Analysis
- max time kernel: 150s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20231215-en locale:en-us os:windows10-2004-x64 system
- submitted: 21-01-2024 10:09
- Static task: static1
- Behavioral task: behavioral1
- Sample: 6d08db5aa8c6eec9c991d6a14bd58a5f.dll
- Resource: win7-20231215-en
General
- Target: 6d08db5aa8c6eec9c991d6a14bd58a5f.dll
- Size: 1.5MB
- MD5: 6d08db5aa8c6eec9c991d6a14bd58a5f
- SHA1: e2a82cb1cffee35083b1a7ff9461a7eb5fa6046c
- SHA256: b183bd1e5a5f6a08cdb529a91cb1a1049d1b0f9700f6a10bf3716e17acb79d43
- SHA512: 7d01b699b05e93f4cc671652dbf9c263dde5a16804d653fad4bca51c900cf58c72d58c58c0074377f5e9c7c647a1770bf9476e4f9393a5f099cc6613d7b9f3dd
- SSDEEP: 12288:yVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:vfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
- Processes (resource, yara_rule):
  behavioral2/memory/3468-4-0x0000000002620000-0x0000000002621000-memory.dmp  dridex_stager_shellcode
- Executes dropped EXE 3 IoCs
  Processes (pid, process):
  4460  msconfig.exe
  2096  sdclt.exe
  1104  SnippingTool.exe
- Loads dropped DLL 3 IoCs
  Processes (pid, process):
  4460  msconfig.exe
  2096  sdclt.exe
  1104  SnippingTool.exe
- Adds Run key to start application 2 TTPs 1 IoCs
  Processes (description, ioc, process):
  Set value (str)  \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mmiwstgfcubwacq = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\EUlJnF1n\\sdclt.exe"  (process name not captured)
- Processes (description, ioc, process):
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  msconfig.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  sdclt.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  SnippingTool.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe
- Suspicious behavior: EnumeratesProcesses 64 IoCs
  Processes (pid, process):
  2388  rundll32.exe  (listed 5 times)
  3468  (process name not captured; this pid accounts for the remaining entries)
- Suspicious use of UnmapMainImage 1 IoCs
  Processes (pid, process):
  3468  (process name not captured)
- Suspicious use of WriteProcessMemory 12 IoCs
  Processes (description, pid, process, target process):
  PID 3468 wrote to memory of 3300  3468  (not captured)  msconfig.exe
  PID 3468 wrote to memory of 3300  3468  (not captured)  msconfig.exe
  PID 3468 wrote to memory of 4460  3468  (not captured)  msconfig.exe
  PID 3468 wrote to memory of 4460  3468  (not captured)  msconfig.exe
  PID 3468 wrote to memory of 2472  3468  (not captured)  sdclt.exe
  PID 3468 wrote to memory of 2472  3468  (not captured)  sdclt.exe
  PID 3468 wrote to memory of 2096  3468  (not captured)  sdclt.exe
  PID 3468 wrote to memory of 2096  3468  (not captured)  sdclt.exe
  PID 3468 wrote to memory of 4056  3468  (not captured)  SnippingTool.exe
  PID 3468 wrote to memory of 4056  3468  (not captured)  SnippingTool.exe
  PID 3468 wrote to memory of 1104  3468  (not captured)  SnippingTool.exe
  PID 3468 wrote to memory of 1104  3468  (not captured)  SnippingTool.exe
- Uses Task Scheduler COM API 1 TTPs
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\6d08db5aa8c6eec9c991d6a14bd58a5f.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID: 2388
- C:\Windows\system32\msconfig.exe
  Command line: C:\Windows\system32\msconfig.exe
  PID: 3300
- C:\Windows\system32\sdclt.exe
  Command line: C:\Windows\system32\sdclt.exe
  PID: 2472
- C:\Windows\system32\SnippingTool.exe
  Command line: C:\Windows\system32\SnippingTool.exe
  PID: 4056
- C:\Users\Admin\AppData\Local\16Ctixbp\SnippingTool.exe
  Command line: C:\Users\Admin\AppData\Local\16Ctixbp\SnippingTool.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 1104
- C:\Users\Admin\AppData\Local\hgF\sdclt.exe
  Command line: C:\Users\Admin\AppData\Local\hgF\sdclt.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 2096
- C:\Users\Admin\AppData\Local\vlO3\msconfig.exe
  Command line: C:\Users\Admin\AppData\Local\vlO3\msconfig.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 4460
Network
MITRE ATT&CK Enterprise v15
Downloads