Analysis
- max time kernel: 150s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 02-02-2024 07:20
Static task: static1
Behavioral task: behavioral1
Sample: 88e7c4c98a35a8043d0fb99f1b88898a.dll
Resource: win7-20231215-en
General
- Target: 88e7c4c98a35a8043d0fb99f1b88898a.dll
- Size: 2.7MB
- MD5: 88e7c4c98a35a8043d0fb99f1b88898a
- SHA1: fb320c3b7aad7cad0f10d6430b2a244d4daf6aab
- SHA256: 9af7f7a4d19d0327bdddeff74e7cc37b1eda5272fdf1853d54708c72c28178d1
- SHA512: 5be1d5bf938edc1d1482b0d015ab57dfe8cf812163ac1cb5cb7e02383fa18385c4244dd67e993105faed3b01ad89bf2a83ae3037ef2420cb6de4a88ed2b3085d
- SSDEEP: 12288:dVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:EfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
Processes (resource | yara_rule):
- behavioral1/memory/1248-5-0x0000000002950000-0x0000000002951000-memory.dmp | dridex_stager_shellcode
Executes dropped EXE 3 IoCs
Processes (pid | process):
- 2116 | rdpshell.exe
- 280 | javaws.exe
- 976 | msra.exe
Loads dropped DLL 7 IoCs
Processes (pid | process):
- 1248 |
- 2116 | rdpshell.exe
- 1248 |
- 280 | javaws.exe
- 1248 |
- 976 | msra.exe
- 1248 |
Adds Run key to start application 2 TTPs 1 IoCs
Processes (description | ioc | process):
- Set value (str) | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\Niubkzso = "C:\\Users\\Admin\\AppData\\Roaming\\MEDIAC~1\\IKBQXX~1\\javaws.exe" |
Checks whether UAC is enabled
Processes (description | ioc | process):
- Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe
- Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rdpshell.exe
- Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | javaws.exe
- Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | msra.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (pid | process):
- 2536 | rundll32.exe (3 entries)
- 1248 | (the remaining 61 entries, listed with no process name in the report)
Suspicious use of WriteProcessMemory 18 IoCs
Processes (description | pid | process | target process; each row appears three times in the report):
- PID 1248 wrote to memory of 2436 | 1248 | rdpshell.exe
- PID 1248 wrote to memory of 2116 | 1248 | rdpshell.exe
- PID 1248 wrote to memory of 2268 | 1248 | javaws.exe
- PID 1248 wrote to memory of 280 | 1248 | javaws.exe
- PID 1248 wrote to memory of 780 | 1248 | msra.exe
- PID 1248 wrote to memory of 976 | 1248 | msra.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\88e7c4c98a35a8043d0fb99f1b88898a.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID: 2536
- C:\Windows\system32\rdpshell.exe
  Command line: C:\Windows\system32\rdpshell.exe
  PID: 2436
- C:\Users\Admin\AppData\Local\84PBsYS6r\rdpshell.exe
  Command line: C:\Users\Admin\AppData\Local\84PBsYS6r\rdpshell.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 2116
- C:\Windows\system32\javaws.exe
  Command line: C:\Windows\system32\javaws.exe
  PID: 2268
- C:\Users\Admin\AppData\Local\M9yQGCiq\javaws.exe
  Command line: C:\Users\Admin\AppData\Local\M9yQGCiq\javaws.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 280
- C:\Windows\system32\msra.exe
  Command line: C:\Windows\system32\msra.exe
  PID: 780
- C:\Users\Admin\AppData\Local\XVBg8RN\msra.exe
  Command line: C:\Users\Admin\AppData\Local\XVBg8RN\msra.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 976
Network
MITRE ATT&CK Enterprise v15
Downloads