Analysis
- max time kernel: 130s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 29-12-2023 19:19

Static task: static1
Behavioral task: behavioral1
- Sample: 017fef171fcb1bae625fadf3ff3a5b41.dll
- Resource: win7-20231129-en
General
- Target: 017fef171fcb1bae625fadf3ff3a5b41.dll
- Size: 1.1MB
- MD5: 017fef171fcb1bae625fadf3ff3a5b41
- SHA1: f6807821506e43999eb3768fe506f9e4f364f489
- SHA256: bf60aa85ca8b3e356c3a27fa9f81014450da3e144866ed72f2f58c71e6ad2194
- SHA512: 8f231509b877e7466db748422889bb8518267683a6f4e35a62e3d650ac922c65d0e96c2927564a2db6a5592bea653077c9ad9fe1b06338513a49c73125970dcd
- SSDEEP: 12288:rkMZ+g4TyilMqFvPIV93i/S0hzmOBt5nihfSxI/mhjEvqJ0D/eAQsroXAkH64C:rkMZ+gf4ltGd8H1fYO0q2G1Ah
Malware Config
Signatures
-
Processes:
resource | yara_rule
behavioral1/memory/1360-4-0x00000000025B0000-0x00000000025B1000-memory.dmp | dridex_stager_shellcode
Processes:
resource | yara_rule
behavioral1/memory/1764-0-0x0000000140000000-0x0000000140122000-memory.dmp | dridex_payload
behavioral1/memory/1360-26-0x0000000140000000-0x0000000140122000-memory.dmp | dridex_payload
behavioral1/memory/1360-38-0x0000000140000000-0x0000000140122000-memory.dmp | dridex_payload
behavioral1/memory/1360-37-0x0000000140000000-0x0000000140122000-memory.dmp | dridex_payload
behavioral1/memory/1764-46-0x0000000140000000-0x0000000140122000-memory.dmp | dridex_payload
behavioral1/memory/2788-58-0x0000000140000000-0x0000000140124000-memory.dmp | dridex_payload
behavioral1/memory/2788-54-0x0000000140000000-0x0000000140124000-memory.dmp | dridex_payload
behavioral1/memory/2184-141-0x0000000140000000-0x0000000140156000-memory.dmp | dridex_payload
behavioral1/memory/2184-144-0x0000000140000000-0x0000000140156000-memory.dmp | dridex_payload
behavioral1/memory/676-187-0x0000000140000000-0x0000000140124000-memory.dmp | dridex_payload
Executes dropped EXE 3 IoCs
Processes:
pid | Process
2788 | mstsc.exe
2184 | Utilman.exe
676 | irftp.exe
Loads dropped DLL 7 IoCs
Processes:
pid | Process
1360 |
2788 | mstsc.exe
1360 |
2184 | Utilman.exe
1360 |
676 | irftp.exe
1360 |
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Groztcac = "C:\\Users\\Admin\\AppData\\Roaming\\MACROM~1\\FLASHP~1\\MACROM~1.COM\\2TMJZ\\Utilman.exe" |
Checks whether UAC is enabled
Processes:
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | mstsc.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Utilman.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | irftp.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (repeated identical rows collapsed; the report counts 64 IoCs):
pid | Process
1764 | rundll32.exe
1360 |
2788 | mstsc.exe
Suspicious use of WriteProcessMemory 18 IoCs
Processes (each row appears three times in the report; repeats collapsed):
description | pid | Process | procid_target
PID 1360 wrote to memory of 2568 | 1360 | | 29
PID 1360 wrote to memory of 2788 | 1360 | | 28
PID 1360 wrote to memory of 2792 | 1360 | | 30
PID 1360 wrote to memory of 2184 | 1360 | | 31
PID 1360 wrote to memory of 796 | 1360 | | 32
PID 1360 wrote to memory of 676 | 1360 | | 33
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\rundll32.exe (PID: 1764)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\017fef171fcb1bae625fadf3ff3a5b41.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
- C:\Users\Admin\AppData\Local\haSL\mstsc.exe (PID: 2788)
  Command line: C:\Users\Admin\AppData\Local\haSL\mstsc.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\mstsc.exe (PID: 2568)
  Command line: C:\Windows\system32\mstsc.exe
- C:\Windows\system32\Utilman.exe (PID: 2792)
  Command line: C:\Windows\system32\Utilman.exe
- C:\Users\Admin\AppData\Local\XLZV\Utilman.exe (PID: 2184)
  Command line: C:\Users\Admin\AppData\Local\XLZV\Utilman.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\irftp.exe (PID: 796)
  Command line: C:\Windows\system32\irftp.exe
- C:\Users\Admin\AppData\Local\f7NuFe8Q\irftp.exe (PID: 676)
  Command line: C:\Users\Admin\AppData\Local\f7NuFe8Q\irftp.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\5i\WINMM.dll
  Filesize: 92KB