Analysis
-
max time kernel
150s -
max time network
128s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64 arch:x86 image:win7-20231215-en locale:en-us os:windows7-x64 system
-
submitted
22-12-2023 15:44
Static task
static1
Behavioral task
behavioral1
Sample
df0708fcf553fdf7b27a1591a96257db.dll
Resource
win7-20231215-en
General
-
Target
df0708fcf553fdf7b27a1591a96257db.dll
-
Size
2.0MB
-
MD5
df0708fcf553fdf7b27a1591a96257db
-
SHA1
cb8d06051f06b38cba24df4ccf676c1be7090484
-
SHA256
6dffce1ea68f5480f850e4b067f15d5950bca8d75f8d1a4b70059e11c0e02445
-
SHA512
11ec4c936d13c08215f41a023f3846773aabfa0cc89d35cf2674cc9072e51537fc147b690a1bbb7d4fa1c845eed35345cf78ad43acde8cb8e55e612509d524d6
-
SSDEEP
12288:AVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1xx:lfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
-
Processes:
resource                                                                     yara_rule
behavioral1/memory/1212-5-0x00000000029E0000-0x00000000029E1000-memory.dmp   dridex_stager_shellcode
-
Executes dropped EXE 3 IoCs
Processes:
pid   Process
2620  msconfig.exe
592   mblctr.exe
2940  OptionalFeatures.exe
-
Loads dropped DLL 7 IoCs
Processes:
pid   Process
1212
2620  msconfig.exe
1212
592   mblctr.exe
1212
2940  OptionalFeatures.exe
1212
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description      ioc                                                                                                                                                                                                                                    Process
Set value (str)  \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\Pfoxtyecp = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\QUICKL~1\\USERPI~1\\IMPLIC~1\\UId\\mblctr.exe"
-
Checks whether UAC is enabled
Processes:
description        ioc                                                                                  Process
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  msconfig.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  mblctr.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  OptionalFeatures.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid   Process
2044  regsvr32.exe
2044  regsvr32.exe
2044  regsvr32.exe
1212  (this row is repeated for each of the remaining 61 IoCs; the report resolves no process name for PID 1212)
-
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
description                        pid   Process  procid_target
PID 1212 wrote to memory of 2812   1212           28
PID 1212 wrote to memory of 2812   1212           28
PID 1212 wrote to memory of 2812   1212           28
PID 1212 wrote to memory of 2620   1212           29
PID 1212 wrote to memory of 2620   1212           29
PID 1212 wrote to memory of 2620   1212           29
PID 1212 wrote to memory of 2884   1212           30
PID 1212 wrote to memory of 2884   1212           30
PID 1212 wrote to memory of 2884   1212           30
PID 1212 wrote to memory of 592    1212           31
PID 1212 wrote to memory of 592    1212           31
PID 1212 wrote to memory of 592    1212           31
PID 1212 wrote to memory of 2784   1212           32
PID 1212 wrote to memory of 2784   1212           32
PID 1212 wrote to memory of 2784   1212           32
PID 1212 wrote to memory of 2940   1212           33
PID 1212 wrote to memory of 2940   1212           33
PID 1212 wrote to memory of 2940   1212           33
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\regsvr32.exe
  regsvr32 /s C:\Users\Admin\AppData\Local\Temp\df0708fcf553fdf7b27a1591a96257db.dll
  - Suspicious behavior: EnumeratesProcesses
  PID: 2044
-
C:\Windows\system32\msconfig.exe
  C:\Windows\system32\msconfig.exe
  PID: 2812
-
C:\Users\Admin\AppData\Local\5Thf1kxi\msconfig.exe
  C:\Users\Admin\AppData\Local\5Thf1kxi\msconfig.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 2620
-
C:\Windows\system32\mblctr.exe
  C:\Windows\system32\mblctr.exe
  PID: 2884
-
C:\Users\Admin\AppData\Local\Q6vgZ9\mblctr.exe
  C:\Users\Admin\AppData\Local\Q6vgZ9\mblctr.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 592
-
C:\Windows\system32\OptionalFeatures.exe
  C:\Windows\system32\OptionalFeatures.exe
  PID: 2784
-
C:\Users\Admin\AppData\Local\pXBHn3G4e\OptionalFeatures.exe
  C:\Users\Admin\AppData\Local\pXBHn3G4e\OptionalFeatures.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 2940
Network
MITRE ATT&CK Enterprise v15
Downloads
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
37KB
MD5
cb557015032697289408d0eb7c85dba2
SHA1
1951fa5aa8e69165daa792b40d9ab0abf33afe34
SHA256
5253a4c6f0c186db473b0c3c81be6d4b8a7eb0da71eaf572b67ec8199b2eb46c
SHA512
5941d9d6085f6a337ede461326a229c842c9ebdcb376e74f821ce1322376681d8d275290b197761f9a961728ec4f8ceba4298b15397a4460ec2549130807bae3
-
Filesize
92KB
MD5
92ed19f8f1ba819b7758a9ae0ea8ff40
SHA1
cc012031585c35ed054920460c171efd424f96f0
SHA256
b88d336ba69571de72f949f6d5b07836345eeff6dad077fd3ea8bc96bb3c6053
SHA512
3ef87db59e6418f4c140bc9f537adffc0eca19fd61b82e5ec8896a88870dcb8accf76ed357a2d75060fde7fbe45e8aef0b73b8535ef4e639fce3b7abc2124e03
-
Filesize
4KB
MD5
626cbb4f428f1f3f34e942d4ecd894fc
SHA1
c66280c4fd71f0b3026303f0883d8bfa0d87e2cf
SHA256
aa484e22a8de6109d08a9b13aa757d0de8e5585bf9782c73bed76f5c09210a56
SHA512
fdcb21efa81dad222feacf0f40a514fd0a1642cdd9950eb714c900afa5f9f7fd2483b836d89344d03721605755295e6eb47cdf2804e7892b318686eef63a67db
-
Filesize
109KB
MD5
b7345aa83f5d30dc4f26945b08051a63
SHA1
1e61be248a98505b2007a91afcfa69aa856487df
SHA256
c6e27232e43bab71261f3bb36c8a4a51dfbb33ab068c2defc8e1e23bc6d19735
SHA512
76e6205f3a97e7a9981a42256bbd7596ce16018d7ce701b01ba29f46467de5105536cf96711a5b7a7918271bf29773a627016fcc803db12ed1b44c1c69ce3fcd
-
Filesize
215KB
MD5
20f66e98be35c5986bf6a464a65388d6
SHA1
8f0fa737849b65cfb65fc237ef9194b02f24cec7
SHA256
24a0a70c87d531810640453ead68397ac639f67b83ddb1d2b8ad8d7462ad1146
SHA512
5a112e87bcbfeb9d66ecae41f4522a8dbef8bf56a75fd028160d095f9acf4ec1823deebcf29d9f124e15251cb0a704d93b5982d2bc0e877105f62b833251160d
-
Filesize
1KB
MD5
c9f457cbe2c1cac83ac310666dddc046
SHA1
f7e8fdf3b5516f148c07fc0eaa1312e04f8b372f
SHA256
27c1d175e58e74c490fba42b1f9553e0bf6a00dee0be718a56f6036af9ddb12b
SHA512
35394b244f5c59df299d0a266f4c04ea71756dc89ddcd1f7558ab15af769fc339812a804a52c424dae521461aad279231c147c0bef404de50ca07ab70de13632
-
Filesize
20KB
MD5
505ea6da480b671b9120644f05f4d507
SHA1
4acf7ce35414eceb070aba66b7c8b462e967630f
SHA256
addb52970376323fa60010c1fb5ba8eb75fbbe749f0e873675d4bbeb453eba8c
SHA512
8402201099b61d10e385b257949aaee8eb8e2c7a4b0a1a61028248aa861a65796cc9eb16a4f076b665c239d9bf872ff439415452d3671ae808a5099231680ae7
-
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\UId\dwmapi.dll
Filesize
102KB
MD5
db2a0c4f8b3b34a67c2b5d29cb4d146d
SHA1
8b39526cb57d8c5737983e917e326445a4dcf809
SHA256
45f6bd52669fa654ad9468150d62866407b986969476ff7b81677128e0cdb189
SHA512
ed0f393ac825a1ae3b35e9fbc9a705a9c25e2407f13ea41d0e45c3f2d9143390efaf536050efa17370ddbb22c2117bc58e23242323bc20ba3e7d36b473e2d75b
-
Filesize
124KB
MD5
40dc107b24a9d73b3b34bb00ab9ad43a
SHA1
40d7f9fb1630f615449c1dc04d27fe0688fd1cd3
SHA256
36298f61cec6810d23b0acddaec5cf9d4116de9bee3585de886d20a04a0e18fb
SHA512
089ff96f86ba232dfba98d8f12dd68c8699faa5625d9313adde5baadafdc9ec015441e4ee57a4c9c35d184e960e33b195d3056a8a83dc3a93047e142c30aa9b8
-
Filesize
9KB
MD5
028ea2065ba5e788bc41461da8093a74
SHA1
ddfe32b5cd7575d5c1cf2643a02950dcdc226f60
SHA256
88012febc84cae83b37865a7463fa9e3a055515a6df5004635bcac43ab02ce26
SHA512
671056a45ce67895f8f63678fa60f7a663a5e8ae73b1a92be8d2e74ca60fd51885366be9609c2d76b178f521e0cbef4320c486e05dececd2a10258315f5c6e07
-
Filesize
33KB
MD5
b83b0bc79339d2332db64a9c9e6b7f04
SHA1
e73562899f217ead516289cfe169b813e0f8dab0
SHA256
6503a998aa1ae5343bd218615a8057a9be333b06f3a61660b16e697a2b058583
SHA512
b616986a0b74e8531a21c7b09c2a62528531d013a30c033a5df91362029687cd9b2828207ce0b4b4e1a88ec56a4669ca3590d90620d9e6f7dacf46d87af2818d
-
Filesize
33KB
MD5
13fd77c1bba8d8880e3791c9a3b4cdc6
SHA1
66f331f558c9c23e009599185d0947915d2e8187
SHA256
b4de5a043304d12a8a62fdd02fbbfc4f51537744309284811ef8392ad3ea1178
SHA512
8397990ed95b9e21039b10e8f76fc01334cfd12df81bff2fcdcd11b554302ffbe1da0f94830e895be4731b46b4067dcc052c3e8ab597bf069a0d9a72add3149d
-
Filesize
92KB
MD5
23ff9b897f560c459f3a4203d8a6b957
SHA1
cbd7c34554aea09a8c70e88d6e5314a8b9c1e3c0
SHA256
f54f0da3968d734a123bdf5ddf042597bef765fb1ca148e4ad393d03fa2438b6
SHA512
44c7f62c8614206f8feed98562ee6eb38e70db54bf8ecdcaa4979c24901a51bb4291b4f793fd769029c4d24db87930df9e0114b7ecbf3abde9c5e9bfb11bf1e7