Analysis
max time kernel: 150s
max time network: 123s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64 arch:x86 image:win7-20231215-en locale:en-us os:windows7-x64 system
submitted: 19-01-2024 07:50
Static task: static1
Behavioral task: behavioral1
Sample: 6714db2df8a6f6b5c50d59629ec34c6c.dll
Resource: win7-20231215-en
General
Target: 6714db2df8a6f6b5c50d59629ec34c6c.dll
Size: 3.2MB
MD5: 6714db2df8a6f6b5c50d59629ec34c6c
SHA1: a4b2879a300b905a63dce5114092208d4d1dec9a
SHA256: d86ef2b5b3a29c907febf6d15d8f3fa781e1d5314549fed66df51d00db694818
SHA512: 7b6f0a5a4ea204821d3e513cb9a5c2926f06ab2ae2aea9d5baba857ec82867bf912edf75ab8e0250364ca81e015114d71b3e26dc9918ee734103fbc7456d1d56
SSDEEP: 12288:yVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:vfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
YARA match: dridex_stager_shellcode
  resource: behavioral1/memory/1360-5-0x00000000025C0000-0x00000000025C1000-memory.dmp
  yara_rule: dridex_stager_shellcode
Executes dropped EXE 3 IoCs
  pid   process
  3000  slui.exe
  1864  SoundRecorder.exe
  2828  rdrleakdiag.exe
Loads dropped DLL 7 IoCs
  pid   process
  1360  (process name not listed)
  3000  slui.exe
  1360  (process name not listed)
  1864  SoundRecorder.exe
  1360  (process name not listed)
  2828  rdrleakdiag.exe
  1360  (process name not listed)
Adds Run key to start application 2 TTPs 1 IoCs
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\Lgpbj = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\4HBT6\\SoundRecorder.exe"
  process: (not listed)
Checks whether UAC is enabled
  description        ioc                                                                                    process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rdrleakdiag.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  slui.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  SoundRecorder.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
  pid   process
  2168  rundll32.exe (3 entries)
  1360  (process name not listed; the remaining 61 entries)
Suspicious use of WriteProcessMemory 18 IoCs
  description      pid   target pid  target process
  wrote to memory  1360  2888        slui.exe (3 entries)
  wrote to memory  1360  3000        slui.exe (3 entries)
  wrote to memory  1360  784         SoundRecorder.exe (3 entries)
  wrote to memory  1360  1864        SoundRecorder.exe (3 entries)
  wrote to memory  1360  2832        rdrleakdiag.exe (3 entries)
  wrote to memory  1360  2828        rdrleakdiag.exe (3 entries)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\6714db2df8a6f6b5c50d59629ec34c6c.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID: 2168
C:\Windows\system32\slui.exe
  command line: C:\Windows\system32\slui.exe
  PID: 2888
C:\Users\Admin\AppData\Local\1LYvp\slui.exe
  command line: C:\Users\Admin\AppData\Local\1LYvp\slui.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 3000
C:\Windows\system32\SoundRecorder.exe
  command line: C:\Windows\system32\SoundRecorder.exe
  PID: 784
C:\Users\Admin\AppData\Local\xTgeUD\SoundRecorder.exe
  command line: C:\Users\Admin\AppData\Local\xTgeUD\SoundRecorder.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 1864
C:\Windows\system32\rdrleakdiag.exe
  command line: C:\Windows\system32\rdrleakdiag.exe
  PID: 2832
C:\Users\Admin\AppData\Local\0ShrJ\rdrleakdiag.exe
  command line: C:\Users\Admin\AppData\Local\0ShrJ\rdrleakdiag.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 2828
Network
MITRE ATT&CK Enterprise v15
Downloads