Analysis
max time kernel: 155s
max time network: 127s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 22-12-2023 16:12
Static task: static1
Behavioral task: behavioral1
Sample: eaf0253303d762297bfe8a16d4011c06.dll
Resource: win7-20231215-en
General
Target: eaf0253303d762297bfe8a16d4011c06.dll
Size: 2.1MB
MD5: eaf0253303d762297bfe8a16d4011c06
SHA1: 0d4f0dadb228828861593e2582044e6160edd443
SHA256: eee23c7594dadc97d779a835a31eaa189bcbb14273cdffebc64e7fef7e5ff036
SHA512: ea25b83a26e1a07782c6a88828ddc437bca8659429163ae21f53025e6f253f314244851acf176ed31746e6cd1a5e36f5186d91e531d25ee35dcb17c732e8ab9f
SSDEEP: 12288:hVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:QfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
YARA rule match: dridex_stager_shellcode
resource: behavioral1/memory/1232-5-0x00000000025A0000-0x00000000025A1000-memory.dmp
yara_rule: dridex_stager_shellcode
The hit is a single 4 KiB region inside PID 1232, the process that does not appear in the process tree below but is the parent that writes memory into every copied binary (see the WriteProcessMemory entries).
Executes dropped EXE 3 IoCs
pid   Process
1644  tabcal.exe
2580  icardagt.exe
2572  rdrleakdiag.exe
Loads dropped DLL 7 IoCs
pid   Process
1232  (process name not recorded)
1644  tabcal.exe
1232  (process name not recorded)
2580  icardagt.exe
1232  (process name not recorded)
2572  rdrleakdiag.exe
1232  (process name not recorded)
Adds Run key to start application 2 TTPs 1 IoCs
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\Xkgbzoakajt = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\NETWOR~1\\1AsX\\icardagt.exe"
Process: (not recorded)
Two details matter for detection here: the value data is written with 8.3 short-name components (MICROS~1, NETWOR~1), so a rule that matches on the long form of the path will miss it, and the autostart target is a copy of icardagt.exe under the user's roaming profile rather than the signed original in C:\Windows\system32.
Checks whether UAC is enabled 4 IoCs
description        ioc                                                                                    Process
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  tabcal.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  icardagt.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rdrleakdiag.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid   Process
1652  rundll32.exe (3 entries)
1232  (process name not recorded; remaining 61 entries)
Suspicious use of WriteProcessMemory 18 IoCs
description                          pid   procid_target  entries
PID 1232 wrote to memory of 2492     1232  28             3
PID 1232 wrote to memory of 1644     1232  29             3
PID 1232 wrote to memory of 1852     1232  30             3
PID 1232 wrote to memory of 2580     1232  31             3
PID 1232 wrote to memory of 2068     1232  32             3
PID 1232 wrote to memory of 2572     1232  33             3
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
All seven entries below sit at the same depth: their parent, PID 1232, is not listed in the tree but is the process that holds the stager shellcode and writes into each of them. For each system32 binary the parent first launches the original and then a copy placed in a randomly named folder under AppData\Local; only the copies are flagged as dropped executables that load a dropped DLL.

C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\eaf0253303d762297bfe8a16d4011c06.dll,#1
  PID: 1652
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses

C:\Windows\system32\tabcal.exe
  command line: C:\Windows\system32\tabcal.exe
  PID: 2492

C:\Users\Admin\AppData\Local\bZSlh83\tabcal.exe
  command line: C:\Users\Admin\AppData\Local\bZSlh83\tabcal.exe
  PID: 1644
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled

C:\Windows\system32\icardagt.exe
  command line: C:\Windows\system32\icardagt.exe
  PID: 1852

C:\Users\Admin\AppData\Local\MISQZKzY\icardagt.exe
  command line: C:\Users\Admin\AppData\Local\MISQZKzY\icardagt.exe
  PID: 2580
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled

C:\Windows\system32\rdrleakdiag.exe
  command line: C:\Windows\system32\rdrleakdiag.exe
  PID: 2068

C:\Users\Admin\AppData\Local\k5ZvGLujJ\rdrleakdiag.exe
  command line: C:\Users\Admin\AppData\Local\k5ZvGLujJ\rdrleakdiag.exe
  PID: 2572
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
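The process tree and the Run-key entry above describe one pattern: signed system32 binaries (tabcal.exe, icardagt.exe, rdrleakdiag.exe) copied into random AppData folders and executed from there, a DLL with a system name (VERSION.dll) dropped next to them, and an autostart value that points into AppData using 8.3 short names. The hunt logic below is an added example, not part of the sandbox report; the process, image-load and registry events it runs over are constructed from the paths in the report (the VERSION.dll load event and the OneDrive control value are invented for illustration), and the host and DLL allow-lists are assumptions to be extended from your own telemetry.

```python
"""Hunt for the side-loading and Run-key pattern shown in the process tree."""
from typing import Dict, List, Optional
import ntpath
import re

# Directories from which a copy of a Windows system binary is expected.
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Signed system32 binaries the report shows copied to AppData and re-run.
# Assumed host allow-list; extend it from your own telemetry.
SIDELOAD_HOSTS = {"tabcal.exe", "icardagt.exe", "rdrleakdiag.exe"}

# DLL names a loader plants beside the copied host; the report drops VERSION.dll.
SIDELOAD_DLLS = {"version.dll"}

APPDATA_RE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\")
SHORTNAME_RE = re.compile(r"~\d+(\\|$)")  # an 8.3 component such as MICROS~1


def _norm(path: str) -> str:
    """Lower-case, de-quote and normalise a Windows path (ntpath works off-Windows too)."""
    return ntpath.normpath(path.strip().strip('"')).lower()


def in_trusted_dir(path: str) -> bool:
    directory = ntpath.dirname(_norm(path))
    return any(directory == t or directory.startswith(t + "\\") for t in TRUSTED_DIRS)


def check_process(image: str) -> Optional[str]:
    """Flag a known side-load host executed from outside system32/syswow64."""
    p = _norm(image)
    name = ntpath.basename(p)
    if name in SIDELOAD_HOSTS and not in_trusted_dir(p):
        return f"sideload host {name} run from {ntpath.dirname(p)}"
    return None


def check_image_load(dll: str) -> Optional[str]:
    """Flag a system DLL name resolved from a non-system directory."""
    p = _norm(dll)
    name = ntpath.basename(p)
    if name in SIDELOAD_DLLS and not in_trusted_dir(p):
        return f"{name} loaded from {ntpath.dirname(p)}"
    return None


def check_run_value(value_name: str, data: str) -> List[str]:
    """Flag Run-key data that hides its path with 8.3 names, lives under
    AppData, or autostarts one of the side-load hosts."""
    findings: List[str] = []
    p = _norm(data)
    if SHORTNAME_RE.search(p):
        findings.append(f"Run\\{value_name}: 8.3 short-name components in {data}")
    if APPDATA_RE.match(p):
        findings.append(f"Run\\{value_name}: autostart from user-writable path {data}")
    if ntpath.basename(p) in SIDELOAD_HOSTS:
        findings.append(f"Run\\{value_name}: autostarts side-load host {ntpath.basename(p)}")
    return findings


# Constructed telemetry mirroring the process tree and registry IoC in the report.
PROCESS_EVENTS = [
    r"C:\Windows\system32\rundll32.exe",
    r"C:\Windows\system32\tabcal.exe",
    r"C:\Users\Admin\AppData\Local\bZSlh83\tabcal.exe",
    r"C:\Windows\system32\icardagt.exe",
    r"C:\Users\Admin\AppData\Local\MISQZKzY\icardagt.exe",
    r"C:\Windows\system32\rdrleakdiag.exe",
    r"C:\Users\Admin\AppData\Local\k5ZvGLujJ\rdrleakdiag.exe",
]
IMAGE_LOADS = [
    r"C:\Windows\system32\version.dll",  # benign: the real system copy
    # The report lists this file as dropped; the load event itself is constructed.
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\E1yZhYB8ERH\VERSION.dll",
]
RUN_VALUES: Dict[str, str] = {
    "Xkgbzoakajt": r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\NETWOR~1\1AsX\icardagt.exe",
    "OneDrive": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background",  # constructed benign control
}


def hunt() -> List[str]:
    """Run every check over the constructed events and return the findings."""
    findings: List[str] = []
    findings += filter(None, (check_process(i) for i in PROCESS_EVENTS))
    findings += filter(None, (check_image_load(d) for d in IMAGE_LOADS))
    for name, data in RUN_VALUES.items():
        findings += check_run_value(name, data)
    return findings


if __name__ == "__main__":
    for line in hunt():
        print(line)
```

The checks key on the binary and DLL names rather than on the folder names, which the loader randomises per infection (bZSlh83, MISQZKzY, k5ZvGLujJ), and the Run-key check normalises to the short-name form before matching, so the MICROS~1 trick does not hide the AppData location. Fed with real Sysmon process-create, image-load and registry-set events the same functions apply unchanged.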
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 49KB
MD5: 714440345169bcccb70f9d91de07440b
SHA1: 2250dd35ee4e2cd001ba4b72a0f7d7fba7bc5c49
SHA256: 5b4e29b5389eeb56d8f832cc44b46f83f591e920ca29a84da4e1bbd7cf0c6984
SHA512: f178539f033015b632851f49c28d103a63626ac805faa489d9816f3c7d1cfffb2ffd6072a15e8efe42acb9aece60e5ba90c046a6f4c050508dbea43c50c08583

Filesize: 0 bytes (these are the hashes of empty input)
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Filesize: 77KB
MD5: 84610cc10a2fb47041c3a21baef53042
SHA1: 0682fd0bc64b863da87959dd7839d022444164b8
SHA256: 9c843f63e9831bb6a46d7459b537d7e32822435e422d3e18a5a589541339e31a
SHA512: f4668e57cb3e21bdb8a6175317e4e20a1128fae6b5b5e199fcb098d02acc67fe8413db8a8b719f54e4c359a47b4d1b589a45f2b909c9c8950c44ceb917eaf0aa

Filesize: 91KB
MD5: d0e79b3b6442b42442c373eb7f09cd54
SHA1: 7551bca998b09e2568b1cdcd546edbd243d627fd
SHA256: 879901b105d943f1ff13fd245d9e068226c236b4de7ebbfbbc7551b4f66b9751
SHA512: d8f70941b4a904eb0703e3aa108e98c9a67119f6e72a64ca958cf915b46a883199e9d21c28def12d52bc901c0d8b47b6a0da0259a0f47fe60f65fb38d23ee00f

Filesize: 77KB
MD5: 98e7911befe83f76777317ce6905666d
SHA1: 2780088dffe1dd1356c5dd5112a9f04afee3ee8d
SHA256: 3fe8b63367b4298e70d46e87ce04cc7af5f30dfdb86b79eae41d0731d9415ea1
SHA512: fc0226381d9a6984cccac8282697c78966524e1359f7f6044559b8223e773d3c108dda08a2dd283aa171dca3390801f2c92a5d1dbb978dd7f92a67bd8877b8b6

Filesize: 28KB
MD5: 188ae3689bc48d7da6a59037c342b5dc
SHA1: f39f94974e7f25cbfd039c0a71cbf21256133d4d
SHA256: 37980903e8ba30f74ba57abe647cfe0205adbb3c61bb46c349679e59531ec3bb
SHA512: 0e7b0bbc59b23f2d3d320e3309568f6f9d95991b14a01df2216b451fc124a7195a46a10d5dd6829cf8f5e3ff111ee90dac16864d66080f855b498789f1498f36

Filesize: 39KB
MD5: 5e058566af53848541fa23fba4bb5b81
SHA1: 769ce3bfc45e4d56ed01dbeeeca7be22f9b9eed6
SHA256: ae83b050fa722da7e4b19fc3d534f0126b1ec055643bb1f267b85b55160f4409
SHA512: 352029cf0af7583a4c525cfd1da7467446bac410a885b2768d8052f39577ccce85b21d5bd946be6bf8341e7308c8e4f645e4d79232b93aaf6a92d6cd55f598d0

Filesize: 1KB
MD5: 59c3e152e5d124ebcbbca72cadba68d3
SHA1: 253db94d538db509e860074174912ebb24879ead
SHA256: ca00cffca56e06ebd71cc6a64f68e4d14253163261d8256a8b7439aa4f993f45
SHA512: 4c0e816d51d9351f8c298be81d00e50c12ef8d0292ef77c985f2295255f871df5022f5589ded281736eeb15918aed292971921079e02be774d8970a5c5c77a88

C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\E1yZhYB8ERH\VERSION.dll
Filesize: 2.1MB
MD5: 5f173eb311d3c951d1e063a733ec973d
SHA1: 874d90e11e426366e1aa345afb44419fb6568ca2
SHA256: 3d046c4ec4230295eb98d65d57225b0fdba6d0418d9d6dd9a4f7505318930ff5
SHA512: 2a42bb63752e9e0f1404b9b738db47ced2e0d984f9371c8f84ae865c3831dc408e43b672feae66bd4eb2b90486227424111e1dc2633cb17cbcb9c65288994196

Filesize: 403KB
MD5: 445d63017c270fa584b3c80451d0f3cf
SHA1: 5a23c8fa537dc11a75f7b81eee9723074e220df2
SHA256: 89562abe92940e2a7daa9bdee62dd8048b33cef1072adb3fed0e484ecb9a5ae6
SHA512: e168aec97752ff4d0ce884a2a99ad65d3cc0259f10a8834c3db0563a0a038774634f3eeebc5795344eb8c048d7d2df4139f0a16c67e47d4eeb7dfd24e0cc548f

Filesize: 107KB
MD5: e411dd85183edccc26bb1f520239f0c8
SHA1: 3fd42a1865957fafdb38d8861385ff2f98c8d28b
SHA256: f01a0985f7b7cc466059ef1b219dd1c2f9d9a016ec2eae7de53765326af170a1
SHA512: 62fb37e4f6d4cdf15c268c2e9bd2f09a585d77366e1cd5e3f5785184e563397f51f698bad68aea62e120c6c2c91dde572002d7689ef2de07aafb423ebc3bcdee

Filesize: 5KB
MD5: 99cfe841e9b66c98e703468a43b1d624
SHA1: 93b7df909d13facfb682c3b3a8333326ffbc041a
SHA256: c3d9fec2880a63b968976d6f8bf8a4b02d02136ed99ed0c29530bff24ed7f9c3
SHA512: 8aa9ed22a8211318b7e7b5e494f6acc0ca99e6105ea125e5fc4c62a2c76df1d53545182a023833c85da9b42759f48a6a0b5ca0a40a1ed681caaab6ef1d4d622e

Filesize: 21KB
MD5: 8e0b54df8b66cc931b9109b7ce2286e3
SHA1: 59d747b03db49dd0c59a358fc7de483f8703bc74
SHA256: b0164c3fb9077cb87702e10abe0bc2247611121468ef7dc93c4070d250aa9515
SHA512: a0154958417a2b90e6eea53cbaa99a9d92e6cd0b9fb52568eb9bf2408330164947d7652007956c3e03fb6d499f0e77295287ecbbbac9129ccf2389f72e28bd33

Filesize: 193KB
MD5: 23e7fded8b677ffa978649f5d19316e2
SHA1: d7f2f47decbd212ceb4e2139a9b16bc5c03d0ffa
SHA256: d6ef4138943b3a57c6b35be53fc4b7f855e2c0dd8abe2f05d4e80d2cc77bf363
SHA512: 5ffed789e5425dfc149882729c15aeac1a06a95b598c4764419367953038087ffc6b969f21b3a45ee8567665274ebe4cce2b9ef04ba13dba92fc7c630d912fb1

Filesize: 107KB
MD5: 7e1d955148f704ea0ef37d0b8ceb821a
SHA1: 9a50ffbdebe75c6876b5753c5102b9e180f504a3
SHA256: ce2821bafd80c27b98a601321cb59351ab56f64493d7cb7b063b968da5849e92
SHA512: 92df7a2157d76f33641311b5ca5ee20032f96b0e50478bd48324050830fa28b0393566de4c05efa5d1f9892c3064879db5fd7b15c95419d95a86c25b0914eb39

Filesize: 947B
MD5: 72267b1d52040f3a585a6db7c1361e70
SHA1: 2c30e3e6b9ed18509418c8ee936dab8f841e1319
SHA256: 07265146f0a1982a0a99338741a546729ef5d7df0c78e847830a1923cbc93f3c
SHA512: 7ae56828806acd9fbdcd75bea531f5235b67ef532fce6c4037ec8ab2f963bf0c91eeb2298b4721523a20c5e3cff56acd65513743c33990a408befe27d1077c39

Filesize: 63KB
MD5: c68bac7ac7363f8876c4bd30137469c2
SHA1: d8c0cd80d8c742d8cf9b36e78c3a9ae52bf78155
SHA256: 0930c566789d3c08086385033d6d79be5012fce10bc2b0b75eebd203559becee
SHA512: 2a40c1f9f1e70a3d8ff3bab629d727838af9eb46f0993ea77280e4275aa5bb3bcc1a90942d448f4ac15b8f482d562cf54d1ddb7a6ac215d1bf2af2e7652c82b2