Analysis
-
max time kernel
149s -
max time network
135s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
26-10-2024 05:09
Static task
static1
Behavioral task
behavioral1
Sample
f5d660b977e22b4d550dca849e073ac6c0378b3158672b954a5a78c63a4ee6e8.dll
Resource
win7-20240903-en
General
-
Target
f5d660b977e22b4d550dca849e073ac6c0378b3158672b954a5a78c63a4ee6e8.dll
-
Size
677KB
-
MD5
155d603dd9fd58ebe24a854d6597e345
-
SHA1
3c43fdaa5916faf0aa144f918e71620b66b4c3d3
-
SHA256
f5d660b977e22b4d550dca849e073ac6c0378b3158672b954a5a78c63a4ee6e8
-
SHA512
e0b43c7a69318b198b63e821bf0543bfbb4e414c8084ee1b6b3aa4bbd0f3c8ee52723ab0496308bbba8411b2ac361c42b3c110c95165367e187b25e94f1148e3
-
SSDEEP
12288:bMotqoDpGg+O0HCmTkLK+qIRl+lC0fVtN86WCjt:IotMg+OsCoiK+9l+lhTTWC
Malware Config
Signatures
-
Dridex family
-
Processes:
resource yara_rule behavioral2/memory/3572-3-0x0000000002A60000-0x0000000002A61000-memory.dmp dridex_stager_shellcode -
Processes:
resource yara_rule behavioral2/memory/4984-0-0x0000000140000000-0x00000001400B0000-memory.dmp dridex_payload behavioral2/memory/3572-27-0x0000000140000000-0x00000001400B0000-memory.dmp dridex_payload behavioral2/memory/3572-38-0x0000000140000000-0x00000001400B0000-memory.dmp dridex_payload behavioral2/memory/4984-41-0x0000000140000000-0x00000001400B0000-memory.dmp dridex_payload behavioral2/memory/3344-48-0x0000000140000000-0x00000001400B1000-memory.dmp dridex_payload behavioral2/memory/3344-53-0x0000000140000000-0x00000001400B1000-memory.dmp dridex_payload behavioral2/memory/3172-69-0x0000000140000000-0x00000001400B1000-memory.dmp dridex_payload behavioral2/memory/2356-80-0x0000000140000000-0x00000001400F6000-memory.dmp dridex_payload behavioral2/memory/2356-84-0x0000000140000000-0x00000001400F6000-memory.dmp dridex_payload -
Executes dropped EXE 3 IoCs
Processes:
rstrui.exesppsvc.exebdeunlock.exepid process 3344 rstrui.exe 3172 sppsvc.exe 2356 bdeunlock.exe -
Loads dropped DLL 3 IoCs
Processes:
rstrui.exesppsvc.exebdeunlock.exepid process 3344 rstrui.exe 3172 sppsvc.exe 2356 bdeunlock.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description ioc process Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rrsphmonwo = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Acrobat\\bZmQlPv\\sppsvc.exe" -
Processes:
rundll32.exerstrui.exesppsvc.exebdeunlock.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA rundll32.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA rstrui.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA sppsvc.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA bdeunlock.exe -
Modifies registry class 2 IoCs
Processes:
description ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
rundll32.exepid process 4984 rundll32.exe 4984 rundll32.exe 4984 rundll32.exe 4984 rundll32.exe 3572 3572 3572 3572 3572 3572 3572 3572 3572 3572 3572 3572 3572 3572 3572 3572 3572 3572 3572 3572 3572 3572 3572 3572 3572 3572 3572 3572 3572 3572 3572 3572 3572 3572 3572 3572 3572 3572 3572 3572 3572 3572 3572 3572 3572 3572 3572 3572 3572 3572 3572 3572 3572 3572 3572 3572 3572 3572 3572 3572 -
Suspicious use of AdjustPrivilegeToken 12 IoCs
Processes:
description pid process Token: SeShutdownPrivilege 3572 Token: SeCreatePagefilePrivilege 3572 Token: SeShutdownPrivilege 3572 Token: SeCreatePagefilePrivilege 3572 Token: SeShutdownPrivilege 3572 Token: SeCreatePagefilePrivilege 3572 Token: SeShutdownPrivilege 3572 Token: SeCreatePagefilePrivilege 3572 Token: SeShutdownPrivilege 3572 Token: SeCreatePagefilePrivilege 3572 Token: SeShutdownPrivilege 3572 Token: SeCreatePagefilePrivilege 3572 -
Suspicious use of UnmapMainImage 1 IoCs
Processes:
pid process 3572 -
Suspicious use of WriteProcessMemory 10 IoCs
Processes:
description pid process target process PID 3572 wrote to memory of 1584 3572 rstrui.exe PID 3572 wrote to memory of 1584 3572 rstrui.exe PID 3572 wrote to memory of 3344 3572 rstrui.exe PID 3572 wrote to memory of 3344 3572 rstrui.exe PID 3572 wrote to memory of 3172 3572 sppsvc.exe PID 3572 wrote to memory of 3172 3572 sppsvc.exe PID 3572 wrote to memory of 452 3572 bdeunlock.exe PID 3572 wrote to memory of 452 3572 bdeunlock.exe PID 3572 wrote to memory of 2356 3572 bdeunlock.exe PID 3572 wrote to memory of 2356 3572 bdeunlock.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\f5d660b977e22b4d550dca849e073ac6c0378b3158672b954a5a78c63a4ee6e8.dll,#11⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:4984
-
C:\Windows\system32\rstrui.exeC:\Windows\system32\rstrui.exe1⤵PID:1584
-
C:\Users\Admin\AppData\Local\2fJWl6XuP\rstrui.exeC:\Users\Admin\AppData\Local\2fJWl6XuP\rstrui.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3344
-
C:\Windows\system32\sppsvc.exeC:\Windows\system32\sppsvc.exe1⤵PID:3080
-
C:\Users\Admin\AppData\Local\0G1sy\sppsvc.exeC:\Users\Admin\AppData\Local\0G1sy\sppsvc.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3172
-
C:\Windows\system32\bdeunlock.exeC:\Windows\system32\bdeunlock.exe1⤵PID:452
-
C:\Users\Admin\AppData\Local\3crWNu\bdeunlock.exeC:\Users\Admin\AppData\Local\3crWNu\bdeunlock.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2356
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
678KB
MD5a53b50c5f871797c8588ba19624ba6bf
SHA196fd57c5d2f16c5ef636dea760305d5570a568c8
SHA256436b142f3aab12b5d8212fd8a01d2b3c966c666dc27bacadbc1bf3a5d21805f5
SHA512009059db14ab5c75de1bdbed8af8798f7969a77e3d38676643e5771394e7d1e4993aee05f0aa330ecdb50e3165d69891848aa401ea766ff89554400cd4e94e67
-
Filesize
4.4MB
MD5ec6cef0a81f167668e18fa32f1606fce
SHA16d56837a388ae5573a38a439cee16e6dde5b4de8
SHA25682c59a2f606ebf1a8a0de16be150600ac63ad8351c6bf3952c27a70257cb70f8
SHA512f40b37675329ca7875d958b4b0019082548a563ada217c7431c2ca5c7f93957b242f095f7f04bcdd6240b97ea99e89bfe3a003f97c43366d00a93768fef7b4c5
-
Filesize
678KB
MD5929fbfad98ac0381a1d1b24f42167bc8
SHA1b96e640626fb51b28e2178083aabd69feda4f660
SHA256d4b7121a2d79e7b96d4bb461a8e0da47a1182012473773ffb28046501c3a1408
SHA512a756782d8189f6d93bced7f5ac4b80323aa7af37288f566deee0ecb028d9af3f06ede9a44d8a90bf8a4523de723deb105a6ef49f2de7ae2f2a225d693c83631a
-
Filesize
268KB
MD54cad10846e93e85790865d5c0ab6ffd9
SHA18a223f4bab28afa4c7ed630f29325563c5dcda1a
SHA2569ddcfcaf2ebc810cc2e593446681bc4ccbad39756b1712cf045db8dee6310b4b
SHA512c0db44de0d35a70277f8621a318c5099378da675376e47545cfbfa7412e70a870fd05c92e0d6523ea2e0139d54d9eeaed14973762341fa3154406ae36f4ce7c6
-
Filesize
954KB
MD554ae0ec24ada59f1c02f53d8a1a386c8
SHA162f5b5e22141942e41ba3a8dc9fcadfc7a50b3a6
SHA256cae12550fb91838101e6857699c35bf1cad79c9b436e7528e19ccc0639b4c8bb
SHA512759b8b0af60d242e99db3a21bf2b1364e0950858fcc82cd2e706a18b9e4766be50b12283fe4abde947c4b5c16d640d9e5535e7a8dd04a62fdabc2b9c2521537a
-
Filesize
279KB
MD5fef5d67150c249db3c1f4b30a2a5a22e
SHA141ca037b0229be9338da4d78244b4f0ea5a3d5f3
SHA256dcfdd67bf3244ff86cadaaea50b43cce5479014ea2021c0c2fb40b7c856e5603
SHA5124ded9ca87d9d30c31ab2baededaa6e26681741ea1742d80c318173536c643a01bc049e03a03c3b45b3cb8860464a855830e12e87670503e65eedcdd5e9b2d1e7
-
Filesize
1KB
MD5d1cdf103107add38472c6b3c9f579cf4
SHA17d00a5771a9907efe38947d799167ccd5a5639f2
SHA2567ace7ed71330d0134eb89f76829ec3965ba0d8e565b27b70edec29edabcbb7d5
SHA512744fd50f2737ac9606d9da6f1bb497b1b47bc0792271c5d0653b4abb61c2b976a1e0845babb04d337daaab8d112103ec3d207cb829ccda7f605d84a6ac996f31