Analysis
max time kernel: 150s
max time network: 121s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 30-01-2024 21:46
Static task: static1
Behavioral task: behavioral1
Sample: 82a4bc5335713f3201927604dc1c17fa.dll
Resource: win7-20231215-en
General
Target: 82a4bc5335713f3201927604dc1c17fa.dll
Size: 1.7MB
MD5: 82a4bc5335713f3201927604dc1c17fa
SHA1: 0760fdf10d7b767e7b1c6c75b5a6df7fa582f2de
SHA256: b24b5a97da7b45c297575085b7e6a6812e70391a8460609e4ab225c8b8c421b8
SHA512: fdc555fae69369b3e61dae10b2e01607d5c853ed93bc403d08678447454e550ed598a3c46e4c7489e9e9626ffca57c317a92b64a3e48c6d44717667be684fe2e
SSDEEP: 12288:hVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:QfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
YARA match: dridex_stager_shellcode 1 IoCs
resource: behavioral1/memory/1260-5-0x0000000002BA0000-0x0000000002BA1000-memory.dmp
yara_rule: dridex_stager_shellcode
Executes dropped EXE 3 IoCs
Processes:
pid   process
1924  raserver.exe
2792  Utilman.exe
800   BitLockerWizard.exe
Loads dropped DLL 7 IoCs
Processes:
pid   process
1260  (no image name recorded)
1924  raserver.exe
1260  (no image name recorded)
2792  Utilman.exe
1260  (no image name recorded)
800   BitLockerWizard.exe
1260  (no image name recorded)
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\Fskzoiv = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\IEDownloadHistory\\o6T6Cp0b67\\Utilman.exe"
process: (no image name recorded)
Checks whether UAC is enabled 4 IoCs
Processes:
description        ioc                                                                                  process
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  raserver.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  Utilman.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  BitLockerWizard.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid   process                   entries
2480  rundll32.exe              3
1260  (no image name recorded)  61
Suspicious use of WriteProcessMemory 18 IoCs
Processes (the source process column is empty for PID 1260 in every row; each row is recorded three times):
description                       pid   target process       entries
PID 1260 wrote to memory of 2560  1260  raserver.exe         3
PID 1260 wrote to memory of 1924  1260  raserver.exe         3
PID 1260 wrote to memory of 616   1260  Utilman.exe          3
PID 1260 wrote to memory of 2792  1260  Utilman.exe          3
PID 1260 wrote to memory of 1208  1260  BitLockerWizard.exe  3
PID 1260 wrote to memory of 800   1260  BitLockerWizard.exe  3
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\82a4bc5335713f3201927604dc1c17fa.dll,#1
  PID: 2480
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\raserver.exe
  command line: C:\Windows\system32\raserver.exe
  PID: 2560
- C:\Users\Admin\AppData\Local\BwjLVSh\raserver.exe
  command line: C:\Users\Admin\AppData\Local\BwjLVSh\raserver.exe
  PID: 1924
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\Utilman.exe
  command line: C:\Windows\system32\Utilman.exe
  PID: 616
- C:\Users\Admin\AppData\Local\HpCcfb\Utilman.exe
  command line: C:\Users\Admin\AppData\Local\HpCcfb\Utilman.exe
  PID: 2792
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\BitLockerWizard.exe
  command line: C:\Windows\system32\BitLockerWizard.exe
  PID: 1208
- C:\Users\Admin\AppData\Local\fUkKHw\BitLockerWizard.exe
  command line: C:\Users\Admin\AppData\Local\fUkKHw\BitLockerWizard.exe
  PID: 800
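The process tree and the Signatures section together describe one chain: the DLL is invoked through rundll32.exe from %TEMP%, three legitimate System32 binaries (raserver.exe, Utilman.exe, BitLockerWizard.exe) are copied into per-user directories under AppData\Local and executed from there, those copies load dropped DLLs (one of them named WTSAPI32.dll, dropped under the Start Menu folder), and a Run value autostarts the relocated Utilman.exe. That layout is the classic DLL side-loading arrangement, and each step is cheap to detect from process-creation, image-load and registry telemetry. The Python below is an added example written for this page, not part of the sandbox report or of any vendor tooling: it runs four such checks over hand-constructed Sysmon-style events rebuilt from the report's PIDs and paths. The allowlists of system binary and DLL names, the attribution of the WTSAPI32.dll load to PID 2792, the absence of a PID on the Run-value event, and the benign "updater.exe" control record are all assumptions made for the example.

```python
"""Flag the masquerading / side-loading chain shown in this report's process tree.

Added example, not part of the sandbox report. SAMPLE_EVENTS is constructed by
hand from the report (Sysmon-style field names: Image, CommandLine, ImageLoaded,
TargetObject, Details); it was not exported from the sandbox.
"""
import re

# Assumed allowlist of System32 binaries/DLLs whose names the sample reuses.
# In production, build this from an inventory of %SystemRoot%\System32.
SYSTEM_BINARIES = {"raserver.exe", "utilman.exe", "bitlockerwizard.exe"}
SYSTEM_DLLS = {"wtsapi32.dll"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
RUN_KEY_RE = re.compile(r"\\currentversion\\run(?:once)?\\[^\\]+$", re.I)
RUNDLL32_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)', re.I)


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def in_system_dir(path):
    return path.lower().startswith(SYSTEM_DIRS)


def first_path(command):
    """Executable path at the start of a Run value or command line."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(" ", 1)[0]


def analyze(events):
    """Return (rule, pid, path) findings for the side-loading indicators."""
    findings = []
    for ev in events:
        kind, pid = ev["EventType"], ev.get("ProcessId")
        if kind == "ProcessCreate":
            image = ev["Image"]
            # A System32 file name executing from a user-writable directory.
            if basename(image) in SYSTEM_BINARIES and not in_system_dir(image):
                findings.append(("system_binary_relocated", pid, image))
            # rundll32 handed a DLL under a user profile (here %TEMP%, export #1).
            m = RUNDLL32_RE.search(ev.get("CommandLine", ""))
            if m and "\\users\\" in m.group(1).lower():
                findings.append(("rundll32_user_dll", pid, m.group(1)))
        elif kind == "ImageLoad":
            loaded = ev["ImageLoaded"]
            # A DLL carrying a Windows system DLL name loaded from outside System32.
            if basename(loaded) in SYSTEM_DLLS and not in_system_dir(loaded):
                findings.append(("system_dll_sideload", pid, loaded))
        elif kind == "RegistryValueSet" and RUN_KEY_RE.search(ev["TargetObject"]):
            target = first_path(ev["Details"])
            # Run value that autostarts a relocated System32 binary.
            if basename(target) in SYSTEM_BINARIES and not in_system_dir(target):
                findings.append(("run_key_relocated_system_binary", pid, target))
    return findings


# Constructed events reproducing the report. The WTSAPI32.dll load is attributed
# to PID 2792 and the Run value to no PID; both are assumptions for the example.
APPDATA = "C:\\Users\\Admin\\AppData\\"
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate", "ProcessId": 2480, "Image": "C:\\Windows\\system32\\rundll32.exe",
     "CommandLine": "rundll32.exe " + APPDATA + "Local\\Temp\\82a4bc5335713f3201927604dc1c17fa.dll,#1"},
    {"EventType": "ProcessCreate", "ProcessId": 2560, "Image": "C:\\Windows\\system32\\raserver.exe"},
    {"EventType": "ProcessCreate", "ProcessId": 1924, "Image": APPDATA + "Local\\BwjLVSh\\raserver.exe"},
    {"EventType": "ProcessCreate", "ProcessId": 616, "Image": "C:\\Windows\\system32\\Utilman.exe"},
    {"EventType": "ProcessCreate", "ProcessId": 2792, "Image": APPDATA + "Local\\HpCcfb\\Utilman.exe"},
    {"EventType": "ProcessCreate", "ProcessId": 1208, "Image": "C:\\Windows\\system32\\BitLockerWizard.exe"},
    {"EventType": "ProcessCreate", "ProcessId": 800, "Image": APPDATA + "Local\\fUkKHw\\BitLockerWizard.exe"},
    {"EventType": "ImageLoad", "ProcessId": 2792, "ImageLoaded": APPDATA + "Roaming\\Microsoft\\Windows\\"
     "Start Menu\\Programs\\Accessories\\System Tools\\4xmVg\\WTSAPI32.dll"},
    {"EventType": "RegistryValueSet", "TargetObject": "HKU\\S-1-5-21-452311807-3713411997-1028535425-1000"
     "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Fskzoiv",
     "Details": APPDATA + "Roaming\\Microsoft\\Windows\\IEDownloadHistory\\o6T6Cp0b67\\Utilman.exe"},
    # Constructed benign control: a quoted vendor path in Run must not fire.
    {"EventType": "RegistryValueSet", "ProcessId": 4242, "TargetObject": "HKU\\S-1-5-21-452311807-"
     "3713411997-1028535425-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
     "Details": '"C:\\Program Files\\Example\\updater.exe" /quiet'},
]

if __name__ == "__main__":
    for rule, pid, path in analyze(SAMPLE_EVENTS):
        print(f"{rule:32} pid={pid} {path}")
```

Run stand-alone it reports six findings: the rundll32 call with a DLL in %TEMP%, the three relocated binaries (PIDs 1924, 2792, 800), the WTSAPI32.dll load from the Start Menu folder, and the Run value pointing at the relocated Utilman.exe; the System32 originals (2560, 616, 1208) and the benign control stay quiet. The checks key on file name versus directory rather than on the random directory names (BwjLVSh, HpCcfb, fUkKHw, o6T6Cp0b67), which change per infection, so the same logic carries to the next sample.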
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 475KB
MD5: 40e79bcdfceb9abc774cd4ce1913f167
SHA1: 7c7f99c9ba975704ecc63c64045f595f8fddaf10
SHA256: 70849c9108b9049ae1b1e152ba10227a55d4050608f27e0f07fe8376f189d3fa
SHA512: 681eebf8044eb7dd21fe72396c399541bf38f18529e1f4684536fe26bdd3fef3fb45066b951b6221aaf1ef08f07dbb9cefd63e4f932ee319dadcf1d7fb449db3
-
Filesize: 123KB
MD5: cd0bc0b6b8d219808aea3ecd4e889b19
SHA1: 9f8f4071ce2484008e36fdfd963378f4ebad703f
SHA256: 16abc530c0367df1ad631f09e14c565cf99561949aa14acc533cd54bf8a5e22c
SHA512: 84291ea3fafb38ef96817d5fe4a972475ef8ea24a4353568029e892fa8e15cf8e8f6ef4ff567813cd3b38092f0db4577d9dccb22be755eebdd4f77e623dc80ac
-
Filesize: 1.2MB
MD5: 94b82b06ef00aac47ddbc60a782d9d92
SHA1: 3bad39eab79fcdaa86d9b5ad693d944595d320e1
SHA256: 0379dca29ac143aa5d91125106f46ea9f49c84b7b87ecf08c207324c4935a097
SHA512: 4f3c07b5127c6445a5053ef7404c4ea08dc27320efb55a99b58ddcc1eb7767e79ae2f329d1f4101514eaa5f4fcbaea4baa235d16351244d1d299c81fdbf47494
-
Filesize: 1.3MB
MD5: 32c5ee55eadfc071e57851e26ac98477
SHA1: 8f8d0aee344e152424143da49ce2c7badabb8f9d
SHA256: 7ca90616e68bc851f14658a366d80f21ddb7a7dd8a866049e54651158784a9ea
SHA512: e0943efa81f3087c84a5909c72a436671ee8cc3cc80154901430e83ec7966aac800ad4b26f4a174a0071da617c0982ceda584686c6e2056e1a83e864aca6c975
-
Filesize: 98KB
MD5: 08a761595ad21d152db2417d6fdb239a
SHA1: d84c1bc2e8c9afce9fb79916df9bca169f93a936
SHA256: ec0b9e5f29a43f9db44fa76b85701058f26776ab974044c1d4741591b74d0620
SHA512: 8b07828e9c0edf09277f89294b8e1a54816f6f3d1fe132b3eb70370b81feb82d056ec31566793bd6f451725f79c3b4aeedb15a83216115e00943e0c19cab37c9
-
Filesize: 1.7MB
MD5: c6e7d0ebbf7ebc4a01f50207d50d2442
SHA1: 560a7587255e027f37d7f44cda8ac5eccaa9fad0
SHA256: 13a64706754cb79f8c42b4595a1afd24e50bee4e905f02559ab486146b5752d3
SHA512: 7b7020372974da34c1ebe047e0aed6b71e0ca2712a4dc382f44c7e6a0871109559f1e9e9ba2c921dffab02bdae5c79931027004af5c855fda535740907cae00a
-
Filesize: 1KB
MD5: 2709b8e6adb741768c5304b14638a600
SHA1: 6402622a4ac56907a89c57f3a1c91700d695e8ff
SHA256: e18cc7b8de30041765d5df88a6f3950341890524d17164a86b00c5f7430ce70c
SHA512: 82287263e903a17f75ec704a95441a0d424850df6209b84fa4c56f9bfc239d0876694b47f20566f28385b8638dca7fb23dcaba874a4e0eaf07b707804448d758
-
Filesize: 1.9MB
MD5: 714f3bc478bfe98ecd4a9ccc595720ce
SHA1: 7c3587b9a1f2cc1eefe71c1afd2989e7dfb9e021
SHA256: 81e62aab7ec80d454eed0f2b39e1769338a7cbee884433659487b2fe1ec95269
SHA512: cc72e1f110aeee89fa2f117dd263b10396a5fe83160a6c2986e3f5705decbf8769150c0d0025c815cb2eadb31a8c6ea70c8c025129ba4b5602dcecd807a0cf51
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\4xmVg\WTSAPI32.dll
Filesize: 1.7MB
MD5: 3be5ef623e8882cf49366c54c260663e
SHA1: fe90098027f39a097ecb7413b192bfef6c297664
SHA256: ba9c20af25a4d4245a761ecd9de367e18d0fdb720759f390cdd561587676fac0
SHA512: e103fef057e923bfd14818f983efb8670e9227c616105e51c6754b77cd243431460d154c176792663bbf09e9a003091dc1b8c7afba56210193cc8db311535d3d
-
Filesize: 259KB
MD5: 2056825fde299eab944562db6d64c66c
SHA1: 9709850fb65fe760f92e0ad5c90c6e6de7e45b76
SHA256: d59ce7a7ff891e279e52ad379147b9678c91042c0046d33b0a132aef82cab7f6
SHA512: e780a6572a28a5d5d6c754eb4023ad10b44bc8badebf10da8388b1ce6188955158c56fbfa55c616d5d00e61ac219bdecb80bf482222da08d6645df172649d2e9
-
Filesize: 983KB
MD5: 515f26508b41412a0d07895b7981b421
SHA1: ea1bdb5e336803c5a0ead032e52beb2fce37765a
SHA256: 2d0fda983f9c9d8365401e98f2b6c2b3386745bf6f3235be8027e9ce3eb7ee60
SHA512: 809f8c4bc72ee53a3886f3c34e246163d216be695abc43e6e90796ce745f3a7f0e62081dee37e8f7cdc4d18f95e61b40a611d7891496cdf01b9ed26a7674cfe6