Analysis
- max time kernel: 149s
- max time network: 117s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 30-01-2024 23:29

Static task: static1
Behavioral task: behavioral1
- Sample: 82db4107f6e131cd91a70e918dc4bfb2.dll
- Resource: win7-20231129-en
General
- Target: 82db4107f6e131cd91a70e918dc4bfb2.dll
- Size: 3.1MB
- MD5: 82db4107f6e131cd91a70e918dc4bfb2
- SHA1: 113d6fe86befdae836743292ba115bbfd63edbd7
- SHA256: 297b30d04329d60ca335b82dd1d813b21d884fe642e602b61a9314501ad69782
- SHA512: 92c92584210b0c0bf9b6d1798a0db0b21901763ef07f93bf176a607ae6448be6e2e82ecc909df5aa65f3a02899cf80c75357d08e544e85438e11a1430c14c6a7
- SSDEEP: 12288:FVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1I1:cfP7fWsK5z9A+WGAW+V5SB6Ct4bnbI1
Malware Config
Signatures
- YARA rule match: dridex_stager_shellcode
  resource: behavioral1/memory/1384-5-0x0000000002A00000-0x0000000002A01000-memory.dmp
  yara_rule: dridex_stager_shellcode
- Executes dropped EXE (3 IoCs)
  pid   process
  1764  ComputerDefaults.exe
  876   DeviceDisplayObjectProvider.exe
  2344  BitLockerWizardElev.exe
- Loads dropped DLL (7 IoCs)
  pid   process
  1384  (process name not recorded in the report)
  1764  ComputerDefaults.exe
  1384  (process name not recorded in the report)
  876   DeviceDisplayObjectProvider.exe
  1384  (process name not recorded in the report)
  2344  BitLockerWizardElev.exe
  1384  (process name not recorded in the report)
- Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mjgqrtoi = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\QUICKL~1\\CF0VXO~1\\DEVICE~1.EXE"
- Checks whether UAC is enabled
  description: Key value queried
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  processes (one query each): ComputerDefaults.exe, DeviceDisplayObjectProvider.exe, BitLockerWizardElev.exe, rundll32.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   process
  2948  rundll32.exe (3 entries)
  1384  (61 entries; process name not recorded in the report)
- Suspicious use of WriteProcessMemory (18 IoCs)
  Each row below appears three times in the report; the writing process is pid 1384, whose name is not recorded.
  description                        pid   target process
  PID 1384 wrote to memory of 2940   1384  ComputerDefaults.exe
  PID 1384 wrote to memory of 1764   1384  ComputerDefaults.exe
  PID 1384 wrote to memory of 1792   1384  DeviceDisplayObjectProvider.exe
  PID 1384 wrote to memory of 876    1384  DeviceDisplayObjectProvider.exe
  PID 1384 wrote to memory of 1496   1384  BitLockerWizardElev.exe
  PID 1384 wrote to memory of 2344   1384  BitLockerWizardElev.exe
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\82db4107f6e131cd91a70e918dc4bfb2.dll,#1
  PID: 2948
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\ComputerDefaults.exe
  command line: C:\Windows\system32\ComputerDefaults.exe
  PID: 2940
- C:\Users\Admin\AppData\Local\m2cq\ComputerDefaults.exe
  command line: C:\Users\Admin\AppData\Local\m2cq\ComputerDefaults.exe
  PID: 1764
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\DeviceDisplayObjectProvider.exe
  command line: C:\Windows\system32\DeviceDisplayObjectProvider.exe
  PID: 1792
- C:\Users\Admin\AppData\Local\rMqp\DeviceDisplayObjectProvider.exe
  command line: C:\Users\Admin\AppData\Local\rMqp\DeviceDisplayObjectProvider.exe
  PID: 876
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\BitLockerWizardElev.exe
  command line: C:\Windows\system32\BitLockerWizardElev.exe
  PID: 1496
- C:\Users\Admin\AppData\Local\AMsGPi\BitLockerWizardElev.exe
  command line: C:\Users\Admin\AppData\Local\AMsGPi\BitLockerWizardElev.exe
  PID: 2344
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\EYSJKQKJ\IkhM45LsJ8\FVEWIZ.dll (3.1MB)
- C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\cf0VXOVMXTd\DeviceDisplayObjectProvider.exe (109KB)
- \Users\Admin\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\EYSJKQKJ\IkhM45LsJ8\BitLockerWizardElev.exe (1KB)