Analysis

max time kernel: 150s
max time network: 121s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 23-01-2024 22:19

Static task: static1
Behavioral task: behavioral1
Sample: 70b4e740a07d198ec5ac903eaed6ff43.dll
Resource: win7-20231215-en

General

Target: 70b4e740a07d198ec5ac903eaed6ff43.dll
Size: 2.0MB
MD5: 70b4e740a07d198ec5ac903eaed6ff43
SHA1: 7f30bccf96428c20875a437c2995388987fa2e84
SHA256: 718a533c6fd5cccfb5c4afd72ad1d850327a0b4e6a37aed68679e7bb4afce5ce
SHA512: c0e2e1771108c56358814da4618a4d6c5fdfcb3e8ad536e6ecbb1c12afb47819f7a3c5770b4033e73011dd117249474fb6ac44bb017c041b2f5c289ebd74834e
SSDEEP: 12288:uVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1+o6:zfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
- YARA rule match
  Processes:
    resource: behavioral1/memory/1144-5-0x0000000002E10000-0x0000000002E11000-memory.dmp
    yara_rule: dridex_stager_shellcode
- Executes dropped EXE 3 IoCs
  Processes:
    pid   process
    1664  sdclt.exe
    2844  rekeywiz.exe
    1712  WFS.exe
- Loads dropped DLL 7 IoCs
  Processes:
    pid   process
    1144  (the report records no image name for PID 1144)
    1664  sdclt.exe
    1144
    2844  rekeywiz.exe
    1144
    1712  WFS.exe
    1144
- Adds Run key to start application 2 TTPs 1 IoCs
  Processes:
    description: Set value (str)
    ioc: \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rtxtioiynm = "C:\Users\Admin\AppData\Roaming\Adobe\FLASHP~1\ASSETC~1\44URQ43K\31\rekeywiz.exe"
    process: (not recorded)
- Checks whether UAC is enabled 4 IoCs
  Processes:
    description        ioc                                                                                    process
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  sdclt.exe
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rekeywiz.exe
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  WFS.exe
- Suspicious behavior: EnumeratesProcesses 64 IoCs
  Processes:
    pid   process
    1940  rundll32.exe   (3 entries)
    1144  (no image name recorded; the remaining 61 entries)
- Suspicious use of WriteProcessMemory 18 IoCs
  Processes:
    description                       pid   process  target process
    PID 1144 wrote to memory of 2680  1144  -        sdclt.exe      (3 entries)
    PID 1144 wrote to memory of 1664  1144  -        sdclt.exe      (3 entries)
    PID 1144 wrote to memory of 1688  1144  -        rekeywiz.exe   (3 entries)
    PID 1144 wrote to memory of 2844  1144  -        rekeywiz.exe   (3 entries)
    PID 1144 wrote to memory of 280   1144  -        WFS.exe        (3 entries)
    PID 1144 wrote to memory of 1712  1144  -        WFS.exe        (3 entries)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

All seven entries sit at depth 1 of the report's tree; PID 1144, which the WriteProcessMemory table shows writing into each of them, is not itself a tree node.

- C:\Windows\system32\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\70b4e740a07d198ec5ac903eaed6ff43.dll,#1
    PID: 1940
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\sdclt.exe
    command line: C:\Windows\system32\sdclt.exe
    PID: 2680
- C:\Users\Admin\AppData\Local\2gBC6gHGV\sdclt.exe
    command line: C:\Users\Admin\AppData\Local\2gBC6gHGV\sdclt.exe
    PID: 1664
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks whether UAC is enabled
- C:\Users\Admin\AppData\Local\1mE5tc\rekeywiz.exe
    command line: C:\Users\Admin\AppData\Local\1mE5tc\rekeywiz.exe
    PID: 2844
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks whether UAC is enabled
- C:\Windows\system32\rekeywiz.exe
    command line: C:\Windows\system32\rekeywiz.exe
    PID: 1688
- C:\Windows\system32\WFS.exe
    command line: C:\Windows\system32\WFS.exe
    PID: 280
- C:\Users\Admin\AppData\Local\Pse2t\WFS.exe
    command line: C:\Users\Admin\AppData\Local\Pse2t\WFS.exe
    PID: 1712
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks whether UAC is enabled
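Read together with the signature tables, the tree shows the same pattern three times: sdclt.exe, rekeywiz.exe and WFS.exe are each launched once from C:\Windows\system32 and once from a freshly named directory under C:\Users\Admin\AppData\Local, and only the AppData copy is the one that "Loads dropped DLL". The Run key then points yet another rekeywiz.exe copy under AppData\Roaming, stored with 8.3 short-name components (FLASHP~1, ASSETC~1). The Python below is an added hunting example, not part of the sandbox report or of any sandbox tooling; it turns those observations into checks run over process-creation and Run-key records constructed from the report's own IoCs. The record field names (pid, image) and the SYSTEM_BINARIES set are assumptions.

```python
"""Hunting checks for the side-loading and Run-key persistence pattern above.

Added example, not part of the sandbox report or its tooling. The records
below are constructed from the report's process tree and Run-key IoC; the
field names ("pid", "image") and SYSTEM_BINARIES are assumptions.
"""
import ntpath
import re

# Names the report shows copied out of System32. In production, build this
# set from an inventory of the real System32 directory instead of hardcoding.
SYSTEM_BINARIES = {"sdclt.exe", "rekeywiz.exe", "wfs.exe", "rundll32.exe"}
TRUSTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
USER_WRITABLE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\(local|roaming)\\", re.I)
SHORT_NAME = re.compile(r"~\d+(\\|$)")  # 8.3 components such as FLASHP~1

# Constructed from the report's process tree (image paths and PIDs as listed).
PROCESS_EVENTS = [
    {"pid": 1940, "image": r"C:\Windows\system32\rundll32.exe"},
    {"pid": 2680, "image": r"C:\Windows\system32\sdclt.exe"},
    {"pid": 1664, "image": r"C:\Users\Admin\AppData\Local\2gBC6gHGV\sdclt.exe"},
    {"pid": 2844, "image": r"C:\Users\Admin\AppData\Local\1mE5tc\rekeywiz.exe"},
    {"pid": 1688, "image": r"C:\Windows\system32\rekeywiz.exe"},
    {"pid": 280, "image": r"C:\Windows\system32\WFS.exe"},
    {"pid": 1712, "image": r"C:\Users\Admin\AppData\Local\Pse2t\WFS.exe"},
]

# The Run value from the report, with its doubled backslashes collapsed.
RUN_VALUE = {
    "name": "Rtxtioiynm",
    "data": r'"C:\Users\Admin\AppData\Roaming\Adobe\FLASHP~1\ASSETC~1\44URQ43K\31\rekeywiz.exe"',
}


def normalise(path):
    """Strip quotes and lower-case so Run data and image paths compare alike."""
    return path.strip().strip('"').lower()


def masquerading_system_binary(image_path):
    """True when a System32 binary name runs from anywhere but the trusted dirs."""
    p = normalise(image_path)
    return ntpath.basename(p) in SYSTEM_BINARIES and ntpath.dirname(p) not in TRUSTED_DIRS


def flag_processes(events):
    """PIDs whose image is a relocated system binary, in event order."""
    return [e["pid"] for e in events if masquerading_system_binary(e["image"])]


def paired_copies(events):
    """Basenames launched both from a trusted dir and from elsewhere in one trace.

    This is the staging signature seen in the report: the genuine binary and
    its relocated copy both appear, and only the copy side-loads a DLL from
    its own directory.
    """
    seen = {}
    for e in events:
        p = normalise(e["image"])
        base = ntpath.basename(p)
        if base not in SYSTEM_BINARIES:
            continue
        bucket = "trusted" if ntpath.dirname(p) in TRUSTED_DIRS else "copy"
        seen.setdefault(base, {"trusted": [], "copy": []})[bucket].append(e["pid"])
    return {b: v for b, v in seen.items() if v["trusted"] and v["copy"]}


def flag_run_value(name, data):
    """Score a Run value.

    An AppData target alone is a weak signal (many legitimate updaters do it);
    AppData plus a system-binary name is the side-loading persistence signal.
    The short-name flag matters for hunting: the stored string contains
    FLASHP~1, so a rule matching the long form "Adobe\\Flash Player" misses it.
    """
    p = normalise(data)
    return {
        "name": name,
        "user_writable": bool(USER_WRITABLE.match(p)),
        "system_binary_name": ntpath.basename(p) in SYSTEM_BINARIES,
        "short_name_path": bool(SHORT_NAME.search(p)),
    }


if __name__ == "__main__":
    print("relocated system binaries:", flag_processes(PROCESS_EVENTS))
    for base, pids in paired_copies(PROCESS_EVENTS).items():
        print(f"{base}: trusted {pids['trusted']} copy {pids['copy']}")
    print("run value:", flag_run_value(RUN_VALUE["name"], RUN_VALUE["data"]))
```

Over the report's records this flags PIDs 1664, 2844 and 1712, pairs each with its System32 original, and marks the Run value on all three counts. When hunting for the Run key on real hosts, query the value and compare its expanded form rather than grepping the raw string: the 8.3 components mean the same path can be stored in either form.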
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 67KB
  MD5: 767c75767b00ccfd41a547bb7b2adfff
  SHA1: 91890853a5476def402910e6507417d400c0d3cb
  SHA256: bd70e504871a2ac1c883d19b87970c8d1b8b251c784bf777ba77ed764f5f2395
  SHA512: f096043452a1aa213a5e4d62638de3ee4b0b3ad3d12b7ee0372d8c79e00e2e13b4fd0ebc4206bbdb5124bed292dd5b30ef1641288046ef835f89c332985154f9
- Filesize: 267KB
  MD5: e07858204845210b6f67b04fd69d5dfd
  SHA1: 0d79a6e50dc5c579b26825a171189c36f48e67ef
  SHA256: e77160f9a8af23cd09f9535184fec47078f7a76c049e152c395b858fabd1ad0d
  SHA512: ea7192d3886e01b4a9ff7feff866ed3d62c164c03a27b2a0ac5fc575ec273dd69b8128a3eef2fe3cb661dd2d7f785af922134c345eba136c8514c9334dcfacdf
- Filesize: 62KB
  MD5: dd4aff5307fbbf2b0cff9363ec608f02
  SHA1: 63a267b1c6acdedfd7dfcc526e3493909538e614
  SHA256: d17543c8a22146f1e9a520bf173f667520a566ad1e81e9bf4c361e3816b0413a
  SHA512: a1d5a51d804abc8f10b3de04799cedc2676f6385d8bac0e1b1d869a654f972881f32ca292706d37ce213336b6e292249023e3c1f9206afd8f3c5df5c20b5a37d
- Filesize: 107KB
  MD5: f2f2c9236757972919d937cec1ecd98d
  SHA1: 93b815ce93a8b2cdccb8b29ef447ea61bb51ce81
  SHA256: 57f9b6a01bb88737e9314f6ea4b3871269cf9dcd34dee51867549a2ced0f8507
  SHA512: 6800c345efe3054a10b7f105eac83e8c23c11d46ba65a5e8858a17914a1540bcf513c40a70f2aa62479e05f22ee13ead640e394e8548092aed073a7618893f61
- Filesize: 212KB
  MD5: 5e337a70c60cf4e0227bed0587e394bb
  SHA1: fa0635b9b68beefc33b1c9914ce01465c3479bf1
  SHA256: 85d2156a9c549a7e8130b9d95bc7ac29e7731edab93d9d9b03572da69ae3af61
  SHA512: 1e6a220dfe0e4490d1f945b9ebc645fcadc5cb5abf7f08dd7136f5d549241e3523cfa009712028909cbfb7de8b9eac05a3abc90fd2ad4ffe7c52280a9ba28bc3
- Filesize: 299KB
  MD5: ed17bfb811bbd973eb8e68f2ce1a3577
  SHA1: 12612dc723d00c7a63afc39df60b5f977cd142a3
  SHA256: 7ab208b039eb4c594b5e2388d528107410b7077336129dc4b930bf2f15f8dd15
  SHA512: 191a792479a97b4f3b1d12fabfa5a41fbf5c2050bfaf48b62aaa74ea5eec2d73da1c6994024ed953fd7a6272cfceead939fdc89d0fd7664bf806ac70c3db87b4
- Filesize: 192KB
  MD5: 99c81cf4a496f3f7c15675cfaa1084f2
  SHA1: edbf4ec02cc5d1a351c0e375939ac7260b2875b1
  SHA256: b85a848ff829930b536938563100fb26eefc38aa09efef3b7a9cee0bea94a2a3
  SHA512: 7f3fef3b41d5b4dceb54c8aeb10d8e0099547043d2f8a38a325c41dbeb581fe0d488bdf766ce0026bf98a9e76ce520a38740a3622c2a931fad427f202fdbc523
- Filesize: 26KB
  MD5: ed7b90e5848238dab736e50693bc7861
  SHA1: 9aaf8a80dcefbb1bf7021526cf1591394f36dc39
  SHA256: 007c48b87e41be8cbc9697c10abc111716c8e87ed65583edb6a92e050a783eee
  SHA512: 8911fa5308ac82687b26023bfb458b3233a67adda9eea17fb8e472e591936fe539e860d952b304b2a92e774c239fc5247d0fd381039b1f4552a1d57b5cd712d4
- Filesize: 9KB
  MD5: 391b327bc982d40baf2f1e125f230c1f
  SHA1: f1e508f3d14f44a5fd2e692c31988c7b416a58b2
  SHA256: ed55034a0ea2b67f1948905a0f79adcb8368dc8539f7d5f9008466e5fb9f29fd
  SHA512: 4d3e71cd6c340ecbaf95f4433554ab41bb0d0aad8dfc8c910c299c67dc038ae50dcb03c1b3554f5495f587917010e25e3f163f1b2be093fd623bce3fbf645e4b
- Filesize: 2.0MB
  MD5: 1901dbef283abf9de000cc1fb8ff6858
  SHA1: 23af6d74c3fdea5396fb9abb0c73a699b44d1832
  SHA256: 9bee9d7bd8bac17443340a7a4beb3f29ee81ecf7d52eb69ae02d14cbe97d1b0f
  SHA512: 4aa4df2e371ed81bef3d76446af25806c737ede95b6ccc205d2a64172072d83b5350bfcd09a69177723ffdb9ac88bd151580fe6718c22c7488da7b337b2632fc
- Filesize: 1KB
  MD5: 8a60736349bdcfdcc152136d6aed71bd
  SHA1: 5cc6c138836ace26a6bba30c80f03ab07fd71ac4
  SHA256: ef49f17f0ccf2dfb4cd04d508ecb2ef63e9a1181f83d640560e1b9646210fcbe
  SHA512: 2b956b42aa79dd7b15b5ae26bf76e617108c28e51873c8cfeed61cec1ffe125c8166e2a0d108ceaacd3ef0c2378d7024b10235f1d71cc9b2b79def01d592062f
- Filesize: 2.0MB
  MD5: 99eb6ccd39d5985c94ef90d6eac3d4e9
  SHA1: 8d6e7227c55fac5c604a06a337d671cbf168906a
  SHA256: aa02869970cdee8a0744c9da2f45d87acb868929241f7f3c245ea1a53a3bc575
  SHA512: 2377e15136b5c52dd394433b036123e68c6c21b661762f2b20edced0d5491e9928168a5615e28d350ef1388534b7be41f172e63852f13528be1e947a76a339a9
- Filesize: 2.0MB
  MD5: bff0ec3d31c16c6146034b25d0bbd48a
  SHA1: 79ff181c2ae88a3708334b426105dd59f446cb46
  SHA256: f104fdf6052e4e0bef6adc14dc7c9f32e8077598419afdbed7c21551c87a61fb
  SHA512: 84f3694ed92e2a8e2fb1cb03379f057b2d40bccb5d32ff9a79d2dd86046c9f8ee8eaca990fcad4611dfe32daa7461560bfc9f80652bc710e1304f7dae4514ca3
- Filesize: 268KB
  MD5: e2d71330c89a6614be16a986455e4e14
  SHA1: 467b72da16532707892cc3fb0db29d790b997156
  SHA256: 2e366232cfc006093bce3e9a9df813779aa49ccca9a55621c07768f10446fa7c
  SHA512: 508e48f75a06c34b0699e6f4117b09dffdd68482058fbe460f0c2330b59d13160998c015d9491d90f74d383aaf302257b57fcc1ffd770ef85db54db49831fb29
- Filesize: 668KB
  MD5: 3d074088395502aebb8fcae47a0e51b7
  SHA1: fc7272b5e7d609e909f58010774ea507768f5499
  SHA256: 9bdb22866fa2a398c21fdba7c3e68ee2ff7006ded224f68948618558122f77da
  SHA512: b45202ffc0c22fe471e3455fe642a038d8016ffba1d266e6212670322914a7f3e3de8e136288c08e1075e34904ed48e2c291c07f15ee60ac1ac79e0173b4eed2
- Filesize: 162KB
  MD5: edcb85cac2d68fb9d1f1e7d11d609767
  SHA1: 01d5fd64707fb339c7443bc46db576b084a157cf
  SHA256: e8cc0e80627458de060ffcab82b81371c931c697fbcc38a6f5cf37e4d4e43e69
  SHA512: d6f6071399fb9729f2f51c75e08b341af3a2906264a7b7c3c7164b9283474e158ba09d7ccf2f018d42fe87bff023589f942f9ded73e4be6bdfd00a2c985a93dc
- Filesize: 304KB
  MD5: c6891385852a00edce28a47f02ade7ba
  SHA1: 865c266e0742d206eebd9fb5cdb38d6b2a425c00
  SHA256: b05fad7dd31d3a7621c9941698ccf186f2195401eef1683c9eefc1fe6ffb3598
  SHA512: 9dbb59ae37b041be482523939659acf32301a40c42c814c2b3960bf8e195ce9cc68c2612c667d05729a29aaef1a341d015311df94f24049637f926de91045ce2
- Filesize: 1KB
  MD5: ca9c7773818844fad518af7cb09a79d8
  SHA1: 65d2f9a254f4ea74c123c5ae6e358b099165aef9
  SHA256: 6fc660a671b0537486209e029e8220c470c318dde976dbe98905df44b19eaebf
  SHA512: b614f76435fe50cd6af2839416b361ffae7ad4fd123507a1d92cb7dbab36736bdd8e9b8dfd77f656958caa6a5d2901dc747867ea11a8d33570102e7a307c1759
- Filesize: 53KB
  MD5: 8b983c4a7034807392eb6d6750e51e77
  SHA1: a6878f8c8b3677dbe76ba4e96e59de3eb107a28b
  SHA256: 6915ad8ea73b50da494129a9fc9ddc9723ce0d04139cf72c4c359224696fc5f9
  SHA512: 865e7a25a6c878a8dfc0ddfb1a206e6be99952f45f45d44665bc2e2979d012ed727efecfdec9ef49f3eae3d934a06425cca68bd5cc69582d1c435fac207d5f98