Analysis
max time kernel: 138s
max time network: 132s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-12-2023 15:47

Static task: static1
Behavioral task: behavioral1
Sample: e07278c27ec90b3d8fc7500d8180f0a8.dll
Resource: win7-20231215-en
General
Target: e07278c27ec90b3d8fc7500d8180f0a8.dll
Size: 2.2MB
MD5: e07278c27ec90b3d8fc7500d8180f0a8
SHA1: 2182eb858155c58ed16cab5d023fe4fde762a6be
SHA256: ea2fba4b7d64dc7c14d8b7e2bbb4f2333976b93c5f6d32310925eda10593ca72
SHA512: 73b7d147fb8242d641315bf6e8f5824738dad17356ec8245b38754fd190f174278fdf69f1326a7f7e819de3aeebdbf563bbbf4a0e27ba461ceb8170d4a7cd8db
SSDEEP: 12288:bVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:6fP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
YARA rule match
  resource   behavioral2/memory/3468-5-0x0000000002F60000-0x0000000002F61000-memory.dmp
  yara_rule  dridex_stager_shellcode
Executes dropped EXE 3 IoCs
  pid   Process
  680   EaseOfAccessDialog.exe
  5000  mfpmp.exe
  1704  BitLockerWizard.exe
Loads dropped DLL 3 IoCs
  pid   Process
  680   EaseOfAccessDialog.exe
  5000  mfpmp.exe
  1704  BitLockerWizard.exe
Adds Run key to start application 2 TTPs 1 IoCs
  description  Set value (str)
  ioc          \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tgnmvdx = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\JQSjJGf3IE5\\mfpmp.exe"
Checks whether UAC is enabled
  description        ioc                                                                                   Process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  mfpmp.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  BitLockerWizard.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  EaseOfAccessDialog.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
  pid   Process
  4616  rundll32.exe  (4 entries)
  3468                (remaining 60 entries; process name blank in the report)
Suspicious use of FindShellTrayWindow 3 IoCs
  pid 3468  (3 entries; process name blank in the report)
Suspicious use of SendNotifyMessage 3 IoCs
  pid 3468  (3 entries; process name blank in the report)
Suspicious use of UnmapMainImage 1 IoCs
  pid 3468  (process name blank in the report)
Suspicious use of WriteProcessMemory 12 IoCs
  description                        pid   procid_target
  PID 3468 wrote to memory of 4592   3468  90
  PID 3468 wrote to memory of 4592   3468  90
  PID 3468 wrote to memory of 680    3468  89
  PID 3468 wrote to memory of 680    3468  89
  PID 3468 wrote to memory of 2668   3468  94
  PID 3468 wrote to memory of 2668   3468  94
  PID 3468 wrote to memory of 5000   3468  93
  PID 3468 wrote to memory of 5000   3468  93
  PID 3468 wrote to memory of 2936   3468  92
  PID 3468 wrote to memory of 2936   3468  92
  PID 3468 wrote to memory of 1704   3468  91
  PID 3468 wrote to memory of 1704   3468  91
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e07278c27ec90b3d8fc7500d8180f0a8.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID:4616

C:\Users\Admin\AppData\Local\4ELeR\EaseOfAccessDialog.exe
  command line: C:\Users\Admin\AppData\Local\4ELeR\EaseOfAccessDialog.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID:680

C:\Windows\system32\EaseOfAccessDialog.exe
  command line: C:\Windows\system32\EaseOfAccessDialog.exe
  PID:4592

C:\Users\Admin\AppData\Local\H5kfv\BitLockerWizard.exe
  command line: C:\Users\Admin\AppData\Local\H5kfv\BitLockerWizard.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID:1704

C:\Windows\system32\BitLockerWizard.exe
  command line: C:\Windows\system32\BitLockerWizard.exe
  PID:2936

C:\Users\Admin\AppData\Local\3sx2\mfpmp.exe
  command line: C:\Users\Admin\AppData\Local\3sx2\mfpmp.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID:5000

C:\Windows\system32\mfpmp.exe
  command line: C:\Windows\system32\mfpmp.exe
  PID:2668
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 37KB
MD5: 562c480ea39b48543a905fe323451465
SHA1: 9ccf6afedd3faad643bb486cc7f584e92d63f2d3
SHA256: 5f75d8153ec735478e0fd503834eebcc7ec72665288bd9c8d3ca7d172bcc6fbd
SHA512: 97ed785fc4947415c47a23e79b03afea0d8293708abe00f4ae8a39e42f35b29812a476f8ac6307d24bccb359bc5f108473a9e0c9baaa4ba5ee4e07b1e0bfe3f3

Filesize: 57KB
MD5: f38931d6e59ef19136436b64056d6563
SHA1: 92fa053c74d4893066e056a1860165dec28feaa6
SHA256: 30d729771052eda1adc38a040e96ea530c57e5c6236bec62975576fb99e78de4
SHA512: 2274293ce4aa3e267ef8e685e5e916c0ccb9cc1f20334fe303e1e3ba69df4f95e5329b8e2d72c220ff2acdf4a31020f560690c218bdfb74146cac50cb15836b1

Filesize: 41KB
MD5: dde86491fc2c1e8cb0cb7ac6ad771ee6
SHA1: e7c497ee7be00331269a2f8a01ac948f12ece116
SHA256: 08f3aece8bdab8249e02f5c671e11418829e4f28175ee8c14efd115420bf5293
SHA512: 018fd97628c9fe776c1f1b3a4a488000d04b7906bde0f5daec1a6737c8ffe07eeec9317b128d3344850652732849303a3f68088ac696a66117a6d46daad5b68f

Filesize: 34KB
MD5: cd810bb75a4224ea34c4e7bb53ced4e6
SHA1: c6090c486e45ca5491e93e7dbf2f7f3043d3e5f1
SHA256: 21decf4857071ab66fcd046d21389e1a4601d64a0eccb1ef89f36ee4c424d562
SHA512: 3896c8b1802c942126bb649d12df31c992528c4b959ca2f27d86ef5ce9cb2698d2ce6510a0e17dbdd1950b1172cd820392bc9e94ab2074d27db635ff06f9fb43

Filesize: 34KB
MD5: e52b08749fa407e44c37a05f6b542242
SHA1: 68b1f1aa9a70c59172578dcae0e98071601525d1
SHA256: 4387194d62f0710397ae6e4f3f707dc8574957da2625833ce7e4aeac837eed16
SHA512: 00c4af4bac9db9a1c2dcc447990d0cd4bbc80b304c14816522403097935e513bcf07e7f1d37a60f2257dde69b4099f1ced3c53943fc8f6bfcbc68072797646da

Filesize: 26KB
MD5: e8061bcb916dc31651a86ed6181f5e4b
SHA1: 1d59fcaa79cd06c5eae8d16ef36e8b49e16e9d0b
SHA256: d0bade86222ad5685c7b2fb946d23590423e20197c8dd3379325dc0b78910398
SHA512: 055403d382c6df2d3b13e974ae8948229e067dd7412cadcc59eabd7fcae4d1eeee5e50e5c1376d15d22d129c97a7e7005c2cf0cc4dcf77e3dc2327ba38f1f1c7

Filesize: 58KB
MD5: 9722e097b460d7b27896f3cb93d6a703
SHA1: 2daec85a58f5d498cd43e61e61f2464c5acc4e30
SHA256: 24c95de22da6da97dfe5461d9d88092414fc71073f5851c56cf927d0be0b6f0c
SHA512: 6fbb02d23baa4d1926b1c214d946aceb67bd005ea13b75b42ed570eecbe115263fa1808ed3b987197333464457048cfa6c9d3dfbc17ac1f3201fabbb31cd9c36

Filesize: 17KB
MD5: bd67724a7f88fecf8d84d95ea70d5b72
SHA1: 0404399a7a1366219d22216fa62ccc8e084a934b
SHA256: 1cf76594a34fb84dedddeb1a9cddf578a377a3112adf2286669cba278878a287
SHA512: b540e18db9cabe9b0e09fac877aedc3b14a794ed1e7cc4144b9029880e4b97c909641ba5f4fc06e095a7ae52131102754330f91d4e11ea3bab852710ca8da584

Filesize: 39KB
MD5: 620aad971540dce295960abf840c6cb1
SHA1: b9318b585110a9afd14c3aca2e1c554cd42c0ea7
SHA256: 9edf0f094b98b671b6251f20bae45cdd611764c33725bff3af4556f254d56e90
SHA512: daf0a4775de72689dd324189e13e9e0925c3a85eb904cdae03807dbc16c0383a4d91f4766822ef207ba24d5010d2bbd01233f45e148eaef209034a15142e49b1

Filesize: 73KB
MD5: e7fb91ffd9b64c86109fc1701245fc2a
SHA1: 6f285f255ad89bfa6de3dd8c62f856039479396f
SHA256: c84c5a6e46ab73a0f6a6109f571b39a4915beabab8ff5c6683495a35b8259a4b
SHA512: a8f7204080b68a65626468f19d4c784461efda21f97a9846f84c1937c95a786e2e8143abef3b81954f1ee450114387b7ace0e0e0d48ef83a8db2e29d92a46b12

Filesize: 59KB
MD5: 3446992ec608716139eef422cb6312f5
SHA1: c1e1927e341c5118035a94294082aacd582f4244
SHA256: a247284e3fb93ce7d1fce9b11c413550e2be38be0b4ac56d4e63c812ff6767f3
SHA512: 82af6e4d70fbe894d942d10bdb89864562b3c0ec50ad892aa6a177fcc73437c2c718aa4c128e890df5ff647d7c996b6d28f74e774659fe878b6477429b28311d

Filesize: 71KB
MD5: 0c32ee784a254efd2a47dde0c65a3c03
SHA1: 74df1b6a8fcc0f9f135f051e749429002a0ed11c
SHA256: f600f6384570ee0ed42dacdcf0ae2cfeceb78c6b16f24742f0aead5f6608d5e3
SHA512: 8ff947bb7fbc08988d682bfd9a9161ca1ff54a7b9d3ba762c0cf1ab4f0d194d3ad92f053e993b81879c616090e5ff4ead9b82114f2196a0a8f4c09abd1b1443c

Filesize: 1016B
MD5: 18edf0ff7bf7e08e270245b861d9647d
SHA1: 2ffa20eb9943844c2e683675e8242cc0a0c4d742
SHA256: 2531aa273580ada41e3f3aad81c28cefa8cad55723eadf4ddc4c3b150cedee4a
SHA512: edfc02f26a6c198322e124ff760473ada1f736610dd3487f34b2fb0187e1e378a48b8306786d3fa8e290150dc66d0c28eb48f06a60e86271b8a52a01a5952911

MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Filesize: 1KB
MD5: 37531edbe6d2ad4494bb2f957b214221
SHA1: 4d4cfc4c47cf9d4312b005ee3f7279f667be546c
SHA256: 494582d1022c7f6301135af7fb2e00f3301d76f20b11e8241e799530b0fde84f
SHA512: 948caddb9c76f00ccf83181191cfefe6bb8482789f5f47cd474399dd6b4642cf67b39934bdb1511996f529f029cafc4eb0f140670d95c115df71f645003892f7

Filesize: 120KB
MD5: 6aa4fff3f5fa055fca5fcd0a6cee0462
SHA1: 871c07b1ab9f3a65c293778fec4b17fe09ed46c3
SHA256: 5d09126995d4c3f5d0d936fbce926630c71b728f4ed1f36ba03347959ead8b69
SHA512: 4b607ad96bc1071a522f2d6687e04f1db2f52c979cdeaf0512b15fac51c2764db4c8a467d977cbe146e7dc24296194fc7d035609ddb3822b51b95d381bab4b83