Analysis
max time kernel: 150s
max time network: 123s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-01-2024 12:24

Static task: static1
Behavioral task: behavioral1
Sample: 6a6b1b2cfc389798b42fa591a501875a.dll
Resource: win7-20231129-en
General
Target: 6a6b1b2cfc389798b42fa591a501875a.dll
Size: 4.0MB
MD5: 6a6b1b2cfc389798b42fa591a501875a
SHA1: a0139d22265f40b8571722655d128c58f500d50b
SHA256: 0aecdf55017f43fa0c4a2c407c639d854fb2fddd9400e047d573b163596ef7f5
SHA512: 652b3db7e0e0f19e7362f08ce418290fbec37c7e66a2ee6a5b8abd644caa056d6c5c4372a35eb607d40f0f3b60847130e29dc42a945d34c5147a3a2375b11813
SSDEEP: 24576:mfP7fWsK5z9A+WGAW+V5SB6Ct4bnbxXM0:qDW/e+WG0Vo6CtSn6
Malware Config
Signatures

Processes:
resource: behavioral2/memory/3528-4-0x0000000007F50000-0x0000000007F51000-memory.dmp, yara_rule: dridex_stager_shellcode
Drops startup file 3 IoCs
Processes:
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OYQ\FVEWIZ.dll
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OYQ\BitLockerWizardElev.exe
File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OYQ
Executes dropped EXE 3 IoCs
Processes:
pid 1956: msra.exe
pid 4328: mfpmp.exe
pid 4272: BitLockerWizardElev.exe
Loads dropped DLL 3 IoCs
Processes:
pid 1956: msra.exe
pid 4328: mfpmp.exe
pid 4272: BitLockerWizardElev.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
Set value (str): \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tgnmvdx = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Proof\\VU6ip3zKf\\mfpmp.exe"
Checks whether UAC is enabled
Processes:
Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: rundll32.exe)
Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: msra.exe)
Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: mfpmp.exe)
Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: BitLockerWizardElev.exe)
Modifies registry class 2 IoCs
Processes:
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Key created: \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid 2696: rundll32.exe (4 entries)
pid 3528: no process name recorded (remaining entries)
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
pid 3528 (no process name recorded, 2 entries)
Suspicious use of UnmapMainImage 1 IoCs
Processes:
pid 3528 (no process name recorded)
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
PID 3528 wrote to memory of 3988 (target process: msra.exe)
PID 3528 wrote to memory of 3988 (target process: msra.exe)
PID 3528 wrote to memory of 1956 (target process: msra.exe)
PID 3528 wrote to memory of 1956 (target process: msra.exe)
PID 3528 wrote to memory of 1728 (target process: mfpmp.exe)
PID 3528 wrote to memory of 1728 (target process: mfpmp.exe)
PID 3528 wrote to memory of 4328 (target process: mfpmp.exe)
PID 3528 wrote to memory of 4328 (target process: mfpmp.exe)
PID 3528 wrote to memory of 4804 (target process: BitLockerWizardElev.exe)
PID 3528 wrote to memory of 4804 (target process: BitLockerWizardElev.exe)
PID 3528 wrote to memory of 4272 (target process: BitLockerWizardElev.exe)
PID 3528 wrote to memory of 4272 (target process: BitLockerWizardElev.exe)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\6a6b1b2cfc389798b42fa591a501875a.dll,#1
  PID: 2696
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
C:\Windows\system32\msra.exe
  command line: C:\Windows\system32\msra.exe
  PID: 3988
C:\Users\Admin\AppData\Local\r3k2\msra.exe
  command line: C:\Users\Admin\AppData\Local\r3k2\msra.exe
  PID: 1956
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
C:\Windows\system32\mfpmp.exe
  command line: C:\Windows\system32\mfpmp.exe
  PID: 1728
C:\Users\Admin\AppData\Local\auaOx\mfpmp.exe
  command line: C:\Users\Admin\AppData\Local\auaOx\mfpmp.exe
  PID: 4328
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
C:\Windows\system32\BitLockerWizardElev.exe
  command line: C:\Windows\system32\BitLockerWizardElev.exe
  PID: 4804
C:\Users\Admin\AppData\Local\sfsFTIoji\BitLockerWizardElev.exe
  command line: C:\Users\Admin\AppData\Local\sfsFTIoji\BitLockerWizardElev.exe
  PID: 4272
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
Network
MITRE ATT&CK Enterprise v15
Downloads