Analysis
max time kernel: 152s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-01-2024 05:17
Static task: static1
Behavioral task: behavioral1
Sample: 767b661339f842a24584de1cfd7ff58a.dll
Resource: win7-20231215-en
General
Target: 767b661339f842a24584de1cfd7ff58a.dll
Size: 2.0MB
MD5: 767b661339f842a24584de1cfd7ff58a
SHA1: e01e2af3f556dab1835683abc02c7e6f4886568e
SHA256: 12f891dd73ef13029a6cb2422c35d390835c149c627ec7f52a985633b4ec14d4
SHA512: ac3f08cd8a55c437a73d79529ff0e3133a7c30d666dc11ef200a5096435ffa15a6c3030f41b1de623e7cb080508d2e89b25539230e886abbd6c2c7ed58861b9c
SSDEEP: 12288:bVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:6fP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
Processes (resource, yara_rule):
- behavioral2/memory/3464-4-0x0000000002D40000-0x0000000002D41000-memory.dmp: dridex_stager_shellcode
Executes dropped EXE (3 IoCs)
Processes (pid, process):
- 3864 MoUsoCoreWorker.exe
- 3900 RecoveryDrive.exe
- 2320 perfmon.exe
Loads dropped DLL (3 IoCs)
Processes (pid, process):
- 3864 MoUsoCoreWorker.exe
- 3900 RecoveryDrive.exe
- 2320 perfmon.exe
Adds Run key to start application (2 TTPs, 1 IoC)
Processes (description, ioc):
- Set value (str): \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Loeeeopgcaia = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\ICxF9fmWOMp\\RecoveryDrive.exe"
Checks whether UAC is enabled
Processes (description, ioc, process):
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (rundll32.exe)
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (MoUsoCoreWorker.exe)
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (RecoveryDrive.exe)
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (perfmon.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (pid, process):
- 4740 rundll32.exe (6 entries)
- 3464 (remaining entries; no image name recorded for this PID)
Suspicious use of UnmapMainImage (1 IoC)
Processes (pid, process):
- 3464 (no image name recorded)
Suspicious use of WriteProcessMemory (12 IoCs)
Processes (description, pid, target process):
- PID 3464 wrote to memory of 3336: MoUsoCoreWorker.exe
- PID 3464 wrote to memory of 3336: MoUsoCoreWorker.exe
- PID 3464 wrote to memory of 3864: MoUsoCoreWorker.exe
- PID 3464 wrote to memory of 3864: MoUsoCoreWorker.exe
- PID 3464 wrote to memory of 4520: RecoveryDrive.exe
- PID 3464 wrote to memory of 4520: RecoveryDrive.exe
- PID 3464 wrote to memory of 3900: RecoveryDrive.exe
- PID 3464 wrote to memory of 3900: RecoveryDrive.exe
- PID 3464 wrote to memory of 3340: perfmon.exe
- PID 3464 wrote to memory of 3340: perfmon.exe
- PID 3464 wrote to memory of 2320: perfmon.exe
- PID 3464 wrote to memory of 2320: perfmon.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\767b661339f842a24584de1cfd7ff58a.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID: 4740
C:\Windows\system32\MoUsoCoreWorker.exe
  Command line: C:\Windows\system32\MoUsoCoreWorker.exe
  PID: 3336
C:\Users\Admin\AppData\Local\hun60\MoUsoCoreWorker.exe
  Command line: C:\Users\Admin\AppData\Local\hun60\MoUsoCoreWorker.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 3864
C:\Windows\system32\RecoveryDrive.exe
  Command line: C:\Windows\system32\RecoveryDrive.exe
  PID: 4520
C:\Users\Admin\AppData\Local\c3hKHAicR\RecoveryDrive.exe
  Command line: C:\Users\Admin\AppData\Local\c3hKHAicR\RecoveryDrive.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 3900
C:\Windows\system32\perfmon.exe
  Command line: C:\Windows\system32\perfmon.exe
  PID: 3340
C:\Users\Admin\AppData\Local\zczKA\perfmon.exe
  Command line: C:\Users\Admin\AppData\Local\zczKA\perfmon.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 2320
Network
MITRE ATT&CK Enterprise v15
Downloads