Analysis
- max time kernel: 149s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14-11-2024 17:04
Static task: static1
Behavioral task: behavioral1
- Sample: 943d4fc5d133c77195cc6890a2242901bc15b2d4ee602b95920606549966af3a.dll
- Resource: win7-20241010-en
General
- Target: 943d4fc5d133c77195cc6890a2242901bc15b2d4ee602b95920606549966af3a.dll
- Size: 676KB
- MD5: 8872f507e943dddfbc1a37950c801fd6
- SHA1: 8fcec7153c1819828a6d17899029eab9e313f888
- SHA256: 943d4fc5d133c77195cc6890a2242901bc15b2d4ee602b95920606549966af3a
- SHA512: 3956325e9805bced8d537d4e06241b2db14446e3abb2ed085882454b5fb27f02110db5e1743e68efa4c082be2970b08b572e9690c8b06a171a0e94fc4fc7cb85
- SSDEEP: 6144:p34xznfAp4x+NWMqW/KZ1vCDTEpc2bysCZR6iwAtUnWKT5WK8Rpv1llfFfCRAuTF:pIKp/UWCZdCDh2IZDwAFRpR6Au
Malware Config
Signatures
- Dridex family
resource yara_rule
behavioral2/memory/3436-3-0x00000000025B0000-0x00000000025B1000-memory.dmp dridex_stager_shellcode
behavioral2/memory/1244-1-0x00007FF93EE30000-0x00007FF93EED9000-memory.dmp dridex_payload
behavioral2/memory/3436-18-0x0000000140000000-0x00000001400A9000-memory.dmp dridex_payload
behavioral2/memory/3436-37-0x0000000140000000-0x00000001400A9000-memory.dmp dridex_payload
behavioral2/memory/3436-26-0x0000000140000000-0x00000001400A9000-memory.dmp dridex_payload
behavioral2/memory/1244-40-0x00007FF93EE30000-0x00007FF93EED9000-memory.dmp dridex_payload
behavioral2/memory/3684-47-0x00007FF92F200000-0x00007FF92F2EF000-memory.dmp dridex_payload
behavioral2/memory/3684-52-0x00007FF92F200000-0x00007FF92F2EF000-memory.dmp dridex_payload
behavioral2/memory/3176-64-0x00007FF92F0F0000-0x00007FF92F19B000-memory.dmp dridex_payload
behavioral2/memory/3176-68-0x00007FF92F0F0000-0x00007FF92F19B000-memory.dmp dridex_payload
behavioral2/memory/1184-79-0x00007FF92F2A0000-0x00007FF92F34A000-memory.dmp dridex_payload
behavioral2/memory/1184-83-0x00007FF92F2A0000-0x00007FF92F34A000-memory.dmp dridex_payload
Executes dropped EXE 3 IoCs
pid Process
3684 DmNotificationBroker.exe
3176 EaseOfAccessDialog.exe
1184 SystemPropertiesDataExecutionPrevention.exe
Loads dropped DLL 3 IoCs
pid Process
3684 DmNotificationBroker.exe
3176 EaseOfAccessDialog.exe
1184 SystemPropertiesDataExecutionPrevention.exe
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Nzvdnevrdk = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\NYBCCaIdjV3\\EaseOfAccessDialog.exe" Process not Found
Checks whether UAC is enabled 4 IoCs
description ioc Process
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA rundll32.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA DmNotificationBroker.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA EaseOfAccessDialog.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA SystemPropertiesDataExecutionPrevention.exe
Modifies registry class 1 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ Process not Found
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process
1244 rundll32.exe (4 entries)
3436 Process not Found (60 entries)
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process
3436 Process not Found
3436 Process not Found
Suspicious use of UnmapMainImage 1 IoCs
pid Process
3436 Process not Found
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target
PID 3436 wrote to memory of 2956 3436 Process not Found 92
PID 3436 wrote to memory of 2956 3436 Process not Found 92
PID 3436 wrote to memory of 3684 3436 Process not Found 95
PID 3436 wrote to memory of 3684 3436 Process not Found 95
PID 3436 wrote to memory of 4892 3436 Process not Found 96
PID 3436 wrote to memory of 4892 3436 Process not Found 96
PID 3436 wrote to memory of 3176 3436 Process not Found 97
PID 3436 wrote to memory of 3176 3436 Process not Found 97
PID 3436 wrote to memory of 1564 3436 Process not Found 98
PID 3436 wrote to memory of 1564 3436 Process not Found 98
PID 3436 wrote to memory of 1184 3436 Process not Found 99
PID 3436 wrote to memory of 1184 3436 Process not Found 99
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\943d4fc5d133c77195cc6890a2242901bc15b2d4ee602b95920606549966af3a.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID:1244
- C:\Windows\system32\DmNotificationBroker.exe
  Command line: C:\Windows\system32\DmNotificationBroker.exe
  PID:2956
- C:\Users\Admin\AppData\Local\sgTcI6h3R\DmNotificationBroker.exe
  Command line: C:\Users\Admin\AppData\Local\sgTcI6h3R\DmNotificationBroker.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID:3684
- C:\Windows\system32\EaseOfAccessDialog.exe
  Command line: C:\Windows\system32\EaseOfAccessDialog.exe
  PID:4892
- C:\Users\Admin\AppData\Local\NjbeVLJ\EaseOfAccessDialog.exe
  Command line: C:\Users\Admin\AppData\Local\NjbeVLJ\EaseOfAccessDialog.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID:3176
- C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
  Command line: C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
  PID:1564
- C:\Users\Admin\AppData\Local\hS2RfyCR\SystemPropertiesDataExecutionPrevention.exe
  Command line: C:\Users\Admin\AppData\Local\hS2RfyCR\SystemPropertiesDataExecutionPrevention.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID:1184
Network
MITRE ATT&CK Enterprise v15
Downloads