Analysis
- max time kernel: 150s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20231222-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01-02-2024 13:56
Static task: static1
Behavioral task: behavioral1
Sample: 870eeef933351d3ca6e6f77f6f1b0506.dll
Resource: win7-20231215-en
General
- Target: 870eeef933351d3ca6e6f77f6f1b0506.dll
- Size: 3.5MB
- MD5: 870eeef933351d3ca6e6f77f6f1b0506
- SHA1: 292b7b5c4c378e9d4f9271ceb61af16ccecca218
- SHA256: 0244e314ec929575d050f32ef42e74e572b141b849802f6929ca22fc1401553e
- SHA512: 3116fc28269a0056ad24e65c488ac694e7a1d67880130f006c1ee1002a9345f9c7b04264cd6788aeb24f086adbed527a0cdff2abd3c6af35f5162ede228a38df
- SSDEEP: 12288:iVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1Fag:/fP7fWsK5z9A+WGAW+V5SB6Ct4bnbFa
Malware Config
Signatures
-
Processes:
- resource: behavioral2/memory/3568-4-0x0000000002EC0000-0x0000000002EC1000-memory.dmp, yara_rule: dridex_stager_shellcode
Executes dropped EXE 4 IoCs
Processes:
- 3228 SystemPropertiesProtection.exe
- 4060 WFS.exe
- 4500 consent.exe
- 2508 shrpubw.exe
Loads dropped DLL 4 IoCs
Processes:
- 3228 SystemPropertiesProtection.exe
- 4060 WFS.exe
- 4500 consent.exe
- 2508 shrpubw.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
- Set value (str): \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mbfbagbrjs = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\UserData\\jFZztRz\\WFS.exe"
Checks whether UAC is enabled
Processes:
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: shrpubw.exe)
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: rundll32.exe)
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: SystemPropertiesProtection.exe)
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: WFS.exe)
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
- 460 rundll32.exe (6 entries)
- 3568, process name not recorded (remaining 58 of the 64 entries)
Suspicious use of UnmapMainImage 1 IoCs
Processes:
- 3568 (process name not recorded)
Suspicious use of WriteProcessMemory 16 IoCs
Processes:
- PID 3568 wrote to memory of 1216, target process SystemPropertiesProtection.exe (2 entries)
- PID 3568 wrote to memory of 3228, target process SystemPropertiesProtection.exe (2 entries)
- PID 3568 wrote to memory of 3552, target process WFS.exe (2 entries)
- PID 3568 wrote to memory of 4060, target process WFS.exe (2 entries)
- PID 3568 wrote to memory of 2180, target process consent.exe (2 entries)
- PID 3568 wrote to memory of 4500, target process consent.exe (2 entries)
- PID 3568 wrote to memory of 1368, target process shrpubw.exe (2 entries)
- PID 3568 wrote to memory of 2508, target process shrpubw.exe (2 entries)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\870eeef933351d3ca6e6f77f6f1b0506.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID: 460
- C:\Windows\system32\SystemPropertiesProtection.exe
  Command line: C:\Windows\system32\SystemPropertiesProtection.exe
  PID: 1216
- C:\Users\Admin\AppData\Local\mtcGu\SystemPropertiesProtection.exe
  Command line: C:\Users\Admin\AppData\Local\mtcGu\SystemPropertiesProtection.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 3228
- C:\Windows\system32\WFS.exe
  Command line: C:\Windows\system32\WFS.exe
  PID: 3552
- C:\Windows\system32\consent.exe
  Command line: C:\Windows\system32\consent.exe
  PID: 2180
- C:\Windows\system32\shrpubw.exe
  Command line: C:\Windows\system32\shrpubw.exe
  PID: 1368
- C:\Users\Admin\AppData\Local\gvap\consent.exe
  Command line: C:\Users\Admin\AppData\Local\gvap\consent.exe
  - Executes dropped EXE
  - Loads dropped DLL
  PID: 4500
- C:\Users\Admin\AppData\Local\ADK\WFS.exe
  Command line: C:\Users\Admin\AppData\Local\ADK\WFS.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 4060
- C:\Users\Admin\AppData\Local\dSVFnZs\shrpubw.exe
  Command line: C:\Users\Admin\AppData\Local\dSVFnZs\shrpubw.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 2508
Network
MITRE ATT&CK Enterprise v15
Downloads