Analysis
max time kernel: 150s
max time network: 123s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64 arch:x86 image:win7-20231215-en locale:en-us os:windows7-x64 system
submitted: 22-12-2023 16:34

Static task: static1
Behavioral task: behavioral1
Sample: f334c05455a23f89ee06fb59f1b9f77f.dll
Resource: win7-20231215-en

General
Target: f334c05455a23f89ee06fb59f1b9f77f.dll
Size: 3.5MB
MD5: f334c05455a23f89ee06fb59f1b9f77f
SHA1: 33410197fc64415e351f489720b48f0cc6ff401b
SHA256: 0692471fb02d58c1e50832d9f74be4e0a1155b1de0d434d5c4d38f644abe1d79
SHA512: 4c97f8d362f8256c9a2abf0785d96ceb82e451e23533aa007346f88f3f27776bee16c27fc2c76b7d09cb772f9138b1750d651c1cbbba478d8e40b87efcb07e01
SSDEEP: 12288:PVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:mfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
-
Processes:
resource                                                                       yara_rule
behavioral1/memory/1380-5-0x0000000002650000-0x0000000002651000-memory.dmp     dridex_stager_shellcode
Executes dropped EXE 4 IoCs
Processes:
pid    Process
2924   SnippingTool.exe
1956   BitLockerWizard.exe
928    sigverif.exe
1952   dvdupgrd.exe
Loads dropped DLL 9 IoCs
Processes:
pid    Process
1380
2924   SnippingTool.exe
1380
1956   BitLockerWizard.exe
1380
928    sigverif.exe
1380
1952   dvdupgrd.exe
1380
(pid 1380 carries no process name in the report)
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description        ioc                                                                                                              Process
Set value (str)    \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\Zqonzshwxyr = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\QUICKL~1\\USERPI~1\\IMPLIC~1\\uOz\\sigverif.exe"
Checks whether UAC is enabled
Processes:
description          ioc                                                                                    Process
Key value queried    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA    rundll32.exe
Key value queried    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA    SnippingTool.exe
Key value queried    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA    BitLockerWizard.exe
Key value queried    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA    sigverif.exe
Key value queried    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA    dvdupgrd.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid    Process
2424   rundll32.exe        (listed 3 times)
1380                       (listed 61 times; no process name in the report)
Suspicious use of WriteProcessMemory 24 IoCs
Processes:
description                           pid    Process    procid_target
PID 1380 wrote to memory of 2908      1380              28
PID 1380 wrote to memory of 2924      1380              29
PID 1380 wrote to memory of 2964      1380              30
PID 1380 wrote to memory of 1956      1380              31
PID 1380 wrote to memory of 916       1380              32
PID 1380 wrote to memory of 928       1380              33
PID 1380 wrote to memory of 2156      1380              34
PID 1380 wrote to memory of 1952      1380              35
(each row appears 3 times in the report, giving the 24 IoCs; the Process column is empty for pid 1380)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f334c05455a23f89ee06fb59f1b9f77f.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID: 2424
- C:\Windows\system32\SnippingTool.exe
  Command line: C:\Windows\system32\SnippingTool.exe
  PID: 2908
- C:\Users\Admin\AppData\Local\cLsFocb\SnippingTool.exe
  Command line: C:\Users\Admin\AppData\Local\cLsFocb\SnippingTool.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 2924
- C:\Windows\system32\BitLockerWizard.exe
  Command line: C:\Windows\system32\BitLockerWizard.exe
  PID: 2964
- C:\Users\Admin\AppData\Local\QMJ53\BitLockerWizard.exe
  Command line: C:\Users\Admin\AppData\Local\QMJ53\BitLockerWizard.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 1956
- C:\Windows\system32\sigverif.exe
  Command line: C:\Windows\system32\sigverif.exe
  PID: 916
- C:\Users\Admin\AppData\Local\cQIVF7e\sigverif.exe
  Command line: C:\Users\Admin\AppData\Local\cQIVF7e\sigverif.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 928
- C:\Windows\system32\dvdupgrd.exe
  Command line: C:\Windows\system32\dvdupgrd.exe
  PID: 2156
- C:\Users\Admin\AppData\Local\PggLtF\dvdupgrd.exe
  Command line: C:\Users\Admin\AppData\Local\PggLtF\dvdupgrd.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 1952
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 704KB
  MD5: 6bdba44719d3a934ebff5a49d04d6347
  SHA1: b3f29162adaa8eef2617bc4052811523b0c1827e
  SHA256: 8dffb790ce89316311fc9e641e5e22c9007d897c7e6be67fb83c873de7187cd0
  SHA512: 0dcf943f35f988acda9675b9678693f304bd328f3699de3734cb9359d8cff34d94b3ea51c090828e313a66ea16903a36945fef2b67f56982dfd0c76337326841
- Filesize: 3.5MB
  MD5: 65359269f67fb316fe9484ce959d93f0
  SHA1: f8f173bd9a205f69321ea4029cc680488f193cde
  SHA256: 2b909ad13b0bbcda99df41e89c1a6ddce52d5b5d07812a32d22fed0cb79b4d20
  SHA512: 2fa7ca59eee70c98baeec75a85a75810e4362638beb4f9ce63b26d5f9f5948dde4fe9ca536ffd9220af8c59070716e01b1ed1097c9bf41f78e5ba4570d6ac1db
- Filesize: 3.5MB
  MD5: 98a0e73843d805b792047f376a59c7af
  SHA1: c5796f255c566626c2d224795eb7141ae505cade
  SHA256: 7ddc75fec7449869b55a16f2e2b97f273969b5e2a10725200e05b989c181d7e7
  SHA512: cd2e515544c37c15eacd3d61f3d4b8a75dcade984e37728d07832c4323d7bde6f6e425de7bb55b83aea8a058dfef78975d837bc697fbbc8038a69b117579d7f2
- Filesize: 3.5MB
  MD5: f43ff900da2ce28117d76e11440d3df0
  SHA1: b367e84a2b2b157e9b7d8caa55f28f26dd8129c7
  SHA256: e0bde37571c8cd9ce746abd8a3ae82d779f335ca1ae3f1b41c9427574b501fcc
  SHA512: 28c6b77372ad04bdba9ad51ef2b8ad8c6d7911f2f248e1a1c4152d7cdde5c196aa54894c95dcaedae5e0aa0b8cb55f8354de4fab0c154ec05d28a391d6c89edd
- Filesize: 701B
  MD5: d154c9b0d95c903fe7fe0299b2cd8bb2
  SHA1: aeb7f4642fefcad87f18b82587c3f7e0209f113a
  SHA256: bf66068f324347f8e61c489c4680269a9ad2cfea418521f88d1181aa170beeaa
  SHA512: d650d105deb1ba3cfc604c02dc693f57c007f0c87ef9385333c8b08588fdfd0f7e4dc2e323eb0ddf8aa67e941c6048ae7f47d9d67f410395f38a610e081fe1eb
- Filesize: 3.5MB
  MD5: aaaebd5837f2d85091c81431c9bbabe8
  SHA1: 508b5b793f71cacd6924968fc65f270c59d5119f
  SHA256: 18b029ec15649417b76ae923b40dca7e21a02ad2bb28b4ce7a6332596574b2e4
  SHA512: 3e2e96889f530d6b1515b9d50e079a8dd2b280b1b1e1c5036e706f2597f7a30a45002c230a5a9c38bd15a0caa18b35acd02247ed631ccd1f2942834ce05bb25a
- Filesize: 25KB
  MD5: 75a9b4172eac01d9648c6d2133af952f
  SHA1: 63c7e1af762d2b584e9cc841e8b0100f2a482b81
  SHA256: 18f9f520c7157023b0e7dfe7433a63c4dedd47b04d24aac4038b795893050736
  SHA512: 5a7a2c7f184efd9c84256a1a0a5e7aeb95432d63a567196be54e7a9437a5ada9b922983c5fc0cafb16eab4493665d8e56e2f646f9f6a2d6179986925ffcdf769
- Filesize: 98KB
  MD5: 08a761595ad21d152db2417d6fdb239a
  SHA1: d84c1bc2e8c9afce9fb79916df9bca169f93a936
  SHA256: ec0b9e5f29a43f9db44fa76b85701058f26776ab974044c1d4741591b74d0620
  SHA512: 8b07828e9c0edf09277f89294b8e1a54816f6f3d1fe132b3eb70370b81feb82d056ec31566793bd6f451725f79c3b4aeedb15a83216115e00943e0c19cab37c9
- Filesize: 421KB
  MD5: 7633f554eeafde7f144b41c2fcaf5f63
  SHA1: 44497c3d6fada0066598a6170b90c53e28ddf96c
  SHA256: 890884c7fe7d037e6debd21d1877e9c9c5e7790cdba007ddb219ae6a55667f78
  SHA512: 7b61b6736c2c4f49d80f53c839914ad845f86a7d921fee1557e49aa7b4e9713e3483417d6c717eca155229bb6a90fc2253e1543cf05192aaf08262dc761fa203
- Filesize: 73KB
  MD5: e8e95ae5534553fc055051cee99a7f55
  SHA1: 4e0f668849fd546edd083d5981ed685d02a68df4
  SHA256: 9e107fd99892d08b15c223ac17c49af75a4cbca41b5e939bb91c9dca9f0d0bec
  SHA512: 5d3c32d136a264b6d2cfba4602e4d8f75e55ba0e199e0e81d7a515c34d8b9237db29647c10ab79081173010ff8e2c6a59b652c0a9cfa796433aed2d200f02da6