Analysis
-
max time kernel
150s
-
max time network
123s
-
platform
windows7_x64
-
resource
win7-20231215-en
-
resource tags
arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted
29-01-2024 01:01
Static task
static1
Behavioral task
behavioral1
Sample
7e7645b86e265b69aed08c4852fe6291.dll
Resource
win7-20231215-en
General
-
Target
7e7645b86e265b69aed08c4852fe6291.dll
-
Size
1.1MB
-
MD5
7e7645b86e265b69aed08c4852fe6291
-
SHA1
0e39986ca509db0826c81ca3693fecb375726dcb
-
SHA256
e0980b4994c3d61ec8c3ab1db13ef837487bd2e209e97a4ad4708211d9d4d712
-
SHA512
2f2f7e96591bf49bec9e3b56f7457ee00ca85bd7812c6de3a27097fdfda3beb9b42467b7e0f11b01036704c635e461bbf3a2f12877f672a7de1af462611b26ff
-
SSDEEP
12288:JkbQEkWqv+157EYfxarhwLNuR7ek1tHffB/HzTyNQ6NIeGYr/RUX/ShJ:JkbHkWfzZ5adwLNGeStHntqN7vaP
Malware Config
Signatures
-
Processes:
resource                                                                    yara_rule
behavioral1/memory/1204-4-0x00000000029C0000-0x00000000029C1000-memory.dmp  dridex_stager_shellcode
Processes:
resource                                                                     yara_rule
behavioral1/memory/1944-0-0x000007FEF6080000-0x000007FEF6199000-memory.dmp   dridex_payload
behavioral1/memory/1204-20-0x0000000140000000-0x0000000140119000-memory.dmp  dridex_payload
behavioral1/memory/1204-27-0x0000000140000000-0x0000000140119000-memory.dmp  dridex_payload
behavioral1/memory/1204-38-0x0000000140000000-0x0000000140119000-memory.dmp  dridex_payload
behavioral1/memory/1204-40-0x0000000140000000-0x0000000140119000-memory.dmp  dridex_payload
behavioral1/memory/1944-41-0x000007FEF6080000-0x000007FEF6199000-memory.dmp  dridex_payload
behavioral1/memory/2660-55-0x000007FEF6860000-0x000007FEF697A000-memory.dmp  dridex_payload
behavioral1/memory/2660-60-0x000007FEF6860000-0x000007FEF697A000-memory.dmp  dridex_payload
behavioral1/memory/2792-73-0x000007FEF6080000-0x000007FEF619A000-memory.dmp  dridex_payload
behavioral1/memory/2792-77-0x000007FEF6080000-0x000007FEF619A000-memory.dmp  dridex_payload
behavioral1/memory/1648-94-0x000007FEF6080000-0x000007FEF619A000-memory.dmp  dridex_payload
Executes dropped EXE 3 IoCs
Processes:
pid   process
2660  mblctr.exe
2792  OptionalFeatures.exe
1648  UI0Detect.exe
Loads dropped DLL 7 IoCs
Processes:
pid   process
1204
2660  mblctr.exe
1204
2792  OptionalFeatures.exe
1204
1648  UI0Detect.exe
1204
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\Pfoxtyecp = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1268429524-3929314613-1992311491-1000\\0wl\\OptionalFeatures.exe"
Processes:
description        ioc                                                                                  process
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  UI0Detect.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  mblctr.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  OptionalFeatures.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid   process
1944  rundll32.exe   (3 identical entries)
1204                 (remaining 61 entries, process name not recorded in the report)
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
description                        pid   process  target process
PID 1204 wrote to memory of 2600   1204           mblctr.exe            (3 identical entries)
PID 1204 wrote to memory of 2660   1204           mblctr.exe            (3 identical entries)
PID 1204 wrote to memory of 2912   1204           OptionalFeatures.exe  (3 identical entries)
PID 1204 wrote to memory of 2792   1204           OptionalFeatures.exe  (3 identical entries)
PID 1204 wrote to memory of 1984   1204           UI0Detect.exe         (3 identical entries)
PID 1204 wrote to memory of 1648   1204           UI0Detect.exe         (3 identical entries)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\rundll32.exe
Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\7e7645b86e265b69aed08c4852fe6291.dll,#1
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1944
-
C:\Windows\system32\mblctr.exe
Command line: C:\Windows\system32\mblctr.exe
PID:2600
-
C:\Users\Admin\AppData\Local\E7jLd\mblctr.exe
Command line: C:\Users\Admin\AppData\Local\E7jLd\mblctr.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2660
-
C:\Windows\system32\OptionalFeatures.exe
Command line: C:\Windows\system32\OptionalFeatures.exe
PID:2912
-
C:\Users\Admin\AppData\Local\sBUME\OptionalFeatures.exe
Command line: C:\Users\Admin\AppData\Local\sBUME\OptionalFeatures.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2792
-
C:\Windows\system32\UI0Detect.exe
Command line: C:\Windows\system32\UI0Detect.exe
PID:1984
-
C:\Users\Admin\AppData\Local\MU2iq\UI0Detect.exe
Command line: C:\Users\Admin\AppData\Local\MU2iq\UI0Detect.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1648
Network
MITRE ATT&CK Enterprise v15
Downloads