Analysis

max time kernel: 150s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-01-2024 22:26

Static task: static1
Behavioral task: behavioral1
  Sample: 82b98a019126a5f30050d77d82814f93.dll
  Resource: win7-20231129-en
General

Target: 82b98a019126a5f30050d77d82814f93.dll
Size: 3.5MB
MD5: 82b98a019126a5f30050d77d82814f93
SHA1: 903191e96053b8e6ac7ba8cbea36462ca8cf27c0
SHA256: 9463a439b0c76f66e03535405b713b906c9bce1453dfdc13a0ce3579c7059e41
SHA512: aa8c585df62b333496bae2c05db6dbb026df46f2dc0a535a6a743479c8f7b6d2c7c4146e21430d955f9d60f4742e5c808267e535059d9470ba921c758b88d90e
SSDEEP: 12288:ZVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:YfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config

Signatures

YARA match: dridex_stager_shellcode
  resource                                                                      yara_rule
  behavioral2/memory/3440-4-0x0000000002850000-0x0000000002851000-memory.dmp     dridex_stager_shellcode

Executes dropped EXE (3 IoCs)
  pid    process
  1232   recdisc.exe
  4812   Magnify.exe
  2888   printfilterpipelinesvc.exe

Loads dropped DLL (6 IoCs)
  pid    process
  1232   recdisc.exe
  4812   Magnify.exe
  4812   Magnify.exe
  2888   printfilterpipelinesvc.exe
  2888   printfilterpipelinesvc.exe
  2888   printfilterpipelinesvc.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  description       ioc
  Set value (str)   \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ddiqrdu = "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\B6NiKt4I3cg\Magnify.exe"
  (The report leaves the process column empty for this entry. Note that the Run value points at a Magnify.exe copy under SendTo\B6NiKt4I3cg, a different directory from the YJxUai copy that actually executed during the run.)

Checks whether UAC is enabled (4 IoCs)
  description         ioc                                                                                    process
  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   recdisc.exe
  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   Magnify.exe
  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   printfilterpipelinesvc.exe
  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   rundll32.exe
  (Heading restored from the matching tags in the process tree below.)

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid    process
  1960   rundll32.exe   (4 entries)
  3440   (process name not recorded in the report; 60 entries)

Suspicious use of WriteProcessMemory (12 IoCs)
  description                         pid    target process
  PID 3440 wrote to memory of 4152    3440   recdisc.exe                  (2 entries)
  PID 3440 wrote to memory of 1232    3440   recdisc.exe                  (2 entries)
  PID 3440 wrote to memory of 5104    3440   Magnify.exe                  (2 entries)
  PID 3440 wrote to memory of 4812    3440   Magnify.exe                  (2 entries)
  PID 3440 wrote to memory of 3012    3440   printfilterpipelinesvc.exe   (2 entries)
  PID 3440 wrote to memory of 2888    3440   printfilterpipelinesvc.exe   (2 entries)
  (The source process column is empty in the report; PID 3440 is the same unnamed process that holds the dridex_stager_shellcode memory region above.)

Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

All six entries below sit at the same depth in the tree: none is a child of rundll32.exe, and PID 3440, which wrote into each of them, does not appear as a named process.

C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\82b98a019126a5f30050d77d82814f93.dll,#1
  PID: 1960
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses

C:\Windows\system32\recdisc.exe
  command line: C:\Windows\system32\recdisc.exe
  PID: 4152

C:\Users\Admin\AppData\Local\dumg9s1h\recdisc.exe
  command line: C:\Users\Admin\AppData\Local\dumg9s1h\recdisc.exe
  PID: 1232
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled

C:\Windows\system32\Magnify.exe
  command line: C:\Windows\system32\Magnify.exe
  PID: 5104

C:\Users\Admin\AppData\Local\YJxUai\Magnify.exe
  command line: C:\Users\Admin\AppData\Local\YJxUai\Magnify.exe
  PID: 4812
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled

C:\Windows\system32\printfilterpipelinesvc.exe
  command line: C:\Windows\system32\printfilterpipelinesvc.exe
  PID: 3012

C:\Users\Admin\AppData\Local\3e7S5ve\printfilterpipelinesvc.exe
  command line: C:\Users\Admin\AppData\Local\3e7S5ve\printfilterpipelinesvc.exe
  PID: 2888
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
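The report's behaviour reduces to a small set of hunt conditions: a System32 binary name (recdisc.exe, Magnify.exe, printfilterpipelinesvc.exe) executing from a random directory under AppData, a Windows DLL name (XmlLite.dll) written next to such a copy, a Run value pointing into a user-writable path, and rundll32 invoking a DLL from Temp by ordinal. The script below is an added example, not code from the report or from the sample: it encodes those conditions as rules and runs them over a constructed event list built from the paths and registry values on this page. The event schema (an `eid` field mirroring Sysmon event IDs 1, 11 and 13 plus `image`, `cmdline`, `target`, `details`), the `EVENTS` list, the rule names and the `SYSTEM_BINARIES` / `SYSTEM_DLLS` sets are all assumptions for illustration; in production the binary list would come from a clean reference image and the events from real Sysmon records.

```python
"""Hunt rules for the behaviour in this report, run over constructed
Sysmon-style events. Added example; not code from the report or the sample.

Assumption: each event is a dict with 'eid' (1 = process create,
11 = file create, 13 = registry value set, mirroring Sysmon event IDs)
plus 'image', 'cmdline', 'target' and 'details' fields as needed.
"""
import ntpath
import re

# System32 binaries this sample copies next to a malicious DLL (assumed list;
# in production build it from a clean reference image).
SYSTEM_BINARIES = {"recdisc.exe", "magnify.exe", "printfilterpipelinesvc.exe"}
# Windows DLL names that should only ever load from System32/SysWOW64 (assumed list).
SYSTEM_DLLS = {"xmllite.dll"}
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                "c:\\program files\\", "c:\\program files (x86)\\")
USER_WRITABLE = ("\\appdata\\local\\", "\\appdata\\roaming\\",
                 "\\users\\public\\", "\\programdata\\")
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)
ORDINAL_RE = re.compile(r"\.dll\s*,\s*#\d+", re.I)  # "foo.dll,#1" style rundll32 export

# Constructed from this report's process tree, Run key and dropped-file list.
EVENTS = [
    {"eid": 1, "pid": 1960, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\82b98a019126a5f30050d77d82814f93.dll,#1"},
    {"eid": 1, "pid": 4152, "image": r"C:\Windows\system32\recdisc.exe"},
    {"eid": 11, "target": r"C:\Users\Admin\AppData\Local\dumg9s1h\recdisc.exe"},
    {"eid": 1, "pid": 1232, "image": r"C:\Users\Admin\AppData\Local\dumg9s1h\recdisc.exe"},
    {"eid": 11, "target": r"C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\7NrnvntQdBQ\XmlLite.dll"},
    {"eid": 13, "target": r"\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ddiqrdu",
     "details": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\B6NiKt4I3cg\Magnify.exe"},
]


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def in_trusted_dir(path: str) -> bool:
    return path.lower().startswith(TRUSTED_DIRS)


def in_user_writable_dir(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def rule_masquerading_binary(ev):
    """EID 1: a System32 binary name running from outside the trusted directories."""
    if ev["eid"] != 1:
        return None
    if basename(ev["image"]) in SYSTEM_BINARIES and not in_trusted_dir(ev["image"]):
        return ("masquerading_system_binary", ev["image"])
    return None


def rule_system_file_drop(ev):
    """EID 11: a System32 EXE/DLL name written under a user-writable path."""
    if ev["eid"] != 11:
        return None
    if basename(ev["target"]) in SYSTEM_BINARIES | SYSTEM_DLLS and in_user_writable_dir(ev["target"]):
        return ("system_file_dropped_user_writable", ev["target"])
    return None


def rule_run_key(ev):
    """EID 13: Run value whose target lives in a user-writable directory."""
    if ev["eid"] != 13:
        return None
    if RUN_KEY_RE.search(ev["target"]) and in_user_writable_dir(ev.get("details", "")):
        return ("run_key_user_writable_target", ev["details"])
    return None


def rule_rundll32_ordinal(ev):
    """EID 1: rundll32 loading a DLL from a user-writable path by export ordinal."""
    if ev["eid"] != 1 or basename(ev["image"]) != "rundll32.exe":
        return None
    cmd = ev.get("cmdline", "")
    if ORDINAL_RE.search(cmd) and in_user_writable_dir(cmd):
        return ("rundll32_user_dll_by_ordinal", cmd)
    return None


RULES = (rule_masquerading_binary, rule_system_file_drop, rule_run_key, rule_rundll32_ordinal)


def triage(events):
    """Return (rule_name, ioc) for every rule that fires on every event, in order."""
    return [hit for ev in events for rule in RULES if (hit := rule(ev))]


if __name__ == "__main__":
    for rule_name, ioc in triage(EVENTS):
        print(f"{rule_name:36} {ioc}")
```

The legitimate C:\Windows\system32\recdisc.exe launch produces no finding, which is the point of keying on path rather than on process name alone; the same names appear in every run of a clean machine, so only the copies under AppData and the DLL placed beside them are worth an alert.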
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 80KB
MD5: 2f67b49be077de9206e0d3281231c0b0
SHA1: a4e6ce15536e6e1d014c5a3406ebd7b41e297f05
SHA256: 84594403fdd80a7fcf9f2230733312b9361becadc4ad75bdd60a8b2811d7eacb
SHA512: ef56025433045ae9d67b049a18bc903d5c9852a61094a256bebad59a451f6da2aec82364f7b9c6f1b8fe1f5f1321866b61da2c6316b2b7ca10390ca0bd6ed5f4

Filesize: 98KB
MD5: 15b0ec01e7112858406b45bc4508dc80
SHA1: 8fddb90a029fd103b45ab96f4524f197141e7223
SHA256: 70b9133761ae929289c0425acf39ae3b1cb1be2034e366303d1900f712e3b78b
SHA512: 96387346aeb9c559da45abcc2a59ae294d38e5904ffe12d0c07323bf4f685d06d2225d77bce53f6491e142da2038296bc9d1a75d8098397e9f3c49c2a52ac705

Filesize: 225KB
MD5: 97e5d336c66a40a95cabe8d11d7934f6
SHA1: 00da531f5d97dba5ab01417cb2c987966f85c89b
SHA256: 381018d15fcfd415812615b1511916d52315359bbf54c2513f15e26dde284261
SHA512: be27f590f7e7ddcec05ebb515bbf7407c15b315181b87de6883bd7e7f360bf5a427e4aec9b2eaf8da0154d644d2ec9ca25593bb6eef7bb56dc8b87e1444fdff4

Filesize: 129KB
MD5: 2528a332d5b018a416ebcfe4a8d4ac7a
SHA1: e20ca9b86da2d8e082d780ba9d6155b5df2ccdb7
SHA256: 21d24fdd050057028802ba280b2445bfe455785bf498d131d132fb600f6dcb40
SHA512: 046d5c2e996977ef3c49ee11fcf128f503b54e0fa7b43aee09c8e71fab151febdb02f46d3d35766d4fb80b381a3e5ac3cce1d4f62ea8244cd8694b77f49b792d

Filesize: 167KB
MD5: 312661a7a84e4ffb65ba9ba78d5a0c66
SHA1: d08d209c2ecb0abf44d4f7d91a8fa80770c0ea68
SHA256: 18cb096c0617af0ee4a4a8338abc11c130b18d541622cae66bd74ed8a13d9d23
SHA512: cbecd8e4712d174e029c859dc942ddcb09e697db2064b9a71e2727aa004cde7e873807395f0f7d780eb5ac0c49eb5e6ba33ed638b9e06f6586742f9b894212ed

Filesize: 126KB
MD5: b2a7dc13ac88ca37015d28aa5dd8b5cc
SHA1: 145c4d0c8fb9b5616a0dd618d51fe58bd9b89c5f
SHA256: 5d3deaef291851ea58d24dbe693982c93540daa66f2e61b6d7712d4ecf50b362
SHA512: 1f466f4d0baf1b9cdd7cd1664909389474aeac11260645e67e208d005762e00726da101e764b650edd270285beeffadd1417beed5b49532d6b28dbe5b135d840

Filesize: 105KB
MD5: deb1c965788b8d51905637c6b9b12ebd
SHA1: 82af1c3eecf4f3d1c5a454839ff7f30cb04204b8
SHA256: 2d23f281f0815d9d42786ab3f5475330f74cf8c3b5abe7760ab4367f369bd6d3
SHA512: 95af508738a46b88a2750afdf49a1389b7e5ec73f4a70d88376d7fb08e169c51a0822003fac048cd9153b47484fa636e24f778b46f5dff422908dda719f139ed

Filesize: 44KB
MD5: eee85e2706d0c28bf678caa3a819581a
SHA1: eba01b433fcd6a3bbbf5478af195efc8616f4ba4
SHA256: 05e4a557572e181c926d8e8346bdf5f5fe11335907445c65948e5deb983fa577
SHA512: a3a88f51c632ee7ab64f53bb3b191da772a850b7e64469a678fe1f48bce4b593be0005489c7de619648609deb17774f0dbad22fdbedec519de89ff6c9ffbd54b

Filesize: 92KB
MD5: 238491598e30e0e05afc18e216f9104d
SHA1: 3b48144b145cc0309efdaa190ea5e9736524fc8b
SHA256: 8197a292eaa6639b88366fbe5dd2e05aaf389f1afc7031d06b6ad00e50c773aa
SHA512: 42767d2cd712b3718310b5d84c929ee5e9b19ca74911371bc5fb1e83c7e9b1af0f69fc23f954d463dc24fb0886b3637bf41ae10ad89563aa98eed8b369f74f8e

Filesize: 53KB
MD5: 472d16df6c93c35aa6d4d01680987b08
SHA1: 3474903bb8f48a895da704d1a706322747c969c8
SHA256: 89d2f715cb926c9b9db5b65374a325ea2df01404af3a3e88c84f667a4c16acfa
SHA512: 9b5242dfe8d70482aae01277f99b1eddb110d38c040f1e8319f0e9455d61df723f57bd96ad3d7247efc21fc917a3f6b7a737e7b12e72a3c392bd46de4afc11b9

Filesize: 69KB
MD5: 2e09da7e42797a019887261ede6b438d
SHA1: 251fb0a23528d1a41485543b3cda3b5ccab2ce0a
SHA256: 651569c7469a0140286b2e32bb9b57d63b171c147efaaa15f38ff9a881c01d05
SHA512: 98dc51d602c78a9d6c68b9782ff4ceb6671034e46e855abad4facd353044c0aef84580e2a10cef4c33233bc2a79d857d5e2052647125fb5b04805d5e4f0bcdea

Filesize: 48KB
MD5: 2439cf0a43a430357c184fe161b91233
SHA1: 71c25e7c809d003bd4ea1ce66fbf4f60c2b97146
SHA256: 4174d734ed3ac9cdd63b26741317df5b32cea2dfe52ff370f6070e189f8fb478
SHA512: 36d9ee9daadfa362406a1d7b54d6becc38e68bfeeff3235687617c12e942ed0502df65b148af00b5687753b16dc962273d95937891f014c6a3885b0c9a997fd1

Filesize: 95KB
MD5: 9e03bb817133a629095b722891d1382c
SHA1: aa486a54795b1c7dc718fb5ed85d878920afdbfb
SHA256: c81987311af44f0bc3d460ff76fc9e907dbec10af4d03d14d3ed15a98d26c99b
SHA512: 87f65e9d9ef2c47f075df85a778e4556d1219052bde5885567d8a8bd2ae6d2b18444f20105953765ab4201bd65ecb006d9166b10e5b4d6c031af68acb0ed83bc

Filesize: 193KB
MD5: 18afee6824c84bf5115bada75ff0a3e7
SHA1: d10f287a7176f57b3b2b315a5310d25b449795aa
SHA256: 0787b37cf197595b8149ffe3784f9c59eacde3616011f185513ff5c075a5ac4e
SHA512: 517356165b401dbebf15437d3b17746aef5a6a4cc62a0afe45966abc92b4cf377eee4514a36ee28b1e88e55a22a2f8a6c997df45971e7f354b66ac7d9e141845

Filesize: 65KB
MD5: f461ff54eb3ba45b7b7a0d5d65398fd0
SHA1: 017653bdca6b48f76f5adfc7496408dc18e9de67
SHA256: 22c017dd7b992c6c64d7110935507563341334787b383f08aeeec1af51698228
SHA512: cde6689565085fc76267c05b2808f111e33f2d06c1a22e7b5bfb9501b9cf65c030834b4235ce1c39f1204467d0ff8ff3c5f13fdb07b048edd61b06815bef1b3f

Filesize: 1KB
MD5: 02f2ac4ba174c36e5207ccb0d2835d0b
SHA1: 8590f7447b84754a10bd1316d98aa58c1b5c33a9
SHA256: 7c1cecc18aad4b30117e06a7ed126bf4455395363cfffc09e2bf9aa8fc969ea1
SHA512: 33806b0f719e49130049091bfb161afdde98cf6080cc78371c3d09a53b16dffcae8eb6ce3f2575648435063cc5c34924edc600ab870b0510f59bf9445987a21c

C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\7NrnvntQdBQ\XmlLite.dll
Filesize: 88KB
MD5: 26e7b2591db586bc497bb7b2b75714c0
SHA1: e47e4a72f99991dad99d48e88c8e35f92d744764
SHA256: 18bd7ca051de5d28aeb11dc0669d5bfd56f5eea45dc338aa00d05a5b5ff3d352
SHA512: bcf5f62409af904c6a09f3c134f8c879507f74f15b035f453690af7e2ebc44f27d57e4844d40a232291d391a3511849d2044e58d26fee2fbd4e99616bb288866

Filesize: 115KB
MD5: a42b4d81aff86fbfb69b9cbd3299546d
SHA1: 4d227c3d71e1606fb1b6330a196d4128f1b668be
SHA256: d75264272b61ac364b71c8ce020e95bf270117cae9eee496746cb5896f8a39da
SHA512: b27f3b3c0f49b10c9b7fb6f8d51e0abeefac4ab24f05a336a4d85294ffc1d27c2807a2f4a1fa5bc563d4da1f796e08f9d769fdd0c58f598f07efb409b17257ac

Filesize: 22KB
MD5: a07cfdfc907ba3b00df4745718687f53
SHA1: dde00128b69da5f1178e55bf2f54f4c53b5b811c
SHA256: d2539bba3d06d664d00d29cc453a9edbdd43a0ae5611d6f7405cd46b3dcb34b9
SHA512: 5823812905caa1c670f41a9a76b4e9e3151dbc3e05317a3840c22371663691fdcd6f51bd157cdea085da933ccc831fc3cd4b5e2fb23feb0410459b7801d6337b