Resubmissions
- 12-09-2024 02:23, task 240912-cvfznswere, score 10
- 04-09-2024 00:09, task 240904-afvheascla, score 10
- 03-09-2024 18:57, task 240903-xl8csavfrb, score 10
- 03-09-2024 18:12, task 240903-ws828asgnm, score 10
Analysis
- max time kernel: 149s
- max time network: 128s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 03-09-2024 18:12
Behavioral tasks (task: sample, resource)
- behavioral1: Dropper/Berbew.exe, win7-20240903-en
- behavioral2: Dropper/Berbew.exe, win10v2004-20240802-en
- behavioral3: Dropper/Phorphiex.exe, win7-20240903-en
- behavioral4: Dropper/Phorphiex.exe, win10v2004-20240802-en
- behavioral5: RAT/31.exe, win7-20240903-en
- behavioral6: RAT/31.exe, win10v2004-20240802-en
- behavioral7: RAT/XClient.exe, win7-20240903-en
- behavioral8: RAT/XClient.exe, win10v2004-20240802-en
- behavioral9: RAT/file.exe, win7-20240903-en
- behavioral10: RAT/file.exe, win10v2004-20240802-en
- behavioral11: Ransomware/Client-2.exe, win7-20240903-en
- behavioral12: Ransomware/Client-2.exe, win10v2004-20240802-en
- behavioral13: Ransomware/criticalupdate01.exe, win7-20240903-en
- behavioral14: Ransomware/criticalupdate01.exe, win10v2004-20240802-en
- behavioral15: Ransomware/default.exe, win7-20240903-en
- behavioral16: Ransomware/default.exe, win10v2004-20240802-en
- behavioral17: Stealers/Azorult.exe, win7-20240903-en
- behavioral18: Stealers/Azorult.exe, win10v2004-20240802-en
- behavioral19: Stealers/BlackMoon.exe, win7-20240729-en
- behavioral20: Stealers/BlackMoon.exe, win10v2004-20240802-en
- behavioral21: Stealers/Dridex.dll, win7-20240903-en
- behavioral22: Stealers/Dridex.dll, win10v2004-20240802-en
- behavioral23: Stealers/Masslogger/mouse_2.exe, win7-20240903-en
- behavioral24: Stealers/Masslogger/mouse_2.exe, win10v2004-20240802-en
- behavioral25: Stealers/lumma.exe, win7-20240704-en
- behavioral26: Stealers/lumma.exe, win10v2004-20240802-en
- behavioral27: Trojan/BetaBot.exe, win7-20240903-en
- behavioral28: Trojan/BetaBot.exe, win10v2004-20240802-en
- behavioral29: Trojan/SmokeLoader.exe, win7-20240903-en
- behavioral30: Trojan/SmokeLoader.exe, win10v2004-20240802-en
General
- Target: Stealers/Dridex.dll
- Size: 1.2MB
- MD5: 304109f9a5c3726818b4c3668fdb71fd
- SHA1: 2eb804e205d15d314e7f67d503940f69f5dc2ef8
- SHA256: af26296c75ff26f7ee865df424522d75366ae3e2e80d7d9e89ef8c9398b0836d
- SHA512: cf01fca33392dc40495f4c39eb1fd240b425018c7088ca9782d883bb135b5dd469a11941d0d680a69e881fa95c4147d70fe567aeba7e98ff6adfd5c0ca1a0e01
- SSDEEP: 24576:ZVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:ZV8hf6STw1ZlQauvzSq01ICe6zvm
Malware Config
Signatures
- YARA rule match: resource behavioral21/memory/1160-5-0x0000000002D10000-0x0000000002D11000-memory.dmp matched rule dridex_stager_shellcode
Executes dropped EXE (3 IoCs)
- PID 3036: BitLockerWizard.exe
- PID 1600: irftp.exe
- PID 2896: SystemPropertiesProtection.exe
Loads dropped DLL (7 IoCs)
- PID 1160: Process not Found
- PID 3036: BitLockerWizard.exe
- PID 1160: Process not Found
- PID 1600: irftp.exe
- PID 1160: Process not Found
- PID 2896: SystemPropertiesProtection.exe
- PID 1160: Process not Found
Adds Run key to start application (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rcoehfpd = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\IOuP0fc2IGv\\irftp.exe" (process: Process not Found)
Checks whether UAC is enabled (4 IoCs)
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: rundll32.exe)
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: BitLockerWizard.exe)
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: irftp.exe)
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: SystemPropertiesProtection.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
- PID 2196: rundll32.exe (3 entries)
- PID 1160: Process not Found (the remaining 61 entries)
Suspicious use of WriteProcessMemory (18 IoCs)
PID 1160 (Process not Found) wrote to the memory of each of the following target processes, three entries per target:
- PID 1652 (procid_target 30)
- PID 3036 (procid_target 31)
- PID 336 (procid_target 32)
- PID 1600 (procid_target 33)
- PID 2940 (procid_target 34)
- PID 2896 (procid_target 35)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\Stealers\Dridex.dll,#1
  Signatures: Checks whether UAC is enabled; Suspicious behavior: EnumeratesProcesses
  PID: 2196
- C:\Windows\system32\BitLockerWizard.exe
  Command line: C:\Windows\system32\BitLockerWizard.exe
  PID: 1652
- C:\Users\Admin\AppData\Local\BigD\BitLockerWizard.exe
  Command line: C:\Users\Admin\AppData\Local\BigD\BitLockerWizard.exe
  Signatures: Executes dropped EXE; Loads dropped DLL; Checks whether UAC is enabled
  PID: 3036
- C:\Windows\system32\irftp.exe
  Command line: C:\Windows\system32\irftp.exe
  PID: 336
- C:\Users\Admin\AppData\Local\fjTMt\irftp.exe
  Command line: C:\Users\Admin\AppData\Local\fjTMt\irftp.exe
  Signatures: Executes dropped EXE; Loads dropped DLL; Checks whether UAC is enabled
  PID: 1600
- C:\Windows\system32\SystemPropertiesProtection.exe
  Command line: C:\Windows\system32\SystemPropertiesProtection.exe
  PID: 2940
- C:\Users\Admin\AppData\Local\tGET\SystemPropertiesProtection.exe
  Command line: C:\Users\Admin\AppData\Local\tGET\SystemPropertiesProtection.exe
  Signatures: Executes dropped EXE; Loads dropped DLL; Checks whether UAC is enabled
  PID: 2896
Network
MITRE ATT&CK Enterprise v15
Downloads