Analysis
- max time kernel: 149s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 26-01-2024 06:47
Static task: static1
Behavioral task: behavioral1
Sample: 76ab58fddc3a0bfc0befb9c1840e58c0.dll
Resource: win7-20231215-en
General
- Target: 76ab58fddc3a0bfc0befb9c1840e58c0.dll
- Size: 2.0MB
- MD5: 76ab58fddc3a0bfc0befb9c1840e58c0
- SHA1: af815a39e30a201a65f0669e7b957072e57939de
- SHA256: 1476d58e91f48e2f1a549b08316ea6a465b85edd954d01b4d33a8c86ac56898e
- SHA512: c14eec86c7ac0a9a869b559e7078326cf11961d9252f2075acc55263494e2ae1c0263f491fc018f8c8482023904a9656806f3bb71aeb682faffb09321f0e971c
- SSDEEP: 12288:2VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:rfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
Processes (resource, yara_rule):
- behavioral1/memory/1136-5-0x0000000002E20000-0x0000000002E21000-memory.dmp: dridex_stager_shellcode
Executes dropped EXE 3 IoCs
Processes (pid, process):
- 2644 cttune.exe
- 2544 winlogon.exe
- 2096 mblctr.exe
Loads dropped DLL 7 IoCs
Processes (pid, process; PID 1136 has no process name recorded in the report):
- 1136
- 2644 cttune.exe
- 1136
- 2544 winlogon.exe
- 1136
- 2096 mblctr.exe
- 1136
Adds Run key to start application 2 TTPs 1 IoCs
Processes (description, ioc, process):
- Set value (str): \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rtxtioiynm = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\IEDownloadHistory\\lO47FAabQ\\winlogon.exe" (no process name recorded)
Checks whether UAC is enabled
Processes (description, ioc, process):
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA, rundll32.exe
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA, cttune.exe
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA, winlogon.exe
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA, mblctr.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (pid, process):
- 3012 rundll32.exe (3 entries)
- 1136, no process name recorded (the remaining 61 entries)
Suspicious use of WriteProcessMemory 18 IoCs
Processes (description, pid, process, target process); each entry appears three times in the report, and the process column for PID 1136 is empty:
- PID 1136 wrote to memory of 2616, 1136, cttune.exe
- PID 1136 wrote to memory of 2644, 1136, cttune.exe
- PID 1136 wrote to memory of 844, 1136, winlogon.exe
- PID 1136 wrote to memory of 2544, 1136, winlogon.exe
- PID 1136 wrote to memory of 2128, 1136, mblctr.exe
- PID 1136 wrote to memory of 2096, 1136, mblctr.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (all entries are top-level in the tree)
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\76ab58fddc3a0bfc0befb9c1840e58c0.dll,#1
  PID: 3012
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\cttune.exe
  Command line: C:\Windows\system32\cttune.exe
  PID: 2616
- C:\Users\Admin\AppData\Local\TiX\cttune.exe
  Command line: C:\Users\Admin\AppData\Local\TiX\cttune.exe
  PID: 2644
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Users\Admin\AppData\Local\jA2dBf8\winlogon.exe
  Command line: C:\Users\Admin\AppData\Local\jA2dBf8\winlogon.exe
  PID: 2544
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\winlogon.exe
  Command line: C:\Windows\system32\winlogon.exe
  PID: 844
- C:\Users\Admin\AppData\Local\bfo9Gpgv\mblctr.exe
  Command line: C:\Users\Admin\AppData\Local\bfo9Gpgv\mblctr.exe
  PID: 2096
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\mblctr.exe
  Command line: C:\Windows\system32\mblctr.exe
  PID: 2128
Network
MITRE ATT&CK Enterprise v15
Downloads