Analysis
- max time kernel: 150s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 28-01-2024 06:25

Static task: static1
Behavioral task: behavioral1
- Sample: 7c6145fc88e55d7bac1db14f71a9f30c.dll
- Resource: win7-20231215-en
General
- Target: 7c6145fc88e55d7bac1db14f71a9f30c.dll
- Size: 1.6MB
- MD5: 7c6145fc88e55d7bac1db14f71a9f30c
- SHA1: b799ed57dd7fcd9ab9cfe839a89f4cf802460e05
- SHA256: 0d2b503372e4dc3d29a19e708d6309e96fc04a5845900e890b883a4af1e22bb2
- SHA512: 02fcd9932d8464e0c88e5aaf4bca5658ff89cd1aa26c80f4ae30b410fc22d03beb63994591d7b7e2d88ead258a17d30d11007c01cf3d35dd9c755455a498aa17
- SSDEEP: 12288:4VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:tfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
Processes:
  resource:  behavioral1/memory/1280-5-0x0000000002AE0000-0x0000000002AE1000-memory.dmp
  yara_rule: dridex_stager_shellcode
Executes dropped EXE 3 IoCs
Processes:
  pid   process
  2592  irftp.exe
  2968  mstsc.exe
  524   SoundRecorder.exe
Loads dropped DLL 7 IoCs
Processes:
  pid   process
  1280
  2592  irftp.exe
  1280
  2968  mstsc.exe
  1280
  524   SoundRecorder.exe
  1280
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\Niubkzso = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\FLASHP~1\\ASSETC~1\\WsWmLl\\mstsc.exe"
Checks whether UAC is enabled
Processes:
  description        ioc                                                                                   process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  irftp.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  mstsc.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  SoundRecorder.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
  pid   process
  2480  rundll32.exe
  2480  rundll32.exe
  2480  rundll32.exe
  1280  (61 further entries for pid 1280, no process name recorded)
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
  description                        pid   process  target process
  PID 1280 wrote to memory of 2832   1280           irftp.exe
  PID 1280 wrote to memory of 2832   1280           irftp.exe
  PID 1280 wrote to memory of 2832   1280           irftp.exe
  PID 1280 wrote to memory of 2592   1280           irftp.exe
  PID 1280 wrote to memory of 2592   1280           irftp.exe
  PID 1280 wrote to memory of 2592   1280           irftp.exe
  PID 1280 wrote to memory of 1688   1280           mstsc.exe
  PID 1280 wrote to memory of 1688   1280           mstsc.exe
  PID 1280 wrote to memory of 1688   1280           mstsc.exe
  PID 1280 wrote to memory of 2968   1280           mstsc.exe
  PID 1280 wrote to memory of 2968   1280           mstsc.exe
  PID 1280 wrote to memory of 2968   1280           mstsc.exe
  PID 1280 wrote to memory of 1152   1280           SoundRecorder.exe
  PID 1280 wrote to memory of 1152   1280           SoundRecorder.exe
  PID 1280 wrote to memory of 1152   1280           SoundRecorder.exe
  PID 1280 wrote to memory of 524    1280           SoundRecorder.exe
  PID 1280 wrote to memory of 524    1280           SoundRecorder.exe
  PID 1280 wrote to memory of 524    1280           SoundRecorder.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\7c6145fc88e55d7bac1db14f71a9f30c.dll,#1
  level: 1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID: 2480
- C:\Windows\system32\irftp.exe
  command line: C:\Windows\system32\irftp.exe
  level: 1
  PID: 2832
- C:\Users\Admin\AppData\Local\spbVX\irftp.exe
  command line: C:\Users\Admin\AppData\Local\spbVX\irftp.exe
  level: 1
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 2592
- C:\Windows\system32\mstsc.exe
  command line: C:\Windows\system32\mstsc.exe
  level: 1
  PID: 1688
- C:\Users\Admin\AppData\Local\6ueMzQ4\mstsc.exe
  command line: C:\Users\Admin\AppData\Local\6ueMzQ4\mstsc.exe
  level: 1
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 2968
- C:\Windows\system32\SoundRecorder.exe
  command line: C:\Windows\system32\SoundRecorder.exe
  level: 1
  PID: 1152
- C:\Users\Admin\AppData\Local\m14\SoundRecorder.exe
  command line: C:\Users\Admin\AppData\Local\m14\SoundRecorder.exe
  level: 1
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 524
Network
MITRE ATT&CK Enterprise v15
Downloads