Analysis
- max time kernel: 150s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 22-12-2023 15:14

Static task: static1
Behavioral task: behavioral1
- Sample: d5124b4f11f73e615ab6573dc5bb02cf.dll
- Resource: win7-20231215-en
General
- Target: d5124b4f11f73e615ab6573dc5bb02cf.dll
- Size: 1.9MB
- MD5: d5124b4f11f73e615ab6573dc5bb02cf
- SHA1: 8a2f582744a0cdca0d21e40ce81f2ce3067c8bee
- SHA256: 9b64a70112f7e8f285ac2c020036d4fa5d3cc529daf0fbbfefab39630ec50a2b
- SHA512: 889ca16bb6fdd0a1677111c340cf67f29d3b0d305ed5ced6e4a4ed129b1828cc72021b9544b8f545c534671be11034e50d40596a6924ebe024c6cfa800495451
- SSDEEP: 12288:/VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1K:2fP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
- YARA match: dridex_stager_shellcode
  Resource behavioral1/memory/1296-5-0x0000000002950000-0x0000000002951000-memory.dmp matched yara_rule dridex_stager_shellcode
- Executes dropped EXE (3 IoCs)
  Processes (pid, process): 1720 Dxpserver.exe; 3008 dvdupgrd.exe; 1768 BitLockerWizard.exe
- Loads dropped DLL (7 IoCs)
  Processes (pid, process): 1296; 1720 Dxpserver.exe; 1296; 3008 dvdupgrd.exe; 1296; 1768 BitLockerWizard.exe; 1296
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\Fskzoiv = "C:\\Users\\Admin\\AppData\\Roaming\\MACROM~1\\FLASHP~1\\#SHARE~1\\2yB3kZj\\dvdupgrd.exe"
- Checks whether UAC is enabled
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA, by Dxpserver.exe, dvdupgrd.exe and BitLockerWizard.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid, process): 2892 regsvr32.exe (three entries); every remaining entry is PID 1296 (no process name recorded)
- Suspicious use of WriteProcessMemory (18 IoCs)
  PID 1296 wrote to memory of PID 2396 (procid_target 29), 1720 (28), 2760 (30), 3008 (31), 1772 (32) and 1768 (33); each target is recorded three times
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\regsvr32.exe
  Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\d5124b4f11f73e615ab6573dc5bb02cf.dll
  PID: 2892
  - Suspicious behavior: EnumeratesProcesses
- C:\Users\Admin\AppData\Local\23W8pEv0d\Dxpserver.exe
  Command line: C:\Users\Admin\AppData\Local\23W8pEv0d\Dxpserver.exe
  PID: 1720
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\Dxpserver.exe
  Command line: C:\Windows\system32\Dxpserver.exe
  PID: 2396
- C:\Windows\system32\dvdupgrd.exe
  Command line: C:\Windows\system32\dvdupgrd.exe
  PID: 2760
- C:\Users\Admin\AppData\Local\cO4z\dvdupgrd.exe
  Command line: C:\Users\Admin\AppData\Local\cO4z\dvdupgrd.exe
  PID: 3008
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\BitLockerWizard.exe
  Command line: C:\Windows\system32\BitLockerWizard.exe
  PID: 1772
- C:\Users\Admin\AppData\Local\G6zUAd\BitLockerWizard.exe
  Command line: C:\Users\Admin\AppData\Local\G6zUAd\BitLockerWizard.exe
  PID: 1768
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
Downloads
- Dropped file: C:\Users\Admin\AppData\Roaming\Microsoft\Protect\S-1-5-21-452311807-3713411997-1028535425-1000\rnc\FVEWIZ.dll (Filesize: 94KB)