Analysis
max time kernel: 149s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-02-2024 16:32

Static task: static1
Behavioral task: behavioral1
Sample: 875d030c5fc6c9897bd817f84ca43711.dll
Resource: win7-20231215-en
General
Target: 875d030c5fc6c9897bd817f84ca43711.dll
Size: 2.9MB
MD5: 875d030c5fc6c9897bd817f84ca43711
SHA1: 865b73891c48646127255bfdc6104552b7aa90a4
SHA256: 2303cd17c0c377a2c2446c1267c7ff5a772e4cc30c721eddf332fae15489d256
SHA512: d67ae0e3134a96e7c3948813206839eb330f411104751450cd600b4b7aea549aa2c140b9b45c9c7d36c21b4c09c3ed83c89eac384816dd5942c4d07490cca48b
SSDEEP: 12288:tVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:0fP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
Processes:
  resource: behavioral2/memory/3476-4-0x0000000002F70000-0x0000000002F71000-memory.dmp
  yara_rule: dridex_stager_shellcode
Executes dropped EXE 3 IoCs
Processes:
  pid   process
  2108  SystemPropertiesPerformance.exe
  4932  perfmon.exe
  4804  rdpinit.exe
Loads dropped DLL 3 IoCs
Processes:
  pid   process
  2108  SystemPropertiesPerformance.exe
  4932  perfmon.exe
  4804  rdpinit.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mbfbagbrjs = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\UProof\\AOkJb\\perfmon.exe"
  process: (not recorded)
Checks whether UAC is enabled
Processes:
  description        ioc                                                                              process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  SystemPropertiesPerformance.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  perfmon.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rdpinit.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
  pid   process
  4792  rundll32.exe   (4 entries)
  3476  (process name not recorded; remaining 60 entries)
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
  description                       pid   process
  Token: SeShutdownPrivilege        3476  (not recorded)
  Token: SeCreatePagefilePrivilege  3476  (not recorded)
  Token: SeShutdownPrivilege        3476  (not recorded)
  Token: SeCreatePagefilePrivilege  3476  (not recorded)
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
  pid   process
  3476  (not recorded)
  3476  (not recorded)
Suspicious use of UnmapMainImage 1 IoCs
Processes:
  pid   process
  3476  (not recorded)
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
  description                       pid   process         target process                   entries
  PID 3476 wrote to memory of 4584  3476  (not recorded)  SystemPropertiesPerformance.exe  2
  PID 3476 wrote to memory of 2108  3476  (not recorded)  SystemPropertiesPerformance.exe  2
  PID 3476 wrote to memory of 3656  3476  (not recorded)  perfmon.exe                      2
  PID 3476 wrote to memory of 4932  3476  (not recorded)  perfmon.exe                      2
  PID 3476 wrote to memory of 2932  3476  (not recorded)  rdpinit.exe                      2
  PID 3476 wrote to memory of 4804  3476  (not recorded)  rdpinit.exe                      2
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\875d030c5fc6c9897bd817f84ca43711.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID: 4792

C:\Windows\system32\SystemPropertiesPerformance.exe
  Command line: C:\Windows\system32\SystemPropertiesPerformance.exe
  PID: 4584

C:\Users\Admin\AppData\Local\pN8UjZK6U\SystemPropertiesPerformance.exe
  Command line: C:\Users\Admin\AppData\Local\pN8UjZK6U\SystemPropertiesPerformance.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 2108

C:\Windows\system32\perfmon.exe
  Command line: C:\Windows\system32\perfmon.exe
  PID: 3656

C:\Users\Admin\AppData\Local\aKU\perfmon.exe
  Command line: C:\Users\Admin\AppData\Local\aKU\perfmon.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 4932

C:\Windows\system32\rdpinit.exe
  Command line: C:\Windows\system32\rdpinit.exe
  PID: 2932

C:\Users\Admin\AppData\Local\Gxb4\rdpinit.exe
  Command line: C:\Users\Admin\AppData\Local\Gxb4\rdpinit.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 4804
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 148KB
MD5: 2cf6b0e09a31ad97cf6b4b5742dccd5e
SHA1: 6e6f298fdfeb06e63c9079242f52609bff76f045
SHA256: 1bee8d526438e1a705405fc5b047350fba22848f6d7f5a420e92e97b098d0862
SHA512: 9222b7c9382ff49f312223abf513a4c769bc484a71d9181b366cc8fa52ea9c41c3a72f7d1e49cb48c8ed214c4e295e444a35dc03305aff79434e72bc416b53fc

Filesize: 114KB
MD5: 949e25ad7091fdc09721ba28aa3217b4
SHA1: 122b9594d991b31c5f653e7718479157c8417cf7
SHA256: 41d34657d5cede6c9b325b8d923cf5ef893f633963480461a50cb557143da3de
SHA512: 965fd301f93e09697b5f7e4ac903e4a264739ff25fb09eac84e7e1ef7bab22d6c92db997bce7554930a5bda9c0cc09c79c5536ede530f934bfa4ac14943b4bda

Filesize: 146KB
MD5: d8d69894d1c8208c1de0a8160ef00b03
SHA1: bac8472e728de47a79068aa5fa94e7bf7dd1a48d
SHA256: d1f854b6c5686b6bcb5816b63b5a609c5cbba9a00fc52abff7b0ce26d98e95b0
SHA512: f7595477a4fe9e3807f89a5c0d778ef17fe4162f8b94c65d46e1a4b365406dc6b380eb8805ca8d5d878377b7c2f77783859b01282335e422d2e6e1cb10f1bc35

Filesize: 128KB
MD5: 675e58c5c39098da7b62e2d2e2a0ad8d
SHA1: 05e6ac73545584462366c6f2ee01a0bdf718d7a1
SHA256: eb0051a83c533515346aced55567dd51da28bb51442e64463dcd54fc5b7dba12
SHA512: 517c7f3db24b74e0f56dd211ad69d5a336996722003ebfca0e250c18bbf3cff2296769a5f7bd941fd9685a23320bd4582451fc1b73fbde4b0fbbd6363079b245

Filesize: 23KB
MD5: 314f6c7f16d5fb2716e1522aa9a18820
SHA1: 872a0560e675a97e3eb2af699a1cd7e00263d31b
SHA256: c49b4a248359597b2e45c46ba7650d2bd6ac220a84cb3e2101c0f43ee7b2fc86
SHA512: cf1eb185f8770943dca341dea026f84a3536a2a9f0eed3d7414da18d6e4bb9423222bc773f6b77726247d3f533f61facfd4dd12421707cb6ef609f47624fccb6

Filesize: 50KB
MD5: d7dc8eed4044324135c15a3b0514d98d
SHA1: 2f5e0282cd5425681882306356c7bd0207a9895d
SHA256: c949a9d53dc13743462e07e659644dcbc5125680e171a6924e55e872b9e00bac
SHA512: 7879db1f6b9546fe1129d64d595af3da516fda9924f3bb47d19c7950b2aaaa56b8aeb9a79f2da7dc46decef65bd90172930bcd043f82f695170fb539f2a5d5a8

Filesize: 9KB
MD5: e6fcb021f69f747424d5cae244231d7b
SHA1: 9e498a85ff65b1e68dcc78f0e651de5dd29bbdaf
SHA256: d94d3e2cd29a7bff5798312b800be0760958edbcad1f1881c2c4237b592117e5
SHA512: c3e14b43e4e0a5692a98398d2d6ba3a3f1da2ccec4d37d10ce958ebdfcabe4fe0a6e0877b5ceaba20f19c1f7901833d0e79d134337e0400d30f730516173b495

Filesize: 9KB
MD5: fd4fe809327ed3aa30e2257f29845fb7
SHA1: d60dbd95d482b20b09bd093d8d5bc675a5070f46
SHA256: 39d2138c161977b9e80124f181af493a22a01f571a6477e1aed200ccb6d66120
SHA512: 1c932b5a130959632d34f63a30ada402cb9c4b0505cf5554d60cfbec42597f0f76f5561273f647717e6bdbed5b1b41baa1a3b026f3dd3fb8bfb3846fbd1f88e8

Filesize: 79KB
MD5: e0f222df7b84a9832baaa2d20a2cb3ce
SHA1: 7bf1f284857d55e1e4fcbff5e91641990b070cd8
SHA256: d170dc3a00e24d1af0d4e935455c5cdb4998f92499e11d56fb13a8e45a3e8285
SHA512: fb6cc7980d6625fd2e40f4c7a8f367c5f09ebf542d1393df9a79b0a624417e4ace3d90e941c74a2c4111a5c28c1831626a9ca3a778c2df0eb0146692690cd362

Filesize: 54KB
MD5: 032a00a6cec70c25dab3d7a07d7156d9
SHA1: 6ba1018ad30743908e6b4dd11aa2fcd140ae3c61
SHA256: 3f0d10ef9e89208237346f65b687408bf1a4131dadf80f9ae6bcab7c89992aab
SHA512: 5bf896c720a90e5575e990e0874b367d9780e2dc0d96b2cdce51121fb462851c1f21e5e0b619aef40b8841917fa1f5147688564c101cf6b80e55bb35ce9f1b45

Filesize: 74KB
MD5: 286000af312605193247bc0f4b1a6f40
SHA1: 0303ec4a444cb95182cc0e950039d35e67e26f7f
SHA256: 5d2b95c69a7a218f389b33d3e0f795085d63a7e16ec5f1ad66ddf9bfce5a3d71
SHA512: 6345414821b189afff6860562b29de06977198a17c08346cbe732ee18041368c766bce380f649c7ad23d622fc2e912e6936bec95ec77dc1ea8460f3542dc98ca

Filesize: 75KB
MD5: 4a70d5107178e91de8887eb7bf432c0e
SHA1: 083ee63cf469f311c77dd9b17d6a7780813ab29f
SHA256: b351f0efc5bc8d34de7dae95e2e1521147b690e3ce487429178799b7961d313a
SHA512: 282df6d36a2964ccbd3fc7e6b5867b5927c1cded6682d4f35a70d6e6ca65e5a8a7b4148d81a958f94ac36a6abb198d512ae4aa5979fd2c646df76f66751c1a50

Filesize: 979B
MD5: 50712ca3160b5a7dec36f0034ea14ad2
SHA1: adb8f59bf905df10865360325834dee373daa699
SHA256: 46241544c90c79b13411d6f72a335de136fcfeaac55edf88703081fdd1f8751b
SHA512: 0d16ba5716ec680bab45201c49dfcb85198d019d951190af82c1033988a9797f691db92fcf4c5367015a00451aa0ea9ab1cd90c45eda74e602335a587048d858

Filesize: 51KB
MD5: 615bab233249caeb3c60f103fa44a937
SHA1: 75856f11a63be04eac227f183def37e3af93cb36
SHA256: 074e6ca2a537ddb30eaec59e1d284803e28add7060c1467b3b22d377b334db87
SHA512: 46d29771d497371f66e37fce1c6b7ad5d25873ac096c34885a851dadcc13f5c5adbb6dccb533ced5fa837e660acec8149769a9103b5e7fd376e0b834e261a94e

Filesize: 167KB
MD5: 4000828f80141e667e09fadabb6b1dca
SHA1: fd7addfa2b4ee4ada753e25f300788ee589df16f
SHA256: 2f7a5eae5026ad437e92561fb1f92a69d2d87dce611b0c5a88e8159b1c76380b
SHA512: 3c8d5a952726056e48f29cdf58b914ce38f653697889563e04621ba2bb80198540cdb2f50d5bcc99100021629592f9d8c2c6f3323ba8830be513c1929c16cd5e

Filesize: 54KB
MD5: e61a06405aeb928ab6294e54f1aedbb7
SHA1: 32698792cb2d3c272db080a1481380e6f82c7cdc
SHA256: b58b4f6c40230f8e59f22ef569457b04d9b3ccab32091e4dc676337bc66960a5
SHA512: fd2e08571c19cc3dca750dc9a309e7c67f4c33872dfe7c10dc8580573ec5bc78df66545b1573b4afdfb94c892c980409ab22a2e8037717cce425e998ee97d8de