Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02-02-2024 11:03

Static task: static1
Behavioral task: behavioral1
Sample: 8958de5c2bf9701d5a7d93d25444c447.dll
Resource: win7-20231215-en
General
- Target: 8958de5c2bf9701d5a7d93d25444c447.dll
- Size: 1.7MB
- MD5: 8958de5c2bf9701d5a7d93d25444c447
- SHA1: a7ce13895a1f347b2efb1b028041e78376a8193d
- SHA256: f07f4994e0fb57cc2f550e7cc7059b2eb27470c13df7ff76e488626d7e8c5efb
- SHA512: 5dee19a23e54b34acd0a7eca69ebdac3f9c5c0b124d07640a075013f3610263172a7ea804bb1176294e4e800ce2d16e5670fec4455fef21a67c68f8f0183fbbf
- SSDEEP: 12288:rVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:qfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
-
Processes:
  resource                                                                      yara_rule
  behavioral2/memory/3496-4-0x0000000002DA0000-0x0000000002DA1000-memory.dmp    dridex_stager_shellcode
Executes dropped EXE 3 IoCs
Processes:
  pid    process
  736    Netplwiz.exe
  3020   SysResetErr.exe
  2208   Netplwiz.exe
Loads dropped DLL 3 IoCs
Processes:
  pid    process
  736    Netplwiz.exe
  3020   SysResetErr.exe
  2208   Netplwiz.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Hwtkseldaftjsj = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\QUICKL~1\\4GUS\\SYSRES~1.EXE"
  process: (not shown)
Checks whether UAC is enabled
Processes:
  description         ioc                                                                                 process
  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   rundll32.exe
  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   Netplwiz.exe
  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   SysResetErr.exe
  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   Netplwiz.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
  pid    process
  2508   rundll32.exe   (4 entries)
  3496   (process name not shown; 60 entries)
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
  description                          pid    target process
  PID 3496 wrote to memory of 3760     3496   Netplwiz.exe
  PID 3496 wrote to memory of 3760     3496   Netplwiz.exe
  PID 3496 wrote to memory of 736      3496   Netplwiz.exe
  PID 3496 wrote to memory of 736      3496   Netplwiz.exe
  PID 3496 wrote to memory of 548      3496   SysResetErr.exe
  PID 3496 wrote to memory of 548      3496   SysResetErr.exe
  PID 3496 wrote to memory of 3020     3496   SysResetErr.exe
  PID 3496 wrote to memory of 3020     3496   SysResetErr.exe
  PID 3496 wrote to memory of 1600     3496   Netplwiz.exe
  PID 3496 wrote to memory of 1600     3496   Netplwiz.exe
  PID 3496 wrote to memory of 2208     3496   Netplwiz.exe
  PID 3496 wrote to memory of 2208     3496   Netplwiz.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\8958de5c2bf9701d5a7d93d25444c447.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID: 2508
- C:\Windows\system32\Netplwiz.exe
  Command line: C:\Windows\system32\Netplwiz.exe
  PID: 3760
- C:\Users\Admin\AppData\Local\8Vpo4\Netplwiz.exe
  Command line: C:\Users\Admin\AppData\Local\8Vpo4\Netplwiz.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 736
- C:\Windows\system32\SysResetErr.exe
  Command line: C:\Windows\system32\SysResetErr.exe
  PID: 548
- C:\Users\Admin\AppData\Local\Uv0DTXN\Netplwiz.exe
  Command line: C:\Users\Admin\AppData\Local\Uv0DTXN\Netplwiz.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 2208
- C:\Windows\system32\Netplwiz.exe
  Command line: C:\Windows\system32\Netplwiz.exe
  PID: 1600
- C:\Users\Admin\AppData\Local\bDWwEIYm\SysResetErr.exe
  Command line: C:\Users\Admin\AppData\Local\bDWwEIYm\SysResetErr.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 3020
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\tDNPr89K6bi\NETPLWIZ.dll
  Filesize: 376KB
  MD5: 27d34f39b88d5f2895983de165c72f5a
  SHA1: 0f5e1b131b69c0c90c6a6ee77483c4d9c8538362
  SHA256: 32fb0c879820b5acc5361a2ae6d436bb9fd1f39b3691ddcf858dc0518924d62d
  SHA512: d48eafeba2200955bf3d6e705adb39d738c1a62a6cf3ec34531179cd5429bdd8278b9c76de5cdf88d9837b7b70ae14714f960acfba66b41e7dc839728a1edd84