Analysis
  max time kernel: 150s
  max time network: 118s
  platform: windows7_x64
  resource: win7-20231215-en
  resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  submitted: 26-01-2024 21:07
  Static task: static1
  Behavioral task: behavioral1
  Sample: 7862e1e052ba3eff8d397f0c28d8fea7.dll
  Resource: win7-20231215-en
General
  Target: 7862e1e052ba3eff8d397f0c28d8fea7.dll
  Size: 3.2MB
  MD5: 7862e1e052ba3eff8d397f0c28d8fea7
  SHA1: 9573a33a7a67bda2f5d4a1177397e544efb6d829
  SHA256: eeebc052be55ded532fd74517fae12e73ab5054eb3c0d61f000ec87ccb16f526
  SHA512: 4a37ff3116311eefa256610e65ecff791334baa682cd4a50691be10be630ba095df4beac5ee351f4efddf9c1d850ad0250050fbdab48d7b58fed8e1630b64a3b
  SSDEEP: 12288:zVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:ifP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
Processes (resource / yara_rule):
  behavioral1/memory/1180-5-0x0000000002650000-0x0000000002651000-memory.dmp  dridex_stager_shellcode
Executes dropped EXE 3 IoCs
Processes (pid / process):
  2836  BitLockerWizard.exe
  1592  Dxpserver.exe
  852   BdeUISrv.exe
Loads dropped DLL 7 IoCs
Processes (pid / process):
  1180  (no process name reported)
  2836  BitLockerWizard.exe
  1180  (no process name reported)
  1592  Dxpserver.exe
  1180  (no process name reported)
  852   BdeUISrv.exe
  1180  (no process name reported)
Adds Run key to start application 2 TTPs 1 IoCs
Processes (description / ioc / process):
  Set value (str)  \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rtxtioiynm = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-3601492379-692465709-652514833-1000\\At\\Dxpserver.exe"  (no process name reported)
Checks whether UAC is enabled
Processes (description / ioc / process):
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  BitLockerWizard.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  Dxpserver.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  BdeUISrv.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (pid / process):
  2148  rundll32.exe
  2148  rundll32.exe
  2148  rundll32.exe
  1180  (no process name reported; the remaining 61 of the 64 entries are all PID 1180)
Suspicious use of WriteProcessMemory 18 IoCs
Processes (description / pid / process / target process):
  PID 1180 wrote to memory of 2592  1180  (no process name reported)  BitLockerWizard.exe  (3 entries)
  PID 1180 wrote to memory of 2836  1180  (no process name reported)  BitLockerWizard.exe  (3 entries)
  PID 1180 wrote to memory of 2124  1180  (no process name reported)  Dxpserver.exe  (3 entries)
  PID 1180 wrote to memory of 1592  1180  (no process name reported)  Dxpserver.exe  (3 entries)
  PID 1180 wrote to memory of 352   1180  (no process name reported)  BdeUISrv.exe  (3 entries)
  PID 1180 wrote to memory of 852   1180  (no process name reported)  BdeUISrv.exe  (3 entries)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\7862e1e052ba3eff8d397f0c28d8fea7.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID: 2148

C:\Windows\system32\BitLockerWizard.exe
  Command line: C:\Windows\system32\BitLockerWizard.exe
  PID: 2592

C:\Users\Admin\AppData\Local\5oO6A\BitLockerWizard.exe
  Command line: C:\Users\Admin\AppData\Local\5oO6A\BitLockerWizard.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 2836

C:\Windows\system32\Dxpserver.exe
  Command line: C:\Windows\system32\Dxpserver.exe
  PID: 2124

C:\Users\Admin\AppData\Local\1Won\Dxpserver.exe
  Command line: C:\Users\Admin\AppData\Local\1Won\Dxpserver.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 1592

C:\Windows\system32\BdeUISrv.exe
  Command line: C:\Windows\system32\BdeUISrv.exe
  PID: 352

C:\Users\Admin\AppData\Local\7BlOZIKZQ\BdeUISrv.exe
  Command line: C:\Users\Admin\AppData\Local\7BlOZIKZQ\BdeUISrv.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 852
Network
MITRE ATT&CK Enterprise v15
Downloads