Analysis
- max time kernel: 123s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-12-2023 19:44
- Static task: static1
- Behavioral task: behavioral1
- Sample: 38f8f403c494cd304763615d922a67fb.dll
- Resource: win7-20231129-en
General
- Target: 38f8f403c494cd304763615d922a67fb.dll
- Size: 848KB
- MD5: 38f8f403c494cd304763615d922a67fb
- SHA1: 7706587dd4bc348037452e7833c6cd663111f440
- SHA256: 60df94d0fa102fe714906ec53efafa0308a79d6caf9e8688edc8525123a7b1e3
- SHA512: 8426cb54939bf66bcda1c537ecd0c574d64e548cbf04e03a38f15c670db0300c856a0ea5876b4c551edcdac8d33b266c6dc8f5f00944ffb1bc6fb796537679f8
- SSDEEP: 12288:AkbQEkWqv+157EYfxarhwLNuR7ek1tHffB/HzTyNQ6NIeGYr/R:AkbHkWfzZ5adwLNGeStHntqN7v
Malware Config
Signatures
- Yara rule match in memory dump
  Processes (resource / yara_rule):
  - behavioral2/memory/3528-3-0x0000000002210000-0x0000000002211000-memory.dmp: dridex_stager_shellcode
- Yara rule matches in memory dumps
  Processes (resource / yara_rule):
  - behavioral2/memory/5000-0-0x00007FFFA6030000-0x00007FFFA6104000-memory.dmp: dridex_payload
  - behavioral2/memory/3528-19-0x0000000140000000-0x00000001400D4000-memory.dmp: dridex_payload
  - behavioral2/memory/3528-27-0x0000000140000000-0x00000001400D4000-memory.dmp: dridex_payload
  - behavioral2/memory/3528-38-0x0000000140000000-0x00000001400D4000-memory.dmp: dridex_payload
  - behavioral2/memory/5000-41-0x00007FFFA6030000-0x00007FFFA6104000-memory.dmp: dridex_payload
  - behavioral2/memory/3324-53-0x00007FFF96B90000-0x00007FFF96C65000-memory.dmp: dridex_payload
  - behavioral2/memory/3324-48-0x00007FFF96B90000-0x00007FFF96C65000-memory.dmp: dridex_payload
  - behavioral2/memory/4500-65-0x00007FFF96A00000-0x00007FFF96AD5000-memory.dmp: dridex_payload
  - behavioral2/memory/4500-69-0x00007FFF96A00000-0x00007FFF96AD5000-memory.dmp: dridex_payload
  - behavioral2/memory/2388-85-0x00007FFF96C10000-0x00007FFF96D2A000-memory.dmp: dridex_payload
  - behavioral2/memory/2388-80-0x00007FFF96C10000-0x00007FFF96D2A000-memory.dmp: dridex_payload
- Executes dropped EXE (3 IoCs)
  Processes (pid / process):
  - 3324 BitLockerWizard.exe
  - 4500 EaseOfAccessDialog.exe
  - 2388 SysResetErr.exe
- Loads dropped DLL (3 IoCs)
  Processes (pid / process):
  - 3324 BitLockerWizard.exe
  - 4500 EaseOfAccessDialog.exe
  - 2388 SysResetErr.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description / ioc / process):
  - Set value (str): \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qzenv = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\NETWOR~1\\bKvR\\EASEOF~1.EXE" (process not recorded)
- Checks whether UAC is enabled
  Processes (description / ioc / process):
  - Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (SysResetErr.exe)
  - Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (BitLockerWizard.exe)
  - Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (EaseOfAccessDialog.exe)
- Modifies registry class (2 IoCs)
  Processes (description / ioc / process):
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ (process not recorded)
  - Key created: \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ (process not recorded)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid / process):
  - 5000 regsvr32.exe (4 hits)
  - 3528 (process name not recorded; all remaining hits)
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description / pid / process / procid_target):
  - PID 3528 wrote to memory of 1436 (procid_target 99), recorded twice
  - PID 3528 wrote to memory of 3324 (procid_target 98), recorded twice
  - PID 3528 wrote to memory of 3772 (procid_target 100), recorded twice
  - PID 3528 wrote to memory of 4500 (procid_target 101), recorded twice
  - PID 3528 wrote to memory of 4552 (procid_target 102), recorded twice
  - PID 3528 wrote to memory of 2388 (procid_target 103), recorded twice
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\regsvr32.exe
  Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\38f8f403c494cd304763615d922a67fb.dll
  PID: 5000
  - Suspicious behavior: EnumeratesProcesses
- C:\Users\Admin\AppData\Local\ym9AL\BitLockerWizard.exe
  Command line: C:\Users\Admin\AppData\Local\ym9AL\BitLockerWizard.exe
  PID: 3324
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\BitLockerWizard.exe
  Command line: C:\Windows\system32\BitLockerWizard.exe
  PID: 1436
- C:\Windows\system32\EaseOfAccessDialog.exe
  Command line: C:\Windows\system32\EaseOfAccessDialog.exe
  PID: 3772
- C:\Users\Admin\AppData\Local\jPkY0esy4\EaseOfAccessDialog.exe
  Command line: C:\Users\Admin\AppData\Local\jPkY0esy4\EaseOfAccessDialog.exe
  PID: 4500
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\SysResetErr.exe
  Command line: C:\Windows\system32\SysResetErr.exe
  PID: 4552
- C:\Users\Admin\AppData\Local\s1cW\SysResetErr.exe
  Command line: C:\Users\Admin\AppData\Local\s1cW\SysResetErr.exe
  PID: 2388
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
Network
MITRE ATT&CK Enterprise v15
Downloads