Analysis
-
max time kernel: 149s
max time network: 121s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 25-01-2024 10:36
-
Static task: static1
Behavioral task: behavioral1
Sample: 74792d6438fe27a6b4efb9c1142f875c.dll
Resource: win7-20231215-en
General
-
Target: 74792d6438fe27a6b4efb9c1142f875c.dll
Size: 1.7MB
MD5: 74792d6438fe27a6b4efb9c1142f875c
SHA1: df86d55db627c71dfda71d31b9120875b4763655
SHA256: 91f4e0d55b25c852d48512dcc4852c2aa7d950cfb08fbcc53c1f373202032dae
SHA512: c273b6b6e722fed5ebc10f107cce93c97bb4d32fdd89547ce1bf1392f02e1647d4eedfccd9a92cbe7cb0e239897fdce905ec15fc833f0be604856963792aa2b4
SSDEEP: 12288:5VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1kt:4fP7fWsK5z9A+WGAW+V5SB6Ct4bnbkt
Malware Config
Signatures
-
Processes:
  resource:  behavioral1/memory/1208-5-0x0000000002570000-0x0000000002571000-memory.dmp
  yara_rule: dridex_stager_shellcode
Executes dropped EXE 3 IoCs
Processes:
  pid   process
  2820  winlogon.exe
  2188  SystemPropertiesAdvanced.exe
  2368  BitLockerWizard.exe
Loads dropped DLL 7 IoCs
Processes:
  pid   process
  1208  (no process name recorded)
  2820  winlogon.exe
  1208  (no process name recorded)
  2188  SystemPropertiesAdvanced.exe
  1208  (no process name recorded)
  2368  BitLockerWizard.exe
  1208  (no process name recorded)
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  description:  Set value (str)
  ioc:          \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rtxtioiynm = "C:\\Users\\Admin\\AppData\\Roaming\\Macromedia\\zmknj\\SystemPropertiesAdvanced.exe"
  process:      (not recorded)
Checks whether UAC is enabled
Processes:
  description        ioc                                                                                  process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  winlogon.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  SystemPropertiesAdvanced.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  BitLockerWizard.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
  pid   process
  2536  rundll32.exe
  2536  rundll32.exe
  2536  rundll32.exe
  1208  (no process name recorded; every remaining entry in this signature is pid 1208)
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
  description                         pid   target process
  PID 1208 wrote to memory of 2676    1208  winlogon.exe
  PID 1208 wrote to memory of 2820    1208  winlogon.exe
  PID 1208 wrote to memory of 2232    1208  SystemPropertiesAdvanced.exe
  PID 1208 wrote to memory of 2188    1208  SystemPropertiesAdvanced.exe
  PID 1208 wrote to memory of 2200    1208  BitLockerWizard.exe
  PID 1208 wrote to memory of 2368    1208  BitLockerWizard.exe
  (each row above is listed three times in the report, giving the 18 IoCs; the process column for pid 1208 is not recorded)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\74792d6438fe27a6b4efb9c1142f875c.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID: 2536
-
C:\Windows\system32\winlogon.exe
  command line: C:\Windows\system32\winlogon.exe
  PID: 2676
-
C:\Users\Admin\AppData\Local\pU9jsk\winlogon.exe
  command line: C:\Users\Admin\AppData\Local\pU9jsk\winlogon.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 2820
-
C:\Users\Admin\AppData\Local\H0An\SystemPropertiesAdvanced.exe
  command line: C:\Users\Admin\AppData\Local\H0An\SystemPropertiesAdvanced.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 2188
-
C:\Windows\system32\SystemPropertiesAdvanced.exe
  command line: C:\Windows\system32\SystemPropertiesAdvanced.exe
  PID: 2232
-
C:\Users\Admin\AppData\Local\kyp\BitLockerWizard.exe
  command line: C:\Users\Admin\AppData\Local\kyp\BitLockerWizard.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 2368
-
C:\Windows\system32\BitLockerWizard.exe
  command line: C:\Windows\system32\BitLockerWizard.exe
  PID: 2200
Network
MITRE ATT&CK Enterprise v15
Downloads