Analysis
max time kernel: 150s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-01-2024 04:12
Static task: static1
Behavioral task: behavioral1
Sample: 7c1e2e5883295d072f73627f00279333.dll
Resource: win7-20231215-en
General
Target: 7c1e2e5883295d072f73627f00279333.dll
Size: 3.2MB
MD5: 7c1e2e5883295d072f73627f00279333
SHA1: d0308ecef0df53a4b448d8d59ed4c99efb0bb9c4
SHA256: 20d290a43af5edaff7a58b11a463755ee38c570a6e9258e9672146566ed58ced
SHA512: cc59d338eddee33127471a1ce20f6021889b7d2d795111804105c93127c28dcbfcd23d5e04711e011629a932eb5d62fe7a8d7987c9e42963508a5bc353d6538b
SSDEEP: 12288:0VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:xfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
-
YARA match in process memory 1 IoCs
Processes:
resource | yara_rule
behavioral2/memory/3504-4-0x0000000002B90000-0x0000000002B91000-memory.dmp | dridex_stager_shellcode
The rule dridex_stager_shellcode fires on a single 4 KB region (0x2B90000 to 0x2B91000) in PID 3504, a process whose image name the report does not record; the remaining signatures below show that same PID driving the rest of the chain.
Executes dropped EXE 3 IoCs
Processes:
pid | process
2696 | upfc.exe
5108 | SystemSettingsAdminFlows.exe
544 | wbengine.exe
-
Loads dropped DLL 3 IoCs
Processes:
pid | process
2696 | upfc.exe
5108 | SystemSettingsAdminFlows.exe
544 | wbengine.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc
Set value (str) | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mbfbagbrjs = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\fx7DKf\\SystemSettingsAdminFlows.exe"
Checks whether UAC is enabled 4 IoCs
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | wbengine.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | upfc.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | SystemSettingsAdminFlows.exe
EnableLUA is the policy value that switches UAC on (1) or off (0); the same read is made by the rundll32.exe loader and by all three relocated copies.
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process
2892 | rundll32.exe (4 events)
3504 | image name not recorded (remaining 60 events)
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
description | pid
Token: SeShutdownPrivilege | 3504
Token: SeCreatePagefilePrivilege | 3504
Token: SeShutdownPrivilege | 3504
Token: SeCreatePagefilePrivilege | 3504
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
pid
3504
3504
-
Suspicious use of UnmapMainImage 1 IoCs
Processes:
pid
3504
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
description | pid | target process
PID 3504 wrote to memory of 868 | 3504 | upfc.exe
PID 3504 wrote to memory of 868 | 3504 | upfc.exe
PID 3504 wrote to memory of 2696 | 3504 | upfc.exe
PID 3504 wrote to memory of 2696 | 3504 | upfc.exe
PID 3504 wrote to memory of 2256 | 3504 | SystemSettingsAdminFlows.exe
PID 3504 wrote to memory of 2256 | 3504 | SystemSettingsAdminFlows.exe
PID 3504 wrote to memory of 5108 | 3504 | SystemSettingsAdminFlows.exe
PID 3504 wrote to memory of 5108 | 3504 | SystemSettingsAdminFlows.exe
PID 3504 wrote to memory of 2816 | 3504 | wbengine.exe
PID 3504 wrote to memory of 2816 | 3504 | wbengine.exe
PID 3504 wrote to memory of 544 | 3504 | wbengine.exe
PID 3504 wrote to memory of 544 | 3504 | wbengine.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\7c1e2e5883295d072f73627f00279333.dll,#1
  PID: 2892
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
- C:\Users\Admin\AppData\Local\3Q3\upfc.exe
  Command line: C:\Users\Admin\AppData\Local\3Q3\upfc.exe
  PID: 2696
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\upfc.exe
  Command line: C:\Windows\system32\upfc.exe
  PID: 868
- C:\Windows\system32\SystemSettingsAdminFlows.exe
  Command line: C:\Windows\system32\SystemSettingsAdminFlows.exe
  PID: 2256
- C:\Users\Admin\AppData\Local\K1XGagU\SystemSettingsAdminFlows.exe
  Command line: C:\Users\Admin\AppData\Local\K1XGagU\SystemSettingsAdminFlows.exe
  PID: 5108
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\wbengine.exe
  Command line: C:\Windows\system32\wbengine.exe
  PID: 2816
- C:\Users\Admin\AppData\Local\Ujc\wbengine.exe
  Command line: C:\Users\Admin\AppData\Local\Ujc\wbengine.exe
  PID: 544
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled

The sample is a DLL started through rundll32.exe by export ordinal (the ",#1" suffix). All seven entries sit at the same depth in the sandbox's tree; none is a child of rundll32.exe. Read together with the WriteProcessMemory rows above, where PID 3504 writes into each of the other six PIDs, this is consistent with PID 3504 (not the rundll32.exe host) launching the pairs: each legitimate System32 binary, and then a copy of the same binary from a randomly named folder under AppData\Local, where it loads a dropped DLL from its own directory.
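The three "Executes dropped EXE" processes, the Run value under "Adds Run key to start application", and the process tree above all show one pattern: a Windows system binary relocated into a user-writable folder and started from there, with persistence pointing at a further copy under AppData\Roaming that never appears among the executed processes. The Python below is an added example, not part of the sandbox output or of any tool the report names. It rebuilds the process list, the cross-process writes and the Run value from this report as constructed input and flags that pattern: an image name that runs both from a Windows directory and from a user-writable path, which PID wrote into each relocated copy, and whether the persistence target lives in the user profile. The directory lists and the event tuples are assumptions made for the example.

```python
"""Flag system binaries relaunched from user-writable folders (constructed input)."""
import ntpath
from collections import defaultdict

# Assumed locations of legitimate Windows binaries (lower-case, trailing slash).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Assumed locations a standard user can write to; a system binary here is the tell.
USER_WRITABLE = ("\\appdata\\local\\", "\\appdata\\roaming\\",
                 "\\users\\public\\", "c:\\programdata\\")

# Constructed from the process tree in this report: (pid, image path).
EVENTS = [
    (2892, r"C:\Windows\system32\rundll32.exe"),
    (868,  r"C:\Windows\system32\upfc.exe"),
    (2696, r"C:\Users\Admin\AppData\Local\3Q3\upfc.exe"),
    (2256, r"C:\Windows\system32\SystemSettingsAdminFlows.exe"),
    (5108, r"C:\Users\Admin\AppData\Local\K1XGagU\SystemSettingsAdminFlows.exe"),
    (2816, r"C:\Windows\system32\wbengine.exe"),
    (544,  r"C:\Users\Admin\AppData\Local\Ujc\wbengine.exe"),
]

# Constructed from the WriteProcessMemory signature: (writer pid, target pid).
# The sandbox lists every pair twice, so a set is the honest representation.
CROSS_PROCESS_WRITES = {(3504, 868), (3504, 2696), (3504, 2256),
                        (3504, 5108), (3504, 2816), (3504, 544)}

# The Run value data from the report, with the registry-export escaping removed.
RUN_VALUE = r"C:\Users\Admin\AppData\Roaming\Microsoft\Protect\fx7DKf\SystemSettingsAdminFlows.exe"


def in_system_dir(path: str) -> bool:
    p = path.lower()
    return any(p.startswith(d) for d in SYSTEM_DIRS)


def in_user_writable(path: str) -> bool:
    p = path.lower()
    return any(d in p for d in USER_WRITABLE)


def find_relocated_system_binaries(events):
    """Return {basename: {"system": [pids], "copies": [(pid, path)]}} for every
    image name that ran from a Windows system directory AND from a
    user-writable location in the same event set. Requiring both sides keeps
    ordinary user-installed software (which has no System32 twin) out of the
    result."""
    by_name = defaultdict(lambda: {"system": [], "copies": []})
    for pid, path in events:
        name = ntpath.basename(path).lower()
        if in_system_dir(path):
            by_name[name]["system"].append(pid)
        elif in_user_writable(path):
            by_name[name]["copies"].append((pid, path))
    return {n: v for n, v in by_name.items() if v["system"] and v["copies"]}


def injected_copies(findings, writes):
    """Map each relocated copy's pid to the sorted list of pids that wrote into it."""
    out = {}
    for v in findings.values():
        for pid, _ in v["copies"]:
            out[pid] = sorted(w for w, t in writes if t == pid)
    return out


def run_value_target(data: str) -> str:
    """Extract the executable path from Run value data, honouring a quoted path
    and dropping any trailing arguments."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:data.index('"', 1)]
    return data.split(" ")[0]


def persistence_in_user_profile(data: str) -> bool:
    """True when a Run value launches an .exe from a user-writable location."""
    target = run_value_target(data)
    return (target.lower().endswith(".exe")
            and in_user_writable(target)
            and not in_system_dir(target))


if __name__ == "__main__":
    found = find_relocated_system_binaries(EVENTS)
    for name, v in sorted(found.items()):
        print(f"{name}: system pids {v['system']}, copies {v['copies']}")
    print("writers into each copy:", injected_copies(found, CROSS_PROCESS_WRITES))
    print("Run value starts from user profile:", persistence_in_user_profile(RUN_VALUE))
```

On this report's data the three relocated names come back with PID 3504 as the only writer into every copy, rundll32.exe is not reported because it only ever ran from System32, and the Run value is flagged because its target is an .exe under AppData\Roaming. Feeding the same functions real process-creation telemetry works unchanged as long as it yields (pid, image path) pairs.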
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 149KB
MD5: ddf7f70cf62ddb48ea6d400384830c24
SHA1: dbbc07892b8987c6238e7410a73790e4f9c42296
SHA256: 44c45ce33950642c623d917f78743b303f6d16786c6487c8995ea95a1c736896
SHA512: bc01332dbe6710616eba5316a39fd30ca4c546ceab00ae5c40ec4b102ebe8c4d5389af331a3e723c5e51f35a9726a4c48c8984cf4abe36ccb18795184c22ef22
-
Filesize: 151KB
MD5: c78fdb6dae69af9a035a9bb4f747e2f4
SHA1: 2e4b10f0031b1b1287f295f1e2cacbd35e40211c
SHA256: 6f481cf0cc6ea273241c058908980ab718e624ea9be1e06788b28e2eab5878ce
SHA512: 92cf796793ecde3fd064c801d4259d0c3d6446ac07927375a4bef5930565a266398436b6805ac252ca93b4f28d2bf56507f19596fe66524cc7c3a353ed58c10d
-
Filesize: 107KB
MD5: 09e094e8be0e4ee7db913bef7262a312
SHA1: 061845e0db136d92003c578cbf147b1efcf15de5
SHA256: 81b55b7db25b9f035ce222b0acf48573660c35fa0970b91a9da591158a6eb70b
SHA512: fb6aa89293124442d3a7ab3c139c2395c721874e224f649c9f042bb0832a7137b3c2a8c8f899a153297ee5cb5ea64ef957d4ecfbeab6d244b9935761d0e8adce
-
Filesize: 118KB
MD5: 299ea296575ccb9d2c1a779062535d5c
SHA1: 2497169c13b0ba46a6be8a1fe493b250094079b7
SHA256: ee44fe14df89c4e5eaf8398f8fb4823fd910c5a94d913653d6b9e831254f6cc2
SHA512: 02fc2b25167ebd7dfcc7b8aa74613e7004fdf33dfccccba6c3427434cca981c2eb50f4a801969b3a40c495a9bb0eac8176f4f2ec9091916cf3509a7f909b30fa
-
Filesize: 93KB
MD5: 3dac1f19dda5df7d36f5a68d732930ec
SHA1: 071acddc521d81b1bea9cc306284c76dd3f05684
SHA256: 1872274d2f5364bfd6b20e730e080e8c9399d0a3dda2f37c8bd15bd61a81d8d6
SHA512: 3810473e5762d7a263edd6b6477f9b7f853e0bb8c5aab87415d66811e49b177a574e0501f39b7b83b66f0f7cdbce53de4de2ab55e3c24babb19b204bb2c50dd6
-
Filesize: 60KB
MD5: 4887517805ab643e50a64e86167c42ba
SHA1: c3fb12b85753f26b4c60b4853af2fbff7dd8a247
SHA256: bef6757738cd2ce036a563402bda11d88f6568b3bbb46bd21c0dec9d6eb0c202
SHA512: 15b97a01bf77c315adf84fa17178898e11d6ca8305294380adb36339f2b28599eb1b0b35fd2b4c6c0cc3944c5de0031f7245fba9509a04b5d74b452d06d8337d
-
Filesize: 1KB
MD5: 8ba4fad275d574a0aad833eccb7fdb99
SHA1: 4e83c5de81dae62fc5a3bc4fa75d5d9b2a02cbab
SHA256: 83a0f2463fd6f84736cfadda687acaf6f763479c0507e0690f46a08537da3e93
SHA512: edb22065d1e42dfc16ee6a39dc501104170727e223aae2533452882ccaeabf5749cb62b0c2de5050733fd00fa7364bf6c380a268ce0a6f965ae848363533ed7d
-
Filesize: 113KB
MD5: 5a1f26d1eac6a38eb2e8a23b408f0241
SHA1: 04fcd476c2c7861e00b05f786f449b70f0f2834b
SHA256: fa2e8ffb5e0464fe33f286d7b3f88ab1436daa729c6e279dd3d7c1f6825d40dd
SHA512: 1f761aac06697847edbdf609bce3beed588471c5b8bc95de2feece153927ca89a596b66e941c1991d6ab45aa2ab71669060ecd4497979143fced311260453969
-
Filesize: 83KB
MD5: 7619313476dba75258f758a8fc090780
SHA1: dd926ad86c6fcc639e80be4d5c443eac664a5d45
SHA256: 8266d181ce71949c861dd06e976eff83508bd468c439714d89c8dac7d4f6b929
SHA512: c311ccb7596fbd9d007283707d74e451c29ff10e40b94e28310eedfb05aff4ea053e779882cf75428a98fbe8ad717755e27e315c6c977a7a05ccc6709b4274f9
-
Filesize: 86KB
MD5: b6e70d2c1146e10d4be41f9f471257b0
SHA1: 0e99c19645e36ccf9dcd15fdb6c2686d09687f76
SHA256: f48c01de822715e4701586cd2411966ef52b51a8b23fdefc02faf7a74870fb5b
SHA512: 8d3d2d25c8608c4c8fd5b8498ad26ee55efa6ab1d7d558c1a2f4b48f13d0f11f9977bbdf328a24307984b28b57867b8ae9de4d680bb09fd042b56e66740ef1c1
-
Filesize: 41KB
MD5: 555b904ab4154dfb6b1d73121d64cb66
SHA1: f8a93e039cd7b1f6528867dc9ae91786ccaa27f6
SHA256: 133fc41aefb1db552731d5b8a15c24cb51b24f14d3e28b4110317f9096c14050
SHA512: 64993a81c275774c23714d420d9a8923540590b35ffa3dfa06de2dc79d55d86907c520c12260a540cdec835a9bc8a7bd3db3333da973c7bf1bd859c8f6645e0a
-
Filesize: 1KB
MD5: 89da55a431778e5f2bbb6273d1cf03ca
SHA1: 564e1774210e8a5eadc4e1106b92e124063a83b3
SHA256: bf63a24d92ea0bbef70e995bc66b8f092562bce8b5c6f603b64d30ef668d7536
SHA512: 5605f8877217ff3367ec5980c6352c9908f92618888ffcf0d2c706ed3c8b1a9d099b7613a2ae88dd414324db5e9a1d5bef49ff5d8c06f777833c2a221684d597
-
Filesize: 1KB
MD5: e17f391a325f2b278b01ba20df1d7cfa
SHA1: bc2523af20380b2c74e0f97d7c932ed64133d01e
SHA256: 62b3a3ea2dd4ecf591df7b48078cf42dd20cf18f24767aa702551eab44c47359
SHA512: 8649c27ed504e93016c474bca2a301336981d688d6509805ed6e38d4e79e671c13e190157474ff49052a5612dae65dfd0fc3382c2fa874b758b1b718b3e09597
-
Filesize: 98KB
MD5: af4cf7d7720fb2d24af2b666797b7433
SHA1: cbd6c4cfb7b59964a1a47f53fcbae3f6ed98cd33
SHA256: 69c411546cc1b00e99aa58d2d29f6ad19d24c64d79808c4afa87a39c4cd0e427
SHA512: c4faf1333da247331ba8f9cc92f3ecf7be003f0bda93966a922f7fa2d3d74bdace2b189e853c94456751cc910720821a9549544d55a2c97af186fa675c1fbe1b
-
Filesize: 65KB
MD5: eafe2d03935be1bfce29773165f2cdff
SHA1: f400bb9a434334b3972c78c1af3b73ed9b90b524
SHA256: 2185bc3954aec0174d4e0685f16f80502642dc79322817ffc2af1f7f57ab198f
SHA512: 0c727d48e6b0061a6ad605b53699440938780c56682258ea6a674e4c638cfa123125a0445d8ec3ebfed53bd5f756a11414fd62ee5061b9a5cbe9b6ba29f0f11d
-
Filesize: 18KB
MD5: 3d93d05e0fd5c8b2727ba84754b644f9
SHA1: cad6f9fd57c9d56737896cc557a884c5bd645047
SHA256: 9440efee669f1ed492be7657299f81be084759157400f33b53e712a3ba3500f2
SHA512: dc1c5a9c9555ffaa279a4c67865cbc8ea600b55963598254904b9fc17aa303492937597e09e9f2efe34967b950257d2bd8c8e216bfbe6b93bedeb7db86e3d1d5