Analysis
max time kernel: 45s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-12-2023 16:24
Static task: static1 (1 signatures)
Behavioral task: behavioral1
Sample: edfa77cc042165230bda125457230eff.dll
Resource: win7-20231215-en
9 signatures, 150 seconds
General
Target: edfa77cc042165230bda125457230eff.dll
Size: 2.1MB
MD5: edfa77cc042165230bda125457230eff
SHA1: a5be3756956178ab76ab58a1e5ad877066153513
SHA256: f950e61cdd81d2cf15ee868489a6b5d887fc9a4d3ca4ab69928dda40b131274b
SHA512: 9329b8ad60683c6c574069a3966c4c2919a8d51b82b3b8e7fb2ce8ec5ab03f6d0f19e6cf961a8477280d93c0666e1c7e055c186747e65dc03143cd8704d31f6d
SSDEEP: 12288:lVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:8fP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
- Processes:
  resource: behavioral2/memory/3484-5-0x0000000002D30000-0x0000000002D31000-memory.dmp
  yara_rule: dridex_stager_shellcode
- Executes dropped EXE (3 IoCs)
  Processes:
    pid   Process
    4256  isoburn.exe
    4220  BdeUISrv.exe
    4956  ie4uinit.exe
- Loads dropped DLL (5 IoCs)
  Processes:
    pid   Process
    4256  isoburn.exe
    4220  BdeUISrv.exe
    4956  ie4uinit.exe
    4956  ie4uinit.exe
    4956  ie4uinit.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
    description: Set value (str)
    ioc: \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Hwtkseldaftjsj = "C:\\Users\\Admin\\AppData\\Roaming\\Sun\\dthsL8W\\BdeUISrv.exe"
    Process: (not recorded in the report)
- Checks whether UAC is enabled
  Processes:
    description        ioc                                                                                  Process
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  isoburn.exe
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  BdeUISrv.exe
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  ie4uinit.exe
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
    pid   Process
    2780  rundll32.exe
    2780  rundll32.exe
    2780  rundll32.exe
    2780  rundll32.exe
    3484  (no process name recorded; all remaining entries are PID 3484)
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    description                       pid   Process  procid_target
    PID 3484 wrote to memory of 3028  3484           92
    PID 3484 wrote to memory of 3028  3484           92
    PID 3484 wrote to memory of 4256  3484           99
    PID 3484 wrote to memory of 4256  3484           99
    PID 3484 wrote to memory of 2424  3484           98
    PID 3484 wrote to memory of 2424  3484           98
    PID 3484 wrote to memory of 4220  3484           97
    PID 3484 wrote to memory of 4220  3484           97
    PID 3484 wrote to memory of 860   3484           96
    PID 3484 wrote to memory of 860   3484           96
    PID 3484 wrote to memory of 4956  3484           94
    PID 3484 wrote to memory of 4956  3484           94
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\edfa77cc042165230bda125457230eff.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID: 2780
- C:\Windows\system32\isoburn.exe
  command line: C:\Windows\system32\isoburn.exe
  PID: 3028
- C:\Users\Admin\AppData\Local\lEPRtFIT4\ie4uinit.exe
  command line: C:\Users\Admin\AppData\Local\lEPRtFIT4\ie4uinit.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 4956
- C:\Windows\system32\ie4uinit.exe
  command line: C:\Windows\system32\ie4uinit.exe
  PID: 860
- C:\Users\Admin\AppData\Local\R9t5FTlg\BdeUISrv.exe
  command line: C:\Users\Admin\AppData\Local\R9t5FTlg\BdeUISrv.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 4220
- C:\Windows\system32\BdeUISrv.exe
  command line: C:\Windows\system32\BdeUISrv.exe
  PID: 2424
- C:\Users\Admin\AppData\Local\RGOVIeauk\isoburn.exe
  command line: C:\Users\Admin\AppData\Local\RGOVIeauk\isoburn.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 4256