Analysis
max time kernel: 150s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-01-2024 12:18

Static task: static1
Behavioral task: behavioral1
Sample: 7a3a76153e2caa54fc663d0fdc121d17.dll
Resource: win7-20231215-en
General
Target: 7a3a76153e2caa54fc663d0fdc121d17.dll
Size: 1.6MB
MD5: 7a3a76153e2caa54fc663d0fdc121d17
SHA1: 328a9e052e7a779cb70145f52761fe95ce11f2a1
SHA256: 4566f8ee1f24d26293566ff8f5bd093244cd716536def070a0cc36ef83be64dd
SHA512: 29dc194e0f6ab90c2eb34c5d989b15ac4950dca13cb3ab8eafcbfa1ac7fc5d108ee9090d25abca1be31633aa6ed0df2cf7369f7855c66f0f952d975d3f8619fd
SSDEEP: 12288:SVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:PfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
Processes:
  resource                                                                      yara_rule
  behavioral2/memory/3296-4-0x00000000038F0000-0x00000000038F1000-memory.dmp    dridex_stager_shellcode

Executes dropped EXE 3 IoCs
Processes:
  pid    process
  2556   SystemPropertiesAdvanced.exe
  4856   BitLockerWizardElev.exe
  3992   msra.exe

Loads dropped DLL 3 IoCs
Processes:
  pid    process
  2556   SystemPropertiesAdvanced.exe
  4856   BitLockerWizardElev.exe
  3992   msra.exe

Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  description       ioc
  Set value (str)   \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Hcbfaqn = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\QUICKL~1\\USERPI~1\\TaskBar\\8wJ0BYT\\BITLOC~1.EXE"

Checks whether UAC is enabled
Processes:
  description         ioc                                                                              process
  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   rundll32.exe
  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   SystemPropertiesAdvanced.exe
  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   BitLockerWizardElev.exe
  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   msra.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
  pid    process
  1496   rundll32.exe   (4 entries)
  3296                  (60 entries)

Suspicious use of AdjustPrivilegeToken 12 IoCs
Processes:
  description                        pid
  Token: SeShutdownPrivilege         3296   (6 entries)
  Token: SeCreatePagefilePrivilege   3296   (6 entries)

Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
  pid
  3296   (2 entries)

Suspicious use of UnmapMainImage 1 IoCs
Processes:
  pid
  3296

Suspicious use of WriteProcessMemory 12 IoCs
Processes:
  description                        pid    target process
  PID 3296 wrote to memory of 3508   3296   SystemPropertiesAdvanced.exe   (2 entries)
  PID 3296 wrote to memory of 2556   3296   SystemPropertiesAdvanced.exe   (2 entries)
  PID 3296 wrote to memory of 2896   3296   BitLockerWizardElev.exe        (2 entries)
  PID 3296 wrote to memory of 4856   3296   BitLockerWizardElev.exe        (2 entries)
  PID 3296 wrote to memory of 2880   3296   msra.exe                       (2 entries)
  PID 3296 wrote to memory of 3992   3296   msra.exe                       (2 entries)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\7a3a76153e2caa54fc663d0fdc121d17.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID: 1496

C:\Windows\system32\SystemPropertiesAdvanced.exe
  command line: C:\Windows\system32\SystemPropertiesAdvanced.exe
  PID: 3508

C:\Users\Admin\AppData\Local\rI0CG6efH\SystemPropertiesAdvanced.exe
  command line: C:\Users\Admin\AppData\Local\rI0CG6efH\SystemPropertiesAdvanced.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 2556

C:\Windows\system32\BitLockerWizardElev.exe
  command line: C:\Windows\system32\BitLockerWizardElev.exe
  PID: 2896

C:\Users\Admin\AppData\Local\6XTLQ\BitLockerWizardElev.exe
  command line: C:\Users\Admin\AppData\Local\6XTLQ\BitLockerWizardElev.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 4856

C:\Windows\system32\msra.exe
  command line: C:\Windows\system32\msra.exe
  PID: 2880

C:\Users\Admin\AppData\Local\LY8KCin\msra.exe
  command line: C:\Users\Admin\AppData\Local\LY8KCin\msra.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 3992
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 100KB
MD5: 8ac5a3a20cf18ae2308c64fd707eeb81
SHA1: 31f2f0bdc2eb3e0d2a6cd626ea8ed71262865544
SHA256: 803eb37617d450704766cb167dc9766e82102a94940a26a988ad26ab8be3f2f5
SHA512: 85d0e28e4bffec709f26b2f0d20eb76373134af43bcaa70b97a03efa273b77dd4fbd4f6ee026774ce4029ab5a983aea057111efcd234ab1686a9bd0f7202748b

Filesize: 637KB
MD5: 0881bd0bb7e90785adf62a7b86a29991
SHA1: 5da5693401d8704239a841b3fd65214ff0d89544
SHA256: f26de7002583374d0f5417351009a371d154e216fc32f961b862076759af671c
SHA512: 988340e29a7a13c7fb23a77130ef55c28079ffa25428132e8985ca53618640be78c0e95f198edd62f325b2ceeb44444bb9f2e214689fe4b9e6755fcc8b57782c

Filesize: 743KB
MD5: d129354d26d7079ea15e0fcc8c213fc7
SHA1: 266cc02c3392af551a1c3f1af10b605c106379aa
SHA256: 344ee2c2a2f2b9b8c7c6020fa560d9d5ac8106ad49a4bd4b1fda628d33ec2f41
SHA512: b9385cdb480dd5fae855ec3752195b70159cf9b56371bd335c5087591505d0d2b4b88810d1cbe7c2b31c57bf4a5eb87c019b3f1c43898ed5227737ef0a5f20eb

Filesize: 684KB
MD5: 38bae3d075bbe75ce96d372f529b7134
SHA1: 96c046593a006f96cf3d65ea3e7986cbf974858c
SHA256: 28f3167e7896bca1dc162906a144e6b97e6f1c74dfb7e5e6cd5eaa6e56a8e86c
SHA512: efa20be4364505d20e1369db4e214dfa583ecc54f4e248162aa338dc9a1f0f96b65dbe28b70b04705ee030da49c5618b93867d78f337f4d0a3a4e50b95f847de

Filesize: 453KB
MD5: ef724c7b63693bc92b0333d3ee0a3338
SHA1: 3f1614a6aeefdc53388b067508fc29940842b1b0
SHA256: 275332764d06f8ba73a36ea997e67bcede1d9689fa8352ff00135721a6fd2f35
SHA512: fe80924b9b5f27e8e4a824e42b64fe57ab91a9adc46bbfa5de7ccf12b3baa2c46583dea043b77c63b8a5979181e0c373a4eb0a6cc8407948ceab1a0af51ea2b9

Filesize: 545KB
MD5: 7b87c6796a2d7e5de9cd9c8296e03dbf
SHA1: 5ac568d80e455718d4c0c7e3db03e1e5a456eba1
SHA256: a7c7b645fddf4d436c4c068ba9e0bb7a7ccfe7821e636bcdc2a1110788636e1f
SHA512: 70527ce3ae68a2118ba7b8f21d78a360c54b05ec385a76f3dbef4d218f4af8e4e068621a151234f44a9eb532c1999083c6344de2cdfd0cb493db753f31198d61

Filesize: 538KB
MD5: 23334362588f6b10e5a58f1ec1b5cedb
SHA1: f594c338ce33dbf74c86a2650e6227eb8b6fec23
SHA256: 57cc160efb221fb3eb4fc57df88432ef933cdfaa3e51e502cb3e4439cdd82405
SHA512: 72e66119b5ee5b3fd919c39735e03d1ea4f2a2ccaa56194ebb1f93495ba2a3f970861b12b47865fcaac81d2f73d33d3cbd99d6963361496ab4ae872f390cd0b1

Filesize: 53KB
MD5: f639c5ee445a2dab4768616969ae4a8b
SHA1: e8c48ae686c560dadbd167491089dd099d9d1a86
SHA256: 8c33f00e874accb229788dbd2a788030e00ffc950562de03f7c04c57414e2a9e
SHA512: 1241d96d6b61fa3633ffae15d7cd185d673a6dac4b92fe4e1f7844cffcf96e60a1e6669b25cedcffba8a001a1da7ff31a79cfd99d09fe5d3ac2d5ab406a7e648

Filesize: 32KB
MD5: 3123265084b8049c00dd468f13a5df89
SHA1: 7e45cbff66ebe4b104eaa500ca8ef60d129a5f97
SHA256: 24b8b1a6480507869de48b6d5ca2a0f0bcae0f55313c8e0ee05f4198c585f046
SHA512: ff95dc8418f18024dcc6ba510f69e57596dbe73d2efff69dca4e88a1af43df2539aa87e289dbab6168612cffe37fa6f1bd627b8db2c95f8e7fe98f9bfd613cca

Filesize: 82KB
MD5: fa040b18d2d2061ab38cf4e52e753854
SHA1: b1b37124e9afd6c860189ce4d49cebbb2e4c57bc
SHA256: c61fa0f8c5d8d61110adbcceaa453a6c1d31255b3244dc7e3b605a4a931c245c
SHA512: 511f5981bd2c446f1f3039f6674f972651512305630bd688b1ef159af36a23cb836b43d7010b132a86b5f4d6c46206057abd31600f1e7dc930cb32ed962298a4

Filesize: 1KB
MD5: 12aa063da2e151cc0d0858f1b71c2c0f
SHA1: 884c1e2a92a07d7942feca57a26bf17e0c272678
SHA256: 1a5f39b1dfb5e61052b58420a97f2852247d696ee8adec8e4d47c5df750fa951
SHA512: 9ca84af97583fc4dfe3c0d950dd51b8e5b16616409deeeec5700a3c432c8333606392fb22deb5b4ce8969dda743c941881325a72d890a4061b011bb8ad71428d

C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\8wJ0BYT\FVEWIZ.dll
Filesize: 1.6MB
MD5: 593297ceda2fc50e55aff253d1d75d95
SHA1: 124cacd89ceeceb0a4ae608e6d8cdcf0ccdf892d
SHA256: 464491f646b956e42da47d9fc35623dedcd2cc2f96384bd0a3ce4ff5ed7d1cf3
SHA512: ee42dfad2d99a8fb7d10c17f36aaa15a1cbc9fe9fd8856dacf69d92307cbce4976782ada52588686c4f0211500f16122b78ae0a65d35a41ca2d26d5e70c68d9f

Filesize: 1.6MB
MD5: 8f2ea99727f33dec0820f20509351ea8
SHA1: b7507b1f3c8697c1e8d11838985dd825fca13a6a
SHA256: 2e44fed26aa40188f50675ea355cf88d354b65c48f9164f62c2fcf6b6055847b
SHA512: 17b987ededd96d0a7ae1c3679f9a6ab9c563bf2526ba404be82f712f03b5b394a9ddc703e748f9aa03cdda20c0cf6a70db339360fb2e708bbc6c08cddd683ac4

Filesize: 1.6MB
MD5: d1adb1ff5f4e49c8e1f763756318e270
SHA1: 7e53c7a9941168b7971093225da16ea32e91a357
SHA256: b0a56fa17035d8e1efc446f85da52f6a8a34f73328e4cc664595e56e7c2cf49b
SHA512: e68999aa311a7ba12a9e112497c21f0a928c15158554947f6b3e0f064f98593ddd07f29b19a6b0be7f5d92b3988d4253df14ed943927f01ed02d49b30cc1b52b