Analysis
-
max time kernel
150s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted
22-12-2023 15:49
Static task
static1
Behavioral task
behavioral1
Sample
e16fbec8441b778d6ffa3c0a50387254.dll
Resource
win7-20231215-en
General
-
Target
e16fbec8441b778d6ffa3c0a50387254.dll
-
Size
1.6MB
-
MD5
e16fbec8441b778d6ffa3c0a50387254
-
SHA1
f4618ea77b9fc65e1dae34efec00a1bee0121580
-
SHA256
dcfe6f600462653084dd91777388c633bf70f43a2c2e9d2b51851feae9aa3598
-
SHA512
501b030422ead74da9a3e43b304008178e612678c8b36bff2c89bcb32a744148d2ccf7ab07e76cdabdf434406c9901bced4b3d3dcd9f9e54e2ed9db1c07aa565
-
SSDEEP
12288:QVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:VfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
-
Processes:
resource                                                                   yara_rule
behavioral1/memory/1324-5-0x00000000026C0000-0x00000000026C1000-memory.dmp  dridex_stager_shellcode
-
Executes dropped EXE 3 IoCs
Processes:
mblctr.exe, DevicePairingWizard.exe, rdpclip.exe
pid   Process
2532  mblctr.exe
2972  DevicePairingWizard.exe
1564  rdpclip.exe
-
Loads dropped DLL 7 IoCs
Processes:
mblctr.exe, DevicePairingWizard.exe, rdpclip.exe
pid   Process
1324
2532  mblctr.exe
1324
2972  DevicePairingWizard.exe
1324
1564  rdpclip.exe
1324
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description      ioc                                                                                                                                                                                                     Process
Set value (str)  \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\Srfjajs = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\UserData\\LW\\DEVICE~1.EXE"
-
Checks whether UAC is enabled
Processes:
rundll32.exe, mblctr.exe, DevicePairingWizard.exe, rdpclip.exe
description        ioc                                                                               Process
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  mblctr.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  DevicePairingWizard.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rdpclip.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
rundll32.exe
pid   Process
1244  rundll32.exe
1244  rundll32.exe
1244  rundll32.exe
1324  (no process name recorded; this entry makes up the remaining 61 of the 64 IoCs)
-
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
description                        pid   Process  procid_target
PID 1324 wrote to memory of 2644   1324           28   (3 entries)
PID 1324 wrote to memory of 2532   1324           29   (3 entries)
PID 1324 wrote to memory of 2928   1324           30   (3 entries)
PID 1324 wrote to memory of 2972   1324           31   (3 entries)
PID 1324 wrote to memory of 1756   1324           32   (3 entries)
PID 1324 wrote to memory of 1564   1324           33   (3 entries)
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\rundll32.exe
Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e16fbec8441b778d6ffa3c0a50387254.dll,#1
PID:1244
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\mblctr.exe
Command line: C:\Windows\system32\mblctr.exe
PID:2644
-
C:\Users\Admin\AppData\Local\Z8q\mblctr.exe
Command line: C:\Users\Admin\AppData\Local\Z8q\mblctr.exe
PID:2532
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
-
C:\Windows\system32\DevicePairingWizard.exe
Command line: C:\Windows\system32\DevicePairingWizard.exe
PID:2928
-
C:\Users\Admin\AppData\Local\iNbW\DevicePairingWizard.exe
Command line: C:\Users\Admin\AppData\Local\iNbW\DevicePairingWizard.exe
PID:2972
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
-
C:\Windows\system32\rdpclip.exe
Command line: C:\Windows\system32\rdpclip.exe
PID:1756
-
C:\Users\Admin\AppData\Local\kl5\rdpclip.exe
Command line: C:\Users\Admin\AppData\Local\kl5\rdpclip.exe
PID:1564
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
196KB
MD5
0d616fe854e844e0842bb0d7a6027c13
SHA1
74f7b43eff9d1ea49fcd5a485765d5cc5774ea33
SHA256
197c5351dd2374f27e3aab956d813f67a7dfce24f22a5b959b5202690d4d79d5
SHA512
92fde42f93638644c59dacc6bf8f2a692f4070d7b0729b912d0ba022df74cd791130af2c16426508e5b7b6b2d9cdc18e0e0c43c07e92ac982acf475c6c99557d
-
Filesize
1.6MB
MD5
8d51a4a683b948b47aab5ef0f1eaf30e
SHA1
42e519cf5ba856b99fa1c37167f6150cca07eba7
SHA256
b73eb3e2e426ce4ccf65c320f65573532c9e4209f03c4308046ac4e4b03ff079
SHA512
ff75c71aec873174be8673f101498615642cc84e60338474101cdcbbbd8a4e4560a91650c0e79c10a52edb4e4b61898861b5157f7060b1418eb7956ab5609dfa