Analysis

max time kernel: 151s
max time network: 124s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 29-12-2023 22:21

Static task: static1
Behavioral task: behavioral1
Sample: 057bb2ade128476e59bac8ad60086d9e.dll
Resource: win7-20231215-en
General

Target: 057bb2ade128476e59bac8ad60086d9e.dll
Size: 3.2MB
MD5: 057bb2ade128476e59bac8ad60086d9e
SHA1: 63c16b30db7718bc853802ede3e3d3f8563f7a5c
SHA256: 2fd1f1b0c7fb142aa3c4e81bedb7e6722acede96384123b60c86b2dca501b50a
SHA512: 3bbeba9f3ceae53a739e2689be4cb57cea9f96ee2aeb61ee3f118d3963fcfea082c05f0a1c162887a554c4b2289a4766fb6b9e8b14cc6911ad07a036429a6d61
SSDEEP: 12288:7VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:afP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config

Signatures

- YARA match in process memory
  resource: behavioral1/memory/1200-5-0x00000000029F0000-0x00000000029F1000-memory.dmp
  yara_rule: dridex_stager_shellcode
- Drops startup file 3 IoCs
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\auAD8i
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\auAD8i\FVEWIZ.dll
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\auAD8i\BitLockerWizardElev.exe
- Executes dropped EXE 3 IoCs
  PID 2968 osk.exe
  PID 108 BitLockerWizardElev.exe
  PID 2984 msconfig.exe
- Loads dropped DLL 7 IoCs
  PID 1200 (process name not given on the page)
  PID 2968 osk.exe
  PID 1200
  PID 108 BitLockerWizardElev.exe
  PID 1200
  PID 2984 msconfig.exe
  PID 1200
- Adds Run key to start application 2 TTPs 1 IoCs
  Set value (str): \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\Niubkzso = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\Startup\\auAD8i\\BITLOC~1.EXE"
- Checks whether UAC is enabled
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA by BitLockerWizardElev.exe
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA by msconfig.exe
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA by rundll32.exe
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA by osk.exe
- Suspicious behavior: EnumeratesProcesses 64 IoCs
  PID 816 rundll32.exe (3 entries)
  PID 1200 (all remaining entries; process name not given on the page)
- Suspicious use of WriteProcessMemory 18 IoCs
  PID 1200 wrote to memory of 1484 (procid_target 28), 3 entries
  PID 1200 wrote to memory of 2968 (procid_target 29), 3 entries
  PID 1200 wrote to memory of 2944 (procid_target 32), 3 entries
  PID 1200 wrote to memory of 108 (procid_target 33), 3 entries
  PID 1200 wrote to memory of 1696 (procid_target 34), 3 entries
  PID 1200 wrote to memory of 2984 (procid_target 35), 3 entries
- Uses Task Scheduler COM API 1 TTPs
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

- C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\057bb2ade128476e59bac8ad60086d9e.dll,#1
  PID: 816
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses

- C:\Windows\system32\osk.exe
  command line: C:\Windows\system32\osk.exe
  PID: 1484

- C:\Users\Admin\AppData\Local\vKXB2V1Za\osk.exe
  command line: C:\Users\Admin\AppData\Local\vKXB2V1Za\osk.exe
  PID: 2968
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled

- C:\Windows\system32\BitLockerWizardElev.exe
  command line: C:\Windows\system32\BitLockerWizardElev.exe
  PID: 2944

- C:\Users\Admin\AppData\Local\2jZyUH\BitLockerWizardElev.exe
  command line: C:\Users\Admin\AppData\Local\2jZyUH\BitLockerWizardElev.exe
  PID: 108
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled

- C:\Windows\system32\msconfig.exe
  command line: C:\Windows\system32\msconfig.exe
  PID: 1696

- C:\Users\Admin\AppData\Local\PFWHWG8\msconfig.exe
  command line: C:\Users\Admin\AppData\Local\PFWHWG8\msconfig.exe
  PID: 2984
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
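What the tree and signatures above show, read together: each of osk.exe, BitLockerWizardElev.exe and msconfig.exe is started once from System32 and once from a randomly named directory under AppData\Local, and only the AppData copies are flagged for executing a dropped EXE and loading a dropped DLL. PID 1200, the process whose memory matched dridex_stager_shellcode and which wrote to all six of those processes, does not appear in the tree at all. The Run value points at a second copy of BitLockerWizardElev.exe in the Startup folder, next to FVEWIZ.dll, and is written with 8.3 short names. The following is an added detection example, not part of the sandbox output: it takes process, dropped-file and Run-key records constructed from this report (the field names, helper names and the sample records are assumptions of the example, not sandbox APIs) and flags the relocated system binaries, the EXE/DLL pair dropped beside each other, and the suspicious properties of the Run value.

```python
"""Added example (not part of the sandbox output): detection logic for the
pattern in the report above. Events, dropped files and the Run key below are
constructed from the report's process tree and IoCs; field names and helper
names are assumptions of this example."""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass

# Directories a signed Windows binary is expected to run from.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)
SHORT_NAME_RE = re.compile(r"~\d+")  # an 8.3 path component such as MICROS~1


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    image: str  # full image path as the sandbox logged it


def norm(path: str) -> str:
    """Case-fold and normalise a Windows path (ntpath works on any host OS)."""
    return ntpath.normpath(path).lower()


def in_system_dir(image: str) -> bool:
    return ntpath.dirname(norm(image)) in SYSTEM_DIRS


def system_names(events: list[ProcessEvent]) -> set[str]:
    """Basenames of images that ran from System32/SysWOW64 in this trace.
    Taking the names from the trace itself, rather than a fixed allowlist,
    catches whichever signed binary the loader chose to copy."""
    return {ntpath.basename(norm(e.image)) for e in events if in_system_dir(e.image)}


def sideload_candidates(events: list[ProcessEvent]) -> list[ProcessEvent]:
    """Processes whose basename matches a System32 binary but whose own path
    is not a system directory: the copied osk.exe / BitLockerWizardElev.exe /
    msconfig.exe in the report."""
    names = system_names(events)
    return [e for e in events
            if ntpath.basename(norm(e.image)) in names and not in_system_dir(e.image)]


def sideload_pairs(dropped: list[str], names: set[str]) -> list[tuple[str, str]]:
    """Pair each dropped copy of a system binary with a DLL dropped in the same
    directory; a DLL beside a relocated signed EXE is the sideloading layout."""
    by_dir: dict[str, list[str]] = {}
    for f in dropped:
        d, base = ntpath.split(norm(f))
        by_dir.setdefault(d, []).append(base)
    pairs = []
    for d, files in by_dir.items():
        exes = [f for f in files if f in names]
        dlls = [f for f in files if f.endswith(".dll")]
        pairs.extend((ntpath.join(d, exe), ntpath.join(d, dll)) for exe in exes for dll in dlls)
    return pairs


def run_key_findings(key: str, value: str) -> list[str]:
    """Reasons a Run value is suspicious; empty list if the key is not a Run key."""
    if not RUN_KEY_RE.search(key):
        return []
    v = norm(value.strip('"'))
    findings = []
    if SHORT_NAME_RE.search(v):
        findings.append("value written with 8.3 short names")
    if "\\programs\\startup\\" in v:
        findings.append("value points into the Startup folder (second autorun for the same file)")
    if v.startswith("c:\\users\\"):
        findings.append("value launches from a user-writable directory")
    return findings


# Constructed from the report's process tree and IoCs.
EVENTS = [
    ProcessEvent(816, r"C:\Windows\system32\rundll32.exe"),
    ProcessEvent(1484, r"C:\Windows\system32\osk.exe"),
    ProcessEvent(2968, r"C:\Users\Admin\AppData\Local\vKXB2V1Za\osk.exe"),
    ProcessEvent(2944, r"C:\Windows\system32\BitLockerWizardElev.exe"),
    ProcessEvent(108, r"C:\Users\Admin\AppData\Local\2jZyUH\BitLockerWizardElev.exe"),
    ProcessEvent(1696, r"C:\Windows\system32\msconfig.exe"),
    ProcessEvent(2984, r"C:\Users\Admin\AppData\Local\PFWHWG8\msconfig.exe"),
]
STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\auAD8i"
DROPPED = [STARTUP + r"\FVEWIZ.dll", STARTUP + r"\BitLockerWizardElev.exe"]
RUN_KEY = (r"\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000"
           r"\Software\Microsoft\Windows\CurrentVersion\Run\Niubkzso")
RUN_VALUE = r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\auAD8i\BITLOC~1.EXE"


def report(events=EVENTS, dropped=DROPPED, key=RUN_KEY, value=RUN_VALUE) -> dict:
    return {
        "sideloaded_pids": [e.pid for e in sideload_candidates(events)],
        "sideload_pairs": sideload_pairs(dropped, system_names(events)),
        "run_key": run_key_findings(key, value),
    }


if __name__ == "__main__":
    for name, result in report().items():
        print(f"{name}: {result}")
```

Run against the constructed records it reports PIDs 2968, 108 and 2984 as relocated system binaries, one EXE/DLL pair in the Startup directory, and three findings on the Run value. On real telemetry the same logic applies to Sysmon event 1 (image path) and event 11 (file create) records; the one caveat is that system_names() is derived from the trace, so a run in which the legitimate System32 copy was never launched needs a static allowlist instead.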
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 3.2MB
  MD5: aa8647851f92c87f2e174fbdb2208842
  SHA1: 9f630a3fcfcf4cc37751a107ad301a5a26780ae3
  SHA256: 7c2da0e82df081ef17e4451457832056a43827d80422f71ee6da6ad28e958831
  SHA512: a37e7474ffe4971a17ccf9c362b9f7ce43e5165a4c4d6879b5a16ad736ee24b185c350f6b0bc5fbb7915877a7c9e8d8393d3ef1448f6f35d616db1234db0ce7a

- Filesize: 1.5MB
  MD5: 966f88d18a8f2728ca44993f228cefc8
  SHA1: 65c8baeb31b4c8bb7fadd24623aaebee77bdd710
  SHA256: 3da9b3376d0769503c3ea6c1de2cf871bc1c2199da1274d39a8e931ca249682c
  SHA512: 5f386156f999032d7a85c6c7e68013ca4b6cc71da30787ae83b64c6c680cc37b8aa0d3ce4add6b73d25adc10fb5aea5929a6e3a5527dd4c945dc7c60592ea24a

- Filesize: 83KB
  MD5: 22865f64942a35ac74e9e1de662f6187
  SHA1: a0a0655bf377cba9308ac9886e005e01f1bc8165
  SHA256: 09b400db84593b024ebb0ba979c79a463c9f54953ff3e2db88151179dbe407dd
  SHA512: ee0d789ef0cf25a952f8026d005905827f6bd4849b63bbe411405c5912a62c25188cbc72a1d7a2341db8da44998aa54aeb4edcd05eed6e2159e11b40b763de87

- Filesize: 175KB
  MD5: 35272a16c4af43a850240bdc01eb34aa
  SHA1: 7431345b5818da148828cca7608c7f46eb0270c0
  SHA256: db801a8805d39506ce60df4cf2f0197fdee534ded7747af14153023ffd87ff39
  SHA512: de9b077e984d244e8cd5f704536825041f0d7496eafe67fd3ffee507010004c85625875ff0140fc9d5aad4b665f0b4758d30cca1275d5dab89ef62d995c5de7d

- Filesize: 92KB
  MD5: 898f9e44da78d76a4f62d05bef5f5926
  SHA1: 94c1b10199a09cd711ab2bd2dbd91584bdf6b897
  SHA256: 1509b680653247b8086cdddd9994b1c719fe51abdeb92ca54584c850e48c86ad
  SHA512: f7a080507a024740f28bd1bb0eaa0ee015ec4fdc1c91c627ed6cef902cdb19d231fb90673e3b53817fc412e43c8de3aa3107f60a4d916cd3167341e0b5c6bbcf

- Filesize: 1KB
  MD5: c1e1f6de88099e5bf84c94dc1164a0a7
  SHA1: 6af22c95d21cae0bc4ab3946483c484ce9d3efc0
  SHA256: 2bfe0dd679ae026fa35b5b752c34ca00c402898f3e997952fa3072eb36ba449a
  SHA512: 7bf18afe46a49b604e8c8cd47862993d312dcee6861785121f7a1b850ef9cade954b80cea6ca6523157aa53acb2408777383dc3d8fd1a4f712a39b98896d6fde

- Filesize: 2.0MB
  MD5: 8731d1de7b8b62e75f63918c9546f526
  SHA1: d5ac88bb4d6f826118aeb4a377b0baf8821198a1
  SHA256: 2077dfc770226f92f14f57a8a1dd24b7e70ccfcf52f9addc3bb7364edc93b9ea
  SHA512: 24bb17cb309070827c65b4d52dcf276e7143e13e71111cce397c7c4b2c3a936a2f6abd9328fb7b2323c482ef1f7f240a2552d14fa3b40b44c849501d1944410a

- Filesize: 3.2MB
  MD5: 96651dc9ee1fc6b648e4ec49cd8fed4c
  SHA1: befc482e57da3b1165076969cbc957088f3fc8ae
  SHA256: 78d76173c90eac79aaabc26250f40419f84216dffb65428a31fcc30a6b1b5a1d
  SHA512: 669aade51f2478c437c52e8a018eb79508ab0f79d7997d1b148e43562c596cb655f5bf27d90c0a3617a2dde003e4403a82554154019f2ce4cf8956f2b4b90a8e

- Filesize: 98KB
  MD5: 73f13d791e36d3486743244f16875239
  SHA1: ed5ec55dbc6b3bda505f0a4c699c257c90c02020
  SHA256: 2483d2f0ad481005cca081a86a07be9060bc6d4769c4570f92ad96fa325be9b8
  SHA512: 911a7b532312d50cc5e7f6a046d46ab5b322aa17ce59a40477173ea50f000a95db45f169f4ea3574e3e00ae4234b9f8363ac79329d683c14ebee1d423e6e43af

- Filesize: 3.2MB
  MD5: f55f199a48855e441c14ffbc9226c1af
  SHA1: 46afbdd481d6bd500f318bc9cb159094dde56885
  SHA256: 35cdead7a6b2f352e534808e7f960d2883497ee3096bd0606d1483b138542ef1
  SHA512: 1ec997812d92273a365fae47c65ffcc8eac66e509e723b104afbcfc9ec0ed745344f061d81f5f50ee24b1e7166ab877b238c23d14bf27047ae9b14dbdadc214a

- Filesize: 1.2MB
  MD5: 6cd6f03144050649059edd44c5ddf317
  SHA1: 4d618d46c470d56dd896785a0e1cde2f15591b1c
  SHA256: 4e64b738c12290b6cbcf397817430861c91a84228a49b6a80d401c575cdf527f
  SHA512: 73910150335af660bbcd491d2cd4c785f523f8272e4800b6cd0ec74c21a8b99a03e05622172d9df27871cc0d58ace384334b3aec0029a19a0582ae38a3e2ba7e

- Filesize: 293KB
  MD5: e19d102baf266f34592f7c742fbfa886
  SHA1: c9c9c45b7e97bb7a180064d0a1962429f015686d
  SHA256: f3c8bb430f9c33e6caf06aaebde17b7fddcc55e8bb36cec2b9379038f1fca0b1
  SHA512: 1b9f1880dd3c26ae790b8eead641e73264f90dc7aa2645acc530aad20ad9d247db613e1725282c85bca98c4428ac255752a4f5c9b2a97f90908b7fe4167bb283

- Filesize: 50KB
  MD5: 4e4544649d2317c011ad1c2c978f2644
  SHA1: 57ccef9cbf2d088b8a5ef7cc3fdab4a3a524c8e8
  SHA256: 9276d5256acb2fc3cb22e07ec372f620ed145ece00f5f310767f0ee61966ca0a
  SHA512: 37134db0abc4585d273c1b9e84003238e3b35df799b206c0a1f2f40094c2eb808cc16b243dcb03bcc032d9d83eb757bf6fbdfb67b3e74b9007c4328f944aa83c

- Filesize: 31KB
  MD5: 06d0bd2c078e2e114054dc291218037c
  SHA1: 118e0a2a0b22a51a32e2b77fe5f0a8a5e7649582
  SHA256: 250801b30ab992f654fee07a5acddb057e98a2c7b6b04acc9c28da4b1f613f77
  SHA512: 8c0fb37e518ca78b96a909273b64c0e976f125ee32d9ea8bedb3ad74c446b2c4b5b125c93653a3d741798b8695e48c49a235eff97ac6b7dbe1daa0b06851e230