Analysis
-
max time kernel: 150s
max time network: 123s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 21-01-2024 01:01
Static task: static1
Behavioral task: behavioral1
Sample: 6bf2b8dfb0ae1a87d53b7df0eba45900.dll
Resource: win7-20231215-en
General
-
Target: 6bf2b8dfb0ae1a87d53b7df0eba45900.dll
Size: 1.7MB
MD5: 6bf2b8dfb0ae1a87d53b7df0eba45900
SHA1: 21fd1716131f7cb2c2558cca781bdd40ebe582f5
SHA256: 040d5692e18f3667089d59f660741709390f41f201dd0f2d879ec90e47435a97
SHA512: e773f27dce2811185f20ae0e4c26dfa68c75b12fa31f8930360132b51ae654dc3ba61d573d34cd1004865699f61475d59759a7d9e3db486c57db7c1ec7987f87
SSDEEP: 12288:tVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:0fP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
-
YARA match: dridex_stager_shellcode 1 IoCs
Resource: behavioral1/memory/1320-5-0x0000000002A20000-0x0000000002A21000-memory.dmp (memory region 0x2A20000-0x2A21000 of PID 1320)
Executes dropped EXE 3 IoCs
PID   Process
2620  calc.exe
2856  AdapterTroubleshooter.exe
1600  RDVGHelper.exe
Loads dropped DLL 7 IoCs
PID   Process
1320  (process name not recorded in the report)
2620  calc.exe
1320  (not recorded)
2856  AdapterTroubleshooter.exe
1320  (not recorded)
1600  RDVGHelper.exe
1320  (not recorded)
Adds Run key to start application 2 TTPs 1 IoCs
Description: Set value (str)
IoC: \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\Xkgbzoakajt = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations\\Ut9as\\AdapterTroubleshooter.exe"
Process: (not recorded in the report)
Note: the Run value points at a copy of AdapterTroubleshooter.exe under the user's Roaming profile, a location that does not appear in the process tree below; the per-user Run key needs no elevation to write.
Checks whether UAC is enabled 4 IoCs
Description        IoC                                                                                      Process
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  RDVGHelper.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  calc.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  AdapterTroubleshooter.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
PID   Process                       Events
2192  rundll32.exe                  3
1320  (not recorded in the report)  remaining 61 (by the report's count of 64)
Suspicious use of WriteProcessMemory 18 IoCs
Writer PID  Target PID  Target process             Events
1320        2112        calc.exe                   3
1320        2620        calc.exe                   3
1320        2760        AdapterTroubleshooter.exe  3
1320        2856        AdapterTroubleshooter.exe  3
1320        1704        RDVGHelper.exe             3
1320        1600        RDVGHelper.exe             3
Every write comes from PID 1320, and each of the three binary names is written to twice over: once in its System32 instance and once in the copy run from AppData\Local.
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\rundll32.exe
Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\6bf2b8dfb0ae1a87d53b7df0eba45900.dll,#1
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID: 2192
-
C:\Windows\system32\calc.exe
Command line: C:\Windows\system32\calc.exe
PID: 2112
-
C:\Users\Admin\AppData\Local\W9Wu\calc.exe
Command line: C:\Users\Admin\AppData\Local\W9Wu\calc.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID: 2620
-
C:\Windows\system32\AdapterTroubleshooter.exe
Command line: C:\Windows\system32\AdapterTroubleshooter.exe
PID: 2760
-
C:\Users\Admin\AppData\Local\rz5r4e\AdapterTroubleshooter.exe
Command line: C:\Users\Admin\AppData\Local\rz5r4e\AdapterTroubleshooter.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID: 2856
-
C:\Windows\system32\RDVGHelper.exe
Command line: C:\Windows\system32\RDVGHelper.exe
PID: 1704
-
C:\Users\Admin\AppData\Local\OwD1Q\RDVGHelper.exe
Command line: C:\Users\Admin\AppData\Local\OwD1Q\RDVGHelper.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID: 1600

Reading the tree: all seven processes are listed at the same depth (the "1⤵" marker in the original report), so the report shows no parent for them, and PID 1320, the writer in every WriteProcessMemory event and the loader in four of the dropped-DLL events, is absent from the tree. rundll32.exe invokes the sample by export ordinal (#1). Each of calc.exe, AdapterTroubleshooter.exe and RDVGHelper.exe runs first from System32 and then from a short, random-looking directory under AppData\Local, where the copy is flagged as a dropped EXE that loads a dropped DLL. That layout is the one used for DLL search-order hijacking (a legitimate Windows binary placed next to an attacker-supplied DLL it imports by name); the report does not name the dropped DLLs, so which import is hijacked cannot be read from this page.
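The tree above, the WriteProcessMemory table and the Run key can be cross-checked mechanically. The following Python is an added example written for this page, not sandbox output or code from the sample: the records it holds are copied from the report sections above, and the directory prefixes it treats as "system" and "user-writable" are this editor's assumption for the Windows 7 image, not something the report states.

```python
"""Triage helper for the process tree, WriteProcessMemory events and Run key
recorded in the report above (added example, not part of the sandbox output).

It answers two questions a reviewer asks of this tree:
  1. Which executables run from a user-writable directory share a name with a
     binary that also ran from a system directory (the layout used for DLL
     search-order hijacking), and which process wrote into their memory?
  2. Which Run-key values point into the user profile, and do they reuse one
     of those names?
"""
from __future__ import annotations

import ntpath
from collections import Counter, defaultdict
from dataclasses import dataclass

# Assumed prefixes for this Windows 7 image; adjust for other layouts.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_DIRS = ("c:\\users\\",)


@dataclass(frozen=True)
class Proc:
    pid: int
    path: str
    tags: tuple[str, ...] = ()


# Constructed from the "Processes" section of the report.
PROCS = [
    Proc(2192, r"C:\Windows\system32\rundll32.exe",
         ("Checks whether UAC is enabled", "Suspicious behavior: EnumeratesProcesses")),
    Proc(2112, r"C:\Windows\system32\calc.exe"),
    Proc(2620, r"C:\Users\Admin\AppData\Local\W9Wu\calc.exe",
         ("Executes dropped EXE", "Loads dropped DLL", "Checks whether UAC is enabled")),
    Proc(2760, r"C:\Windows\system32\AdapterTroubleshooter.exe"),
    Proc(2856, r"C:\Users\Admin\AppData\Local\rz5r4e\AdapterTroubleshooter.exe",
         ("Executes dropped EXE", "Loads dropped DLL", "Checks whether UAC is enabled")),
    Proc(1704, r"C:\Windows\system32\RDVGHelper.exe"),
    Proc(1600, r"C:\Users\Admin\AppData\Local\OwD1Q\RDVGHelper.exe",
         ("Executes dropped EXE", "Loads dropped DLL", "Checks whether UAC is enabled")),
]

# (writer pid, target pid) pairs from "Suspicious use of WriteProcessMemory":
# PID 1320 wrote three times into each of the six calc/Adapter/RDVG processes.
WPM_EVENTS = [(1320, target) for target in (2112, 2620, 2760, 2856, 1704, 1600) for _ in range(3)]

# Value from "Adds Run key to start application"; registry-escaped string kept as reported.
RUN_KEYS = {
    r"\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\Xkgbzoakajt":
        r"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations\\Ut9as\\AdapterTroubleshooter.exe",
}


def _under(path: str, prefixes: tuple[str, ...]) -> bool:
    # Collapse doubled backslashes from registry-escaped strings before matching.
    return path.replace("\\\\", "\\").lower().startswith(prefixes)


def sideload_candidates(procs=PROCS, wpm_events=WPM_EVENTS) -> list[dict]:
    """Pair each user-directory executable with a same-named system-directory
    process and attach the WriteProcessMemory evidence for both PIDs."""
    writes = Counter(target for _, target in wpm_events)
    writers: dict[int, set[int]] = defaultdict(set)
    for writer, target in wpm_events:
        writers[target].add(writer)
    by_name = {ntpath.basename(p.path).lower(): p for p in procs if _under(p.path, SYSTEM_DIRS)}

    findings = []
    for p in procs:
        if not _under(p.path, USER_DIRS):
            continue
        name = ntpath.basename(p.path).lower()
        original = by_name.get(name)
        if original is None:
            continue  # user-directory binary with no system-directory twin
        findings.append({
            "name": name,
            "user_copy": (p.pid, p.path),
            "system_original": (original.pid, original.path),
            "loads_dropped_dll": "Loads dropped DLL" in p.tags,
            "writers": sorted(writers[p.pid] | writers[original.pid]),
            "write_events": writes[p.pid] + writes[original.pid],
        })
    return findings


def run_key_findings(run_keys=RUN_KEYS, candidates=None) -> list[dict]:
    """Run values that launch from the user profile (writable without elevation),
    cross-referenced against the side-loading candidate names."""
    names = {c["name"] for c in (candidates if candidates is not None else sideload_candidates())}
    out = []
    for key, value in run_keys.items():
        if not _under(value, USER_DIRS):
            continue
        base = ntpath.basename(value.replace("\\\\", "\\")).lower()
        out.append({"key": key, "target": value, "reuses_sideloaded_name": base in names})
    return out


if __name__ == "__main__":
    for f in sideload_candidates():
        print(f"{f['name']}: system PID {f['system_original'][0]} -> user copy PID {f['user_copy'][0]}, "
              f"written by {f['writers']} ({f['write_events']} events), "
              f"loads dropped DLL: {f['loads_dropped_dll']}")
    for r in run_key_findings():
        print(f"Run value {ntpath.basename(r['key'])} -> {r['target']} "
              f"(reuses side-loaded name: {r['reuses_sideloaded_name']})")
```

Run against the report's records it yields three candidates, each written to six times by PID 1320 across its two instances, and one Run value that reuses the AdapterTroubleshooter.exe name from a third location; the same functions take records from any other report of this shape.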
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 93KB
MD5: 53fda4af81e7c4895357a50e848b7cfe
SHA1: 01fb2d0210f1c47aaf684e31a9fb78f89bba9c0f
SHA256: 62ab8c2c5b5bd84fd07e96b6a3b87a4ea56946107ed9b7f8076580ae1fefd038
SHA512: dbbda90a57d27160c5a3a5e4e94cfc43b1663fcbfe424fdec851e52356f61492bdcf677c46be8aa4e8ccc8be7c389b6aa7bbbce8447e1fae32f03e5e409f4051
-
Filesize: 220KB
MD5: 9b20c91f6dde094fbc0b56a18b66b714
SHA1: 6d1ccd162309a1110c5bf24877f8a178474b7781
SHA256: 7a508e3a708189f660dc5707c212936d471f7f8e2bfe4d1e45de6492aa6c7c4d
SHA512: 25914e3ab19b255f276469bf4d7d8b1ddb2929256ab707570bfd232c59052702e2f07923f239dd00c4692af60195e19900a1a997b21e9345ef15d7178bff615c
-
Filesize: 219KB
MD5: de2b84d52f060bcc4c7189415131f8b5
SHA1: 49b40b0919b846e4f0712aa0eb1bc8d7dc6f2cd0
SHA256: b831abfefe07c3f87ea40b8183917b7862b551a075864565018f962b981bc3cd
SHA512: e527145e62d4ec5c9bee3502115bf6106c8bf82a603d02e4d719d98804c954500dedc0158462c563a272be9ba8ad489ddf9190f96c80ed49d25a24501b9c1796
-
Filesize: 439KB
MD5: 09fe8f5734bc2eac8bdfa6a0db387879
SHA1: d64c137dd78d6dcac0a1985b9bf4bfb6008701ba
SHA256: 4aa0e1665b0a29ec997a9f561f49e6d9f8e9fd8259813c3478a6bd28d3f12802
SHA512: 48a815a4e17b84bcb212669fca202313100a3cc9c470838bf39e3be28977b994ef1aa22ff7144d8140372bda5fe2ca54227e4418d1e85a50b13034cbaadbc32e
-
Filesize: 16KB
MD5: b308ff3bf227b6f5e2b14c450b7468e0
SHA1: b7a1ad036084f62b93bf41beb041503cec352c44
SHA256: 20ceee5d5c213b9da6a560ed4e78b0f0cd50118bad9d7756c351372b8a260237
SHA512: 81003e4a3a2b3c4ae408835214c14d5ab886bd01df7c833243366c1c7b57078df5e8c0f3313bc575d1c9382675df262ae740263d68585152c00378756d0f4193
-
Filesize: 39KB
MD5: d4170c9ff5b2f85b0ce0246033d26919
SHA1: a76118e8775e16237cf00f2fb79718be0dc84db1
SHA256: d05e010a2570cdd5a67f62c99483aeeecb6a8d5ecc523cd49b158a460c9be5da
SHA512: 9c85a9ea4002bd55cf9c51e470dd1bec527ff04b5d0d6f83094a998c541416cd47c9f42c6ca7e35ffa2842877f79e3c2e989489b9bf81644c5c57bb406b89608
-
Filesize: 131KB
MD5: bf8b96a275e6604475bc4e098cbc8451
SHA1: 6b5ace38da5932d7a49a02d80a9091f038f1b72f
SHA256: 810a5b3c8be966fd424908d77d48ee5ef260eaf025e1e14a670c027c6fd8ebf2
SHA512: 47b59175be131a7796f817f40ec1075d4e1f2be0b4a341f265b5a202b48f71dbd2edd3d3b061d2440ea10d2e86c1bd8791b9c6cae902fa447523a7a0e780294a
-
Filesize: 1KB
MD5: 873a58cac353341b2769c258728b0346
SHA1: 443e95a7d9d7d13ead8c47d2a2a1bcdec7b5d0e6
SHA256: c7971e77cf4c5cb15cf114674beeff2c3f79253042fe4f3a9795b5102830954f
SHA512: 7f9fa1909cec3903ef864a9c3fa04d3b9806bafbe477a5446cdf6f44f3a1e9fc3b9e863bdd677d1ab90b30600c395a6ee677355036654472e1260badda53fec3
-
Filesize: 1.7MB
MD5: a964a79e384c403db02f77882958f330
SHA1: 8fe9faedaed7339972c5e4d5b31ca6028458bae0
SHA256: ac33e757d92ec0686a4bf288303499fbfca3d1edfefd87235c8a9493df14cbb3
SHA512: 8ac519f885d7476845afd6a99330b5f1272327508e2f5e8ad8b113792a4e7e5ccbec34c84e5411dcda0d28f7e8b5e5156d7d1f1166f4f6f205e380431f60ec6d
-
Filesize: 1.7MB
MD5: 079962ec263c4b5b31b8d9e4c949a96a
SHA1: cd2c39c14e705765b559af182ca04d218b42df43
SHA256: 8980f2d5d3e4f3ac6ce8873c4d570e73216f63474f0d327d4748d737353ee379
SHA512: 2747e49885d752ad3543201e15601b11630e3a206e652144402db1a806305fd7363b3eab6913bb24300d5cdea7cf2fed576386a4f610144b7fcf819fb6c4de7b
-
Filesize: 1.7MB
MD5: ba58532ea25bf3c04924a2b24ef759b2
SHA1: 17cd30f58604639f0bffdf5162fdc2b1b563c85f
SHA256: d077dbf9174af2889111588142a1270fdc51c108ee4f53c9ed6bf4a4a8797095
SHA512: 231cb5bbf20f395d367648407918e8030d17e6062b04e00fcf73ccc314b099b04a766ef20c87b70e8c4bf8be08301c3d9ce0879f2ff7e0e66746092f88fcad9e
-
Filesize: 208KB
MD5: da5ac15a9c33aecf356e1822b841a221
SHA1: b3980dc0801d5168b7e1cfd39d8e011d4593e10f
SHA256: 1ab5e32dece3ad289a221b60665e8cc74394498744a274139fbd1865658da2eb
SHA512: 2416f726722aa101a180c8bcae9fdea9b9523279c61035b5195551ffec63008fda5b03475578ec8958ca84cfb4ddafaa00b6d1a7a956414619ff8dbd7394e468
-
Filesize: 244KB
MD5: 51128ba135ba596f3bb418b11c85c621
SHA1: bd3695af1424ae29dbdcdcd8c02ffb188fbd4b3a
SHA256: 1bdca5b67f7185f21ec03d18dbd58b07a49d88b0bacd1ea9ec79709de6e11dfa
SHA512: 9452dc9d55c1b6ef3136e446073b78138f6d55b6f4d681d82812fc053787e196f0057503b8f60f801a5f6f5d1f2523f951c3466879291eda04b813db6ecc2723
-
Filesize: 182KB
MD5: afbd6ca409e247fd0d76207e4c998fa7
SHA1: 9508cdf8f01a4f0cfa82da75ddaa2748a2d24874
SHA256: a8d6e8c954c37ac56704f7cadbbbf125969018396d23d8bcfc02f4d134fffc1e
SHA512: d359a64de49e4882c7bf153e035fd69a5ee90eb5003ddbda49aa597cc8d9223549d3cb43da9e2f0f9a8cf76c90dece70688cba4d0d2a11b3c570a0e17458988c
-
Filesize: 276KB
MD5: ccdac99c8ef02e35ede2f92e80a0dd64
SHA1: 45e8b44ffdb79da6c184ac73d644d3a7671236f0
SHA256: ddd610a65a9635a2b87b86ba8f668372f3e2218ad076b25a31e8f5f88fc5f788
SHA512: c2ba435b4c7d5cf54bd7bfee9e701aaec1af32babf27b3b91a1fe77021a367fc5e6ae900ee42368e3ede26d0522b85193c585a71659f4a4e8004d7b21ca09546