Analysis
max time kernel: 152s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-01-2024 02:08
Static task: static1
Behavioral task: behavioral1
Sample: 6e701a6565714d75f57e4ac97c8b92cc.dll
Resource: win7-20231129-en
General
Target: 6e701a6565714d75f57e4ac97c8b92cc.dll
Size: 1.5MB
MD5: 6e701a6565714d75f57e4ac97c8b92cc
SHA1: 25de2e09d2506a090f949c1091c99e8209029564
SHA256: bd76a02a02d4a0c8c7837fe4c4985ace8f6249f11e0a71ed9ffa55e8f4639be6
SHA512: b38cdaa350fc05950787cfe6fef67253e63f4c4d037f9708cd7f74845fb151a20693d20ce0b57ae6cc47e3d6a8a9e22384a5941a3bb2fe26c6466b296d122882
SSDEEP: 12288:bVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ177:6fP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
Processes:
  resource: behavioral2/memory/3580-4-0x0000000006F30000-0x0000000006F31000-memory.dmp
  yara_rule: dridex_stager_shellcode
Executes dropped EXE 4 IoCs
Processes:
  pid   process
  1716  BitLockerWizardElev.exe
  988   Narrator.exe
  4656  cmstp.exe
  1300  SystemPropertiesDataExecutionPrevention.exe
Loads dropped DLL 3 IoCs
Processes:
  pid   process
  1716  BitLockerWizardElev.exe
  4656  cmstp.exe
  1300  SystemPropertiesDataExecutionPrevention.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gdfgjdhwrlpouj = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\SYSTEM~1\\p7u\\cmstp.exe"
  process: (not recorded)
Checks whether UAC is enabled
Processes:
  description        ioc                                                                              process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  BitLockerWizardElev.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  cmstp.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  SystemPropertiesDataExecutionPrevention.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
  pid   process
  1000  regsvr32.exe (6 entries)
  3580  no image name recorded (remaining 58 of the 64 entries)
Suspicious use of AdjustPrivilegeToken 8 IoCs
Processes:
  description                         pid
  Token: SeShutdownPrivilege          3580
  Token: SeCreatePagefilePrivilege    3580
  Token: SeShutdownPrivilege          3580
  Token: SeCreatePagefilePrivilege    3580
  Token: SeShutdownPrivilege          3580
  Token: SeCreatePagefilePrivilege    3580
  Token: SeShutdownPrivilege          3580
  Token: SeCreatePagefilePrivilege    3580
Suspicious use of UnmapMainImage 1 IoCs
Processes:
  pid   process
  3580  (no image name recorded)
Suspicious use of WriteProcessMemory 14 IoCs
Processes:
  description                       pid   target pid  target process
  PID 3580 wrote to memory of 1400  3580  1400        BitLockerWizardElev.exe
  PID 3580 wrote to memory of 1400  3580  1400        BitLockerWizardElev.exe
  PID 3580 wrote to memory of 1716  3580  1716        BitLockerWizardElev.exe
  PID 3580 wrote to memory of 1716  3580  1716        BitLockerWizardElev.exe
  PID 3580 wrote to memory of 4392  3580  4392        Narrator.exe
  PID 3580 wrote to memory of 4392  3580  4392        Narrator.exe
  PID 3580 wrote to memory of 2892  3580  2892        cmstp.exe
  PID 3580 wrote to memory of 2892  3580  2892        cmstp.exe
  PID 3580 wrote to memory of 4656  3580  4656        cmstp.exe
  PID 3580 wrote to memory of 4656  3580  4656        cmstp.exe
  PID 3580 wrote to memory of 3728  3580  3728        SystemPropertiesDataExecutionPrevention.exe
  PID 3580 wrote to memory of 3728  3580  3728        SystemPropertiesDataExecutionPrevention.exe
  PID 3580 wrote to memory of 1300  3580  1300        SystemPropertiesDataExecutionPrevention.exe
  PID 3580 wrote to memory of 1300  3580  1300        SystemPropertiesDataExecutionPrevention.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Windows\system32\regsvr32.exe
  Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\6e701a6565714d75f57e4ac97c8b92cc.dll
  PID: 1000
  - Suspicious behavior: EnumeratesProcesses
C:\Windows\system32\BitLockerWizardElev.exe
  Command line: C:\Windows\system32\BitLockerWizardElev.exe
  PID: 1400
C:\Users\Admin\AppData\Local\Ue2\BitLockerWizardElev.exe
  Command line: C:\Users\Admin\AppData\Local\Ue2\BitLockerWizardElev.exe
  PID: 1716
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
C:\Windows\system32\Narrator.exe
  Command line: C:\Windows\system32\Narrator.exe
  PID: 4392
C:\Users\Admin\AppData\Local\1IsK3mGu\Narrator.exe
  Command line: C:\Users\Admin\AppData\Local\1IsK3mGu\Narrator.exe
  PID: 988
  - Executes dropped EXE
C:\Windows\system32\cmstp.exe
  Command line: C:\Windows\system32\cmstp.exe
  PID: 2892
C:\Users\Admin\AppData\Local\iMthGw27\cmstp.exe
  Command line: C:\Users\Admin\AppData\Local\iMthGw27\cmstp.exe
  PID: 4656
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
  Command line: C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
  PID: 3728
C:\Users\Admin\AppData\Local\rrkeYruM\SystemPropertiesDataExecutionPrevention.exe
  Command line: C:\Users\Admin\AppData\Local\rrkeYruM\SystemPropertiesDataExecutionPrevention.exe
  PID: 1300
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 521KB
  MD5: d92defaa4d346278480d2780325d8d18
  SHA1: 6494d55b2e5064ffe8add579edfcd13c3e69fffe
  SHA256: 69b8c93d9b262b36e2bdc223cc0d6e312cc471b49d7cc36befbba1f863a05d83
  SHA512: b82c0fbc07361e4ad6e4ab171e55e1e41e9312ba995dce90696ca90f734f5d1ea11371ca046e8680ea566a1c2e0643ab86f1f6dcf6cbd05aed8448425a2830b5
Filesize: 100KB
  MD5: 8ac5a3a20cf18ae2308c64fd707eeb81
  SHA1: 31f2f0bdc2eb3e0d2a6cd626ea8ed71262865544
  SHA256: 803eb37617d450704766cb167dc9766e82102a94940a26a988ad26ab8be3f2f5
  SHA512: 85d0e28e4bffec709f26b2f0d20eb76373134af43bcaa70b97a03efa273b77dd4fbd4f6ee026774ce4029ab5a983aea057111efcd234ab1686a9bd0f7202748b
Filesize: 1.6MB
  MD5: 54b0b224124254de976220ace8e81a88
  SHA1: 2947bba6da35591058c811e779e1ca6500fb1374
  SHA256: 3582d8247b3dddb340250a0d5cebc1ab8dd918f81c07398c0792cbc83495f493
  SHA512: 6272b6dacc3427b0bce983f11757dae8e7644f697275018ffc288a606f04b6170c7fe359fef78d63029b4092fe7a569bc346c18e70971ce3a701445783dcf676
Filesize: 1.6MB
  MD5: 83f6fba7aaa05a8381a6802d95648bd5
  SHA1: 60f4ab00b7d0c34e4b01c2e79b7098c507aeb6cf
  SHA256: 2e07be93d86813adad8ae6bf64fc6a511fa62660ba9633073a60fe99a3f61409
  SHA512: 4a9f3fb9bb60bb39ce735b48010646e43de55e13767e475019e9f786ecff39143776304cc0fec602547babfe41b86e6ea873551c636a9ee41f8e06d25f625917
Filesize: 96KB
  MD5: 4cc43fe4d397ff79fa69f397e016df52
  SHA1: 8fd6cf81ad40c9b123cd75611860a8b95c72869c
  SHA256: f2d3905ee38b2b5c0b724d582f14eb1db7621ffb8f3826df686a20784341614c
  SHA512: 851ef9fa5a03ec8b9fea0094c6e4bfa0b9e71cee3412ee86b2dfc34682aa5fb6455fefe7fc0092b711956d7c880cf8a5761b63ee990aa8e72f3473086ac0f157
Filesize: 1.6MB
  MD5: 38f9d586bdedd52efecbd860891e2dcb
  SHA1: d24ff785f7d172f3a929af386c9ea1d9b57d9725
  SHA256: 6aa9b56466562eb33f0ecc2ee68cd9a5d2cb3633528d8f45363333cedd51b249
  SHA512: 29e694e9793907e7bd977551586084c5ae9a06f1d5437ceaea173ec15e2499d8decda26301f99990761f5d4df149f3d97dc9741d4e0c8baf61b98654d964ab83
Filesize: 82KB
  MD5: de58532954c2704f2b2309ffc320651d
  SHA1: 0a9fc98f4d47dccb0b231edf9a63309314f68e3b
  SHA256: 1f810658969560f6e7d7a14f71d1196382e53b984ca190fa9b178ac4a32acfb3
  SHA512: d4d57cc30d9079f4e9193ba42631e8e53d86b22e9c655d7a8c25e5be0e5e1d6dfff4714ddc23e3e392809d623b4f8d43c63893f74c325fc77459ac03c7a451ed
Filesize: 1KB
  MD5: 37d5eb0bed06ca1b72bb550d07087061
  SHA1: d0a37643101696e6ff1b3e0b2419836dcf0246fa
  SHA256: 257558f1698a04fc8eabe128d0de7eba6d72af2e2ada64604b7565eeb06ed0ff
  SHA512: ac567c179ca4b7a51a63cef1f9eb26284bd6c34167686aaf26c323bf89943dfb197ca959543e55b6b2e27100a0327fef4aa698993fb3d5b8f7ca8b0fa128f512