Analysis
max time kernel: 145s
max time network: 143s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-02-2024 23:34
Static task: static1
Behavioral task: behavioral1
Sample: 87f4ff988b3efc9a3e0d996f68db1be0.dll
Resource: win7-20231215-en
General
Target: 87f4ff988b3efc9a3e0d996f68db1be0.dll
Size: 2.0MB
MD5: 87f4ff988b3efc9a3e0d996f68db1be0
SHA1: 89c3b7a72d3dab1fbf000ec432f9e4bdf8169c67
SHA256: a7f598f265286347b55802674110210e08986dad0a49bdd83caf30ee6d6085f0
SHA512: 7487d405c81a5a1fb200ffd92223569f782168a092fb09d318e55ba76faece7a8edfbaf97f727f9bff7c92f695a69f33b78d77e66a989e51071d9641669292c0
SSDEEP: 12288:kVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1dP4bL:BfP7fWsK5z9A+WGAW+V5SB6Ct4bnbc
Malware Config
Signatures
Processes:
  resource                                                                      yara_rule
  behavioral2/memory/3512-4-0x00000000021C0000-0x00000000021C1000-memory.dmp   dridex_stager_shellcode
Executes dropped EXE 3 IoCs
Processes: recdisc.exe, sigverif.exe, RecoveryDrive.exe
  pid   process
  3916  recdisc.exe
  2232  sigverif.exe
  1756  RecoveryDrive.exe
Loads dropped DLL 3 IoCs
Processes: recdisc.exe, sigverif.exe, RecoveryDrive.exe
  pid   process
  3916  recdisc.exe
  2232  sigverif.exe
  1756  RecoveryDrive.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gdfgjdhwrlpouj = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\jpAhVM\\sigverif.exe"
  process: (not recorded in the report)
Checks whether UAC is enabled
Processes: rundll32.exe, recdisc.exe, sigverif.exe, RecoveryDrive.exe
  description        ioc                                                                                process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  recdisc.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  sigverif.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  RecoveryDrive.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: rundll32.exe
  pid   process
  4528  rundll32.exe        (4 IoCs)
  3512  (name not recorded) (remaining 60 IoCs)
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
  description                       pid   process         target process
  PID 3512 wrote to memory of 4380  3512  (not recorded)  recdisc.exe
  PID 3512 wrote to memory of 4380  3512  (not recorded)  recdisc.exe
  PID 3512 wrote to memory of 3916  3512  (not recorded)  recdisc.exe
  PID 3512 wrote to memory of 3916  3512  (not recorded)  recdisc.exe
  PID 3512 wrote to memory of 2256  3512  (not recorded)  sigverif.exe
  PID 3512 wrote to memory of 2256  3512  (not recorded)  sigverif.exe
  PID 3512 wrote to memory of 2232  3512  (not recorded)  sigverif.exe
  PID 3512 wrote to memory of 2232  3512  (not recorded)  sigverif.exe
  PID 3512 wrote to memory of 3228  3512  (not recorded)  RecoveryDrive.exe
  PID 3512 wrote to memory of 3228  3512  (not recorded)  RecoveryDrive.exe
  PID 3512 wrote to memory of 1756  3512  (not recorded)  RecoveryDrive.exe
  PID 3512 wrote to memory of 1756  3512  (not recorded)  RecoveryDrive.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\87f4ff988b3efc9a3e0d996f68db1be0.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID:4528

C:\Windows\system32\recdisc.exe
  command line: C:\Windows\system32\recdisc.exe
  PID:4380

C:\Users\Admin\AppData\Local\LktVSnhJ\recdisc.exe
  command line: C:\Users\Admin\AppData\Local\LktVSnhJ\recdisc.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID:3916

C:\Windows\system32\sigverif.exe
  command line: C:\Windows\system32\sigverif.exe
  PID:2256

C:\Users\Admin\AppData\Local\xfp\sigverif.exe
  command line: C:\Users\Admin\AppData\Local\xfp\sigverif.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID:2232

C:\Windows\system32\RecoveryDrive.exe
  command line: C:\Windows\system32\RecoveryDrive.exe
  PID:3228

C:\Users\Admin\AppData\Local\GxkBE1a\RecoveryDrive.exe
  command line: C:\Users\Admin\AppData\Local\GxkBE1a\RecoveryDrive.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID:1756
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 911KB
MD5: b9b3dc6f2eb89e41ff27400952602c74
SHA1: 24ae07e0db3ace0809d08bbd039db3a9d533e81b
SHA256: 630518cb2e4636f889d12c98fb2e6be4e579c5eeb86f88695d3f7fff3f5515c4
SHA512: 7906954b881f1051a0c7f098e096bc28eddcc48643b8bf3134dd57b8c18d8beba4f9a0ac5d348de2f9b8ea607c3e9cb0e61d91e4f3ba1fefb02839f928e3e3fe

Filesize: 2.0MB
MD5: a7187e1b01918bdf95ebec459e683e77
SHA1: b8771c819a730929bc9dfc29939c4ed94fc665a5
SHA256: 9c8d0ca9065004ee29451ae723c400bb6de7981d255a1e2b3e25bb9b0da63f11
SHA512: 180c8acdf15cf575e766eaebcb3c96abe524e6282a32a3b6760359383775c2d01bad24357e154ce43953cfe23e91f4dda5534e778e27290ed475f1e2fcaa44a9

Filesize: 2.0MB
MD5: 1fc3dab81aeebf591611ed194b253474
SHA1: acf6e6675e2eae91e1f2a2af5cc072041096e191
SHA256: ff6d0d7c75c5a24c55c1b66d8b2a57bb0e9a02bda73bf25cfcf3de878fec2999
SHA512: 68671b46e86a18928b81617fc6340842a8b955377a2c4878b81ad31278de5a7ea6aafe50a41b5c7f85b602e2675f72d097e3450106e77489cc5ad4a18a941fab

Filesize: 193KB
MD5: 18afee6824c84bf5115bada75ff0a3e7
SHA1: d10f287a7176f57b3b2b315a5310d25b449795aa
SHA256: 0787b37cf197595b8149ffe3784f9c59eacde3616011f185513ff5c075a5ac4e
SHA512: 517356165b401dbebf15437d3b17746aef5a6a4cc62a0afe45966abc92b4cf377eee4514a36ee28b1e88e55a22a2f8a6c997df45971e7f354b66ac7d9e141845

Filesize: 2.0MB
MD5: 7c913b1bdd914f5095423d140cfdb629
SHA1: f5ad9fc8c9ca0c0cc64948a50c7bd211de27c7bf
SHA256: 65fadb8fc3668ab38b06e9023936e1ef21d1dbffb297405f40f28ac0046bcd55
SHA512: 5a0dfce14dabd72d6ec81f1efdf73923421be552d2c44bd12eca2529054b698a45f4c64d19dfa3e0115ae0f24485550bb54139d4f85159d0a00a94a959abc96c

Filesize: 77KB
MD5: 2151a535274b53ba8a728e542cbc07a8
SHA1: a2304c0f2616a7d12298540dce459dd9ccf07443
SHA256: 064de47877b00dc35886e829a697e4adb3d3cfdf294ddba13b6009a0f415b1bd
SHA512: e6fd520ee1bd80a5fe8a7c2ae6446dcaabd4e335a602c36356f85305abef751b7dffa7eaac1ec13c105ccd8c3e9070bd32ed4b14bc8a9e52dc5f47b936d69a9f

Filesize: 1KB
MD5: 7882f51af209ebc104f8a198599e7841
SHA1: 3bc43e7f92aa7aea9f8e5eee81b4d157fbf6b7e5
SHA256: 2a32c2a6814b97c911cf1a48a4719106178bc128edda4f5442035d3e04ed7252
SHA512: e5bb24d8dd73002bdc991a726d2ce3f4b95ecbcc4b69bf0167be9910665549be9c435d21681c7d0cd461de63ca4ba14dd5ec91a3474949f7fba1911e5ef4b820