Analysis
- max time kernel: 149s
- max time network: 122s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 31-01-2024 12:18
Static task: static1
Behavioral task: behavioral1
Sample: 846540a9573e476e30b92db75daf0040.dll
Resource: win7-20231215-en
General
- Target: 846540a9573e476e30b92db75daf0040.dll
- Size: 1.7MB
- MD5: 846540a9573e476e30b92db75daf0040
- SHA1: 855922518de0270d786c73a8fff57122dcd0c91b
- SHA256: 5e53ece48ca9fe32af72a2718f10fe2dd25db88a393f7011a3805115f6b6bd46
- SHA512: 697f7c5a25e285d8d308d94e7172851083ea0e51a791ff9838c5999c560667a2850d3912593e3c94ec4eef256577487b008a5aef5448d56d1c437d4cd4e4646c
- SSDEEP: 12288:zVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1a1:ifP7fWsK5z9A+WGAW+V5SB6Ct4bnba1
Malware Config
Signatures
-
Processes:
resource | yara_rule
behavioral2/memory/3424-4-0x0000000002EE0000-0x0000000002EE1000-memory.dmp | dridex_stager_shellcode
Executes dropped EXE 3 IoCs
Processes:
pid | process
3528 | tabcal.exe
2888 | Taskmgr.exe
4104 | SystemSettingsRemoveDevice.exe
Loads dropped DLL 3 IoCs
Processes:
pid | process
3528 | tabcal.exe
2888 | Taskmgr.exe
4104 | SystemSettingsRemoveDevice.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qzenv = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Word\\AD23jVrT\\Taskmgr.exe" |
Checks whether UAC is enabled
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | tabcal.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Taskmgr.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | SystemSettingsRemoveDevice.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process
1632 | rundll32.exe
1632 | rundll32.exe
1632 | rundll32.exe
1632 | rundll32.exe
3424 | (no process name recorded; this pid accounts for the remaining 60 of the 64 entries)
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
description | pid | process | target process
PID 3424 wrote to memory of 4904 | 3424 | | tabcal.exe
PID 3424 wrote to memory of 4904 | 3424 | | tabcal.exe
PID 3424 wrote to memory of 3528 | 3424 | | tabcal.exe
PID 3424 wrote to memory of 3528 | 3424 | | tabcal.exe
PID 3424 wrote to memory of 2884 | 3424 | | Taskmgr.exe
PID 3424 wrote to memory of 2884 | 3424 | | Taskmgr.exe
PID 3424 wrote to memory of 2888 | 3424 | | Taskmgr.exe
PID 3424 wrote to memory of 2888 | 3424 | | Taskmgr.exe
PID 3424 wrote to memory of 4788 | 3424 | | SystemSettingsRemoveDevice.exe
PID 3424 wrote to memory of 4788 | 3424 | | SystemSettingsRemoveDevice.exe
PID 3424 wrote to memory of 4104 | 3424 | | SystemSettingsRemoveDevice.exe
PID 3424 wrote to memory of 4104 | 3424 | | SystemSettingsRemoveDevice.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\846540a9573e476e30b92db75daf0040.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID: 1632
- C:\Users\Admin\AppData\Local\FCo\tabcal.exe
  Command line: C:\Users\Admin\AppData\Local\FCo\tabcal.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 3528
- C:\Windows\system32\Taskmgr.exe
  Command line: C:\Windows\system32\Taskmgr.exe
  PID: 2884
- C:\Users\Admin\AppData\Local\P7i2fm7d\Taskmgr.exe
  Command line: C:\Users\Admin\AppData\Local\P7i2fm7d\Taskmgr.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 2888
- C:\Windows\system32\tabcal.exe
  Command line: C:\Windows\system32\tabcal.exe
  PID: 4904
- C:\Windows\system32\SystemSettingsRemoveDevice.exe
  Command line: C:\Windows\system32\SystemSettingsRemoveDevice.exe
  PID: 4788
- C:\Users\Admin\AppData\Local\djC8\SystemSettingsRemoveDevice.exe
  Command line: C:\Users\Admin\AppData\Local\djC8\SystemSettingsRemoveDevice.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 4104
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 197KB
  MD5: e16b852ad225cfe8701bbf96c5066fd6
  SHA1: 2236213edc4a9d9f0510d113f058936a477b44e4
  SHA256: 555a00014e686c391f976ca4d40642575242aa92e2c9316183f2bb270f16b622
  SHA512: 58b566a792be5a2aba451120356c88fd6593418ea53f2d349bd47a64d8dfb915e18a0ed4778cdc77a4794bf941a00719899874c52abc757c1a7b592c0ad79f32
- Filesize: 116KB
  MD5: 0d92f5dde6d48b3ccbb1f23b5e50725f
  SHA1: fd9c9078cabc2bef9ece6e61acb5443a3cdda4d6
  SHA256: 3e187888153c2970d3f1011fcebc7b84e7deee708090194da9d28d038c0db229
  SHA512: 1bcaf6f258cafb97795c860c8671a2aac8c92070f3adbb46c955b5f97b5a4448c57af040d2d4484444356a240bd4f2365555dca2621c4cac69ef1f4eb8dd37f1
- Filesize: 84KB
  MD5: 40f4014416ff0cbf92a9509f67a69754
  SHA1: 1798ff7324724a32c810e2075b11c09b41e4fede
  SHA256: f31b4c751dbca276446119ba775787c3eb032da72eabcd40ad96a55826a3f33c
  SHA512: 646dfe4cfe90d068c3da4c35f7053bb0f57687875a0f3469c0683e707306e6a42b0baca3e944d78f9be5c564bb0600202c32c223a770f89d3e2b07a24673c259
- Filesize: 64KB
  MD5: f775f99812e3478654cfe51c7624a3e1
  SHA1: 596a9265f299a6d2fcf9a6f26f34a16fc0381d43
  SHA256: 58d03f748eea6b8ee9defdb3e4822682550afb5437fbdd234e0752e90d785caf
  SHA512: 15c84af025ed5e54e3bf746a45c0d5b4347082cd09cd2298d604db255f6fa91b7b9f03dfb52cf3613c7fbd2e1c1935a34d11ac3ad8903b8ca25ef88dd6ce2b30
- Filesize: 92KB
  MD5: 7b091b311e32e4247470225bfb6c5e8d
  SHA1: 9cd0dcc0719d1aa94ba94027512a2df490ec5791
  SHA256: 78b9de939e411b18e43dd381d5258317f1a3e189a10c549751aac1dcd9f55cbb
  SHA512: 7edf82ea12a6960031235ae13b8acfd4fe7ce81906d1c8f336ea80d94dfe9f32e46adaf98ea85933c8a3ac0e2b06b1d3a98a83ead6ad4a721e2b0e630e742882
- Filesize: 553KB
  MD5: 41c865e0ed719e994dbe76d727b911c3
  SHA1: 9611f367db454a09df2a01e96a83eea4e28276e3
  SHA256: f6d0fc8250c8ca6a647d9d5154fc8131301b0866e143afd6ea221ba4333aefdf
  SHA512: 3305041629b52eea474608d2b398e82a6c9eff6be6da60ac61f1aeae78b2bc0adf238a60f8c50c16703b71277c050b8426d5fb981a0695bccea2954c9f44b8d6
- Filesize: 52KB
  MD5: da13880c91a4a3e754d74d84e1b96f2a
  SHA1: b10854057c7cd9617e5a2a85c316f65b638f3a40
  SHA256: 28486df92c1480bacc636d113d2d1de6087188e38e74ec4f420dad86278ee9b6
  SHA512: 317540c6b3e3727c40c5dc9cf43e459b10d1555536ec8d57326b0c440f6708e2e876206a811a9c5f923f1c3cad4ec1533b0fe25a30a7ef5691bd3fce76aad7a4
- Filesize: 50KB
  MD5: ddc4b8cc8f081cb550dacf29c3ed98da
  SHA1: c7a81bded3091196d1bca25f6f0e2dc3564edcd3
  SHA256: e02527e87dbd68e7cf5946e2af0663371769d209282c56a081b2daa2d2b14351
  SHA512: ab89959ad05c64c9843f2211b158432553b08843e73528b5e48bcb2bea27828956597384bedeae71796c707a2fe72691bf490d617bae873256e5b244126d04f0
- Filesize: 236KB
  MD5: 6873d168d1b157ce0306fca408ab51b0
  SHA1: eb02734b0845d4e56c42bc6bc7672877e44d6c96
  SHA256: 42e201f86c65c03ea848b815eecd036ae7541aca573cd2066419aaba52038352
  SHA512: f32f1c28ae938c4e0629954eaf2b5870cca0b92a3d61d16dccff39d23589caadaa8752e27c78acb02e80f77d31a8219efdd7604974a20e10117a81324ddaefba
- Filesize: 450KB
  MD5: ef4619bc348e58fa377280e819c3ba8a
  SHA1: 8a3bdeb739454f5d33b9a09e2dde787aa81831e3
  SHA256: cb6bb444012aad5b160828b25a1453d88f21805a4559d8f03df4e1622e53a0be
  SHA512: 73e73ebb65a1c673ad814c5160e6987cfb840182aee318126ced81a5d872775c28f75bbc40d9687860868d25586fff7b74d662e881f3a0b52e4b18c7a9e390c0
- Filesize: 39KB
  MD5: 7853f1c933690bb7c53c67151cbddeb0
  SHA1: d47a1ad0ccba4c988c8ffc5cbf9636fd4f4fa6e6
  SHA256: 9500731b2a3442f11dfd08a8adfe027e7f32ef5834c628eed4b78be74168470d
  SHA512: 831993d610539d44422d769de6561a4622e1b9cb3d73253774b6cecabf57654a74cd88b4ebe20921585ea96d977225b9501f02a0f6a1fc7d2cad6824fd539304
- Filesize: 1KB
  MD5: 21b3f963cd5bce3a3f89ba85a17a7252
  SHA1: 684c759d568130ad9281a12f4e16907c24d64504
  SHA256: 27ed215a8b71a6a6efc6aca911708144a1e5f215b7a96d9b76689ac15c8c7a7a
  SHA512: 3203be0f6f546fa95a30d64f59cdd64839f5ed08a28d501490833a750074c3830a82ee3fcb97016afc9a19db554e55c9413d2b0328a2ef199b433546894bba55
- Filesize: 1.7MB
  MD5: c613576a44366b8c492b68951e2dff47
  SHA1: 1f719649578fbdc34ed9d626473fe58470c736b2
  SHA256: b4ba1ae0c083849c449ddc9b0723846769ca68c841ba058552fd7ea9d829213a
  SHA512: 8e0fb3dc4725f3f143eeb42c63bc4c99294002f090046e54224d02b3ffd13a19f076366b2b89b4ece9e8b438b46443a1ca3bd986e535170633dbba63865ff14e
- Filesize: 2.0MB
  MD5: ec2ed4ce93f96b5b29c337f3d2d887b0
  SHA1: a7d326ae5d06f2066e9e4b11a647682ce6729ff8
  SHA256: 18437cd52a2a4cbcbf3b61c65c024348655cc8be54227f415a95b4b94cfb33f8
  SHA512: 5ec3abee2195e15c921eccd3d0960c7bd7d6aeed4d17aac5c6e87fb179310029251862aa334c7aa6cc7440f1049089a00cca928185a3998767575b907eefe95d
- Filesize: 1.7MB
  MD5: f1954dc28c2666fef391397468703799
  SHA1: 82ffe18308f183f0ba2621ae7d20f89c7cccd4d4
  SHA256: 258372d47d52d302d28a9857ab253fd110bab5997f0299e95307025b8c2a4b94
  SHA512: 877052fd9ae1b7d15b2e5026aefd8a25dc298a6e24e6e4a263bd8d36b7af5dda6054cf770dc576f9d68faadb5c0d2c555aead3299e4d190253ac0372c068001f