Analysis
- max time kernel: 149s
- max time network: 125s
- platform: windows10-2004_x64
- resource: win10v2004-20250502-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16/05/2025, 10:35
- Static task: static1
- Behavioral task: behavioral1
- Sample: 250516-mhyztssqw8.dll
- Resource: win10v2004-20250502-en
General
- Target: 250516-mhyztssqw8.dll
- Size: 1.8MB
- MD5: 05895a9a51666b349018181c47a225dd
- SHA1: b668dcf35e678feb89d80132bd2caed305b00c4d
- SHA256: 7686f055f8b252f4896523a8991be23fdd27da4cd1c71e012c6f9643c3ba587a
- SHA512: 1fedf71e9ea9a6257bf1c8098e38b2043d9f52f21d06861166eeb626302833c4c58509c720b65d50a27a9db838cd0ffea05b81d5546f5ca787b81fc240a6f73a
- SSDEEP: 12288:oVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1icN:9fP7fWsK5z9A+WGAW+V5SB6Ct4bnbb
Malware Config
Signatures
- Dridex family
  resource: behavioral1/memory/3416-5-0x0000000002FC0000-0x0000000002FC1000-memory.dmp
  yara_rule: dridex_stager_shellcode
- Executes dropped EXE (4 IoCs)
  pid 3704 MusNotifyIcon.exe; pid 3512 RecoveryDrive.exe; pid 1824 mblctr.exe; pid 4328 RecoveryDrive.exe
- Loads dropped DLL (4 IoCs)
  pid 3704 MusNotifyIcon.exe; pid 3512 RecoveryDrive.exe; pid 1824 mblctr.exe; pid 4328 RecoveryDrive.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Oifecqo = "C:\\Users\\Admin\\AppData\\Roaming\\Sun\\Java\\R8aLkWmX\\RecoveryDrive.exe" (process: Process not Found)
- Checks whether UAC is enabled (1 TTP, 4 IoCs)
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA by MusNotifyIcon.exe, RecoveryDrive.exe, mblctr.exe, RecoveryDrive.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 3500 regsvr32.exe (4 entries); pid 3416 Process not Found (all remaining entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid 3416 Process not Found
- Suspicious use of AdjustPrivilegeToken (8 IoCs)
  pid 3416 Process not Found: Token SeShutdownPrivilege and Token SeCreatePagefilePrivilege, each adjusted 4 times
- Suspicious use of UnmapMainImage (1 IoC)
  pid 3416 Process not Found
- Suspicious use of WriteProcessMemory (16 IoCs; each write is logged twice)
  PID 3416 (Process not Found) wrote to memory of 2920 (procid_target 92)
  PID 3416 (Process not Found) wrote to memory of 3704 (procid_target 93)
  PID 3416 (Process not Found) wrote to memory of 4568 (procid_target 94)
  PID 3416 (Process not Found) wrote to memory of 3512 (procid_target 95)
  PID 3416 (Process not Found) wrote to memory of 4428 (procid_target 96)
  PID 3416 (Process not Found) wrote to memory of 2532 (procid_target 98)
  PID 3416 (Process not Found) wrote to memory of 1824 (procid_target 99)
  PID 4428 (cmd.exe) wrote to memory of 4328 (procid_target 100)
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\regsvr32.exe (PID 3500, level 1)
  command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\250516-mhyztssqw8.dll
  signatures: Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\MusNotifyIcon.exe (PID 2920, level 1)
  command line: C:\Windows\system32\MusNotifyIcon.exe
- C:\Users\Admin\AppData\Local\xWFyOjH2\MusNotifyIcon.exe (PID 3704, level 1)
  command line: C:\Users\Admin\AppData\Local\xWFyOjH2\MusNotifyIcon.exe
  signatures: Executes dropped EXE; Loads dropped DLL; Checks whether UAC is enabled
- C:\Windows\system32\RecoveryDrive.exe (PID 4568, level 1)
  command line: C:\Windows\system32\RecoveryDrive.exe
- C:\Users\Admin\AppData\Local\DS94\RecoveryDrive.exe (PID 3512, level 1)
  command line: C:\Users\Admin\AppData\Local\DS94\RecoveryDrive.exe
  signatures: Executes dropped EXE; Loads dropped DLL; Checks whether UAC is enabled
- C:\Windows\system32\cmd.exe (PID 4428, level 1)
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Sun\Java\R8aLkWmX\RecoveryDrive.exe
  signatures: Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Sun\Java\R8aLkWmX\RecoveryDrive.exe (PID 4328, level 2, child of cmd.exe)
    command line: C:\Users\Admin\AppData\Roaming\Sun\Java\R8aLkWmX\RecoveryDrive.exe
    signatures: Executes dropped EXE; Loads dropped DLL; Checks whether UAC is enabled
- C:\Windows\system32\mblctr.exe (PID 2532, level 1)
  command line: C:\Windows\system32\mblctr.exe
- C:\Users\Admin\AppData\Local\tfdRDWBc\mblctr.exe (PID 1824, level 1)
  command line: C:\Users\Admin\AppData\Local\tfdRDWBc\mblctr.exe
  signatures: Executes dropped EXE; Loads dropped DLL; Checks whether UAC is enabled
Network
MITRE ATT&CK Enterprise v16
Downloads