Analysis
max time kernel: 149s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18-10-2024 07:16
Static task: static1
Behavioral task: behavioral1
- Sample: 9d547a1ca3ef9b612354dc907c31c5acf7310f540dc48686f3157398d1e53bb7.dll
- Resource: win7-20240729-en
Behavioral task: behavioral2
- Sample: 9d547a1ca3ef9b612354dc907c31c5acf7310f540dc48686f3157398d1e53bb7.dll
- Resource: win10v2004-20241007-en
General
Target: 9d547a1ca3ef9b612354dc907c31c5acf7310f540dc48686f3157398d1e53bb7.dll
Size: 1.2MB
MD5: 02cc0f2d0a0c7407558ac5a569c4e04c
SHA1: 4b7060c03c224e42c420651368c73dbddcc3a3e3
SHA256: 9d547a1ca3ef9b612354dc907c31c5acf7310f540dc48686f3157398d1e53bb7
SHA512: ac134e657c9ec47511245fdcbf717221a83eda2faea7e57560a59e212efa9312f4f13abc29b81be6210405680f507c5d921c4f6fe9ec933249c093e342eef554
SSDEEP: 6144:k34xznfAp4x+NWMqW/KZ1vCDTEpc2bysCZR6iwAtUnWKT5WK8Rpv1llfFfCRAuTI:kIKp/UWCZdCDh2IZDwAFRpR6Aup
Malware Config
Signatures
resource / yara_rule:
- behavioral2/memory/3456-4-0x00000000025D0000-0x00000000025D1000-memory.dmp: dridex_stager_shellcode
resource / yara_rule:
- behavioral2/memory/2672-1-0x00007FF917F90000-0x00007FF9180C3000-memory.dmp: dridex_payload
- behavioral2/memory/3456-26-0x0000000140000000-0x0000000140133000-memory.dmp: dridex_payload
- behavioral2/memory/3456-18-0x0000000140000000-0x0000000140133000-memory.dmp: dridex_payload
- behavioral2/memory/3456-37-0x0000000140000000-0x0000000140133000-memory.dmp: dridex_payload
- behavioral2/memory/2672-40-0x00007FF917F90000-0x00007FF9180C3000-memory.dmp: dridex_payload
- behavioral2/memory/4004-48-0x00007FF909AD0000-0x00007FF909C05000-memory.dmp: dridex_payload
- behavioral2/memory/4004-51-0x00007FF909AD0000-0x00007FF909C05000-memory.dmp: dridex_payload
- behavioral2/memory/4416-60-0x00007FF9092F0000-0x00007FF909424000-memory.dmp: dridex_payload
- behavioral2/memory/4416-65-0x00007FF9092F0000-0x00007FF909424000-memory.dmp: dridex_payload
- behavioral2/memory/2604-76-0x00007FF9088F0000-0x00007FF908A24000-memory.dmp: dridex_payload
- behavioral2/memory/2604-80-0x00007FF9088F0000-0x00007FF908A24000-memory.dmp: dridex_payload
Executes dropped EXE 3 IoCs
pid / Process:
- 4004 mmc.exe
- 4416 cttune.exe
- 2604 DisplaySwitch.exe
Loads dropped DLL 3 IoCs
pid / Process:
- 4004 mmc.exe
- 4416 cttune.exe
- 2604 DisplaySwitch.exe
Adds Run key to start application 2 TTPs 1 IoCs
description / ioc / Process:
- Set value (str): \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Husvxt = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\PVmCD\\cttune.exe" (Process not Found)
Checks whether UAC is enabled
description / ioc / Process:
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (rundll32.exe)
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (mmc.exe)
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (cttune.exe)
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (DisplaySwitch.exe)
Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid / Process:
- 2672 rundll32.exe (4 entries)
- 3456 Process not Found (all remaining entries, identical)
Suspicious use of UnmapMainImage 1 IoCs
pid / Process:
- 3456 Process not Found
Suspicious use of WriteProcessMemory 12 IoCs
description / pid / Process / procid_target (each entry appears twice in the report):
- PID 3456 wrote to memory of 1176 (pid 3456, Process not Found, procid_target 87)
- PID 3456 wrote to memory of 4004 (pid 3456, Process not Found, procid_target 88)
- PID 3456 wrote to memory of 4864 (pid 3456, Process not Found, procid_target 93)
- PID 3456 wrote to memory of 4416 (pid 3456, Process not Found, procid_target 94)
- PID 3456 wrote to memory of 4136 (pid 3456, Process not Found, procid_target 96)
- PID 3456 wrote to memory of 2604 (pid 3456, Process not Found, procid_target 97)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Windows\system32\rundll32.exe
command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\9d547a1ca3ef9b612354dc907c31c5acf7310f540dc48686f3157398d1e53bb7.dll,#1
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID: 2672

C:\Windows\system32\mmc.exe
command line: C:\Windows\system32\mmc.exe
PID: 1176

C:\Users\Admin\AppData\Local\jyIiiepfH\mmc.exe
command line: C:\Users\Admin\AppData\Local\jyIiiepfH\mmc.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID: 4004

C:\Windows\system32\cttune.exe
command line: C:\Windows\system32\cttune.exe
PID: 4864

C:\Users\Admin\AppData\Local\3ZS1WJ6Go\cttune.exe
command line: C:\Users\Admin\AppData\Local\3ZS1WJ6Go\cttune.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID: 4416

C:\Windows\system32\DisplaySwitch.exe
command line: C:\Windows\system32\DisplaySwitch.exe
PID: 4136

C:\Users\Admin\AppData\Local\X2l\DisplaySwitch.exe
command line: C:\Users\Admin\AppData\Local\X2l\DisplaySwitch.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID: 2604
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (1): Accessibility Features (1)
Downloads