Analysis
max time kernel: 119s
max time network: 95s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04/08/2024, 21:14
Static task: static1
Behavioral task: behavioral1
  Sample: 05b76b5a9bd812690471e49f77601b60N.dll
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 05b76b5a9bd812690471e49f77601b60N.dll
  Resource: win10v2004-20240802-en
General
Target: 05b76b5a9bd812690471e49f77601b60N.dll
Size: 1.3MB
MD5: 05b76b5a9bd812690471e49f77601b60
SHA1: a937bc2cae7cb618db8c71dccb6ffa84f668577e
SHA256: 2f31806a63ab5c10dae9614dcb8702ecf21f9cc6a91262cc75934dae299b534e
SHA512: 547485b7dc94388f7333988d9086d504c134b79f4e99124e53c5f0f172071abf98af1d7c2f49a7b854de69c2395703d5a763c5390e615de0962b41389bfd1251
SSDEEP: 12288:JZgJtlQepQn+NDo7nIgegQCLDF/B9wvj/cLvVZFuwM+:JZK6F7nVeRmDFJivohZFV
Malware Config
Signatures
YARA rule match (1 IoC)
  resource: behavioral2/memory/3432-4-0x0000000002A70000-0x0000000002A71000-memory.dmp
  yara_rule: dridex_stager_shellcode
Executes dropped EXE (3 IoCs)
  pid   Process
  4448  Utilman.exe
  4732  SystemPropertiesPerformance.exe
  5080  isoburn.exe
Loads dropped DLL (3 IoCs)
  pid   Process
  4448  Utilman.exe
  4732  SystemPropertiesPerformance.exe
  5080  isoburn.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qgfqnr = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\NV3SUJ~1\\SYSTEM~1.EXE"
  Process: Process not Found
Checks whether UAC is enabled (4 IoCs)
  description        ioc                                                                                  Process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  Utilman.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  SystemPropertiesPerformance.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  isoburn.exe
Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process            occurrences (in order reported)
  4492  rundll32.exe       6
  3432  Process not Found  52
  4448  Utilman.exe        2
  3432  Process not Found  4
Suspicious use of UnmapMainImage (1 IoC)
  pid   Process
  3432  Process not Found
Suspicious use of WriteProcessMemory (12 IoCs; each row below is reported twice)
  description                       pid   Process            procid_target
  PID 3432 wrote to memory of 4348  3432  Process not Found  86
  PID 3432 wrote to memory of 4448  3432  Process not Found  87
  PID 3432 wrote to memory of 3916  3432  Process not Found  88
  PID 3432 wrote to memory of 4732  3432  Process not Found  89
  PID 3432 wrote to memory of 1608  3432  Process not Found  90
  PID 3432 wrote to memory of 5080  3432  Process not Found  91
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Windows\system32\rundll32.exe (PID 4492)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\05b76b5a9bd812690471e49f77601b60N.dll,#1
  signatures: Checks whether UAC is enabled; Suspicious behavior: EnumeratesProcesses
C:\Windows\system32\Utilman.exe (PID 4348)
  command line: C:\Windows\system32\Utilman.exe
C:\Users\Admin\AppData\Local\Vul\Utilman.exe (PID 4448)
  command line: C:\Users\Admin\AppData\Local\Vul\Utilman.exe
  signatures: Executes dropped EXE; Loads dropped DLL; Checks whether UAC is enabled; Suspicious behavior: EnumeratesProcesses
C:\Windows\system32\SystemPropertiesPerformance.exe (PID 3916)
  command line: C:\Windows\system32\SystemPropertiesPerformance.exe
C:\Users\Admin\AppData\Local\aN1r2hE33\SystemPropertiesPerformance.exe (PID 4732)
  command line: C:\Users\Admin\AppData\Local\aN1r2hE33\SystemPropertiesPerformance.exe
  signatures: Executes dropped EXE; Loads dropped DLL; Checks whether UAC is enabled
C:\Windows\system32\isoburn.exe (PID 1608)
  command line: C:\Windows\system32\isoburn.exe
C:\Users\Admin\AppData\Local\Xel\isoburn.exe (PID 5080)
  command line: C:\Users\Admin\AppData\Local\Xel\isoburn.exe
  signatures: Executes dropped EXE; Loads dropped DLL; Checks whether UAC is enabled
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Event Triggered Execution (1)
    Accessibility Features (1)
Downloads