Analysis
-
max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags
arch:x64 arch:x86 image:win7-20231215-en locale:en-us os:windows7-x64 system
submitted
26-01-2024 13:37
Static task
static1
Behavioral task
behavioral1
Sample
77810543496dc906d195460796a0219f.dll
Resource
win7-20231215-en
General
-
Target
77810543496dc906d195460796a0219f.dll
-
Size
1.7MB
-
MD5
77810543496dc906d195460796a0219f
-
SHA1
715be388b02b3699ec35b93d4ad823e6b0127c91
-
SHA256
3df740c27f3febda3ee2de2dfb8825fec9efdf4017ef648ff61b91d77f76f8ba
-
SHA512
21fc370d2143019708e8980c089ec7ab3c930b3c5040c8a05b579312ddd16295d4efeb191a7c4b3cfd6ee570b7a351052268633880bd79aa68330f1bca1c033d
-
SSDEEP
12288:sVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:ZfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
-
Processes:
resource: behavioral1/memory/1200-5-0x0000000002210000-0x0000000002211000-memory.dmp
yara_rule: dridex_stager_shellcode
Executes dropped EXE 3 IoCs
Processes:
pid process
1792 sdclt.exe
2660 rekeywiz.exe
2492 rstrui.exe
Loads dropped DLL 7 IoCs
Processes:
pid process
1200 (name not captured)
1792 sdclt.exe
1200 (name not captured)
2660 rekeywiz.exe
1200 (name not captured)
2492 rstrui.exe
1200 (name not captured)
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\Bsfvntd = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Acrobat\\ebxK\\rekeywiz.exe"
process: (name not captured)
Checks whether UAC is enabled
Processes:
description ioc process
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA rundll32.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA sdclt.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA rekeywiz.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA rstrui.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid process
2140 rundll32.exe
2140 rundll32.exe
2140 rundll32.exe
1200 (name not captured; this row is repeated for all remaining entries)
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
description pid process target process
PID 1200 wrote to memory of 2588 (pid 1200, process name not captured, target process sdclt.exe) x3
PID 1200 wrote to memory of 1792 (pid 1200, process name not captured, target process sdclt.exe) x3
PID 1200 wrote to memory of 2628 (pid 1200, process name not captured, target process rekeywiz.exe) x3
PID 1200 wrote to memory of 2660 (pid 1200, process name not captured, target process rekeywiz.exe) x3
PID 1200 wrote to memory of 2912 (pid 1200, process name not captured, target process rstrui.exe) x3
PID 1200 wrote to memory of 2492 (pid 1200, process name not captured, target process rstrui.exe) x3
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
path: C:\Windows\system32\rundll32.exe
command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\77810543496dc906d195460796a0219f.dll,#1
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2140
-
path: C:\Windows\system32\sdclt.exe
command line: C:\Windows\system32\sdclt.exe
PID:2588
-
path: C:\Users\Admin\AppData\Local\rPIrD\sdclt.exe
command line: C:\Users\Admin\AppData\Local\rPIrD\sdclt.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1792
-
path: C:\Users\Admin\AppData\Local\2ipIWk\rekeywiz.exe
command line: C:\Users\Admin\AppData\Local\2ipIWk\rekeywiz.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2660
-
path: C:\Windows\system32\rekeywiz.exe
command line: C:\Windows\system32\rekeywiz.exe
PID:2628
-
path: C:\Users\Admin\AppData\Local\Ovzd\rstrui.exe
command line: C:\Users\Admin\AppData\Local\Ovzd\rstrui.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2492
-
path: C:\Windows\system32\rstrui.exe
command line: C:\Windows\system32\rstrui.exe
PID:2912
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
67KB
MD5
767c75767b00ccfd41a547bb7b2adfff
SHA1
91890853a5476def402910e6507417d400c0d3cb
SHA256
bd70e504871a2ac1c883d19b87970c8d1b8b251c784bf777ba77ed764f5f2395
SHA512
f096043452a1aa213a5e4d62638de3ee4b0b3ad3d12b7ee0372d8c79e00e2e13b4fd0ebc4206bbdb5124bed292dd5b30ef1641288046ef835f89c332985154f9
-
Filesize
189KB
MD5
58cfa68b97770a7f969a96920676a45c
SHA1
cbfd60488271d82d90dfe3b1935da8c454bf2301
SHA256
3f35599fc2b9aa9f9aeb1309f633627ceca29665f0259028e93529fa7056d740
SHA512
d3a440af4d12840e553b515392010ac5ce6a794b3fa9d7267f4dd5ed16947b4781777db2f7336f45aea6c48bad72548637ba4f29f017ec6435600172957079de
-
Filesize
71KB
MD5
1d237d48070457444927a19193eae76a
SHA1
466e61a51f2dabff2ffec7742efa5c5f71b29b01
SHA256
7828b6b5a7990736572563aab8f04d0113da5cad2a3ddfaa460ce283997a517f
SHA512
ad312519d3d917ae2c5b11b09444f8483b55dfab755feea48a652e4244b179e6658bc0d891782546a8f06ab51d79fcb521d5666c16ba61b88120cdea0b16c5b0
-
Filesize
83KB
MD5
f1684e6c16e233879f90830ac7965abb
SHA1
c8ec3f7838497b54793bc515d5d5798c90018bfb
SHA256
d16e9d1bbf007fce0b1f5b7d0fe9dd05546a39dddc35b3c7b0f93e441464e3ab
SHA512
d406ed5db6c265e2e846d9550abaa7bc5c687f98ae42306192a38f29eebe5b1094e78ddbfd2f3930bd5b774851631107f3770b58a3e163fdc15db59ef18402ce
-
Filesize
112KB
MD5
4dc3ec61408834916a3dcdf6b91b134b
SHA1
08b84f218e16036584931acd9cd010ac687c3a0a
SHA256
cc067ccea02f18d87d9337d3c5fdc1a839a6bceb35b2404f6828ab4f21dfb911
SHA512
c8a87a3acc4f8170ad18539523c2d9581fd25a1feceaf6e5e3c190fb3d9ed8152b242bdb9425cd11821137123c3bcdd8506f9913ac357c53b986ab3c8a40dd1e
-
Filesize
144KB
MD5
759a1552bb11b444aac50ee3337fea97
SHA1
b3b97e1da25d3f0803e4add64de210ed187e0ba5
SHA256
3cab7025db18a6c2a86a097fd77b58bedd5dacded30afbfe2877d3f68dfe5299
SHA512
8f5d69838e02fe3e52a2d8e9898b6e46b4b4dccd65e5be399ae085e6f4aa1f935db5b98301f433d414b1c250de2cc92f65da76838d353773b5d02fd43dd1701e
-
Filesize
139KB
MD5
1163292404c87d6eded602fb8ed3befb
SHA1
2523b6862ec4d2b2bfe662a4f84ac2ef105f5d88
SHA256
8b4354eb21b2f47a4a4004ef2dd74d91a23520d9bce362c5a400d9895b8703a0
SHA512
7988623abe98261e2e739e6821068edff25b61eb35aa4c8c85e70c53463e72e1b529df4e2e355ead0089cd4d1d9cd2451d64258a66438eae1d99a6bed2956c17
-
Filesize
118KB
MD5
7c61a9afc3eb453bac76d740b04c557a
SHA1
db8e5696cc5f13fdf71fa9a8e8cebeee4d7e6abd
SHA256
f5cbcc8e781ebe299c11082017933ca60eb77cc25493f95cce9b8f5faf5b2cb7
SHA512
1d68b2c8dfbd144285b2898ed33f386233b9991b35b469cefb221485ab5d2778fb4fc9edd389de063d0eaf7b621fcee62ae00849034afc8ec4b56b2ccde6087b
-
Filesize
1.7MB
MD5
228fcd0e9b8225bab7d1ef1733561cd2
SHA1
3c38cf65a9e6a05f391ba75a0d715787cbdb9d2b
SHA256
d07ef0d722ed82aeca0f8d9584a322e5978cc82c0f8a5c90f4a72f0cce495f3e
SHA512
08f4ce8059bae12eb52eb7b2c7396448a436fd82cd61489aa645b7d3ad23d2468dbd86ec94fdc2edd09ec7f694c325bd8b711ebb3223660f6b3f03faf7153936
-
Filesize
1.7MB
MD5
4094b514a056fa26b348cd2300aafcc6
SHA1
b8e1529fb4282d72d9a00f27bc3c8e76ed228a7d
SHA256
95f926cb5d8f3ac7bf5e472461778d6524b2c9b6701ede37c8f353a8464f59e7
SHA512
77929d203929e4191980731f2b0a3f4ba56854fe765438090dd219dc1edfe256ff38c517a8ec1bade42e612b2cce70e01b7a8b9831aa40d81a93c21f7baff526
-
Filesize
1KB
MD5
358b160f1242223920b2e5ea27048228
SHA1
a6b9f46aab3c4ac4318d27d3fdf944feb88be05a
SHA256
fb79ba6be2306c2b04cb214111a4000284517e4f4a6bb50832b8c6c609156edd
SHA512
4aa8f4d75783361646f206ec2ac31cad745d9efd3fe880fbd6d8fe5d0cc562675269a094711df85317342c58a308a1d5003203f743f1f16dbc605127f2c1c7e7
-
Filesize
1.7MB
MD5
8cd243505f4ad2a151e49a47065ef8db
SHA1
338055b18dc059b4082f79226f8761b5404e84cf
SHA256
12fe0d872ed7b61a07700c7bf2d6b09b43465a971e38d1404b5462532b8b6a41
SHA512
cb49b8d614a82f4b972bfc1cb5e1b37ad6af0584b66f1731fb95bb563214fd3aa9911e5a3cf5d3d539826f748ec0821b980e182bb99f563dcb6e8875d97137e8
-
Filesize
206KB
MD5
5fecaff146cb69f5892cce74c6f86636
SHA1
fd5fea48bbf1c2f721c105af6445ec119b4f73d0
SHA256
0f2ebd5097c11f190c6e4133c374d308950674f22a6c8e21732181e865bf9fa7
SHA512
4cbccc36ddd3694485a49e654b54e96b4a6c37d30bd09044cd783a39f86dd6816204e597cce70a850b90b19a343142b5aff6d385c03052b5500ae995a061113a
-
Filesize
84KB
MD5
8bd0c05a23dd20469a17ff1818ff689e
SHA1
a726a1ee88399c62da3c4b28c6920d00b16b1b88
SHA256
545c8ecd3f238f3a44545dca4f51e01351b253269077036aa83899f1d8e8b94f
SHA512
092a74ce31b44ebaa703b4d6711c204c276f33523b1f5dbf48f4de6248ef17e2c0e81511fab578af367fae1c7d141013f4af20120287a11658ada3ab160a3001
-
Filesize
47KB
MD5
88dd12cc6797b17c61e2abbacf17dd4c
SHA1
cd87e6f720f1a8e0df61366aa2a70dc5c640cbb6
SHA256
e139a84bf991bd3ccf1dd849365259547f2fdac80f6abc9f98309bb0eff955e5
SHA512
1645ea75875793031215d1fe0186d1b346eb11398e2107a6ac2125aaa3947d9afeaa74f7ccda3ed6eba067c07998e2660c0652c4ef0282fd51dd6ecf292caa28
-
Filesize
133KB
MD5
c3b6459c89b91aa9ff4fdc20045d0a6e
SHA1
8be63136ffb4d30742a4584e7eadab4a70ffd80c
SHA256
d682ec0f0f8d50adce18c6a87e38c1093fceaa1e157cb3e4d66e9692880d1158
SHA512
6a237dc057c2a8f366f2ca0449f6a355869ba172c90c821fddd3fc50962216c85ae406ba9902c738f59206cee0ddec54d955a35952c0be199402998e5844dea0
-
Filesize
170KB
MD5
2c2c1b7ab248604574360de489e8d06b
SHA1
819535e0636457fb5f5f2b3716d55c9ece064243
SHA256
dcd432ecefcf65a64e78582b28d9e1d8b85e8c86b3177f8f22722ceaaef06e81
SHA512
d0b021028c445c14d567bcd4902837a7ac7c2b0e32343f6281d7d6daaa3d061d966072ee0ae7e2b062e5976e67c7f39c4d7cc104c060cf79b164291b285625ea
-
Filesize
58KB
MD5
b69136323ea51425c31bf6fcfd64b637
SHA1
1c0272f77499ebeb684a96e30c3f3148cb4b4aab
SHA256
06168bac05ad12c59d824d67f41ef647712cf7bcf71ca6e788d7f6e9b2a2d8b2
SHA512
d01adc1ee80428ca57b24cc9b6cdb5bec74d9fc5aebbf2f18ea6106b5b3b0f6fb0a831920b7c8cc3b15be89108061576a907c36ab88b289d86eedbb3f4e5adc3