Analysis

max time kernel: 150s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-01-2024 20:58

Static task: static1
Behavioral task: behavioral1
Sample: 7dfc5de3055bae2c2056b13cdd47a090.dll
Resource: win7-20231215-en
General

Target: 7dfc5de3055bae2c2056b13cdd47a090.dll
Size: 1.7MB
MD5: 7dfc5de3055bae2c2056b13cdd47a090
SHA1: 51978d2febcabd2e969a15e71da3d4b572a2053d
SHA256: d95cc0433afb03437c023c244ea84af4d4adb9e3f99de177b77f27dde047399e
SHA512: d8810393576a5e82348cb00d700ad8a2731a2ef8029db264a2739dde9cd85f334a1508f53b604f4fe90d44ba88915bf48d94bd9a4466da4efd21ced49c64cde0
SSDEEP: 12288:vVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:GfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config

Signatures

YARA rule match
Processes:
resource | yara_rule
behavioral2/memory/3532-4-0x0000000003380000-0x0000000003381000-memory.dmp | dridex_stager_shellcode
Executes dropped EXE 3 IoCs
Processes:
pid | process
3752 | CustomShellHost.exe
4656 | sdclt.exe
4664 | AtBroker.exe

Loads dropped DLL 3 IoCs
Processes:
pid | process
3752 | CustomShellHost.exe
4656 | sdclt.exe
4664 | AtBroker.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gdfgjdhwrlpouj = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\PRINTE~1\\QbXMe\\sdclt.exe" | (blank in report)
Checks whether UAC is enabled 4 IoCs
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sdclt.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | AtBroker.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | CustomShellHost.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process
3216 | rundll32.exe (4 entries)
3532 | (image name not recorded in the report) (remaining 60 entries)
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
description | pid | process | target process
PID 3532 wrote to memory of 1332 | 3532 | (blank in report) | CustomShellHost.exe (2 entries)
PID 3532 wrote to memory of 3752 | 3532 | (blank in report) | CustomShellHost.exe (2 entries)
PID 3532 wrote to memory of 3764 | 3532 | (blank in report) | sdclt.exe (2 entries)
PID 3532 wrote to memory of 4656 | 3532 | (blank in report) | sdclt.exe (2 entries)
PID 3532 wrote to memory of 2332 | 3532 | (blank in report) | AtBroker.exe (2 entries)
PID 3532 wrote to memory of 4664 | 3532 | (blank in report) | AtBroker.exe (2 entries)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\7dfc5de3055bae2c2056b13cdd47a090.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID: 3216

C:\Windows\system32\CustomShellHost.exe
  Command line: C:\Windows\system32\CustomShellHost.exe
  PID: 1332

C:\Users\Admin\AppData\Local\Qk9\CustomShellHost.exe
  Command line: C:\Users\Admin\AppData\Local\Qk9\CustomShellHost.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 3752

C:\Windows\system32\sdclt.exe
  Command line: C:\Windows\system32\sdclt.exe
  PID: 3764

C:\Users\Admin\AppData\Local\i5h54\sdclt.exe
  Command line: C:\Users\Admin\AppData\Local\i5h54\sdclt.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 4656

C:\Windows\system32\AtBroker.exe
  Command line: C:\Windows\system32\AtBroker.exe
  PID: 2332

C:\Users\Admin\AppData\Local\3tl\AtBroker.exe
  Command line: C:\Users\Admin\AppData\Local\3tl\AtBroker.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 4664
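The process tree above shows three pairs: a genuine System32 binary (PIDs 1332, 3764, 2332) and a same-named copy of it started from a randomly named folder under %LOCALAPPDATA% (PIDs 3752, 4656, 4664), each copy tagged "Executes dropped EXE" and "Loads dropped DLL". Together with the Run value that points at an 8.3 short-name path (MICROS~1\...\PRINTE~1\QbXMe\sdclt.exe), these are the observables a detection engineer would key on. Note that the first entry, rundll32.exe loading the sample by ordinal (",#1"), is how the sandbox launches a DLL submission, so that exact command line reflects the analysis harness rather than delivery in the wild. The following Python is an added example, not part of the report or of any sandbox tooling: it runs three rules over constructed Sysmon-style events whose paths, PIDs and Run value are copied from the report. The System32 name baseline, the rule identifiers, the benign OneDrive control event and the PID 0 placeholder on the registry event (the report leaves the setting process blank) are assumptions made for the example.

```python
"""Detection logic for the behaviours in this report, run over constructed
Sysmon-style events (EventID 1 = process create, 13 = registry value set).
Paths and PIDs below are copied from the report; the events themselves are
constructed here, not sandbox output."""
import re

# Baseline of image names that belong in System32. Built here from the four
# names in the report; in production populate it from a clean host's
# C:\Windows\System32\*.exe listing.
SYSTEM32_BASELINE = {"customshellhost.exe", "sdclt.exe", "atbroker.exe", "rundll32.exe"}
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\", re.I)
USER_WRITABLE_RE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.I)
SHORTNAME_RE = re.compile(r"~\d")  # 8.3 component such as MICROS~1 or PRINTE~1
RUNDLL32_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?)"?\s*,\s*#(?P<ord>\d+)', re.I)


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def _dirname(path):
    return path.rsplit("\\", 1)[0].lower() + "\\"


def check_process(ev):
    """Return (rule, detail) pairs for one process-creation event."""
    hits = []
    image, cmdline = ev["Image"], ev.get("CommandLine", "")
    name = _basename(image)
    # Rule 1: a System32 binary name running from a directory that is not
    # System32/SysWOW64. In this report: CustomShellHost.exe, sdclt.exe and
    # AtBroker.exe launched from %LOCALAPPDATA%\<random>\ and loading a dropped DLL.
    if name in SYSTEM32_BASELINE and not _dirname(image).startswith(TRUSTED_DIRS):
        hits.append(("SYS_BIN_OUTSIDE_SYSTEM32", f"{name} executed from {image}"))
    # Rule 2: rundll32 invoking an export by ordinal (",#N") from a DLL under a
    # user profile path, as in the report's first process entry.
    m = RUNDLL32_RE.search(cmdline)
    if m and USER_WRITABLE_RE.search(m.group("dll")):
        hits.append(("RUNDLL32_ORDINAL_USER_PATH",
                     f"ordinal #{m.group('ord')} of {m.group('dll')}"))
    return hits


def check_registry(ev):
    """Return (rule, detail) pairs for one registry value-set event."""
    hits = []
    key, data = ev["TargetObject"], ev.get("Details", "")
    # Rule 3: a Run/RunOnce value whose data points under a user's AppData.
    # 8.3 short names (MICROS~1, PRINTE~1) defeat matches on the long folder
    # names, so the short-name marker is reported alongside the hit.
    if RUN_KEY_RE.search(key) and USER_WRITABLE_RE.search(data):
        note = " (8.3 short names in path)" if SHORTNAME_RE.search(data) else ""
        hits.append(("RUN_KEY_USER_WRITABLE", f"{_basename(key)} -> {data}{note}"))
    return hits


def detect(events):
    """Run all rules over a list of events; returns one dict per alert."""
    alerts = []
    for ev in events:
        if ev["EventID"] == 1:
            hits = check_process(ev)
        elif ev["EventID"] in (12, 13, 14):
            hits = check_registry(ev)
        else:
            hits = []
        alerts.extend({"pid": ev["ProcessId"], "rule": r, "detail": d} for r, d in hits)
    return alerts


# Constructed events. Process paths, PIDs and the Run value are taken from the
# report; the OneDrive entry is a benign control. ProcessId 0 on the registry
# events is a placeholder: the report does not record which process set the value.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 3216, "Image": r"C:\Windows\system32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\7dfc5de3055bae2c2056b13cdd47a090.dll,#1"},
    {"EventID": 1, "ProcessId": 1332, "Image": r"C:\Windows\system32\CustomShellHost.exe",
     "CommandLine": r"C:\Windows\system32\CustomShellHost.exe"},
    {"EventID": 1, "ProcessId": 3752, "Image": r"C:\Users\Admin\AppData\Local\Qk9\CustomShellHost.exe",
     "CommandLine": r"C:\Users\Admin\AppData\Local\Qk9\CustomShellHost.exe"},
    {"EventID": 1, "ProcessId": 4656, "Image": r"C:\Users\Admin\AppData\Local\i5h54\sdclt.exe",
     "CommandLine": r"C:\Users\Admin\AppData\Local\i5h54\sdclt.exe"},
    {"EventID": 1, "ProcessId": 4664, "Image": r"C:\Users\Admin\AppData\Local\3tl\AtBroker.exe",
     "CommandLine": r"C:\Users\Admin\AppData\Local\3tl\AtBroker.exe"},
    {"EventID": 13, "ProcessId": 0,
     "TargetObject": r"HKU\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gdfgjdhwrlpouj",
     "Details": r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\PRINTE~1\QbXMe\sdclt.exe"},
    {"EventID": 13, "ProcessId": 0,
     "TargetObject": r"HKU\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"pid={a['pid']:<5} {a['rule']:<28} {a['detail']}")
```

Run against the constructed events, rule 1 fires on the three %LOCALAPPDATA% copies and stays silent on the System32 originals, rule 2 fires on the rundll32 line, and rule 3 fires on the Gdfgjdhwrlpouj value but not on the OneDrive control. In production the baseline must come from a real System32 listing, and rule 1 will need an allow-list for installers that legitimately stage copies of Windows binaries under user profiles; the 8.3 note is there because a match written against the long name "Printer Shortcuts" would never see MICROS~1\Windows\PRINTE~1.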
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 90KB
MD5: 30076e434a015bdf4c136e09351882cc
SHA1: 584c958a35e23083a0861421357405afd26d9a0c
SHA256: ae7b1e298a6e38f0a3428151bfc5565ede50a8d98dafaa147b13cf89c61f2ddd
SHA512: 675e310c2455acf9220735f34fa527afe87dac691e89cc0edc3c4659147e9fd223f96b7a3beea532047aa0ebc58880a7010343019a50aa73ce69a038e3592024

Filesize: 1.7MB
MD5: 3f62658d9a8e62b732b8b9cb5d2f3272
SHA1: 46bb84a50f367ecde2651ebb0da3dabeb65aed96
SHA256: 760df1abaed86030f23218417ca36cca22982ce4e7459ba197289ad5933edf33
SHA512: c15cc4bab4999a73b1575dac81253a4b348b62c6b7ac57ec643509ec90db16c615eb7ee2aa8e785cce560630e5c9c5a42005f9dceb40631b967a810ce07afc4f

Filesize: 1.3MB
MD5: 7bd3e5a0bad0b0fd6c1633dd3b543ca1
SHA1: 78a528c80ced2c9aebc6a7c2605bfab15c33563d
SHA256: b5a23d3fb74326dbaeea4c127aa3cd7e7ae018725842b70a33f81864f9435b3e
SHA512: c2d23948392d958fd54e32318f98706bf5a2fda9db5cd76131dc17cd10e7bd55f16f1bec0909c32f2e3b0fc9fc1b238c7d490bd1f8e35a8b320c59a2473d12a2

Filesize: 835KB
MD5: 70400e78b71bc8efdd063570428ae531
SHA1: cd86ecd008914fdd0389ac2dc00fe92d87746096
SHA256: 91333f3282a2420359ae9d3adf537688741d21e964f021e2b152ab293447f289
SHA512: 53005dda237fb23af79f54779c74a09835ad4cad3ca7b9dcec80e3793a60dd262f45b910bef96ab9c8e69d0c6990fea6ca5fee85d7f8425db523ae658372959e

Filesize: 1.7MB
MD5: 4fc6488de9e47ed1d300e266f2bb3204
SHA1: 3a99d3bf374914b100a5ecbbb5a6fc7b459c3fb0
SHA256: 53b9194d4fa5520100d9d662d494095f46d7c7959315b840358267f554dae3ef
SHA512: f0f83cfdada877036deceb9c69994c1ef16663ba32bfa91799714b666b1072dc179a32ce365e9ce2397b29925945ff8520f1df5b00dfe6b5b56c62a2ad8977e5

Filesize: 1.2MB
MD5: e09d48f225e7abcab14ebd3b8a9668ec
SHA1: 1c5b9322b51c09a407d182df481609f7cb8c425d
SHA256: efd238ea79b93d07852d39052f1411618c36e7597e8af0966c4a3223f0021dc3
SHA512: 384d606b90c4803e5144b4de24edc537cb22dd59336a18a58d229500ed36aec92c8467cae6d3f326647bd044d8074931da553c7809727fb70227e99c257df0b4

Filesize: 1.7MB
MD5: 55b6042f7ff53d44b98b2c7d0a3f9beb
SHA1: f8ed9656553aa656cf5f17f45776abd26828e2d1
SHA256: 62e532a62acef71066ddb5f451a4a537bd650940e5e4a75ea69eb344ef1844b0
SHA512: ed95d0251144e318a719aa666f4d05d3621f49836c52ccf37875549d0ab2b57d7542d75a49da1ed7413f2e3582cae805b7a72e0633ea7e3df7d928109f5ec553

Filesize: 1KB
MD5: 19cd86f36c13a19cef26997fa7b148e5
SHA1: 3a2a8e04c3cc0ae76afe7365a06c0d8afc20ecd3
SHA256: 3da33f52e037648f7feb453d30d0f7542341b322f130951c6db49bc39696a1dd
SHA512: 951e24497a0c6926cb35a6a544f89ad233d39d720d3f30b286fb767726f71953246eaa46915db73299e73a73e1c94b7a9d7ba4b72940fb35d29f7f14f6173d01