Analysis
  max time kernel: 133s
  max time network: 118s
  platform: windows7_x64
  resource: win7-20231215-en
  resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  submitted: 28-01-2024 04:57
Static task: static1
Behavioral task: behavioral1
  Sample: 7c364a9cc46fabb61560e9bb9ef588ce.dll
  Resource: win7-20231215-en
General
  Target: 7c364a9cc46fabb61560e9bb9ef588ce.dll
  Size: 1.6MB
  MD5: 7c364a9cc46fabb61560e9bb9ef588ce
  SHA1: 1a755f4b3d03b6bce41ebb26bd8d15e3e6dfe96f
  SHA256: ac5e42f699e4e1efc7f7cd1f1b6516c4ff8405ff1e82aba21ed18cc8cf26efd7
  SHA512: 807cbefe2206e54c26929f9868c6f8a0340d324d18a63e0da216ab6e523109cf6012b41676cd5552f0ee8681875065d8ad021632e80129089070317737dda75f
  SSDEEP: 12288:GVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:bfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
Processes:
  resource:  behavioral1/memory/1196-5-0x0000000002520000-0x0000000002521000-memory.dmp
  yara_rule: dridex_stager_shellcode
Executes dropped EXE (3 IoCs)
Processes:
  pid   process
  2596  AdapterTroubleshooter.exe
  2340  RDVGHelper.exe
  2992  TpmInit.exe
Loads dropped DLL (7 IoCs)
Processes:
  pid   process
  1196  (process name not recorded in the report)
  2596  AdapterTroubleshooter.exe
  1196  (process name not recorded in the report)
  2340  RDVGHelper.exe
  1196  (process name not recorded in the report)
  2992  TpmInit.exe
  1196  (process name not recorded in the report)
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\Bsfvntd = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\4gKF6E8\\RDVGHelper.exe"
  process: (not recorded in the report)
Checks whether UAC is enabled
Processes:
  description        ioc                                                                                process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  AdapterTroubleshooter.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  RDVGHelper.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  TpmInit.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
  pid   process
  2536  rundll32.exe   (3 entries)
  1196  (process name not recorded in the report; repeated for all remaining entries)
Suspicious use of WriteProcessMemory (18 IoCs)
Processes (each row appears three times in the report):
  description                        pid   process                                   target process
  PID 1196 wrote to memory of 2608   1196  (process name not recorded in the report)  AdapterTroubleshooter.exe
  PID 1196 wrote to memory of 2596   1196  (process name not recorded in the report)  AdapterTroubleshooter.exe
  PID 1196 wrote to memory of 2648   1196  (process name not recorded in the report)  RDVGHelper.exe
  PID 1196 wrote to memory of 2340   1196  (process name not recorded in the report)  RDVGHelper.exe
  PID 1196 wrote to memory of 3012   1196  (process name not recorded in the report)  TpmInit.exe
  PID 1196 wrote to memory of 2992   1196  (process name not recorded in the report)  TpmInit.exe
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
  C:\Windows\system32\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\7c364a9cc46fabb61560e9bb9ef588ce.dll,#1
    PID: 2536
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses

  C:\Windows\system32\AdapterTroubleshooter.exe
    command line: C:\Windows\system32\AdapterTroubleshooter.exe
    PID: 2608

  C:\Users\Admin\AppData\Local\e3Fy0nv\AdapterTroubleshooter.exe
    command line: C:\Users\Admin\AppData\Local\e3Fy0nv\AdapterTroubleshooter.exe
    PID: 2596
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks whether UAC is enabled

  C:\Users\Admin\AppData\Local\DI2Rso\RDVGHelper.exe
    command line: C:\Users\Admin\AppData\Local\DI2Rso\RDVGHelper.exe
    PID: 2340
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks whether UAC is enabled

  C:\Windows\system32\RDVGHelper.exe
    command line: C:\Windows\system32\RDVGHelper.exe
    PID: 2648

  C:\Users\Admin\AppData\Local\QCib\TpmInit.exe
    command line: C:\Users\Admin\AppData\Local\QCib\TpmInit.exe
    PID: 2992
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks whether UAC is enabled

  C:\Windows\system32\TpmInit.exe
    command line: C:\Windows\system32\TpmInit.exe
    PID: 3012
Network
MITRE ATT&CK Enterprise v15
Downloads