Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30-01-2024 23:29
- Static task: static1
- Behavioral task: behavioral1
- Sample: 82db4107f6e131cd91a70e918dc4bfb2.dll
- Resource: win7-20231129-en
General
- Target: 82db4107f6e131cd91a70e918dc4bfb2.dll
- Size: 3.1MB
- MD5: 82db4107f6e131cd91a70e918dc4bfb2
- SHA1: 113d6fe86befdae836743292ba115bbfd63edbd7
- SHA256: 297b30d04329d60ca335b82dd1d813b21d884fe642e602b61a9314501ad69782
- SHA512: 92c92584210b0c0bf9b6d1798a0db0b21901763ef07f93bf176a607ae6448be6e2e82ecc909df5aa65f3a02899cf80c75357d08e544e85438e11a1430c14c6a7
- SSDEEP: 12288:FVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1I1:cfP7fWsK5z9A+WGAW+V5SB6Ct4bnbI1
Malware Config
Signatures
Processes:
- resource: behavioral2/memory/3392-4-0x0000000000BA0000-0x0000000000BA1000-memory.dmp, yara_rule: dridex_stager_shellcode
Executes dropped EXE 3 IoCs
Processes:
- PID 1008: msinfo32.exe
- PID 1484: MusNotificationUx.exe
- PID 3068: slui.exe
Loads dropped DLL 3 IoCs
Processes:
- PID 1008: msinfo32.exe
- PID 1484: MusNotificationUx.exe
- PID 3068: slui.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
- Set value (str): \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Loeeeopgcaia = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\AddIns\\VO9Pe2\\MusNotificationUx.exe"
Checks whether UAC is enabled
Processes:
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (rundll32.exe)
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (msinfo32.exe)
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (MusNotificationUx.exe)
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (slui.exe)
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
- PID 636 rundll32.exe (4 entries)
- PID 3392 (60 entries, no process name given in the table)
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
- PID 3392 wrote to memory of 4312 (target process msinfo32.exe), 2 entries
- PID 3392 wrote to memory of 1008 (target process msinfo32.exe), 2 entries
- PID 3392 wrote to memory of 4764 (target process MusNotificationUx.exe), 2 entries
- PID 3392 wrote to memory of 1484 (target process MusNotificationUx.exe), 2 entries
- PID 3392 wrote to memory of 4376 (target process slui.exe), 2 entries
- PID 3392 wrote to memory of 3068 (target process slui.exe), 2 entries
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\82db4107f6e131cd91a70e918dc4bfb2.dll,#1
  PID: 636
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\msinfo32.exe
  Command line: C:\Windows\system32\msinfo32.exe
  PID: 4312
- C:\Users\Admin\AppData\Local\ETb9oF\msinfo32.exe
  Command line: C:\Users\Admin\AppData\Local\ETb9oF\msinfo32.exe
  PID: 1008
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\MusNotificationUx.exe
  Command line: C:\Windows\system32\MusNotificationUx.exe
  PID: 4764
- C:\Users\Admin\AppData\Local\LSxc\MusNotificationUx.exe
  Command line: C:\Users\Admin\AppData\Local\LSxc\MusNotificationUx.exe
  PID: 1484
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\slui.exe
  Command line: C:\Windows\system32\slui.exe
  PID: 4376
- C:\Users\Admin\AppData\Local\3n0LOro\slui.exe
  Command line: C:\Users\Admin\AppData\Local\3n0LOro\slui.exe
  PID: 3068
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
Network
MITRE ATT&CK Enterprise v15
Downloads