90e39e4314eaaaf8b7de092acb7d6ffc5ae2e5886016b956ca29c8607b6dbb8665adb92a38
SSDEEP: 12288:4VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:tfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
Processes:
  resource: behavioral2/memory/3344-5-0x0000000000B60000-0x0000000000B61000-memory.dmp
  yara_rule: dridex_stager_shellcode
Executes dropped EXE 3 IoCs
Processes:
  PID 3852 rdpshell.exe
  PID 3728 DWWIN.EXE
  PID 1776 rdpinit.exe
Loads dropped DLL 3 IoCs
Processes:
  PID 3852 rdpshell.exe
  PID 3728 DWWIN.EXE
  PID 1776 rdpinit.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Hcbfaqn = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\HliaK1KxLc\\DWWIN.EXE"
Checks whether UAC is enabled
Processes:
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (rundll32.exe)
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (rdpshell.exe)
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (DWWIN.EXE)
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (rdpinit.exe)
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
  PID 3252 rundll32.exe (4 events)
  PID 3344, process name not recorded (60 events)
Suspicious use of WriteProcessMemory 12 IoCs
Processes (source PID 3344 in every row; two writes recorded per target process):
  PID 3344 wrote to memory of 3036 (rdpshell.exe)
  PID 3344 wrote to memory of 3852 (rdpshell.exe)
  PID 3344 wrote to memory of 3584 (DWWIN.EXE)
  PID 3344 wrote to memory of 3728 (DWWIN.EXE)
  PID 3344 wrote to memory of 2316 (rdpinit.exe)
  PID 3344 wrote to memory of 1776 (rdpinit.exe)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\8460ca6c008df062af50bb935cad86e0.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID: 3252
- C:\Windows\system32\rdpshell.exe
  Command line: C:\Windows\system32\rdpshell.exe
  PID: 3036
- C:\Users\Admin\AppData\Local\8WDc\rdpshell.exe
  Command line: C:\Users\Admin\AppData\Local\8WDc\rdpshell.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 3852
- C:\Windows\system32\DWWIN.EXE
  Command line: C:\Windows\system32\DWWIN.EXE
  PID: 3584
- C:\Users\Admin\AppData\Local\hxE\DWWIN.EXE
  Command line: C:\Users\Admin\AppData\Local\hxE\DWWIN.EXE
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 3728
- C:\Windows\system32\rdpinit.exe
  Command line: C:\Windows\system32\rdpinit.exe
  PID: 2316
- C:\Users\Admin\AppData\Local\F1m9fi\rdpinit.exe
  Command line: C:\Users\Admin\AppData\Local\F1m9fi\rdpinit.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 1776
Network
MITRE ATT&CK Enterprise v15
Downloads