Analysis
max time kernel: 150s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-01-2024 20:50
Static task: static1
Behavioral task: behavioral1
Sample: 757e0a2c79443f7d9de1d2fa72898839.dll
Resource: win7-20231215-en
General
Target: 757e0a2c79443f7d9de1d2fa72898839.dll
Size: 668KB
MD5: 757e0a2c79443f7d9de1d2fa72898839
SHA1: 60098803bc798f80bf40d9f4621651f344c6dc23
SHA256: 18d9182f2a3793c2c3eae6bb486603ed056d9bd1d3303da091ceaa8fbed7228b
SHA512: 018eb061037a6f67b58978399855a60802d4cb3b3822d23c2747de1d5d83258dabb10d1423510cf8cff05f5c25828685f3cf190b8d68bee3484595b71f4edda0
SSDEEP: 6144:o34xznfAp4x+NWMqW/KZ1vCDTEpc2bysCZR6iwAtUnWKT5WK8Rpv1llfFfCRAuTF:oIKp/UWCZdCDh2IZDwAFRpR6Au
Malware Config
Signatures
Processes:
resource                                                                      yara_rule
behavioral2/memory/3560-3-0x00000000027F0000-0x00000000027F1000-memory.dmp    dridex_stager_shellcode

Processes:
resource                                                                      yara_rule
behavioral2/memory/3140-1-0x00007FF932A90000-0x00007FF932B37000-memory.dmp    dridex_payload
behavioral2/memory/3560-17-0x0000000140000000-0x00000001400A7000-memory.dmp   dridex_payload
behavioral2/memory/3560-24-0x0000000140000000-0x00000001400A7000-memory.dmp   dridex_payload
behavioral2/memory/3560-35-0x0000000140000000-0x00000001400A7000-memory.dmp   dridex_payload
behavioral2/memory/3140-38-0x00007FF932A90000-0x00007FF932B37000-memory.dmp   dridex_payload
behavioral2/memory/4612-45-0x00007FF922830000-0x00007FF9228D8000-memory.dmp   dridex_payload
behavioral2/memory/4612-50-0x00007FF922830000-0x00007FF9228D8000-memory.dmp   dridex_payload
behavioral2/memory/2104-61-0x00007FF922C90000-0x00007FF922D38000-memory.dmp   dridex_payload
behavioral2/memory/2104-66-0x00007FF922C90000-0x00007FF922D38000-memory.dmp   dridex_payload
behavioral2/memory/4452-82-0x00007FF922C90000-0x00007FF922D38000-memory.dmp   dridex_payload
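The dump resource names in the YARA table above encode the PID, a sequence number and the start and end address of the region that matched. Parsing them gives the analyst two things the table does not show directly: the size of each flagged region (which can be compared with the file sizes elsewhere on this page) and whether a region sits at the default x64 image base rather than at an ASLR-assigned address. The following is an added example written for this report, not part of the sandbox's output; the resource names and rule names are copied from the table above, and the size and base heuristics are assumptions of the example.

```python
"""Parse the sandbox's memory-dump resource names into region sizes and bases.

Added example for this report, not sandbox code. The YARA_HITS entries are copied
from the signature table above; the parsing and the heuristics below are ours.
"""
import re
from collections import defaultdict

# Constructed list: (resource name, rule) pairs copied from the table above.
YARA_HITS = [
    ("behavioral2/memory/3560-3-0x00000000027F0000-0x00000000027F1000-memory.dmp", "dridex_stager_shellcode"),
    ("behavioral2/memory/3140-1-0x00007FF932A90000-0x00007FF932B37000-memory.dmp", "dridex_payload"),
    ("behavioral2/memory/3560-17-0x0000000140000000-0x00000001400A7000-memory.dmp", "dridex_payload"),
    ("behavioral2/memory/3560-24-0x0000000140000000-0x00000001400A7000-memory.dmp", "dridex_payload"),
    ("behavioral2/memory/3560-35-0x0000000140000000-0x00000001400A7000-memory.dmp", "dridex_payload"),
    ("behavioral2/memory/3140-38-0x00007FF932A90000-0x00007FF932B37000-memory.dmp", "dridex_payload"),
    ("behavioral2/memory/4612-45-0x00007FF922830000-0x00007FF9228D8000-memory.dmp", "dridex_payload"),
    ("behavioral2/memory/4612-50-0x00007FF922830000-0x00007FF9228D8000-memory.dmp", "dridex_payload"),
    ("behavioral2/memory/2104-61-0x00007FF922C90000-0x00007FF922D38000-memory.dmp", "dridex_payload"),
    ("behavioral2/memory/2104-66-0x00007FF922C90000-0x00007FF922D38000-memory.dmp", "dridex_payload"),
    ("behavioral2/memory/4452-82-0x00007FF922C90000-0x00007FF922D38000-memory.dmp", "dridex_payload"),
]

# Default preferred image base the MSVC linker assigns to x64 executables.
X64_DEFAULT_IMAGE_BASE = 0x140000000

_DUMP_RE = re.compile(
    r"(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_dump_name(resource):
    """Split 'pid-seq-0xSTART-0xEND-memory.dmp' into fields plus the region size in bytes."""
    m = _DUMP_RE.search(resource)
    if m is None:
        raise ValueError(f"not a memory dump resource name: {resource}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted region: {resource}")
    return {"pid": int(m["pid"]), "seq": int(m["seq"]), "start": start, "end": end, "size": end - start}


def region_size_kib(resource):
    """Region size in KiB, the unit this report uses for file sizes (e.g. 668KB)."""
    return parse_dump_name(resource)["size"] // 1024


def distinct_regions(hits):
    """Collapse repeated dumps of one (pid, start, end) region. The sandbox dumps the
    same region several times during the run, so hits per region is the useful count."""
    regions = {}
    for resource, rule in hits:
        r = parse_dump_name(resource)
        key = (r["pid"], r["start"], r["end"])
        entry = regions.setdefault(key, {"rule": rule, "size": r["size"], "hits": 0, "seqs": []})
        entry["hits"] += 1
        entry["seqs"].append(r["seq"])
    return regions


def regions_by_size_kib(hits):
    """Map region size in KiB -> sorted (pid, rule) pairs, so a size taken from the
    file list (sample 668KB, dropped files 672KB) can be looked up directly."""
    by_size = defaultdict(set)
    for (pid, _start, _end), entry in distinct_regions(hits).items():
        by_size[entry["size"] // 1024].add((pid, entry["rule"]))
    return {kib: sorted(pairs) for kib, pairs in by_size.items()}


def preferred_base_pids(hits, base=X64_DEFAULT_IMAGE_BASE):
    """PIDs with a flagged region starting exactly at the default x64 image base.
    Heuristic (assumption): loader-mapped system DLLs under ASLR land in the 0x7FF...
    range like the other hits; an image at its preferred base hints at manual mapping."""
    return sorted({pid for (pid, start, _end) in distinct_regions(hits) if start == base})


if __name__ == "__main__":
    for (pid, start, end), entry in sorted(distinct_regions(YARA_HITS).items()):
        print(f"pid {pid:5d}  {start:#018x}-{end:#018x}  {entry['size'] // 1024:4d} KiB  "
              f"{entry['rule']}  hits={entry['hits']} seqs={entry['seqs']}")
    print("by size (KiB):", regions_by_size_kib(YARA_HITS))
    print("at preferred x64 base:", preferred_base_pids(YARA_HITS))
```

Run as a script it prints one line per distinct region. The two 668 KiB regions (PIDs 3140 and 3560) match the 668KB size of the submitted DLL, the three 672 KiB regions (PIDs 4612, 2104, 4452) match the 672KB files in the Downloads list, and the stager shellcode hit in PID 3560 is a single 4 KiB page. Only PID 3560 has a region at 0x140000000.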
Executes dropped EXE 3 IoCs
Processes:
pid   process
4612  DisplaySwitch.exe
2104  msconfig.exe
4452  MusNotifyIcon.exe

Loads dropped DLL 3 IoCs
Processes:
pid   process
4612  DisplaySwitch.exe
2104  msconfig.exe
4452  MusNotifyIcon.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description      ioc                                                                                                                                                                                                              process
Set value (str)  \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qzenv = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\4webIN\\msconfig.exe"
The value uses 8.3 short names; on a default profile MICROS~1 and STARTM~1 expand to Microsoft and Start Menu, so the persisted binary lives under the user's Start Menu folder. This is a different directory from the msconfig.exe copy that actually ran in this task (C:\Users\Admin\AppData\Local\bdronWpUY\msconfig.exe), so a hunt keyed on one path will miss the other.
Checks whether UAC is enabled 4 IoCs
Processes:
description        ioc                                                                                 process
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  DisplaySwitch.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  msconfig.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  MusNotifyIcon.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid   process       entries
3140  rundll32.exe  4
3560  (not recorded) 60
The report does not record a process name for PID 3560 in any section, although it is the source of every WriteProcessMemory entry and every privilege-token entry below.
Suspicious use of AdjustPrivilegeToken 8 IoCs
Processes:
description                       pid   process  entries
Token: SeShutdownPrivilege        3560           4
Token: SeCreatePagefilePrivilege  3560           4
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
pid   process  entries
3560           2

Suspicious use of UnmapMainImage 1 IoCs
Processes:
pid   process  entries
3560           1
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
description                          pid   target pid  target process     entries
PID 3560 wrote to memory of 3060     3560  3060        DisplaySwitch.exe  2
PID 3560 wrote to memory of 4612     3560  4612        DisplaySwitch.exe  2
PID 3560 wrote to memory of 4404     3560  4404        msconfig.exe       2
PID 3560 wrote to memory of 2104     3560  2104        msconfig.exe       2
PID 3560 wrote to memory of 4596     3560  4596        MusNotifyIcon.exe  2
PID 3560 wrote to memory of 4452     3560  4452        MusNotifyIcon.exe  2
For each of the three binaries, PID 3560 writes into both the System32 instance and the dropped copy that runs from the user profile.
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
All seven entries sit at depth 1 of the tree (the trailing "1⤵" in the extraction is the tree-depth marker); the report shows no parent for any of them, although the WriteProcessMemory entries above show PID 3560 writing into each one.

C:\Windows\system32\rundll32.exe (PID 3140)
command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\757e0a2c79443f7d9de1d2fa72898839.dll,#1
The DLL is invoked by export ordinal #1 rather than by an export name.
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses

C:\Windows\system32\DisplaySwitch.exe (PID 3060)
command line: C:\Windows\system32\DisplaySwitch.exe

C:\Users\Admin\AppData\Local\dxIZ\DisplaySwitch.exe (PID 4612)
command line: C:\Users\Admin\AppData\Local\dxIZ\DisplaySwitch.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled

C:\Windows\system32\msconfig.exe (PID 4404)
command line: C:\Windows\system32\msconfig.exe

C:\Users\Admin\AppData\Local\bdronWpUY\msconfig.exe (PID 2104)
command line: C:\Users\Admin\AppData\Local\bdronWpUY\msconfig.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled

C:\Windows\system32\MusNotifyIcon.exe (PID 4596)
command line: C:\Windows\system32\MusNotifyIcon.exe

C:\Users\Admin\AppData\Local\4UAW\MusNotifyIcon.exe (PID 4452)
command line: C:\Users\Admin\AppData\Local\4UAW\MusNotifyIcon.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled

Each of the three Windows binaries appears twice: once from System32 and once as a copy in a directory with a random-looking name under AppData\Local, where the copy also loads a dropped DLL from the same directory. That is the pattern a defender checks for DLL search-order hijacking of a legitimate signed binary, and the copies inherit the trusted name while running from a user-writable path.
Network
MITRE ATT&CK Enterprise v15
Downloads
Filenames are not included in this extraction; only sizes and hashes survive. The three 672KB entries match the size of the 672 KiB memory regions flagged dridex_payload in the dropped copies (PIDs 4612, 2104, 4452).

Filesize: 629KB
MD5: c54b1a69a21e03b83ebb0aeb3758b6f7
SHA1: b32ee7e5b813554c4b8e8f96f176570e0f6e8b6c
SHA256: ac3e12011b70144cc84539bbccacdfae35bd4ea3ee61b4a9fca5f082d044d8bf
SHA512: 2680ab501ffe7d40fed28eb207d812880c8a71d71a29d59ba3da27c0bae98c74893e04807d93fba7b5e673c3e13a1ad21bfaab10bdb871d83349ff4e7c614b19

Filesize: 672KB
MD5: 09d9b6e1a939eb3cdaac2a2073965704
SHA1: 89571c16fe41ca88aa7a0555e097cf403e79b84d
SHA256: be2098396ee87049760910c4a90fc67ab76523dec8024e3b112958ba92777ccf
SHA512: 4a2fc0a9169e44122dd5aa1d39aa49e960bb9d7e4b7ff97916244d6b568c3b37fd6f9eeae343900c91abf4ae69c22aa308096d42d6912ffaff34c31a34a0a181

Filesize: 672KB
MD5: 1cb84c7c3c7f531c41509f1dc905cb35
SHA1: 941c8d9ef37a13b94b360dca75168cf7a300c82e
SHA256: 5086650122f86455d17115a7ba37c76a00e251ec668856da81c10b119ac879ca
SHA512: 3399e5588558f729cc6fa2b5e658eb8f4516962d213f2018a0eff107fe8b2b852b3c3a114fb7c47bf19eb3063b17212e10ce468ccbf4c2346693c3abba641bd4

Filesize: 193KB
MD5: 39009536cafe30c6ef2501fe46c9df5e
SHA1: 6ff7b4d30f31186de899665c704a105227704b72
SHA256: 93d2604f7fdf7f014ac5bef63ab177b6107f3cfc26da6cbd9a7ab50c96564a04
SHA512: 95c9a8bc61c79108634f5578825544323e3d980ae97a105a325c58bc0e44b1d500637459969602f08d6d23d346baec6acd07d8351803981000c797190d48f03a

Filesize: 1.8MB
MD5: 1698cf33da2818e0d7dddbfcff3fe40f
SHA1: 163efb7359e1c15ac7f192758fa3dc71c9cfe47b
SHA256: e0c88f993bad878d8f8ac0a154d95369545fda4701b78b73aa3b78cef6f27eaa
SHA512: f9958816c9c532cd22fcdb54864cb25168cc3e9552a888fd056b7154cfb1f678a5e77da620966712bbc4500e14481f962a783ab24ce3c0ea854eea27cd2ecc39

Filesize: 1.8MB
MD5: 5338d4beddf23db817eb5c37500b5735
SHA1: 1b5c56f00b53fca3205ff24770203af46cbc7c54
SHA256: 8b581f1d15a6920e4ecfe172d8ef753d0a2bf1a47e686a8d5d8e01147fa4c65e
SHA512: 173170b83e0048ee05da18c0c957744204954da58a93c532b669d62edb632c4c73d0744c13eb864ecf357ff12831aa46c4f2445dc33b62a4547385b9e0297b0c

Filesize: 672KB
MD5: 3de59507bb4e43d2a144755303ad9c92
SHA1: 5051a1ec6b9fe813df80f59a444cc512d3a0adea
SHA256: 79d91a6e4391e1f046785b67941088f7e5755fe95e4b163d78b50f5e9f6cc4b9
SHA512: b0e0dbfeab7a714c331ef9fa1097063326c4d9b1a34a41f6a6cfefc139cac2486e457562288d189ea4b2ebf2344deab7fb06d2144362f918582fb692e22ed920

Filesize: 1KB
MD5: e74d5585c34afd5e3b8e65260e5f7f76
SHA1: aa186f751cb4df52d9f31bce371324169d1c0c4c
SHA256: 39f688f9377a6e947546b18c6aa6340fa6d4fa2c49044b3264ad96835c192891
SHA512: 47c344e473be214bfe188403ded0014e85575d1ee0406b193945440bf1f09cc2b861b304982dad1bcaf6ae7f68c98fd83937d7a1896cccdfda2c7159a832546b