Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21-01-2024 07:25
- Static task: static1
- Behavioral task: behavioral1
- Sample: 6cb54ce97dda3423fb40360ebe2c88db.dll
- Resource: win7-20231215-en
General
- Target: 6cb54ce97dda3423fb40360ebe2c88db.dll
- Size: 1.4MB
- MD5: 6cb54ce97dda3423fb40360ebe2c88db
- SHA1: ff9700994ee0d483cf5b88fb1ae6529db9b38f17
- SHA256: 7b557ca1d1202e571ad469ccbb01f76cdbf54143444865fe520c01f413a60cdd
- SHA512: 9734892b590d61f9d50eba59bea46ab41be2dba1e4da9794f7a2d740b5093722f834dc9588d63a4528cea9d805197fab064e9f101f98b01f222f07e1e3804b9d
- SSDEEP: 12288:fkMZ+g4TyilMqFvPIV93i/S0hzmOBt5nihfSxI/mhjEvqJ0D/eAQsroXAkH64CQo:fkMZ+gf4ltGd8H1fYO0q2G1AhX
Malware Config
Signatures
-
Processes:
  resource                                                                          yara_rule
  behavioral2/memory/3520-3-0x00000000088D0000-0x00000000088D1000-memory.dmp        dridex_stager_shellcode
-
Processes:
  resource                                                                          yara_rule
  behavioral2/memory/868-1-0x0000000140000000-0x0000000140166000-memory.dmp         dridex_payload
  behavioral2/memory/3520-26-0x0000000140000000-0x0000000140166000-memory.dmp       dridex_payload
  behavioral2/memory/868-32-0x0000000140000000-0x0000000140166000-memory.dmp        dridex_payload
  behavioral2/memory/3520-38-0x0000000140000000-0x0000000140166000-memory.dmp       dridex_payload
  behavioral2/memory/3604-48-0x0000000140000000-0x0000000140167000-memory.dmp       dridex_payload
  behavioral2/memory/3604-52-0x0000000140000000-0x0000000140167000-memory.dmp       dridex_payload
  behavioral2/memory/4740-68-0x0000000140000000-0x0000000140167000-memory.dmp       dridex_payload
  behavioral2/memory/2584-86-0x0000000140000000-0x0000000140167000-memory.dmp       dridex_payload
Executes dropped EXE 3 IoCs
Processes:
  pid   process
  3604  mblctr.exe
  4740  CloudNotifications.exe
  2584  msinfo32.exe
-
Loads dropped DLL 3 IoCs
Processes:
  pid   process
  3604  mblctr.exe
  4740  CloudNotifications.exe
  2584  msinfo32.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Dturazvnnsjkgvr = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\kqloZD\\CLOUDN~1.EXE"
Checks whether UAC is enabled 4 IoCs
Processes:
  description         ioc                                                                                    process
  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   rundll32.exe
  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   mblctr.exe
  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   CloudNotifications.exe
  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   msinfo32.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
  pid   process                    events
  868   rundll32.exe               4
  3520  (no image name recorded)   60
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
  pid   process                    events
  3520  (no image name recorded)   2
-
Suspicious use of UnmapMainImage 1 IoCs
Processes:
  pid   process                    events
  3520  (no image name recorded)   1
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
  description                         pid   target pid   target process          events
  PID 3520 wrote to memory of 4108    3520  4108         mblctr.exe              2
  PID 3520 wrote to memory of 3604    3520  3604         mblctr.exe              2
  PID 3520 wrote to memory of 3048    3520  3048         CloudNotifications.exe  2
  PID 3520 wrote to memory of 4740    3520  4740         CloudNotifications.exe  2
  PID 3520 wrote to memory of 972     3520  972          msinfo32.exe            2
  PID 3520 wrote to memory of 2584    3520  2584         msinfo32.exe            2
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\6cb54ce97dda3423fb40360ebe2c88db.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID: 868
-
C:\Windows\system32\mblctr.exe
  command line: C:\Windows\system32\mblctr.exe
  PID: 4108
-
C:\Users\Admin\AppData\Local\faPMxHBR\mblctr.exe
  command line: C:\Users\Admin\AppData\Local\faPMxHBR\mblctr.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 3604
-
C:\Windows\system32\CloudNotifications.exe
  command line: C:\Windows\system32\CloudNotifications.exe
  PID: 3048
-
C:\Users\Admin\AppData\Local\FGLyklV4I\CloudNotifications.exe
  command line: C:\Users\Admin\AppData\Local\FGLyklV4I\CloudNotifications.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 4740
-
C:\Windows\system32\msinfo32.exe
  command line: C:\Windows\system32\msinfo32.exe
  PID: 972
-
C:\Users\Admin\AppData\Local\Pl7\msinfo32.exe
  command line: C:\Users\Admin\AppData\Local\Pl7\msinfo32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 2584
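The trace above shows the loader pattern in three steps: a legitimate Windows binary is started from System32, a copy of it is started from a freshly created folder under AppData\Local (where it loads a dropped DLL beside it), and a Run value pointing at an 8.3 short-name path under AppData\Roaming is written for persistence. The script below, an added example and not part of the sandbox report, turns those three observations into checks that can be run over process, WriteProcessMemory and Run-key records. The event records are constructed from the report's tables (pid 3520 has no image name in the report, so it is kept only as a writer), the function and field names are this script's own, and the short-name check is a heuristic on the "~N" component form rather than a lookup of the real long name.

```python
import ntpath
import re
from collections import defaultdict

WINDOWS_DIR = r"C:\Windows"

# Constructed from the report's process tree: pid -> image path.
PROCESSES = {
    868:  r"C:\Windows\system32\rundll32.exe",
    4108: r"C:\Windows\system32\mblctr.exe",
    3604: r"C:\Users\Admin\AppData\Local\faPMxHBR\mblctr.exe",
    3048: r"C:\Windows\system32\CloudNotifications.exe",
    4740: r"C:\Users\Admin\AppData\Local\FGLyklV4I\CloudNotifications.exe",
    972:  r"C:\Windows\system32\msinfo32.exe",
    2584: r"C:\Users\Admin\AppData\Local\Pl7\msinfo32.exe",
}

# Constructed from the report's WriteProcessMemory table: (writer pid, target pid).
MEMORY_WRITES = [(3520, 4108), (3520, 3604), (3520, 3048),
                 (3520, 4740), (3520, 972), (3520, 2584)]

# Constructed from the report's "Adds Run key" entry: (value name, data).
RUN_VALUES = [
    ("Dturazvnnsjkgvr",
     r"C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\kqloZD\CLOUDN~1.EXE"),
]

SHORT_NAME = re.compile(r"~\d+")  # 8.3 component such as MICROS~1 or CLOUDN~1.EXE


def is_under(path, root):
    """Case-insensitive check that path lies below directory root (Windows semantics)."""
    return ntpath.normcase(path).startswith(ntpath.normcase(root.rstrip("\\")) + "\\")


def find_relocated_system_binaries(processes, windows_dir=WINDOWS_DIR):
    """pid -> (image, pid of the System32 original) for processes whose image name
    matches a binary that ran from the Windows directory in the same trace but
    which itself executed from somewhere else: the side-loading host copies."""
    system_by_name = {ntpath.basename(img).lower(): pid
                      for pid, img in processes.items() if is_under(img, windows_dir)}
    hits = {}
    for pid, img in processes.items():
        name = ntpath.basename(img).lower()
        if name in system_by_name and not is_under(img, windows_dir):
            hits[pid] = (img, system_by_name[name])
    return hits


def find_staging_writers(memory_writes, processes, windows_dir=WINDOWS_DIR):
    """writer pid -> sorted image names for which that writer injected into both
    the System32 original and the relocated copy, i.e. the copy-then-sideload staging step."""
    seen = defaultdict(lambda: defaultdict(set))  # writer -> basename -> {"system","relocated"}
    for writer, target in memory_writes:
        img = processes.get(target)
        if img is None:  # target not in the process table; nothing to classify
            continue
        kind = "system" if is_under(img, windows_dir) else "relocated"
        seen[writer][ntpath.basename(img).lower()].add(kind)
    return {w: sorted(n for n, kinds in names.items() if kinds == {"system", "relocated"})
            for w, names in seen.items()}


def find_appdata_autoruns(run_values, user_profile=r"C:\Users\Admin"):
    """Run values whose target lives under the user's AppData, with a flag for 8.3
    short-name components, which hide the real folder name from a casual reader."""
    appdata = ntpath.join(user_profile, "AppData")
    out = []
    for name, data in run_values:
        target = data.strip('"')
        if is_under(target, appdata):
            out.append({"value": name, "target": target,
                        "uses_short_names": bool(SHORT_NAME.search(target))})
    return out


if __name__ == "__main__":
    for pid, (img, orig) in find_relocated_system_binaries(PROCESSES).items():
        print(f"relocated copy pid {pid}: {img} (original ran as pid {orig})")
    for writer, names in find_staging_writers(MEMORY_WRITES, PROCESSES).items():
        print(f"pid {writer} wrote into original and copy of: {', '.join(names)}")
    for hit in find_appdata_autoruns(RUN_VALUES):
        print(f"Run value {hit['value']} -> {hit['target']} (short names: {hit['uses_short_names']})")
```

On a live host the same three functions can be fed from Sysmon event ID 1 (process create), event ID 8/10 (remote thread and process access, as the closest available proxy for WriteProcessMemory) and event ID 13 (registry value set); the relocated-copy check is the most durable of the three because it depends only on a System32 basename appearing under a user-writable path, not on the random folder names the sample picks.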
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 59KB
MD5: b50dca49bc77046b6f480db6444c3d06
SHA1: cc9b38240b0335b1763badcceac37aa9ce547f9e
SHA256: 96e7e1a3f0f4f6fc6bda3527ab8a739d6dfcab8e534aa7a02b023daebb3c0775
SHA512: 2a0504ca336e86b92b2f5eff1c458ebd9df36c496331a7247ef0bb8b82eabd86ade7559ddb47ca4169e8365a97e80e5f1d3c1fc330364dea2450608bd692b1d3
-
Filesize: 1.4MB
MD5: ae929a0749157b4e066875db351711ef
SHA1: 8aa55d7d9b43225ce5f67b31332f56c35459520d
SHA256: b996bd4a19e143f16d6497f87abf72874f0afba80cf5374d24b0a3522556b082
SHA512: 3b5b6c85574e6bb6620cfc78c07b18101df0ef2e4e9d8f8f1affa83c0b8cfc4557a86338bed9467ddabcb6c7b98ebfd972cd1d0031ae927436629fabb8e39c34
-
Filesize: 1.4MB
MD5: e74399f942cf0cf81df1e8a4972bb8bb
SHA1: 13416b3359fb3b1ce03acca069454bb4c228b3f0
SHA256: db433f70692c1bb245625c99f1860d748aef2021c8918d5f1433ed12a043650a
SHA512: 09968cb2afead5f2626ed4c85471ffa0b80fab89066e4662dd07f86824a9873f149fa840950123989fe9fdee44649de6f52a7975da6d57ff29094ddfb4b459d0
-
Filesize: 376KB
MD5: 0aed91da63713bf9f881b03a604a1c9d
SHA1: b1b2d292cb1a4c13dc243b5eab13afb316a28b9a
SHA256: 5cf1604d2473661266e08fc0e4e144ea98f99b7584c43585eb2b01551130fd14
SHA512: 04bca9b321d702122b6e72c2ad15b7cd98924e5dfc3b8dd0e907ea28fd7826d3f72b98c67242b6698594df648d3c2b6b0952bb52a2363b687bbe44a66e830c03
-
Filesize: 1.4MB
MD5: 460853dc2d4eb8c6ef969468e96d4848
SHA1: 1cf879eaffda5e86c10851318b6aced388609191
SHA256: d5e632ebe0a5db834a209391c2ddf1ec91aad99a19e177d68daa51998b3ace26
SHA512: 481935aaf938dca27ff8fc91ea0d905db8c7d9036be72e2ac5eaa449ddfde7a8d074f9d20d51a11a1f850d11730c9f2a0e18ca3bfa99ea2455b573a45cd2182e
-
Filesize: 790KB
MD5: d3db14eabb2679e08020bcd0c96fa9f6
SHA1: 578dca7aad29409634064579d269e61e1f07d9dd
SHA256: 3baa1dc0756ebb0c2c70a31be7147863d8d8ba056c1aa7f979307f8790d1ff69
SHA512: 14dc895ae458ff0ca13d9c27aa5b4cfc906d338603d43389bb5f4429be593a587818855d1fe938f9ebebf46467fb0c1ab28247e8f9f5357098e8b822ecd8fffe
-
Filesize: 1KB
MD5: 5781c377a575cca0f6ccd8c4f819271e
SHA1: a597e54f8a469d0d446b9ddd972e0d092ba10b50
SHA256: be06a5bee37aafa22d4de6b983e214486a58322194fee0e74442535d5aa52261
SHA512: 12876b36027ea4745b731bdddd64990321166b8aec2fec233e806b5624b0631b956cdeb3be63f4ca8b0ea05cd7cc402bf98371d77715635f069a5ff5c3da4388