Analysis
- max time kernel: 153s
- max time network: 162s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-12-2023 19:17
Tasks
- Static task: static1
- Behavioral task: behavioral1, sample 017476e0432360ddcea82be7784d62c3.dll, resource win7-20231129-en
Note that the analysis header above (Windows 10 2004, win10v2004-20231215-en) and the memory-dump path in the YARA match below (behavioral2/...) refer to a second behavioral task that is not listed on this page; the behavioral data that follows comes from that task, not from the win7 run.
General
- Target: 017476e0432360ddcea82be7784d62c3.dll
- Size: 1.1MB
- MD5: 017476e0432360ddcea82be7784d62c3
- SHA1: 76763b98160cd831bbb09e2d7c99bd62d5f326c0
- SHA256: 442c78bea97cb5946f1754ba2e848784a617e377208e3c7f06f3e33b1a5192a1
- SHA512: 67a6fed3bf7893abe319a3df10baa17b9fbb38604a990c59f0f93fed127dae0efe2084088210ccc61da9bb6c372d0eaff01c4f030df1108b4da59182d1f54b40
- SSDEEP: 12288:vVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:GfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
- YARA rule match: dridex_stager_shellcode
  resource: behavioral2/memory/3436-4-0x0000000002C90000-0x0000000002C91000-memory.dmp
  The match is in a single 4 KiB page (0x2C90000-0x2C91000) of PID 3436. That process is not named anywhere on this page, but it is the one that later writes into every dropped process (see WriteProcessMemory below).
- Executes dropped EXE (3 IoCs)
  4228 MoUsoCoreWorker.exe
  3016 ie4ushowIE.exe
  4468 dwm.exe
- Loads dropped DLL (6 IoCs)
  4228 MoUsoCoreWorker.exe (1)
  3016 ie4ushowIE.exe (1)
  4468 dwm.exe (4)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ddiqrdu = "C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\mU20k\IE4USH~1.EXE"
  The value data uses 8.3 short names (MICROS~1, STARTM~1 and IE4USH~1.EXE, which expand to Microsoft, Start Menu and ie4ushowIE.exe when no earlier name collided), so a detection that string-matches the long form of the Start Menu path will miss it. It points at a copy of ie4ushowIE.exe under the user's Start Menu folder, a fourth location distinct from the %LOCALAPPDATA%\Xmke copy executed in the process tree. The table does not record which process wrote the value.
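Because the Run value above is written in 8.3 form, an analyst matching it offline (no live host to call GetLongPathNameW on) has to match the short-name components structurally. The following is an added example and is not part of the sandbox report: it applies the rules Windows uses to build a short name (upper-case, spaces and embedded dots dropped, base cut to six characters plus ~N, extension cut to three) to compare the recorded value against the long path it is expected to resolve to. Only RUN_KEY_DATA comes from the report (registry string escaping removed); EXPECTED_LONG_PATH and the user-writable directory markers are assumptions made for the example.

```python
"""
Added example, not from the sandbox report: structural matching of an 8.3
short-name path (as written into the Run key in this report) against the
long-name path an analyst expects it to resolve to.
"""
import re

# Taken from the report's "Adds Run key" IoC (registry escaping removed).
RUN_KEY_DATA = r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\mU20k\IE4USH~1.EXE"
# Constructed: the long-name path the value is expected to resolve to.
EXPECTED_LONG_PATH = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\mU20k\ie4ushowIE.exe"

# NAME~N or NAME~N.EXT, the simple form of a generated short name.  The
# hash-based form NTFS falls back to after repeated collisions (e.g. AB1F2C~1)
# is deliberately not handled: it fails to match rather than matching wrongly.
SHORT_NAME = re.compile(r"^([^.\\/]{1,6})~\d+(?:\.([^.\\/]{1,3}))?$")
# Constructed list of directory markers an unprivileged user can write to.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\public\\")


def short_basis(component: str) -> tuple[str, str]:
    """(base, ext) that Windows derives a short name from: upper-case, spaces
    and embedded dots removed, base cut to 6 characters, extension to 3."""
    stem, dot, ext = component.rpartition(".")
    if not dot:                      # no extension at all
        stem, ext = component, ""

    def clean(s: str) -> str:
        return re.sub(r"[ .]", "", s).upper()

    return clean(stem)[:6], clean(ext)[:3]


def component_matches(short: str, long: str) -> bool:
    """True if `short` is `long` itself (case-insensitively) or a short name
    Windows could have generated for `long`."""
    if short.lower() == long.lower():
        return True
    m = SHORT_NAME.match(short)
    if m is None:
        return False
    base, ext = short_basis(long)
    return m.group(1).upper() == base and (m.group(2) or "").upper() == ext


def path_matches(short_path: str, long_path: str) -> bool:
    """Component-wise comparison of a (possibly) short-name path with a long one."""
    s, l = short_path.split("\\"), long_path.split("\\")
    return len(s) == len(l) and all(component_matches(a, b) for a, b in zip(s, l))


def uses_short_names(path: str) -> bool:
    return any(SHORT_NAME.match(c) for c in path.split("\\"))


def check_run_key(value_name: str, data: str, expected_long_path: str) -> dict:
    """Summarise what an analyst wants to know about a Run value."""
    return {
        "value": value_name,
        "short_names_used": uses_short_names(data),
        "resolves_to_expected": path_matches(data, expected_long_path),
        "user_writable": any(m in expected_long_path.lower() for m in USER_WRITABLE),
    }


if __name__ == "__main__":
    print(check_run_key("Ddiqrdu", RUN_KEY_DATA, EXPECTED_LONG_PATH))
```

The matcher only accepts a short component when both the six-character base and the three-character extension agree with what the long name would produce, so MICROS~1 matches Microsoft but not Mozilla; a rule that simply strips everything after the tilde would be far looser.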
- Checks whether UAC is enabled (4 IoCs; the signature title is missing from this table on the page and is taken from the process tree below)
  Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA by ie4ushowIE.exe, dwm.exe, rundll32.exe and MoUsoCoreWorker.exe (one query each)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  3048 rundll32.exe: 4
  3436 (image not named on the page): 60
- Suspicious use of AdjustPrivilegeToken (8 IoCs)
  PID 3436: SeShutdownPrivilege and SeCreatePagefilePrivilege, four times each
- Suspicious use of FindShellTrayWindow (2 IoCs)
  PID 3436 (2)
- Suspicious use of UnmapMainImage (1 IoC)
  PID 3436
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 3436 wrote twice to the memory of each of the six MoUsoCoreWorker/ie4ushowIE/dwm processes: 3092 (procid_target 92), 4228 (93), 3040 (94), 3016 (95), 384 (96), 4468 (97). Two writes per target is the pattern left by a CreateProcess call, which is consistent with 3436 being their parent; the page itself does not record parent PIDs.
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times. No task-creation IoC is listed on this page, so only the API use, not a resulting task, is recorded.
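When the COM API is used to register a task, the resulting definition can be exported as XML (schtasks /query /tn NAME /xml, or the ITaskDefinition.XmlText property of the same API), and the two things that make it persistence are visible there: a BootTrigger or LogonTrigger, and an Exec action whose Command lives in a user-writable directory. The following is an added example, not code from the report or from the sandbox vendor, that audits such a definition. Both task definitions in it are constructed for the example (the report records no task, only that the API was called); the suspect one reuses the path of a dropped copy from the process tree.

```python
"""
Added example, not from the sandbox report: audit a Task Scheduler task
definition (the XML schema at
http://schemas.microsoft.com/windows/2004/02/mit/task) for a boot/logon
trigger, an action run from a user-writable directory, and an elevated
run level.
"""
import xml.etree.ElementTree as ET

NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"
PERSISTENT_TRIGGERS = {"BootTrigger", "LogonTrigger"}
# Constructed list of directory markers an unprivileged user can write to.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\public\\")

# Constructed: a task that would relaunch one of the dropped copies at logon.
SUSPECT_TASK_XML = r"""
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author"><RunLevel>LeastPrivilege</RunLevel></Principal>
  </Principals>
  <Actions Context="Author">
    <Exec><Command>C:\Users\Admin\AppData\Local\Xmke\ie4ushowIE.exe</Command></Exec>
  </Actions>
</Task>
"""

# Constructed: a definition with a time trigger and a System32 command,
# included to show that the audit stays quiet on it.
BENIGN_TASK_XML = r"""
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger><StartBoundary>2023-12-29T03:00:00</StartBoundary></CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\Windows\System32\MoUsoCoreWorker.exe</Command></Exec>
  </Actions>
</Task>
"""


def audit_task(xml_text: str) -> dict:
    """Return the trigger types, Exec commands, run level and a list of findings."""
    root = ET.fromstring(xml_text.strip())
    triggers_el = root.find(f"{NS}Triggers")
    triggers = [] if triggers_el is None else [t.tag[len(NS):] for t in triggers_el]
    commands = [c.text.strip() for c in root.iter(f"{NS}Command") if c.text]
    run_level_el = root.find(f".//{NS}RunLevel")
    run_level = run_level_el.text if run_level_el is not None else None

    findings = []
    persistent = sorted(t for t in triggers if t in PERSISTENT_TRIGGERS)
    if persistent:
        findings.append("starts automatically via " + ", ".join(persistent))
    for cmd in commands:
        if any(marker in cmd.lower() for marker in USER_WRITABLE):
            findings.append("action runs from a user-writable directory: " + cmd)
    if run_level == "HighestAvailable":
        findings.append("task requests the highest available token")
    return {"triggers": triggers, "commands": commands,
            "run_level": run_level, "findings": findings}


if __name__ == "__main__":
    for name, xml_text in (("suspect", SUSPECT_TASK_XML), ("benign", BENIGN_TASK_XML)):
        print(name, audit_task(xml_text)["findings"])
```

On a live host the same audit runs over every task under C:\Windows\System32\Tasks, which stores these definitions as files; reading them directly also catches tasks whose registry entries were hidden.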
Processes
- C:\Windows\system32\rundll32.exe (PID 3048)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\017476e0432360ddcea82be7784d62c3.dll,#1
  signatures: Checks whether UAC is enabled; Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\MoUsoCoreWorker.exe (PID 3092)
  command line: C:\Windows\system32\MoUsoCoreWorker.exe
- C:\Users\Admin\AppData\Local\M0UOXkdys\MoUsoCoreWorker.exe (PID 4228)
  command line: C:\Users\Admin\AppData\Local\M0UOXkdys\MoUsoCoreWorker.exe
  signatures: Executes dropped EXE; Loads dropped DLL; Checks whether UAC is enabled
- C:\Windows\system32\ie4ushowIE.exe (PID 3040)
  command line: C:\Windows\system32\ie4ushowIE.exe
- C:\Users\Admin\AppData\Local\Xmke\ie4ushowIE.exe (PID 3016)
  command line: C:\Users\Admin\AppData\Local\Xmke\ie4ushowIE.exe
  signatures: Executes dropped EXE; Loads dropped DLL; Checks whether UAC is enabled
- C:\Windows\system32\dwm.exe (PID 384)
  command line: C:\Windows\system32\dwm.exe
- C:\Users\Admin\AppData\Local\urv5ZMZ0\dwm.exe (PID 4468)
  command line: C:\Users\Admin\AppData\Local\urv5ZMZ0\dwm.exe
  signatures: Executes dropped EXE; Loads dropped DLL; Checks whether UAC is enabled
The sample is loaded by calling its ordinal-1 export (",#1"), and every entry is rendered at the same depth, so the tree shows no parent-child relationships. Each dropped executable carries the name of a Windows binary that was started from System32 immediately before it (MoUsoCoreWorker.exe, ie4ushowIE.exe, dwm.exe) and runs from a random-named directory under %LOCALAPPDATA%; the "Loads dropped DLL" signature fires only on those copies. That is the shape of DLL search-order hijacking (a dropped DLL placed beside a copied host binary that imports it), although the report does not state the mechanism itself. PID 3436, which holds the dridex_stager_shellcode match and wrote into each of the six MoUsoCoreWorker/ie4ushowIE/dwm processes, does not appear in the tree.
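Two checks over process-creation events are enough to surface the pattern in the tree above: an image whose file name belongs to a System32 binary but whose directory is outside the system directories, and the genuine binary launched from System32 followed by a same-named copy from elsewhere under the same parent. The following is an added example and is not code from the report or the sandbox vendor. EVENTS is constructed from the report's process list; the parent PID 3436 on the six MoUsoCoreWorker/ie4ushowIE/dwm entries is an assumption taken from the WriteProcessMemory IoCs (the page records no parent PIDs, and rundll32.exe's parent is left unknown), and SYSTEM_BINARIES is a constructed inventory limited to the names on this page (a real check would build it from a listing of System32).

```python
"""
Added example, not from the sandbox report: detect Windows binary names
executed outside %SystemRoot%, and the "genuine launch, then same-named copy"
sequence seen in this report's process tree.
"""
import ntpath

# Constructed from the report's process list.  ppid=3436 is an assumption
# based on the WriteProcessMemory IoCs; the report records no parent PIDs.
EVENTS = [
    {"pid": 3048, "ppid": None, "image": r"C:\Windows\system32\rundll32.exe"},
    {"pid": 3092, "ppid": 3436, "image": r"C:\Windows\system32\MoUsoCoreWorker.exe"},
    {"pid": 4228, "ppid": 3436, "image": r"C:\Users\Admin\AppData\Local\M0UOXkdys\MoUsoCoreWorker.exe"},
    {"pid": 3040, "ppid": 3436, "image": r"C:\Windows\system32\ie4ushowIE.exe"},
    {"pid": 3016, "ppid": 3436, "image": r"C:\Users\Admin\AppData\Local\Xmke\ie4ushowIE.exe"},
    {"pid": 384,  "ppid": 3436, "image": r"C:\Windows\system32\dwm.exe"},
    {"pid": 4468, "ppid": 3436, "image": r"C:\Users\Admin\AppData\Local\urv5ZMZ0\dwm.exe"},
]

SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# Constructed inventory of System32 binary names, limited to those on the page.
SYSTEM_BINARIES = {"rundll32.exe", "mousocoreworker.exe", "ie4ushowie.exe", "dwm.exe"}


def _split(image: str) -> tuple[str, str]:
    """Lower-cased (directory, file name) of a Windows image path."""
    low = image.lower()
    return ntpath.dirname(low), ntpath.basename(low)


def masqueraded_system_binaries(events: list[dict]) -> list[int]:
    """PIDs whose image has a System32 binary's name but runs from elsewhere."""
    hits = []
    for ev in events:
        directory, name = _split(ev["image"])
        if name in SYSTEM_BINARIES and directory not in SYSTEM_DIRS:
            hits.append(ev["pid"])
    return hits


def probe_then_copy_pairs(events: list[dict]) -> list[tuple[int, int]]:
    """(genuine_pid, copy_pid) pairs: the same parent ran the real System32
    binary and later a same-named image outside the system directories."""
    last_genuine = {}        # (ppid, file name) -> pid of latest System32 launch
    pairs = []
    for ev in events:
        directory, name = _split(ev["image"])
        key = (ev["ppid"], name)
        if directory in SYSTEM_DIRS:
            last_genuine[key] = ev["pid"]
        elif key in last_genuine:
            pairs.append((last_genuine[key], ev["pid"]))
    return pairs


if __name__ == "__main__":
    print("copies outside %SystemRoot%:", masqueraded_system_binaries(EVENTS))
    print("genuine-then-copy pairs:", probe_then_copy_pairs(EVENTS))
```

The first check alone would also flag a legitimately relocated tool, which is why the pairing check is worth keeping separately: three genuine launches each followed by a copy from a fresh random directory is a much narrower signal than any one of the copies.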
Network
MITRE ATT&CK Enterprise v15
Downloads
No file names or paths are given for these entries on this page; only size and hashes are recorded.
- 96KB
  MD5 5798d6e8309c1d87997a7d2b8a256f28
  SHA1 f30a2583fd14d2cdf3478f2ee0ac9abc273f12eb
  SHA256 8f8a5f82327324df4e30a27bb87dd0da120b9a46f078e360bc68d66e2c07138a
  SHA512 9a152df70ff8e03c01d079591b0367bc1148943e521d175303de32cb134956dbcc1d8e961f6a3e370fc36ec78bcc5eab015d69e86e524bbf8c4f11bd478a860b
- 44KB
  MD5 994781cb4455e854e8a56d0d86729418
  SHA1 120998cfad2fe8ef6213a3883e4dab288a35bb37
  SHA256 048a9900741ff3fa27aa0d47c78202aa19824733ff9800d6cb302c87c2529420
  SHA512 a76d895bfca20939fdd3c2092c1d16a334f5ddfb4fafb6283627a9a1b1afa66fe44d59311f10f4ae7acbf1492bfee038e9dbad058c65e2e458003e3d4afdfc22
- 115KB
  MD5 6096d8f2691f521c5471e3831f488dee
  SHA1 007d807b79a94996687a857d9033439aa35ddacd
  SHA256 a306c80116053da01af073f3b8e4110ed508f57ee93defc6526f5323468dedcb
  SHA512 3062f62e73b18740eca5386f1e6e3c5c1fb65e29ec938a4848f72f5be66134ca76bed52af2618459b85392f0ec4274d58bcb4585b9480b29f82e0b7516e22faa
- 57KB
  MD5 10a2bc5895c41998ca5fd710990cfd84
  SHA1 f8b261cd7242352c67b15c5bb31b832f2d7c11b0
  SHA256 548759fe1cfd85af75bf80ad8e8a17277e4ae43dd36160e03c6f0a2757399878
  SHA512 5bdc1b2709bd355c0485c18490375d3c3bc8f1a858af113405875afebb56bba9a839370a9fc6bf785ef9c2bf40d1fed926b233419aafb72b48729b3eb9b99d43
- 25KB
  MD5 8856aa57a9c31bd25ca41fd7e58a3faa
  SHA1 a0b667482771a97e269232539c5bb8e25dde2ac4
  SHA256 114debababba8166086ef482c0aaf85f62b23aa10cf0516ec1563543a6e8be7e
  SHA512 3810c3192f6e9c2b65e2a275191e259868638c9cccdf3fb262028194bc1bb2d1dfc7cf851251bdf86f342e8eb3e9602cba0f4e638396f50d7a04660ba2459546
- 83KB
  MD5 afc5d6acf9fe46db2055363762df8cb2
  SHA1 098d3185228e3cc9d8f80a83a957aa6983b320d4
  SHA256 4d60a60d6b290863176389e6c029cafa4dd03ca07db7c5fd8cf0eee479c372b5
  SHA512 0edc56ca9381475b65f38b4bebe09bcb3b26488f316b33db23a20c6d0fe2443fb1e5f7d5decd25bdce61d79ea158ba1b6ef161d58f0859723844ba6a98fc5b23
- 19KB
  MD5 22bbbaea87d84f8ea435d55620d8b903
  SHA1 7dfc373050fffd3d2a3d7ce1f718b3e940b0c931
  SHA256 55f06d181995eb462551ee1b9538464f08a465bdea10cbf3325338db240d4c21
  SHA512 7aabbdbf33096980c5617bf5f0247650cbea3d1ea5f6f7e8924fc5b06379a28e1417b8115df0a7dedc45a36841021f58d6bd4e1da6e93d73f2cc028ae11e09d1
- 29KB
  MD5 20c3e4c84ab7086f24d852bfebc35881
  SHA1 067750987872d1b8822b5b93880694cf61fc7968
  SHA256 f3b3f537cff90e40986d92aa02865717633ae7406c0e0b9add37292c9a197548
  SHA512 89672ac81368de470abfef063632d4c985c963fcf0220894c36d9a06cb4b37cb4c961a0528ab528bcb25eaf06c87f7de722ee063ce202b4d0ba65fa31d04dcc4
- 92KB
  MD5 5c27608411832c5b39ba04e33d53536c
  SHA1 f92f8b7439ce1de4c297046ed1d3ff9f20bc97af
  SHA256 0ac827c9e35cdaa492ddd435079415805dcc276352112b040bcd34ef122cf565
  SHA512 1fa25eabc08dff9ea25dfa7da310a677927c6344b76815696b0483f8860fa1469820ff15d88a78ed32f712d03003631d9aceaf9c9851de5dd40c1fc2a7bc1309
- 54KB
  MD5 21514a7f978d38c6841800dedbd4f69e
  SHA1 9ce6d8337b669ba8a179ed77276a25222d783205
  SHA256 95e6ff2d8a8b922c9fc03f149db07f8a0fa91ecad6f30c6da67534ca45cf8afe
  SHA512 ae40682596ccf15269a8f9e884d7bdcd27e6c515c7c58fe368661e7629e92e08f7fca7a52ade82fba71ea31a7033294c29626623bb032280376923b8bcd99697
- 5KB
  MD5 c4b41df8931b6353ddf2da18ddc76e9e
  SHA1 269a7ae60cb1bfdc2378e3845d6c3261052dc12f
  SHA256 6f68ddf53c7d90f40ce7e1446e6a72fd97ca36f62f6eea38d5a331a563e9d4b2
  SHA512 88c01cc49c46beab8ff9c3fbf58bc31b4621efee754df31302605859e0c2e671127c4f1c2bb9d3c00f001a5bce531777e2a6f948c05c70cac508510f596c6467
- 26KB
  MD5 c091d844941b361df762c89e57920116
  SHA1 8d29420979ba0a787dd15d68d6af07a9dd2db2e4
  SHA256 a91781d29c6c30a430514991fbb0df808d28a75bbf9a0325bd6be9f843ade3aa
  SHA512 101b999888019a17cd1a2b74ff722eb77cebe4b58b97d28757cf4c088be9d4e80e22a71de39574e72f18844b0e831035f7e98e62fd84ba0f03d5544c475a5b2d
- 834B
  MD5 6585b45da54640f428d6ee10032658f0
  SHA1 1bba686537e5b535fb719d63553f540bc4613578
  SHA256 5e67dd45e731676f365be0f9cca039ce53adaef4a624f54bc1685dc801620b20
  SHA512 2070b74c7c457a39aa56447a166863f6db9d09d80690cc71f5295e36a70c2d254963b97a8a06fb5ac354d6246589112a3d926563b5d6587a59cb7d5ded3410fd
- 38KB
  MD5 b0d16ec2fd98c9bdeb0fe2fd889e9a46
  SHA1 2648b5cb2db0c93cf83e46e1831503df96d21bf0
  SHA256 2d0e9de7d2f3cad063edc19daa5418cd3930932eac7128b2da19d43806904da7
  SHA512 a17ce379b2011cc6d59280f4280b211860c9bfbf930ebc4efebb5830840f16993b10c915cc5ea3ac6ea00b8a1de00ece0c4f46aac12071796c4a7bfde81ae022
- 81KB
  MD5 c50ea7490866ff7e7ae4256eb55f0261
  SHA1 3cbdb8cc6415e847670bb28cfdf45076551c0f0e
  SHA256 50ea683500d42c02ea7c42e047a6f3b77fc3d09bbe50144e04d176627256b184
  SHA512 ba96a75e4a54f682943999c51550044edf8c99f846a2363d54d7c0bdc444038bce2183769539c6562fbe27ae86343c3a542b59c16cf58eb9627e8e2c22332194
- 1.2MB
  MD5 44a884e87359dfe3b64dfb2f511d2f64
  SHA1 bdff65ff64c46b86aa1d64625ac9608cbf465e70
  SHA256 228b12016dfb6a383206a73d6dd8a15b79081aa59f300f91bde748e2cc34f0d6
  SHA512 eeb5025de4af3758d8bc795ad558a454890dedee60e037f6e61723c69bb3a23bed60051dba0aa96041fce94e338d8970a519b73b269bd88283c9050475ede0fd
- 1KB
  MD5 536baf1f96d7ada7018620ea51441c5b
  SHA1 6aad011d42375eb68faa60e3b0e901596529eef7
  SHA256 990379399172149d9842b416eddaddfc521d25a8870ebc7b07f9ac987ca90983
  SHA512 d40a0bf91b8e2073190f12f7460417c0fd66bed36d39b52ad1260c8d7567f1445b13479381c3580c80d35a9f691f9834a6aa0a6302a393d84fd7d1ddc7eefe96
- 1.2MB
  MD5 9ad373dec65387a0f825167ac6f53011
  SHA1 9af6f90f439eb9a1c5382e4108def543d54ba004
  SHA256 690345c90bcb5668f1d4d64b779b722e654d4d5b665ba21157c80b6aac942314
  SHA512 3892e8a8c5644d1c3f9215b3a3311a6882b70e988c1e4e83adbb9a422b003105c1dc62a7a24ddbd16eac3f7cce46226a9b2182dd29eca1b5eaf6e0d0048defed
- 1.2MB
  MD5 16a74b844d1f3277d1b75490a853a28a
  SHA1 b950e2fe55ed18e89b6717866024e26d3a8876e7
  SHA256 78296eeff56307a35478ddea5902a6fd8e3794635dcb7d718809545680a83623
  SHA512 b08ccc7b9f7354255aa45c43bae16a705bea89c2f1ac9904b541799f22afa7c801d04905cf52a43fc8f1a25c5de21dccce98a7ac15c5660a5d2d2c774f1bcf9d