Analysis

max time kernel: 150s
max time network: 142s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-02-2024 03:10

Static task: static1
Behavioral task: behavioral1
Sample: 88668b1d3f06f675f928f23dd79da143.dll
Resource: win7-20231129-en

General

Target: 88668b1d3f06f675f928f23dd79da143.dll
Size: 2.0MB
MD5: 88668b1d3f06f675f928f23dd79da143
SHA1: c032664de6dc7c1c3380fba695c51cb453ade557
SHA256: b211dfe06a94fe21d84592e03c8f26bc8529eccb6b4ee1bcc7784ffa27f1851a
SHA512: e7a8d2f5d1ba3ffc35ae4da94c25b7b74b80bad5ade5a749b625e3740e246189f482504a04482cd7a35c7d1ca8f30d4f31b989a95a06562dccea6b38f7e018d6
SSDEEP: 24576:qfP7fWsK5z9A+WGAW+V5SB6Ct4bnb+sJS:+DW/e+WG0Vo6CtSn
Malware Config
Signatures
YARA rule match:
  resource   behavioral2/memory/3492-4-0x00000000030F0000-0x00000000030F1000-memory.dmp
  yara_rule  dridex_stager_shellcode
Executes dropped EXE 3 IoCs
  pid   process
  1636  ie4uinit.exe
  2504  ddodiag.exe
  1736  SystemSettingsAdminFlows.exe
Loads dropped DLL 5 IoCs
  pid   process
  1636  ie4uinit.exe
  1636  ie4uinit.exe
  1636  ie4uinit.exe
  2504  ddodiag.exe
  1736  SystemSettingsAdminFlows.exe
Adds Run key to start application 2 TTPs 1 IoCs
  description      ioc
  Set value (str)  \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Kqgfxymewp = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Templates\\FVo\\ddodiag.exe"
  (the report leaves the process column of this row empty)
Checks whether UAC is enabled
  description        ioc                                                                            process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  ie4uinit.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  ddodiag.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  SystemSettingsAdminFlows.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
  pid   process
  4512  rundll32.exe (4 entries)
  3492  (image name not recorded; the remaining 60 entries)
Suspicious use of WriteProcessMemory 12 IoCs
  description                        pid   process         target process
  PID 3492 wrote to memory of 3088   3492  (not recorded)  ie4uinit.exe                 (2 entries)
  PID 3492 wrote to memory of 1636   3492  (not recorded)  ie4uinit.exe                 (2 entries)
  PID 3492 wrote to memory of 552    3492  (not recorded)  ddodiag.exe                  (2 entries)
  PID 3492 wrote to memory of 2504   3492  (not recorded)  ddodiag.exe                  (2 entries)
  PID 3492 wrote to memory of 1596   3492  (not recorded)  SystemSettingsAdminFlows.exe (2 entries)
  PID 3492 wrote to memory of 1736   3492  (not recorded)  SystemSettingsAdminFlows.exe (2 entries)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

- C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\88668b1d3f06f675f928f23dd79da143.dll,#1
  PID: 4512
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\ie4uinit.exe
  PID: 3088
- C:\Windows\system32\ddodiag.exe
  PID: 552
- C:\Users\Admin\AppData\Local\dq3B\SystemSettingsAdminFlows.exe
  PID: 1736
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\SystemSettingsAdminFlows.exe
  PID: 1596
- C:\Users\Admin\AppData\Local\P2kcu\ddodiag.exe
  PID: 2504
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Users\Admin\AppData\Local\UJb\ie4uinit.exe
  PID: 1636
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled

All seven entries are recorded at the top level of the tree. PID 3492, which the signature tables name as the source of every WriteProcessMemory call and of the EnumeratesProcesses hits, and whose memory region carries the dridex_stager_shellcode match, has no entry in this tree and no image name anywhere in the report. Each of the three system binaries (ie4uinit.exe, ddodiag.exe, SystemSettingsAdminFlows.exe) appears twice: once from C:\Windows\system32 and once as a dropped copy in a randomly named directory under C:\Users\Admin\AppData\Local.
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize 186KB
  MD5 045058ca2fcbd2ac5193fcc3f4cee300
  SHA1 12e01d71004f56d9b69c2285df3a2d361ec5a742
  SHA256 644260e4d16276eeecbec613b1aa99c2b2e1a36879d7434e4983cb5c4faa108f
  SHA512 2e3ccdfab1ace3cbd3bfff165d30cfafde8803632c3a66681dcd8bc5775920e91d076f40e3a7f35f0aac19778d551c674c999a80bb53e4236ce97e4822abb64b
- Filesize 54KB
  MD5 c60180e84c90d320b92789cc7721ca6f
  SHA1 8b48683d8f97945e8e4d8e632e4c1a5878237e72
  SHA256 b2d296c382b2c21074a4fbac5933f8e938171dab95d9d6ea3cd3223468622938
  SHA512 a8ff5a3f201bb36530c8db76f39c9712763c2dee82725b8c6c7f5d4a4ac7f8942cd4f0885c45817a1b689fe3405e026f9775f2acdb15ef1df7f1b9d830240911
- Filesize 39KB
  MD5 85feee634a6aee90f0108e26d3d9bc1f
  SHA1 a7b1fa32fe7ed67bd51dea438f2f767e3fef0ca2
  SHA256 99c63175504781e9278824d487da082da7c014e99f1024227af164986d3a27c6
  SHA512 b81a3e1723a5180c5168cd7bb5181c631f4f57c59780bb82a502160b7874777f3eef1ebe1b14f66c97f9f1a4721af13b6fbcdff2045c8563c18b5d12540953ff
- Filesize 17KB
  MD5 bced4e56dcdeb16d699342d05184950d
  SHA1 8f072044e2d95e54ff1f3398134c2388225440c6
  SHA256 3d95f8f4743ee80315b02b7e785e75c4845f7960c442ac0bfc8cad74a81c1c4a
  SHA512 c1d19da2441c2c89e1da0aa5bb4134291a3f0951e3593eff8a49529fee49298debd4d365572a2c19e56ee5ea823d6b62bf7eaf0dde048631fb0f8e84f2fbb60e
- Filesize 57KB
  MD5 4f340d6e45deac9509106cdb8648e08c
  SHA1 06bbe24d8c009156649fd11edbbfdb29f06e5bb0
  SHA256 e323f1d5f0226ce9546aba89a3314a1758d74bd8fec96a2135d52dde398293c7
  SHA512 6ccf298c8d1114ab7b42efabb3cdfe2a72e9574039f69344410228db3f50a4e97fc33cd93a9512a6cb2a2a96fd284766db140688b4986d3bb2716c3c554ae59b
- Filesize 67KB
  MD5 11948bce6f29d1733ac160ec536ba999
  SHA1 5f42abf57433f346a0e6039c4fa501361217b610
  SHA256 ba8e335dc3acbccdcaad14d6af52ea44eba89caeb156e4eb57279133c443661b
  SHA512 7d74ebd3dfa432e7acb634a60882739ef79e6a35b497198fa71879907775a5a3af20b6741efc55f3996c9b0ca4b0d0380e267d09b84776b815a8211b0322ad84
- Filesize 57KB
  MD5 3242e3b0dcf1406d23d0780569e8e194
  SHA1 fd5e6d44651f3d8feb65dd5e040274a070964bae
  SHA256 7690b1fc7cca46d615f62a8331f3bf87203de00ff28291e2f7ce1c93e12548e5
  SHA512 ddd1a22775f76114d622ce4bd7c4dd5584ca9ea9f485454a3807866ed6591e2f905b5d686bcc21ba0cdede7fbf3744e8578d13eed099fd6a3337acadec1026bd
- Filesize 82KB
  MD5 a18887f7fffd958457db13671f892dba
  SHA1 8da180a05e793bf0e1ab4fad417ab21bc9d6ce80
  SHA256 77d81be85d71452b076bc75cbe4e5534b40a6a907cf4e4a0a92d61370550507d
  SHA512 03f20ab266226241c2c05da8ace6b6dbc7993596f1788f6418aa5bc6053962f9d2c381af932aaedcd075230eff60e03d6467420b680fef34337cdbf64818291d
- Filesize 43KB
  MD5 0024d8ffe842ce2d48bee896e22bdafc
  SHA1 a6fa90b20123663f936d11dc9cab61fb7c846d97
  SHA256 8f8a03e2f3ded5cc631c777410fd4ed6f71eae0b8e8261d04a34eefa60d8dde0
  SHA512 5f622181eaec84d8bf8c1dd580cc300625ea1395997a6a69a049f1aee4a49c17b5309cf539f01da4a9148e02daedecf10b068b987a2a7f1ed72c4427e70b37a0
- Filesize 190KB
  MD5 6338d0099ba676651e567cbf4dcbe5b2
  SHA1 eed8e56364dd48af2aaa98c4cf8509f82f138b30
  SHA256 9acfd4acd9029d9cae80a3314663013f057d51d73c0dfff35efd2eab0708013a
  SHA512 6866ea12aa4d7caff27fe5eac3a1c1ecde2fceff4d219224b3f75a4c193c90bfff7c9d2084ec9016d1633e766754910eccb9d810234cf460c803fd4ab43733b4
- Filesize 272KB
  MD5 7051c9fa2bea81e0ac43994d89dd35f1
  SHA1 e14bc7c3d1dd9b07b217ea4d373dceae9f10bd49
  SHA256 372d1dd36ef41648d8bdaf4574903a486c619d6eb7fb88ae8b2a745514789966
  SHA512 267015d8ac16bdd935c709d3decbb381a02269e5ebec90a42fe5cb090542cdb2e3b7373ea655a427e4e57f81f4050a6673170fcb1bc339356463529e7632fb3c
- Filesize 92KB
  MD5 da030710143952160134051ebf21d030
  SHA1 943832ee23482f380dbe756ab23bdbd56f0d4314
  SHA256 587ea16b623d56eab9f4dd2d6791e328798dd785ba50b0cca46a3b2c3a5e084b
  SHA512 5f8d9a1af92246fcb03bbfe7c1b3942092c87a47fe35a71eabd7dd1edbe251f393ab9ed32e08d302222bb3e0b4a60cc21a32c7aea3e2abaf31955fe73fdb9688
- Filesize 106KB
  MD5 e1db49e30bac0e2a5cae3a5a75ea2b9e
  SHA1 51f682afc712ff979a14b37435a9eee863ecd622
  SHA256 fa00abdac70735ae7c561b6e82495623a742b459cc60550211deb54e8cc09db2
  SHA512 2553d7e4a6b6119d944b92da0f0071bb8b62bb28859aa0992d5857a3d0c863e43f2189033fcb0dab877b06d09cd1d6bc074ac1bafda66d33bc26cc321c1300bf
- Filesize 1KB
  MD5 1d3aea7b755de0a26b13c77da1c152ee
  SHA1 549dd5c34b0bbe8c3b3771d7628eb7dc10d69b07
  SHA256 401700369e6c497ead14f7494578d01797bbfaa192413cb79fca83aa90e80b06
  SHA512 aead37aa352e6e5ea31d87e3bf1b1be2716a2dbe6c950e49f5ae6b899dd081e2d4b6266f833ef646134bf12dc915ee17127c738762ed357f1f626cbbb88a64f3
- C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\Y7w9doSN6t\VERSION.dll
  Filesize 32KB
  MD5 1ed5b0e58fb35276efd2cb6bf1094b3a
  SHA1 972665476a92ac4aefaf20d5e851a093bc29bb2d
  SHA256 bbdfc4f7f9ba1572b3967ce3fec9a40e47c39b2a7a1d841c8c69ec0683638694
  SHA512 c27f2836d6eff1d64319a3d4832418d4703ff62d85a7853eb244f3e21014279ade77a226701da2ff4e9d24bd9cfa110a1ff281fbb797c3f8c45f2573720b0bcf
- Filesize 92KB
  MD5 26d66919f02dff6eecf798f2db57f169
  SHA1 a6f0dab7b982c3b95477c18c684392db97bca05a
  SHA256 124ee406256a87370035863f524aef29781e731cf031be05baf6218ae1dc249e
  SHA512 53ac54107559ba19305d94488a21d04f368f75c22327d3062710b2777eb00b134073cfba89acc892d7a5fe2e0b0551057d37204aaeaebc7563f3eb8a5f88b553
- Filesize 29KB
  MD5 cac5da366ab74789d864bc72f8a7d72d
  SHA1 d918041b4474af282d8ceceeb1c6b113fa6ba531
  SHA256 ccf16b328fd8c2ce997200129fc7c24d4f5d479cab3bd7d3cf604dd534da7365
  SHA512 73889ee172d28f2a1dd867af5efc00c31f5ca502da42b20ba5b4e8462cdb38c5530600bcebe52c21e07f4ad3758e1a14547a4221d4c50c99631fe1ab5dc0a884