Analysis
-
max time kernel
149s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64 arch:x86 image:win7-20231215-en locale:en-us os:windows7-x64 system -
submitted
26-01-2024 05:13
Static task
static1
Behavioral task
behavioral1
Sample
76793acc5d4fbc8010e234153b47c147.dll
Resource
win7-20231215-en
General
-
Target
76793acc5d4fbc8010e234153b47c147.dll
-
Size
2.9MB
-
MD5
76793acc5d4fbc8010e234153b47c147
-
SHA1
4b78ec6bf864956998aba727320eb629d82e15d9
-
SHA256
51148fdd8214cd04462c3c1e06dea7736dcbc85cacf0e7ed50a028df5812136c
-
SHA512
b7e5911d471a4f1a8cb882c0d1fbd07c1cfdc0368716d0ddc25872012018bed4fe574bf65543ea4196fd68c4c205b896a11375c1a38cef784fd792541579d885
-
SSDEEP
12288:SVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:PfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
-
Processes:
resource | yara_rule
behavioral1/memory/1196-5-0x00000000024E0000-0x00000000024E1000-memory.dmp | dridex_stager_shellcode
-
Executes dropped EXE 3 IoCs
Processes:
pid | process
2964 | taskmgr.exe
1888 | BitLockerWizardElev.exe
692 | sdclt.exe
-
Loads dropped DLL 7 IoCs
Processes:
pid | process
1196 |
2964 | taskmgr.exe
1196 |
1888 | BitLockerWizardElev.exe
1196 |
692 | sdclt.exe
1196 |
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\Bsfvntd = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\ACCESS~1\\ACCESS~1\\XJJ1oLi\\BITLOC~1.EXE" |
-
Checks whether UAC is enabled
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | BitLockerWizardElev.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sdclt.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process
2264 | rundll32.exe
2264 | rundll32.exe
2264 | rundll32.exe
1196 | (blank; this row is repeated for the remaining entries)
-
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
description | pid | process | target process
PID 1196 wrote to memory of 2868 | 1196 | | taskmgr.exe (3 entries)
PID 1196 wrote to memory of 2964 | 1196 | | taskmgr.exe (3 entries)
PID 1196 wrote to memory of 332 | 1196 | | BitLockerWizardElev.exe (3 entries)
PID 1196 wrote to memory of 1888 | 1196 | | BitLockerWizardElev.exe (3 entries)
PID 1196 wrote to memory of 604 | 1196 | | sdclt.exe (3 entries)
PID 1196 wrote to memory of 692 | 1196 | | sdclt.exe (3 entries)
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\76793acc5d4fbc8010e234153b47c147.dll,#1
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2264
-
C:\Windows\system32\taskmgr.exe
C:\Windows\system32\taskmgr.exe
PID:2868
-
C:\Users\Admin\AppData\Local\Q2Nrip\taskmgr.exe
C:\Users\Admin\AppData\Local\Q2Nrip\taskmgr.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2964
-
C:\Windows\system32\BitLockerWizardElev.exe
C:\Windows\system32\BitLockerWizardElev.exe
PID:332
-
C:\Users\Admin\AppData\Local\CTYBLcK\BitLockerWizardElev.exe
C:\Users\Admin\AppData\Local\CTYBLcK\BitLockerWizardElev.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1888
-
C:\Windows\system32\sdclt.exe
C:\Windows\system32\sdclt.exe
PID:604
-
C:\Users\Admin\AppData\Local\V5ejf1w9\sdclt.exe
C:\Users\Admin\AppData\Local\V5ejf1w9\sdclt.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:692
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
26KB
MD5
7cc5fbdcbc2e24e5fd00e6299ab35662
SHA1
95929323da5d9d4e04c52b85418a7e2837914487
SHA256
1b172aef62c55920399653a04c2fdccd617dd7d237cdec8a0cb9f51f2fe52233
SHA512
8915eeb2251242523058d09695458ec285c4b06e96b088869476028cf26bb8f5e777fe0735080017d702b5a53f25c4c1aec371464f44f2eee5399e2b87ddf483
-
Filesize
98KB
MD5
73f13d791e36d3486743244f16875239
SHA1
ed5ec55dbc6b3bda505f0a4c699c257c90c02020
SHA256
2483d2f0ad481005cca081a86a07be9060bc6d4769c4570f92ad96fa325be9b8
SHA512
911a7b532312d50cc5e7f6a046d46ab5b322aa17ce59a40477173ea50f000a95db45f169f4ea3574e3e00ae4234b9f8363ac79329d683c14ebee1d423e6e43af
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
55KB
MD5
233f235b80700d2bd929b0a2484a4fb6
SHA1
9d03bff64a7499a5303e150e194887928a0b077b
SHA256
1981c7a5166a4d31605a7c7065895f26c38934edaa8f236b15c06a49b13458d8
SHA512
3a5ab956f1d6a40fb639744628f0a55f9dca1a2bfd58ab1f40ae77f432c689677b5ff90cb0585cbdfc8ba5fee6b434ea1c6a348553618ea8ea87a1eafe86611d
-
Filesize
76KB
MD5
aca5f57f89df206f2ccd888e21bac6c2
SHA1
009921d2fe93c5d0d1b9bf3ae7350d9271dc4133
SHA256
3864e38685d127164dea7930c253976d8b4e7482b5d368494b12bb58c18b5a23
SHA512
4edd6ab06c6fb1757ea67af6b2c5e8dfc99aecd39261e4b3234808574af3a12b3251ede5ae5c84d8bfe14612dce897f7141fcc3f5d309e5adf4efa2e1ff5438a
-
Filesize
140KB
MD5
4e80b245652d3b825212900e57f90041
SHA1
1614ce8ff23582772eb1651b7a0d99addfe3ab1c
SHA256
ee2fe20d00143737a22d9b880c0c40746d68bd5656d70415f577f23d10ddbab3
SHA512
f903aeedc1a8874bb698bdee96e27a5548f096f121e36dbec694222f2c63d1133d0901321ce92d0d0e3d62e65be5e3686a5f30f563ac55c31b87b38aa4e2dfc1
-
Filesize
40KB
MD5
63fe62055b78fd3f162302ae45c94d8d
SHA1
047375f40bddc8bed0fc438e8ff1e102728da5e4
SHA256
be1bbeaad849486fef163656683e69f6c3543036b8e2207c739d38e32baca475
SHA512
cab5f684cf3bce66fbcd1885b0261a40a716eb70eb977319e4ffc13b77d6a056124fc3ff491fa6688647a32d30a8cffee4602dff1a547948d2cdd2babc7dc4cc
-
Filesize
82KB
MD5
b7af5465a895ef7f8ac9725de9030636
SHA1
b9f0a3c283e67683b3f831a52ecd0290251f4f0c
SHA256
afab6f135c32e11d975cabfd11f8de342191a517a6168c398dd9ba2ea8ac8eb0
SHA512
4348c09f1c87fbb6019725658132442997a424bab43cb0c13bc8b301663f3bdf62cfb6341203f1321f1f0985c7716b08c5a12bc59c7c6f826dc996bc1d0ac9a2
-
Filesize
81KB
MD5
4d84dc6d234a808aa6fd593b542ee175
SHA1
82a620f2b47dffd2a318e42ce6b335803d27f2a0
SHA256
6caf0e899d2bda618d1ec37646e61efa03febcea4cc645e96a16a1bf2491ced9
SHA512
d72830899ee62ef5fedb0c180e15a84199e01a60b969dedf880fde1d2da6bfb890ae5cb981189e1299e833090e0d6529e09a7405b53d305f58364872720e2093
-
Filesize
1KB
MD5
8ef4b713ad991e73e619696b3caa6efe
SHA1
7cec0e5c6e7bc398b66205790cdec3d3684bdee3
SHA256
0160719188f0bfae5474ca172b05741c0f4791076e2aed97431a487ef5fa1352
SHA512
540be16d08e5f2a0f203956ae962b737a7b82056a11c92c2bd5d6b464add7d486bca72ac48fbed6e8e754c0b665dec7b18197d072662cd3a866deff946c78e00
-
Filesize
190KB
MD5
f2b3658c010f1dc6174ad5d97b246d90
SHA1
26665179e14121affaf47bd2fcfbf32b0878fc4e
SHA256
b9a050dc6f1ea790da0f886c3792a3be11d3e84b9a1e1d31183003262b1f8ecf
SHA512
4c8d5174e1f0c39d3549de038bb20ab7ce94cd9a93d588ce81e21b9d7aaeee98244e5b8391d2679de3ecc0c5b54f0cc1ed9cfa756cecc3de989c4c17a45e7acf
-
Filesize
2.9MB
MD5
5251fbcd5ffd1069a917f087e292c4ad
SHA1
9b469fb5b5ccfa4ba843707e4b64cd02d8ca9ec0
SHA256
adf2a6b373c467d57e46b7bf692512f5fb7f93f17bc722c6f8327fade1f23cc8
SHA512
47d05bbbcd1a73fa8ae81d5d071d224ac5d6b54636919ef9b1d5c7391b0a004124c364e98465ed912d0edc7ebd05d3ae6b9e5c84c8204efe13aa59f16666935c
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\XJJ1oLi\FVEWIZ.dll
Filesize
126KB
MD5
24a32d7eb7f49646d4aaf13d4eb4f8f8
SHA1
db829b53a5cbbfb02299bc9e8d229f55d7539327
SHA256
ac7c70388a8ee537bc0f529ea1b0bc22fa0a055a975e0eac8cfadab77ed4e138
SHA512
6027af6ec78454bca83a63fa2ed04a30148efbcc7f1aacf8ce86353ff92259ad4d606b88dfd4858690c3f6a9aae4fbe2b530b00e151b1b1b44101bccf2cb202c
-
Filesize
96KB
MD5
5681edda2d25714e353b7da317de6b87
SHA1
a54852ddbb839abf76d3c9832da0fb8d567069b3
SHA256
cf741ffe182985573454818fc9dbfa6ae364b1563e71d0c3ed3089bee842cd02
SHA512
1d6498e5141ebeefcd86f8bf59beafe11f198d9d4afe5b2e01a34793a76573a3a811e4a6a65d8d14a0bc142a801667a6221b63d0a5c302f0e0c154fa3f229146
-
Filesize
8KB
MD5
4c1a7566df376a9c7936bfd7177cf049
SHA1
78904cca7c2996e71ee818e3888b38b877a01773
SHA256
fc9bfe4b00732458a07da5d8c893ee8a7b9f0c2d5004f8370e2f00aedd412bc8
SHA512
de2c706de985ead3c91927c223e98666888da0fd0c3a26498a3583f5443385f01ca3cbd2d9ab5fe0325275d73a81a57e9f134b8a9489e7acd926c057c6d993ce
-
Filesize
113KB
MD5
48dfaa88e45c4cc912dcad19abb88e0a
SHA1
e0def63b9abd16cb95f9da2ec46ebdf8df2f2168
SHA256
157d36a07fee917e780e9e5f60bb0c8bb8942e49082861af2535b413d4b5972e
SHA512
84e4f88cddcff5148086d87d27e12085f54869e73c3bcc87927deb19c97c715dbf3afbc8f112683e0f5c03b2f66261973f487b73c21d0dfd081df40f311c92ae
-
Filesize
59KB
MD5
5ac97dff5cf3917ecca283d708c79116
SHA1
5eaa44ebeb307dbffaa9a3a5565da6db4bfa0d2f
SHA256
561d9140543144168bfdf06a4d814eb51e15cded7a062b065532dc1564899838
SHA512
0646ff531fc69f869dc1f8723dc9e2c0de91b32061e358dde4c93d9546911cfcf5a3d506a5e0f58b69e817b7ee6b2bb3183d2d81227fdb38be596d1d3660e06d
-
Filesize
33KB
MD5
857bf7c51161bab2109041c57ff944b8
SHA1
d50f6ef92de75ff2aec355b41370da570d4fc9bb
SHA256
b621ebbf90ab310eb78fed418058a0ad8a12c91f7f13fd8d94b1735a75f86637
SHA512
3d7dbd62620e391a17d0e9c5f92c861f703b3a3e2405a312a18c46badf0622dc747c2427a2956f826b1497d5b6de7b6796fa13b49a77121454c025ededc02bb6
-
Filesize
6KB
MD5
d2a4f67f67de21a6963ec5acac1fc5c8
SHA1
26bcddd7809b0c97b10719e48d23b780691ec8dd
SHA256
a7bac1efa44b127b20302c5fadb6628d46f28f78a12662728cb266f0db5c38c9
SHA512
728d9bb32ab621da44d8cbb9aab17068a1dd8b6bf9697476ef09d56de2d98c4210acc43a73a13162f2da865ac47c759371a392ba01377c08d1d1b01df707b26d
-
Filesize
58KB
MD5
6e0cfb38ba7c9018ed7f6fab2b47565e
SHA1
d663066ebc56eca1d32b73832097b72e22af8f6c
SHA256
b38d93907fe33f06a87e80d5af9c5ecaccd1d39e33d265ecffe432a3500640c0
SHA512
7fa231b89f7c912b51628f2faa93a2952a771bb2fc886de31a920d9048321689538d38540959de0de3b85c23afd367b1942e3709824f67b96b1a55dd2dad3898