Analysis
max time kernel: 150s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-01-2024 05:15
Static task: static1
Behavioral task: behavioral1
Sample: 73d3e10fa82e2301bd8fb5cabf77c864.dll
Resource: win7-20231129-en
General
Target: 73d3e10fa82e2301bd8fb5cabf77c864.dll
Size: 1.8MB
MD5: 73d3e10fa82e2301bd8fb5cabf77c864
SHA1: d2b3b357137270b8fd1a4d7e2cb60a8b6ff1dc05
SHA256: bdec67160c740cc4f649a1688c8cdc2467729c086df711606600d9967c967641
SHA512: 8b3af541942e69cb96783ed8ea2ac18bda4e9e91d1ea57e1ab8d6b66ca07ec51c699bccf3b612e98b98ab37f929a30cb3547a7d97210289a8928e90b6fc46c81
SSDEEP: 12288:5VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:4fP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures

Processes:
resource | yara_rule
behavioral2/memory/3504-4-0x0000000007FE0000-0x0000000007FE1000-memory.dmp | dridex_stager_shellcode

Executes dropped EXE 3 IoCs
Processes:
pid | process
2284 | isoburn.exe
1412 | isoburn.exe
2404 | mfpmp.exe

Loads dropped DLL 3 IoCs
Processes:
pid | process
2284 | isoburn.exe
1412 | isoburn.exe
2404 | mfpmp.exe

Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mbfbagbrjs = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Office\\Recent\\CWCyC\\ouKP\\isoburn.exe" | (not recorded)

Checks whether UAC is enabled
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | isoburn.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | isoburn.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | mfpmp.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process
4948 | rundll32.exe (4 entries)
3504 | (process name not recorded; the remaining 60 entries)

Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
description | pid | process
Token: SeShutdownPrivilege | 3504 | (not recorded)
Token: SeCreatePagefilePrivilege | 3504 | (not recorded)
Token: SeShutdownPrivilege | 3504 | (not recorded)
Token: SeCreatePagefilePrivilege | 3504 | (not recorded)

Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
pid | process
3504 | (not recorded)
3504 | (not recorded)

Suspicious use of UnmapMainImage 1 IoCs
Processes:
pid | process
3504 | (not recorded)

Suspicious use of WriteProcessMemory 12 IoCs
Processes:
description | pid | process | target process
PID 3504 wrote to memory of 2164 | 3504 | (not recorded) | isoburn.exe
PID 3504 wrote to memory of 2164 | 3504 | (not recorded) | isoburn.exe
PID 3504 wrote to memory of 2284 | 3504 | (not recorded) | isoburn.exe
PID 3504 wrote to memory of 2284 | 3504 | (not recorded) | isoburn.exe
PID 3504 wrote to memory of 2072 | 3504 | (not recorded) | isoburn.exe
PID 3504 wrote to memory of 2072 | 3504 | (not recorded) | isoburn.exe
PID 3504 wrote to memory of 1412 | 3504 | (not recorded) | isoburn.exe
PID 3504 wrote to memory of 1412 | 3504 | (not recorded) | isoburn.exe
PID 3504 wrote to memory of 2472 | 3504 | (not recorded) | mfpmp.exe
PID 3504 wrote to memory of 2472 | 3504 | (not recorded) | mfpmp.exe
PID 3504 wrote to memory of 2404 | 3504 | (not recorded) | mfpmp.exe
PID 3504 wrote to memory of 2404 | 3504 | (not recorded) | mfpmp.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\73d3e10fa82e2301bd8fb5cabf77c864.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID: 4948

C:\Windows\system32\isoburn.exe
  command line: C:\Windows\system32\isoburn.exe
  PID: 2164

C:\Users\Admin\AppData\Local\mslkdfAq\isoburn.exe
  command line: C:\Users\Admin\AppData\Local\mslkdfAq\isoburn.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 2284

C:\Windows\system32\isoburn.exe
  command line: C:\Windows\system32\isoburn.exe
  PID: 2072

C:\Windows\system32\mfpmp.exe
  command line: C:\Windows\system32\mfpmp.exe
  PID: 2472

C:\Users\Admin\AppData\Local\n3NOY\mfpmp.exe
  command line: C:\Users\Admin\AppData\Local\n3NOY\mfpmp.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 2404

C:\Users\Admin\AppData\Local\gvgm8wZiN\isoburn.exe
  command line: C:\Users\Admin\AppData\Local\gvgm8wZiN\isoburn.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 1412
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 138KB
MD5: 15e8d2e818b6ad64d7c36234aed2d7be
SHA1: 15417d4070fce1aa88b9ccd971dcdce8eb3879b0
SHA256: 50ab7c606f24d71081f45dd1b780c36d64c8ca7fdf4d6aaf0f9bae9613706eeb
SHA512: 7442becfa2d3aeeec71e1bfe07e58b21ce585b9b4ee176da97b38ae6a62520b7985325aa23a62de306120a7587aaf0734370f7ef65adc29d2f693cd3b42e8a3f

Filesize: 80KB
MD5: 07628c7eea55e8ea1d92e6a5c800a179
SHA1: 6a942af764efbdbc75aa119f93533cb19d99e180
SHA256: acb0332c9d8d0ce5035cdddce2e0ca4f4fde9bcb62d1dfacf991d26237cc51af
SHA512: 94ed070a7cd339dc7bb2d51f84dfe39a8c50b1bf10acf74d2c37b695ad461df595fe0bfe592fb98e02688685d7d3a0dc96dab6670912f4a7ebb4ac7f3197701e

Filesize: 71KB
MD5: c6c36c4b03b120d1729a7c6d1d133f0e
SHA1: 34a936148f7db694b30773ba5d05b8936a97f00b
SHA256: 1593c2a41473e78d0132e9c392d0db03de540ecb23e28721680b9d2c23ae964c
SHA512: 11921c3aa80a1219394e47291ea5439e34e95b75965574a60ae0920a87e22eba8257493664b5ecf4fdebad8eb4c711070edb77652e90f2cb8832f57f657603b2

Filesize: 15KB
MD5: 30f3913caebdcd0081d900c4b0192a4e
SHA1: 54b29d951346f292ae0e43064c7a9c2eb0aaeb1f
SHA256: a7529b76c5043ac8967f5573a44891033ee711e9165ebacef636c174f06358c0
SHA512: 484b2678c993d8cd5a51043f1cb5379c908b32f8df0297c585342a4ac64c9879b2046a64f769b7472bfb70e55481fb6ec5ef2d2715d854b5f77ced17bf9abd21

Filesize: (not recorded; these are the digests of a zero-byte file)
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Filesize: 35KB
MD5: 41bfad340d11aff8e50c88de84d28b4c
SHA1: 8d5a76bda3a584755d19a4f4a9f8a249637b8d63
SHA256: 05eff330eef9b282c3457a6923f76fc837c23fc12145c04e56bc4c768523e534
SHA512: ef095ac1809d219a34d7f3abf2753924edf5c0aa9638a4097a495be6c3341feffc0d09bdd4ef52f38414d18d9a1f95c7865d336074cfd55429adaf5b8fbb6e33

Filesize: 82KB
MD5: f3cc8445e6753cb30ec83e58ac59d25f
SHA1: 3dd6f18971d944475a12fbbd85d4cd829fda3720
SHA256: 152a8b970a9676dc3af349dfea66ba83cdef15f4c4931f7de84b8c6b7a948217
SHA512: 209058d04a90c98bceb510cff9785c1ef36823d57b415bdefcd34b8278979b461c54f3c5ce56e5000b99b720e1113f479e5b81f7281a51369a39e4182e32a48f

Filesize: 100KB
MD5: ca94b6cb71349a463eac16b0a329bfc6
SHA1: ad56dea15c0a17753d3977ebfffc81b3139b70c3
SHA256: db01b8e242b4cd843c1947b123217bcb68c3d2039f0402868594bd924b45c883
SHA512: fc74dc23e944939b926b064962705462333d8920be833727e595c96afb0dbcb5d3bc1e4d28717f36756b4e5f73fc3f96fcad435cb10cf59c2c0ce07fb80dc9d2

Filesize: 28KB
MD5: 3413984e77be21626bf83b7b85665cd6
SHA1: 6eb4212ce0d8452cda09ebc42b58f1ab9877f3bf
SHA256: c66fc32105b47c46fa6dc5a59b2a00f1f67b049bd209b4b31b54a4bf8835ce89
SHA512: c22b353bd9ee4a8be03da624a4ec9bb7e88741732d6bd538fe3e4d4771ff6ea0b8996a820da5ce1305243d584bd05eb5534b1c48d990b7fac1735b41e6d04216

Filesize: 39KB
MD5: 2ff57e7d66bae3d21677592a3d1ddd2f
SHA1: 969c1bf3c8808efa66a4ced4b6a136074fc1db56
SHA256: db390f6f4e344617b9bc3bef92d745cb8f9859bda4773bb07b345db63d0cbc79
SHA512: dd2d8113d6995d1de4c32acc72885833741e66f1af7ee17b4a717fcede141041370b05c329c984855336724c0d9b1522146f3442291c936b896b68ab77d7a2f4

Filesize: 46KB
MD5: 8f8fd1988973bac0c5244431473b96a5
SHA1: ce81ea37260d7cafe27612606cf044921ad1304c
SHA256: 27287ac874cef86be03aee7b6d34fdc3bd208070ed20e44621a305865fb7579e
SHA512: a91179e1561168b3b58f5ca893bce425d35f4a02aec20ac3d6fb944f5eb3c06b0a1b9d9f3fb9ea87869d65671d2b89b4ae19acf794372bdbd27f5e9756c5a8ab

Filesize: 1KB
MD5: 404e6c92c428b627361da81ec542776c
SHA1: a5e33c72261afe54ea0b7912c2d1a65e8e2d3f27
SHA256: 45ee3583d979ca2d5caa884ab1f7b458b2d2f4f3197d17860973ab8cde33c059
SHA512: ccc011a710310370ad7b0be723de27dab0a10aef98e3ec8fc6a4bbc8c5aa4ae731b9963c6a8aeb6863b0ea50b13bddeecbb483fcbee6f1ba799d160895f43ff7

Filesize: 1.2MB
MD5: ca28274475764cd6d8075474c5574e3e
SHA1: a4c57beb819ab936fa1d765b0cd1194dcbcf5d1b
SHA256: 21052531521f0f38b2482599c6f82decf2890df1341989ea24fb2f3b7374387f
SHA512: 08e70731de840db82ab07da3bb2ca782ce267843673a4f3870a4209402f38c148838e20e28a3a7dd03fdb67de8a84495a5d45bbb04827fa0c1207f1a35cbc586

Filesize: 1.8MB
MD5: 9ecf31d7088b51e001aa8cb02e373bf4
SHA1: 081920d046bb2d3fe747d1a44328e303a50df101
SHA256: b849fcb1345d334e85c4db081d4e23b8757552456e7b139aefd0281548a17500
SHA512: 117eadade9f63c4f2e52e8b82f319f7a4ae09c303ce6dfc915f5d71b231b41adb5b9972fbbc94c20f26d07b1ea8d60fe81eb041beb6d5024d581233e45133d7e

Filesize: 1.8MB
MD5: 2e1583a5837e56cdb9c33cf16afbfff6
SHA1: 46b6c6de029c3ddd8cd3b5bf6eb1e4fbe66b1f01
SHA256: 2abe0c8a5de2c562a9627e4e214317daf90c42aca9012f16968d0dc94cfe70fa
SHA512: 6d4e7e353a0db64be250e01a69959c54ef43e1559dd3427c1930be5701cad0b966ea63e359744a5856198a3a0228aaa6a249745dd95f0fb2c3951c6b710cf3bf