Analysis
max time kernel: 149s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-02-2024 07:20
Static task: static1
Behavioral task: behavioral1
Sample: 88e7c4c98a35a8043d0fb99f1b88898a.dll
Resource: win7-20231215-en
General
Target: 88e7c4c98a35a8043d0fb99f1b88898a.dll
Size: 2.7MB
MD5: 88e7c4c98a35a8043d0fb99f1b88898a
SHA1: fb320c3b7aad7cad0f10d6430b2a244d4daf6aab
SHA256: 9af7f7a4d19d0327bdddeff74e7cc37b1eda5272fdf1853d54708c72c28178d1
SHA512: 5be1d5bf938edc1d1482b0d015ab57dfe8cf812163ac1cb5cb7e02383fa18385c4244dd67e993105faed3b01ad89bf2a83ae3037ef2420cb6de4a88ed2b3085d
SSDEEP: 12288:dVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:EfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
-
Processes:
  resource                                                                    yara_rule
  behavioral2/memory/3548-4-0x0000000006E40000-0x0000000006E41000-memory.dmp  dridex_stager_shellcode
Executes dropped EXE 3 IoCs
Processes:
  pid   process
  1744  SystemPropertiesRemote.exe
  4112  PresentationHost.exe
  3660  SystemPropertiesDataExecutionPrevention.exe
Loads dropped DLL 4 IoCs
Processes:
  pid   process
  1744  SystemPropertiesRemote.exe
  4112  PresentationHost.exe
  4112  PresentationHost.exe
  3660  SystemPropertiesDataExecutionPrevention.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  description      ioc                                                                                                                                                                                                                          process
  Set value (str)  \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tgnmvdx = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\l1quSq\\PresentationHost.exe"  (not recorded)
Processes:
  description        ioc                                                                                 process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  SystemPropertiesRemote.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  PresentationHost.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  SystemPropertiesDataExecutionPrevention.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
  pid   process
  2776  rundll32.exe
  2776  rundll32.exe
  2776  rundll32.exe
  2776  rundll32.exe
  3548  (no process name recorded; this row is repeated for the remaining 60 of the 64 IoCs)
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
  pid   process
  3548  (no process name recorded)
  3548  (no process name recorded)
Suspicious use of UnmapMainImage 1 IoCs
Processes:
  pid   process
  3548  (no process name recorded)
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
  description                       pid   process         target process
  PID 3548 wrote to memory of 728   3548  (not recorded)  SystemPropertiesRemote.exe
  PID 3548 wrote to memory of 728   3548  (not recorded)  SystemPropertiesRemote.exe
  PID 3548 wrote to memory of 1744  3548  (not recorded)  SystemPropertiesRemote.exe
  PID 3548 wrote to memory of 1744  3548  (not recorded)  SystemPropertiesRemote.exe
  PID 3548 wrote to memory of 1564  3548  (not recorded)  PresentationHost.exe
  PID 3548 wrote to memory of 1564  3548  (not recorded)  PresentationHost.exe
  PID 3548 wrote to memory of 4112  3548  (not recorded)  PresentationHost.exe
  PID 3548 wrote to memory of 4112  3548  (not recorded)  PresentationHost.exe
  PID 3548 wrote to memory of 2872  3548  (not recorded)  SystemPropertiesDataExecutionPrevention.exe
  PID 3548 wrote to memory of 2872  3548  (not recorded)  SystemPropertiesDataExecutionPrevention.exe
  PID 3548 wrote to memory of 3660  3548  (not recorded)  SystemPropertiesDataExecutionPrevention.exe
  PID 3548 wrote to memory of 3660  3548  (not recorded)  SystemPropertiesDataExecutionPrevention.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
  path: C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\88e7c4c98a35a8043d0fb99f1b88898a.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID: 2776
-
  path: C:\Windows\system32\SystemPropertiesRemote.exe
  command line: C:\Windows\system32\SystemPropertiesRemote.exe
  PID: 728
-
  path: C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
  command line: C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
  PID: 2872
-
  path: C:\Users\Admin\AppData\Local\RbzX\SystemPropertiesDataExecutionPrevention.exe
  command line: C:\Users\Admin\AppData\Local\RbzX\SystemPropertiesDataExecutionPrevention.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 3660
-
  path: C:\Users\Admin\AppData\Local\rvfa\PresentationHost.exe
  command line: C:\Users\Admin\AppData\Local\rvfa\PresentationHost.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 4112
-
  path: C:\Windows\system32\PresentationHost.exe
  command line: C:\Windows\system32\PresentationHost.exe
  PID: 1564
-
  path: C:\Users\Admin\AppData\Local\iTHmgL96Y\SystemPropertiesRemote.exe
  command line: C:\Users\Admin\AppData\Local\iTHmgL96Y\SystemPropertiesRemote.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 1744
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 213KB
MD5: b457b62cc9e6e8ed883944ebac2b04b7
SHA1: cad04c99d6da4d9d1dcc6d030e12eae5d521230e
SHA256: 28cf4ab6d246e2c1b211f3186d72e4f9c3c298bf234be20ce11be5365f497832
SHA512: f43f3f8783a96fecc1816a4f8837eed6ba79d4f9a1a57f54e39d6aae9bdef630bf1b223c2ed8f500ec24902bb556d90bb90c1e4f964044cc68107202c33d2e4c
-
Filesize: 80KB
MD5: 7179efd9dcfd9c431ff4e1aa8ba436af
SHA1: 8f7639fed1dfbb7e3771ec65a2dc7fcae827f492
SHA256: 27db48702ba3762e172f158a24c4850b6ecf584578131fb49811fb4048866c31
SHA512: 354077f5bd5515f3df541204cf57dd69daad5dd6df98f712452619daf86c23f3f279726734b45d6e4716e1a36394f54f3a5f3df9b4f293d88d00f9651cc046f5
-
Filesize: 82KB
MD5: de58532954c2704f2b2309ffc320651d
SHA1: 0a9fc98f4d47dccb0b231edf9a63309314f68e3b
SHA256: 1f810658969560f6e7d7a14f71d1196382e53b984ca190fa9b178ac4a32acfb3
SHA512: d4d57cc30d9079f4e9193ba42631e8e53d86b22e9c655d7a8c25e5be0e5e1d6dfff4714ddc23e3e392809d623b4f8d43c63893f74c325fc77459ac03c7a451ed
-
Filesize: 172KB
MD5: bb7c2d8169f0f164b88e376382c93254
SHA1: 7da98bc9c4cafb3c4c3f5cbccfbf775b812322ca
SHA256: 5c215f387df01b17306d16230b2d6651238c9c3d1a7d3922159cd8c3c58520ce
SHA512: 18663b55d39aa4a8197e23cd4e5026736082eb4a0236cf3475ab5475c49808d376d063b64c935997919d6d0fdbade6277edb43b35684a7177e7a29178ea18956
-
Filesize: 183KB
MD5: 316bbfda614af2a329ccebec80179284
SHA1: 4dae5670fc147ad5ed42d5f816cbf670047d4063
SHA256: d141fca90242a5c1248b7394301a9868c0e4a65aec890d0ff84dcf954cffdd89
SHA512: d4cdd7b122ff35c6fec3127eb24a3b44b608ba194e880a891ff50813f0df0361e05d4fe05941c5f04bebf592502ec5539abc1835e57816a08c58b8bfc856705f
-
Filesize: 82KB
MD5: cdce1ee7f316f249a3c20cc7a0197da9
SHA1: dadb23af07827758005ec0235ac1573ffcea0da6
SHA256: 7984e2bff295c8dbcbd3cd296d0741e3a6844b8db9f962abdbc8d333e9a83932
SHA512: f1dc529ebfed814adcf3e68041243ee02ba33b56c356a63eba5ef2cb6ede1eda192e03349f6a200d34dfab67263df79cf295be3706f4197b9008ccdc53410c26
-
Filesize: 70KB
MD5: 1df762097651f773e2b444f5f254a01c
SHA1: ace9d081bcecbceaca5ca971a443aaf6feed3052
SHA256: af7ba208e82b49694ac6060d923e2362a9c4b4d4b9965955d61915fca90ada82
SHA512: 81b9406169f08084aa4c6e2e9f2e7da5fec3e14906c4cff91b14e0ef25c300d01f14004164549ccc4e3826600a5fc13f64bbae4f658873dd8b866facee339a42
-
Filesize: 166KB
MD5: 43c70ab6cc578d2a651cd568b99dc3e5
SHA1: 7931b17b579c5055419053b898d096f0b527d807
SHA256: 2e1208b294d4f56cc411a32c7a481078e7cb404dab729587cb3be985dd5389b7
SHA512: 30e9e2592b2b8c4b34ae38275b0d1c9476276a96a1c056ea7b548cda240fdf15fb0779880e69b796f6efda1e9b6f19f159bddf6157a4e8cfe5fa2bb5bd623aa3
-
Filesize: 293KB
MD5: aa8ca50e8f18b40df19b960c56f81579
SHA1: e050826b1d5bd43363f53dc93e38680f027c1496
SHA256: f3563cf09642096baea99b2227bf0ad82ed8d5e74fc6bb6cec24e370ccf6eee1
SHA512: 6ad9b5d9836f74fa388022cb5c3078d3d9cb0c0a3e204e005b5ad9ece3473c9840573768f8e817028c31145a6bea8b4d16e25463239300a202d5862e4e8bf75a
-
Filesize: 241KB
MD5: 7c94a15b1006d48f46021ddafa2ae348
SHA1: a6bbcea3ec401197702c92caf895f7be58b67327
SHA256: 72d6baebb2defa7927fd575a17501a730e7473d249dea5f00138831fe7fbb24f
SHA512: b7cff4d1c32a2c3f70e7c08494ba182b3058e67141bc89df6619bc16021f62a4262caecfd3e9580dae20a5058140f79d61331c4419738367ee75d71aa304311a
-
Filesize: 226KB
MD5: 45db05affaabbe3dc6be67a4dc4a6afc
SHA1: e58c3548c98d36e4037252e1a52a3a7e1027fe18
SHA256: ec75cca13641aea341c0093773747e68d4c40c710722cb5be4a16bf78dcd649b
SHA512: 86dddf7ee9da0289a2b0c0d5f2091a3f49c8f050e50b04f1b40b557669020be58dadd5764fd364cb6b113d80178bfe44d31aa87fc8b02137e4ae9d748582a8a6
-
Filesize: 1KB
MD5: ada73b4215811d72d11346c16a54acf2
SHA1: 4ecffeb199c2b61fba9fc5b8629ed65b8f88a4e0
SHA256: 1b4263224d37494f7d44f32b6a52260e2506d770d39f1d3ea2bd390de14fe63b
SHA512: 58bd2c97c528812381c8a33aec8e3b16a092224af34dafeaafbedbe3b97051539eefb60ec3047f78a5c8a9aa7fb24516912a8144613eacfcd253f90e2aaa28fa
-
Filesize: 45KB
MD5: 93883646947bfbe1bbfae9eefaaaa3d4
SHA1: 8ab30699b5705d8748f23a85776c840e45bdccf0
SHA256: bbbded9c6f5ae0a20d571e32a42681bf41653a83758822525155527c81970078
SHA512: a9a2e8b09d996282c0e34215e40772fbece8f1207f892391cdb8f4d8c0377caf44a4ae86770403c1e0d88c4be56a3816ecc042a96521f1daa95b156a805fc8e2
-
Filesize: 2.7MB
MD5: 730abe2373b4f3e3c6ca10288cf9ea23
SHA1: ac1f0218ecf44a2046278bd6011e3760b5a25772
SHA256: d1035153139ac2d879a67d2b8888d8d730812ee9a9730ceb047aa9ea5574c2c2
SHA512: 97f4e17641333c5b1892d73f832e56dbf36344a03b6049bd22afefe53331e77f88d0ab686912f7c169b4399abfbe4c49d5b4b9085f85d55f4bd49cfe99319bc7
-
Filesize: 2.7MB
MD5: a649bac21a9678e1de93db3d0bf155d6
SHA1: 794428c801becf44de4227d1b7740e915c55de41
SHA256: 356fa80cb19c1bb09ae2db4d6950e70f813bf36f097e6f8e8802981d240aa661
SHA512: 1a7db7d96e6139d28954e6d53551417df946d4baa6eab73ea708d65e151b93cae2ba32efab3fe6960af2bb9aaa56707b5deac3fc006ac43b3e0128f7208a0448