Overview

Static
  Score: 10 (Triage scores run from 1 to 10)

Behavioral tasks (sample, platform, score)
  Archive.zip              windows10-1703-x64   10
  Dropper/Berbew.exe       windows10-1703-x64    1
  Dropper/Phorphiex.exe    windows10-1703-x64   10
  out.exe                  windows10-1703-x64   10
  RAT/31.exe               windows10-1703-x64    3
  RAT/XClient.exe          windows10-1703-x64   10
  RAT/file.exe             windows10-1703-x64   10
  Ransomware...-2.exe      windows10-1703-x64    7
  Ransomware...01.exe      windows10-1703-x64   10
  Ransomware...lt.exe      windows10-1703-x64   10
  Stealers/Azorult.exe     windows10-1703-x64   10
  Stealers/B...on.exe      windows10-1703-x64   10
  Stealers/Dridex.dll      windows10-1703-x64   10
  Stealers/M..._2.exe      windows10-1703-x64   10
  Stealers/lumma.exe       windows10-1703-x64   10
  Trojan/BetaBot.exe       windows10-1703-x64   10
  Trojan/Smo...er.exe      windows10-1703-x64   10
Resubmissions (submitted, task ID, score)
  03-09-2024 14:02   240903-rb57sazdqf   10
  03-09-2024 13:51   240903-q59avszclf   10
  02-09-2024 19:51   240902-yk8gtsxbpd   10
  02-09-2024 02:27   240902-cxh7tazflg   10
  02-09-2024 02:26   240902-cwxc2sygll   10
  21-06-2024 19:37   240621-yca7cszgnd   10
  09-06-2024 17:07   240609-vm7rjadd73   10
  13-05-2024 17:36   240513-v6qblafe3y   10
  12-05-2024 17:17   240512-vty3zafh5s   10

Analysis
  max time kernel     149s
  max time network    144s
  platform            windows10-1703_x64
  resource            win10-20240404-en
  resource tags       arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
  submitted           02-09-2024 02:27 (this report is the 240902-cxh7tazflg submission from the list above)
Behavioral tasks (task, sample, resource)
  behavioral1    Archive.zip                          win10-20240404-en
  behavioral2    Dropper/Berbew.exe                   win10-20240404-en
  behavioral3    Dropper/Phorphiex.exe                win10-20240404-en
  behavioral4    out.exe                              win10-20240611-en
  behavioral5    RAT/31.exe                           win10-20240404-en
  behavioral6    RAT/XClient.exe                      win10-20240404-en
  behavioral7    RAT/file.exe                         win10-20240404-en
  behavioral8    Ransomware/Client-2.exe              win10-20240404-en
  behavioral9    Ransomware/criticalupdate01.exe      win10-20240404-en
  behavioral10   Ransomware/default.exe               win10-20240404-en
  behavioral11   Stealers/Azorult.exe                 win10-20240404-en
  behavioral12   Stealers/BlackMoon.exe               win10-20240404-en
  behavioral13   Stealers/Dridex.dll                  win10-20240404-en   (the task detailed below)
  behavioral14   Stealers/Masslogger/mouse_2.exe      win10-20240611-en
  behavioral15   Stealers/lumma.exe                   win10-20240404-en
  behavioral16   Trojan/BetaBot.exe                   win10-20240404-en
  behavioral17   Trojan/SmokeLoader.exe               win10-20240404-en
General
  Target    Stealers/Dridex.dll
  Size      1.2MB
  MD5       304109f9a5c3726818b4c3668fdb71fd
  SHA1      2eb804e205d15d314e7f67d503940f69f5dc2ef8
  SHA256    af26296c75ff26f7ee865df424522d75366ae3e2e80d7d9e89ef8c9398b0836d
  SHA512    cf01fca33392dc40495f4c39eb1fd240b425018c7088ca9782d883bb135b5dd469a11941d0d680a69e881fa95c4147d70fe567aeba7e98ff6adfd5c0ca1a0e01
  SSDEEP    24576:ZVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:ZV8hf6STw1ZlQauvzSq01ICe6zvm
Malware Config
  (no configuration extracted)

Signatures

  dridex_stager_shellcode (YARA rule match)
    resource   behavioral13/memory/3392-7-0x0000000000CE0000-0x0000000000CE1000-memory.dmp
    The match is a single 4 KiB page dumped from PID 3392, the process that drives everything else below.

  Executes dropped EXE  (3 IoCs)
    PID 2620   WMPDMC.exe
    PID 3488   FXSCOVER.exe
    PID 5088   dialer.exe

  Loads dropped DLL  (3 IoCs)
    PID 2620   WMPDMC.exe
    PID 3488   FXSCOVER.exe
    PID 5088   dialer.exe

  Adds Run key to start application  (2 TTPs, 1 IoC)
    Set value (str)   \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rkdrqy = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\FbZX4c3N\\FXSCOVER.exe"
    Process           Process not Found
    The value data is written with 8.3 short names; on a default profile MICROS~1 and STARTM~1 are the Microsoft\Windows\Start Menu path, so the autostart target is a copy of FXSCOVER.exe in a folder named FbZX4c3N under the user's roaming Start Menu, not the one in System32.

  Checks whether UAC is enabled  (4 IoCs)
    Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   rundll32.exe
    Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   WMPDMC.exe
    Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   FXSCOVER.exe
    Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   dialer.exe

  Suspicious behavior: EnumeratesProcesses  (64 IoCs)
    PID 2464   rundll32.exe          4 entries
    PID 3392   Process not Found     all remaining entries

  Suspicious use of WriteProcessMemory  (12 IoCs)
    PID 3392 (Process not Found) wrote to memory of, in order, PID 196 (target 73), 2620 (target 74), 4084 (target 75), 3488 (target 76), 1468 (target 77) and 5088 (target 78); every target is recorded twice.

  Uses Task Scheduler COM API  (1 TTP)
    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  Reading note: "Process not Found" means the sandbox could not map PID 3392 to an image name at the time the event was logged. The same PID holds the stager-shellcode YARA hit, enumerates processes sixty times and writes into all six processes that appear after rundll32.exe in the process list, so it is the process actually running the loader once rundll32.exe (PID 2464) has handed off; rundll32.exe itself only checks EnableLUA and enumerates processes.
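The two relations worth pulling out of the signature text above are which PID writes into which, and whether the Run-key value points at a user-writable copy of a Windows binary. The helper below is an added example, not part of the Triage report or of the Dridex sample; the two inputs are copied from the report's IoC lines, while the function names, the "three or more targets" threshold and the list of Windows binary names are my own choices.

```python
"""Triage helpers for the signature section of a sandbox report.

Added example, not part of the Triage report or the Dridex sample. The two
sample inputs are copied from the report above; the helper names and the
thresholds are my own choices.
"""
import re
from collections import defaultdict

# Copied from the "Suspicious use of WriteProcessMemory" IoC line above.
WPM_IOCS = (
    "PID 3392 wrote to memory of 196 3392 Process not Found 73 "
    "PID 3392 wrote to memory of 196 3392 Process not Found 73 "
    "PID 3392 wrote to memory of 2620 3392 Process not Found 74 "
    "PID 3392 wrote to memory of 2620 3392 Process not Found 74 "
    "PID 3392 wrote to memory of 4084 3392 Process not Found 75 "
    "PID 3392 wrote to memory of 4084 3392 Process not Found 75 "
    "PID 3392 wrote to memory of 3488 3392 Process not Found 76 "
    "PID 3392 wrote to memory of 3488 3392 Process not Found 76 "
    "PID 3392 wrote to memory of 1468 3392 Process not Found 77 "
    "PID 3392 wrote to memory of 1468 3392 Process not Found 77 "
    "PID 3392 wrote to memory of 5088 3392 Process not Found 78 "
    "PID 3392 wrote to memory of 5088 3392 Process not Found 78"
)

_WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")


def injection_graph(text):
    """Map each writer PID to the set of PIDs it wrote into (duplicates collapse)."""
    graph = defaultdict(set)
    for src, dst in _WPM_RE.findall(text):
        graph[int(src)].add(int(dst))
    return dict(graph)


def injection_hubs(graph, min_targets=3):
    """Writer PIDs that touched at least min_targets other processes.

    One process writing into every process it spawns is the shape of a loader
    seeding code into fresh hosts; a debugger or crash handler normally
    touches one target at a time.
    """
    return sorted(pid for pid, targets in graph.items()
                  if len(targets - {pid}) >= min_targets)


# Copied from the "Adds Run key" IoC above: (value name, value data).
RUN_VALUE = ("Rkdrqy",
             r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\FbZX4c3N\FXSCOVER.exe")

# Windows binaries this report shows being re-launched from copies (my list; extend as needed).
WINDOWS_BINARY_NAMES = {"wmpdmc.exe", "fxscover.exe", "dialer.exe"}


def assess_run_value(name, data):
    """Reasons a Run-key value deserves a look; an empty list means nothing stood out.

    These are string heuristics on the registry data alone. Confirming a hit
    still means pulling the file, checking its signature and listing the DLLs
    next to it.
    """
    path = data.strip('"').lower()
    reasons = []
    if "\\users\\" in path and "\\appdata\\" in path:
        reasons.append("autostart target lives under a user profile (AppData), a writable location")
    if re.search(r"~\d", path):
        reasons.append("8.3 short names (MICROS~1, STARTM~1) in the path obscure the real folder")
    base = path.rsplit("\\", 1)[-1]
    if base in WINDOWS_BINARY_NAMES and not path.startswith("c:\\windows\\"):
        reasons.append(f"{base} is a Windows binary name but runs from outside C:\\Windows")
    return reasons


if __name__ == "__main__":
    g = injection_graph(WPM_IOCS)
    print("injection hubs:", injection_hubs(g), "targets of 3392:", sorted(g[3392]))
    for reason in assess_run_value(*RUN_VALUE):
        print("run key:", reason)
```

On the report's data the graph has a single writer, PID 3392, with six distinct targets, and the Run-key value trips all three heuristics. The same two functions apply unchanged to any Triage signature block pasted in as text.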
Processes (all at tree depth 1; "#1" is the export ordinal passed to rundll32.exe)

  PID 2464   C:\Windows\system32\rundll32.exe
             rundll32.exe C:\Users\Admin\AppData\Local\Temp\Stealers\Dridex.dll,#1
             - Checks whether UAC is enabled
             - Suspicious behavior: EnumeratesProcesses

  PID 196    C:\Windows\system32\WMPDMC.exe
             C:\Windows\system32\WMPDMC.exe

  PID 2620   C:\Users\Admin\AppData\Local\2CnLaz\WMPDMC.exe
             C:\Users\Admin\AppData\Local\2CnLaz\WMPDMC.exe
             - Executes dropped EXE
             - Loads dropped DLL
             - Checks whether UAC is enabled

  PID 4084   C:\Windows\system32\FXSCOVER.exe
             C:\Windows\system32\FXSCOVER.exe

  PID 3488   C:\Users\Admin\AppData\Local\BvRNb\FXSCOVER.exe
             C:\Users\Admin\AppData\Local\BvRNb\FXSCOVER.exe
             - Executes dropped EXE
             - Loads dropped DLL
             - Checks whether UAC is enabled

  PID 1468   C:\Windows\system32\dialer.exe
             C:\Windows\system32\dialer.exe

  PID 5088   C:\Users\Admin\AppData\Local\j5DC\dialer.exe
             C:\Users\Admin\AppData\Local\j5DC\dialer.exe
             - Executes dropped EXE
             - Loads dropped DLL
             - Checks whether UAC is enabled

  Reading note: each of the three Windows binaries (WMPDMC.exe, FXSCOVER.exe, dialer.exe) is launched once from System32 and then again from a freshly created, random-looking folder under %LOCALAPPDATA%, and only the copies are flagged as executing a dropped EXE and loading a dropped DLL. That pairing is consistent with DLL side-loading: a signed Windows binary is copied next to an attacker-supplied DLL carrying a name the binary imports, so the copy loads the planted DLL. The report does not name the planted DLLs; the hashes under Downloads are the candidates to pull.
Network
  (not captured in this copy of the report)

MITRE ATT&CK Enterprise v15
  (not captured in this copy of the report)
Downloads (seven dropped files; the report gives sizes and hashes but no file names or paths)

- Filesize  1.2MB
  MD5       12be28c65ee592bdfa3a1f7b5777cf13
  SHA1      9d1074200aa6c4d149efd35fbc16f94509a2c9e0
  SHA256    2d22fe076b1feedb7caab017492e93014cb07fd04ca56b3151a6378580959fee
  SHA512    ed598602ed71334e01f41f7d0b4665243606e2761df7d336e3858033c39a112ee0b81eb318e258a53630afe80095812f0d7e5d843922772d149adae804468fde

- Filesize  1.4MB
  MD5       0632f00532261c963595b8cbb5e8ebe6
  SHA1      545792bc47d20f561770406b37c0e999a1d84fe1
  SHA256    2d1e7220672aba2d404b6ae2e2f44b80d2fbc1ff73a4fb27b3a3b11f1b06dfbb
  SHA512    6a8df7d6057d8da7fb28ad0a573f39cc990c21e138c28150661fdb74f6fd9778b3abb16bfc4d20489ce168fec7503c84397fdf6c2f1b88f8ca9c2d193fdca472

- Filesize  232KB
  MD5       fd8a15f70619a553acd265264c3e435d
  SHA1      394f6a1db57b502eb5196d9276d1c00afc791663
  SHA256    b9eec80e92a71b7405db190ac0d1fc177ba3d1f97411c43328a340d30a9d71a4
  SHA512    af30027401e97a69aa57847c00c73ccafd4113e58349efd9addf5e7c3a5809f5ff35430d181844c5acd0abba947ff9acb450ff3e0383ef7c187bd9b7808a8799

- Filesize  1.3MB
  MD5       167108bed79f586ec3440d343f3ebef1
  SHA1      302f3613f6b0ffd7ee065fabd21e6b03bbf0a95a
  SHA256    8c149f9bc1f35620013c24d9ddd2167b5957d651e13d92509e3a7d3f5cb10cc1
  SHA512    45c638488fe86aa33fb7d3744604e28bbf93cd37406cd7628b9dedbebcc67d6ab4d47db212eb9d80e3cba801ae21dd4ef9a1855237abed14747bc643929e54a4

- Filesize  1.2MB
  MD5       4f648eae76417101db64aa65be59c281
  SHA1      896de17e676cd16da7a7e316a26c6e68f0b90fde
  SHA256    b3a35fe3dfa59ea5c98cfd22a43dbcd15300eebb264ce7649bb0e436e88e8132
  SHA512    6767067d616769ee113f963a65e0e25afa5104e0b6ac48d2c2858f85626744bada4fab6dfdc3c8737fb8712fc0a4177641c0cfe467717022c3d8685e1b386d3c

- Filesize  36KB
  MD5       e75f0a3bfcdb235c0c18d4774cdc93ef
  SHA1      61051b9c38ec222dd35c3ceea706397e87d0f45a
  SHA256    d4daee1f259b1071d380556ea220eec06fdfc7ad3acd18cc0509813f48e869ce
  SHA512    4a7dd330e37483ecbfca9020fb7be08ee1f9e16d325358db57334aa78caff6be2e8fdbd538cc44da036f08755e269abaefa72f7cafb8ade4b1e44f36ea79d964

- Filesize  1KB
  MD5       5010e1571244631d75fbbc9b68c1d576
  SHA1      69213767fdf20c77be700d4f8c8c186b979ce004
  SHA256    2fc82465709151b99e9c3215dba44d15963b39f0652c8c544dc67a7ed9b3f71e
  SHA512    cfab809402bd34a06bf4b9b99b0dfba5fb23a765a908b63f7d06ce8631c6e1bc20b85cb1787b2187f96b8a9be1b84faa4dc07c51f8399c9090d206c11a2266e0