Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-01-2024 11:50

Static task: static1
Behavioral task: behavioral1
Sample: 7747f0093a61bd648a9356cf2797bc88.dll
Resource: win7-20231215-en
General
Target: 7747f0093a61bd648a9356cf2797bc88.dll
Size: 1.7MB
MD5: 7747f0093a61bd648a9356cf2797bc88
SHA1: 2d2ad0030c4569e867ceb32bdc0f23a30a1dbcb3
SHA256: 2a93a9d8dcfa728e06e4cde541d13154ee6a07f1439f177e54d31dea176dc681
SHA512: 6e131a6cfa2f256b7d757ba2e52f4fa89f8f3fd80529fe1fdb3324e4ab277d9d3041ce802ee78163e72081ffd1118b7f9a66d8dcda0028743251ddd677f622d5
SSDEEP: 12288:NVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:UfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures

YARA rule match
Processes:
resource: behavioral2/memory/3380-4-0x0000000003600000-0x0000000003601000-memory.dmp
yara_rule: dridex_stager_shellcode
Executes dropped EXE 3 IoCs
Processes:
pid 2788 isoburn.exe
pid 2800 eudcedit.exe
pid 4088 quickassist.exe

Loads dropped DLL 3 IoCs
Processes:
pid 2788 isoburn.exe
pid 2800 eudcedit.exe
pid 4088 quickassist.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
Set value (str): \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Fidpgamyc = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\AccountPictures\\lp5CtG\\eudcedit.exe"
Checks whether UAC is enabled
Processes:
Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA by rundll32.exe
Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA by isoburn.exe
Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA by eudcedit.exe
Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA by quickassist.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid 4868 rundll32.exe (4 events)
pid 3380, process name not recorded (remaining 60 events)
Suspicious use of AdjustPrivilegeToken 24 IoCs
Processes:
Token: SeShutdownPrivilege, pid 3380 (12 events, alternating with the entry below)
Token: SeCreatePagefilePrivilege, pid 3380 (12 events)
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
pid 3380 (2 events)

Suspicious use of UnmapMainImage 1 IoCs
Processes:
pid 3380 (1 event)
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
PID 3380 wrote to memory of 4888 (isoburn.exe), 2 events
PID 3380 wrote to memory of 2788 (isoburn.exe), 2 events
PID 3380 wrote to memory of 1276 (eudcedit.exe), 2 events
PID 3380 wrote to memory of 2800 (eudcedit.exe), 2 events
PID 3380 wrote to memory of 4488 (quickassist.exe), 2 events
PID 3380 wrote to memory of 4088 (quickassist.exe), 2 events
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\7747f0093a61bd648a9356cf2797bc88.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID: 4868

C:\Windows\system32\isoburn.exe
  command line: C:\Windows\system32\isoburn.exe
  PID: 4888

C:\Users\Admin\AppData\Local\fzQ1UvIMV\isoburn.exe
  command line: C:\Users\Admin\AppData\Local\fzQ1UvIMV\isoburn.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 2788

C:\Windows\system32\eudcedit.exe
  command line: C:\Windows\system32\eudcedit.exe
  PID: 1276

C:\Users\Admin\AppData\Local\p7Fxwh3\eudcedit.exe
  command line: C:\Users\Admin\AppData\Local\p7Fxwh3\eudcedit.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 2800

C:\Windows\system32\quickassist.exe
  command line: C:\Windows\system32\quickassist.exe
  PID: 4488

C:\Users\Admin\AppData\Local\KHa\quickassist.exe
  command line: C:\Users\Admin\AppData\Local\KHa\quickassist.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 4088
Network
MITRE ATT&CK Enterprise v15
Downloads