Analysis
max time kernel: 151s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-01-2024 03:36
Static task: static1
Behavioral task: behavioral1 (Sample: 7c0b7776d8e7e775fb646f2bf3c91c46.dll, Resource: win7-20231215-en)
Note: the signature and process data below come from the behavioral2 run on the win10v2004-20231215-en image (the platform listed above); the task list also shows a behavioral1 run on win7-20231215-en whose results are not part of this page.
General
Target: 7c0b7776d8e7e775fb646f2bf3c91c46.dll
Size: 1.8MB
MD5: 7c0b7776d8e7e775fb646f2bf3c91c46
SHA1: 716d6d1caf34896aa69120fc3f08e7f480e3176e
SHA256: 6e2ba94de342be1b5ed71468cb2628106a823c38419cbb3fc6f612465523853b
SHA512: 874c1bf7a350dd8a81d00b9edfa95efd5c1f58b3b185fe99f8e58e4f3929b7646509c75b5524c49b7c6a679ea4be003471de69f236ea24c18dd192fa5fa50f5b
SSDEEP: 12288:iVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:/fP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
-
YARA match in process memory (rule dridex_stager_shellcode)
Resource: behavioral2/memory/3408-4-0x0000000001260000-0x0000000001261000-memory.dmp (dump of PID 3408, region 0x1260000-0x1261000)
YARA rule: dridex_stager_shellcode
Executes dropped EXE 3 IoCs
PID   Process
4636  tabcal.exe
4896  BdeUISrv.exe
960   AtBroker.exe
-
Loads dropped DLL 3 IoCs
PID   Process
4636  tabcal.exe
4896  BdeUISrv.exe
960   AtBroker.exe
Adds Run key to start application 2 TTPs 1 IoCs
Description: Set value (str)
IoC: \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gdfgjdhwrlpouj = "C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\MAINTE~1\SGVLdslV\BdeUISrv.exe"
Process: (not recorded)
Note: the value uses 8.3 short names (MICROS~1 = Microsoft, STARTM~1 = Start Menu, MAINTE~1 = Maintenance) and points at a BdeUISrv.exe copy under the roaming Start Menu folder, a different directory from the AppData\Local\ps3g copy that actually ran during the analysis (see the process list below). A hunt that only checks the directories seen executing will miss the persisted copy.
-
Checks whether UAC is enabled
Description        IoC                                                                                   Process
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  tabcal.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  BdeUISrv.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  AtBroker.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
PID   Process
5028  rundll32.exe (4 entries)
3408  (process name not recorded; 60 entries, 64 IoCs in total)
Note: PID 3408 appears throughout the signatures but is absent from the process tree below; this report never records its image name.
Suspicious use of AdjustPrivilegeToken 4 IoCs
Description                       PID   Process
Token: SeShutdownPrivilege        3408  (not recorded)
Token: SeCreatePagefilePrivilege  3408  (not recorded)
Token: SeShutdownPrivilege        3408  (not recorded)
Token: SeCreatePagefilePrivilege  3408  (not recorded)
-
Suspicious use of FindShellTrayWindow 2 IoCs
PID   Process
3408  (not recorded)
3408  (not recorded)
-
Suspicious use of UnmapMainImage 1 IoCs
PID   Process
3408  (not recorded)
Suspicious use of WriteProcessMemory 12 IoCs
Writer PID  Target PID  Target process
3408        4624        tabcal.exe
3408        4624        tabcal.exe
3408        4636        tabcal.exe
3408        4636        tabcal.exe
3408        4400        BdeUISrv.exe
3408        4400        BdeUISrv.exe
3408        4896        BdeUISrv.exe
3408        4896        BdeUISrv.exe
3408        2952        AtBroker.exe
3408        2952        AtBroker.exe
3408        960         AtBroker.exe
3408        960         AtBroker.exe
Note: every write comes from PID 3408 (the process holding the dridex_stager_shellcode memory region above), and each target pair covers both the System32 copy and the AppData\Local copy of the same binary. Each pair is listed twice in the report.
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\rundll32.exe
Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\7c0b7776d8e7e775fb646f2bf3c91c46.dll,#1
PID: 5028
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\tabcal.exe
Command line: C:\Windows\system32\tabcal.exe
PID: 4624
-
C:\Users\Admin\AppData\Local\KgDgCLleX\tabcal.exe
Command line: C:\Users\Admin\AppData\Local\KgDgCLleX\tabcal.exe
PID: 4636
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
-
C:\Windows\system32\BdeUISrv.exe
Command line: C:\Windows\system32\BdeUISrv.exe
PID: 4400
-
C:\Users\Admin\AppData\Local\ps3g\BdeUISrv.exe
Command line: C:\Users\Admin\AppData\Local\ps3g\BdeUISrv.exe
PID: 4896
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
-
C:\Windows\system32\AtBroker.exe
Command line: C:\Windows\system32\AtBroker.exe
PID: 2952
-
C:\Users\Admin\AppData\Local\43C\AtBroker.exe
Command line: C:\Users\Admin\AppData\Local\43C\AtBroker.exe
PID: 960
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
Notes on the tree: the submitted DLL is invoked through rundll32.exe by export ordinal #1. All seven processes sit at the top level of the tree (no parent is recorded for any of them), while the WriteProcessMemory table attributes writes into each of the six tabcal.exe/BdeUISrv.exe/AtBroker.exe processes to the unlisted PID 3408. Each of the three Windows binaries runs once from its real location in C:\Windows\system32 and once from a newly created directory under AppData\Local with a random-looking name (KgDgCLleX, ps3g, 43C); only the AppData copies are flagged as executing a dropped EXE and loading a dropped DLL. A legitimate, signed system binary copied next to an attacker-supplied DLL in a user-writable directory is the layout used for DLL search-order hijacking (side-loading), so the dropped DLLs in the Downloads section, not the copied executables, are the files to examine.
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 90KB
MD5: 30076e434a015bdf4c136e09351882cc
SHA1: 584c958a35e23083a0861421357405afd26d9a0c
SHA256: ae7b1e298a6e38f0a3428151bfc5565ede50a8d98dafaa147b13cf89c61f2ddd
SHA512: 675e310c2455acf9220735f34fa527afe87dac691e89cc0edc3c4659147e9fd223f96b7a3beea532047aa0ebc58880a7010343019a50aa73ce69a038e3592024
-
Filesize: 1.8MB
MD5: e1869764e0d2e79ca1973f305fb88cfa
SHA1: 553ca6ac4c5e43d069b7b82cecd45b07cf981063
SHA256: 6098597b8235df47ef83d204c96f3056310691690796fb2fb187837db67d6f39
SHA512: a35f1fa6ad9dd9c2466f40adb8f428b7b436c08216f3d0b62a53fd4c465192fc34594e726d6d53a410fa67511bf56600bbc6b1fc51d47d4a9dbd265db6d829dd
-
Filesize: 1.8MB
MD5: d3612bc6eee20a2ff7cda0181c1a58b5
SHA1: ddac83dabd84c2703264d37bb06e5b12fb16eb02
SHA256: 9eccf2ac1cac8c0627a5a49f32327646540d11bd9665521b79264985adeea6b9
SHA512: d4211df62162c1910abd224d161c1c0036542af07fab092c70faa3ed1747062712eafc22dd002af0ce205db9828facee8288c50ec5a5b203d8eb990e0e1f6e76
-
Filesize: 84KB
MD5: 40f4014416ff0cbf92a9509f67a69754
SHA1: 1798ff7324724a32c810e2075b11c09b41e4fede
SHA256: f31b4c751dbca276446119ba775787c3eb032da72eabcd40ad96a55826a3f33c
SHA512: 646dfe4cfe90d068c3da4c35f7053bb0f57687875a0f3469c0683e707306e6a42b0baca3e944d78f9be5c564bb0600202c32c223a770f89d3e2b07a24673c259
-
Filesize: 54KB
MD5: 8595075667ff2c9a9f9e2eebc62d8f53
SHA1: c48b54e571f05d4e21d015bb3926c2129f19191a
SHA256: 20b05c77f898be08737082e969b39f54fa39753c8c0a06142eb7ad5e0764a2db
SHA512: 080dbcdd9234c07efe6cea4919ffa305fdc381ccebed9d1020dd6551b54e20e52387e62a344502fa4a85249defd0f9b506528b8dd34675bc9f51f664b8fc4d88
-
Filesize: 1.8MB
MD5: b02cdb5b656541cb78958d358d40dc6f
SHA1: 084ecd4932aa300c9d711f15ca3e49adc1fabb1f
SHA256: ae0e4c90b8c07841001790b6caf1ed3eac1cae74bf0bdf244824c027be780099
SHA512: ed2e305d379ca352027e497a6e2ea9faffcb0fac48f7961de763e5051d6cc70b7112b86c44d9cc4c84cd5a8aea40bf28095493ca5e5a7577e8c45e7d579c1800
-
Filesize: 1KB
MD5: f21166e7f65374f6120da87470359c0b
SHA1: 9a669feda974eb2c1c5d685d6aadd7319ede2e49
SHA256: 63fe54526deaf8292d3d23ebcf47a672f1d5b2305bc317428533e10a58e9a0b4
SHA512: 988074f9e7b5d44df3c347580bb32434b2a4d13d07454b29528883973ecf6b950a8d47e7eea40c2a752e6d2b925cf118e8c9b82d718ba0208053f275d45a6b8b
Note: this section records only sizes and hashes, not file names or paths. Three of the seven files are 1.8MB, the same size as the submitted DLL, and all seven hashes differ from the sample's, so none of the dropped files is a byte-identical copy of the submission.