Analysis
-
max time kernel
149s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
14-11-2024 17:10
Static task
static1
Behavioral task
behavioral1
Sample
3b8ccbf4ae592f02e2fbe743c82f523486fe5da1c6386edfce800ef4c4dd41f3.dll
Resource
win7-20241010-en
General
-
Target
3b8ccbf4ae592f02e2fbe743c82f523486fe5da1c6386edfce800ef4c4dd41f3.dll
-
Size
672KB
-
MD5
3aca1383a7540c9153c2064e5d66af1c
-
SHA1
c2afd47eb14d504194df17e550407989e34d91aa
-
SHA256
3b8ccbf4ae592f02e2fbe743c82f523486fe5da1c6386edfce800ef4c4dd41f3
-
SHA512
a513bc6cb4c62792ecc1a18e5927322535e9403c72b95b2181e1ef4aaaaf883e7cbcd19de0310dbc85dce93a53d2286cdf1272e2e5c9e6f3953d77542161dad7
-
SSDEEP
6144:934xznfAp4x+NWMqW/KZ1vCDTEpc2bysCZR6iwAtUnWKT5WK8Rpv1llfFfCRAuTh:9IKp/UWCZdCDh2IZDwAFRpR6AuXt
Malware Config
Signatures
-
Dridex family
-
resource yara_rule behavioral2/memory/3436-3-0x0000000008290000-0x0000000008291000-memory.dmp dridex_stager_shellcode -
resource yara_rule behavioral2/memory/4040-0-0x00007FFC8F7E0000-0x00007FFC8F888000-memory.dmp dridex_payload behavioral2/memory/3436-17-0x0000000140000000-0x00000001400A8000-memory.dmp dridex_payload behavioral2/memory/3436-36-0x0000000140000000-0x00000001400A8000-memory.dmp dridex_payload behavioral2/memory/3436-25-0x0000000140000000-0x00000001400A8000-memory.dmp dridex_payload behavioral2/memory/4040-39-0x00007FFC8F7E0000-0x00007FFC8F888000-memory.dmp dridex_payload behavioral2/memory/2816-47-0x00007FFC7FC10000-0x00007FFC7FCB9000-memory.dmp dridex_payload behavioral2/memory/2816-51-0x00007FFC7FC10000-0x00007FFC7FCB9000-memory.dmp dridex_payload behavioral2/memory/1784-63-0x00007FFC7FBB0000-0x00007FFC7FC59000-memory.dmp dridex_payload behavioral2/memory/1784-67-0x00007FFC7FBB0000-0x00007FFC7FC59000-memory.dmp dridex_payload behavioral2/memory/2324-78-0x00007FFC7FBB0000-0x00007FFC7FC5A000-memory.dmp dridex_payload behavioral2/memory/2324-82-0x00007FFC7FBB0000-0x00007FFC7FC5A000-memory.dmp dridex_payload -
Executes dropped EXE 3 IoCs
pid Process 2816 tabcal.exe 1784 Dxpserver.exe 2324 WFS.exe -
Loads dropped DLL 3 IoCs
pid Process 2816 tabcal.exe 1784 Dxpserver.exe 2324 WFS.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Pzfwfhktmuesbir = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\KTbigSEwN\\Dxpserver.exe" Process not Found -
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA rundll32.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA tabcal.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Dxpserver.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA WFS.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ Process not Found -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4040 rundll32.exe 4040 rundll32.exe 4040 rundll32.exe 4040 rundll32.exe 3436 Process not Found 3436 Process not Found 3436 Process not Found 3436 Process not Found 3436 Process not Found 3436 Process not Found 3436 Process not Found 3436 Process not Found 3436 Process not Found 3436 Process not Found 3436 Process not Found 3436 Process not Found 3436 Process not Found 3436 Process not Found 3436 Process not Found 3436 Process not Found 3436 Process not Found 3436 Process not Found 3436 Process not Found 3436 Process not Found 3436 Process not Found 3436 Process not Found 3436 Process not Found 3436 Process not Found 3436 Process not Found 3436 Process not Found 3436 Process not Found 3436 Process not Found 3436 Process not Found 3436 Process not Found 3436 Process not Found 3436 Process not Found 3436 Process not Found 3436 Process not Found 3436 Process not Found 3436 Process not Found 3436 Process not Found 3436 Process not Found 3436 Process not Found 3436 Process not Found 3436 Process not Found 3436 Process not Found 3436 Process not Found 3436 Process not Found 3436 Process not Found 3436 Process not Found 3436 Process not Found 3436 Process not Found 3436 Process not Found 3436 Process not Found 3436 Process not Found 3436 Process not Found 3436 Process not Found 3436 Process not Found 3436 Process not Found 3436 Process not Found 3436 Process not Found 3436 Process not Found 3436 Process not Found 3436 Process not Found -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeShutdownPrivilege 3436 Process not Found Token: SeCreatePagefilePrivilege 3436 Process not Found Token: SeShutdownPrivilege 3436 Process not Found Token: SeCreatePagefilePrivilege 3436 Process not Found -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 3436 Process not Found 3436 Process not Found -
Suspicious use of UnmapMainImage 1 IoCs
pid Process 3436 Process not Found -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 3436 wrote to memory of 3328 3436 Process not Found 101 PID 3436 wrote to memory of 3328 3436 Process not Found 101 PID 3436 wrote to memory of 2816 3436 Process not Found 102 PID 3436 wrote to memory of 2816 3436 Process not Found 102 PID 3436 wrote to memory of 1720 3436 Process not Found 103 PID 3436 wrote to memory of 1720 3436 Process not Found 103 PID 3436 wrote to memory of 1784 3436 Process not Found 104 PID 3436 wrote to memory of 1784 3436 Process not Found 104 PID 3436 wrote to memory of 3604 3436 Process not Found 105 PID 3436 wrote to memory of 3604 3436 Process not Found 105 PID 3436 wrote to memory of 2324 3436 Process not Found 106 PID 3436 wrote to memory of 2324 3436 Process not Found 106 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\3b8ccbf4ae592f02e2fbe743c82f523486fe5da1c6386edfce800ef4c4dd41f3.dll,#11⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:4040
-
C:\Windows\system32\tabcal.exeC:\Windows\system32\tabcal.exe1⤵PID:3328
-
C:\Users\Admin\AppData\Local\YFJhhg\tabcal.exeC:\Users\Admin\AppData\Local\YFJhhg\tabcal.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2816
-
C:\Windows\system32\Dxpserver.exeC:\Windows\system32\Dxpserver.exe1⤵PID:1720
-
C:\Users\Admin\AppData\Local\vrjtL\Dxpserver.exeC:\Users\Admin\AppData\Local\vrjtL\Dxpserver.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1784
-
C:\Windows\system32\WFS.exeC:\Windows\system32\WFS.exe1⤵PID:3604
-
C:\Users\Admin\AppData\Local\uCOKlmH\WFS.exeC:\Users\Admin\AppData\Local\uCOKlmH\WFS.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2324
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
676KB
MD50aafcf92085bb493cc3387e219cb0549
SHA17b1269ef50cdef19652ef94540fe1b840e3606d4
SHA256134d9cfbf16f0267cda766543ac6efd6ee2a4185892e23237a37767c28de815a
SHA512443345c4de32e625f198fba5470509b0f7f03d8dcc1264474690bc2c83ce9d550622590adb7280ba01c00d9104576fc13614f52e033a9cb418ece81985a46f2d
-
Filesize
84KB
MD540f4014416ff0cbf92a9509f67a69754
SHA11798ff7324724a32c810e2075b11c09b41e4fede
SHA256f31b4c751dbca276446119ba775787c3eb032da72eabcd40ad96a55826a3f33c
SHA512646dfe4cfe90d068c3da4c35f7053bb0f57687875a0f3469c0683e707306e6a42b0baca3e944d78f9be5c564bb0600202c32c223a770f89d3e2b07a24673c259
-
Filesize
944KB
MD53cbc8d0f65e3db6c76c119ed7c2ffd85
SHA1e74f794d86196e3bbb852522479946cceeed7e01
SHA256e23e4182efe7ed61aaf369696e1ce304c3818df33d1663872b6d3c75499d81f4
SHA51226ae5845a804b9eb752078f1ffa80a476648a8a9508b4f7ba56c94acd4198f3ba59c77add4feb7e0420070222af56521ca5f6334f466d5db272c816930513f0a
-
Filesize
680KB
MD5d8219ca5c7fcfc063ca24d99ba182c7d
SHA1ba0ee9c2821a1cbfa0bab473d26e398e4ef786ea
SHA256c7ae1d15f2b366a9144cd8a09c035646b2d9bdc50980a5ba5fbee440ac542b89
SHA5124769082b4867d69b162996c2fc9a30e7e027c04ba9a223c12fd6932b77da868dd9e334ccaeb37bbb96dcc2a67d7e262f1d1f3a1293bc8606709b8dad3b011a90
-
Filesize
310KB
MD56344f1a7d50da5732c960e243c672165
SHA1b6d0236f79d4f988640a8445a5647aff5b5410f7
SHA256b1081651ac33610824e2088ff64d1655993dd3d6073af1e5ffe0b4a0027f502f
SHA51273f6fa01b880e6619fafa065c171bd0a2b7b2d908762b5aca15f2b8d856b5501b3884e3566ef9b8032c8cbf9bb15116e60c22fded4656c8857c974cda4213d65
-
Filesize
676KB
MD58894be2ad43c5cbe83bc62618877dc2c
SHA1f01d4dbc59d3b488cebd52318f788af96302e668
SHA2564f88b20e178ec7b90b79ab8f297588b4ea22df1f844df260dde9cb9c5b9c5304
SHA5124a561809229b3603e191075df95dc06339262b6443ab12c761d463b20142bd6378ee5a8abe91375f2155b7bd96548c07434cc43808008c8bd97ea8ac6e57719e
-
Filesize
1KB
MD5384fe135d725bddf1814ce591f16ba85
SHA11990f11e2ddf6dda4fcfcd63e471114dad56c961
SHA2564dcbc39e3f6cec7126f4b1c71ca1fdb2a4824c5ff14019444dfc32c3c807e758
SHA512da41def5d0e8dde83a75a06f5aef9c137c0a929a732aa4cc7f12aff59493ed5e9db7e671cbe3174e369b8ee3765079d3d293356377a937751143e8af640f32e2