Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-02-2024 09:36
Static task: static1
Behavioral task: behavioral1
Sample: 868df0fad643001bb45bb8b38cfd7ec2.dll
Resource: win7-20231129-en
General
Target: 868df0fad643001bb45bb8b38cfd7ec2.dll
Size: 2.2MB
MD5: 868df0fad643001bb45bb8b38cfd7ec2
SHA1: 3d4d21cfb078c2c8eed5adcef1a16b919f2e3b5b
SHA256: 35a57a2f4ae0a954f51d0b5da7bbebd60fbd047b7d9dc92da62bc442eb26429e
SHA512: 58e116d1627baf816257f2eaddcb01617b2d540b310bd3b9f0a34798bf78dd5631b873ad783bb50fb7f76f573c272445f938aeb9ba171f540c69c92cdb4c3f1d
SSDEEP: 12288:7VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:afP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
Processes:
resource | yara_rule
behavioral2/memory/3408-4-0x00000000015C0000-0x00000000015C1000-memory.dmp | dridex_stager_shellcode
Executes dropped EXE 3 IoCs
Processes:
pid | process
4692 | wermgr.exe
1616 | rdpshell.exe
1400 | CameraSettingsUIHost.exe
Loads dropped DLL 3 IoCs
Processes:
pid | process
4692 | wermgr.exe
1616 | rdpshell.exe
1400 | CameraSettingsUIHost.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mmiwstgfcubwacq = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations\\0gF4kz\\rdpshell.exe" | (not recorded)
Checks whether UAC is enabled
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | wermgr.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rdpshell.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | CameraSettingsUIHost.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process
3236 | rundll32.exe (4 entries)
3408 | (process name not recorded; the remaining 60 entries all carry this PID)
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
description | pid | process | target process
PID 3408 wrote to memory of 3444 | 3408 | (not recorded) | wermgr.exe
PID 3408 wrote to memory of 3444 | 3408 | (not recorded) | wermgr.exe
PID 3408 wrote to memory of 4692 | 3408 | (not recorded) | wermgr.exe
PID 3408 wrote to memory of 4692 | 3408 | (not recorded) | wermgr.exe
PID 3408 wrote to memory of 2812 | 3408 | (not recorded) | rdpshell.exe
PID 3408 wrote to memory of 2812 | 3408 | (not recorded) | rdpshell.exe
PID 3408 wrote to memory of 1616 | 3408 | (not recorded) | rdpshell.exe
PID 3408 wrote to memory of 1616 | 3408 | (not recorded) | rdpshell.exe
PID 3408 wrote to memory of 2120 | 3408 | (not recorded) | CameraSettingsUIHost.exe
PID 3408 wrote to memory of 2120 | 3408 | (not recorded) | CameraSettingsUIHost.exe
PID 3408 wrote to memory of 1400 | 3408 | (not recorded) | CameraSettingsUIHost.exe
PID 3408 wrote to memory of 1400 | 3408 | (not recorded) | CameraSettingsUIHost.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\868df0fad643001bb45bb8b38cfd7ec2.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID: 3236

C:\Windows\system32\wermgr.exe
  command line: C:\Windows\system32\wermgr.exe
  PID: 3444

C:\Windows\system32\rdpshell.exe
  command line: C:\Windows\system32\rdpshell.exe
  PID: 2812

C:\Windows\system32\CameraSettingsUIHost.exe
  command line: C:\Windows\system32\CameraSettingsUIHost.exe
  PID: 2120

C:\Users\Admin\AppData\Local\T0A7R1we\rdpshell.exe
  command line: C:\Users\Admin\AppData\Local\T0A7R1we\rdpshell.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 1616

C:\Users\Admin\AppData\Local\3lgk\wermgr.exe
  command line: C:\Users\Admin\AppData\Local\3lgk\wermgr.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 4692

C:\Users\Admin\AppData\Local\Zrkg\CameraSettingsUIHost.exe
  command line: C:\Users\Admin\AppData\Local\Zrkg\CameraSettingsUIHost.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 1400
Network
MITRE ATT&CK Enterprise v15
Downloads