Analysis
-
max time kernel
151s
-
max time network
148s
-
platform
windows10-2004_x64
-
resource
win10v2004-20231215-en
-
resource tags
arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
-
submitted
31-01-2024 04:39
Static task
static1
Behavioral task
behavioral1
Sample
837792f925aca842eba981ebc7aff9a1.dll
Resource
win7-20231215-en
General
-
Target
837792f925aca842eba981ebc7aff9a1.dll
-
Size
2.2MB
-
MD5
837792f925aca842eba981ebc7aff9a1
-
SHA1
527e5a2d67f6422ae44a5276ae6cf67f7e597823
-
SHA256
3806ec3c6ae591fb47c6b48f5dbfaf45d7500d6efb12c07311ecdc5e9c9d514d
-
SHA512
a4b0865d290225b514fd4b711ae83d5f659b19edf1fd2409920054ef706eb580e2d2a816ba34ceaa5778d1c43bce7149575b736e8828de9c942906800512c90f
-
SSDEEP
12288:eVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:DfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
-
Processes:
resource | yara_rule
behavioral2/memory/3480-4-0x0000000001350000-0x0000000001351000-memory.dmp | dridex_stager_shellcode
-
Executes dropped EXE 3 IoCs
Processes:
pid | process
4832 | quickassist.exe
4408 | MusNotificationUx.exe
1008 | isoburn.exe
-
Loads dropped DLL 3 IoCs
Processes:
pid | process
4832 | quickassist.exe
4408 | MusNotificationUx.exe
1008 | isoburn.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gdfgjdhwrlpouj = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\ADMINI~1\\H9db\\MUSNOT~1.EXE" |
-
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | quickassist.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | MusNotificationUx.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | isoburn.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process
3904 | regsvr32.exe
3904 | regsvr32.exe
3904 | regsvr32.exe
3904 | regsvr32.exe
3480 | (no process name recorded; this entry is repeated for the remaining 60 of the 64 IoCs)
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
description | pid | process | target process
PID 3480 wrote to memory of 656 | 3480 | | quickassist.exe
PID 3480 wrote to memory of 656 | 3480 | | quickassist.exe
PID 3480 wrote to memory of 4832 | 3480 | | quickassist.exe
PID 3480 wrote to memory of 4832 | 3480 | | quickassist.exe
PID 3480 wrote to memory of 4224 | 3480 | | MusNotificationUx.exe
PID 3480 wrote to memory of 4224 | 3480 | | MusNotificationUx.exe
PID 3480 wrote to memory of 4408 | 3480 | | MusNotificationUx.exe
PID 3480 wrote to memory of 4408 | 3480 | | MusNotificationUx.exe
PID 3480 wrote to memory of 2316 | 3480 | | isoburn.exe
PID 3480 wrote to memory of 2316 | 3480 | | isoburn.exe
PID 3480 wrote to memory of 1008 | 3480 | | isoburn.exe
PID 3480 wrote to memory of 1008 | 3480 | | isoburn.exe
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\regsvr32.exe
Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\837792f925aca842eba981ebc7aff9a1.dll
- Suspicious behavior: EnumeratesProcesses
PID:3904
-
C:\Windows\system32\quickassist.exe
Command line: C:\Windows\system32\quickassist.exe
PID:656
-
C:\Users\Admin\AppData\Local\4cnzpoY\quickassist.exe
Command line: C:\Users\Admin\AppData\Local\4cnzpoY\quickassist.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4832
-
C:\Windows\system32\MusNotificationUx.exe
Command line: C:\Windows\system32\MusNotificationUx.exe
PID:4224
-
C:\Users\Admin\AppData\Local\3J8wl4c\MusNotificationUx.exe
Command line: C:\Users\Admin\AppData\Local\3J8wl4c\MusNotificationUx.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4408
-
C:\Windows\system32\isoburn.exe
Command line: C:\Windows\system32\isoburn.exe
PID:2316
-
C:\Users\Admin\AppData\Local\3ZobJ\isoburn.exe
Command line: C:\Users\Admin\AppData\Local\3ZobJ\isoburn.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1008
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
615KB
MD5
869a214114a81712199f3de5d69d9aad
SHA1
be973e4188eff0d53fdf0e9360106e8ad946d89f
SHA256
405c2df9a36d7cfb5c8382c96f04792eb88c11a6cfa36b1d2ec3e0bec8d17361
SHA512
befcdeb8de6e68b9ee0bacd4cbc80f7393a0213d4039b239c98585e0cd5db1755c75559a62372374cbfb7132b6a7973ea9e6a31952e0e0ba007079c56e6d9012
-
Filesize
2.2MB
MD5
dd3443ca746d2de4ad3fb6c39214650b
SHA1
b09b644b86a0ab18eaaaf942fdcb8b3f159baac5
SHA256
98cfdffaf902883364b3a625be4506ff6256507583b02fba5fc03071b775f517
SHA512
6830ea76c35d5ccacc7de010244be71c8c76cea870ddb15990b036d9fb1b980d5ab719e331e2512faeacdde30868b4e44f88c47b4c6ecadc3a38f98b4c618c4e
-
Filesize
2.2MB
MD5
eb00165aadcb47d6bee4a5d9dc587744
SHA1
3691011d5cb6bddc6f9a7f4d2e274b30fcb829ad
SHA256
86f8d6993e9a48698cd8cc161b443172a2ed10aef2608b0f1ccdf53f2c18f544
SHA512
c3699499943108e72e10f021b289c2d20d411c88f7ddfad4d01a2d85f8cc507c2cc914d1e28a761174cb0b34c57bbf958f2e1438c2c55d1d20732cdcf19194bc
-
Filesize
119KB
MD5
68078583d028a4873399ae7f25f64bad
SHA1
a3c928fe57856a10aed7fee17670627fe663e6fe
SHA256
9478c095afe212bce91d2de1a3c3647109f2d54e46b9bf70843e839324458567
SHA512
25503a47c53fe83eeb56726b5a5eec5cb01bc783e866306f92242a7a8cbafa20a3209217e0f4561febfec78d2f64f1725727a6b2d3ee6da512618984d0bb0bc1
-
Filesize
2.2MB
MD5
ed5bf30ce05e3cff7854bf9ffaca08f5
SHA1
f5daaa1b33a039c224500c083bf8146eba59e97d
SHA256
d42eb85ce48c35c3da642ea90ca87df59c7986ce45c09c475303af8d9ed0a11f
SHA512
ff75b84b15328b5f5eb693c3fb0e75d673096701584aeb024f7302d2c02c675a97259911d92c5f0b3a0d2b0a16a14fb2c65261928402e41b0ebbe8502716f05c
-
Filesize
665KB
MD5
d1216f9b9a64fd943539cc2b0ddfa439
SHA1
6fad9aeb7780bdfd88a9a5a73b35b3e843605e6c
SHA256
c1e8fda00da574e8759ba262d76b6edc1d5f4a80620730ef0be7527e0d803db2
SHA512
c5fd7d81d1d478056fcbed0ba887ce551832f0104e7c31753c3c8760b4d63f38324f74e996684042acc8f9682fce8a8c85172741a868257e87d5e0f988c4e567
-
Filesize
1KB
MD5
f1f71ccfe60d089abd759eb656643c89
SHA1
fb2aeecbf68609fa06fd80c529b72003d7a4a798
SHA256
74005608bb7afc7bbdd14824ea760fd2282855943f740147c3b1263a8332fb9e
SHA512
ee55544874138a3ff3a5b594d2ab3f639b730b87eab4ffa61412ffea2ef5f0a61576b09173eb5fdd4f29f488e45c17cfcbee4a4cc719bd485685dda77c188d4f