Analysis
-
max time kernel
151s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system -
submitted
19-01-2024 15:40
Static task
static1
Behavioral task
behavioral1
Sample
6800149dece7def1ad1cd84f715f4837.dll
Resource
win7-20231215-en
General
-
Target
6800149dece7def1ad1cd84f715f4837.dll
-
Size
1.7MB
-
MD5
6800149dece7def1ad1cd84f715f4837
-
SHA1
640fca273f248d6a72d3265dea4a3f774c6aa64f
-
SHA256
b0d4e0d901760c1879169db38ef00435f986e19dda97a46b8797d55e379eb1ac
-
SHA512
f93a6f187f01bdac3af4abda5a11d040f4633296db46cbf2d19eb22c0e369129939e3d5aeaef5f67b44b9140fb13ad6971df7847c78a975cc86259e336da50e2
-
SSDEEP
12288:bVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:6fP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
-
YARA match: dridex_stager_shellcode 1 IoCs
Processes:
resource    yara_rule
behavioral1/memory/1380-5-0x0000000002580000-0x0000000002581000-memory.dmp    dridex_stager_shellcode
The match sits in a single 4 KB region (0x2580000-0x2581000) of PID 1380. That process is not listed in the process tree below, yet it is the one that writes to and starts every dropped EXE, so the stager runs from an injected host rather than from rundll32.exe itself. -
Executes dropped EXE 3 IoCs
Processes:
pid     process
2080    MpSigStub.exe
2524    slui.exe
2020    irftp.exe -
Loads dropped DLL 7 IoCs
Processes:
pid     process
1380    (name not recorded)
2080    MpSigStub.exe
1380    (name not recorded)
2524    slui.exe
1380    (name not recorded)
2020    irftp.exe
1380    (name not recorded) -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description        ioc    process
Set value (str)    \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\Lgpbj = "C:\Users\Admin\AppData\Roaming\Adobe\FLASHP~1\ASSETC~1\2Q3NG7~1\slui.exe"    (process not recorded)
The Run value is written with 8.3 short names and points at a slui.exe copy under the Roaming profile, a third location distinct from the AppData\Local\MKbqlZ copy that was executed during this run; a persistence check has to resolve the short path rather than match on the directory name seen in the process tree. -
Checks whether UAC is enabled 4 IoCs
Processes:
description          ioc                                                                                  process
Key value queried    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA    MpSigStub.exe
Key value queried    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA    slui.exe
Key value queried    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA    irftp.exe
Key value queried    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA    rundll32.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid     process
2412    rundll32.exe
2412    rundll32.exe
2412    rundll32.exe
1380    (name not recorded; PID 1380 accounts for all remaining entries of the 64 IoCs) -
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
description                          pid     process                target process
PID 1380 wrote to memory of 2100    1380    (name not recorded)    MpSigStub.exe
PID 1380 wrote to memory of 2080    1380    (name not recorded)    MpSigStub.exe
PID 1380 wrote to memory of 796     1380    (name not recorded)    slui.exe
PID 1380 wrote to memory of 2524    1380    (name not recorded)    slui.exe
PID 1380 wrote to memory of 2480    1380    (name not recorded)    irftp.exe
PID 1380 wrote to memory of 2020    1380    (name not recorded)    irftp.exe
Each write is recorded three times in the report, giving the 18 IoCs. -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\rundll32.exe (command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\6800149dece7def1ad1cd84f715f4837.dll,#1)
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2412
-
C:\Windows\system32\MpSigStub.exe
PID:2100
-
C:\Users\Admin\AppData\Local\N0CE7X0Nj\MpSigStub.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2080
-
C:\Windows\system32\slui.exe
PID:796
-
C:\Users\Admin\AppData\Local\MKbqlZ\slui.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2524
-
C:\Windows\system32\irftp.exe
PID:2480
-
C:\Users\Admin\AppData\Local\Xjmy6\irftp.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2020
All processes above are recorded at the same depth; their common parent, PID 1380, is not part of the tree.
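The tree shows one repeating pattern: for each of MpSigStub.exe, slui.exe and irftp.exe the copy in C:\Windows\system32 is started first, then a copy of the same binary under a randomly named AppData\Local directory is started, runs as a dropped EXE and loads a dropped DLL, and every one of them is written to by PID 1380. The original and the copy share an image name, so a detection has to key on image path, not name. The script below is an added example, not output of the sandbox or code from the sample's authors: it runs a few checks over constructed Sysmon-style events that mirror the report's paths (the rundll32 ordinal launch, a System32 image name running from AppData, a DLL mapped from that same directory, and the Run key). The event records, the DLL name sideload.dll, the SYSTEM_IMAGE_NAMES set and all function names are assumptions made for the example.

```python
"""Hunt for the relocated-System32-binary pattern over constructed events.

Added example; the events, names and helpers are assumptions, not sandbox output.
"""
import ntpath
import re
from dataclasses import dataclass

SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Image names of the signed Windows binaries this sample copies out of System32.
# Assumption: in production, derive this set from a baseline of %SystemRoot%\System32.
SYSTEM_IMAGE_NAMES = {"mpsigstub.exe", "slui.exe", "irftp.exe"}

USER_WRITABLE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\", re.I)
RUNDLL_ORDINAL = re.compile(r"rundll32(?:\.exe)?\s+(?P<dll>\S+?\.dll)\s*,\s*#\d+", re.I)
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)


@dataclass
class Event:
    kind: str            # "process" (creation), "imageload" or "regset"
    pid: int
    image: str = ""      # full path of the process image
    cmdline: str = ""    # process command line
    loaded: str = ""     # imageload: path of the DLL that was mapped
    key: str = ""        # regset: full registry value path
    data: str = ""       # regset: value data


def _dir(path: str) -> str:
    return ntpath.dirname(path).lower()


def check_rundll32_ordinal(ev: Event):
    """rundll32 invoking a DLL by export ordinal from a user-writable path."""
    m = RUNDLL_ORDINAL.search(ev.cmdline) if ev.kind == "process" else None
    if m and USER_WRITABLE.match(m.group("dll")):
        return f"pid {ev.pid}: rundll32 loads {m.group('dll')} by ordinal"
    return None


def check_masquerade(ev: Event):
    """A System32 image name executing from outside System32/SysWOW64."""
    name = ntpath.basename(ev.image).lower()
    if ev.kind == "process" and name in SYSTEM_IMAGE_NAMES and _dir(ev.image) not in SYSTEM_DIRS:
        return f"pid {ev.pid}: {name} running from {_dir(ev.image)}"
    return None


def check_sideload(ev: Event):
    """A relocated System32 binary mapping a DLL from its own directory."""
    name = ntpath.basename(ev.image).lower()
    if (ev.kind == "imageload" and name in SYSTEM_IMAGE_NAMES
            and _dir(ev.image) not in SYSTEM_DIRS and _dir(ev.loaded) == _dir(ev.image)):
        return f"pid {ev.pid}: {name} side-loaded {ntpath.basename(ev.loaded)}"
    return None


def check_run_key(ev: Event):
    """Run-key value whose target lives in a user profile (8.3 names flagged too)."""
    if ev.kind == "regset" and RUN_KEY.search(ev.key):
        target = ev.data.strip('"')
        if USER_WRITABLE.match(target):
            short = " (uses 8.3 short names)" if "~" in target else ""
            return f"run key {ntpath.basename(ev.key)} -> {target}{short}"
    return None


CHECKS = (check_rundll32_ordinal, check_masquerade, check_sideload, check_run_key)


def hunt(events):
    """Return every finding, in event order."""
    return [hit for ev in events for chk in CHECKS if (hit := chk(ev))]


# Constructed events modelled on the report's process tree and Run key.
SAMPLE_EVENTS = [
    Event("process", 2412, r"C:\Windows\system32\rundll32.exe",
          r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\6800149dece7def1ad1cd84f715f4837.dll,#1"),
    Event("process", 2100, r"C:\Windows\system32\MpSigStub.exe", r"C:\Windows\system32\MpSigStub.exe"),
    Event("process", 2080, r"C:\Users\Admin\AppData\Local\N0CE7X0Nj\MpSigStub.exe",
          r"C:\Users\Admin\AppData\Local\N0CE7X0Nj\MpSigStub.exe"),
    # Assumed DLL name: the report only records that a dropped DLL was loaded.
    Event("imageload", 2080, r"C:\Users\Admin\AppData\Local\N0CE7X0Nj\MpSigStub.exe",
          loaded=r"C:\Users\Admin\AppData\Local\N0CE7X0Nj\sideload.dll"),
    Event("imageload", 2100, r"C:\Windows\system32\MpSigStub.exe",
          loaded=r"C:\Windows\system32\kernel32.dll"),
    Event("regset", 1380,
          key=r"HKU\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\Lgpbj",
          data=r'"C:\Users\Admin\AppData\Roaming\Adobe\FLASHP~1\ASSETC~1\2Q3NG7~1\slui.exe"'),
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

The System32 launch of MpSigStub.exe (PID 2100) produces no finding, which is the point: only the copy's path, and the DLL it maps from that same directory, distinguish the two processes.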
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 1.7MB
MD5 0728b6d38c43ab4c1441f5b50ef84f8b
SHA1 f6e79eba7c46b2aaf2064a602833b154bb78b840
SHA256 871e191e8264b12bbcc31ec5aac58730052305a3954edf1245954c4e7a00223d
SHA512 fecdcf74615fa47b3080d57e28b78ba5a83ba5b9f3bf3ba7213c77d73a1fe1369aab2c19c8b6041e21e3a80b0761acdc37a059fa600e4355433e9be32319cffa
-
Filesize 264KB
MD5 2e6bd16aa62e5e95c7b256b10d637f8f
SHA1 350be084477b1fe581af83ca79eb58d4defe260f
SHA256 d795968b8067bb610033fa4a5b21eb2f96cef61513aba62912b8eb5c6a5ff7b3
SHA512 1f37150f6bcbe0df54bb85a5ad585824cea9332baa9be1649a95c1dfb41723de85c09d98fb2ca8261a49c2184d3bda638b84b2b7b60b97fe42a15ab1620a2542
-
Filesize 302KB
MD5 0a180432688c5f1d82b6e804a645b49f
SHA1 8f6129555c3c16233bac1b2b42afa73edf4c6140
SHA256 efd2fa65234a12b4951fd23f47c023a1a0777a19b522d54a7cdb7ac008f18448
SHA512 ae3c4717d7a9c575a9f5610f9aa07382aeae501b5f0881c732b6d6bf0200617e3ed6a64d1db7301eae9571b6cf428a00e8eaa3121e229b85a5394e5c743d304c
-
Filesize 1.2MB
MD5 c5ee14af829955b6e3b2e2440ca07531
SHA1 d3ecd740e4811fb2b44178d47fef6c5e1619fd4e
SHA256 6aa2ef4a4aa0b376510687f98ee84c2fa00542ec292196b349f41e07bd66c572
SHA512 f7188ca5b9277331f80b7c94259e8c5457f918a5d1fbc3ff1befe95a4dcd6734ca657dc886936826c915c748d51e0c428e7997deb6ca575b9b2dc9f2d25ab5f6
-
Filesize 1KB
MD5 1271bc34c68d9bb7129bb843d7d3618a
SHA1 a8c2c58bb14a6b01bf0797d91d2e51c50eb04752
SHA256 f075f9f631de7da818d8bc7848234abab9830969d771d80234bd65889d4fa44c
SHA512 d2835a4cf6860abc290e91f0686236422f2434334d65c4778c527c65b94fbd195fb31980813d2b22ee753f65995a37a7492010888ae886c7dbfc29b82ed5ca87
-
Filesize 1.7MB
MD5 d74dd02041a8de8b2ae4fc0de5bdb0ca
SHA1 f2e370990662bb6bb588fd31830e7a44c5652b64
SHA256 4c2d5c56df7b719e34b54553dccab046172f2d650002af512ce1c0569db206ee
SHA512 7eb21cdc07e7afd3e3649c2f32b3ae3bbea2395cdaa2c1e30e65564e6886740b0b3b8be9ad8a338411921d17f95280100d8122e0a1e0b79e6e571580441fb51d
-
Filesize 1.7MB
MD5 eafa1afb468ea2986930ecfe7425e03f
SHA1 873b7bba20b6b16851f3602a2050ff205dea9c9b
SHA256 bcda63785ecebb671aa7b92bf736131fe65473a43c437fd7a6390eaa3f55a767
SHA512 ce7df400a40a746d3df2ad4a39debf36a597b67200e8fbfcc9d8ad21b9157892b9f8f4c2a9bdca33f1d1740e3b8ef0e32177a29ae06741a89c4c5188214d1439
-
Filesize 341KB
MD5 c5ce5ce799387e82b7698a0ee5544a6d
SHA1 ed37fdb169bb539271c117d3e8a5f14fd8df1c0d
SHA256 34aa7ca0ea833263a6883827e161a5c218576c5ad97e0ce386fad4250676b42c
SHA512 79453b45e1f38d164ee3dbc232f774ff121d4394c22783140f5c8c722f184a69f499f2fb9621bdb28f565065b791883526e1a1d4abef9df82289613c2ce97a5c
-
Filesize 242KB
MD5 0d82712e20e6d2ffe6bdcc8fccab47eb
SHA1 4c112c2374b45035441e681c95270e9d5459e297
SHA256 66dba37dfc3361900d7df0a891bd9015c90b0d4698efb1fcb22b57c7b875024e
SHA512 27e4de9c1b1dbf87597c3c47941109733d587a983100635865732f56fa18f900cf41a61cefa6472162f77451ada3f996245d486e8d8df5f8afb4f2267df15c73
-
Filesize 256KB
MD5 9a01f641327cb348e963d9db3ac04861
SHA1 e30770234e264bd6f2d5e1ec52cbafe7c0de39d3
SHA256 549b46f2a7d7e8e23f1879c66625bcfb7205f8abf11c0ec0a1d47cf4013e6f3f
SHA512 f19086dbf1ceb19ceb04154b2d02fc86ed0bc09a7a0d72e5f74e2e170371d5f4dc183aa6b76d5b98f36be09a83b41c1b98cee2a00180b3a850a2818bf4ef2887
-
Filesize 192KB
MD5 0cae1fb725c56d260bfd6feba7ae9a75
SHA1 102ac676a1de3ec3d56401f8efd518c31c8b0b80
SHA256 312f4107ff37dc988d99c5f56178708bb74a3906740cff4e337c0dde8f1e151d
SHA512 db969064577c4158d6bf925354319766b0d0373ddefb03dbfc9a9d2cadf8ddcd50a7f99b7ddf2ffad5e7fdbb6f02090b5b678bdf792d265054bff3b56ee0b8ec