Analysis
- max time kernel: 150s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 22-01-2024 02:52

Static task: static1
Behavioral task: behavioral1
  Sample: 6e878d3bec87e1562cd7b8f267d6511c.dll
  Resource: win7-20231215-en
General
- Target: 6e878d3bec87e1562cd7b8f267d6511c.dll
- Size: 1.4MB
- MD5: 6e878d3bec87e1562cd7b8f267d6511c
- SHA1: 5babe29f33e7fb0f4d7327d937e71373645490e8
- SHA256: 9e34e48ce49ec56aa42b037c0bb4dee15418333d5374dbb3084a0787d254f2a5
- SHA512: 6358e14c1008bc891540650adfaf3afe328ce4306e30f5b4e9363f5609c090c13caa106322e0b64e17158d881aacd545e8d03b0e1f9a3652d0e7968539df67cd
- SSDEEP: 12288:lVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:8fP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
- Yara rule match
  Processes:
    resource                                                                     yara_rule
    behavioral1/memory/1348-5-0x00000000025C0000-0x00000000025C1000-memory.dmp   dridex_stager_shellcode
- Executes dropped EXE (3 IoCs)
  Processes:
    pid    process
    2476   rdpclip.exe
    2540   MpSigStub.exe
    1196   AdapterTroubleshooter.exe
- Loads dropped DLL (7 IoCs)
  Processes:
    pid    process
    1348   -
    2476   rdpclip.exe
    1348   -
    2540   MpSigStub.exe
    1348   -
    1196   AdapterTroubleshooter.exe
    1348   -
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
    description       ioc
    Set value (str)   \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\Zqonzshwxyr = "C:\\Users\\Admin\\AppData\\Roaming\\MACROM~1\\FLASHP~1\\MACROM~1.COM\\support\\lu\\MPSIGS~1.EXE"
- Checks whether UAC is enabled
  Processes:
    description         ioc                                                                              process
    Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   AdapterTroubleshooter.exe
    Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   rundll32.exe
    Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   rdpclip.exe
    Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   MpSigStub.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
    pid    process         entries
    2644   rundll32.exe    3
    1348   -               61 (all remaining entries)
- Suspicious use of WriteProcessMemory (18 IoCs)
  Processes (each row is recorded 3 times in the report):
    description                        pid    process   target process
    PID 1348 wrote to memory of 2808   1348   -         rdpclip.exe
    PID 1348 wrote to memory of 2476   1348   -         rdpclip.exe
    PID 1348 wrote to memory of 2440   1348   -         MpSigStub.exe
    PID 1348 wrote to memory of 2540   1348   -         MpSigStub.exe
    PID 1348 wrote to memory of 1616   1348   -         AdapterTroubleshooter.exe
    PID 1348 wrote to memory of 1196   1348   -         AdapterTroubleshooter.exe
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\rundll32.exe (PID 2644)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\6e878d3bec87e1562cd7b8f267d6511c.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\rdpclip.exe (PID 2808)
  Command line: C:\Windows\system32\rdpclip.exe
- C:\Users\Admin\AppData\Local\gXwt2no\rdpclip.exe (PID 2476)
  Command line: C:\Users\Admin\AppData\Local\gXwt2no\rdpclip.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\MpSigStub.exe (PID 2440)
  Command line: C:\Windows\system32\MpSigStub.exe
- C:\Users\Admin\AppData\Local\M1lXF8\MpSigStub.exe (PID 2540)
  Command line: C:\Users\Admin\AppData\Local\M1lXF8\MpSigStub.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\AdapterTroubleshooter.exe (PID 1616)
  Command line: C:\Windows\system32\AdapterTroubleshooter.exe
- C:\Users\Admin\AppData\Local\lWDq\AdapterTroubleshooter.exe (PID 1196)
  Command line: C:\Users\Admin\AppData\Local\lWDq\AdapterTroubleshooter.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
Network
MITRE ATT&CK Enterprise v15
Downloads