Analysis
-
max time kernel
150s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted
26-01-2024 22:48
Static task
static1
Behavioral task
behavioral1
Sample
78978e5afac60e6f6b472c51b7fc6180.dll
Resource
win7-20231215-en
General
-
Target
78978e5afac60e6f6b472c51b7fc6180.dll
-
Size
3.3MB
-
MD5
78978e5afac60e6f6b472c51b7fc6180
-
SHA1
14062e7ebe696b055b7c78bf1816159cb8206692
-
SHA256
36d11f59d8e8c07bc7d44ff589ff73669cd9794257680dab506d9badb7b80a47
-
SHA512
0c5cc1cc61645539bc8d6291ac72bd98aaed32a33424dc5c1f69549034648afa75eb6b677e2dc2f71fd4ae26720195c377e7460f57ee853b508d21871db0d981
-
SSDEEP
12288:jVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:yfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
-
YARA hit: dridex_stager_shellcode
resource: behavioral1/memory/1340-5-0x0000000002580000-0x0000000002581000-memory.dmp
The rule matched a 4 KiB region (0x02580000-0x02581000) dumped from process 1340, the process that later writes into each dropped executable (see "Suspicious use of WriteProcessMemory" below).
Executes dropped EXE 3 IoCs
Processes:
pid   process
2916  wisptis.exe
1900  TpmInit.exe
3052  mfpmp.exe
Loads dropped DLL 7 IoCs
Processes:
pid   process
1340  (process name not recorded)
2916  wisptis.exe
1340  (process name not recorded)
1900  TpmInit.exe
1340  (process name not recorded)
3052  mfpmp.exe
1340  (process name not recorded)
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\Zqonzshwxyr = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\HGH57a\\TpmInit.exe"
process: (not recorded)
Checks whether UAC is enabled
Processes:
description        ioc                                                                                    process
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  wisptis.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  TpmInit.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  mfpmp.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid   process
2856  rundll32.exe (3 entries)
1340  (process name not recorded; the remaining 61 entries)
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
description                       pid   target process
PID 1340 wrote to memory of 2948  1340  wisptis.exe  (3 entries)
PID 1340 wrote to memory of 2916  1340  wisptis.exe  (3 entries)
PID 1340 wrote to memory of 748   1340  TpmInit.exe  (3 entries)
PID 1340 wrote to memory of 1900  1340  TpmInit.exe  (3 entries)
PID 1340 wrote to memory of 1704  1340  mfpmp.exe    (3 entries)
PID 1340 wrote to memory of 3052  1340  mfpmp.exe    (3 entries)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\78978e5afac60e6f6b472c51b7fc6180.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID:2856
-
C:\Windows\system32\wisptis.exe
  C:\Windows\system32\wisptis.exe
  PID:2948
-
C:\Users\Admin\AppData\Local\OzrwcsQp\wisptis.exe
  C:\Users\Admin\AppData\Local\OzrwcsQp\wisptis.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID:2916
-
C:\Windows\system32\TpmInit.exe
  C:\Windows\system32\TpmInit.exe
  PID:748
-
C:\Users\Admin\AppData\Local\dkDQXTMC\TpmInit.exe
  C:\Users\Admin\AppData\Local\dkDQXTMC\TpmInit.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID:1900
-
C:\Windows\system32\mfpmp.exe
  C:\Windows\system32\mfpmp.exe
  PID:1704
-
C:\Users\Admin\AppData\Local\srMXQTuB\mfpmp.exe
  C:\Users\Admin\AppData\Local\srMXQTuB\mfpmp.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID:3052
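The process list above shows the pattern worth hunting for on a real host: each of wisptis.exe, TpmInit.exe and mfpmp.exe runs once from C:\Windows\system32 and once from a randomly named folder under the user's AppData, where it loads the dropped DLL, and the Run key points a further copy of TpmInit.exe under AppData\Roaming. The script below is an added example, not part of the sandbox output; it triages constructed process events and Run-key values built from this report's paths and PIDs and flags system-binary names running from user-writable locations. The set of user-writable roots and the eight-letter folder-name heuristic are assumptions for illustration, not rules the report states.

```python
"""Added example (not sandbox output): triage a process list and Run-key
values for the sideloading pattern seen in this report, where a legitimate
System32 executable is copied to a user-writable folder and run from there.
"""
import re
from dataclasses import dataclass

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Assumption: user profiles are the user-writable roots that matter here.
USER_WRITABLE_DIRS = ("c:\\users\\",)
# Assumption: eight mixed-case letters, as in OzrwcsQp / dkDQXTMC / srMXQTuB.
RANDOM_DIR_RE = re.compile(r"^[A-Za-z]{8}$")


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str


# Constructed from the "Processes" list in the report.
EVENTS = [
    ProcEvent(2856, r"C:\Windows\system32\rundll32.exe"),
    ProcEvent(2948, r"C:\Windows\system32\wisptis.exe"),
    ProcEvent(2916, r"C:\Users\Admin\AppData\Local\OzrwcsQp\wisptis.exe"),
    ProcEvent(748, r"C:\Windows\system32\TpmInit.exe"),
    ProcEvent(1900, r"C:\Users\Admin\AppData\Local\dkDQXTMC\TpmInit.exe"),
    ProcEvent(1704, r"C:\Windows\system32\mfpmp.exe"),
    ProcEvent(3052, r"C:\Users\Admin\AppData\Local\srMXQTuB\mfpmp.exe"),
]

# Constructed from the "Adds Run key" IoC in the report (value name -> data).
RUN_VALUES = {
    "Zqonzshwxyr": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\HGH57a\TpmInit.exe",
}


def _parts(path: str):
    """Split a Windows path into (lowercased full path, parent folder, file name)."""
    norm = path.replace("/", "\\")
    pieces = norm.split("\\")
    parent = pieces[-2] if len(pieces) >= 2 else ""
    return norm.lower(), parent, pieces[-1].lower()


def system_binary_names(events):
    """Names of executables observed running from a system directory."""
    return {
        _parts(e.image)[2]
        for e in events
        if _parts(e.image)[0].startswith(SYSTEM_DIRS)
    }


def find_sideload_candidates(events):
    """Processes whose image name matches a system binary but whose path is
    user-writable. Returns (pid, image, parent_folder_looks_random) tuples."""
    names = system_binary_names(events)
    hits = []
    for e in events:
        full, parent, name = _parts(e.image)
        if name in names and full.startswith(USER_WRITABLE_DIRS):
            hits.append((e.pid, e.image, bool(RANDOM_DIR_RE.match(parent))))
    return hits


def suspicious_run_values(run_values, events):
    """Run-key values that launch a system-binary name from a user-writable path."""
    names = system_binary_names(events)
    out = []
    for value_name, target in run_values.items():
        full, _, name = _parts(target)
        if name in names and full.startswith(USER_WRITABLE_DIRS):
            out.append((value_name, target))
    return out


if __name__ == "__main__":
    for pid, image, random_dir in find_sideload_candidates(EVENTS):
        print(f"sideload candidate pid={pid} random_dir={random_dir} {image}")
    for value_name, target in suspicious_run_values(RUN_VALUES, EVENTS):
        print(f"persistence Run\\{value_name} -> {target}")
```

On a live host, feed the same functions with Sysmon event ID 1 images and the contents of the HKCU and HKLM Run keys; the name set should come from the real System32 directory listing rather than from the events, so that a copied binary is flagged even when the original never ran during the observation window.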
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 1.7MB
MD5 ef4f0c33d8d7f7debf3556344f1bf88f
SHA1 d6d9a4ebdd9afd8feaac7a5d81ac423c5e552bab
SHA256 e183dff90c1a2dc5f9d59e3bf69a918e976bb63bb5de3abbc01aabbcc835b9c4
SHA512 41fd0122d67d3a700a69418be3420abd81f84dfcf9fd6c2c44bbd0676d4e3beeb1b2a30214004782922d3aac7d0e3db629c95ec4dd3e4794739f4a5c0774df58
-
Filesize 396KB
MD5 02e20372d9d6d28e37ba9704edc90b67
SHA1 d7d18ba0df95c3507bf20be8d72e25c5d11ab40c
SHA256 3338129ddf6fb53d6e743c10bc39ec372d9b2c39c607cbe8a71cff929f854144
SHA512 bcad8894614dcfc1429be04829c217e7c8ac3c40ea3927073de3421d96d9815739ee1b84f0200eb18b3b8406b972bd934204b7b31638c9fe7c297fb201ed4200
-
Filesize 3.3MB
MD5 24a91eddb1c9033379546124f7c4e0df
SHA1 e71e115ea1d754897360932bf7e76aedea48861f
SHA256 fc2a2a8d7cc12cf430618fd07ca6dece66b839e730723b14d7f3d674d7d90fae
SHA512 efbad0b125630a7b2ea282864253d2d8b93a4e7a8455ad7113e01ef520a9628990a7355e1ae74dccdf4f6998ecc108b8752275e213ad3cad7d3171d414c20ba9
-
Filesize 2.2MB
MD5 e24df9c436584ce6f79cfc680e641a28
SHA1 2446c94b9e6570e739da1f1411fee720033a486b
SHA256 5e49093c8635e1f513583bcf319e775f04eaed8df14dc44f9b642ce1aa5a2704
SHA512 9c51e995537485f0e98845818034169f24c9297e4a2f9fbcd7d67198b233e2cdca4e1fbe476ab96e13a0b63d1f849f9dc8d84a1e76dd4c6aab3a08bb56348f86
-
Filesize 1KB
MD5 fdb320f19cabc05ab3961741ef0aa517
SHA1 1dd53e13da9bb830c4ed1401c23759cbfe515a3f
SHA256 f123b485dac882d1664866a2e16f57e80eb8c2fa937fe6bcc318da05ad3a1e29
SHA512 303a63ac63a19a95d14a273e815e0df24a17c5acb52535942879ffb395bf7bc3d7c9ba03c3167f70992223f8623f516898a1a7ec620d757c59fe1dee4587e761
-
Filesize 3.3MB
MD5 468dd9d9bff25c57a05f0cb38fbe7a69
SHA1 387164f9121889b0a9bc1d25aeed213b8cf46239
SHA256 0097fcffbada442cad1f0116d2466fce643c62c3cdacef574e0871c0c7bfea4c
SHA512 3ad01a2086723c7548cf377ac9cea17048bb19bff53b2db3d6a73a46b63cacd996eb86f278a42df0376178821ef8f8d14930d3ad7aa4785ae7cb8e39d2abb031
-
Filesize 3.3MB
MD5 a4903cec68d63dbc1d3bc72b87d8b7ff
SHA1 90ee5225180538528f1bec5a3724dfc885a9382c
SHA256 21cb2c94596f185e632d69c0d2b2c2a48b1f70783eaa2dbaeb9a53f2b4a86f6f
SHA512 aaf222678167cb1702d63f156246ca2b4db4aef2e059707227de6b6cba8104dd727c6b3a6b57ee778c70517e0c62af0716877314924243ef081d1b14cc06f195
-
Filesize 112KB
MD5 8b5eb38e08a678afa129e23129ca1e6d
SHA1 a27d30bb04f9fabdb5c92d5150661a75c5c7bc42
SHA256 4befa614e1b434b2f58c9e7ce947a946b1cf1834b219caeff42b3e36f22fd97c
SHA512 a7245cde299c68db85370ae1bdf32a26208e2cda1311afd06b0efd410664f36cafb62bf4b7ce058e203dcc515c45ebdef01543779ead864f3154175b7b36647d
-
Filesize 2.8MB
MD5 39d25c4147a07b834f4d928b189bb5ac
SHA1 2993b204937db9cb3349d72b4f36b164711444c1
SHA256 522ab76d3c2237d153f9010bff29ed1bc737c9af9ac4180d56ad951d11c141ca
SHA512 ae74263ff5c5bcd87265104be624511efe3df3c311eac95ff2bd3158580d6f3ca3470eafc0f7a52a0a6a06cc05400e1f64854ca49eb70c13bcdb8478a494ed05
-
Filesize 24KB
MD5 2d8600b94de72a9d771cbb56b9f9c331
SHA1 a0e2ac409159546183aa45875497844c4adb5aac
SHA256 7d8d8918761b8b6c95758375a6e7cf7fb8e43abfdd3846476219883ef3f8c185
SHA512 3aaa6619f29434c294b9b197c3b86fdc5d88b0254c8f35f010c9b5f254fd47fbc3272412907e2a5a4f490bda2acfbbd7a90f968e25067abf921b934d2616eafc