Analysis
- max time kernel: 150s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 30-01-2024 08:32
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 81f7894d5f57875aac520d9601f29693.dll
  - Resource: win7-20231215-en
General
- Target: 81f7894d5f57875aac520d9601f29693.dll
- Size: 1.7MB
- MD5: 81f7894d5f57875aac520d9601f29693
- SHA1: 4d2eceac1f40f5fe233c6ba1a1653b058173afed
- SHA256: a6f1f005d6597eeaad112e697cdc23a870332a42fd7f897df28d80450d8f1801
- SHA512: 529bdda31f96e411ef5666581d4fa91ec4e9a14eae64eb544fca05910a3eb52d53f2b3d91153489bfa19d1e87e44075a0a6c04607fd5acaf66e25fcdd861870f
- SSDEEP: 12288:kVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:BfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
- YARA match
  resource: behavioral1/memory/1244-5-0x0000000002C20000-0x0000000002C21000-memory.dmp
  yara_rule: dridex_stager_shellcode
- Executes dropped EXE (3 IoCs)
  pid   process
  2572  TpmInit.exe
  2148  BitLockerWizardElev.exe
  2784  fveprompt.exe
- Loads dropped DLL (7 IoCs)
  pid   process
  1244  (process name not recorded)
  2572  TpmInit.exe
  1244  (process name not recorded)
  2148  BitLockerWizardElev.exe
  1244  (process name not recorded)
  2784  fveprompt.exe
  1244  (process name not recorded)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\Niubkzso = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\UserData\\Low\\JtlScQzd\\BITLOC~1.EXE"
  The report does not record which process set this value. The path is written with 8.3 short names: MICROS~1\INTERN~1 is the short form of Microsoft\Internet Explorer, and BITLOC~1.EXE is consistent with the dropped BitLockerWizardElev.exe listed above, although the report does not confirm the expansion.
- Checks whether UAC is enabled
  Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA by rundll32.exe, TpmInit.exe, BitLockerWizardElev.exe and fveprompt.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  1700 rundll32.exe (3 events); 1244 (61 events; process name not recorded)
- Suspicious use of WriteProcessMemory (18 IoCs)
  PID 1244 wrote to the memory of each target process three times:
  2440 TpmInit.exe, 2572 TpmInit.exe, 2144 BitLockerWizardElev.exe, 2148 BitLockerWizardElev.exe, 2152 fveprompt.exe, 2784 fveprompt.exe
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
The list below is flat (no parent/child relationships are shown). PID 1244, which holds the YARA-matched stager shellcode and is the source of every WriteProcessMemory event above, is not listed, so its image name is not recorded in this report. Each of the three Windows binaries is started once from C:\Windows\system32 and once from a randomly named folder under C:\Users\Admin\AppData\Local; only the copies in AppData carry the "Executes dropped EXE" and "Loads dropped DLL" signatures.

- C:\Windows\system32\rundll32.exe (PID 1700)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\81f7894d5f57875aac520d9601f29693.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\TpmInit.exe (PID 2440)
  command line: C:\Windows\system32\TpmInit.exe
- C:\Users\Admin\AppData\Local\K5Rk\TpmInit.exe (PID 2572)
  command line: C:\Users\Admin\AppData\Local\K5Rk\TpmInit.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\BitLockerWizardElev.exe (PID 2144)
  command line: C:\Windows\system32\BitLockerWizardElev.exe
- C:\Users\Admin\AppData\Local\0H66b\BitLockerWizardElev.exe (PID 2148)
  command line: C:\Users\Admin\AppData\Local\0H66b\BitLockerWizardElev.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\fveprompt.exe (PID 2152)
  command line: C:\Windows\system32\fveprompt.exe
- C:\Users\Admin\AppData\Local\uXAK5Vf6\fveprompt.exe (PID 2784)
  command line: C:\Users\Admin\AppData\Local\uXAK5Vf6\fveprompt.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
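The signatures and process list describe one pattern: a Windows binary is run from System32, a copy of it is run from a random AppData\Local folder (where it picks up a dropped DLL from its own directory), and an autorun entry is written with an 8.3 short-name path. The Python below is an added example and not part of the sandbox report or its tooling. It runs that detection logic over a constructed event list built from the PIDs, paths and registry value on this page; the event schema, the mem_writer field and all function names are this example's own assumptions.

```python
"""Added triage example (not part of the sandbox report): flag the side-loading
and Run-key pattern shown above. EVENTS is a constructed, hypothetical telemetry
schema filled from the PIDs, paths and registry value on the page."""
import re
from collections import defaultdict

SYSTEM32 = r"c:\windows\system32"
USER_WRITABLE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\", re.I)
SHORT_TAIL = re.compile(r"~\d+")                       # 8.3 component, e.g. MICROS~1
SHORT_NAME = re.compile(r"([A-Z0-9_$!#%&()@^{}-]{1,6})~\d+(?:\.([A-Z0-9]{1,3}))?")
NOT_83 = re.compile(r"[^A-Z0-9_$!#%&()@^{}-]")        # chars NTFS drops from a short stem

def proc(pid, mem_writer, image, cmdline=None):
    # mem_writer: PID the report shows writing to this process's memory, or None.
    return {"type": "process", "pid": pid, "mem_writer": mem_writer,
            "image": image, "cmdline": cmdline or image}

# Constructed from the report. 1244 is the unnamed process holding the stager
# shellcode; the report does not record which process set the Run key.
EVENTS = [
    proc(1700, None, r"C:\Windows\system32\rundll32.exe",
         r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\81f7894d5f57875aac520d9601f29693.dll,#1"),
    proc(2440, 1244, r"C:\Windows\system32\TpmInit.exe"),
    proc(2572, 1244, r"C:\Users\Admin\AppData\Local\K5Rk\TpmInit.exe"),
    proc(2144, 1244, r"C:\Windows\system32\BitLockerWizardElev.exe"),
    proc(2148, 1244, r"C:\Users\Admin\AppData\Local\0H66b\BitLockerWizardElev.exe"),
    proc(2152, 1244, r"C:\Windows\system32\fveprompt.exe"),
    proc(2784, 1244, r"C:\Users\Admin\AppData\Local\uXAK5Vf6\fveprompt.exe"),
    {"type": "regset", "pid": None,
     "key": r"\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000"
            r"\Software\Microsoft\Windows\CurrentVersion\Run\Niubkzso",
     "value": r"C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\UserData\Low\JtlScQzd\BITLOC~1.EXE"},
]

def find_relocated_system_binaries(events):
    """System32 image names that also ran from a user-writable directory: the
    genuine binary runs from System32, then a copy of it from a random AppData
    folder resolves an imported DLL from its own directory first (side-loading)."""
    by_name = defaultdict(lambda: {"system32": [], "elsewhere": []})
    for ev in events:
        if ev["type"] == "process":
            directory, _, name = ev["image"].lower().rpartition("\\")
            by_name[name]["system32" if directory == SYSTEM32 else "elsewhere"].append(ev)
    hits = []
    for name, seen in by_name.items():
        for copy in seen["elsewhere"]:
            if seen["system32"] and USER_WRITABLE.match(copy["image"]):
                hits.append({"name": name, "pid": copy["pid"], "copy": copy["image"],
                             "original_pids": [p["pid"] for p in seen["system32"]],
                             "same_writer": all(p["mem_writer"] == copy["mem_writer"]
                                                for p in seen["system32"])})
    return hits

def find_suspicious_run_keys(events):
    """Run-key values that point into AppData or use 8.3 short names. Short names
    (MICROS~1, BITLOC~1.EXE) defeat naive full-path matches; the shell expands
    them at logon, so the autorun still works."""
    hits = []
    for ev in events:
        if ev["type"] != "regset" or "\\currentversion\\run\\" not in ev["key"].lower():
            continue
        reasons = []
        if USER_WRITABLE.match(ev["value"]):
            reasons.append("autorun target in AppData")
        if SHORT_TAIL.search(ev["value"]):
            reasons.append("8.3 short-name path")
        if reasons:
            hits.append({"key": ev["key"], "value": ev["value"], "reasons": reasons})
    return hits

def short_name_candidates(short, long_names):
    """Long names consistent with an 8.3 short name such as BITLOC~1.EXE.
    Approximation: NTFS keeps the first six 8.3-legal stem characters and the ~N
    tail depends on collisions in that directory, so these are candidates only."""
    m = SHORT_NAME.fullmatch(short.upper())
    if not m:
        return []
    stem, ext = m.group(1), m.group(2) or ""
    out = []
    for name in long_names:
        base, _, long_ext = name.rpartition(".") if "." in name else (name, "", "")
        if NOT_83.sub("", base.upper()).startswith(stem) and long_ext.upper()[:3] == ext:
            out.append(name)
    return out

def triage(events):
    """Findings tying each side-loaded copy to the Run-key target."""
    relocated = find_relocated_system_binaries(events)
    names = sorted({h["name"] for h in relocated})
    findings = [f"side-load candidate: {h['name']} ran from {h['copy']} (pid {h['pid']}); "
                f"System32 original pid(s) {h['original_pids']}" for h in relocated]
    for k in find_suspicious_run_keys(events):
        value_name = k["key"].rsplit("\\", 1)[-1]
        target = k["value"].rsplit("\\", 1)[-1]
        cands = short_name_candidates(target, names) or ["no dropped binary seen"]
        findings.append(f"persistence: Run\\{value_name} = {k['value']} "
                        f"[{'; '.join(k['reasons'])}; {target} likely {', '.join(cands)}]")
    return findings

if __name__ == "__main__":
    for line in triage(EVENTS):
        print(line)
```

Run stand-alone, the script prints three side-load candidates (the AppData copies of TpmInit.exe, BitLockerWizardElev.exe and fveprompt.exe, each paired with its System32 original and the same writer PID 1244) and one persistence finding whose short-name target is matched back to the dropped BitLockerWizardElev.exe. The rundll32.exe launch is not flagged because it only ran from System32. On a live host the same checks would be fed from Sysmon event IDs 1 and 13 or EDR process and registry telemetry rather than a hand-built list; the short-name expansion is deliberately reported as a candidate, since only the file system that created the 8.3 alias can confirm it.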
Network
MITRE ATT&CK Enterprise v15
Downloads
The report lists dropped files by size and hash only; file names and paths are not recorded. Three entries share the sample's 1.7MB size but have different hashes.

- Filesize: 98KB
  MD5: 73f13d791e36d3486743244f16875239
  SHA1: ed5ec55dbc6b3bda505f0a4c699c257c90c02020
  SHA256: 2483d2f0ad481005cca081a86a07be9060bc6d4769c4570f92ad96fa325be9b8
  SHA512: 911a7b532312d50cc5e7f6a046d46ab5b322aa17ce59a40477173ea50f000a95db45f169f4ea3574e3e00ae4234b9f8363ac79329d683c14ebee1d423e6e43af
- Filesize: 552KB
  MD5: 02d9f5bf31dd8faa6f4bd5589cbdffdc
  SHA1: 2690442db09a6358a7fb4b89473f5859c8bf0d9a
  SHA256: 3a6a103e04853cc77532a1d7b49e009b62044a5dc2e074127539e5c95f92805f
  SHA512: 21ab4afd95de5d061f77a2d6a013dcd5758a079c3bf75e9f2d489d209f95e70181d497d95c06b78fd8275af0e87b00ecb10c7cd166639cfc7833f27cb5d3581c
- Filesize: 150KB
  MD5: 6cbedd406eee67125836ca80fb49cd9a
  SHA1: 56a40c238d2cbca6daeacfd5a041a3b33477bf7b
  SHA256: 9b136493759655a014b53128a0ee0e275bdf45f00c0b2ac97ab1ab8c5022060d
  SHA512: a6807b4c7985fef7ee8173792b27eaefdefd230ce74caa63c5a5e55ed21c9dcea227ae0bb829db6aa925106909b7eb7deda37770366227046e811c8952b8e604
- Filesize: 104KB
  MD5: dc2c44a23b2cd52bd53accf389ae14b2
  SHA1: e36c7b6f328aa2ab2f52478169c52c1916f04b5f
  SHA256: 7f5b19f2c6a94833196ee1929d48094889b33b504d73d3af88dd857ceaf67921
  SHA512: ff083f74777a9cfc940d4e0cb55886397e27c85f867de9a5dd9ea2c2751d2a77bf75fe0734e424d9678c83e927788d07d0b3072024f7e5a9848c7ff1aa4090dc
- Filesize: 92KB
  MD5: 1dbe430b61992fddcfb619c0c985c2b0
  SHA1: f25679aadc70d9a163e83f3c88920aa139fb0c42
  SHA256: 548ffedb55cfd4b365fd850c5f8ca68fd866ceb0faed145ad78b6f9a3e80a61b
  SHA512: 314ade0f6852b9c52b444e33edfa3cd44fbcb3f7d868d419c2e437b013d043eecfb13b8bf6ed50a8beb7338c3b526ef5241f347fdcbcc6814089a7fa8958a5d2
- Filesize: 148KB
  MD5: d3e6be2623673bf93522feda1f6c00c7
  SHA1: b446c9218103cc1ba4bd0e7d2169fb7d64f80726
  SHA256: 3ca85aa36be384f0641ba879f5ae850709a3d9d46ee50401f65bb39f42706ee5
  SHA512: d7bae1230116cc012010db451955289ef2716e2dc3e30edf3370acaca6362d393ff13bee0ab46854b6d438ad6d7c98452d54d0ebda1029129c7f19f10bd814c4
- Filesize: 1KB
  MD5: 3a8c634976c2aaa259f461c88cf77ff6
  SHA1: 447f4213a158c156e37ad1a85fa9e5b48a083a47
  SHA256: cdf80913f8fb3c7d5d0159b1e7e768e5c73477c3a8251568b9787e9071477371
  SHA512: 6e852af45b5f53e147f57848c880cec276eca52df28a84993bde7a04a5bec1b3cd8be15d971d8182b5839e16c3cf25ff5f7742ae61c4ce2cac1906d97c1b34fc
- Filesize: 1.7MB
  MD5: 8cee3c93272c8fd10483694b6a10e1fc
  SHA1: b14d192cf0412d45e74c5e457bf723b7dc19f9a0
  SHA256: 7d95db42a54cf28c66877e2c8dec570991d29c724aa21ddea45990502e07a6d5
  SHA512: e340a31f71d1d12020c518ffe0f6e2127f0b6665f573687ddc2721128ac096436a95883422cde9397a5b1068775777757dfb10de299a6648de946d3b49aec5bb
- Filesize: 72KB
  MD5: f85aa5ae4e3c1e52f610fd0a61e90743
  SHA1: 1fcb61d04c986ac9a6ac43f9dad2c87ff67e2dce
  SHA256: ec2462ab80ac9f2e1d5b32bd9a38da4d7c49dbf4dcfb2de5ebc8cfc5234687d1
  SHA512: 035800fa1e4218dd77903890735b9a4f104d5f728602b5198eb3f388586703522922cded89003f312bf5429afed02222630e1068d5dec5f7ff875bce1e01a146
- Filesize: 1.7MB
  MD5: a41f70f3a346045d67e98197c6a02a12
  SHA1: d8abd87faf0c1232b023984040bc6cafb2cc9667
  SHA256: e8e4110636570a4a731443f66a9a03ce295cf79f998194d501bd35c78eaa29fc
  SHA512: 655a78b80c9cef4eaf40cd2cf3bf75baf8d834507924982320872d010806e8e6781383304fd31fbc992a8ef7c0116b15db762b9cd43cb0f45de896eec451ec42
- Filesize: 1.7MB
  MD5: 00a80b3c6332cd0d84e8be834df1881c
  SHA1: 69560c24876b1907762dcd2e96c6aa94d82b8329
  SHA256: f5fd420b26110c888877748b6bb13339fc7c320dde830f3ede6d457ef8f48d8e
  SHA512: b9e1faeac16095f85888ccf0af6560cf9e0135bc40ddd6efc37020c45a5870b9f1d06098663ed4145528c53567e1c53baeecf652e96d4226638b8abb042b6ee0
- Filesize: 482KB
  MD5: 783fdcd25012ad1d0dfc4c4092ea1cf9
  SHA1: 4e6ab35bbc7e1787e6afda2905025b4c7471db42
  SHA256: 2a9e54781231c4c29e8959aaea75fcb32bde66ba99df5d69043b8f7067bd5254
  SHA512: 61efba1869bd0d461b397807b8a67423ab2b896dfe31984e955fc80dc2ff1f230b3e45d6e8b3ce3d28a156d09d07dc9875d543b95b495863eb932230be5e4bd9
- Filesize: 221KB
  MD5: 8ac961b25b6340b16bdfb2bd8f363970
  SHA1: 8f62305c73e4ffada75f30bd10fe356d73fb0fba
  SHA256: f9f37dbcf81dc9c099949eae343550a353552269e6f842022a6412883b56f9db
  SHA512: 435bb4d1751fb9e6d001aee269143005896dee30ad80a35c26be0d176210ab89431f18149e9050dff4fa868516ea5af11aab9be2863026b361312b6aac2492f2
- Filesize: 112KB
  MD5: 8b5eb38e08a678afa129e23129ca1e6d
  SHA1: a27d30bb04f9fabdb5c92d5150661a75c5c7bc42
  SHA256: 4befa614e1b434b2f58c9e7ce947a946b1cf1834b219caeff42b3e36f22fd97c
  SHA512: a7245cde299c68db85370ae1bdf32a26208e2cda1311afd06b0efd410664f36cafb62bf4b7ce058e203dcc515c45ebdef01543779ead864f3154175b7b36647d
- Filesize: 140KB
  MD5: b8efc9757f89bbba43ed0a59e5fa5507
  SHA1: 180d880f7242084f1c68fb55a5841c4db7aabad7
  SHA256: e5e22597c6c41d172f14a4edf1cce1cc795bcb2f8639148e7d5bde44fde3f9cb
  SHA512: 1c66d56703d4bae41e5d3762a0f4eda6afb633627104451b6343e7b8df04924262c87e4dc4def26ecd7adf4e02d0d0e68f8adedf0eaf1c22a87bd821503801f6