Analysis
- max time kernel: 149s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30-01-2024 08:33

Static task: static1
Behavioral task: behavioral1
Sample: 81f8648768d984dad73854085026281b.dll
Resource: win7-20231215-en
General
- Target: 81f8648768d984dad73854085026281b.dll
- Size: 1.7MB
- MD5: 81f8648768d984dad73854085026281b
- SHA1: 46693723c9775aa609b2a4fdb53bb7d383c9adf3
- SHA256: f5a2a17ec58c0e535e888c046a88eb1703fd65111fff76073fa8b540702f5efa
- SHA512: 0372bb40acb5549ddc542b2899358c10bc50d77acea5cc8de2cc808e859f87bcf5979843ede11723e6aee0b227ee6191e2186f4e5ed70e174723a0242f52f914
- SSDEEP: 12288:MVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:5fP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures

YARA match (resource, yara_rule):
- behavioral2/memory/3480-4-0x00000000020E0000-0x00000000020E1000-memory.dmp: dridex_stager_shellcode

Executes dropped EXE 3 IoCs
Processes (pid, process):
- 920 usocoreworker.exe
- 228 rstrui.exe
- 2432 EhStorAuthn.exe

Loads dropped DLL 3 IoCs
Processes (pid, process):
- 920 usocoreworker.exe
- 228 rstrui.exe
- 2432 EhStorAuthn.exe

Adds Run key to start application 2 TTPs 1 IoCs
Processes (description, ioc):
- Set value (str): \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qzenv = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\LmJLI\\rstrui.exe"

Checks whether UAC is enabled
Processes (description, ioc, process):
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (EhStorAuthn.exe)
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (rundll32.exe)
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (usocoreworker.exe)
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (rstrui.exe)

Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (pid, process):
- 3268 rundll32.exe (listed four times)
- 3480 (listed repeatedly for the remaining entries; no process name is recorded for this PID)

Suspicious use of WriteProcessMemory 12 IoCs
Processes (description, pid, target process); each entry appears twice in the report:
- PID 3480 wrote to memory of 1136: 3480 -> usocoreworker.exe
- PID 3480 wrote to memory of 920: 3480 -> usocoreworker.exe
- PID 3480 wrote to memory of 4580: 3480 -> rstrui.exe
- PID 3480 wrote to memory of 228: 3480 -> rstrui.exe
- PID 3480 wrote to memory of 1768: 3480 -> EhStorAuthn.exe
- PID 3480 wrote to memory of 2432: 3480 -> EhStorAuthn.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\81f8648768d984dad73854085026281b.dll,#1
  PID: 3268
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\usocoreworker.exe
  Command line: C:\Windows\system32\usocoreworker.exe
  PID: 1136
- C:\Windows\system32\rstrui.exe
  Command line: C:\Windows\system32\rstrui.exe
  PID: 4580
- C:\Users\Admin\AppData\Local\mSo\EhStorAuthn.exe
  Command line: C:\Users\Admin\AppData\Local\mSo\EhStorAuthn.exe
  PID: 2432
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\EhStorAuthn.exe
  Command line: C:\Windows\system32\EhStorAuthn.exe
  PID: 1768
- C:\Users\Admin\AppData\Local\6d0thiHU9\rstrui.exe
  Command line: C:\Users\Admin\AppData\Local\6d0thiHU9\rstrui.exe
  PID: 228
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Users\Admin\AppData\Local\x1y7nj\usocoreworker.exe
  Command line: C:\Users\Admin\AppData\Local\x1y7nj\usocoreworker.exe
  PID: 920
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
Network
MITRE ATT&CK Enterprise v15
Downloads