Analysis

max time kernel: 149s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-02-2024 04:04

Static task: static1
Behavioral task: behavioral1
Sample: 85e07e2192815cfa564f16edf062c8af.dll
Resource: win7-20231215-en

General

Target: 85e07e2192815cfa564f16edf062c8af.dll
Size: 2.2MB
MD5: 85e07e2192815cfa564f16edf062c8af
SHA1: 843a10890c2c0c2df9d3bf43de2334cf020726d9
SHA256: 04952d47ce4e62e8f4c7917d557ae78e8d6944b20d050e33444f5dfae68e784c
SHA512: 45e193918f286b142000ca3a66afbc204262c0d03b88f5e54bf991aa8a5addb15e762a6dfaf9a1ace4ea0ede4a9afdb7297f894d9aa6e2d64f2ae106f21a5396
SSDEEP: 12288:iVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1oeGf:/fP7fWsK5z9A+WGAW+V5SB6Ct4bnbod
Malware Config
Signatures
YARA match in memory dump
Processes:
  resource: behavioral2/memory/3452-4-0x0000000004080000-0x0000000004081000-memory.dmp
  yara_rule: dridex_stager_shellcode
Executes dropped EXE 3 IoCs
Processes:
  pid 660  LicensingUI.exe
  pid 4564 RecoveryDrive.exe
  pid 1364 DisplaySwitch.exe
Loads dropped DLL 3 IoCs
Processes:
  pid 660  LicensingUI.exe
  pid 4564 RecoveryDrive.exe
  pid 1364 DisplaySwitch.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  Set value (str): \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tgnmvdx = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\dvy3\\RECOVE~1.EXE" (process not recorded)
Checks whether UAC is enabled 4 IoCs
Processes:
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (RecoveryDrive.exe)
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (DisplaySwitch.exe)
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (rundll32.exe)
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (LicensingUI.exe)
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
  pid 2136 rundll32.exe (4 IoCs)
  pid 3452, no process name recorded (remaining 60 IoCs)
Suspicious use of AdjustPrivilegeToken 8 IoCs
Processes:
  pid 3452, no process name recorded:
    Token: SeShutdownPrivilege
    Token: SeCreatePagefilePrivilege
    Token: SeShutdownPrivilege
    Token: SeCreatePagefilePrivilege
    Token: SeShutdownPrivilege
    Token: SeCreatePagefilePrivilege
    Token: SeShutdownPrivilege
    Token: SeCreatePagefilePrivilege
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
  pid 3452, no process name recorded (2 IoCs)
Suspicious use of UnmapMainImage 1 IoCs
Processes:
  pid 3452, no process name recorded (1 IoC)
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
  PID 3452 wrote to memory of 536, target process LicensingUI.exe (listed twice)
  PID 3452 wrote to memory of 660, target process LicensingUI.exe (listed twice)
  PID 3452 wrote to memory of 3176, target process RecoveryDrive.exe (listed twice)
  PID 3452 wrote to memory of 4564, target process RecoveryDrive.exe (listed twice)
  PID 3452 wrote to memory of 3552, target process DisplaySwitch.exe (listed twice)
  PID 3452 wrote to memory of 1364, target process DisplaySwitch.exe (listed twice)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\85e07e2192815cfa564f16edf062c8af.dll,#1
  PID: 2136
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\LicensingUI.exe
  Command line: C:\Windows\system32\LicensingUI.exe
  PID: 536
- C:\Users\Admin\AppData\Local\FKI5\LicensingUI.exe
  Command line: C:\Users\Admin\AppData\Local\FKI5\LicensingUI.exe
  PID: 660
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\DisplaySwitch.exe
  Command line: C:\Windows\system32\DisplaySwitch.exe
  PID: 3552
- C:\Users\Admin\AppData\Local\H0m8IOS\DisplaySwitch.exe
  Command line: C:\Users\Admin\AppData\Local\H0m8IOS\DisplaySwitch.exe
  PID: 1364
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Users\Admin\AppData\Local\JPial\RecoveryDrive.exe
  Command line: C:\Users\Admin\AppData\Local\JPial\RecoveryDrive.exe
  PID: 4564
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\RecoveryDrive.exe
  Command line: C:\Windows\system32\RecoveryDrive.exe
  PID: 3176
Network
MITRE ATT&CK Enterprise v15
Downloads