Analysis
max time kernel: 149s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-01-2024 05:49

Static task: static1
Behavioral task: behavioral1
Sample: 73e4b574f7a058d63f9b35f74580a338.dll
Resource: win7-20231215-en
General
Target: 73e4b574f7a058d63f9b35f74580a338.dll
Size: 2.0MB
MD5: 73e4b574f7a058d63f9b35f74580a338
SHA1: 4abd585b62be4d0a8efbd763891772521390c3f6
SHA256: d8ae9023a64efcbaf60e37647a920cf6757fa96a6e1e7357d67a3ac970c86eca
SHA512: 4e9aa099ae2b51d59db1818768b34662b8b812fdd37a26aa72bb7994b3219b34d1f0e14902154ae5c51eade8bdcf5bb0da7aa48fe23f7ca6de3c36974b4f5d97
SSDEEP: 12288:lVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1L:8fP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
- YARA rule match
  resource: behavioral2/memory/3524-4-0x0000000002600000-0x0000000002601000-memory.dmp
  yara_rule: dridex_stager_shellcode
- Executes dropped EXE (3 IoCs)
  pid 4616 MusNotificationUx.exe
  pid 4884 mfpmp.exe
  pid 3160 iexpress.exe
- Loads dropped DLL (3 IoCs)
  pid 4616 MusNotificationUx.exe
  pid 4884 mfpmp.exe
  pid 3160 iexpress.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mbfbagbrjs = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\91w\\mfpmp.exe"
- Checks whether UAC is enabled
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (rundll32.exe)
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (MusNotificationUx.exe)
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (mfpmp.exe)
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (iexpress.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 4472 rundll32.exe (6 entries)
  pid 3524, process name not recorded (all remaining entries)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Token: SeShutdownPrivilege, pid 3524
  Token: SeCreatePagefilePrivilege, pid 3524
  Token: SeShutdownPrivilege, pid 3524
  Token: SeCreatePagefilePrivilege, pid 3524
- Suspicious use of FindShellTrayWindow (2 IoCs)
  pid 3524
  pid 3524
- Suspicious use of UnmapMainImage (1 IoC)
  pid 3524
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 3524 wrote to memory of 2464, target process MusNotificationUx.exe (2 entries)
  PID 3524 wrote to memory of 4616, target process MusNotificationUx.exe (2 entries)
  PID 3524 wrote to memory of 3504, target process mfpmp.exe (2 entries)
  PID 3524 wrote to memory of 4884, target process mfpmp.exe (2 entries)
  PID 3524 wrote to memory of 2592, target process iexpress.exe (2 entries)
  PID 3524 wrote to memory of 3160, target process iexpress.exe (2 entries)
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\73e4b574f7a058d63f9b35f74580a338.dll,#1
  PID: 4472
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\MusNotificationUx.exe
  command line: C:\Windows\system32\MusNotificationUx.exe
  PID: 2464
- C:\Windows\system32\iexpress.exe
  command line: C:\Windows\system32\iexpress.exe
  PID: 2592
- C:\Users\Admin\AppData\Local\TLOsXXq\iexpress.exe
  command line: C:\Users\Admin\AppData\Local\TLOsXXq\iexpress.exe
  PID: 3160
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Users\Admin\AppData\Local\depNl9\mfpmp.exe
  command line: C:\Users\Admin\AppData\Local\depNl9\mfpmp.exe
  PID: 4884
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\mfpmp.exe
  command line: C:\Windows\system32\mfpmp.exe
  PID: 3504
- C:\Users\Admin\AppData\Local\eTSNNOaO4\MusNotificationUx.exe
  command line: C:\Users\Admin\AppData\Local\eTSNNOaO4\MusNotificationUx.exe
  PID: 4616
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 218KB
  MD5: d9952dc5d97cc9c3f0282b901116b146
  SHA1: a844c858f296e7fcc33d8ee88a1fdf67644b7dca
  SHA256: af3ca2cc9655f7ef5e8e1f61decdc4cf86dc436324e641f77286f11e6b8450ee
  SHA512: 5442786b95ae55b15ff3bdf57d402c200ca1d4464591b1bf791408a44612be9875e2583ff386f3b6964690c5ce59ffb2aaa010c27c05e27dba71c2565654325b
- Filesize: 254KB
  MD5: d9d52cd198acbf4737dd3f9384a7b736
  SHA1: 4f866b35338a0398f85e5acd507efa004c8c4eea
  SHA256: 319cb81937ca28d46f7f4c0d90589192907f3c9b3c6527001781d87a9ea78740
  SHA512: e56913b2af5ff74716333c52686d27e0e4079a81529a6f03c4ece933286e27ee1ff4b6ff01b1193d96eb0353844394b62e002e7bce2ec9b2d13fd0e9410ef75e
- Filesize: 99KB
  MD5: 227ab2fc33a1cc8fa4fb0237741fc617
  SHA1: 50690f645bf47779fa1d8e80578a797cfd87b6b6
  SHA256: cfabe68c6aa58ace3da85eb09dc5fcf79d5155010edb71437a1e602a9240b878
  SHA512: 94db1c88f56705e992310a833c86e3dcc69d6c13249306fe7a3efd20c956cbd8a8ad6ce9c32ef384f986df3ea017cf4856aa3b2b38960ed5f1b775dc7c9b2c8c
- Filesize: 166KB
  MD5: 17b93a43e25d821d01af40ba6babcc8c
  SHA1: 97c978d78056d995f751dfef1388d7cce4cc404a
  SHA256: d070b79fa254c528babb73d607a7a8fd53db89795d751f42fc0a283b61a76fd3
  SHA512: 6b5743b37a3be8ae9ee2ab84e0749c32c60544298a7cce396470aa40bbd13f2e838d5d98159f21d500d20817c51ebce4b1d2f554e3e05f6c7fc97bc9d70ea391
- Filesize: 192KB
  MD5: b28d560feee94aa29f2b811385d97bbe
  SHA1: c44a548f7b403c6e664fcb4c94b1462a308e0142
  SHA256: baff44255ff72d66715f8860a02e7714ca403d15d62baebb0c971fb93adfd004
  SHA512: 92d9bcc5c572faff1982bfab98d014c7984cb25cee32c6a25062af6a2946e96a12e66673d06ab3f45bf63de9b4b727c7d3ee20d58f304a595379447b8840141b
- Filesize: 270KB
  MD5: c50d98c861256764d4fa7d47390bbbd8
  SHA1: 3ae9f1c353703c0d4e8eaf4c470089e4da18fa8d
  SHA256: 0fe9efcc0deb9cf66cc46008730ab68f187e93aad09597194a5073c38df3545f
  SHA512: dda1b67cc1f0897bbb595527bf2f3867d66750957d25ff5ba2479c461f476315a652914ca3c943a68c4d87fff5891c43bcbc6602175d13694c56c174c5f66e3c
- Filesize: 46KB
  MD5: 8f8fd1988973bac0c5244431473b96a5
  SHA1: ce81ea37260d7cafe27612606cf044921ad1304c
  SHA256: 27287ac874cef86be03aee7b6d34fdc3bd208070ed20e44621a305865fb7579e
  SHA512: a91179e1561168b3b58f5ca893bce425d35f4a02aec20ac3d6fb944f5eb3c06b0a1b9d9f3fb9ea87869d65671d2b89b4ae19acf794372bdbd27f5e9756c5a8ab
- Filesize: 389KB
  MD5: 45dc6e99453e1cdf35359447794dd776
  SHA1: aab3ac86ab0f4c80ba091899ea80b29bf3894880
  SHA256: 5aefeb3c2a946e5829e8eb478f0e2047a738619b8417343afe68fe448e203bb6
  SHA512: 8c374c3eadcdeb79f4d7a2fc24821e346c458f75767bbbd8c656eb38e757838b7cd84e479fba588e5a6a9496baa176827e4ce70d77d4578ea78eb2224e3df5af
- Filesize: 233KB
  MD5: 606717695e29b8f039d948015e00003d
  SHA1: 690da4edffbe50ea1de3e6c482182a70c316a51f
  SHA256: 0f66ba44232658822e5bb5a7cdf8698850db92b0e916b7c908764ab67bec3e7b
  SHA512: de76525bee845410e2658a3ac42fcb7a54d77a67c6dff4292dbea057377cdd78326364a5918290f1f45ea381b28dafccb6a94480a2d8181bc8c6e54e5e1c0cc0
- Filesize: 174KB
  MD5: 81cea3d511bdbe79b733d7ed35abea05
  SHA1: d811ba18d3fc5ac2de26a0a9d0eadca3ea68408b
  SHA256: d5a5d37c0354cf166298171b7579b4902b321eeafbf3c751ad6ee3ecac3063c0
  SHA512: 97e3fdd0135f015ac75bee40f7098f5d4ec01ff7d0d703b7e79d58da0519f868c76ba7e6487527802f4bf08fb0879a6c0a0283c485328e21196153e9fa3b54c3
- Filesize: 387KB
  MD5: c7cabcfb1af104ac2fbb360b1221ea1b
  SHA1: dfcdd8a5f08ad36e782970eba26451166ded50c1
  SHA256: 44e0087aacb083e1f9e0dcc285243c97d85fe72115530db02e86a27de39b7809
  SHA512: ee524f087cd07c7a9d8bcbf256fd385aa58e420358adbeb0f1378b8466986a9ea4572da5c9d56be94e0f9f3c064dc703dd270185b95ff52acb983aec5f46c70a
- Filesize: 1KB
  MD5: 40046bbec3c19f403608a345603d1a10
  SHA1: eb3b1db462107936baf9e24b8c842ebeaa782a1e
  SHA256: ca030d8455840e50bce97872e5fbe8677b8f54876ee02a5fb3130d34fcf3d8d7
  SHA512: 5617bb88da6bd0d3e8b65bc435e9c06df4e09bfaa59293437b181c45c77d47f858db4183100a4c67676dd539f2be292bf92bf526c51be68e2db054d093a8ae55
- Filesize: 2.0MB
  MD5: 04b4170dc230fded01356074d3802a0a
  SHA1: c1259e7a90a7ded5ce2cf855c20b4830f5b55a3c
  SHA256: f4f4483765dcd61b550d99a02ebfc33eecd3784dbf5fe504495039e4a7591190
  SHA512: 927e4a7dbb0a6b5e46e3d5cecfac13ce26f3a1948141a2e2a3625a98d0a5bb6577e45691314ad23f79824cf4ab1fd3a50bcddb14cabfc3560e745b17cabd7c3b
- Filesize: 2.0MB
  MD5: 76c5af9abee001e721c3b6c1eec89276
  SHA1: a848688581557c61d7d67970aaf666d7cc86ebf2
  SHA256: d0d9c8e7955ad3eefd4943b75f3fa0d95af81a00b519fa1ff2bba3dd42430e34
  SHA512: f3b8da1f99e4d3c661f994a319bd7f57152813ad4bd1cca401529c6f9e65b7d9aec8908f3acb146fbad7cd7b8720350c2a85f375a28a8824a34bca5302190d13
- Filesize: 2.0MB
  MD5: 1054dfd902ffa49ed554c6b8cc50da6a
  SHA1: 62a4ac626c025c553589375d5e50b696689b2faf
  SHA256: cae591410d9deebbdacdcef826473def1d15f9bf36aaa13ddbd2900836bb2a24
  SHA512: b8d7a7dae1893847f6fc739a8c7272644679a2a83792b7e6add50d6d4c9f94d3763a73c86e6b8a90f4a638b3e4b6fcd21122f2f9c050d556644a9655f40d557e