Analysis
-
max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags
arch:x64 arch:x86 image:win10v2004-20231215-en locale:en-us os:windows10-2004-x64 system
submitted
29-12-2023 19:19
Static task
static1
Behavioral task
behavioral1
Sample
017fef171fcb1bae625fadf3ff3a5b41.dll
Resource
win7-20231129-en
General
-
Target
017fef171fcb1bae625fadf3ff3a5b41.dll
-
Size
1.1MB
-
MD5
017fef171fcb1bae625fadf3ff3a5b41
-
SHA1
f6807821506e43999eb3768fe506f9e4f364f489
-
SHA256
bf60aa85ca8b3e356c3a27fa9f81014450da3e144866ed72f2f58c71e6ad2194
-
SHA512
8f231509b877e7466db748422889bb8518267683a6f4e35a62e3d650ac922c65d0e96c2927564a2db6a5592bea653077c9ad9fe1b06338513a49c73125970dcd
-
SSDEEP
12288:rkMZ+g4TyilMqFvPIV93i/S0hzmOBt5nihfSxI/mhjEvqJ0D/eAQsroXAkH64C:rkMZ+gf4ltGd8H1fYO0q2G1Ah
Malware Config
Signatures
-
YARA rule dridex_stager_shellcode 1 IoCs
Processes:
resource | yara_rule
behavioral2/memory/3592-3-0x0000000002870000-0x0000000002871000-memory.dmp | dridex_stager_shellcode
-
YARA rule dridex_payload 9 IoCs
Processes:
resource | yara_rule
behavioral2/memory/1956-0-0x0000000140000000-0x0000000140122000-memory.dmp | dridex_payload
behavioral2/memory/3592-26-0x0000000140000000-0x0000000140122000-memory.dmp | dridex_payload
behavioral2/memory/3592-37-0x0000000140000000-0x0000000140122000-memory.dmp | dridex_payload
behavioral2/memory/1956-40-0x0000000140000000-0x0000000140122000-memory.dmp | dridex_payload
behavioral2/memory/3548-47-0x0000000140000000-0x0000000140123000-memory.dmp | dridex_payload
behavioral2/memory/3548-52-0x0000000140000000-0x0000000140123000-memory.dmp | dridex_payload
behavioral2/memory/1356-65-0x00000221C2B40000-0x00000221C2C63000-memory.dmp | dridex_payload
behavioral2/memory/1356-69-0x00000221C2B40000-0x00000221C2C63000-memory.dmp | dridex_payload
behavioral2/memory/1900-85-0x0000000140000000-0x0000000140123000-memory.dmp | dridex_payload
The payload image is mapped at 0x140000000, the default image base of a 64-bit PE, in rundll32.exe (1956), in process 3592 (not named anywhere in this report), in RecoveryDrive.exe (3548) and in SystemPropertiesPerformance.exe (1900); in ie4uinit.exe (1356) it sits at the dynamically allocated address 0x221C2B40000 instead.
-
Executes dropped EXE 3 IoCs
Processes:
pid | Process
3548 | RecoveryDrive.exe
1356 | ie4uinit.exe
1900 | SystemPropertiesPerformance.exe
-
Loads dropped DLL 4 IoCs
Processes:
pid | Process
3548 | RecoveryDrive.exe
1356 | ie4uinit.exe
1356 | ie4uinit.exe
1900 | SystemPropertiesPerformance.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qoccyyzfzcu = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\ADMINI~1\\5cy1V\\ie4uinit.exe" | (process not recorded)
The value uses 8.3 short names; expanded, it points at a copy of ie4uinit.exe under the user's roaming Start Menu\Programs\Administrative Tools folder, a third location distinct from the AppData\Local\gJBhrKG copy that ran during the analysis.
-
Checks whether UAC is enabled 4 IoCs
Processes:
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | RecoveryDrive.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | ie4uinit.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | SystemPropertiesPerformance.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | Process
1956 | rundll32.exe (4 entries)
3592 | (image name not recorded; 60 entries)
-
Suspicious use of AdjustPrivilegeToken 20 IoCs
Processes:
description | pid
Token: SeShutdownPrivilege | 3592 (10 entries)
Token: SeCreatePagefilePrivilege | 3592 (10 entries)
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
pid
3592 (2 entries)
-
Suspicious use of UnmapMainImage 1 IoCs
Processes:
pid
3592
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
description | pid | procid_target
PID 3592 wrote to memory of 4332 | 3592 | 96 (2 entries)
PID 3592 wrote to memory of 3548 | 3592 | 97 (2 entries)
PID 3592 wrote to memory of 1084 | 3592 | 101 (2 entries)
PID 3592 wrote to memory of 1356 | 3592 | 102 (2 entries)
PID 3592 wrote to memory of 4968 | 3592 | 106 (2 entries)
PID 3592 wrote to memory of 1900 | 3592 | 107 (2 entries)
Process 3592 writes into both the system32 original and the AppData copy of each of the three host binaries; it does not appear in the process tree below.
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\rundll32.exe
Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\017fef171fcb1bae625fadf3ff3a5b41.dll,#1
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID: 1956
-
C:\Windows\system32\RecoveryDrive.exe
Command line: C:\Windows\system32\RecoveryDrive.exe
PID: 4332
-
C:\Users\Admin\AppData\Local\XNY\RecoveryDrive.exe
Command line: C:\Users\Admin\AppData\Local\XNY\RecoveryDrive.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID: 3548
-
C:\Windows\system32\ie4uinit.exe
Command line: C:\Windows\system32\ie4uinit.exe
PID: 1084
-
C:\Users\Admin\AppData\Local\gJBhrKG\ie4uinit.exe
Command line: C:\Users\Admin\AppData\Local\gJBhrKG\ie4uinit.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID: 1356
-
C:\Windows\system32\SystemPropertiesPerformance.exe
Command line: C:\Windows\system32\SystemPropertiesPerformance.exe
PID: 4968
-
C:\Users\Admin\AppData\Local\SbClPH\SystemPropertiesPerformance.exe
Command line: C:\Users\Admin\AppData\Local\SbClPH\SystemPropertiesPerformance.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID: 1900
All seven entries sit at the top level of the tree; each system32 original is launched immediately before a same-named copy from a random directory under AppData\Local, and only the copies trigger "Executes dropped EXE" and "Loads dropped DLL".
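As an added example that is not part of the Triage report or of the sample, the Python below turns the two strongest host signals on this page into a detection that runs over exported process-creation and registry events: a known Windows system binary executing from outside system32, and an autostart value pointing into the user profile. Python is used instead of PowerShell so it runs offline on any analyst host. The event field names, the system-binary allow-list and the 8.3 short-name table are assumptions; the event records are constructed from the process tree and the Run key above.

```python
"""Hunt for the side-loading pattern this report shows: copies of Windows
system binaries (RecoveryDrive.exe, ie4uinit.exe,
SystemPropertiesPerformance.exe) executing from random directories under
AppData\\Local, plus a Run value that points back into the user profile.
Field names are an assumption loosely modelled on Sysmon process-create
and registry-set events; the events themselves are constructed from the
Triage process tree and registry activity above."""
import ntpath

# Image basenames that belong in system32. Assumption: in production this
# allow-list is generated from a clean reference install, not hand-typed.
SYSTEM_BINARIES = {
    "rundll32.exe", "recoverydrive.exe", "ie4uinit.exe",
    "systempropertiesperformance.exe",
}
# Directories those binaries legitimately run from (lower-case, no slash).
TRUSTED_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}
# Profile locations an autostart entry should not point into.
USER_WRITABLE = ("\\appdata\\local\\", "\\appdata\\roaming\\", "\\users\\public\\")
# 8.3 short names seen in this report's Run value. Assumption: real
# telemetry resolves them on the host instead of expanding a fixed table.
SHORT_NAMES = {
    "micros~1": "microsoft", "startm~1": "start menu",
    "admini~1": "administrative tools",
}


def normalize(path: str) -> str:
    """Lower-case, strip quotes, undo registry-style doubled backslashes and
    expand the known 8.3 fragments so directory comparisons are reliable."""
    p = path.strip().strip('"').replace("\\\\", "\\").lower()
    for short, full in SHORT_NAMES.items():
        p = p.replace(short, full)
    return p


def sideloaded_binary(image: str) -> bool:
    """True when a known system binary runs from outside a trusted directory."""
    p = normalize(image)
    if ntpath.basename(p) not in SYSTEM_BINARIES:
        return False
    return ntpath.dirname(p) not in TRUSTED_DIRS


def suspicious_run_value(value: str) -> bool:
    """True when an autostart command points into a user-writable path."""
    p = normalize(value)
    return any(root in p for root in USER_WRITABLE)


def triage(events):
    """Return (pid, reason, path) for every event that matches either rule."""
    findings = []
    for ev in events:
        if ev["type"] == "process_create" and sideloaded_binary(ev["image"]):
            findings.append((ev["pid"], "system binary outside system32", ev["image"]))
        elif (ev["type"] == "registry_set"
              and "\\currentversion\\run\\" in ev["key"].lower()
              and suspicious_run_value(ev["value"])):
            findings.append((ev["pid"], "Run value inside user profile", ev["value"]))
    return findings


# Constructed from the process tree and Run key above. The report does not
# attribute the registry write to a process, so its pid is None.
EVENTS = [
    {"type": "process_create", "pid": 1956,
     "image": r"C:\Windows\system32\rundll32.exe"},
    {"type": "process_create", "pid": 4332,
     "image": r"C:\Windows\system32\RecoveryDrive.exe"},
    {"type": "process_create", "pid": 3548,
     "image": r"C:\Users\Admin\AppData\Local\XNY\RecoveryDrive.exe"},
    {"type": "process_create", "pid": 1084,
     "image": r"C:\Windows\system32\ie4uinit.exe"},
    {"type": "process_create", "pid": 1356,
     "image": r"C:\Users\Admin\AppData\Local\gJBhrKG\ie4uinit.exe"},
    {"type": "process_create", "pid": 4968,
     "image": r"C:\Windows\system32\SystemPropertiesPerformance.exe"},
    {"type": "process_create", "pid": 1900,
     "image": r"C:\Users\Admin\AppData\Local\SbClPH\SystemPropertiesPerformance.exe"},
    {"type": "registry_set", "pid": None,
     "key": r"\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qoccyyzfzcu",
     "value": r"C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\ADMINI~1\\5cy1V\\ie4uinit.exe"},
]

if __name__ == "__main__":
    for pid, reason, path in triage(EVENTS):
        print(f"{pid}\t{reason}\t{path}")
```

The rule keys on the image directory rather than on a file hash because a side-loaded host binary can be a byte-identical copy of the system32 original, so hash and signature checks on the EXE alone pass; the report's "Loads dropped DLL" signature is the complementary signal that the malicious code lives in the DLL placed beside the copy. The Run-key check expands the 8.3 fragments first, since a substring match on "AppData" would otherwise miss a value written as MICROS~1.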
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
1.0MB
MD5
e29b51d76623b9fe3a28905b427e77ea
SHA1
ac8d47b7718dbc27abdceacdf1c41daf6dc68448
SHA256
1fba6757b2122366043fada4c935dd73bf69084dda1401ecec0f9be7efd86a82
SHA512
22a2f2c6f13efd270adcf631b71e91aa236e9520aa78f59744ae7768aa9f7152584f3e8caa983ee8077191b154993f8b1a115638e8745104168d19edf9efccfa
-
Filesize
1024KB
MD5
cb0cd04482bd2d1906d76beb3d716b41
SHA1
f83bcfd0f6d4ec731d61a5ade340201a98ca8134
SHA256
83e4d4d2168d0b0bd2c99a6f36c2281726c0188eeb68e34f7079a83f3fd020ef
SHA512
fef256ff500cff015eff4710dc381169ee8ee82088d0ef047fe4939b49d5d9f667b554d7e6bd1e24fe59c5a882c0c82a249e2e012903b63d2c4b8db09522ab25
-
Filesize
82KB
MD5
e4fbf7cab8669c7c9cef92205d2f2ffc
SHA1
adbfa782b7998720fa85678cc85863b961975e28
SHA256
b266318d45a4245556a2e39b763f2f11eca780969105f6f103e53dd0a492bb30
SHA512
c5c62578d04133352d6cb7b018df96a7b55c18d6111ab8bf2bfe232a3315a63b07047fa5b0b88551d152085776c66169b47566242c8c4c5e0333c55adc64e1b6
-
Filesize
911KB
MD5
b9b3dc6f2eb89e41ff27400952602c74
SHA1
24ae07e0db3ace0809d08bbd039db3a9d533e81b
SHA256
630518cb2e4636f889d12c98fb2e6be4e579c5eeb86f88695d3f7fff3f5515c4
SHA512
7906954b881f1051a0c7f098e096bc28eddcc48643b8bf3134dd57b8c18d8beba4f9a0ac5d348de2f9b8ea607c3e9cb0e61d91e4f3ba1fefb02839f928e3e3fe
-
Filesize
1.1MB
MD5
351cae17e932564d3c05659a10abb325
SHA1
d5a35bcdf9313542219c78f432e7114aeec78f41
SHA256
9ccd6f47882c72840fb3286ac296360b3ff5d93ace6d993cafab559e4d80db54
SHA512
59f85cd9d4d9e173e5b0e099471f2245b415c2adaeb2907dc89150330e1d10ebf865dfec454e558198331df77219ae16ed7c5b83166a3cdc6b6dae9c5df25b32
-
Filesize
1.1MB
MD5
27db998b0de3973ce4c41bf650fc940c
SHA1
2ce21720ced672c5ee7d623a96368f0635b8286f
SHA256
e719be4460e73cad38598acaaaa547619f87f71ded8e27e9e713648ced307697
SHA512
319918ef6ce161930119cf3a050d2ee9ce72e38e183dfedec894fcdeba9b2929fdcf9caac826b1cc5e9bddb31d4e22050cb0de6527df0626f5c4bbd9b3f28435
-
Filesize
262KB
MD5
a2f0104edd80ca2c24c24356d5eacc4f
SHA1
8269b9fd9231f04ed47419bd565c69dc677fab56
SHA256
5d85c4d62cc26996826b9d96a9153f7e05a2260342bd913b3730610a1809203c
SHA512
e7bb87f9f6c82cb945b95f62695be98b3fa827a24fa8c4187fe836d4e7d3e7ae3b95101edd3c41d65f6cb684910f5954a67307d450072acd8d475212db094390
-
Filesize
171KB
MD5
36b9259b271be43e6a6017115758ca9b
SHA1
bbe9109887a841798beeaea4dfd4f9e3f75115cd
SHA256
fe3cd9fea41d55a2271cfb393af2f19fbf027291aa4f799bb1bda48ed47e3c37
SHA512
703cb182863f939b1d39be13732228b654d30f35a6caabcbb68c0a563c01bf3b6ab298c1fbe313b8fe1340da8d1ff3906e9483fa70f67c55b4e42ae097aa416c
-
Filesize
1KB
MD5
d25eaa89d949cf05e47ec1c64da2c6c3
SHA1
78c21f9a80579ff83b28d294333b584c61ac9a42
SHA256
e4ed77df5299ac021252665aa15cccc5466a4f6022a99c117512b34acbbdb1be
SHA512
43755ac2e164a78a526e2c52d011d8ed4ab41584f8426d9e1c42b5146464e20e894e88e4bb2d2646e3127ab70665adf09dacdbafa8686abe1f53ee69dfa3521e
-
Filesize
1.0MB
MD5
5acda3ed30b57aafa725ae7ea7c27c97
SHA1
0e9bc0932fce3b3ef495bbaf9d41339275ff9785
SHA256
9d35190f8eea5ac1918352614a341aa424198ceec4c84786e67dc7c8e26ea04d
SHA512
5672f996b4a9ad55e7d06ac7895bdcdd40788eb8f5af5c18dac46a31b502ce4cbf19cc568ff8cd9e5415a3981b433ab6407a2b254552388f0f25e3315d3e6162