Analysis

- max time kernel: 155s
- max time network: 134s
- platform: windows10_x64
- resource: win10-en-20211014
- submitted: 26-11-2021 09:28

Static task: static1
Behavioral task: behavioral1
Sample: 17f1c7f8add9b69cb52bee6eb8c572c2a482078a91f9cc52710e60c43efbb7d3.dll
Resource: win7-en-20211104
General

- Target: 17f1c7f8add9b69cb52bee6eb8c572c2a482078a91f9cc52710e60c43efbb7d3.dll
- Size: 1MB
- MD5: 5f5c07488e5abf8dfc6e7fe4186c3560
- SHA1: 736fbf758cc7b79f7c67fb6df47ed96fcd5a641d
- SHA256: 17f1c7f8add9b69cb52bee6eb8c572c2a482078a91f9cc52710e60c43efbb7d3
- SHA512: 053d5770731ad4b585dc0efb6251109f4c96e216f9c225780c7c33c46514c748e1fe3b4045cce0dbc6ffb6943662fcb4515fa800fcd9e906675ccb8030f5df4a
Malware Config
Signatures
- YARA rule match (signature name not recorded)
  Processes (resource, yara_rule):
  behavioral2/memory/3040-122-0x0000000000930000-0x0000000000931000-memory.dmp  dridex_stager_shellcode

- Executes dropped EXE (3 IoCs)
  Processes (pid, process):
  3944 BitLockerWizardElev.exe
  1224 CloudStorageWizard.exe
  1908 sigverif.exe

- Loads dropped DLL (3 IoCs)
  Processes (pid, process):
  3944 BitLockerWizardElev.exe
  1224 CloudStorageWizard.exe
  1908 sigverif.exe

- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description, ioc, process):
  Set value (str)  \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\Slqggwbvaxk = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\ftZ\\CloudStorageWizard.exe"  (process not recorded)

- Checks whether UAC is enabled
  Processes (description, ioc, process):
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  sigverif.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  BitLockerWizardElev.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  CloudStorageWizard.exe

- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid, process), in report order with repeated entries collapsed:
  3308 rundll32.exe (4 entries)
  3040 (process name not recorded; many repeated entries)
  3944 BitLockerWizardElev.exe (2 entries)
  3040 (process name not recorded; further repeated entries)

- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes (pid, process):
  3040 (process name not recorded)

- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description, pid, process, target process); each entry is reported twice:
  PID 3040 wrote to memory of 3980  3040  BitLockerWizardElev.exe
  PID 3040 wrote to memory of 3944  3040  BitLockerWizardElev.exe
  PID 3040 wrote to memory of 592   3040  CloudStorageWizard.exe
  PID 3040 wrote to memory of 1224  3040  CloudStorageWizard.exe
  PID 3040 wrote to memory of 1888  3040  sigverif.exe
  PID 3040 wrote to memory of 1908  3040  sigverif.exe
Processes

- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\17f1c7f8add9b69cb52bee6eb8c572c2a482078a91f9cc52710e60c43efbb7d3.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses

- C:\Windows\system32\BitLockerWizardElev.exe
  Command line: C:\Windows\system32\BitLockerWizardElev.exe

- C:\Users\Admin\AppData\Local\1Q0MoMnvL\BitLockerWizardElev.exe
  Command line: C:\Users\Admin\AppData\Local\1Q0MoMnvL\BitLockerWizardElev.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses

- C:\Windows\system32\CloudStorageWizard.exe
  Command line: C:\Windows\system32\CloudStorageWizard.exe

- C:\Users\Admin\AppData\Local\Rlq\CloudStorageWizard.exe
  Command line: C:\Users\Admin\AppData\Local\Rlq\CloudStorageWizard.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled

- C:\Windows\system32\sigverif.exe
  Command line: C:\Windows\system32\sigverif.exe

- C:\Users\Admin\AppData\Local\zok\sigverif.exe
  Command line: C:\Users\Admin\AppData\Local\zok\sigverif.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\1Q0MoMnvL\BitLockerWizardElev.exe
  MD5: 43d63950e411885e21eeb33a7f33dc85
  SHA1: aa5489c400ae898ba8590e7198846ca51d4ae872
  SHA256: 82f381697c3ea8df147de184892751a5c99475617c245b3caece870bb0a5418a
  SHA512: 65b87ecb21289f3ce72f8ea00e877f6023551d4ba5f62e27ac00df7376c1f1d3d612419fac54211a91383b016e03a7f82ac8bc0beaa10262767538dba09423ca

- C:\Users\Admin\AppData\Local\1Q0MoMnvL\FVEWIZ.dll
  MD5: 91a4f815d8434820258973109ad1b1d8
  SHA1: 16986a178590c680b11c408060a6072e2a24e147
  SHA256: 069e068cb913e2134463c99550e4b1bd7e74ad3251adc4536ad254e5efe6f923
  SHA512: 2c69d496e4ac51a1af2b75d0c36e4a371c0c2c323b566b66bad88092dd0bbc58ec8f8adfff4ecf452cfef5825dfd01b99ab32394d523acea1068f449f102365d

- C:\Users\Admin\AppData\Local\Rlq\CloudStorageWizard.exe
  MD5: b11d2d85645265e5fcb9e5a18a775ba6
  SHA1: cd7f2899a6c23d63724cb89db0eb3cd09a879240
  SHA256: be0e80ed36b0b257cf1aebb083934bd8a468ad2535fe5fb3e70c1b7e258143a9
  SHA512: 96835dfab6e2142b21eca1b4ce5744a9aec3b751ca56932a029c54dab5a3099678440100e6b66dcd0b35a56742a59ee0b1b40a46bf8ce22e3d34482cc66ad08a

- C:\Users\Admin\AppData\Local\Rlq\DUI70.dll
  MD5: 48eec21e99f1de2a2426234ff8707662
  SHA1: 4795af2f2425f90b2c5db550d034b651a0d57cf6
  SHA256: 44901828d201f856b0581c7dff7a0a4c9ab3eb18d9ef504e6f4b8c73ca1d8ba7
  SHA512: 56bba3f42863ecb28c7329ecdae986433911dd3225429f903da2e2abaa7fe8201224659cd911f5b9e5918a15030e9d5fb1b0bf03a8ee512256ead5bc728ab52e

- C:\Users\Admin\AppData\Local\zok\VERSION.dll
  MD5: 50dd1d9592319354a84d1ce93cd915d5
  SHA1: 6e342ecb9ae86015eaf3be7aa58ad96dee462f05
  SHA256: 9718eb0651cf334482f3008d2fc79f7f760f93317acc7cbcba47b5dfcb2b7bef
  SHA512: f2cb0208e885c96a9ff566a9d6259459ee4392b9f3f7f542e40ccbd10658c021568a6ffdfa8f3a7218690588952de2766175f76879c00f8528765ca5d7c31f01

- C:\Users\Admin\AppData\Local\zok\sigverif.exe
  MD5: 92f7917624a4349f7b6041d08ae29714
  SHA1: eac68bc72ed4d8634a59a1a37faefa4f8327bd2f
  SHA256: a57403e41c7178403981cd384f6096f12092dee68d3dfbd92f94661f613dfcab
  SHA512: 20eb8366a8285a7d19a8d860038364a625b9b7de5e9d87ed59d2580ab4d5658b6d09d9220f6b0a6291151145373f3e0ff8ac46609c6b4a4aafecc8f2670ac56d

- \Users\Admin\AppData\Local\1Q0MoMnvL\FVEWIZ.dll
  MD5: 91a4f815d8434820258973109ad1b1d8
  SHA1: 16986a178590c680b11c408060a6072e2a24e147
  SHA256: 069e068cb913e2134463c99550e4b1bd7e74ad3251adc4536ad254e5efe6f923
  SHA512: 2c69d496e4ac51a1af2b75d0c36e4a371c0c2c323b566b66bad88092dd0bbc58ec8f8adfff4ecf452cfef5825dfd01b99ab32394d523acea1068f449f102365d

- \Users\Admin\AppData\Local\Rlq\DUI70.dll
  MD5: 48eec21e99f1de2a2426234ff8707662
  SHA1: 4795af2f2425f90b2c5db550d034b651a0d57cf6
  SHA256: 44901828d201f856b0581c7dff7a0a4c9ab3eb18d9ef504e6f4b8c73ca1d8ba7
  SHA512: 56bba3f42863ecb28c7329ecdae986433911dd3225429f903da2e2abaa7fe8201224659cd911f5b9e5918a15030e9d5fb1b0bf03a8ee512256ead5bc728ab52e

- \Users\Admin\AppData\Local\zok\VERSION.dll
  MD5: 50dd1d9592319354a84d1ce93cd915d5
  SHA1: 6e342ecb9ae86015eaf3be7aa58ad96dee462f05
  SHA256: 9718eb0651cf334482f3008d2fc79f7f760f93317acc7cbcba47b5dfcb2b7bef
  SHA512: f2cb0208e885c96a9ff566a9d6259459ee4392b9f3f7f542e40ccbd10658c021568a6ffdfa8f3a7218690588952de2766175f76879c00f8528765ca5d7c31f01
- memory/1224-173-0x0000026B9CD90000-0x0000026B9CD92000-memory.dmp (Filesize: 8KB)
- memory/1224-172-0x0000026B9CD90000-0x0000026B9CD92000-memory.dmp (Filesize: 8KB)
- memory/1224-168-0x00007FFD5D440000-0x00007FFD5D5D5000-memory.dmp (Filesize: 1MB)
- memory/1224-174-0x0000026B9CD90000-0x0000026B9CD92000-memory.dmp (Filesize: 8KB)
- memory/1224-164-0x0000000000000000-mapping.dmp
- memory/1908-175-0x0000000000000000-mapping.dmp
- memory/1908-184-0x000001D1EE7A0000-0x000001D1EE7A2000-memory.dmp (Filesize: 8KB)
- memory/1908-183-0x000001D1EE7A0000-0x000001D1EE7A2000-memory.dmp (Filesize: 8KB)
- memory/1908-185-0x000001D1EE7A0000-0x000001D1EE7A2000-memory.dmp (Filesize: 8KB)
- memory/3040-131-0x0000000140000000-0x000000014014F000-memory.dmp (Filesize: 1MB)
- memory/3040-129-0x0000000140000000-0x000000014014F000-memory.dmp (Filesize: 1MB)
- memory/3040-138-0x0000000140000000-0x000000014014F000-memory.dmp (Filesize: 1MB)
- memory/3040-139-0x0000000140000000-0x000000014014F000-memory.dmp (Filesize: 1MB)
- memory/3040-140-0x0000000140000000-0x000000014014F000-memory.dmp (Filesize: 1MB)
- memory/3040-141-0x0000000140000000-0x000000014014F000-memory.dmp (Filesize: 1MB)
- memory/3040-142-0x0000000140000000-0x000000014014F000-memory.dmp (Filesize: 1MB)
- memory/3040-143-0x0000000140000000-0x000000014014F000-memory.dmp (Filesize: 1MB)
- memory/3040-148-0x0000000000940000-0x0000000000942000-memory.dmp (Filesize: 8KB)
- memory/3040-149-0x0000000000940000-0x0000000000942000-memory.dmp (Filesize: 8KB)
- memory/3040-150-0x00007FFD6B605000-0x00007FFD6B606000-memory.dmp (Filesize: 4KB)
- memory/3040-151-0x0000000000940000-0x0000000000942000-memory.dmp (Filesize: 8KB)
- memory/3040-152-0x00007FFD6B740000-0x00007FFD6B742000-memory.dmp (Filesize: 8KB)
- memory/3040-122-0x0000000000930000-0x0000000000931000-memory.dmp (Filesize: 4KB)
- memory/3040-136-0x0000000140000000-0x000000014014F000-memory.dmp (Filesize: 1MB)
- memory/3040-135-0x0000000140000000-0x000000014014F000-memory.dmp (Filesize: 1MB)
- memory/3040-134-0x0000000140000000-0x000000014014F000-memory.dmp (Filesize: 1MB)
- memory/3040-123-0x0000000140000000-0x000000014014F000-memory.dmp (Filesize: 1MB)
- memory/3040-124-0x0000000140000000-0x000000014014F000-memory.dmp (Filesize: 1MB)
- memory/3040-125-0x0000000140000000-0x000000014014F000-memory.dmp (Filesize: 1MB)
- memory/3040-126-0x0000000140000000-0x000000014014F000-memory.dmp (Filesize: 1MB)
- memory/3040-133-0x0000000140000000-0x000000014014F000-memory.dmp (Filesize: 1MB)
- memory/3040-132-0x0000000140000000-0x000000014014F000-memory.dmp (Filesize: 1MB)
- memory/3040-127-0x0000000140000000-0x000000014014F000-memory.dmp (Filesize: 1MB)
- memory/3040-130-0x0000000140000000-0x000000014014F000-memory.dmp (Filesize: 1MB)
- memory/3040-137-0x0000000140000000-0x000000014014F000-memory.dmp (Filesize: 1MB)
- memory/3040-128-0x0000000140000000-0x000000014014F000-memory.dmp (Filesize: 1MB)
- memory/3308-115-0x00007FFD5D490000-0x00007FFD5D5DF000-memory.dmp (Filesize: 1MB)
- memory/3308-121-0x000002DF52720000-0x000002DF52727000-memory.dmp (Filesize: 28KB)
- memory/3308-120-0x000002DF52730000-0x000002DF52732000-memory.dmp (Filesize: 8KB)
- memory/3308-119-0x000002DF52730000-0x000002DF52732000-memory.dmp (Filesize: 8KB)
- memory/3944-163-0x000001DEA6740000-0x000001DEA6742000-memory.dmp (Filesize: 8KB)
- memory/3944-162-0x000001DEA6740000-0x000001DEA6742000-memory.dmp (Filesize: 8KB)
- memory/3944-161-0x000001DEA6740000-0x000001DEA6742000-memory.dmp (Filesize: 8KB)
- memory/3944-157-0x00007FFD5D490000-0x00007FFD5D5E0000-memory.dmp (Filesize: 1MB)
- memory/3944-153-0x0000000000000000-mapping.dmp