Analysis

max time kernel: 150s
max time network: 127s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 22-01-2024 10:55

Static task: static1
Behavioral task: behavioral1
Sample: 6f7d97ba73906e0867f0f46d5c537049.dll
Resource: win7-20231215-en
General

Target: 6f7d97ba73906e0867f0f46d5c537049.dll
Size: 1.5MB
MD5: 6f7d97ba73906e0867f0f46d5c537049
SHA1: 4760cd9fbb77d0a05a0f5a86a70ea98057e3bce3
SHA256: 9abc5f5cc3312da7b9eb0e44a7a2306afd47d84c49b9cb86ed120cadfc05c824
SHA512: 631240994428b1f4ce8ab54362384c7460ae14f97063c2320c33a3110f3daa7d4c6fee969bded9fead352bdd47c52c4a139877c8b52e5f4cf21915cfe61dd634
SSDEEP: 12288:0VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:xfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config

Signatures

YARA match in process memory (1 IoCs)
resource: behavioral1/memory/1240-5-0x00000000025C0000-0x00000000025C1000-memory.dmp
yara_rule: dridex_stager_shellcode
The matched region (0x025C0000-0x025C1000) is a single 4 KiB page inside PID 1240; that PID is not named anywhere in this report.
Executes dropped EXE (3 IoCs)
pid   process
1728  BitLockerWizardElev.exe
1864  shrpubw.exe
1736  fveprompt.exe

Loads dropped DLL (7 IoCs)
pid   process
1240  (not named in the report)
1728  BitLockerWizardElev.exe
1240  (not named in the report)
1864  shrpubw.exe
1240  (not named in the report)
1736  fveprompt.exe
1240  (not named in the report)
Adds Run key to start application (2 TTPs, 1 IoCs)
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\Zqonzshwxyr = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\tumEqtx6E\\shrpubw.exe"
process: (not named in the report)
Checks whether UAC is enabled (4 IoCs)
description: Key value queried
ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
process: one query each by rundll32.exe, BitLockerWizardElev.exe, shrpubw.exe and fveprompt.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid   process
2448  rundll32.exe (3 entries)
1240  (not named in the report; 61 entries)
Suspicious use of WriteProcessMemory (18 IoCs)
Each row below appears three times in the report (18 entries in total). The writing process, PID 1240, is not named anywhere in the report; the process column is empty for every row.
description                        pid   target process
PID 1240 wrote to memory of 324    1240  BitLockerWizardElev.exe
PID 1240 wrote to memory of 1728   1240  BitLockerWizardElev.exe
PID 1240 wrote to memory of 2204   1240  shrpubw.exe
PID 1240 wrote to memory of 1864   1240  shrpubw.exe
PID 1240 wrote to memory of 1944   1240  fveprompt.exe
PID 1240 wrote to memory of 1736   1240  fveprompt.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

All seven processes are listed at depth 1; the report records no parent/child relationship between them.

- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\6f7d97ba73906e0867f0f46d5c537049.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID: 2448
- C:\Windows\system32\BitLockerWizardElev.exe
  Command line: C:\Windows\system32\BitLockerWizardElev.exe
  PID: 324
- C:\Users\Admin\AppData\Local\iOLCtp4kk\BitLockerWizardElev.exe
  Command line: C:\Users\Admin\AppData\Local\iOLCtp4kk\BitLockerWizardElev.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 1728
- C:\Windows\system32\shrpubw.exe
  Command line: C:\Windows\system32\shrpubw.exe
  PID: 2204
- C:\Users\Admin\AppData\Local\oPrXNnp\shrpubw.exe
  Command line: C:\Users\Admin\AppData\Local\oPrXNnp\shrpubw.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 1864
- C:\Windows\system32\fveprompt.exe
  Command line: C:\Windows\system32\fveprompt.exe
  PID: 1944
- C:\Users\Admin\AppData\Local\FsDb\fveprompt.exe
  Command line: C:\Users\Admin\AppData\Local\FsDb\fveprompt.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 1736
Network
MITRE ATT&CK Enterprise v15
Downloads

-
Filesize: 98KB
MD5: 73f13d791e36d3486743244f16875239
SHA1: ed5ec55dbc6b3bda505f0a4c699c257c90c02020
SHA256: 2483d2f0ad481005cca081a86a07be9060bc6d4769c4570f92ad96fa325be9b8
SHA512: 911a7b532312d50cc5e7f6a046d46ab5b322aa17ce59a40477173ea50f000a95db45f169f4ea3574e3e00ae4234b9f8363ac79329d683c14ebee1d423e6e43af
-
Filesize: 1.5MB
MD5: c338f3236bebfca55f5ee1113b2a63e8
SHA1: 2f907b6c463a3c3577c63e125ee219cbbfd1d972
SHA256: d3b36a4222fc21dd9eac4c533c2e84f1b239b54ff23c22fce4cb5d7854f18aee
SHA512: d94b55f7e6b7500ece9d3396f8fc9055dc377b0644a67295569a5b15a6691aeb26bec3e8196c40bd41359f3fe83ad892bef4656907e79b32323dbea3701eb7bc
-
Filesize: 1.5MB
MD5: 692082607b170df2c355ff99e2b6d747
SHA1: 843bc4849ab9036e7cd8fafa10ba98e6d20bfb5f
SHA256: 1612a214923e9b7d61a6b9403dbe75f2aad84148759447d60ee06b01b68e3ba6
SHA512: 2e8a3c562ea18b783d75cfbe3575fdc692b5ba2f5a425d1eddc5a5ebb1880ad59943e064c9da017eb262a467d9b4015c07a9d4285151ccf872a624384a193f17
-
Filesize: 1KB
MD5: 1e187829c2ffe0eda1b1b6e82f5fb625
SHA1: c392b5c68c7ab796b27305b8c979079be53d17a9
SHA256: 59a85e9a03c10cb0aab39163428beec66ea9f3c3e8f4f33585218c6924417dd4
SHA512: 889a98c89fb0af661f656d9c0ad1cba83f99b1cc878908ee46d475de507dba3a5b5e7e509ba9935e44ef40aff1bfed145ebbb486f600d53e5b7c2cddf174fadb
-
Filesize: 104KB
MD5: dc2c44a23b2cd52bd53accf389ae14b2
SHA1: e36c7b6f328aa2ab2f52478169c52c1916f04b5f
SHA256: 7f5b19f2c6a94833196ee1929d48094889b33b504d73d3af88dd857ceaf67921
SHA512: ff083f74777a9cfc940d4e0cb55886397e27c85f867de9a5dd9ea2c2751d2a77bf75fe0734e424d9678c83e927788d07d0b3072024f7e5a9848c7ff1aa4090dc
-
Filesize: 1.5MB
MD5: c1102bdd574a4b1dd56329a7d04334fa
SHA1: fae430640c4e72efe27cfc5bc01ae3c4cdd23b0c
SHA256: 5d66e82dafb6657a5a0675fc52ce0202cadc3e36c22ab04a50d89b3eb201a072
SHA512: 24a7364b743a77fc081200d28c09e3a2f6fc775857229b2ffbb051d995989fd759d128b57b340e8c48c402c97216a11d6b3072c4bae088105cb3f7a08c64f52d
-
Filesize: 398KB
MD5: 29e6d0016611c8f948db5ea71372f76c
SHA1: 01d007a01020370709cd6580717f9ace049647e8
SHA256: 53c868882ebc9e0d4f703afeccb172043069ccc0b5b6f7cac1d2aad9c4640930
SHA512: 300216ab47ee44b8f68d4835bf26641f949039522b680af00fb602f57d31c38812428dc624461bc2cc7d6384cad396bc033718e41e11a65f7dd0eeb36ed924e4