Analysis
max time kernel: 150s
max time network: 120s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64 arch:x86 image:win7-20231215-en locale:en-us os:windows7-x64 system
submitted: 28-01-2024 20:58
Static task: static1
Behavioral task: behavioral1
Sample: 7dfc5de3055bae2c2056b13cdd47a090.dll
Resource: win7-20231215-en
General
Target: 7dfc5de3055bae2c2056b13cdd47a090.dll
Size: 1.7MB
MD5: 7dfc5de3055bae2c2056b13cdd47a090
SHA1: 51978d2febcabd2e969a15e71da3d4b572a2053d
SHA256: d95cc0433afb03437c023c244ea84af4d4adb9e3f99de177b77f27dde047399e
SHA512: d8810393576a5e82348cb00d700ad8a2731a2ef8029db264a2739dde9cd85f334a1508f53b604f4fe90d44ba88915bf48d94bd9a4466da4efd21ced49c64cde0
SSDEEP: 12288:vVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:GfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
Processes:
resource                                                                     yara_rule
behavioral1/memory/1208-5-0x0000000002C90000-0x0000000002C91000-memory.dmp   dridex_stager_shellcode
Executes dropped EXE 3 IoCs
Processes:
pid    process
2652   slui.exe
2792   isoburn.exe
2168   RDVGHelper.exe
Loads dropped DLL 7 IoCs
Processes:
pid    process
1208
2652   slui.exe
1208
2792   isoburn.exe
1208
2168   RDVGHelper.exe
1208
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description        ioc                                                                                                                                      process
Set value (str)    \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\Xkgbzoakajt = "C:\\Users\\Admin\\AppData\\Roaming\\MACROM~1\\FLASHP~1\\MACROM~1.COM\\support\\YK1MFK~1\\isoburn.exe"
Checks whether UAC is enabled 4 IoCs
Processes:
description          ioc                                                                              process
Key value queried    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA    RDVGHelper.exe
Key value queried    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA    rundll32.exe
Key value queried    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA    slui.exe
Key value queried    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA    isoburn.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid    process
2012   rundll32.exe (3 entries)
1208   (remaining entries, no image name recorded)
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
description                         pid    process   target process
PID 1208 wrote to memory of 2588    1208             slui.exe         (3 entries)
PID 1208 wrote to memory of 2652    1208             slui.exe         (3 entries)
PID 1208 wrote to memory of 2676    1208             isoburn.exe      (3 entries)
PID 1208 wrote to memory of 2792    1208             isoburn.exe      (3 entries)
PID 1208 wrote to memory of 3048    1208             RDVGHelper.exe   (3 entries)
PID 1208 wrote to memory of 2168    1208             RDVGHelper.exe   (3 entries)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\7dfc5de3055bae2c2056b13cdd47a090.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID: 2012

C:\Windows\system32\slui.exe
  C:\Windows\system32\slui.exe
  PID: 2588

C:\Users\Admin\AppData\Local\56dWecyrk\slui.exe
  C:\Users\Admin\AppData\Local\56dWecyrk\slui.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 2652

C:\Windows\system32\isoburn.exe
  C:\Windows\system32\isoburn.exe
  PID: 2676

C:\Users\Admin\AppData\Local\WO6eRUK4\isoburn.exe
  C:\Users\Admin\AppData\Local\WO6eRUK4\isoburn.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 2792

C:\Windows\system32\RDVGHelper.exe
  C:\Windows\system32\RDVGHelper.exe
  PID: 3048

C:\Users\Admin\AppData\Local\Qwp\RDVGHelper.exe
  C:\Users\Admin\AppData\Local\Qwp\RDVGHelper.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 2168
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\Yk1mFKxt3i\UxTheme.dll