Analysis

max time kernel: 149s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-01-2024 08:16
Static task: static1
Behavioral task: behavioral1
Sample: 71bb36f4bcc6b93c90c000f353db7173.dll
Resource: win7-20231215-en
General

Target: 71bb36f4bcc6b93c90c000f353db7173.dll
Size: 1.6MB
MD5: 71bb36f4bcc6b93c90c000f353db7173
SHA1: 4089e571bfda56a10036636485e1113cfb5fe669
SHA256: bad6364c6a3a60c2e7982bb223a06f05ec95abf264dc500f75d2454642d84034
SHA512: 7845c3f5a2e5c78251e2accc1a0be49c9e0d6b3c85231bd417b2e806048e62389bb2d6088a6909f39e1573daf455f9cec629d98d9c0f02ab41099c5f96317615
SSDEEP: 12288:QVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:VfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
YARA rule match 1 IoCs
resource: behavioral2/memory/3568-4-0x0000000007E40000-0x0000000007E41000-memory.dmp
yara_rule: dridex_stager_shellcode
Executes dropped EXE 3 IoCs
pid   process
216   mblctr.exe
1376  ApplySettingsTemplateCatalog.exe
4252  DevicePairingWizard.exe

Loads dropped DLL 3 IoCs
pid   process
216   mblctr.exe
1376  ApplySettingsTemplateCatalog.exe
4252  DevicePairingWizard.exe
Adds Run key to start application 2 TTPs 1 IoCs
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mmiwstgfcubwacq = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\bf\\ApplySettingsTemplateCatalog.exe"
process: (not recorded by the sandbox)

Note that the persisted path (Roaming\Microsoft\Windows\Themes\bf\) differs from the directory the dropped ApplySettingsTemplateCatalog.exe executed from during this run (AppData\Local\wIzru6PhH\), so a further staged copy of the host binary and its DLL should be expected there on an infected machine.
Checks whether UAC is enabled 4 IoCs
description        ioc                                                                                   process
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  DevicePairingWizard.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  mblctr.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  ApplySettingsTemplateCatalog.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid   process                        events
4104  rundll32.exe                   4
3568  (no image name reported)       60

Suspicious use of FindShellTrayWindow 2 IoCs
pid   process
3568  (no image name reported), 2 events

Suspicious use of UnmapMainImage 1 IoCs
pid   process
3568  (no image name reported)

Suspicious use of WriteProcessMemory 12 IoCs
source pid  target pid  target process                    events
3568        4224        mblctr.exe                        2
3568        216         mblctr.exe                        2
3568        3128        ApplySettingsTemplateCatalog.exe  2
3568        1376        ApplySettingsTemplateCatalog.exe  2
3568        2416        DevicePairingWizard.exe           2
3568        4252        DevicePairingWizard.exe           2

PID 3568 is the process whose memory matched dridex_stager_shellcode and the source of every cross-process write above, yet it does not appear in the process tree below and the sandbox resolves no image name for it. When reproducing this in a lab, identify that process first: it is where the injected stager runs, not rundll32.exe.
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\71bb36f4bcc6b93c90c000f353db7173.dll,#1
  PID: 4104
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses

C:\Windows\system32\mblctr.exe
  command line: C:\Windows\system32\mblctr.exe
  PID: 4224

C:\Users\Admin\AppData\Local\fyoiHUH\mblctr.exe
  command line: C:\Users\Admin\AppData\Local\fyoiHUH\mblctr.exe
  PID: 216
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled

C:\Windows\system32\ApplySettingsTemplateCatalog.exe
  command line: C:\Windows\system32\ApplySettingsTemplateCatalog.exe
  PID: 3128

C:\Users\Admin\AppData\Local\wIzru6PhH\ApplySettingsTemplateCatalog.exe
  command line: C:\Users\Admin\AppData\Local\wIzru6PhH\ApplySettingsTemplateCatalog.exe
  PID: 1376
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled

C:\Windows\system32\DevicePairingWizard.exe
  command line: C:\Windows\system32\DevicePairingWizard.exe
  PID: 2416

C:\Users\Admin\AppData\Local\V6ALARLt\DevicePairingWizard.exe
  command line: C:\Users\Admin\AppData\Local\V6ALARLt\DevicePairingWizard.exe
  PID: 4252
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled

Pattern: each of the three System32 binaries runs once from its original location and once as a dropped copy from a random-named directory under AppData\Local, where it loads a dropped DLL. That is the DLL search-order hijacking (side-loading) layout Dridex loaders use: a signed Microsoft binary is copied next to a malicious DLL bearing the name of one of its imports, and the three 1.6MB DLLs in the Downloads list below match the size of the submitted sample. The sample itself was started through rundll32.exe by ordinal export #1 from the user's Temp directory.
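Hunting logic for the behaviours above, as an added example rather than anything taken from the sandbox or the sample: given process-creation, registry-set and cross-process-write events, it flags a known System32 image name running from a directory outside System32/SysWOW64, rundll32.exe loading a DLL from a user-profile path, a Run-key value pointing into a user-writable directory, and one PID writing into many others. The events are constructed from this report's process tree and IoC tables; the event field names are an assumption loosely modelled on Sysmon, not a real Sysmon export.

```python
"""Hunt for the side-loading / injection pattern recorded in this report.

Added example, not sandbox output or Dridex code. EVENTS is constructed
from the report's process tree, Run-key IoC and WriteProcessMemory table;
the field names are an assumption modelled loosely on Sysmon events.
"""
import json
import re
from collections import defaultdict

# System32 binaries the sample copied next to its payload DLL (from the report).
SIDELOAD_HOSTS = {"mblctr.exe", "applysettingstemplatecatalog.exe",
                  "devicepairingwizard.exe"}
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\", re.I)
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)
DLL_ARG = re.compile(r"([a-z]:\\[^\s,]+\.dll)", re.I)

SID = "S-1-5-21-1232405761-1209240240-3206092754-1000"
EVENTS = [  # constructed; PIDs and paths copied from the report
    {"type": "process", "pid": 4104, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\71bb36f4bcc6b93c90c000f353db7173.dll,#1"},
    {"type": "process", "pid": 4224, "image": r"C:\Windows\system32\mblctr.exe", "cmdline": ""},
    {"type": "process", "pid": 216, "image": r"C:\Users\Admin\AppData\Local\fyoiHUH\mblctr.exe", "cmdline": ""},
    {"type": "process", "pid": 3128, "image": r"C:\Windows\system32\ApplySettingsTemplateCatalog.exe", "cmdline": ""},
    {"type": "process", "pid": 1376, "image": r"C:\Users\Admin\AppData\Local\wIzru6PhH\ApplySettingsTemplateCatalog.exe", "cmdline": ""},
    {"type": "process", "pid": 2416, "image": r"C:\Windows\system32\DevicePairingWizard.exe", "cmdline": ""},
    {"type": "process", "pid": 4252, "image": r"C:\Users\Admin\AppData\Local\V6ALARLt\DevicePairingWizard.exe", "cmdline": ""},
    # The report leaves the writing process blank for this key, so no pid here.
    {"type": "registry",
     "key": rf"\REGISTRY\USER\{SID}\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mmiwstgfcubwacq",
     "value": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\bf\ApplySettingsTemplateCatalog.exe"},
] + [  # one entry per target; the report records each write twice
    {"type": "procmem", "source": 3568, "target": t} for t in (4224, 216, 3128, 1376, 2416, 4252)
]


def relocated_system_binary(ev):
    """Known System32 image name executing from outside System32/SysWOW64."""
    if ev.get("type") != "process":
        return False
    image = ev["image"].lower()
    name = image.rsplit("\\", 1)[-1]
    return name in SIDELOAD_HOSTS and not image.startswith(TRUSTED_DIRS)


def rundll32_user_dll(ev):
    """rundll32.exe invoked on a DLL that lives under a user profile path."""
    if ev.get("type") != "process" or not ev["image"].lower().endswith("\\rundll32.exe"):
        return False
    m = DLL_ARG.search(ev.get("cmdline", ""))
    return bool(m and USER_WRITABLE.match(m.group(1).lower()))


def run_key_to_user_path(ev):
    """Run-key value whose target executable sits in a user-writable directory."""
    if ev.get("type") != "registry":
        return False
    return bool(RUN_KEY.search(ev["key"]) and USER_WRITABLE.match(ev["value"].lower()))


def write_fanout(events, min_targets=3):
    """Sources of cross-process writes that touched at least min_targets distinct PIDs."""
    targets = defaultdict(set)
    for ev in events:
        if ev.get("type") == "procmem":
            targets[ev["source"]].add(ev["target"])
    return {src: sorted(t) for src, t in targets.items() if len(t) >= min_targets}


def hunt(events):
    """Run every check and return the matching PIDs / value names."""
    return {
        "relocated_system_binary": sorted(ev["pid"] for ev in events if relocated_system_binary(ev)),
        "rundll32_user_dll": sorted(ev["pid"] for ev in events if rundll32_user_dll(ev)),
        "run_key_to_user_path": [ev["key"].rsplit("\\", 1)[-1] for ev in events if run_key_to_user_path(ev)],
        "write_fanout": write_fanout(events),
    }


if __name__ == "__main__":
    print(json.dumps(hunt(EVENTS), indent=2))
```

To use this against real telemetry, map Sysmon or EDR fields into the same dictionaries and extend SIDELOAD_HOSTS with whatever System32 names you see relocated; the three binaries chosen in this run are not fixed across Dridex samples, whereas the structural pattern (System32 name, non-System32 path, sibling DLL) is.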
Network
MITRE ATT&CK Enterprise v15
Downloads

Three of the dropped files are 1.6MB, the same size as the submitted sample; the one whose path was recorded (MFC42u.dll) is named after an MFC runtime DLL, consistent with the side-loading layout seen in the process tree.

- Filesize: 93KB
  MD5: d0e40a5a0c7dad2d6e5040d7fbc37533
  SHA1: b0eabbd37a97a1abcd90bd56394f5c45585699eb
  SHA256: 2adaf3a5d3fde149626e3fef0e943c7029a135c04688acf357b2d8d04c81981b
  SHA512: 1191c2efcadd53b74d085612025c44b6cd54dd69493632950e30ada650d5ed79e3468c138f389cd3bc21ea103059a63eb38d9d919a62d932a38830c93f57731f

- Filesize: 132KB
  MD5: 169fc68af57622948b8add9a2787d7d6
  SHA1: f234c1bfb534f386507dd18731aab216c0e6aab4
  SHA256: 3a6c128699383137586ae8a96f422e0d352f04e68b46d123dfce3eb8268b6663
  SHA512: 6af9d390591074393fd4b7a7894db8c66033f6e7f8420b16d9a756f439e3dd49ba299c7c8b52e956d64d827b7ab62dfa04e90454364b203ea46758dbd9f2b1e9

- Filesize: 248KB
  MD5: 03559cfcb23cce149625e1d45e7cfacc
  SHA1: 70982f958a8ee4392eb8f315a8c62830855df35f
  SHA256: 0110f5826d6892311cd8bf1966d6e985e73ad2481097fbd0a7a38063360075ad
  SHA512: 8226e3a50990202545e6dc40d4d9aaf1d754bd1bc141c172aa4f0e159eaf1541647bb08687e10e0ce825276c3b317bda2f587288b863a7271c2259de5fbdde75

- Filesize: 40KB
  MD5: 8d6dad690a9bfaa023cef1efa56d66db
  SHA1: e2246baf53d7ec696d3d955aacb153b96b54b16f
  SHA256: 60574a54197367fcadfbc37ee2e791ac6753b93a3a3f57e4d656994fa978ab1d
  SHA512: b1c51970bd92886eb3f8375f0ca23c79d2c3b06935468b8c122bb47f6dbd836d54726ba566a8224f9c7f0fa24a1f409a4f03fc3e76fd99c91c3eabf2497c9a87

- Filesize: 14KB
  MD5: d9d5686b623ebd5e502552beab13e1b7
  SHA1: b07c6e788fe8c2f1e70b4a199d032808e5210aa2
  SHA256: 51e01f2dbc21d193e6b57b563df2db001a643a4d2174a3e89d6e3da1c5ae73cf
  SHA512: 022d4ca4c39a329db2d8b8328871944db9ed0d4d1f14e2dc6861044abaf9b596d619d065352bea4139eb1cd703eb9baa301e020edae310035fb5a2781c477096

- Filesize: 61KB
  MD5: ebb094ee735e2148f70944bc99aa988d
  SHA1: 7b4d94e3487815ecfce0f95c1b1e6f3086c0a04c
  SHA256: c92529afbf01d9a0ef45d50a7d8c52a4ef051e29e2c2e22b12d713edd12bb40d
  SHA512: e61faba18a213088a1f0fdf2de1353fb669a8ccec20cec2b6b5ef06d0995290da7f22f9bf5bfbd577b4cbcf144cf7e37f142a1c8fc2131c32dee7494d343ee3c

- Filesize: 1KB
  MD5: ca27c46cfde45c526bfc7468ebc176bc
  SHA1: b9627d4aec68c9335407c6fbb722630a5c7f996f
  SHA256: 2e59635834b06ea3b71078a1c3014e5025be0c35cb5744213d710ccf0cc1317b
  SHA512: 4995c5f66c2cff918f0cd2602344b6d62078c43530d4bae804ced30a79319a4e37108401d8317c5565c792c446b3774e7acd887717aa6182070c0e19e6cdc0aa

- Filesize: 98KB
  MD5: 12aea8f25b78db5cae16b0898f2d6168
  SHA1: 1dcf592b8fd961d418b1c212ebcbef96f761356b
  SHA256: acf4312f9d5ee67bca9919b63082c419dc6ca1da6377a7fe857189be9239d0c4
  SHA512: f300cc05a6eacdcbc4294b6197bffe1d8d6d0670eeec8db5751853a14ab2c141c526d31c9d298b43fffbdc7ac9cdd0ac283a9be713a7f2abae16a8e6c9644ad2

- Filesize: 1KB
  MD5: 722386c8c9297b09a2e9d94a45503ec0
  SHA1: 9c475333698ce74b43f73602ae759f24a75e6e4a
  SHA256: 2c73b547df5401a307eb8de97a64645ea7aad583f3b0b7529adccb4385b01676
  SHA512: 17eba0cfb595e008caf9908d8c53a76c1765f295fe957c186c0b867248c95ac3c8ca847d44f1e5c7a14a3b5ab48d147c3acc02b1e653bac50eb9b6e1ad91bc7d

- Filesize: 149KB
  MD5: 03b685b3b5cc75961c104348158f4da4
  SHA1: 48e9151614630f960956eec156c62a44f868a385
  SHA256: e640ef8e5fb077d36af548e25d532de52188bfd4b268b3bb96b427e75d5886d4
  SHA512: 461a12aa73c5809088ce990573682316c12023b3b08332be05c0fb6e7e0341460cc5bcd651cf226fff0a522a0a6f3197f4ba9db48e0c25b1588a89814dc974a4

- Filesize: 57KB
  MD5: 61af8973de81bdd904335d887206f0e9
  SHA1: 441eb9dd71368d7d1df1fc8a531a7fd9c69bae77
  SHA256: f01c9ce442b4aa439a84954c14b735a347ff51b4337fedbd9e13ff2ad1577f06
  SHA512: a4f86afdb49f987d7edae9ffa8bae3d517836822b711e33e4d27664d1e841ebbf8a2336397837485be54dc0df68c4f844c569ab58808c067cbcc7ad392c9801c

- Filesize: 1KB
  MD5: a3bb3cd635636283e53adc5a7de6446d
  SHA1: 437514f9b89b006ce969df23930e3a9f84db64da
  SHA256: d93ad0d17e76d89ae7300106d029ce3c53b1a7ffb6e33f5cd6d67586c269a464
  SHA512: 23f3f984ebca5ffcc9a5003deaa567945a6075d3f30fbe06ffdff15d4cc7e5d40184168b3b79c485e84c799670891983c8fe21f2972337209c213e70cdf62285

- Path: C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\5lcAp0\MFC42u.dll
  Filesize: 1.6MB
  MD5: 1036b97b23e0cf6eb216734c275110e5
  SHA1: 8dd74e54c975a5c172e9e0636eb4e84f6485f491
  SHA256: ca5d649a82e516738cb4d8ff1ff94fcd46b2157cc1c70711b062e2959c009a97
  SHA512: c3a7acd27ee15341da17bc7a20235fea7fa93c129a120f5cc1f777926d5b9ecf9f2dd4d238e8ca55d7abaf4ccd78bcc56971651a8db952fbdaff7fc8b5b5083d

- Filesize: 1.6MB
  MD5: facb62c12ac78217a8a63bad5870ce9d
  SHA1: 5721b62dfc1058096afb1162f35a460fd802127a
  SHA256: dfe1f64e671e3961c8bc96155e188ed25cc745837cd3a140782ab0a9be416983
  SHA512: 976c42145dc6634b4b4a58c64706b0dc27fb1f0c3799af572b9609a8d081094ea443feed8355a72d7e1007b1c8138e44ed114ed5508fcd0b42e5575b3f4b70cd

- Filesize: 1.6MB
  MD5: be745c43d1e5fcda08db22902047c7f0
  SHA1: f55b67bb848a035e277c1bba433a046a74f4b789
  SHA256: 97a0124b2ff29ef23aaf57002525c62e6cf92c0b618dc0accafc56079b269d99
  SHA512: 57417bfe61fa76e33f632426be697fb6a2644f1c2930e112d4982eabd3ab916f31197e419d6b67ac5a35eb038fa2d7fa7ee57037fb6062217fc6346bbb921704