Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11-10-2024 20:27
Static task: static1
Behavioral task: behavioral1
Sample: 1e4aed6e957b55dad4f63b7d5f44cb8ce6a7216b6ad4e51d971d307007ed3d2a.dll
Resource: win7-20240903-en
General
Target: 1e4aed6e957b55dad4f63b7d5f44cb8ce6a7216b6ad4e51d971d307007ed3d2a.dll
Size: 940KB
MD5: e6ffe9204f9d5606d662bf6f355c3863
SHA1: 1632dfd22740045fad5a1fa5149cde3eb694ae7c
SHA256: 1e4aed6e957b55dad4f63b7d5f44cb8ce6a7216b6ad4e51d971d307007ed3d2a
SHA512: e08cde0affdc24597bd0bbde592fb78afcba4b187d25d3bb0b72949b3a2825c5f8e62d1ef8cf23ce495167517f16516d7448909b538085101c317845b3159ea3
SSDEEP: 12288:CPVKLvdxQPKSoVXxTaGcb68Uzx2TBeOWhZJpK8:CtKTrsKSKBTSb6DUXWq8
Malware Config
Signatures
resource | yara_rule
behavioral2/memory/3364-3-0x0000000003240000-0x0000000003241000-memory.dmp | dridex_stager_shellcode
resource | yara_rule
behavioral2/memory/3872-1-0x0000000140000000-0x00000001400EB000-memory.dmp | dridex_payload
behavioral2/memory/3364-24-0x0000000140000000-0x00000001400EB000-memory.dmp | dridex_payload
behavioral2/memory/3364-35-0x0000000140000000-0x00000001400EB000-memory.dmp | dridex_payload
behavioral2/memory/3872-38-0x0000000140000000-0x00000001400EB000-memory.dmp | dridex_payload
behavioral2/memory/3372-46-0x0000000140000000-0x00000001400EC000-memory.dmp | dridex_payload
behavioral2/memory/3372-50-0x0000000140000000-0x00000001400EC000-memory.dmp | dridex_payload
behavioral2/memory/4836-66-0x0000000140000000-0x00000001400EC000-memory.dmp | dridex_payload
behavioral2/memory/820-81-0x0000000140000000-0x00000001400EC000-memory.dmp | dridex_payload
Executes dropped EXE 3 IoCs
pid | Process
3372 | SystemPropertiesRemote.exe
4836 | MusNotifyIcon.exe
820 | isoburn.exe
Loads dropped DLL 3 IoCs
pid | Process
3372 | SystemPropertiesRemote.exe
4836 | MusNotifyIcon.exe
820 | isoburn.exe
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gbrhc = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations\\g5uJwj\\MusNotifyIcon.exe" | Process not Found
Checks whether UAC is enabled
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | isoburn.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | SystemPropertiesRemote.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | MusNotifyIcon.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
3872 | rundll32.exe (4 entries)
3364 | Process not Found (the remaining 60 entries)
Suspicious use of UnmapMainImage 1 IoCs
pid | Process
3364 | Process not Found
Suspicious use of WriteProcessMemory 12 IoCs
description | pid | Process | procid_target
PID 3364 wrote to memory of 2672 | 3364 | Process not Found | 86
PID 3364 wrote to memory of 2672 | 3364 | Process not Found | 86
PID 3364 wrote to memory of 3372 | 3364 | Process not Found | 87
PID 3364 wrote to memory of 3372 | 3364 | Process not Found | 87
PID 3364 wrote to memory of 3780 | 3364 | Process not Found | 88
PID 3364 wrote to memory of 3780 | 3364 | Process not Found | 88
PID 3364 wrote to memory of 4836 | 3364 | Process not Found | 89
PID 3364 wrote to memory of 4836 | 3364 | Process not Found | 89
PID 3364 wrote to memory of 3464 | 3364 | Process not Found | 90
PID 3364 wrote to memory of 3464 | 3364 | Process not Found | 90
PID 3364 wrote to memory of 820 | 3364 | Process not Found | 91
PID 3364 wrote to memory of 820 | 3364 | Process not Found | 91
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Process: C:\Windows\system32\rundll32.exe
Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\1e4aed6e957b55dad4f63b7d5f44cb8ce6a7216b6ad4e51d971d307007ed3d2a.dll,#1
PID: 3872
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses

Process: C:\Windows\system32\SystemPropertiesRemote.exe
Command line: C:\Windows\system32\SystemPropertiesRemote.exe
PID: 2672

Process: C:\Users\Admin\AppData\Local\gvb\SystemPropertiesRemote.exe
Command line: C:\Users\Admin\AppData\Local\gvb\SystemPropertiesRemote.exe
PID: 3372
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled

Process: C:\Windows\system32\MusNotifyIcon.exe
Command line: C:\Windows\system32\MusNotifyIcon.exe
PID: 3780

Process: C:\Users\Admin\AppData\Local\EyedR8\MusNotifyIcon.exe
Command line: C:\Users\Admin\AppData\Local\EyedR8\MusNotifyIcon.exe
PID: 4836
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled

Process: C:\Windows\system32\isoburn.exe
Command line: C:\Windows\system32\isoburn.exe
PID: 3464

Process: C:\Users\Admin\AppData\Local\rE1kZ\isoburn.exe
Command line: C:\Users\Admin\AppData\Local\rE1kZ\isoburn.exe
PID: 820
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 629KB
MD5: c54b1a69a21e03b83ebb0aeb3758b6f7
SHA1: b32ee7e5b813554c4b8e8f96f176570e0f6e8b6c
SHA256: ac3e12011b70144cc84539bbccacdfae35bd4ea3ee61b4a9fca5f082d044d8bf
SHA512: 2680ab501ffe7d40fed28eb207d812880c8a71d71a29d59ba3da27c0bae98c74893e04807d93fba7b5e673c3e13a1ad21bfaab10bdb871d83349ff4e7c614b19

Filesize: 944KB
MD5: cc9f5df006b6a91b9c57bdc58124600c
SHA1: 49933a4b2a5ca0c1112e7500d1f6d815bcbff808
SHA256: 6c3fbdd81cd9878c5f6bc5353fffb577a01fc1c5673287eb334e1c7da0b2a181
SHA512: 46e1fbd19426a25c5c7ee3f35da39bd24765d5b661cf04713f51ee0a0df4d61fa08a527010d5f6de4ad0f4482f2c55f4c4f50db43319d0814078269c49df11bc

Filesize: 944KB
MD5: 5ea07bca61b6771aa3443cdef68aeca6
SHA1: 84b2684ee5d4f05edda019c29225b487f2623801
SHA256: 0a02248046b75cba8602d27f5e3346b104ec5333bad1142eb0807e9d8c605edc
SHA512: c0b5e2d8bfd64e9575ca487aca00f8ae86a4689e38edf3fe0967a1cb852e90229a75bb15254d2d633a6b3479d664b69017ff14af19a3f5fa18a95c5e2a4ddade

Filesize: 82KB
MD5: cdce1ee7f316f249a3c20cc7a0197da9
SHA1: dadb23af07827758005ec0235ac1573ffcea0da6
SHA256: 7984e2bff295c8dbcbd3cd296d0741e3a6844b8db9f962abdbc8d333e9a83932
SHA512: f1dc529ebfed814adcf3e68041243ee02ba33b56c356a63eba5ef2cb6ede1eda192e03349f6a200d34dfab67263df79cf295be3706f4197b9008ccdc53410c26

Filesize: 944KB
MD5: 9be4e1dd8859cf232e8c73ced853a2e6
SHA1: 6900e3d21aa934c21bdc23bb78e0f2e5adc516d9
SHA256: eaabc6c6c47983d921c10be8255121e3a93d7b2a5704a4e7f6205891f4fb5d0a
SHA512: 6af95b4ddb74011decbb3c1b46fc77056cbc6e09a48d955b3a524b8e99b637702fd67ff746c093cc9e71edbf0796cc052a254d098d31bcd1ef99899ef070b680

Filesize: 119KB
MD5: 68078583d028a4873399ae7f25f64bad
SHA1: a3c928fe57856a10aed7fee17670627fe663e6fe
SHA256: 9478c095afe212bce91d2de1a3c3647109f2d54e46b9bf70843e839324458567
SHA512: 25503a47c53fe83eeb56726b5a5eec5cb01bc783e866306f92242a7a8cbafa20a3209217e0f4561febfec78d2f64f1725727a6b2d3ee6da512618984d0bb0bc1

Filesize: 1KB
MD5: 69e333244267a20c51eeedc35e06e451
SHA1: 741174a29ad3dcebfbf9c9114b64c00e7db14652
SHA256: 866185b6a66553e5441d89a9c605e100f9d32853191eef82bccb80a4c8c83866
SHA512: 09bc6bb4101d0e9f3fe5747c67550ba49363e656a46639bf4c9cb292b4e9c9b818ec49ce3b5cec57b5abe27dcef61270a6fbbaeaf321e2d1fdce08cf09dc6392