Analysis
- max time kernel: 150s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 19-01-2024 22:28
Static task: static1
Behavioral task: behavioral1
Sample: 68ca805df0c74e02d25c86dd7d49303e.dll
Resource: win7-20231215-en
General
- Target: 68ca805df0c74e02d25c86dd7d49303e.dll
- Size: 1.5MB
- MD5: 68ca805df0c74e02d25c86dd7d49303e
- SHA1: e62170c551c0f1edf022e1c6c8b2f54b755977b0
- SHA256: f613f68232c24e7b4c0e5a49431a159dbffb259080f66d7e773de9649da7235d
- SHA512: ab5f9da7cc894d7cdb6f07152b99cf3c284752d3078810eef4f2438170d2618ea35a869a71e4b486d081bfe312ab7942d2583f5bac15734491eb993ee732963b
- SSDEEP: 12288:fVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:WfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
-
Processes:
resource: behavioral1/memory/1364-5-0x0000000002700000-0x0000000002701000-memory.dmp
yara_rule: dridex_stager_shellcode
-
Executes dropped EXE 3 IoCs
Processes:
pid   process
2096  BitLockerWizardElev.exe
3000  TpmInit.exe
2012  fvenotify.exe
-
Loads dropped DLL 7 IoCs
Processes:
pid   process
1364
2096  BitLockerWizardElev.exe
1364
3000  TpmInit.exe
1364
2012  fvenotify.exe
1364
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\Pfoxtyecp = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\DjWA5h\\TpmInit.exe"
process: (not shown in the report)
-
Checks whether UAC is enabled 4 IoCs
Processes:
description        ioc                                                                                   process
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  BitLockerWizardElev.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  TpmInit.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  fvenotify.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid   process
2476  rundll32.exe
2476  rundll32.exe
2476  rundll32.exe
1364  (the remaining 61 entries are all pid 1364, which the report lists without a process name)
-
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
description                        pid   process  target process
PID 1364 wrote to memory of 2364   1364           BitLockerWizardElev.exe  (3 entries)
PID 1364 wrote to memory of 2096   1364           BitLockerWizardElev.exe  (3 entries)
PID 1364 wrote to memory of 3004   1364           TpmInit.exe              (3 entries)
PID 1364 wrote to memory of 3000   1364           TpmInit.exe              (3 entries)
PID 1364 wrote to memory of 620    1364           fvenotify.exe            (3 entries)
PID 1364 wrote to memory of 2012   1364           fvenotify.exe            (3 entries)
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\68ca805df0c74e02d25c86dd7d49303e.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID: 2476
-
C:\Windows\system32\BitLockerWizardElev.exe
  command line: C:\Windows\system32\BitLockerWizardElev.exe
  PID: 2364
-
C:\Users\Admin\AppData\Local\oC6JnlpOk\BitLockerWizardElev.exe
  command line: C:\Users\Admin\AppData\Local\oC6JnlpOk\BitLockerWizardElev.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 2096
-
C:\Windows\system32\TpmInit.exe
  command line: C:\Windows\system32\TpmInit.exe
  PID: 3004
-
C:\Users\Admin\AppData\Local\heUhJ\TpmInit.exe
  command line: C:\Users\Admin\AppData\Local\heUhJ\TpmInit.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 3000
-
C:\Windows\system32\fvenotify.exe
  command line: C:\Windows\system32\fvenotify.exe
  PID: 620
-
C:\Users\Admin\AppData\Local\Qp4\fvenotify.exe
  command line: C:\Users\Admin\AppData\Local\Qp4\fvenotify.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 2012
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 98KB
MD5: d1e3d14ec7a5b08896990d6bb9840c18
SHA1: f3b92a639540ed8a23f722aeadfc7a80522bd5c0
SHA256: 34218ae07defa4d2e29529aa72615162c5daae2aea652253f8b3312a5e7da919
SHA512: 1879488bf270cd37381fc7c9c8a6f913ff3926da7f65424bcb9c45d3f1b647419366765ca992d27bb08bd6e15b92eea8c8ac4a13a70b4a2f84f7d8ec8e586388
-
Filesize: 38KB
MD5: 1dac8319e3c12ec9df7e81c430ce6da4
SHA1: f46f37ae9d7b85106ea1f462226472fd0a6f2084
SHA256: 9602ddd11d7b5930bf48f7558f7722fa274995f2461a69dde616f004c369a2d4
SHA512: 69a6d9f1b41e008c56d8f098814d0c8f329c947bda36c638bf5539e845f14559b53a682ad6b740099342e56f8a74ae08785695b538f425ec29318819a5eebebe
-
Filesize: 85KB
MD5: a31cdb0be3f78a3a6d19b279440b9d6a
SHA1: a0ba873515401c12ade3664a5ffa6503701bf78b
SHA256: 53a3b93e52e37beb7ff0433a5f25d7489eef503f3302e4f4c1be2dd6cf92f3b7
SHA512: 7ca26c98373ecb77656c9e32bd1c1b542c8cc6b1836758178c52e640363b0903abcdca0b8598a76a132016f14dd12ad540c0f09d79dd571353448aada5e9dd12
-
Filesize: 26KB
MD5: 90fee0856fbe4df2342c45ec03deecca
SHA1: 6cbcd55a006f59f4be2ba782c991c4e9391d45ca
SHA256: fe17c1d5bf26fb31a165e16140231e12ac66670696b9529941e49ef8e2e4463d
SHA512: 342045baaca004077de786e4b40deb8b56b54424e04d44814513ffa9c4173fdc667a6bf9e9b2c9d5218de11b86d7488c82634741739616ecd5198e89309a75e8
-
Filesize: 73KB
MD5: 10a3cfe7254d403f7138388fdbfd07e9
SHA1: 1cd35572784c24be2d708db39d8182c05c29f8e5
SHA256: d2d6ff09aa2377e5437eaa5270f5246a1314463d9a1af8d72811ade973bad7ff
SHA512: 407f6ca76622901eefb3bc7f3d454e092ea19e25ebb2982d35292cdd2a23a0a84cb90c5e8b56cee473dd22af7e8a4cf6cdcd0c99834fc9615f052fe7df58ff5e
-
Filesize: 26KB
MD5: f278003e9f0a687c2c743b491f23bc7d
SHA1: 67b65464300a38007d55112830b76f067841f5fc
SHA256: 768c554a90d673ac3544d67d37e3e912db734e12a3d462e0cd429a74cb614f79
SHA512: a5f15c658e448b32b0ac68e6790e0fd1b554db6d30e9702e3969372450173b1e266296beb405f23dcb73d7e8a82cb6b258f0701986a25cfdfe841df557c29e9b
-
Filesize: 25KB
MD5: babc017b98b03a8c28945de1fef64f59
SHA1: e4a9b3dfb7d7a56f645761485efe2ede337d2381
SHA256: 9f5e1b545703b473712912e53799dc7e6459f67eb6f88b8478364fe4f12615d1
SHA512: f0d38e6101de4a8094d812ebd400a5ac706c486aba08d118eb0db4d0dbd81c888487b73ff3d7720b44952b8235ad2faa60814199b387de60b696619a2ae0c577
-
Filesize: 11KB
MD5: d35ea6dbf9b954d4cfc9608eb4c8dfc6
SHA1: 7c8c2d992f1b71e0a77565d0e57701c92958c514
SHA256: 0f1c0f70648db61c10a52663e0040a2449a59afd4cddf879385dbeaba7be95f9
SHA512: 70f5694423cae7c8c9948de58b8a373e1aaf4ade41b60b33770a997198f3ae0b95e7d5d60debe64fdfb24527899155bb9afdb092cbf3ed66cd60c5b08f87539b
-
Filesize: 1KB
MD5: 25ce79429905ef53c780d561b9c041c3
SHA1: 25cad8c52c94ea55156afd636c84cf2cfd3e4c8c
SHA256: 96a9c16e7c295dac6c72309f30306a4a078efb3b29e27b683655fcbd2c726cdb
SHA512: f8b9960a08517a71cc0d30fdedf5d3ca3fcf21313642cb27ff95262542e72a1027cb4d05209fc71096a40e6d25b93f28f9e3237aa2bd83f143f626a260522091
-
Filesize: 1.5MB
MD5: 079d114f0bef3506e5c48fb089d40887
SHA1: 1a05966f9cebba45a67e65539d8a24c5cbc322a6
SHA256: c3e99e2c347e441d354dd13e6d201d2beb94df313f7fda7521953351090591c5
SHA512: 548f364703e42f75759731a7ba1220c0b6ca8bf74cc4d58a537d61ed370037ed095bb9af7b0bc4c3f28cd4acf3361d7417b0a56120c840243959b194901cfcf4
-
Filesize: 92KB
MD5: 10d4966e5a7c387df060ef1db2c0e727
SHA1: 1b0d8ab3532a3063dd2733121d6991d377c8e290
SHA256: fa16d99a12600f3d8e8ac57f42917b09c9de1eb57837b1229fb392e94466d69c
SHA512: c40e4453c9d2f3e4e0391d70a4f35da54988a127fe896308591d3ab32342ea2ee94a4063e6a82b33b4ee65b6178c41de212a5867e6cb13da705ffc1ceef1bb07
-
Filesize: 1.5MB
MD5: 8b22b843282ccbed97044c4a3d319ac4
SHA1: 7854554e45685fdcd1ba2f695b588cde3b700828
SHA256: f66ba86c4186ac7ee7f308c5c7600e7e52be6100b1aada623dcb42b76d0369f1
SHA512: 371a1e7875bf91be2a63c646a45705ce89e86320e169f8943b4ef5a19acc19588b5020f152e2d8c13dcf26f38d4936dfbf2d6785b45d82dfad90853875608afa
-
Filesize: 1.5MB
MD5: 5c0ffaafd4db1dc17d4f9308f002503f
SHA1: 6f6a879e8a761c92c979159234cc61231397f69d
SHA256: 47bfd48a5f9fbea616b46e9dbda249a4ba471d6d1a1ff5ea1b731ef787b8f142
SHA512: 785fc2f52154a6564f78e2c3c74541d495ccad6cfbfb480e1d93f9c1775690108442f261c2f5f721ef380b11987fed8db6b8c7c424f902a1e1c140fa1380fa77
-
Filesize: 56KB
MD5: aadf8fb86c5c956cabb1ba956cfa326a
SHA1: c8b270bf02a5c5b1c858b327936518ada7ec40d6
SHA256: 69b4da45817220c476e09b4c77505d66b631698484176227c57bdfa2591cef06
SHA512: ff30fbbf10e22fe0f123a09395cff15734ce6b448045929a7f03df857f6df3043c7aa79ef63bf258518c4e68eea1b9e5a1ea10350b8ef789f6018b31e3859250
-
Filesize: 136KB
MD5: 411da1a6843e2da784a4997560e7ad15
SHA1: 7a389831be6e892d82c4419f5d59f8a1c5a2e5b6
SHA256: 6a4fd8dc08d03eda65c117966d3b71e35b8be6a511f34932d90991bdaf7ddd2b
SHA512: 374c4ec74fcf03ce7d01148c81e526b2195239f2a106e6ef83bdf9eeb97c341ee0f5947c559c58d95cd6f7dad944d41b96f09576e05030ea2b27d0dea341e61a
-
Filesize: 49KB
MD5: 9513ee48b8c50a4ddabfb752ebc1da85
SHA1: 920305216f307104a486deac764749f941a67ce8
SHA256: e60817d368b8418feb1259033fb853f05128ab89e4db9a7a672efcd01e72c1fb
SHA512: 2328bdc773d6c8b402bd8aaca9e7bc2b21aaf7d9ad49881fc6b41141d9133cb93bc9a58a05a670ef0f6ea839be28431ac02954661b2a50bfef8a7366fa145b9a
-
Filesize: 84KB
MD5: f0605b4c3753e6ec16a39b31c7921813
SHA1: 3192b040cb830954281466499a29b755bb3099f2
SHA256: 7ff0397e8d1f704bab94de01fbb9be8fa5d8a78bdc5dbd84d2c28da22dc53bf1
SHA512: 674d737a5906c229cf66a66263892fdf1e736bed458795b8d19598f2a21b8d8c766973930834dfcf11371081093551f68ccecfec1239ccdaa3675e7fdc1a5c98
-
Filesize: 8KB
MD5: 0cba4187bd397261930347cb203f0e91
SHA1: ca26eac633d06c2656f2bd8965b605a1b05b8c2c
SHA256: 8b5e362f3b2183d6de02003f2222ec5d781c633f7fdcc28cbb61c6bb8b040f85
SHA512: 62d8f0b93a7decd03bb3dfacd705c34a1c53b916363acf81613b5c4cb90effe4fcfb3e8766c37cb7467e4d904d0422a6e7dd4ffb1604d4c8cd56d9564824026f
-
Filesize: 7KB
MD5: 9139852848c2a5099bf361550b353160
SHA1: 6e1e0290ff9d8ebf09914df99f692a9b7fdd1b04
SHA256: 5de57e302d8f600328d6a3108fe6f72391f329793f5ee091ef9a3cf603f9180f
SHA512: 25fb2af9cf01b626ee6c48efcbe2b4d01a983ff52ac9bbaa544515b09d8f19d0f700821fb8c719b5ce571c6991ce927c9d40b787c846fff248be218e6bd5af5b
-
Filesize: 117KB
MD5: e61d644998e07c02f0999388808ac109
SHA1: 183130ad81ff4c7997582a484e759bf7769592d6
SHA256: 15a85cd6fbcb1ec57d78f986d6dd8908bd56231ce0cf65775075512303f7e5fa
SHA512: 310141b73394ae12a35f8d4f0c097868ee8a8045a62dd402a5dfbe2151980dd4fe18409ae3ca9422e3b88b2fa9afb04c1acbf8ec23a937a0a242b32a9a1e9272