Analysis
- max time kernel: 151s
- max time network: 146s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21-01-2024 08:51
- Static task: static1
- Behavioral task: behavioral1
- Sample: 6ce094e7633ddc304e6c7b56a7e56e86.dll
- Resource: win7-20231215-en
General
- Target: 6ce094e7633ddc304e6c7b56a7e56e86.dll
- Size: 1.7MB
- MD5: 6ce094e7633ddc304e6c7b56a7e56e86
- SHA1: 693a8ad317cc0ece3f05edc77e1fd28d452483dd
- SHA256: dcb4e6dfc9dea7413fcd611f3f06c684dc85f48b698fe86c13fe9884756f81da
- SHA512: 8f28d13f798af1fc4adef5339271054e165f0f18852c1482c8e685566a1cb77df217511fd3a01150ef7a27ed91d1ef58bbb9c160f0b0f925eace7c0d40f4c42b
- SSDEEP: 12288:9VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:kfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
- YARA rule hit
  Processes (resource | yara_rule):
  behavioral2/memory/3532-4-0x00000000032C0000-0x00000000032C1000-memory.dmp | dridex_stager_shellcode
- Executes dropped EXE (3 IoCs)
  Processes (pid | process):
  732 | MusNotifyIcon.exe
  3708 | slui.exe
  2664 | wscript.exe
- Loads dropped DLL (3 IoCs)
  Processes (pid | process):
  732 | MusNotifyIcon.exe
  3708 | slui.exe
  2664 | wscript.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes (description | ioc | process):
  Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gdfgjdhwrlpouj = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Word\\b1ilq\\slui.exe" | (process not recorded)
- Checks whether UAC is enabled
  Processes (description | ioc | process):
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | MusNotifyIcon.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | slui.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | wscript.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid | process):
  4796 | rundll32.exe (4 entries)
  3532 | (process name not recorded; the remaining 60 entries)
- Suspicious use of UnmapMainImage (1 IoCs)
  Processes (pid | process):
  3532 | (process name not recorded)
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description | pid | process | target process), each entry recorded twice:
  PID 3532 wrote to memory of 2916 | 3532 | (not recorded) | MusNotifyIcon.exe
  PID 3532 wrote to memory of 732 | 3532 | (not recorded) | MusNotifyIcon.exe
  PID 3532 wrote to memory of 2300 | 3532 | (not recorded) | slui.exe
  PID 3532 wrote to memory of 3708 | 3532 | (not recorded) | slui.exe
  PID 3532 wrote to memory of 2164 | 3532 | (not recorded) | wscript.exe
  PID 3532 wrote to memory of 2664 | 3532 | (not recorded) | wscript.exe
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\rundll32.exe (PID: 4796)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\6ce094e7633ddc304e6c7b56a7e56e86.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\MusNotifyIcon.exe (PID: 2916)
  Command line: C:\Windows\system32\MusNotifyIcon.exe
- C:\Users\Admin\AppData\Local\pgvj\MusNotifyIcon.exe (PID: 732)
  Command line: C:\Users\Admin\AppData\Local\pgvj\MusNotifyIcon.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\slui.exe (PID: 2300)
  Command line: C:\Windows\system32\slui.exe
- C:\Users\Admin\AppData\Local\8zj\slui.exe (PID: 3708)
  Command line: C:\Users\Admin\AppData\Local\8zj\slui.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\wscript.exe (PID: 2164)
  Command line: C:\Windows\system32\wscript.exe
- C:\Users\Admin\AppData\Local\953\wscript.exe (PID: 2664)
  Command line: C:\Users\Admin\AppData\Local\953\wscript.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
Network
MITRE ATT&CK Enterprise v15
Downloads