Analysis
- max time kernel: 150s
- max time network: 126s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 19-01-2024 04:33
Static task: static1
Behavioral task: behavioral1
- Sample: 66b58767a74baad1c7515631dc19f40d.dll
- Resource: win7-20231215-en
General
- Target: 66b58767a74baad1c7515631dc19f40d.dll
- Size: 1.4MB
- MD5: 66b58767a74baad1c7515631dc19f40d
- SHA1: ee1d09e46fcb9cf0a71d4a055a82fd1e7b18580e
- SHA256: cf999aa80ee97169297cb4ba12d751d3b0bf3195f85022adf03933d10cb43641
- SHA512: d625c635b29537eba27e37d403515685f1cc8730906e749c5fdc08c78bef80b5dbf89ee31c5579a581aaa3f5cb76797f30c26540d4ef8bab6e00882cea45d060
- SSDEEP: 12288:OVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:TfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
- YARA rule match: dridex_stager_shellcode
  resource: behavioral1/memory/1276-5-0x0000000002B70000-0x0000000002B71000-memory.dmp
Executes dropped EXE (3 IoCs)
Processes (pid, process):
- 2744 rekeywiz.exe
- 3056 mblctr.exe
- 1908 tabcal.exe
Loads dropped DLL (7 IoCs)
Processes (pid, process):
- 1276 (process name not recorded)
- 2744 rekeywiz.exe
- 1276 (process name not recorded)
- 3056 mblctr.exe
- 1276 (process name not recorded)
- 1908 tabcal.exe
- 1276 (process name not recorded)
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes (description, ioc, process):
- Set value (str): \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\Fskzoiv = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\ACCESS~1\\ACCESS~1\\TKIrDggP\\mblctr.exe" (process not recorded)
Checks whether UAC is enabled
Processes (description, ioc, process):
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (rundll32.exe)
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (rekeywiz.exe)
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (mblctr.exe)
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (tabcal.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (pid, process):
- 2128 rundll32.exe (3 entries)
- 1276 (process name not recorded; 61 entries)
Suspicious use of WriteProcessMemory (18 IoCs)
Processes (description, pid, process, target process):
- PID 1276 wrote to memory of 2648; 1276 (process name not recorded) -> rekeywiz.exe (3 entries)
- PID 1276 wrote to memory of 2744; 1276 (process name not recorded) -> rekeywiz.exe (3 entries)
- PID 1276 wrote to memory of 2912; 1276 (process name not recorded) -> mblctr.exe (3 entries)
- PID 1276 wrote to memory of 3056; 1276 (process name not recorded) -> mblctr.exe (3 entries)
- PID 1276 wrote to memory of 1864; 1276 (process name not recorded) -> tabcal.exe (3 entries)
- PID 1276 wrote to memory of 1908; 1276 (process name not recorded) -> tabcal.exe (3 entries)
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\66b58767a74baad1c7515631dc19f40d.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID: 2128
- C:\Windows\system32\rekeywiz.exe
  command line: C:\Windows\system32\rekeywiz.exe
  PID: 2648
- C:\Users\Admin\AppData\Local\PL9y\rekeywiz.exe
  command line: C:\Users\Admin\AppData\Local\PL9y\rekeywiz.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 2744
- C:\Windows\system32\mblctr.exe
  command line: C:\Windows\system32\mblctr.exe
  PID: 2912
- C:\Users\Admin\AppData\Local\M8jH9THJF\mblctr.exe
  command line: C:\Users\Admin\AppData\Local\M8jH9THJF\mblctr.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 3056
- C:\Windows\system32\tabcal.exe
  command line: C:\Windows\system32\tabcal.exe
  PID: 1864
- C:\Users\Admin\AppData\Local\vTCeBnl\tabcal.exe
  command line: C:\Users\Admin\AppData\Local\vTCeBnl\tabcal.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 1908
Network
MITRE ATT&CK Enterprise v15
Downloads