Analysis
- max time kernel: 142s
- max time network: 117s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 25-12-2023 19:44
Static task: static1
Behavioral task: behavioral1
Sample: 38f8f403c494cd304763615d922a67fb.dll
Resource: win7-20231129-en
General
- Target: 38f8f403c494cd304763615d922a67fb.dll
- Size: 848KB
- MD5: 38f8f403c494cd304763615d922a67fb
- SHA1: 7706587dd4bc348037452e7833c6cd663111f440
- SHA256: 60df94d0fa102fe714906ec53efafa0308a79d6caf9e8688edc8525123a7b1e3
- SHA512: 8426cb54939bf66bcda1c537ecd0c574d64e548cbf04e03a38f15c670db0300c856a0ea5876b4c551edcdac8d33b266c6dc8f5f00944ffb1bc6fb796537679f8
- SSDEEP: 12288:AkbQEkWqv+157EYfxarhwLNuR7ek1tHffB/HzTyNQ6NIeGYr/R:AkbHkWfzZ5adwLNGeStHntqN7v
Malware Config
Signatures
-
Processes (resource, yara_rule):
- behavioral1/memory/1380-4-0x0000000002EA0000-0x0000000002EA1000-memory.dmp: dridex_stager_shellcode
Processes (resource, yara_rule):
- behavioral1/memory/2992-0-0x000007FEF73D0000-0x000007FEF74A4000-memory.dmp: dridex_payload
- behavioral1/memory/1380-27-0x0000000140000000-0x00000001400D4000-memory.dmp: dridex_payload
- behavioral1/memory/1380-19-0x0000000140000000-0x00000001400D4000-memory.dmp: dridex_payload
- behavioral1/memory/1380-38-0x0000000140000000-0x00000001400D4000-memory.dmp: dridex_payload
- behavioral1/memory/1380-40-0x0000000140000000-0x00000001400D4000-memory.dmp: dridex_payload
- behavioral1/memory/2992-41-0x000007FEF73D0000-0x000007FEF74A4000-memory.dmp: dridex_payload
- behavioral1/memory/1780-59-0x000007FEF73D0000-0x000007FEF74A5000-memory.dmp: dridex_payload
- behavioral1/memory/1780-55-0x000007FEF73D0000-0x000007FEF74A5000-memory.dmp: dridex_payload
- behavioral1/memory/1980-73-0x000007FEF6DF0000-0x000007FEF6ECB000-memory.dmp: dridex_payload
- behavioral1/memory/1980-77-0x000007FEF6DF0000-0x000007FEF6ECB000-memory.dmp: dridex_payload
- behavioral1/memory/960-91-0x000007FEF6DF0000-0x000007FEF6EC5000-memory.dmp: dridex_payload
- behavioral1/memory/960-94-0x000007FEF6DF0000-0x000007FEF6EC5000-memory.dmp: dridex_payload
Executes dropped EXE 3 IoCs
Processes (pid, Process):
- 1780 wusa.exe
- 1980 irftp.exe
- 960 wisptis.exe
Loads dropped DLL 7 IoCs
Processes (pid, Process; entries with no process name are listed as the page shows them):
- 1380
- 1780 wusa.exe
- 1380
- 1980 irftp.exe
- 1380
- 960 wisptis.exe
- 1380
Adds Run key to start application 2 TTPs 1 IoCs
Processes (description, ioc, Process):
- Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mjgqrtoi = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\NETWOR~1\\4TVQXFM5\\irftp.exe" | (no process name given)
Processes (description, ioc, Process):
- Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | irftp.exe
- Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | wisptis.exe
- Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | wusa.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (pid, Process; 64 entries in the order the page lists them):
- 2992 regsvr32.exe (3 entries)
- 1380, no process name (57 consecutive entries)
- 1780 wusa.exe (2 entries)
- 1380, no process name (2 entries)
Suspicious use of WriteProcessMemory 18 IoCs
Processes (description, pid, Process, procid_target; each row appears three times on the page):
- PID 1380 wrote to memory of 2636 | 1380 | 29 (3 entries)
- PID 1380 wrote to memory of 1780 | 1380 | 28 (3 entries)
- PID 1380 wrote to memory of 2284 | 1380 | 30 (3 entries)
- PID 1380 wrote to memory of 1980 | 1380 | 31 (3 entries)
- PID 1380 wrote to memory of 2200 | 1380 | 33 (3 entries)
- PID 1380 wrote to memory of 960 | 1380 | 32 (3 entries)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\regsvr32.exe
  Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\38f8f403c494cd304763615d922a67fb.dll
  - Suspicious behavior: EnumeratesProcesses
  PID: 2992
- C:\Users\Admin\AppData\Local\7oKdN\wusa.exe
  Command line: C:\Users\Admin\AppData\Local\7oKdN\wusa.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID: 1780
- C:\Windows\system32\wusa.exe
  Command line: C:\Windows\system32\wusa.exe
  PID: 2636
- C:\Windows\system32\irftp.exe
  Command line: C:\Windows\system32\irftp.exe
  PID: 2284
- C:\Users\Admin\AppData\Local\w6tj4DYpk\irftp.exe
  Command line: C:\Users\Admin\AppData\Local\w6tj4DYpk\irftp.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 1980
- C:\Users\Admin\AppData\Local\o003sK3rh\wisptis.exe
  Command line: C:\Users\Admin\AppData\Local\o003sK3rh\wisptis.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 960
- C:\Windows\system32\wisptis.exe
  Command line: C:\Windows\system32\wisptis.exe
  PID: 2200
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 300KB
  MD5: c15b3d813f4382ade98f1892350f21c7
  SHA1: a45c5abc6751bc8b9041e5e07923fa4fc1b4542b
  SHA256: 8f067da98eb3ea9f1db2f0063ff54e07d992fbf051779b467e222639be4127e3
  SHA512: 6d028fe81fe45d0ef291741513ecf939e412912647347d4d5bad89571f33e1084dc0fd26eb7313c7191f938c3f50243f453e2690e2475fc3f5539a20c2ff2f3c
- Filesize: 64KB
  MD5: d3bfe2cdc51a5dcb521f13789a5afab6
  SHA1: 658979a43cd87918e7b44b264d559e35638cd38a
  SHA256: f42b797ddf5cf69b85a5fc11c7d3a054c39378bfe41f8398370def0ee91907bb
  SHA512: 3b4526a60fe24043ccd6645587ed2e80adf85e8585c8ab5112a18a1914fce5e0cdf2cf30ea0b87f24eae08802278b0371eb54d39bda101d93c299d0f94eb6ac9
- Filesize: 192KB
  MD5: 0cae1fb725c56d260bfd6feba7ae9a75
  SHA1: 102ac676a1de3ec3d56401f8efd518c31c8b0b80
  SHA256: 312f4107ff37dc988d99c5f56178708bb74a3906740cff4e337c0dde8f1e151d
  SHA512: db969064577c4158d6bf925354319766b0d0373ddefb03dbfc9a9d2cadf8ddcd50a7f99b7ddf2ffad5e7fdbb6f02090b5b678bdf792d265054bff3b56ee0b8ec
- Filesize: 92KB
  MD5: 9e533dfa44971dd83d8b41872ce85aa7
  SHA1: a9a2e75303b64639ea29ed479cd4c9ab08a74614
  SHA256: 1549c27b806996a0bb0ee2dc2ea793d9b080f47c47d5f1e8a6b66548b214a46f
  SHA512: 1e19ff23efb06d02bcaf97a5999942365d1399f8d433c9743a4658af51157fae4c4d0abcfd4625c34df4f8c98a46e2b1d4f9ab73de8a19e6520a1ffd263b6fd1
- Filesize: 1KB
  MD5: 18d942ddafc8649cc693b08f60cd624f
  SHA1: 57c8c65c1c29af9cb4decc7e49748d07afe5cfe0
  SHA256: 5bc2ab6b99d23447c1c627424f5fd62fb3eac661d08db99cce59860721d232bd
  SHA512: 9dedad08c2235bc2aba6e33c687baa0764587377729cb3a34b9f2d136362d4c7b7e57fde8659f054d1479e4730ed420c18bddf2fcc7a9edefc6a5be83a70fd71
- Filesize: 204KB
  MD5: e3068892fb3a7dbca335b9d80fef74bc
  SHA1: 79c16222b4ee3f3293c2f8458858953008cff8d3
  SHA256: e387fcb89cf3ea1aa3480f6c9c7fd7fd8b5b21b3b92a2c33fad8b69f6fbd7399
  SHA512: 4ff3d136ea31550a93efc379942dd163210c4dab4ddea0eebc9b7d6b4c3a198a505d019525a57dab21ae257e7a68e3954307937bd6646f30cd911e0d9ecfd578
- Filesize: 93KB
  MD5: e105c5ff1c41341c6cfc983dfa2d3b85
  SHA1: 395c5490edd03084518326c48d693467384365a2
  SHA256: ddff5dc9314ef3520a7b6249265d3aa38dc7450a19715ab416d6a93d853a6e1f
  SHA512: cc6dd71fcc60edc5573e82dc088a96e6442cf742766005e2677dbf9e144bb5ced15920bbd29acb9ad7d74ffa377ed954ce2736a516c0ca0a83b9dee5295f5d87
- Filesize: 852KB
  MD5: 6b8215702b2b611702961429f547f1b0
  SHA1: ebac71e0f0a3f6eb64e96589a1637721b5281d73
  SHA256: a5a38bfc8e0cd0c149b6085f58e31bf3ba370940312f32fef389ae4d397d0812
  SHA512: efb28c94c36d42a792f962de89ab20d71dd81f5f2b6e930d1e38f73d019cc85eec37714da02d3b0e8e5f0739e9fd90707c9d3a01ddd9219832ff4785675162f3
- Filesize: 92KB
  MD5: 4081bb4b625db5ef7d7b382cf3382dc1
  SHA1: 56c5d23dedd55e02e0f40165f01d41e3bf252703
  SHA256: 5eb7adaca9d4c400ecd61afdf1315b4389a788b73b992b6b9b5b191729d2c6a4
  SHA512: a6d32ebaeee27fe5b21f85d89b386392ac91a8cf723b6822a444446cb4028a8be6a2604416648f498c0d166a60918f1c2953b743928fbe66433d596cd9ee372d
- Filesize: 65KB
  MD5: 7b21b17231a5b82ddfdef670ae0bfdac
  SHA1: ca3a23edddb340adba0b0c86108a9a5eb11c5aeb
  SHA256: f8c886145f5f254286eae9e829efbe0ce1bfcf27fcc0fcf802d19001a128c13e
  SHA512: 0ad7c7ce50cce630ffbeeff44fef4f53d25ba4df0cd8a073b7d68c8f1203617c37a4b4f3307b5bdf16104fb02cb90121af68713ea92f9696732def06ddc3bfce
- Filesize: 876KB
  MD5: 21c04396d9700c641f6b4d10d437d0ac
  SHA1: aeb6bed31e5b9cefad233b9f866953cbb533566e
  SHA256: 0a30274f4042c5e5179f1bd4f6b34d6da3cc048101a3b21634a9d7184e846492
  SHA512: 3d03767a555885b920887e267d2f8ee60bf8ab9da5d79b6bfae1798425af366dd78ee4ff83b8f9e3e1ec8a16f005a355c8ac0e81c8542ea85ed506da298e4acf
- Filesize: 92KB
  MD5: 0034faf01b54f76acc34ccb8c467ca45
  SHA1: 09d48ea6405d3da85cda38090d7e73a1d6efab9e
  SHA256: 811da14b086003b32b1e58407b6c03d9e527837ee87e45c93b11d30f51ac19d3
  SHA512: 090a432374bc0d765da6aed8c1e5dad42e6875f7d0e577a2e3059bb07550ed3be4d6b0cab304771895e2f346d2f1351d9f647f9e63222b8946c8eb87cbba3282