Analysis
max time kernel: 191s
max time network: 139s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 29-12-2023 20:09

Static task: static1
Behavioral task: behavioral1
Sample: 02a0cd716c96815422f1fc564501caa7.dll
Resource: win7-20231215-en
General
Target: 02a0cd716c96815422f1fc564501caa7.dll
Size: 2.0MB
MD5: 02a0cd716c96815422f1fc564501caa7
SHA1: db2c33750e463f702b50f2d8c4d765c7f9c7866f
SHA256: 03c531f4b15ced54d56d9202a64d3ba2d2f5996c6cc290cc6a5ccf9a777afed4
SHA512: a201da4d62323fc02b330591a9f203f00713670f7963338667b4fb9b015252f6d6a76d40c6697f982a18bedac88bf5824d4d01e2a311195665a6ebafbe4ed63a
SSDEEP: 12288:iVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:/fP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
Processes:
resource: behavioral1/memory/1256-5-0x00000000038C0000-0x00000000038C1000-memory.dmp
yara_rule: dridex_stager_shellcode
Executes dropped EXE (3 IoCs)
Processes:
pid    Process
1416   BitLockerWizardElev.exe
272    PresentationSettings.exe
1068   osk.exe
Loads dropped DLL (7 IoCs)
Processes:
pid    Process
1256   (process name not recorded)
1416   BitLockerWizardElev.exe
1256   (process name not recorded)
272    PresentationSettings.exe
1256   (process name not recorded)
1068   osk.exe
1256   (process name not recorded)
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\Xkgbzoakajt = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\DNTException\\Low\\yc\\i7DturZa2\\PresentationSettings.exe"
Process: (not recorded)
Checks whether UAC is enabled
Processes:
description         ioc                                                                                   Process
Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   rundll32.exe
Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   BitLockerWizardElev.exe
Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   PresentationSettings.exe
Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   osk.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
pid    Process
2888   rundll32.exe (3 entries)
1256   (process name not recorded; 61 entries)
Suspicious use of WriteProcessMemory (18 IoCs)
Processes:
description                         pid    Process   procid_target
PID 1256 wrote to memory of 1088    1256   -         29   (logged 3 times)
PID 1256 wrote to memory of 1416    1256   -         30   (logged 3 times)
PID 1256 wrote to memory of 2120    1256   -         31   (logged 3 times)
PID 1256 wrote to memory of 272     1256   -         32   (logged 3 times)
PID 1256 wrote to memory of 2064    1256   -         33   (logged 3 times)
PID 1256 wrote to memory of 1068    1256   -         34   (logged 3 times)
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\02a0cd716c96815422f1fc564501caa7.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID: 2888

C:\Windows\system32\BitLockerWizardElev.exe
  command line: C:\Windows\system32\BitLockerWizardElev.exe
  PID: 1088

C:\Users\Admin\AppData\Local\7M1fNBN\BitLockerWizardElev.exe
  command line: C:\Users\Admin\AppData\Local\7M1fNBN\BitLockerWizardElev.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 1416

C:\Windows\system32\PresentationSettings.exe
  command line: C:\Windows\system32\PresentationSettings.exe
  PID: 2120

C:\Users\Admin\AppData\Local\9QDPHeY\PresentationSettings.exe
  command line: C:\Users\Admin\AppData\Local\9QDPHeY\PresentationSettings.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 272

C:\Windows\system32\osk.exe
  command line: C:\Windows\system32\osk.exe
  PID: 2064

C:\Users\Admin\AppData\Local\JlDV\osk.exe
  command line: C:\Users\Admin\AppData\Local\JlDV\osk.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 1068
Network
MITRE ATT&CK Enterprise v15
Downloads