Analysis
- max time kernel: 150s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 21-01-2024 07:25
- Static task: static1
- Behavioral task: behavioral1
- Sample: 6cb54ce97dda3423fb40360ebe2c88db.dll
- Resource: win7-20231215-en
General
- Target: 6cb54ce97dda3423fb40360ebe2c88db.dll
- Size: 1.4MB
- MD5: 6cb54ce97dda3423fb40360ebe2c88db
- SHA1: ff9700994ee0d483cf5b88fb1ae6529db9b38f17
- SHA256: 7b557ca1d1202e571ad469ccbb01f76cdbf54143444865fe520c01f413a60cdd
- SHA512: 9734892b590d61f9d50eba59bea46ab41be2dba1e4da9794f7a2d740b5093722f834dc9588d63a4528cea9d805197fab064e9f101f98b01f222f07e1e3804b9d
- SSDEEP: 12288:fkMZ+g4TyilMqFvPIV93i/S0hzmOBt5nihfSxI/mhjEvqJ0D/eAQsroXAkH64CQo:fkMZ+gf4ltGd8H1fYO0q2G1AhX
Malware Config
Signatures
Processes:
resource | yara_rule
behavioral1/memory/1284-4-0x00000000029B0000-0x00000000029B1000-memory.dmp | dridex_stager_shellcode
Processes:
resource | yara_rule
behavioral1/memory/2156-1-0x0000000140000000-0x0000000140166000-memory.dmp | dridex_payload
behavioral1/memory/1284-26-0x0000000140000000-0x0000000140166000-memory.dmp | dridex_payload
behavioral1/memory/1284-38-0x0000000140000000-0x0000000140166000-memory.dmp | dridex_payload
behavioral1/memory/1284-37-0x0000000140000000-0x0000000140166000-memory.dmp | dridex_payload
behavioral1/memory/2156-46-0x0000000140000000-0x0000000140166000-memory.dmp | dridex_payload
behavioral1/memory/2552-55-0x0000000140000000-0x0000000140168000-memory.dmp | dridex_payload
behavioral1/memory/2552-59-0x0000000140000000-0x0000000140168000-memory.dmp | dridex_payload
behavioral1/memory/2900-73-0x0000000140000000-0x0000000140167000-memory.dmp | dridex_payload
behavioral1/memory/2900-79-0x0000000140000000-0x0000000140167000-memory.dmp | dridex_payload
behavioral1/memory/1620-95-0x0000000140000000-0x0000000140167000-memory.dmp | dridex_payload
Executes dropped EXE 3 IoCs
Processes:
pid | process
2552 | mfpmp.exe
2900 | sdclt.exe
1620 | MpSigStub.exe
Loads dropped DLL 7 IoCs
Processes:
pid | process
1284 | (no process name recorded)
2552 | mfpmp.exe
1284 | (no process name recorded)
2900 | sdclt.exe
1284 | (no process name recorded)
1620 | MpSigStub.exe
1284 | (no process name recorded)
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\Fskzoiv = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\QUICKL~1\\USERPI~1\\TaskBar\\LF64WV~1\\sdclt.exe" | (no process name recorded)
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | mfpmp.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sdclt.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | MpSigStub.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process
2156 | rundll32.exe (listed 3 times)
1284 | (no process name recorded; all remaining entries are this PID)
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
description | pid | process | target process
PID 1284 wrote to memory of 2668 | 1284 | (not recorded) | mfpmp.exe (listed 3 times)
PID 1284 wrote to memory of 2552 | 1284 | (not recorded) | mfpmp.exe (listed 3 times)
PID 1284 wrote to memory of 2872 | 1284 | (not recorded) | sdclt.exe (listed 3 times)
PID 1284 wrote to memory of 2900 | 1284 | (not recorded) | sdclt.exe (listed 3 times)
PID 1284 wrote to memory of 680 | 1284 | (not recorded) | MpSigStub.exe (listed 3 times)
PID 1284 wrote to memory of 1620 | 1284 | (not recorded) | MpSigStub.exe (listed 3 times)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\6cb54ce97dda3423fb40360ebe2c88db.dll,#1
  Signatures: Checks whether UAC is enabled; Suspicious behavior: EnumeratesProcesses
  PID: 2156
- C:\Windows\system32\mfpmp.exe
  Command line: C:\Windows\system32\mfpmp.exe
  PID: 2668
- C:\Users\Admin\AppData\Local\Qt2b\mfpmp.exe
  Command line: C:\Users\Admin\AppData\Local\Qt2b\mfpmp.exe
  Signatures: Executes dropped EXE; Loads dropped DLL; Checks whether UAC is enabled
  PID: 2552
- C:\Windows\system32\sdclt.exe
  Command line: C:\Windows\system32\sdclt.exe
  PID: 2872
- C:\Users\Admin\AppData\Local\EtSxOt\sdclt.exe
  Command line: C:\Users\Admin\AppData\Local\EtSxOt\sdclt.exe
  Signatures: Executes dropped EXE; Loads dropped DLL; Checks whether UAC is enabled
  PID: 2900
- C:\Windows\system32\MpSigStub.exe
  Command line: C:\Windows\system32\MpSigStub.exe
  PID: 680
- C:\Users\Admin\AppData\Local\WjMBoz\MpSigStub.exe
  Command line: C:\Users\Admin\AppData\Local\WjMBoz\MpSigStub.exe
  Signatures: Executes dropped EXE; Loads dropped DLL; Checks whether UAC is enabled
  PID: 1620
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1.2MB
  MD5: cdebd55ffbda3889aa2a8ce52b9dc097
  SHA1: 4b3cbfff5e57fa0cb058e93e445e3851063646cf
  SHA256: 61bd24487c389fc2b939ce000721677cc173bde0edcafccff81069bbd9987bfd
  SHA512: 2af69742e90d3478ae0a770b2630bfdc469077311c1f755f941825399b9a411e3d8d124126f59b01049456cddc01b237a3114847f1fe53f9e7d1a97e4ba36f13
- Filesize: 1.4MB
  MD5: c32ce7525de15e6eb63b26c0c273d43c
  SHA1: 489fc6280dde75311a22daad648d3e5a9911a510
  SHA256: 44041874034c58a8e8f9f3313c9e06d76471f9d644dec93503c897aa8efb1997
  SHA512: 699228baa764fcc1055eda917ccc32c99aaf2f94a5b4ed855717984028b3fea13beedce133d82296772d47fca0dd1e486a33b97ceefda811befa0a6504eb64c6
- Filesize: 1.4MB
  MD5: 16bb8e25d3d2f866cbf6826bb90fd325
  SHA1: ce86cea88918e556a9d0d2061c332da8e7513623
  SHA256: f4a8f6ec846b2fbe5edf0dc402093eceb69b87819e58953cada2d3c410c1476b
  SHA512: 53321d6e37c9be3be9970ec3a69d84c049e022d071e47a03b922149b453493f531eb4f2afbaee0110d2ba4b87414c653015dd7f85d31fb41848063891b6bee72
- Filesize: 1.4MB
  MD5: 48ed0fa711c99b5dd370d33fd7283d7e
  SHA1: afc37df20ce5ebeff233832df9e90027589efddb
  SHA256: 02381d7d554ad7da5ee83db9cb0de32a4c83a05525750c8a89d8152a383725be
  SHA512: c6a8e79fc63d5354221e45ea9e2cde1e079f4916f0cb53377b131f3d477fcb3d6650f79cd10fa8331e36947e335c032755027db07916d0c40d55c56553082935
- Filesize: 1KB
  MD5: 1cde2d6dc7469e7f514022416b21c591
  SHA1: a44973270b8a46b7aecc96a9869b81763b3eb46c
  SHA256: 11378e5f61bc41ae20055296f8767c491f1d8faa606269983c63104c2e0aa552
  SHA512: 05217c9f5c6a742fd4ef48d3e9927f94b426e56e9db036716249780faba38c08b42fed5192d5b01b5eaffdc34b7c97ec188acae5c10e73b6674ad0fb55af0e09
- Filesize: 24KB
  MD5: 2d8600b94de72a9d771cbb56b9f9c331
  SHA1: a0e2ac409159546183aa45875497844c4adb5aac
  SHA256: 7d8d8918761b8b6c95758375a6e7cf7fb8e43abfdd3846476219883ef3f8c185
  SHA512: 3aaa6619f29434c294b9b197c3b86fdc5d88b0254c8f35f010c9b5f254fd47fbc3272412907e2a5a4f490bda2acfbbd7a90f968e25067abf921b934d2616eafc
- Filesize: 264KB
  MD5: 2e6bd16aa62e5e95c7b256b10d637f8f
  SHA1: 350be084477b1fe581af83ca79eb58d4defe260f
  SHA256: d795968b8067bb610033fa4a5b21eb2f96cef61513aba62912b8eb5c6a5ff7b3
  SHA512: 1f37150f6bcbe0df54bb85a5ad585824cea9332baa9be1649a95c1dfb41723de85c09d98fb2ca8261a49c2184d3bda638b84b2b7b60b97fe42a15ab1620a2542