Analysis
max time kernel: 151s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-12-2023 20:39
Static task: static1
Behavioral task: behavioral1
Sample: 0363154b6154c58e1968193a92704afc.dll
Resource: win7-20231215-en

General
Target: 0363154b6154c58e1968193a92704afc.dll
Size: 2.0MB
MD5: 0363154b6154c58e1968193a92704afc
SHA1: cefe766c0f88c2ca05a0d84ad75a7c65cf51f484
SHA256: 5828977b2ceed7da8ad59af7255116b6eacb7624a0106f0604bc3ce29e4470be
SHA512: 772f23f5b47f9802caad4d0f693dc5cba562eb2028e3a20aa0120989b5c5e0a88c6ce037e6cf3dfada990bd936d05fe0d56403f101fcc6639ac11a5e2af56ab6
SSDEEP: 12288:3VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:+fP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
Dridex stager shellcode detected in memory (YARA rule dridex_stager_shellcode) 1 IoCs
Resource: behavioral2/memory/3388-4-0x0000000002F80000-0x0000000002F81000-memory.dmp (PID 3388, a single 4 KB page at 0x2F80000)
Executes dropped EXE 3 IoCs
PID 2400 MDMAppInstaller.exe
PID 4416 RecoveryDrive.exe
PID 4760 OptionalFeatures.exe
Loads dropped DLL 3 IoCs
PID 2400 MDMAppInstaller.exe
PID 4416 RecoveryDrive.exe
PID 4760 OptionalFeatures.exe
Adds Run key to start application 2 TTPs 1 IoCs
Set value (str) \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Dturazvnnsjkgvr = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\Keys\\S0\\RecoveryDrive.exe"
Process: not recorded in the report
Checks whether UAC is enabled 4 IoCs
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA by rundll32.exe, MDMAppInstaller.exe, RecoveryDrive.exe and OptionalFeatures.exe (the process tree below attributes this behaviour to PIDs 924, 2400, 4416 and 4760)
Suspicious behavior: EnumeratesProcesses 64 IoCs
PID 924 rundll32.exe (4 entries)
PID 3388 (all remaining entries; process name not recorded in the report)
Suspicious use of AdjustPrivilegeToken 8 IoCs
PID 3388: Token: SeShutdownPrivilege and Token: SeCreatePagefilePrivilege, alternating, four times each
Suspicious use of FindShellTrayWindow 2 IoCs
PID 3388 (2 entries)
Suspicious use of UnmapMainImage 1 IoCs
PID 3388
Suspicious use of WriteProcessMemory 12 IoCs
PID 3388 wrote to memory of 3428 (procid_target 93), twice
PID 3388 wrote to memory of 2400 (procid_target 92), twice
PID 3388 wrote to memory of 2880 (procid_target 94), twice
PID 3388 wrote to memory of 4416 (procid_target 95), twice
PID 3388 wrote to memory of 4080 (procid_target 96), twice
PID 3388 wrote to memory of 4760 (procid_target 97), twice
Every target is one of the six processes in the tree below; PID 3388 itself, the process holding the Dridex stager shellcode, does not appear in that tree.
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Windows\system32\rundll32.exe (PID 924)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\0363154b6154c58e1968193a92704afc.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
C:\Users\Admin\AppData\Local\T12i\MDMAppInstaller.exe (PID 2400)
  Command line: C:\Users\Admin\AppData\Local\T12i\MDMAppInstaller.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
C:\Windows\system32\MDMAppInstaller.exe (PID 3428)
  Command line: C:\Windows\system32\MDMAppInstaller.exe
C:\Windows\system32\RecoveryDrive.exe (PID 2880)
  Command line: C:\Windows\system32\RecoveryDrive.exe
C:\Users\Admin\AppData\Local\DiB7SxO4K\RecoveryDrive.exe (PID 4416)
  Command line: C:\Users\Admin\AppData\Local\DiB7SxO4K\RecoveryDrive.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
C:\Windows\system32\OptionalFeatures.exe (PID 4080)
  Command line: C:\Windows\system32\OptionalFeatures.exe
C:\Users\Admin\AppData\Local\ynvUt\OptionalFeatures.exe (PID 4760)
  Command line: C:\Users\Admin\AppData\Local\ynvUt\OptionalFeatures.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
Network
MITRE ATT&CK Enterprise v15
Downloads
16 dropped files, identified by hash only (the report records no filenames). The last three are 2.0MB, the same size as the submitted DLL, but with different hashes.

Filesize 70KB
MD5 b2e6aa6df3db504b5d79157b7cd09ab4
SHA1 bdd2a3d924cbbaaa867ac91c4495662acbb9b4cf
SHA256 1e0cc051f55c4e93d5b5d19a7517afe804302c6971d40f49d81c9076d1151bb4
SHA512 d8891971ba5c3696ccef5aac92737daf25a4e9fc2e6c6a511c335bb3f483fce824185380ea5d0eef558e0cefdc417ac44697118b7f71f45e758fc70e84e9dae3

Filesize 148KB
MD5 0b5d2c967d288cfd28af7e641f43f7df
SHA1 50a2a3bcba8ec563edd5f6c7eef438ef34dfe788
SHA256 1e006587c028461d9f578e9be4da920d1a51c89080981e38f8307c47cde64712
SHA512 1f6412fae4c314afae3fa6cff6eba25713ffaf82a30a7c1725bf9916e4fb31c35437fc9cddde722ac42b0f7ef065a5a2e77ca51ab9bf6cd6dc70c29be2e6480f

Filesize 150KB
MD5 39f3931498bcf86baaedbc9b37339f24
SHA1 10778ed0b8989a187a94cce735f05d93942743e2
SHA256 a0124dd2b5748bf50b419cb203928138788addbd91146393b9d56be40fb99223
SHA512 a727201d04c8257ed6f9f8824c93700f56213d71162b45242ce0f5d70fbc2b528f9723683a8ae732a3948d122b8f6395fd87cadd1c852dafc667d04ea5ccf0df

Filesize 123KB
MD5 b4170e0267f661f6d8bb2d91f2bf92a0
SHA1 4cae850d79e2ca8ad3adb3d130eb8a070622f622
SHA256 bed0cd1ce22617111543504d1f3c34a7d29a3002b19805407ee2693c8732282c
SHA512 70651a46c86ab1a856cd2d50734ed528d840e052a7a7ab37b4097e1ce075005b1c4ef1fdb05b1f05f6a2f7f0e9fa2d420ff5c754f915e9f9f11dd822f98bdf45

Filesize 151KB
MD5 30e978cc6830b04f1e7ed285cccaa746
SHA1 e915147c17e113c676c635e2102bbff90fb7aa52
SHA256 dc821931f63117962e2266acd3266e86bf8116d4a14b3adbebfade1d40b84766
SHA512 331923fa479f71c4c80b0e86ea238628666f95b6cf61cf4d741ae4a27ea2b8c636864dfac543d14599b4873f3b2ab397d07c4e4c17aca3f3b4e5871e24e50214

Filesize 148KB
MD5 8642ade7f1b6db865b2fc489f509f622
SHA1 9414ac31c33f9c67e1d73da482440b0455902d8b
SHA256 052dd4150d0e7c3e79e5958dacdfc1aee87cc76e1c4ec75dcc071f2473b19a44
SHA512 6fce6477d24481e0ab4002a078329ec95c0a4875918e5183b1a41826907d837f0cce997f2557e107c9aee057a04b447787d30be36353b5099a094cf6716ddf88

Filesize 185KB
MD5 3fa0b7885789ab1186f3a43c8f4f9bab
SHA1 09a636f2d4b7462eba81f8a1caffa9ba4cccb334
SHA256 83c3b77e51732759ed40056919fe6efe4ebf107a864b10299ee8f0a1070be40c
SHA512 fccb95e3c9c911fb5bcca0b8128c057dbbd514ab6f84549d79a303c156899993ff00bb0a6faeacd57865316969fcb22851c68066a59baf894c36baf814bb2aec

Filesize 208KB
MD5 03b19b3c61bcac1feeca77f069bbd1e5
SHA1 3e9dd661aea282ddd05d061ba542db36fb9bf255
SHA256 d0cfeb1b04176ec5e1179b7230d9c72ab12b9e6b895ed2b01a4ea357b3206af4
SHA512 37b333156e6d98955d0a6f16277087e72ec45e4f1bd3fa60142168d7fff33075ff133cf08da38b111d8594aa7ffbc9cbcbf9758a9d2fa502018cde5f962299a4

Filesize 110KB
MD5 d6cd8bef71458804dbc33b88ace56372
SHA1 a18b58445be2492c5d37abad69b5aa0d29416a60
SHA256 fa2e741416994f2c1bf9ef7a16b9c4dbf20c84267e3da91ae6f1ad75ee9f49b8
SHA512 1bed8af2cf99a7f3bb36a34f4a71c34787904bd072ecdc731fb7498290dcf4024b956fb8b6912ad050b74aa861f0b0349081b77088f72732bda5075413b1f83d

Filesize 79KB
MD5 10f70fbe0067afc89a0a6f2cdc547c80
SHA1 2d39851a8dbc7f49a75b34a1f0e735fae51a996c
SHA256 44ec5b759837632271e8273bc9cc8d2db245651a38ad61983a149bcf3c303341
SHA512 a6bc5a763addbcf415380753a2a86140083df225b3ad449adf757914e53c80f9e70ee0a97bd3dcf029267cd2cb4deb5a896911b70d164632b550f00f04c2cd9f

Filesize 31KB
MD5 7b9dc495effd6f8b350bda01192d5d38
SHA1 86c4fd9648b22420664aa854665c4274ca2c5bee
SHA256 d3aabcd52cdfc6d3949cf3c6faf614fa5fba663670526c74061ddad23722f052
SHA512 70fb73b75646136b77911399ec889f4c0cd636c8d3b320fca189bcd10fc9cf776e7dd2131caa804d3ee81c53a646d88c57d82c9de8b697dd8a269bf9f755e2ad

Filesize 100KB
MD5 8b2e50cd9081acc9e81bcfdf1218a461
SHA1 35488e703a8da322e34ac84e802645db574917e9
SHA256 6e0b7cf8e54d4ccb651d8530a5f3634dc88e348547da15cc72b15f3f231c9669
SHA512 65f6c72c63b5a9e0e02b3daaf264f3c36d3bf844f7213c58cdc1379f56a38bd5b9ca5d934de2c94fa9a9ff28ea570ffcf09b53591429abf6d92c8747cc06e5eb

Filesize 1KB
MD5 085d583552d1eb72e1422fc92c69242c
SHA1 6fbfc1bbc9224c111147df9e9594b773791f203b
SHA256 32d006352829aacee3c6cc3da82f93296e56f6ac343fbcf75b7f10dfe620862b
SHA512 3233442b3d70892b41e46fd4cc4894c322cb0106e1a63d028b58d9d8e270f02c8ee859c0a9ea2604e39191e1e2b4135afa7d62ebecb0c6271b323d1a2472ce78

Filesize 2.0MB
MD5 03368cacb42d1be38ad6af5c7f08c3ed
SHA1 ecbdb102613bd6d90fc14e5c1a2804fa11c56868
SHA256 e3732f1b5cd7a29876fc285f45c1aed7d9792b84ebe70c0e29f833fd19824d6e
SHA512 9685534ec032e37ff005a0625c64388fd3815c797a03059548b4b13171f4efe6a55b8bdd5986324eb9a98fca54cd0dc8a491095ece446bb9851f40a865ce6c7a

Filesize 2.0MB
MD5 5a9b99c4d0575658dfa0c8156609afa3
SHA1 378242aa0f286110e9b4716919310e1a8b4e94d1
SHA256 6802c75118da28d6e0db40eed175205f32f1b3d1b3b1f37884121e800af3bdb2
SHA512 e92bd8246896c2803a832a0bfbe01e077fd913b2e2d3080f2bda413c570173c25f1e9dfc26ffa6ff58533e04bd6916f53c147c1fc4c97faa4b8611cf23e3534f

Filesize 2.0MB
MD5 04346ed6595d8fbaac2ae155cf02a221
SHA1 a904f217a90183047678e4dfeaf2cc3592fe3caf
SHA256 4a0d9a6fea773ea64be87b3a9efdd3f61afc553a9e55d1a4000d514c90739aba
SHA512 f707f140dfaaa4980183354b9b7718d13514222c9b47f1a0c8cb8eefce249094585558835f1c2383d9a492afddde98bb6bee03dde5b198758f320ff8637645f0