Overview
overview
10Static
static
10Dropper/Berbew.exe
windows10-2004-x64
10Dropper/Phorphiex.exe
windows10-2004-x64
10RAT/31.exe
windows10-2004-x64
10RAT/XClient.exe
windows10-2004-x64
10RAT/file.exe
windows10-2004-x64
7Ransomware...-2.exe
windows10-2004-x64
10Ransomware...01.exe
windows10-2004-x64
10Ransomware...lt.exe
windows10-2004-x64
10Stealers/Azorult.exe
windows10-2004-x64
10Stealers/B...on.exe
windows10-2004-x64
10Stealers/Dridex.dll
windows10-2004-x64
10Stealers/M..._2.exe
windows10-2004-x64
10Stealers/lumma.exe
windows10-2004-x64
10Trojan/BetaBot.exe
windows10-2004-x64
10Trojan/Smo...er.exe
windows10-2004-x64
10Resubmissions
03-09-2024 14:02
240903-rb57sazdqf 1003-09-2024 13:51
240903-q59avszclf 1002-09-2024 19:51
240902-yk8gtsxbpd 1002-09-2024 02:27
240902-cxh7tazflg 1002-09-2024 02:26
240902-cwxc2sygll 1021-06-2024 19:37
240621-yca7cszgnd 1009-06-2024 17:07
240609-vm7rjadd73 1013-05-2024 17:36
240513-v6qblafe3y 1012-05-2024 17:17
240512-vty3zafh5s 10Analysis
-
max time kernel
98s -
max time network
99s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
13-05-2024 17:36
Behavioral task
behavioral1
Sample
Dropper/Berbew.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral2
Sample
Dropper/Phorphiex.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
RAT/31.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral4
Sample
RAT/XClient.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral5
Sample
RAT/file.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral6
Sample
Ransomware/Client-2.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral7
Sample
Ransomware/criticalupdate01.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral8
Sample
Ransomware/default.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral9
Sample
Stealers/Azorult.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral10
Sample
Stealers/BlackMoon.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral11
Sample
Stealers/Dridex.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral12
Sample
Stealers/Masslogger/mouse_2.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral13
Sample
Stealers/lumma.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral14
Sample
Trojan/BetaBot.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral15
Sample
Trojan/SmokeLoader.exe
Resource
win10v2004-20240426-en
General
-
Target
Stealers/Dridex.dll
-
Size
1.2MB
-
MD5
304109f9a5c3726818b4c3668fdb71fd
-
SHA1
2eb804e205d15d314e7f67d503940f69f5dc2ef8
-
SHA256
af26296c75ff26f7ee865df424522d75366ae3e2e80d7d9e89ef8c9398b0836d
-
SHA512
cf01fca33392dc40495f4c39eb1fd240b425018c7088ca9782d883bb135b5dd469a11941d0d680a69e881fa95c4147d70fe567aeba7e98ff6adfd5c0ca1a0e01
-
SSDEEP
24576:ZVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:ZV8hf6STw1ZlQauvzSq01ICe6zvm
Malware Config
Signatures
-
resource yara_rule behavioral11/memory/3536-4-0x0000000002ED0000-0x0000000002ED1000-memory.dmp dridex_stager_shellcode -
Executes dropped EXE 3 IoCs
pid Process 3184 cmstp.exe 2028 WFS.exe 2144 CloudNotifications.exe -
Loads dropped DLL 3 IoCs
pid Process 3184 cmstp.exe 2028 WFS.exe 2144 CloudNotifications.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Pruztwesow = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\OneNote\\4KM\\WFS.exe" Process not Found -
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA rundll32.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA cmstp.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA WFS.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA CloudNotifications.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1464 rundll32.exe 1464 rundll32.exe 1464 rundll32.exe 1464 rundll32.exe 3536 Process not Found 3536 Process not Found 3536 Process not Found 3536 Process not Found 3536 Process not Found 3536 Process not Found 3536 Process not Found 3536 Process not Found 3536 Process not Found 3536 Process not Found 3536 Process not Found 3536 Process not Found 3536 Process not Found 3536 Process not Found 3536 Process not Found 3536 Process not Found 3536 Process not Found 3536 Process not Found 3536 Process not Found 3536 Process not Found 3536 Process not Found 3536 Process not Found 3536 Process not Found 3536 Process not Found 3536 Process not Found 3536 Process not Found 3536 Process not Found 3536 Process not Found 3536 Process not Found 3536 Process not Found 3536 Process not Found 3536 Process not Found 3536 Process not Found 3536 Process not Found 3536 Process not Found 3536 Process not Found 3536 Process not Found 3536 Process not Found 3536 Process not Found 3536 Process not Found 3536 Process not Found 3536 Process not Found 3536 Process not Found 3536 Process not Found 3536 Process not Found 3536 Process not Found 3536 Process not Found 3536 Process not Found 3536 Process not Found 3536 Process not Found 3536 Process not Found 3536 Process not Found 3536 Process not Found 3536 Process not Found 3536 Process not Found 3536 Process not Found 3536 Process not Found 3536 Process not Found 3536 Process not Found 3536 Process not Found -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 3536 wrote to memory of 5112 3536 Process not Found 87 PID 3536 wrote to memory of 5112 3536 Process not Found 87 PID 3536 wrote to memory of 3184 3536 Process not Found 88 PID 3536 wrote to memory of 3184 3536 Process not Found 88 PID 3536 wrote to memory of 4596 3536 Process not Found 89 PID 3536 wrote to memory of 4596 3536 Process not Found 89 PID 3536 wrote to memory of 2028 3536 Process not Found 90 PID 3536 wrote to memory of 2028 3536 Process not Found 90 PID 3536 wrote to memory of 2548 3536 Process not Found 91 PID 3536 wrote to memory of 2548 3536 Process not Found 91 PID 3536 wrote to memory of 2144 3536 Process not Found 92 PID 3536 wrote to memory of 2144 3536 Process not Found 92 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\Stealers\Dridex.dll,#11⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1464
-
C:\Windows\system32\cmstp.exeC:\Windows\system32\cmstp.exe1⤵PID:5112
-
C:\Users\Admin\AppData\Local\NNj4rS\cmstp.exeC:\Users\Admin\AppData\Local\NNj4rS\cmstp.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3184
-
C:\Windows\system32\WFS.exeC:\Windows\system32\WFS.exe1⤵PID:4596
-
C:\Users\Admin\AppData\Local\ySwp\WFS.exeC:\Users\Admin\AppData\Local\ySwp\WFS.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2028
-
C:\Windows\system32\CloudNotifications.exeC:\Windows\system32\CloudNotifications.exe1⤵PID:2548
-
C:\Users\Admin\AppData\Local\f8H\CloudNotifications.exeC:\Users\Admin\AppData\Local\f8H\CloudNotifications.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2144
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.2MB
MD584408343ba07da6f98e6b0a18707917b
SHA1800a6144eba3a751f093d345602ba1beef58e3e9
SHA256d76db6d9d99f7a197a7cf700b0045bbedf3f8c44a6f3a214cb40fdd154fe0988
SHA51219536f9c1f2dce0a71bdcc5ae78ff1066fa7bdcad58783e4da65a03a4f3d616912dfd4dac128693dfe393ac6545c44b9d01082ebb468983541e3d19713264639
-
Filesize
96KB
MD54cc43fe4d397ff79fa69f397e016df52
SHA18fd6cf81ad40c9b123cd75611860a8b95c72869c
SHA256f2d3905ee38b2b5c0b724d582f14eb1db7621ffb8f3826df686a20784341614c
SHA512851ef9fa5a03ec8b9fea0094c6e4bfa0b9e71cee3412ee86b2dfc34682aa5fb6455fefe7fc0092b711956d7c880cf8a5761b63ee990aa8e72f3473086ac0f157
-
Filesize
59KB
MD5b50dca49bc77046b6f480db6444c3d06
SHA1cc9b38240b0335b1763badcceac37aa9ce547f9e
SHA25696e7e1a3f0f4f6fc6bda3527ab8a739d6dfcab8e534aa7a02b023daebb3c0775
SHA5122a0504ca336e86b92b2f5eff1c458ebd9df36c496331a7247ef0bb8b82eabd86ade7559ddb47ca4169e8365a97e80e5f1d3c1fc330364dea2450608bd692b1d3
-
Filesize
1.2MB
MD51e694dcb23ac2db0f1513aa6b79c2e5e
SHA1f3e6c3a841782a8d920ce64ecccbe7524f9f68e8
SHA256e7a2310762f16e536522da16bb80cbe15faaec852084d1de2669212557669c05
SHA512e43e744612ffcd8f46ec644527ac431b0f1c439ecf340f574d9cb0cc0132fae73aa75b0dc0777ce204ae6c536a1141adc67584b88f8f260569dfde0d8ae0e407
-
Filesize
944KB
MD53cbc8d0f65e3db6c76c119ed7c2ffd85
SHA1e74f794d86196e3bbb852522479946cceeed7e01
SHA256e23e4182efe7ed61aaf369696e1ce304c3818df33d1663872b6d3c75499d81f4
SHA51226ae5845a804b9eb752078f1ffa80a476648a8a9508b4f7ba56c94acd4198f3ba59c77add4feb7e0420070222af56521ca5f6334f466d5db272c816930513f0a
-
Filesize
1.2MB
MD539974e2f3e0492a98f280abce8e83f99
SHA145dc0ca68133a11cf95b04a3aabb1ab8f64ba375
SHA25674c6fa10e71c3088e7908b394e72ebec57bf3a3ed92ce33303160bf4723e0d89
SHA512bd3ab514871f5d1b716383ac38cce9d63cb01ca03227bbd9e0cd54db145276a299d041eb91dd5446cfb8e283d5dff4a8ee5eb8e134d17531dfd3a3d2991a7144
-
Filesize
1KB
MD583548801a2dd0bc34dac11b3a57de64b
SHA1d5d5802f10598d2af97c09f3542ee7869790574f
SHA256c02634b220084aaa1e2276eb935a3345ab2e2601d4aadbc1a3a081007813df19
SHA512378cc135d2e946b8f502c04c95c30e44072ecef8fd7aa2a373a456f60fd134583d70879217fafee0fe52ba1c13a6f08b9e4acbbc9fb83101742d01ff391f7bea