Analysis
max time kernel: 150s
max time network: 124s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 23-01-2024 19:52
Static task: static1
Behavioral task: behavioral1
Sample: 706c428f1cdf3c4e2003ba9c1a54b608.dll
Resource: win7-20231215-en
General
Target: 706c428f1cdf3c4e2003ba9c1a54b608.dll
Size: 1.4MB
MD5: 706c428f1cdf3c4e2003ba9c1a54b608
SHA1: 3b476cac8210f67bbca4ba8a89216f169c977883
SHA256: 22cfa40d7e29bf79dc313aa90b86ea3a7716d0a95e553cfe8d112098645a039b
SHA512: f2ae94b7dd481354bba7e05cc2af08e8e99f81ec960f70e128657476b28b6645dea26e02e5c702a7e8f3a75aec403767f5fe9e35796b03a354dbe1fde6b5cc26
SSDEEP: 12288:7VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:afP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
-
Processes:
resource | yara_rule
behavioral1/memory/1224-5-0x00000000025B0000-0x00000000025B1000-memory.dmp | dridex_stager_shellcode
-
Executes dropped EXE 3 IoCs
Processes:
pid | process
2580 | msdt.exe
272 | javaws.exe
2428 | OptionalFeatures.exe
-
Loads dropped DLL 7 IoCs
Processes:
pid | process
1224 | (process not named in the report)
2580 | msdt.exe
1224 | (process not named in the report)
272 | javaws.exe
1224 | (process not named in the report)
2428 | OptionalFeatures.exe
1224 | (process not named in the report)
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\Lgpbj = "C:\\Users\\Admin\\AppData\\Roaming\\MACROM~1\\FLASHP~1\\MACROM~1.COM\\aLC1Q\\javaws.exe" | (process not named in the report)
-
Checks whether UAC is enabled
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | msdt.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | javaws.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | OptionalFeatures.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process | entries
2092 | rundll32.exe | 3
1224 | (process not named in the report) | 61
-
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
description | pid | process | target process | entries
PID 1224 wrote to memory of 2336 | 1224 | (not named) | msdt.exe | 3
PID 1224 wrote to memory of 2580 | 1224 | (not named) | msdt.exe | 3
PID 1224 wrote to memory of 572 | 1224 | (not named) | javaws.exe | 3
PID 1224 wrote to memory of 272 | 1224 | (not named) | javaws.exe | 3
PID 1224 wrote to memory of 2948 | 1224 | (not named) | OptionalFeatures.exe | 3
PID 1224 wrote to memory of 2428 | 1224 | (not named) | OptionalFeatures.exe | 3
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\rundll32.exe
Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\706c428f1cdf3c4e2003ba9c1a54b608.dll,#1
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID: 2092
-
C:\Windows\system32\msdt.exe
Command line: C:\Windows\system32\msdt.exe
PID: 2336
-
C:\Users\Admin\AppData\Local\ocD\msdt.exe
Command line: C:\Users\Admin\AppData\Local\ocD\msdt.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID: 2580
-
C:\Windows\system32\javaws.exe
Command line: C:\Windows\system32\javaws.exe
PID: 572
-
C:\Users\Admin\AppData\Local\iOo\javaws.exe
Command line: C:\Users\Admin\AppData\Local\iOo\javaws.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID: 272
-
C:\Windows\system32\OptionalFeatures.exe
Command line: C:\Windows\system32\OptionalFeatures.exe
PID: 2948
-
C:\Users\Admin\AppData\Local\xgBL\OptionalFeatures.exe
Command line: C:\Users\Admin\AppData\Local\xgBL\OptionalFeatures.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID: 2428

All seven entries sit at the top level of the tree. The parent that the signatures identify, PID 1224, which writes into each of these processes and is listed for every dropped-DLL load, is not shown in the tree and is not named anywhere in the report. Each Windows binary is started once from C:\Windows\system32 and then again from a copy in a freshly named directory under C:\Users\Admin\AppData\Local, where it is flagged for loading a dropped DLL; the Run key above points at a further copy of javaws.exe under AppData\Roaming.
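The process tree and the Run-key IoC above describe one detectable pattern: a Windows binary name (msdt.exe, javaws.exe, OptionalFeatures.exe) executing from a user-writable AppData directory, and a Run value pointing at such a copy. The hunt below is an added example, not part of the sandbox report; it takes process-start records and Run values as input, derives the set of Windows binary names from images seen under the Windows directory, and flags both the side-loading copies and the persistence entry. The sample inputs are the PIDs and paths copied from this report plus one constructed benign Run value (OneDrive) for contrast; the regexes, function names and the AppData-only notion of "user-writable" are my own assumptions.

```python
import re

# Constructed sample input: PIDs and image paths copied from the process tree
# in this report, the Run value exactly as the report prints it (a quoted
# string with doubled backslashes), and one benign Run value made up for
# contrast.
PROCESS_EVENTS = [
    (2092, r"C:\Windows\system32\rundll32.exe"),
    (2336, r"C:\Windows\system32\msdt.exe"),
    (2580, r"C:\Users\Admin\AppData\Local\ocD\msdt.exe"),
    (572, r"C:\Windows\system32\javaws.exe"),
    (272, r"C:\Users\Admin\AppData\Local\iOo\javaws.exe"),
    (2948, r"C:\Windows\system32\OptionalFeatures.exe"),
    (2428, r"C:\Users\Admin\AppData\Local\xgBL\OptionalFeatures.exe"),
]
RUN_KEY_VALUES = {
    "Lgpbj": r'"C:\\Users\\Admin\\AppData\\Roaming\\MACROM~1\\FLASHP~1\\MACROM~1.COM\\aLC1Q\\javaws.exe"',
    "OneDrive": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',  # constructed, benign
}

# Assumption: "user-writable" is kept as narrow as what the report shows
# (AppData Local and Roaming). Widen to ProgramData, Temp, etc. as needed.
WINDOWS_DIR = re.compile(r"^[a-z]:\\windows\\")
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\(local|roaming)\\")


def normalize(path: str) -> str:
    """Collapse doubled backslashes (registry and report exports escape them)
    and lower-case, since NTFS paths compare case-insensitively."""
    return path.replace("\\\\", "\\").lower()


def basename(path: str) -> str:
    return normalize(path).rsplit("\\", 1)[-1]


def is_user_writable(path: str) -> bool:
    return USER_WRITABLE.match(normalize(path)) is not None


def system_binary_names(events) -> set:
    """File names of executables observed running from the Windows directory
    in the same event set. A static allowlist of Windows binaries works too."""
    return {basename(p) for _, p in events if WINDOWS_DIR.match(normalize(p))}


def find_masqueraded_system_binaries(events) -> list:
    """Events where a Windows binary's file name runs from a user-writable
    directory: the side-loading copies under AppData in this report."""
    names = system_binary_names(events)
    return [(pid, path) for pid, path in events
            if basename(path) in names and is_user_writable(path)]


def image_from_run_value(value: str) -> str:
    """Pull the executable path out of a Run value: the quoted path if the
    value is quoted, otherwise the first whitespace-delimited token."""
    v = value.strip()
    if v.startswith('"'):
        end = v.find('"', 1)
        return v[1:end] if end > 0 else v[1:]
    return v.split(" ", 1)[0]


def find_suspicious_run_values(run_values, system_names) -> dict:
    """Run values whose target carries a Windows binary name but lives under
    a user-writable directory. Returns {value_name: normalized_image}."""
    hits = {}
    for name, value in run_values.items():
        image = image_from_run_value(value)
        if basename(image) in system_names and is_user_writable(image):
            hits[name] = normalize(image)
    return hits


if __name__ == "__main__":
    for pid, path in find_masqueraded_system_binaries(PROCESS_EVENTS):
        print(f"side-load candidate  pid={pid}  image={path}")
    names = system_binary_names(PROCESS_EVENTS)
    for value_name, image in find_suspicious_run_values(RUN_KEY_VALUES, names).items():
        print(f"persistence  Run\\{value_name} -> {image}")
```

Deriving the binary-name set from the same telemetry (rather than a fixed list) is what lets the rule fire on javaws.exe, which is not a stock System32 binary but was present there in this sandbox image; in production, a curated allowlist of Windows binaries plus a signature check on the AppData copy is the stronger form of the same check.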
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 1.4MB
MD5: 1daa5a9cbf5d3861c7b982d87207511d
SHA1: 5701d227804ff5609d0b8e8a84588f2d37ed6c1f
SHA256: 73671aac3e08e4e6f59b324a5e17c39a13df4a8ce8b3bfc9ccc44f230b9bb5df
SHA512: 6d80e531350f1088ed601a7f48b87d64fb5c97170c91796776d922da3f8bbd5e6b5c9636d884da808a170a4e8e60924571ac27a08796d4f48993d75be2462bf8
-
Filesize: 1.0MB
MD5: aecb7b09566b1f83f61d5a4b44ae9c7e
SHA1: 3a4a2338c6b5ac833dc87497e04fe89c5481e289
SHA256: fbdbe7a2027cab237c4635ef71c1a93cf7afc4b79d56b63a119b7f8e3029ccf5
SHA512: 6e14200262e0729ebcab2226c3eac729ab5af2a4c6f4f9c3e2950cc203387d9a0a447cf38665c724d4397353931fd10064dc067e043a3579538a6144e33e4746
-
Filesize: 1.4MB
MD5: 213392b3514791546c9366ef10d1af20
SHA1: 5c3353c4bdd2ff7abe33fe0b792e1e3c3a073fee
SHA256: 7a9c0f847ee198084e949537b3dbb1f35f16b01bfe1687238044ddece6d6cbc0
SHA512: 64a85f11cd562250bb80200b7458516a6911c10d2b3d576c647d9cdf67b57a685033d296ab0d233c165f53f3d08bb14c21bd8533145ce0f8ab63e64879fcf7c4
-
Filesize: 95KB
MD5: eae7af6084667c8f05412ddf096167fc
SHA1: 0dbe8aba001447030e48e8ad5466fd23481e6140
SHA256: 01feebd3aca961f31ba4eac45347b105d1c5772627b08f5538047721b61ff9bc
SHA512: 172a8accaa35a6c9f86713a330c5899dfeeffe3b43413a3d276fc16d45cd62ed9237aa6bff29cc60a2022fba8dcc156959723c041df4b7463436a3bdabef2a9d
-
Filesize: 1KB
MD5: 56258109373a1e7d9ebaa8691415f131
SHA1: ba239640bca22de27fca669bc3a080e7504fd800
SHA256: 255d18eb1d8849d1f72b1c830348a4aaf7f8e19730443667f444214d91f98aed
SHA512: d63a013fc950161af12f96d192fe3949f5a9e7a95a025dabcdb12934fb14a181a4154f0ffd669f868125a1340a62158a2f5cc7c178a63e32436d55c99c8e4145
-
Filesize: 312KB
MD5: f94bc1a70c942621c4279236df284e04
SHA1: 8f46d89c7db415a7f48ccd638963028f63df4e4f
SHA256: be9f8986a6c86d9f77978105d48b59eebfec3b9732dbf19e0f3d48bf7f20120c
SHA512: 60edf20ca3cae9802263446af266568d0b5e0692eddcfcfc3b2f9a39327b3184613ca994460b919d17a6edc5936b4da16d9033f5138bcfd9bc0f09d88c8dcd52
-
Filesize: 1.4MB
MD5: acf818af83b1ea00392f2ce293d203fc
SHA1: 6f84de0e100e154d1271fed79fb09c4eb945f3e1
SHA256: ac4c5b95e1c9faebff642e5da2616cac5879133d7d4aeb54977c27047ee19c27
SHA512: f6112e46825c897dc4ef2d7c27cd3086f58c826b5fe695e7e646d5d7f677dcf1536292b57a4f9ceaa9a2802a7375021466904584c0facb08073694bdcfec0bd1