Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20231222-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system -
submitted
28-01-2024 06:42
Static task
static1
Behavioral task
behavioral1
Sample
7c6984424b8af070581e59a97ed874d6.dll
Resource
win7-20231215-en
General
-
Target
7c6984424b8af070581e59a97ed874d6.dll
-
Size
1.7MB
-
MD5
7c6984424b8af070581e59a97ed874d6
-
SHA1
2a8e3182c1dbd840a4b040d12f0cddb218ea055c
-
SHA256
abe02436407d423ba7d2ee6fb54b60261b85fb70c076afc60d906b1b4a5f569a
-
SHA512
1362191bdc99468b21ee2b9060835afe60d345062d0806028ef5959535f4e03d29c0fae11a893ab0307afa7f5708005dd4fc61784ab4b31f4ec89e069bfe21ff
-
SSDEEP
12288:UVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:RfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
-
Processes:
resource | yara_rule
behavioral2/memory/3504-4-0x0000000007FE0000-0x0000000007FE1000-memory.dmp | dridex_stager_shellcode
-
Executes dropped EXE 3 IoCs
Processes:
pid | process
484 | wbengine.exe
2072 | osk.exe
4796 | wermgr.exe
-
Loads dropped DLL 3 IoCs
Processes:
pid | process
484 | wbengine.exe
2072 | osk.exe
4796 | wermgr.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mbfbagbrjs = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\OneNote\\R6Od\\osk.exe" |
-
Checks whether UAC is enabled
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | wbengine.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | osk.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | wermgr.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process
368 | regsvr32.exe
368 | regsvr32.exe
368 | regsvr32.exe
368 | regsvr32.exe
3504 | (process name blank in the report; this entry is repeated 60 times, giving the 64 IoCs counted above)
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
description | pid | process
Token: SeShutdownPrivilege | 3504 |
Token: SeCreatePagefilePrivilege | 3504 |
Token: SeShutdownPrivilege | 3504 |
Token: SeCreatePagefilePrivilege | 3504 |
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
pid | process
3504 |
3504 |
-
Suspicious use of UnmapMainImage 1 IoCs
Processes:
pid | process
3504 |
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
description | pid | process | target process
PID 3504 wrote to memory of 1440 | 3504 | | wbengine.exe
PID 3504 wrote to memory of 1440 | 3504 | | wbengine.exe
PID 3504 wrote to memory of 484 | 3504 | | wbengine.exe
PID 3504 wrote to memory of 484 | 3504 | | wbengine.exe
PID 3504 wrote to memory of 4380 | 3504 | | osk.exe
PID 3504 wrote to memory of 4380 | 3504 | | osk.exe
PID 3504 wrote to memory of 2072 | 3504 | | osk.exe
PID 3504 wrote to memory of 2072 | 3504 | | osk.exe
PID 3504 wrote to memory of 1968 | 3504 | | wermgr.exe
PID 3504 wrote to memory of 1968 | 3504 | | wermgr.exe
PID 3504 wrote to memory of 4796 | 3504 | | wermgr.exe
PID 3504 wrote to memory of 4796 | 3504 | | wermgr.exe
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\regsvr32.exe
Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\7c6984424b8af070581e59a97ed874d6.dll
- Suspicious behavior: EnumeratesProcesses
PID:368
-
C:\Windows\system32\wbengine.exe
Command line: C:\Windows\system32\wbengine.exe
PID:1440
-
C:\Windows\system32\osk.exe
Command line: C:\Windows\system32\osk.exe
PID:4380
-
C:\Users\Admin\AppData\Local\RRz9CFGsq\wermgr.exe
Command line: C:\Users\Admin\AppData\Local\RRz9CFGsq\wermgr.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4796
-
C:\Windows\system32\wermgr.exe
Command line: C:\Windows\system32\wermgr.exe
PID:1968
-
C:\Users\Admin\AppData\Local\OfkVjzV3u\osk.exe
Command line: C:\Users\Admin\AppData\Local\OfkVjzV3u\osk.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2072
-
C:\Users\Admin\AppData\Local\RAlrZ3Bl\wbengine.exe
Command line: C:\Users\Admin\AppData\Local\RAlrZ3Bl\wbengine.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:484
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
215KB
MD5
21c28197eed28d2f1eb788109c306112
SHA1
78d8d650adb474c5527a181d000aaffa553fddba
SHA256
b20e33b2c70b4947769f28ddcbbf8208c76e8857bb8a5bf0c994aebb2f64c80f
SHA512
0514dde9136d9d6b8b00db1d369c5a1b2e3193f5a0bf44c7d3a0a09289e9c834c57419f622900d5e7ce4be9799d5f25d574d912e0945ba4c941c78eeab0c1583
-
Filesize
145KB
MD5
6c321a34180bced0b4beda5c742602e4
SHA1
7cd1145a69fc18f1ac2b2230b099d087c80adf45
SHA256
49f82fd23e80d31719ead0389cc51a3ce31c5ce6299436684bf7dc22921c3d0c
SHA512
4ae976085f0ff2fcc8997b653678bef1b73f84fb1428c98128a63c0e3e4ba585fd0d85d8d94ec939117671aaddcf4e3f2cd2b0544241764a24e7f8561cac5f3c
-
Filesize
207KB
MD5
c7b4b9944cebdbf3ebcd11cbe31988cb
SHA1
09c510dea634ee68f6d946b8b6b8089cf589bcaa
SHA256
ba2244077761c0d6aa1c32c6b1ccf773e95d600f167a51d73ada55c07460a52e
SHA512
50a1b3a399386680202faa95ae409cb5e6fadb504112a79753ee635c14d6c8e82300328a97ea785b17d436e93490efdc9d4629aa6ae229c6e4b06ae71c704e0d
-
Filesize
153KB
MD5
900c1367db60154c3bbbb07342118ab5
SHA1
83e3113daff8086098b5e042788621879a555687
SHA256
2c1965f48c3f0b662a96866fe660ae48f83df8c360f4c070bc527fe5e6513ad6
SHA512
ecc1c3323ce42428a355628441a7f0d8ee652d4395e8005980574b22aba41d1fa1a0a010955af199c54c37a110275a24040ec10ad756c6c308f9a34bfad51979
-
Filesize
35KB
MD5
a729fef85b60ffdef20fd592a09096f3
SHA1
535ebc8438bff63f4fe22cdb29605934ee1bf6df
SHA256
836d40ccc39949118d58c9c7eacac249c047ef484cd510a6e01f731cd2b57e65
SHA512
cf45b9a29c84028f66ba69f6cdc7702888e5b7b74281edd4b0c3e30a4f7e1e42aeb8411b89623f56810b24c430c6e8e5fbf16e4487d12973dac82423bc6962c4
-
Filesize
139KB
MD5
cf73c4d270dfe003038a1780e482725d
SHA1
811d03ec6ae8cfa3b46368ca3e09e683ec65ec78
SHA256
44e8ec7a2f39873d0a37c390a6be17805f9e5ad05f961c2ab10f530404b6f167
SHA512
7340adff2409d12fc94b0d7c7073141d76886f6dc10759d49968a0657c2f5436df4bcf9f9bc17650822f3427c69cf690ad3f8bd59295dca86fc736ff8ef93a2d
-
Filesize
219KB
MD5
8b2479c9554a6abb7193fc2c105f01a2
SHA1
b3cb8c6809e6489a4cb4078c0167b21142d47b7f
SHA256
3c4276408edc02892b009ecd9471802bb83641d20193db1a4858ce818914bffb
SHA512
9537626a01e3058331deb1008b218c32da1e9c8aa6da7cef0cbf5e3b9d92922572b74052c783f60d33088ab72a205d9679e469c48269f9d49d82ae737d7a0a57
-
Filesize
311KB
MD5
395af89ad7ef78c034a3c32f1db8e609
SHA1
2b9577cecbbd6ccc34822fff8dd5924e74793c5b
SHA256
bf4d0d80ca13fd03ba1fed089a688f391399c8452d1ea9aa9e91dbb3eb986d56
SHA512
b39fa47021e50d0467fa6f4544609bac0108cbc86ab71ed9cf580b21554c50955e5f03bbb24c16e5c7293ced5a31df38ab9b4cf1638f1190ea229964d9b80382
-
Filesize
173KB
MD5
e64fb2ee507ba8ee8990022464e2f0c4
SHA1
09b009ede447aea0ada55ff24acbabe6afd26143
SHA256
136b0279adb053f8418e25a1eaf63023d85645e1edcdf9b50a016d00a8c15845
SHA512
591b9a9a0466bf5163007a75b79683de15a71c0fcbcad308a64f28029b0c71fa8491b844d34461dd499bfe757cfdd07334c8c0d125c97452c64609450c3704a5
-
Filesize
182KB
MD5
81f89616aebce00d18d4c1f47356b888
SHA1
4d39f1e251aabd805d0e8945d908517390eab859
SHA256
21ba026219c7142f909184f2d73e777f597e85424c4599f91e118cdb828da8fa
SHA512
542ebe34e345c44c76471f1eda330d507d9a735a3f143950b652cb62015b96376833366baba2c8fa3136a0ce92d2f18d6fb16fc6e852f8c0f5265e774eb79f51
-
Filesize
88KB
MD5
ca02e312be7aaedfc0fa0b818098f7c7
SHA1
a5b2554b7d7fa017af7a3df88d4f351f2ce9589b
SHA256
f7f78ab6499e6c873bc1328defb8d9e4aa5bc79c893bfff4d78fccbbad813b2d
SHA512
fb0bc469014c20c3bef8191a5938483d335e7036e22c29627243cd70f3275d407046bba0d33b5f3e0dd103b525e6b8a44d77d28d354bc6de7c5b26bd714d85e1
-
Filesize
223KB
MD5
f7991343cf02ed92cb59f394e8b89f1f
SHA1
573ad9af63a6a0ab9b209ece518fd582b54cfef5
SHA256
1c09759dcd31fdc81bcd6685438d7efb34e0229f1096bfd57d41ecfe614d07dc
SHA512
fa3cf314100f5340c7d0f6a70632a308fcadb4b48785753310a053a510169979a89637b8b4fedf4d3690db6b8b55146e323cad70d704c4e2ede4edff5284237d
-
Filesize
1.7MB
MD5
109c9392cc6c3aaa2aaa0b13ff32f4f3
SHA1
732696b9d12d0b491c1f6d4f9bf8e5738212c7c9
SHA256
6f7b8abea170e0180a80fa3bea1f42f91b22b9a820fc66558bf64d27d35e358e
SHA512
173ca3346f77c775e66d93fb4b78923d9547b8fc82c0e0ac854b18b53b85472199e67e4102838dde15f8eba879b702baebc44aecce8a7b867a20d0d6425c5c21
-
Filesize
1KB
MD5
0c5ff9fb2c7b0191974f47218bd4265e
SHA1
89d46132f7264bf509fbe6f089764ef8ddd6703b
SHA256
1086f843ce9b1b3b3c08d4bace531d1b3694153d44dc3e2191c5aa582e37e095
SHA512
7378bea77ab32d63408ea62730f1608fa765c60039df4d56cf642110083dde885e34ffeffaa1043b9dc0934648cc6022bd64d4c14e9bcee6faea2a0499084022
-
Filesize
1.7MB
MD5
620b881007161068583a2699acf62320
SHA1
44eb1fbd44bcedad9fb8c2e54f26d54b7af8d1ec
SHA256
13c3a514f14d138548009784696a1f64761550e5282bfa90df42c17e075a2153
SHA512
33617be43680fe15a594fca7e40d81bc5ac7d2ad99a7c334db96dec583f04ce5eb48ad4d13e803ff330f76eaace9ed16872286a50a1bed4d8aedb549bc3854f6
-
Filesize
1.7MB
MD5
da5939c641d372eb07d0322b038782e5
SHA1
2c4d063ec73c1f85ce1e3e2409227478e66251d1
SHA256
711ea12c6200dd07c33646ffe13dc7f4d79a6a9e2f65d7cd43752b5a3f518674
SHA512
d854c934b426c85710823489a845256e296f84b626d6a2c6cef4d5c370af65f46d281d6e93ea4f4267319d903487450f09613b89b1eddd50d806ecfc7c742bf9