Analysis
-
max time kernel
133s
-
max time network
125s
-
platform
windows10-2004_x64
-
resource
win10v2004-20231215-en
-
resource tags
arch:x64 arch:x86 image:win10v2004-20231215-en locale:en-us os:windows10-2004-x64 system
-
submitted
26-12-2023 16:57
Static task
static1
Behavioral task
behavioral1
Sample
7e7645b86e265b69aed08c4852fe6291.dll
Resource
win7-20231215-en
General
-
Target
7e7645b86e265b69aed08c4852fe6291.dll
-
Size
1.1MB
-
MD5
7e7645b86e265b69aed08c4852fe6291
-
SHA1
0e39986ca509db0826c81ca3693fecb375726dcb
-
SHA256
e0980b4994c3d61ec8c3ab1db13ef837487bd2e209e97a4ad4708211d9d4d712
-
SHA512
2f2f7e96591bf49bec9e3b56f7457ee00ca85bd7812c6de3a27097fdfda3beb9b42467b7e0f11b01036704c635e461bbf3a2f12877f672a7de1af462611b26ff
-
SSDEEP
12288:JkbQEkWqv+157EYfxarhwLNuR7ek1tHffB/HzTyNQ6NIeGYr/RUX/ShJ:JkbHkWfzZ5adwLNGeStHntqN7vaP
Malware Config
Signatures
-
Processes:
resource  yara_rule
behavioral2/memory/3448-3-0x00000000029A0000-0x00000000029A1000-memory.dmp  dridex_stager_shellcode
-
Processes:
resource  yara_rule
behavioral2/memory/3292-0-0x00007FF987870000-0x00007FF987989000-memory.dmp  dridex_payload
behavioral2/memory/3448-20-0x0000000140000000-0x0000000140119000-memory.dmp  dridex_payload
behavioral2/memory/3448-38-0x0000000140000000-0x0000000140119000-memory.dmp  dridex_payload
behavioral2/memory/3448-27-0x0000000140000000-0x0000000140119000-memory.dmp  dridex_payload
behavioral2/memory/3292-41-0x00007FF987870000-0x00007FF987989000-memory.dmp  dridex_payload
behavioral2/memory/3500-48-0x00007FF974930000-0x00007FF974A4A000-memory.dmp  dridex_payload
behavioral2/memory/3500-53-0x00007FF974930000-0x00007FF974A4A000-memory.dmp  dridex_payload
behavioral2/memory/4040-69-0x00007FF974930000-0x00007FF974A4A000-memory.dmp  dridex_payload
behavioral2/memory/4276-86-0x00007FF974930000-0x00007FF974A4A000-memory.dmp  dridex_payload
-
Executes dropped EXE 3 IoCs
Processes:
pid  Process
3500  wbengine.exe
4040  rdpclip.exe
4276  cmstp.exe
-
Loads dropped DLL 4 IoCs
Processes:
pid  Process
3500  wbengine.exe
4040  rdpclip.exe
4276  cmstp.exe
4276  cmstp.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description  ioc  Process
Set value (str)  \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Kqgfxymewp = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Proof\\59w7Pw\\rdpclip.exe"
-
Checks whether UAC is enabled
Processes:
description  ioc  Process
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rdpclip.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  cmstp.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  wbengine.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid  Process
3292  rundll32.exe
3292  rundll32.exe
3292  rundll32.exe
3292  rundll32.exe
3448  (60 further entries, no process name recorded)
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
description  pid  Process
Token: SeShutdownPrivilege  3448
Token: SeCreatePagefilePrivilege  3448
Token: SeShutdownPrivilege  3448
Token: SeCreatePagefilePrivilege  3448
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
pid  Process
3448
3448
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
description  pid  Process  procid_target
PID 3448 wrote to memory of 4032  3448    99
PID 3448 wrote to memory of 4032  3448    99
PID 3448 wrote to memory of 3500  3448    98
PID 3448 wrote to memory of 3500  3448    98
PID 3448 wrote to memory of 4952  3448    102
PID 3448 wrote to memory of 4952  3448    102
PID 3448 wrote to memory of 4040  3448    101
PID 3448 wrote to memory of 4040  3448    101
PID 3448 wrote to memory of 4748  3448    104
PID 3448 wrote to memory of 4748  3448    104
PID 3448 wrote to memory of 4276  3448    103
PID 3448 wrote to memory of 4276  3448    103
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7e7645b86e265b69aed08c4852fe6291.dll,#1
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:3292
-
C:\Users\Admin\AppData\Local\ePXXSj8w\wbengine.exe
C:\Users\Admin\AppData\Local\ePXXSj8w\wbengine.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3500
-
C:\Windows\system32\wbengine.exe
C:\Windows\system32\wbengine.exe
PID:4032
-
C:\Users\Admin\AppData\Local\rN1c7\rdpclip.exe
C:\Users\Admin\AppData\Local\rN1c7\rdpclip.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4040
-
C:\Windows\system32\rdpclip.exe
C:\Windows\system32\rdpclip.exe
PID:4952
-
C:\Users\Admin\AppData\Local\151\cmstp.exe
C:\Users\Admin\AppData\Local\151\cmstp.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4276
-
C:\Windows\system32\cmstp.exe
C:\Windows\system32\cmstp.exe
PID:4748
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
391KB
MD5
df592eea3fa83e64d1d1685224242d52
SHA1
f6dfd7883bba096273d91ae6dac6bea43a9fde9a
SHA256
297293d8c707ceb3c2fd63c10e596b18705ab849660ec228eeed3b78a1cd0a68
SHA512
f07a198d267b488a01d214b76b6808cec80748c6dd0824684f6161e1ad50e6ab15d479b00f235467708e06a7ea4cb008fa1691a86867f88a8dd4e257287d0625
-
Filesize
348KB
MD5
d465079a62622c3894e644d3b59e31c8
SHA1
58842196b79d9e1299e310e94a803bf245898cbe
SHA256
6aead4e3b6d7bf7000ed3d462d6f18507b4302806dc1c738ebd7c13c5519a146
SHA512
d61c3e4a5ba06e02db09c1941eb6b1df7c9243a8528a2a4792f1532d1c4ca4e3481524b1ad702638a2d92450597045697744b7a7f8f250fb1836969a192af4c3
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\E8PdapiDMJq\VERSION.dll
Filesize
96KB
MD5
957d8ffe1faf0fdddd6a06957860c3a3
SHA1
fa21e34011676c63a3f6f44937cddc080d6261bb
SHA256
45e34220c7919c825c15ef45645cf4aac140cb7461fd72b80850e07b9f9a0cc3
SHA512
e6947c861abcf6c63f452fc348246ba553612aa93c80e4346a79a2687f104c6a5657b2dab58d007634ec11e4cdb6e0ea06dc780fa011b0de498df1b0ca3cb426