Analysis
- max time kernel: 149s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 28-01-2024 04:12
Static task: static1
Behavioral task: behavioral1
- Sample: 7c1e2e5883295d072f73627f00279333.dll
- Resource: win7-20231215-en
General
- Target: 7c1e2e5883295d072f73627f00279333.dll
- Size: 3.2MB
- MD5: 7c1e2e5883295d072f73627f00279333
- SHA1: d0308ecef0df53a4b448d8d59ed4c99efb0bb9c4
- SHA256: 20d290a43af5edaff7a58b11a463755ee38c570a6e9258e9672146566ed58ced
- SHA512: cc59d338eddee33127471a1ce20f6021889b7d2d795111804105c93127c28dcbfcd23d5e04711e011629a932eb5d62fe7a8d7987c9e42963508a5bc353d6538b
- SSDEEP: 12288:0VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:xfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
- Yara rule match
  resource: behavioral1/memory/1184-5-0x0000000002490000-0x0000000002491000-memory.dmp
  yara_rule: dridex_stager_shellcode
- Executes dropped EXE (3 IoCs)
  Processes (pid | process):
  2756 | irftp.exe
  1584 | UI0Detect.exe
  2152 | SystemPropertiesDataExecutionPrevention.exe
- Loads dropped DLL (7 IoCs)
  Processes (pid | process):
  1184 | (process name not recorded)
  2756 | irftp.exe
  1184 | (process name not recorded)
  1584 | UI0Detect.exe
  1184 | (process name not recorded)
  2152 | SystemPropertiesDataExecutionPrevention.exe
  1184 | (process name not recorded)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description | ioc | process):
  Set value (str) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rtxtioiynm = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\A4\\UI0Detect.exe" | (process name not recorded)
- Checks whether UAC is enabled
  Processes (description | ioc | process):
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | irftp.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | UI0Detect.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | SystemPropertiesDataExecutionPrevention.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid | process):
  2488 | rundll32.exe (3 entries)
  1184 | (process name not recorded; the remaining 61 entries)
- Suspicious use of WriteProcessMemory (18 IoCs)
  Processes (description | pid | target pid | target process), each recorded three times:
  PID 1184 wrote to memory of 2892 | 1184 | 2892 | irftp.exe
  PID 1184 wrote to memory of 2756 | 1184 | 2756 | irftp.exe
  PID 1184 wrote to memory of 1768 | 1184 | 1768 | UI0Detect.exe
  PID 1184 wrote to memory of 1584 | 1184 | 1584 | UI0Detect.exe
  PID 1184 wrote to memory of 1084 | 1184 | 1084 | SystemPropertiesDataExecutionPrevention.exe
  PID 1184 wrote to memory of 2152 | 1184 | 2152 | SystemPropertiesDataExecutionPrevention.exe
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\7c1e2e5883295d072f73627f00279333.dll,#1
  PID: 2488
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\irftp.exe
  Command line: C:\Windows\system32\irftp.exe
  PID: 2892
- C:\Users\Admin\AppData\Local\Ffhcg2RwK\irftp.exe
  Command line: C:\Users\Admin\AppData\Local\Ffhcg2RwK\irftp.exe
  PID: 2756
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\UI0Detect.exe
  Command line: C:\Windows\system32\UI0Detect.exe
  PID: 1768
- C:\Users\Admin\AppData\Local\6OnPwGdDt\UI0Detect.exe
  Command line: C:\Users\Admin\AppData\Local\6OnPwGdDt\UI0Detect.exe
  PID: 1584
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
  Command line: C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
  PID: 1084
- C:\Users\Admin\AppData\Local\aY8\SystemPropertiesDataExecutionPrevention.exe
  Command line: C:\Users\Admin\AppData\Local\aY8\SystemPropertiesDataExecutionPrevention.exe
  PID: 2152
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\MAu\WINMM.dll
  Filesize: 96KB
- \Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\wz\SystemPropertiesDataExecutionPrevention.exe
  Filesize: 57KB