Analysis
- max time kernel: 149s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 26-01-2024 11:50
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 7747f0093a61bd648a9356cf2797bc88.dll
  - Resource: win7-20231215-en
General
- Target: 7747f0093a61bd648a9356cf2797bc88.dll
- Size: 1.7MB
- MD5: 7747f0093a61bd648a9356cf2797bc88
- SHA1: 2d2ad0030c4569e867ceb32bdc0f23a30a1dbcb3
- SHA256: 2a93a9d8dcfa728e06e4cde541d13154ee6a07f1439f177e54d31dea176dc681
- SHA512: 6e131a6cfa2f256b7d757ba2e52f4fa89f8f3fd80529fe1fdb3324e4ab277d9d3041ce802ee78163e72081ffd1118b7f9a66d8dcda0028743251ddd677f622d5
- SSDEEP: 12288:NVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:UfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
- YARA match: dridex_stager_shellcode (1 IoC)
  resource: behavioral1/memory/1200-5-0x0000000002A20000-0x0000000002A21000-memory.dmp
  yara_rule: dridex_stager_shellcode
  The rule fires on a 4 KiB region (0x2A20000-0x2A21000) dumped from PID 1200, the same process that is the source of every WriteProcessMemory call and of most of the process-enumeration hits recorded below.
- Executes dropped EXE (3 IoCs)
  pid   process
  1272  fvenotify.exe
  1676  OptionalFeatures.exe
  1052  wisptis.exe
- Loads dropped DLL (7 IoCs)
  pid   process
  1200  (process name not recorded)
  1272  fvenotify.exe
  1200  (process name not recorded)
  1676  OptionalFeatures.exe
  1200  (process name not recorded)
  1052  wisptis.exe
  1200  (process name not recorded)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str)
  key:   \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\Bsfvntd
  value: "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\IECompatUACache\\VkxLniYdti\\OptionalFeatures.exe"
  process: (not recorded)
  Note that the persisted path (AppData\Roaming\...\IECompatUACache\VkxLniYdti\) differs from the directory the OptionalFeatures.exe copy ran from during this run (AppData\Local\E7vDW6Ff\), so both directories are indicators.
- Checks whether UAC is enabled (4 IoCs)
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  by: rundll32.exe, fvenotify.exe, OptionalFeatures.exe, wisptis.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   process                       hits
  2076  rundll32.exe                  3
  1200  (process name not recorded)   61
- Suspicious use of WriteProcessMemory (18 IoCs)
  Every write originates from PID 1200 and each target is written three times. The targets come in pairs: the System32 original of each binary and the copy dropped under AppData\Local (see the process tree).
  source pid  target pid  target process
  1200        2708        fvenotify.exe (x3)
  1200        1272        fvenotify.exe (x3)
  1200        2200        OptionalFeatures.exe (x3)
  1200        1676        OptionalFeatures.exe (x3)
  1200        1812        wisptis.exe (x3)
  1200        1052        wisptis.exe (x3)
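The detection logic a SOC would want for the table above, as an added example written for this page rather than anything produced by the sandbox: it takes cross-process write events of the shape the report records (source pid, target pid, target image), measures how many distinct processes a single source writes into, and groups the targets by image name so that an original and a relocated copy of the same binary line up. The event list is constructed from the 18 IoCs above; the threshold of two distinct targets is an assumption to tune per estate.

```python
from collections import Counter, defaultdict

# Constructed from the report's "Suspicious use of WriteProcessMemory" table:
# (source_pid, target_pid, target_image). The sandbox logged each pair three
# times (18 IoCs for 6 distinct targets), so the repeats are kept deliberately.
WPM_EVENTS = (
    [(1200, 2708, "fvenotify.exe")] * 3
    + [(1200, 1272, "fvenotify.exe")] * 3
    + [(1200, 2200, "OptionalFeatures.exe")] * 3
    + [(1200, 1676, "OptionalFeatures.exe")] * 3
    + [(1200, 1812, "wisptis.exe")] * 3
    + [(1200, 1052, "wisptis.exe")] * 3
)


def write_fanout(events):
    """Map each source pid to {target_pid: (target_image, write_count)}."""
    counts = Counter((src, dst, img) for src, dst, img in events)
    fanout = defaultdict(dict)
    for (src, dst, img), n in counts.items():
        fanout[src][dst] = (img, n)
    return dict(fanout)


def targets_by_image(events, source_pid):
    """Group one source's targets by image name (case-insensitive), so two
    instances of the same binary, here a System32 original and a dropped copy,
    appear side by side."""
    groups = defaultdict(set)
    for src, dst, img in events:
        if src == source_pid:
            groups[img.lower()].add(dst)
    return {img: sorted(pids) for img, pids in groups.items()}


def flag_injectors(events, min_distinct_targets=2):
    """Return source pids that wrote into at least `min_distinct_targets`
    distinct processes. A single cross-process write is routine (debuggers,
    installers); one pid fanning out into several unrelated images is the
    injection pattern worth alerting on. The threshold is an assumption."""
    return sorted(
        src for src, targets in write_fanout(events).items()
        if len(targets) >= min_distinct_targets
    )


if __name__ == "__main__":
    for src in flag_injectors(WPM_EVENTS):
        print(f"PID {src} wrote into {len(write_fanout(WPM_EVENTS)[src])} processes:")
        for img, pids in sorted(targets_by_image(WPM_EVENTS, src).items()):
            print(f"  {img:<22} targets {pids}")
```

Run against the report's events it flags PID 1200 alone, with six targets grouped into three image pairs; on a real Sysmon Event ID 8/10 or ETW feed the same grouping is what separates a loader hitting freshly spawned copies of system binaries from a debugger attached to one process.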
- Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
All seven processes are recorded at depth 1 (none is a child of another listed process). PID 1200, the source of every WriteProcessMemory call above, does not itself appear in the tree.
- C:\Windows\system32\rundll32.exe (PID 2076)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\7747f0093a61bd648a9356cf2797bc88.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
- C:\Users\Admin\AppData\Local\HxQ5f\fvenotify.exe (PID 1272)
  command line: C:\Users\Admin\AppData\Local\HxQ5f\fvenotify.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\fvenotify.exe (PID 2708)
  command line: C:\Windows\system32\fvenotify.exe
- C:\Users\Admin\AppData\Local\E7vDW6Ff\OptionalFeatures.exe (PID 1676)
  command line: C:\Users\Admin\AppData\Local\E7vDW6Ff\OptionalFeatures.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\OptionalFeatures.exe (PID 2200)
  command line: C:\Windows\system32\OptionalFeatures.exe
- C:\Users\Admin\AppData\Local\0bPa\wisptis.exe (PID 1052)
  command line: C:\Users\Admin\AppData\Local\0bPa\wisptis.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\wisptis.exe (PID 1812)
  command line: C:\Windows\system32\wisptis.exe
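The two host artefacts this report exposes, a system binary running from a user-writable directory (the process tree) and a Run key pointing into the user profile (the "Adds Run key" signature), are checkable with a few lines of triage code. The block below is an added example for this page, not sandbox output: the process tree, the "Loads dropped DLL" pid set and the Run key IoC line are copied from the report as constructed input; the system-directory and user-writable path lists, and the rule that a masquerade candidate which also loaded a dropped DLL is a sideloading suspect, are the author's assumptions. The check generalises past the report: `known_system_names` lets a caller supply an allowlist of System32 binary names instead of relying on the original also being present in the same tree.

```python
import ntpath
import re

# Assumed path classes (lower-cased, backslash-normalised). Extend for a real estate.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE_MARKERS = ("\\appdata\\local\\", "\\appdata\\roaming\\", "\\users\\public\\")

# Constructed from the report's process tree: pid -> image path.
PROCESS_TREE = {
    2076: r"C:\Windows\system32\rundll32.exe",
    1272: r"C:\Users\Admin\AppData\Local\HxQ5f\fvenotify.exe",
    2708: r"C:\Windows\system32\fvenotify.exe",
    1676: r"C:\Users\Admin\AppData\Local\E7vDW6Ff\OptionalFeatures.exe",
    2200: r"C:\Windows\system32\OptionalFeatures.exe",
    1052: r"C:\Users\Admin\AppData\Local\0bPa\wisptis.exe",
    1812: r"C:\Windows\system32\wisptis.exe",
}
# Constructed from the report's "Loads dropped DLL" signature (named pids only).
LOADS_DROPPED_DLL = {1272, 1676, 1052}
# The report's single "Adds Run key" IoC line; backslashes in the quoted value are doubled as printed.
RUN_KEY_IOC = (
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000'
    r'\Software\Microsoft\Windows\CurrentVersion\Run\Bsfvntd = '
    r'"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\IECompatUACache\\VkxLniYdti\\OptionalFeatures.exe"'
)


def _norm(path):
    return path.lower().replace("/", "\\")


def is_system_path(path):
    return _norm(path).startswith(SYSTEM_DIRS)


def is_user_writable(path):
    p = _norm(path)
    return any(marker in p for marker in USER_WRITABLE_MARKERS)


def masquerade_candidates(tree, known_system_names=()):
    """pids whose image name belongs to a Windows system binary (the caller's
    allowlist plus every name seen running from a system directory in this tree)
    but whose own image path lies outside the system directories."""
    names = {n.lower() for n in known_system_names}
    names |= {ntpath.basename(p).lower() for p in tree.values() if is_system_path(p)}
    return sorted(pid for pid, p in tree.items()
                  if ntpath.basename(p).lower() in names and not is_system_path(p))


def sideload_suspects(tree, loads_dropped_dll, known_system_names=()):
    """Masquerade candidates that also loaded a dropped DLL: a relocated system
    binary next to an attacker-supplied DLL is the DLL search-order hijack shape.
    Treating the intersection as the alert is this example's assumption."""
    return sorted(set(masquerade_candidates(tree, known_system_names)) & set(loads_dropped_dll))


# 'Set value (<type>) <key path>\<value name> = "<data>"'
RUN_KEY_RE = re.compile(r'^Set value \((\w+)\) (.+?)\\([^\\]+) = "(.*)"$')


def parse_run_key_ioc(line):
    """Split a sandbox 'Set value' IoC into type, key, value name and unescaped data."""
    m = RUN_KEY_RE.match(line)
    if not m:
        raise ValueError(f"not a Set value IoC: {line!r}")
    vtype, key, name, data = m.groups()
    return {"type": vtype, "key": key, "name": name, "target": data.replace("\\\\", "\\")}


def autostart_findings(lines):
    """(value name, target) for Run-key values whose target sits in a user-writable path."""
    findings = []
    for line in lines:
        ioc = parse_run_key_ioc(line)
        if ioc["key"].lower().endswith("\\currentversion\\run") and is_user_writable(ioc["target"]):
            findings.append((ioc["name"], ioc["target"]))
    return findings


if __name__ == "__main__":
    for pid in sideload_suspects(PROCESS_TREE, LOADS_DROPPED_DLL):
        print(f"sideload suspect PID {pid}: {PROCESS_TREE[pid]}")
    for name, target in autostart_findings([RUN_KEY_IOC]):
        print(f"autostart {name} -> {target}")
```

On this report the three AppData copies (PIDs 1052, 1272, 1676) are the only suspects, rundll32.exe and the System32 originals are not flagged, and the Run key value Bsfvntd resolves to a Roaming-profile path that should be added to the indicator list alongside the three Local directories.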
Network
MITRE ATT&CK Enterprise v15
Downloads
17 files were collected. Three 1.7MB files carry hashes distinct from the submitted sample and from each other, and one entry is the empty file.
- Filesize 1KB
  MD5    a5253ceb3ef871026150fc39d8210c00
  SHA1   6dda88557951075dba52502d7ca435b4c9ea0565
  SHA256 b8f96dbec068a942ba478773e31b27b9e4fd824aaa3d095d46d6d4e3fef08b66
  SHA512 eaf7f5502a0324310448fc2ebba2947c1722e6370cf0ae719570dfd2142408ec18a642172e769496ea4416a8a11842a22589fd1a2b24b1f0652b250f0d89f8ce
- Filesize 15KB
  MD5    c157117e072112b1ba8b13a1e008305b
  SHA1   93ec97d1fb8223003146fb53c6a504d07cd5f8a5
  SHA256 214eba3e76e0db9e946bb2c33207e7be999d15888f75f528bbbe33ea0258b1a1
  SHA512 e46006b6c745f0f3a88ed7f937d07b2f2a999283416c191ef7a9f0f6105311574218e12b51316301d454352b7ba6a99f563d0823b889546692e59c6c465dbd23
- Filesize 59KB
  MD5    84e36bafa0f5b763e8d6417e16964b5f
  SHA1   82d0a025f86743704809a4f814f9336977a6c903
  SHA256 d9589c39eac05be04fbf0fc85e04f06f5f9e30025a3b09217571125c9a887355
  SHA512 e8b7e54a6591f57d81a4409682445d87f0c02af54d48e4a4fc6b64ca0badfb74eed94dd5e4c96bb159207151c3182e3d61688a1c9d357ac372d5dfd9840645d0
- Filesize 15KB
  MD5    2098f9e5f964089dfdb02f2a86eae1b0
  SHA1   fbbaac160ac1a8ea4bd681d3b96cb9a4f163e95b
  SHA256 f319f4fb7f351f87b8a43d878b390bf148db2632bfaba0a589c0830b34d948be
  SHA512 e294eb7412f8b661657480688c3634ea163471932d3b8d3a8f831a1b997a7b19e862c9a2fddc0d16f22a10f0141598aaaf5496f662de7b7e1cf612ae302e5547
- Filesize 95KB
  MD5    84916e2ab92b5fd4a21e9da202a4f5e7
  SHA1   aac4f64a36c7acb26662f878bdbeea128a84779e
  SHA256 6bcbe0bbeeda09f9095c78edb1e279d61ee0ce53431908712a542ee57f80e56c
  SHA512 688216a6ee2a48c3c572c1a79a0b8d729b587a5562c39d7aac74b405c09f106b05f6c730d05ff500936e93013145131ed4b3168948bf4b0a6069b5cff5a076f6
- Filesize 117KB
  MD5    e61d644998e07c02f0999388808ac109
  SHA1   183130ad81ff4c7997582a484e759bf7769592d6
  SHA256 15a85cd6fbcb1ec57d78f986d6dd8908bd56231ce0cf65775075512303f7e5fa
  SHA512 310141b73394ae12a35f8d4f0c097868ee8a8045a62dd402a5dfbe2151980dd4fe18409ae3ca9422e3b88b2fa9afb04c1acbf8ec23a937a0a242b32a9a1e9272
- Filesize 79KB
  MD5    b266d79ad87fd2edcdc6a64f7caaa18a
  SHA1   7a67208f878217d2f164fa4e3dee4aa10efeb51b
  SHA256 5ae190208ad66ae21fc7696843e6d92fe78e1d03d77488e989cb17e8c13d8bce
  SHA512 6be3fd27966769c04157c907f04c0aaaaa472976f2126755a168008cbe258bb986ee67fc04892ba806d5bb798d12599cb78c2f803e3c6e4e43191d3c49289a10
- Filesize 45KB
  MD5    f9c76c892da470d035f4cf35a273bb11
  SHA1   56696489f9cef68e27661053a9848ece877ef25a
  SHA256 f8555ef53c96e8e0c5dce8f219e9c3e6d7f38cb10594e60687ddb9df276101fa
  SHA512 0d61cbbf9d716c7e517eab49544baf44499841ce6bf467f392f3520882e632530101875c141098a6c0c562ef803500985a7fdb43e0e3e3d226678c4baebfe40c
- Filesize 1.7MB
  MD5    72bc675d77a744b1f951e553c2816ea2
  SHA1   36d00a3d4ed648925fce64816bca4b7f69bc2d79
  SHA256 3415c0f9b27c7113e8d7a5f21385677ba1a7f9a845fab0687d0947c3759695bf
  SHA512 c14947625d3a8b2080c65e1257d1985d77b884ac4829d590c825dc44d0d77fb26a153c6386c934fa111cbd98331299d3844de547766d373749a4d3326945c273
- Filesize 1.7MB
  MD5    07da27c96e63838cd7f2b243d92063fe
  SHA1   3b00792d7eeb81663781b92a35b8960cb2dedc1f
  SHA256 e4886cdad647b16151cc0255e4cf229108f135252c43ff74bc1ec8771b2f965e
  SHA512 c29e4c4678cb27ced665353dde3c47fa9bc9001f1c1fdbe8c0fe623c330b7284983d7baa312e77863441c6bd6836273bdb9c7ef64bd670cb40f69a28fa1d2b19
- Filesize 0 bytes (these are the hashes of an empty file)
  MD5    d41d8cd98f00b204e9800998ecf8427e
  SHA1   da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
- Filesize 1.7MB
  MD5    e572e7a377695e6d436a4e6aa11e6193
  SHA1   e2c1b105ad3a3eb0d24ef3f26f217374981cbc1a
  SHA256 64e33d8a4d50812933de39a6992da64d92074f953a1c511d54ee449e1191221f
  SHA512 0d6c9a281cd3997bcb526e2535877915b16b8114fe97582f1c4c2ad40af13a20de9727049b145877ac071ae66c0c900e5eb12b5d2a8ad550d7c65434501db94f
- Filesize 1KB
  MD5    3a35e48f365545a5152c07a2d1d5fc21
  SHA1   138ab5b33ddd0f0159e8ab36ec515f94f5da1984
  SHA256 5b2dfb639daf8455c18f87549901a52e6c62cfa9c3d2042885a3f58d5a5ef907
  SHA512 bb8d6cc40e5f1a1cdc105af667d3fb3b8ddb93763c8c74df7078adc075a7c8682b30b5e9a6a34d37aff1202c9be7a7cd4bb75b275646eb2b447cd9e3f8ddb361
- Filesize 45KB
  MD5    d26e5d3013049fa2df28f560ce87e84d
  SHA1   fa92eea122ac6d47360c47eb4ef09e06bd2899ae
  SHA256 5a0d92c397f413647f6c2b007789c8aa90dd87d25bc6e27bb9ca60af3617c37e
  SHA512 e01a0e27799b493001d71b83f196c1c4bc8d327bb0a6eb835c942111779bb2a2728d88ec145bb8e8a69fe0c54c917244b940c8b9ce26ec6801422bceee4342b3
- Filesize 31KB
  MD5    4452b41ddc6186378ecba67550600199
  SHA1   6a5f5c58682339d7c9f4d2a13f77e68082284230
  SHA256 b3ff19a18d332b851ed6c1eebc74d08ad0790e30b75e4d658be9ba63e940e75c
  SHA512 d3edf04a56bfd5b2b324c41b784b5b7c59d788cda9c7f1170b397ed054faa9178d006cd757c09cc7e1620b8e9485bdb118e346908334451d53af4da363ea9a94
- Filesize 80KB
  MD5    7131ad4a12df34d0e567a9413a77283b
  SHA1   2524a23e913a54c0523058bb419885b8bf32ad27
  SHA256 49ed5b1c177f4917bf3e848ca94b93bd11ffdfc64c613b5cb3aa8ca5b2694c08
  SHA512 956d38f8faebbae0c9cf15d243f59a2e27893e210b0ba4a2ff28a6b57a13c7fc9ccacb8a538495f65237046254e05f3c691b1e67b520d34867586788a6a239e6
- Filesize 67KB
  MD5    af9a68a3e01f7f211c7d4b121e62e811
  SHA1   c9b7ff3368e04fde8d9992f041264a78c4858d17
  SHA256 aa15d52b77ac696d9ff202948bb41a77934ddd67a1b9c32e8d7d6d0c4555c166
  SHA512 fac6bdf782dde40cac15fab983860e6d822fa58fb2c5fb912df2eefbb7db4260dc61ea9c5ff7f9435e76fdc656f22235dd717a75c5af2c5949376534aa5c7d36