Analysis
- max time kernel: 152s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21-01-2024 01:01
Static task: static1
Behavioral task: behavioral1
- Sample: 6bf2b8dfb0ae1a87d53b7df0eba45900.dll
- Resource: win7-20231215-en
General
- Target: 6bf2b8dfb0ae1a87d53b7df0eba45900.dll
- Size: 1.7MB
- MD5: 6bf2b8dfb0ae1a87d53b7df0eba45900
- SHA1: 21fd1716131f7cb2c2558cca781bdd40ebe582f5
- SHA256: 040d5692e18f3667089d59f660741709390f41f201dd0f2d879ec90e47435a97
- SHA512: e773f27dce2811185f20ae0e4c26dfa68c75b12fa31f8930360132b51ae654dc3ba61d573d34cd1004865699f61475d59759a7d9e3db486c57db7c1ec7987f87
- SSDEEP: 12288:tVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:0fP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
Yara rule match: dridex_stager_shellcode
- resource: behavioral2/memory/3552-4-0x0000000000F90000-0x0000000000F91000-memory.dmp
Executes dropped EXE (4 IoCs)
- PID 2468 sessionmsg.exe
- PID 4296 consent.exe
- PID 2340 SppExtComObj.Exe
- PID 3664 mblctr.exe
Loads dropped DLL (3 IoCs)
- PID 2468 sessionmsg.exe
- PID 2340 SppExtComObj.Exe
- PID 3664 mblctr.exe
Adds Run key to start application (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Loeeeopgcaia = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Office\\Recent\\9Apeh8FC6\\SppExtComObj.Exe"
Checks whether UAC is enabled (4 IoCs)
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA by rundll32.exe
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA by sessionmsg.exe
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA by SppExtComObj.Exe
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA by mblctr.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
- PID 2044 rundll32.exe (4 events)
- PID 3552, no image name recorded in the report (60 events)
Suspicious use of AdjustPrivilegeToken (8 IoCs)
- PID 3552: SeShutdownPrivilege (4 events), SeCreatePagefilePrivilege (4 events)
Suspicious use of FindShellTrayWindow (2 IoCs)
- PID 3552 (2 events)
Suspicious use of WriteProcessMemory (16 IoCs)
- PID 3552 wrote to memory of PID 3416 (sessionmsg.exe), 2 events
- PID 3552 wrote to memory of PID 2468 (sessionmsg.exe), 2 events
- PID 3552 wrote to memory of PID 4992 (consent.exe), 2 events
- PID 3552 wrote to memory of PID 4296 (consent.exe), 2 events
- PID 3552 wrote to memory of PID 2168 (SppExtComObj.Exe), 2 events
- PID 3552 wrote to memory of PID 2340 (SppExtComObj.Exe), 2 events
- PID 3552 wrote to memory of PID 2500 (mblctr.exe), 2 events
- PID 3552 wrote to memory of PID 3664 (mblctr.exe), 2 events
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\rundll32.exe (PID 2044)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\6bf2b8dfb0ae1a87d53b7df0eba45900.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\sessionmsg.exe (PID 3416)
  command line: C:\Windows\system32\sessionmsg.exe
- C:\Users\Admin\AppData\Local\Hdq7E\sessionmsg.exe (PID 2468)
  command line: C:\Users\Admin\AppData\Local\Hdq7E\sessionmsg.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Users\Admin\AppData\Local\6JQ3J7Ek\consent.exe (PID 4296)
  command line: C:\Users\Admin\AppData\Local\6JQ3J7Ek\consent.exe
  - Executes dropped EXE
- C:\Windows\system32\SppExtComObj.Exe (PID 2168)
  command line: C:\Windows\system32\SppExtComObj.Exe
- C:\Windows\system32\mblctr.exe (PID 2500)
  command line: C:\Windows\system32\mblctr.exe
- C:\Users\Admin\AppData\Local\IFt4W1tIe\SppExtComObj.Exe (PID 2340)
  command line: C:\Users\Admin\AppData\Local\IFt4W1tIe\SppExtComObj.Exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Users\Admin\AppData\Local\AYzwzV\mblctr.exe (PID 3664)
  command line: C:\Users\Admin\AppData\Local\AYzwzV\mblctr.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\consent.exe (PID 4992)
  command line: C:\Windows\system32\consent.exe
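The process tree above shows the same sequence four times: a genuine Windows binary is started from System32, then a same-named copy is started from a randomly named directory under AppData\Local, and three of those copies load a dropped DLL from that directory; the Run key written under HKCU then points at yet another copy under AppData\Roaming. What follows is an added example, not part of the sandbox report, of detection logic for that pattern run over constructed Sysmon-style events that mirror the tree and signatures above. The event field names are assumptions, and "placeholder.dll" stands in for the dropped DLL, whose file name the report does not record.

```python
import ntpath

# Directories from which Windows system binaries are expected to execute.
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")

# Seed set of image names abused in the report. Any other name observed
# executing from a system directory in the same log is added automatically.
SEED_SYSTEM_IMAGES = {"sessionmsg.exe", "consent.exe", "sppextcomobj.exe", "mblctr.exe"}

# Constructed Sysmon-style events mirroring the report's process tree and
# signatures (1 = process create, 7 = image load, 13 = registry value set).
# Field names are assumptions; "placeholder.dll" stands in for the dropped
# DLL, whose file name the report does not record.
LOG = [
    {"id": 1, "pid": 2044, "ppid": 0, "image": r"C:\Windows\system32\rundll32.exe"},
    {"id": 1, "pid": 3416, "ppid": 3552, "image": r"C:\Windows\system32\sessionmsg.exe"},
    {"id": 1, "pid": 2468, "ppid": 3552, "image": r"C:\Users\Admin\AppData\Local\Hdq7E\sessionmsg.exe"},
    {"id": 7, "pid": 2468, "image": r"C:\Users\Admin\AppData\Local\Hdq7E\sessionmsg.exe",
     "loaded": r"C:\Users\Admin\AppData\Local\Hdq7E\placeholder.dll"},
    {"id": 1, "pid": 4992, "ppid": 3552, "image": r"C:\Windows\system32\consent.exe"},
    {"id": 1, "pid": 4296, "ppid": 3552, "image": r"C:\Users\Admin\AppData\Local\6JQ3J7Ek\consent.exe"},
    {"id": 1, "pid": 2168, "ppid": 3552, "image": r"C:\Windows\system32\SppExtComObj.Exe"},
    {"id": 1, "pid": 2340, "ppid": 3552, "image": r"C:\Users\Admin\AppData\Local\IFt4W1tIe\SppExtComObj.Exe"},
    {"id": 7, "pid": 2340, "image": r"C:\Users\Admin\AppData\Local\IFt4W1tIe\SppExtComObj.Exe",
     "loaded": r"C:\Users\Admin\AppData\Local\IFt4W1tIe\placeholder.dll"},
    {"id": 1, "pid": 2500, "ppid": 3552, "image": r"C:\Windows\system32\mblctr.exe"},
    {"id": 1, "pid": 3664, "ppid": 3552, "image": r"C:\Users\Admin\AppData\Local\AYzwzV\mblctr.exe"},
    {"id": 7, "pid": 3664, "image": r"C:\Users\Admin\AppData\Local\AYzwzV\mblctr.exe",
     "loaded": r"C:\Users\Admin\AppData\Local\AYzwzV\placeholder.dll"},
    # Benign control: the genuine binary loading a system DLL must not fire.
    {"id": 7, "pid": 3416, "image": r"C:\Windows\system32\sessionmsg.exe",
     "loaded": r"C:\Windows\system32\kernel32.dll"},
    {"id": 13, "pid": 3552,
     "target": r"HKU\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Loeeeopgcaia",
     "details": r"C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\9Apeh8FC6\SppExtComObj.Exe"},
]


def _dir(path):
    return ntpath.dirname(path).lower()


def _name(path):
    return ntpath.basename(path).lower()


def relocated_system_binaries(events):
    """Process creations where a system image name runs outside a system
    directory: the copied host binaries used for side-loading."""
    known = set(SEED_SYSTEM_IMAGES)
    for e in events:
        if e["id"] == 1 and _dir(e["image"]) in SYSTEM_DIRS:
            known.add(_name(e["image"]))
    return [
        {"pid": e["pid"], "ppid": e["ppid"], "image": e["image"]}
        for e in events
        if e["id"] == 1 and _name(e["image"]) in known and _dir(e["image"]) not in SYSTEM_DIRS
    ]


def sideloaded_dlls(events):
    """Image loads where a relocated system binary pulls a DLL from its own
    non-system directory, the hallmark of DLL search-order hijacking."""
    suspect = {h["pid"] for h in relocated_system_binaries(events)}
    return [
        {"pid": e["pid"], "image": e["image"], "dll": e["loaded"]}
        for e in events
        if e["id"] == 7 and e["pid"] in suspect
        and _dir(e["loaded"]) == _dir(e["image"]) and _dir(e["loaded"]) not in SYSTEM_DIRS
    ]


def run_keys_into_profile(events):
    """Run-key values whose data points into a user profile AppData path."""
    hits = []
    for e in events:
        if e["id"] != 13:
            continue
        key, data = e["target"].lower(), e["details"].lower()
        if "\\currentversion\\run\\" in key and "\\appdata\\" in data:
            hits.append({"value_name": ntpath.basename(e["target"]), "path": e["details"]})
    return hits


def common_parent(hits):
    """Single parent PID behind every relocated copy, if there is one; in the
    report that is PID 3552, the unnamed process that wrote into each child."""
    parents = {h["ppid"] for h in hits}
    return parents.pop() if len(parents) == 1 else None


if __name__ == "__main__":
    copies = relocated_system_binaries(LOG)
    for h in copies:
        print("system binary outside system dir:", h["pid"], h["image"])
    for h in sideloaded_dlls(LOG):
        print("side-loaded DLL:", h["pid"], h["dll"])
    for h in run_keys_into_profile(LOG):
        print("Run key persistence:", h["value_name"], "->", h["path"])
    print("common parent of the copies:", common_parent(copies))
```

The three checks are deliberately independent: the relocated-binary rule fires on process creation alone (it catches consent.exe at PID 4296, which the report does not show loading a dropped DLL), the image-load rule confirms the hijack for the copies that did load one, and the Run-key rule catches the persistence path even when it points at a directory no process has executed from yet. The seed list plus "learn names seen under System32" keeps the rule from depending on a hard-coded list of the four binaries this particular sample chose.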
Network
MITRE ATT&CK Enterprise v15
Downloads
Note: the last three entries are 1.7MB, the same size as the submitted DLL, but carry different hashes, so a hash-based block on the submitted sample alone would not match the dropped copies.
- Filesize: 162KB
  MD5: 6646631ce4ad7128762352da81f3b030
  SHA1: 1095bd4b63360fc2968d75622aa745e5523428ab
  SHA256: 56b2d516376328129132b815e22379ae8e7176825f059c9374a33cc844482e64
  SHA512: 1c00ed5d8568f6ebd119524b61573cfe71ca828bd8fbdd150158ec8b5db65fa066908d120d201fce6222707bcb78e0c1151b82fdc1dccf3ada867cb810feb6da
- Filesize: 194KB
  MD5: 289f2848ef9d24b3ea00092a6d4533f8
  SHA1: 7f7d19bbcb7863cea350bb5309e9b4fed6acf30a
  SHA256: af2f900a3de0b85166c99393551d303f2fd5859234aadc764768000a4d6a915c
  SHA512: 585817c78a64cc37f1ee9a0bcd0db8e55a022d20734f972d9a17fc05201e52f6e455f1f305786fb1e5102e9ecaa1eb97f29fc96f900e8ab6b77f43075e8af417
- Filesize: 242KB
  MD5: 882347c1b447d106cf94258c04835248
  SHA1: e21334f3ece6f76ea14c38400ae607fa2ad0a6e4
  SHA256: 86f173b7152ef5db22483ba5bccd74374d7ff615bdcf6e5fd76c4d4e87928e84
  SHA512: a0f2a63ff139b10a86de465d4e9c0b76843d472156df8ab79f5db4222a92baeded4bb460040921435f689df19b3b4bc3ff73a375fb218d7827191a9fdda45f1b
- Filesize: 149KB
  MD5: e7398b4378c9ae087d680836893b0e7f
  SHA1: 8a547a9bd5a1d56efd37bab774d77edbd2380364
  SHA256: a5ea5969e2e27b06a7dbf313a3ec29352d121552b22a90077c82d6adb967762c
  SHA512: c726ba04b6e87b260e24f4371c3475855b98ac5c1f2fdcdcdcc23fcc5b7994effddd8c6638143c7322081184911231d9117572e7f9553437662a14b402c609b1
- Filesize: 128KB
  MD5: 80f06d5105497a698a4dd58003a72474
  SHA1: 32c3ee2da3ef7150d3771e1f751507c86fd37dc7
  SHA256: 1030fc0e4f555791acf128d5c083b1b769ebb5ce3b16a4ee128eeabf6acb64e8
  SHA512: d267cad0b80b18773f5720dcb2fa87081a810afa39729012d47d54a01ca414276190c2c5c07d2940c8ae3afcd739c452f158371a56d135aac4c22fe0e5a9d529
- Filesize: 200KB
  MD5: 3ecaa73db340e8c72f04b5d846fca7ca
  SHA1: a8c71ff5ef401db413e39a51355b27f4a9636339
  SHA256: 0f9ab8c86592a6f22c890734e5dd856fff622a489150773170c5fa6f12cb0f15
  SHA512: a83b6e62ba6e9eb106465dd340ad4851c4272928759a9f66dde10e4863ea0c81ca24aa35ab8216d6cbdea726c3f2c517cfaf81a0c55efde0f4eecab09e658365
- Filesize: 192KB
  MD5: 3cf5410bf3c4e84a07a130be752e3a60
  SHA1: 90ebd2ee19fef8b5b83741c6a64b5e6a3ee3553e
  SHA256: 137e1017e3b089328277f18c70b551da675eebef81656b6ab8b3c4560a619749
  SHA512: 0a59e7bfa8593a36f5a99d34b7c2bec32a0204bc9d5494b8a586589c654fab20acabf6c12fe8c2b21eac5de0d7fd0d8cb2ab57e19a4147fb9203adf432feadb4
- Filesize: 85KB
  MD5: 480f710806b68dfe478ca1ec7d7e79cc
  SHA1: b4fc97fed2dbff9c4874cb65ede7b50699db37cd
  SHA256: 2416cd4aa577dbb2f8790a61e36fbab2b30bff81a4e1f67a5151c2fec29585bc
  SHA512: 29d3d234ebc45049a533b6a91b246ac043a56b9af67276aaf493b014ae34d73000f99a6b0c0b85d2dfb7fba54811cf8bbdfd167a9eed01a8617b7f05bf2971db
- Filesize: 64KB
  MD5: c9f6e6682e4e91ed12a1dc3d21e62efb
  SHA1: 1ebe640e53ac67e5e7a1943bc43443de3642db62
  SHA256: e81c36d1ad40f292541d4783038c65e6f61d95b3486535ccd55a90e3bc8352e6
  SHA512: 0f7b7db1b391e6092ed16f0a4f63479257fdec59aebbb8bcc2d9ae737f921ac9b80e3951d225700c61dd77595e1c6c5afb515664ec1cd8e8eee0199edd28cc6f
- Filesize: 15KB
  MD5: b74c410efc0be2c402004decd33780d6
  SHA1: aa560f031e4f9023d4845710010c5a0d93011821
  SHA256: 86b6009efb0312b0896da5f5bb56b21d2ff15e442f4e6b1a08e5af1495303ec2
  SHA512: 0c95747b0a6b9c7a5ce2ff722fd450f9d8639c9e176159bba8a97314edba185839ceb207989bc0954d77401295b2791d8be4fe5252ba8a52a8dff8c3ac61699a
- Filesize: 23KB
  MD5: 4bdbe0723e3d0850febbf8c524bbaaae
  SHA1: 6e8698f2392aaf02440e679e6baaaec1d4a163c8
  SHA256: 72e5ff540de63737ab98ed58e5f9e2136dd96eb91481c131c76714a4fe9a0630
  SHA512: b0e9aa0494059e87c5dd0aed546b8c32583539b85a4c8ea2ef245b9ac648c5f8769e55bcd08dd336f028355f5cf05d151828e2ba19ad988c549542ba9055a838
- Filesize: 68KB
  MD5: f4ffd37463488cd21b73810e7cfa46df
  SHA1: baba51e90b5b75bc2376bf83d370aded220197e0
  SHA256: e605ec1915b24c19aba48f62b26e8255b7f5cf1e9946f4ba2cf2f3afb5d1d6ad
  SHA512: f4b985d86ce91477beb3ffb96706318890567e22727a138095d162071b734ce5e082bff77f4f5eab147bd72514a856a15f7416e8f8806b620cdfb99f1d5bcd45
- Filesize: 1KB
  MD5: e4f980761d4b2f50131e45abd59d7a60
  SHA1: 46395e85449028a574e26fa3c7fa2ac850a9cd56
  SHA256: bbec79f875831f6a9f1be483ad71395b715ed75e5a7da4a02bc51d45c4624aa1
  SHA512: 9cefa29f4ed047545df2841ef00cfd6ca3c86f24423febb2de6e9d6c4b8dffb567373d630c058bbe864b7a726e05a01aa0aaeac585ac26328c91ca92199d2183
- Filesize: 1.7MB
  MD5: 7d2492ee437fb311530ccb848975db4b
  SHA1: 8f6e81c3ed775887a359f81332f186ca916f373d
  SHA256: 53807ab411bcc7b41622999af736d045858069ff96dcbb11b77ef3cdccba7040
  SHA512: f303441759c9efce6c8b1b24f349d515496962646ef63e982cfc62fcecdaaefedc3077da12b4276b2ed89df1524e7406f0fa9b3e185a5ccabb7f70a554d5837e
- Filesize: 1.7MB
  MD5: 0bc88fc73b87d666758fb6bf0c1ccfdd
  SHA1: 8ab7c6cc57acd6583d6bb2c75cd2997d0626a80e
  SHA256: c7fe682588c725ac2cc45f7280e84e6c5b19383683f1ffc3b288b306e9aa393f
  SHA512: e3405478899b567035e6d2781c3a3573a4f43c1db214cbecf61580d375d7e0277ffae7ae89f132b66cc643ebefb04e386b13bd1f31c01e5d12d4c11c7b3be800
- Filesize: 1.7MB
  MD5: af21885de1e84dddf5e04757b7c2623f
  SHA1: 9d7682f0993b6eac54949958de60c50df7848b52
  SHA256: 852dde5ad8c75257a87fa6dc69b5ad6d802873b31ecc4e667124b085c41d9ac9
  SHA512: 23e6ed8831a251544cd8592f4637faaed813cabe719cb007c4a6db81c7d5e27477c55fcf54807002b8bc77997e4430710868f03f9532d9176432d52ff8421e87