Analysis

max time kernel: 65s
max time network: 71s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-12-2022 05:56

Static task: static1
Behavioral task: behavioral1
  Sample: Ref_Sept24-2020.scr
  Resource: win7-20220901-en
General

Target: Ref_Sept24-2020.scr
Size: 734KB
MD5: d594e8a2098a81c9bfa24f3c17c992e6
SHA1: b9c820973407c7b4bef5b9ce98b7af62cafa397d
SHA256: fad001d463e892e7844040cabdcfa8f8431c07e7ef1ffd76ffbd190f49d7693d
SHA512: 50049d1ded3f8cfcb6aa839c0341e91bb39b46dbd5376533f2725ce27e6ae5059d3f5af71100dd025b03b7a3cf90bfa920a93818ac1bafb30c65460514c4fd47
SSDEEP: 12288:EY20AljdZgBPfKfi1leppjfQxAogJfqsUsz0cX0rLfGLEXTMd8MQ5B5rxVCz:Z20gPgFKLfQxAVBbIcXQGL+MWMwTrxMz
Malware Config

Extracted family: dridex
10555
  151.236.219.181:443
  142.4.6.57:14043
  162.144.127.197:3786
  103.40.116.68:5443
Signatures

Executes dropped EXE (1 IoC)
Processes:
  PID   Process
  1528  PLS.exe

Sets file to hidden (1 TTP, 1 IoC)
Modifies file attributes to stop it showing in Explorer etc.

Checks computer location settings (2 TTPs, 4 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: Ref_Sept24-2020.scr, WScript.exe, cmd.exe, WScript.exe
  Description        IoC                                                                                                    Process
  Key value queried  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation  Ref_Sept24-2020.scr
  Key value queried  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation  WScript.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation  cmd.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation  WScript.exe

Loads dropped DLL (1 IoC)
Processes:
  PID   Process
  1176  regsvr32.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Delays execution with timeout.exe (4 IoCs)
Processes:
  PID   Process
  4400  timeout.exe
  2220  timeout.exe
  4224  timeout.exe
  4644  timeout.exe

Modifies registry class (2 IoCs)
Processes: Ref_Sept24-2020.scr, cmd.exe
  Description  IoC                                                                              Process
  Key created  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings  Ref_Sept24-2020.scr
  Key created  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings  cmd.exe

Suspicious use of WriteProcessMemory (33 IoCs)
Processes: Ref_Sept24-2020.scr, WScript.exe, cmd.exe, WScript.exe, cmd.exe
Each write below is recorded three times in the report, which gives the 33 IoCs; the distinct parent-to-child writes are:
  Description                   PID   Process              Target PID  Target process
  PID 5052 wrote to memory of   1672  Ref_Sept24-2020.scr  1672        WScript.exe
  PID 1672 wrote to memory of   4368  WScript.exe          4368        cmd.exe
  PID 4368 wrote to memory of   4400  cmd.exe              4400        timeout.exe
  PID 4368 wrote to memory of   1528  cmd.exe              1528        PLS.exe
  PID 4368 wrote to memory of   2220  cmd.exe              2220        timeout.exe
  PID 4368 wrote to memory of   1544  cmd.exe              1544        WScript.exe
  PID 4368 wrote to memory of   4224  cmd.exe              4224        timeout.exe
  PID 1544 wrote to memory of   4636  WScript.exe          4636        cmd.exe
  PID 4636 wrote to memory of   4060  cmd.exe              4060        attrib.exe
  PID 4636 wrote to memory of   4644  cmd.exe              4644        timeout.exe
  PID 4636 wrote to memory of   1176  cmd.exe              1176        regsvr32.exe

Views/modifies file attributes (1 TTP, 1 IoC)
Processes

Depth 1: C:\Users\Admin\AppData\Local\Temp\Ref_Sept24-2020.scr
  Command line: "C:\Users\Admin\AppData\Local\Temp\Ref_Sept24-2020.scr" /S
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory

  Depth 2: C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\XIU\configurate\selector.vbs" /f=CREATE_NO_WINDOW install.cmd
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory

    Depth 3: C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\XIU\configurate\dsep.bat" "
      - Checks computer location settings
      - Modifies registry class
      - Suspicious use of WriteProcessMemory

      Depth 4: C:\Windows\SysWOW64\timeout.exe
        Command line: timeout 3
        - Delays execution with timeout.exe

      Depth 4: C:\XIU\configurate\PLS.exe
        Command line: "PLS.exe" e -pVersion hl.rar
        - Executes dropped EXE

      Depth 4: C:\Windows\SysWOW64\timeout.exe
        Command line: timeout 5
        - Delays execution with timeout.exe

      Depth 4: C:\Windows\SysWOW64\WScript.exe
        Command line: "C:\Windows\System32\WScript.exe" "C:\XIU\configurate\fatless.vbs"
        - Checks computer location settings
        - Suspicious use of WriteProcessMemory

        Depth 5: C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c ""C:\XIU\configurate\lll.bat" "
          - Suspicious use of WriteProcessMemory

          Depth 6: C:\Windows\SysWOW64\attrib.exe
            Command line: attrib +s +h "C:\XIU"
            - Sets file to hidden
            - Views/modifies file attributes

          Depth 6: C:\Windows\SysWOW64\timeout.exe
            Command line: timeout 2
            - Delays execution with timeout.exe

          Depth 6: C:\Windows\SysWOW64\regsvr32.exe
            Command line: regsvr32 -s CONFIG.dll
            - Loads dropped DLL

      Depth 4: C:\Windows\SysWOW64\timeout.exe
        Command line: timeout 4
        - Delays execution with timeout.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\XIU\configurate\CONFIG.dll
  Filesize: 324KB
  MD5: 031f318c8ab815cda0d447904a925cf7
  SHA1: 2bbca22cb0355f1ad4acedd9dd69ebaaeddf6b9e
  SHA256: 9492c6842475059a6af7f4b8c42e03944f08938243fa393713a5a6a930d79bcd
  SHA512: 519a54859e82861cf3f73b3a6ac400b57bd560a53867b8396aa8c286a5ee4e675c75c3f80ddc0cb4e0ef80300ada6b4e985bd4bb73bdc8d1c56a673240a83c4d

C:\XIU\configurate\PLS.exe
  Filesize: 551KB
  MD5: 061f64173293969577916832be29b90d
  SHA1: b05b80385de20463a80b6c9c39bd1d53123aab9b
  SHA256: 34dfe4869b0a524c63cc4696fafe30c83a22dc5fe4b994b9fe777f2c986733ce
  SHA512: 66e284f7c7e40af988ab09ff48cc786d287ac906368042d98d313be764058f01ecb5c3a7ab8d4336ee6494ea4a1347e73f0f2b4f3baec25ca6bcec1d888bd3da

C:\XIU\configurate\SLP.txt
  Filesize: 212KB
  MD5: 24fdf4791a3efa0178e677b0e03c12b1
  SHA1: f5f45b8c35cf303eff77aa1fbe02e9bd4318c7d7
  SHA256: 6740389c8266848199851648c4228df7401dd30c8dec89ab7827f1bec7ab522b
  SHA512: f9b71717cdd61a9539dd93267f4d039e0de7dd8933b9f63679466a881884b06ccdc666d27bb6b9909127101a63879b33a1165a83fff9d6ce3009ed5e7b97b6da

C:\XIU\configurate\dsep.bat
  Filesize: 569B
  MD5: 9318a04c2d4d80719382a7e73c28736b
  SHA1: ddb5096d2841b575a941ecaf79fee8e2365563ae
  SHA256: db74d354ad34fa9a0dafd9b846574855b480590ebf06879d87844060cf50ff4b
  SHA512: 0dd33ebf730e77a1d55996b14a560f1584e17e55e5a6efdedd3bce2ecdd0e7f892c9ae2b4bef8ee68a723ef9d02717e9f9fb3939f1b95cacaeacd29b28e70717

C:\XIU\configurate\fatless.vbs
  Filesize: 99B
  MD5: 75214af723ca4720e0aa365eb3ef6f5b
  SHA1: a6b73a92246cd3b857e32e2a8a26ee8fc52fdcb4
  SHA256: 06d4a788d4c91c141b933199826ac3b4df8d6027f818fc2b198043773ea132e4
  SHA512: 91b7752a63e694641f17187cdb8e1a7876eda195f3070d6fee210b6210e2897833bc08b770db6e82cfec7a99e3fae5c01588872eb2aa60dccdc4064363f54c58

C:\XIU\configurate\lll.bat
  Filesize: 692B
  MD5: 70c1b14895a29502d3e94e395606f82d
  SHA1: a02fff1f3a0c1c8ff5453a5de715cbe5ba227185
  SHA256: b449d3d5b476b1a53bbe6b5d6fef93e89d8456450e84b1c349237c6a8df3b65d
  SHA512: 8f9a8975124738b7a5ad1e0d92549f45a06c6efa8fac7d3c07ce16399a6aeed5644c14bf56cec56c83a293835cfb994a99d3e75dc5e9ea7f41e9e354760f742c

C:\XIU\configurate\selector.vbs
  Filesize: 82B
  MD5: 9cce3084f1850c3be989cc47fab4ee71
  SHA1: e490f01a46f85c155c2848affda6d2c7b0791c8b
  SHA256: 332462b21eed1bcbd9c198851e28b789893628410e7268ddc022a40e2f7f94c1
  SHA512: 30cc59e8e1a5b20a1c59bb437dc96cf65f7bbfa798617a77a613ae89012be78bda38c51278411ba511a7058eaca728e160a0d6d29f5defaeafa4dc7f64458f88
Memory dumps

memory/1176-154-0x0000000001190000-0x0000000001196000-memory.dmp
  Filesize: 24KB
memory/1176-151-0x0000000074190000-0x00000000741E1000-memory.dmp
  Filesize: 324KB
memory/1176-148-0x0000000000000000-mapping.dmp
memory/1528-138-0x0000000000000000-mapping.dmp
memory/1544-142-0x0000000000000000-mapping.dmp
memory/1672-132-0x0000000000000000-mapping.dmp
memory/2220-140-0x0000000000000000-mapping.dmp
memory/4060-146-0x0000000000000000-mapping.dmp
memory/4224-143-0x0000000000000000-mapping.dmp
memory/4368-135-0x0000000000000000-mapping.dmp
memory/4400-136-0x0000000000000000-mapping.dmp
memory/4636-145-0x0000000000000000-mapping.dmp
memory/4644-147-0x0000000000000000-mapping.dmp