Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted
01-02-2024 02:35
Static task
static1
Behavioral task
behavioral1
Sample
82a4bc5335713f3201927604dc1c17fa.dll
Resource
win7-20231215-en
General
-
Target
82a4bc5335713f3201927604dc1c17fa.dll
-
Size
1.7MB
-
MD5
82a4bc5335713f3201927604dc1c17fa
-
SHA1
0760fdf10d7b767e7b1c6c75b5a6df7fa582f2de
-
SHA256
b24b5a97da7b45c297575085b7e6a6812e70391a8460609e4ab225c8b8c421b8
-
SHA512
fdc555fae69369b3e61dae10b2e01607d5c853ed93bc403d08678447454e550ed598a3c46e4c7489e9e9626ffca57c317a92b64a3e48c6d44717667be684fe2e
-
SSDEEP
12288:hVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:QfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
-
YARA match in memory 1 IoCs
Resource (behavioral2 memory dump): behavioral2/memory/3420-4-0x0000000002380000-0x0000000002381000-memory.dmp
YARA rule: dridex_stager_shellcode
Executes dropped EXE 3 IoCs
Processes (pid, process):
4564 OptionalFeatures.exe
1840 PasswordOnWakeSettingFlyout.exe
1900 SystemPropertiesDataExecutionPrevention.exe
-
Loads dropped DLL 3 IoCs
Processes (pid, process):
4564 OptionalFeatures.exe
1840 PasswordOnWakeSettingFlyout.exe
1900 SystemPropertiesDataExecutionPrevention.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Registry (description, ioc, process):
Set value (str)
\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qzenv = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Proof\\Wqv1ITs6vhQ\\PasswordOnWakeSettingFlyout.exe"
(process column not recorded)
-
Checks whether UAC is enabled 4 IoCs
Registry (description, ioc, process):
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
by SystemPropertiesDataExecutionPrevention.exe, rundll32.exe, OptionalFeatures.exe and PasswordOnWakeSettingFlyout.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (pid, process):
2536 rundll32.exe (4 occurrences)
3420 (no process name recorded) (60 occurrences)
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes (description, pid, target process; each pair recorded twice):
PID 3420 wrote to memory of 4072 (OptionalFeatures.exe)
PID 3420 wrote to memory of 4564 (OptionalFeatures.exe)
PID 3420 wrote to memory of 796 (PasswordOnWakeSettingFlyout.exe)
PID 3420 wrote to memory of 1840 (PasswordOnWakeSettingFlyout.exe)
PID 3420 wrote to memory of 4604 (SystemPropertiesDataExecutionPrevention.exe)
PID 3420 wrote to memory of 1900 (SystemPropertiesDataExecutionPrevention.exe)
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
All seven entries sit at tree depth 1 (no parent shown). PID 3420, which the WriteProcessMemory signature records writing into PIDs 4072, 4564, 796, 1840, 4604 and 1900, does not appear in the tree itself. Note the pairing: each Windows binary runs once from System32 and once as a copy of the same name from a random directory under AppData\Local, and only the AppData copies trigger "Executes dropped EXE" and "Loads dropped DLL".
-
C:\Windows\system32\rundll32.exe (PID 2536)
Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\82a4bc5335713f3201927604dc1c17fa.dll,#1
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\OptionalFeatures.exe (PID 4072)
-
C:\Users\Admin\AppData\Local\mf5Sd4IMu\OptionalFeatures.exe (PID 4564)
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
-
C:\Windows\system32\PasswordOnWakeSettingFlyout.exe (PID 796)
-
C:\Users\Admin\AppData\Local\zPf2pb\SystemPropertiesDataExecutionPrevention.exe (PID 1900)
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
-
C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe (PID 4604)
-
C:\Users\Admin\AppData\Local\avzwyZY9\PasswordOnWakeSettingFlyout.exe (PID 1840)
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
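The process tree and the Run-key IoC above together show a staging pattern: legitimate Windows binaries copied out of System32 into random AppData directories, run from there with dropped DLLs beside them, and one further copy registered for persistence under a different AppData path. The following is an added example (not part of the sandbox report, and not a vendor's detection) that flags both halves of that pattern from process-creation and registry-set records. The input lists are constructed from the paths and registry value in this report; the tuple record layout is an assumption made for the example rather than any real EDR schema.

```python
"""Added example: detect relocated System32 binaries and Run-key persistence
pointing at them, using records constructed from this sandbox report."""
import ntpath  # Windows path semantics regardless of the host OS
import re

SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Anything under a user's AppData tree is writable by that user.
USER_WRITABLE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\", re.IGNORECASE)

# Constructed from the report's process tree: (pid, image path).
PROCESS_EVENTS = [
    (2536, r"C:\Windows\system32\rundll32.exe"),
    (4072, r"C:\Windows\system32\OptionalFeatures.exe"),
    (4564, r"C:\Users\Admin\AppData\Local\mf5Sd4IMu\OptionalFeatures.exe"),
    (796, r"C:\Windows\system32\PasswordOnWakeSettingFlyout.exe"),
    (1900, r"C:\Users\Admin\AppData\Local\zPf2pb\SystemPropertiesDataExecutionPrevention.exe"),
    (4604, r"C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe"),
    (1840, r"C:\Users\Admin\AppData\Local\avzwyZY9\PasswordOnWakeSettingFlyout.exe"),
]

# Constructed from the report's "Adds Run key" IoC: (key path, value name, data).
# The report renders the data with surrounding quotes; that is kept here.
REGISTRY_EVENTS = [
    (r"\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000"
     r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "Qzenv",
     r'"C:\Users\Admin\AppData\Roaming\Microsoft\Proof\Wqv1ITs6vhQ\PasswordOnWakeSettingFlyout.exe"'),
]


def in_system_dir(path):
    return ntpath.dirname(path).lower() in SYSTEM_DIRS


def system_binary_names(process_events):
    """Image names that ran from a Windows system directory in this trace."""
    return {ntpath.basename(p).lower() for _, p in process_events if in_system_dir(p)}


def relocated_system_binaries(process_events):
    """(pid, path) for processes whose image name matches a binary that also
    ran from System32, but which run from a user-writable directory.
    Requiring the System32 twin in the same trace separates this from a
    legitimately installed third-party program that merely shares a name."""
    names = system_binary_names(process_events)
    return [
        (pid, path)
        for pid, path in process_events
        if ntpath.basename(path).lower() in names
        and not in_system_dir(path)
        and USER_WRITABLE.match(path)
    ]


def suspicious_run_keys(registry_events, process_events):
    """(value name, exe) for Run-key values whose data points at a
    user-writable copy of a system binary name. Checked separately from the
    process list because, as in this report, the persisted copy
    (AppData\\Roaming\\Microsoft\\Proof\\...) lives in a different directory
    from the copy that actually ran (AppData\\Local\\...)."""
    names = system_binary_names(process_events)
    hits = []
    for key, value_name, data in registry_events:
        if not key.lower().endswith(r"\currentversion\run"):
            continue
        exe = data.strip('"')
        if USER_WRITABLE.match(exe) and ntpath.basename(exe).lower() in names:
            hits.append((value_name, exe))
    return hits


if __name__ == "__main__":
    for pid, path in relocated_system_binaries(PROCESS_EVENTS):
        print(f"relocated system binary: pid {pid} {path}")
    for name, exe in suspicious_run_keys(REGISTRY_EVENTS, PROCESS_EVENTS):
        print(f"persistence via Run\\{name} -> {exe}")
```

Run against the constructed records, the first check returns the three AppData copies (PIDs 4564, 1900 and 1840) and the second returns the Qzenv value. Neither function keys on the random directory names, which change per infection; they key on the name collision with a System32 binary plus a user-writable location, which is the stable part of the pattern.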
Network
MITRE ATT&CK Enterprise v15
Downloads
The 1.7MB entry below differs from the submitted 1.7MB sample in every hash (MD5 aaf9507719f363ef66a61bcb78bfafa8 versus 82a4bc5335713f3201927604dc1c17fa).
-
Filesize 85KB
MD5 51d3e554d3cce3434b641294651ff811
SHA1 e23df17221045165335b1983aaf3cdd4d6194540
SHA256 89d24e39a7da3552f521ed68287c30de1b40b37771e4128c7782df8a00808f0e
SHA512 18cbc1a17c4a6e79be8b5becd1a6b5994cc59e2dcd299cf9178641e5f7e9af6ba766e904f33c941be16db9728bffa3fca8eaea87280073f84cd98b0c220f8b7d
-
Filesize 41KB
MD5 584dd31ef5a32657deb402ee7cdb9b1f
SHA1 6845258f3a192fcff0a8e68f2a966fd66b982a94
SHA256 aeecaf1c69ab6346eb463a8af04e8afd35b9e812725d41aef9464548cd55923a
SHA512 839ae7a40d627d5de29865c8ea573ecd3cbfd89a6ae1b890f697c95e9d9216d7414515ab99c5f8254178fb1d289055b69f5a06d6c9b7301dc28502dee580376d
-
Filesize 44KB
MD5 591a98c65f624c52882c2b238d6cd4c4
SHA1 c960d08c19d777069cf265dcc281807fbd8502d7
SHA256 5e6ed524c955fb1ea3e24f132987143da3ec81db5041a0edcfa7bf3ac790eb06
SHA512 1999f23c90d85857461f8ddc5342470296f6939a654ac015780c2977f293c1f799fc992462f3d4d9181c97ab960db3291b85ea7c0537edcb57755706b20b6074
-
Filesize 110KB
MD5 d6cd8bef71458804dbc33b88ace56372
SHA1 a18b58445be2492c5d37abad69b5aa0d29416a60
SHA256 fa2e741416994f2c1bf9ef7a16b9c4dbf20c84267e3da91ae6f1ad75ee9f49b8
SHA512 1bed8af2cf99a7f3bb36a34f4a71c34787904bd072ecdc731fb7498290dcf4024b956fb8b6912ad050b74aa861f0b0349081b77088f72732bda5075413b1f83d
-
Filesize 57KB
MD5 ee13a233eb959951089a6f3851ca156f
SHA1 0c7c8f3b8d59b71e18b945ea87b4f6aa8f8e0155
SHA256 d99b2316d6acf0cd88e588ea20c5bad648db2e83ba88ca2e7644123510ecd5a3
SHA512 6e196f4454dfb4f09adf35425f477b95eedb82695f72ad0fc510710c1acb1cf1481aeda0ba2c4b18ebc0959afd34bf9521643b7ea4f7a8b500b8be927255a190
-
Filesize 191KB
MD5 9ee1da5125f3f7d341e616024a605d3c
SHA1 dde8933554566af7ee66685c50df2aa43ca61932
SHA256 881b7239eaa5a7fdf6b1b1b0341dbb9ef7f02b6673331eadf3b21fa7f5b39f14
SHA512 014e590126dec698c413fbbbc07113945eeb63669de981553ad5f51091fb269022846a88d1a9ec2568a7a7e4679aef6f2c41d986b0004dc5d6be2b75e8dae37a
-
Filesize 156KB
MD5 d64959f0f7f89bf75ae055a344a1162e
SHA1 6a76396db0582d618b9faee4e92f80c779ff35eb
SHA256 81795d242b08b7dc4e7b4fe058cc2d35e4157187faee0e010785163e3cc1002d
SHA512 92e400d4d71b5d9f6dcad972b4c1e97bfab2686ecc283c109e3d231dc6287b55ad1696ee1e3fc205f057358e1317903f32791ffe91ebe44dce96b7d7e97c86a2
-
Filesize 135KB
MD5 55b8a5d916e3fe90fc82b46c2dbb6d7d
SHA1 e73b72a0bb092d3e5a2d0dbe4ffaf2baa95399db
SHA256 1a62114627c6bfcd97b3fe94bf3cd9b7be60878b193f21ae0cb094bda6107c38
SHA512 c56da37a79aa1a272154c2e6dbdb8dfec3ccb349f27a3bf85bf6116b3b7f104380f2888f97047764ba25febb3b0d54f2a58915130fc763d8f8f5d06eed1c1258
-
Filesize 89KB
MD5 b640622fbb50e4d66f5a5e245a0aef53
SHA1 0ba5d7149672b2ff51a756b6fde24fc8a0c5e1b3
SHA256 6be3250b25c77ae554dbabdb2a660833860effb9989b8415a3cacd9370b00176
SHA512 799ef005df268ef7be612d1028b077da133ec7cbcb7d1d1edbc2a0cf87d3a822b6e73b26287ed4bd40c7ab76f96b10e09e64e3760d2734f761c50fb7a77b5b84
-
Filesize 52KB
MD5 05aa388eb8cce0f37a3754810e607d00
SHA1 9d3a3bfd41895679b244ad15a98b799f2559c6b0
SHA256 81140bbf67740e130f099262b0f8cd46dc875ba1634d3480d8eacc4593d38e7d
SHA512 6829a51d9a022815f2df9a64cbc7b599c6a6e0f635e116e8ebb54449a67423ca493f6c40c1ab8eb17984376db3f651c59f6838761bb7620f45ea9d9b7e46ed25
-
Filesize 71KB
MD5 0765ec61d6cda10698e0232b87a88792
SHA1 b00a117fc66e9406d4448b1198c00a0900cd20f3
SHA256 b12a18dc7e44954a5f51155855711fb06294aadba0eafb034260fd1507e79c7d
SHA512 a661bd514166c8762aa5d6cf07929836bb2a72c706d76072c6b8342e4c9709798a462b4031a216503ccfde93fc911390ee92845bac7390cf0b3d77f5aa8a717d
-
Filesize 1KB
MD5 861ea6a963fcb20355fb7a82c608ac48
SHA1 fb4e2fd8bcede2b17857b2aa2467948894128172
SHA256 c5d23876c9444273da162b6e07f24bfc526df6578a2fef20cf834f710dbb1249
SHA512 b6d511aab58b66397852d79dde1061ab52dfdc2122021ee8c809770b1053d02589cb5e916095ca428591345d30440bb750b71d86cc73a880fa5c38303ef1c516
-
Filesize 380KB
MD5 d9e01f89c61a44ea98d1b6df2a3ceb11
SHA1 2f1f538c1426bf63c2eccbed8f45a014186857e3
SHA256 664b261f47100910102c47cbeb63baa5a6c0ee53a5ff87086ff7ff448b187f1e
SHA512 0cf2c988bc7bdb598ac91fb7c6973a0f9f0eb0ab01f4b5b560599ebee7a9f3f76b9228635d79c9ad8e273c6d25273a9be73faf18d1bed4f044319f5d57b11621
-
Filesize 1.7MB
MD5 aaf9507719f363ef66a61bcb78bfafa8
SHA1 d6593e049f46484679e9e220b030a96a49b49321
SHA256 cf2b65fe1a16299ad7ac668b6b596d4d3e36e39244a3203639df272b81ba2156
SHA512 51df54d5b713384fde72e03761620cd1c4d78afb6b1f39f83accd162a8f88d2fdc8f4ff1389a5d924bdba70ab077173bfa4a9236306cb0b58083e77eedb80af9
-
Filesize 5KB
MD5 36f7b03ace3ec17ed612922a4eebc4e8
SHA1 bfc840d631bc69b5ace2dd14656a35b8eb329bcb
SHA256 fd3f8a16a4a3e42711ff5878523cd00ad12ab83728e9b147780408f5a893b3c1
SHA512 e0bf8837aa2c55932acb958079ca1d28a2e287c3757007123cc0b8d91a7392332303e5878d6841ed461a9fb467e3e36697e4f33bad9abc3396686e39d53fb86e