Overview
overview
10Static
static
10Archive.zip
windows10-1703-x64
1Dropper/Berbew.exe
windows10-1703-x64
10Dropper/Phorphiex.exe
windows10-1703-x64
10out.exe
windows10-1703-x64
3RAT/31.exe
windows10-1703-x64
10RAT/XClient.exe
windows10-1703-x64
10RAT/file.exe
windows10-1703-x64
7Ransomware...-2.exe
windows10-1703-x64
10Ransomware...01.exe
windows10-1703-x64
10Ransomware...lt.exe
windows10-1703-x64
10Stealers/Azorult.exe
windows10-1703-x64
10Stealers/B...on.exe
windows10-1703-x64
10Stealers/Dridex.dll
windows10-1703-x64
10Stealers/M..._2.exe
windows10-1703-x64
10Stealers/lumma.exe
windows10-1703-x64
10Trojan/BetaBot.exe
windows10-1703-x64
10Trojan/Smo...er.exe
windows10-1703-x64
10Resubmissions
12-09-2024 02:23
240912-cvfznswere 1004-09-2024 00:09
240904-afvheascla 1003-09-2024 18:57
240903-xl8csavfrb 1003-09-2024 18:12
240903-ws828asgnm 10Analysis
-
max time kernel
1799s -
max time network
1576s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system -
submitted
04-09-2024 00:09
Behavioral task
behavioral1
Sample
Archive.zip
Resource
win10-20240404-en
Behavioral task
behavioral2
Sample
Dropper/Berbew.exe
Resource
win10-20240404-en
Behavioral task
behavioral3
Sample
Dropper/Phorphiex.exe
Resource
win10-20240611-en
Behavioral task
behavioral4
Sample
out.exe
Resource
win10-20240404-en
Behavioral task
behavioral5
Sample
RAT/31.exe
Resource
win10-20240404-en
Behavioral task
behavioral6
Sample
RAT/XClient.exe
Resource
win10-20240404-en
Behavioral task
behavioral7
Sample
RAT/file.exe
Resource
win10-20240404-en
Behavioral task
behavioral8
Sample
Ransomware/Client-2.exe
Resource
win10-20240611-en
Behavioral task
behavioral9
Sample
Ransomware/criticalupdate01.exe
Resource
win10-20240404-en
Behavioral task
behavioral10
Sample
Ransomware/default.exe
Resource
win10-20240404-en
Behavioral task
behavioral11
Sample
Stealers/Azorult.exe
Resource
win10-20240404-en
Behavioral task
behavioral12
Sample
Stealers/BlackMoon.exe
Resource
win10-20240611-en
Behavioral task
behavioral13
Sample
Stealers/Dridex.dll
Resource
win10-20240404-en
Behavioral task
behavioral14
Sample
Stealers/Masslogger/mouse_2.exe
Resource
win10-20240611-en
Behavioral task
behavioral15
Sample
Stealers/lumma.exe
Resource
win10-20240404-en
Behavioral task
behavioral16
Sample
Trojan/BetaBot.exe
Resource
win10-20240404-en
Behavioral task
behavioral17
Sample
Trojan/SmokeLoader.exe
Resource
win10-20240404-en
General
-
Target
Stealers/Dridex.dll
-
Size
1.2MB
-
MD5
304109f9a5c3726818b4c3668fdb71fd
-
SHA1
2eb804e205d15d314e7f67d503940f69f5dc2ef8
-
SHA256
af26296c75ff26f7ee865df424522d75366ae3e2e80d7d9e89ef8c9398b0836d
-
SHA512
cf01fca33392dc40495f4c39eb1fd240b425018c7088ca9782d883bb135b5dd469a11941d0d680a69e881fa95c4147d70fe567aeba7e98ff6adfd5c0ca1a0e01
-
SSDEEP
24576:ZVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:ZV8hf6STw1ZlQauvzSq01ICe6zvm
Malware Config
Signatures
-
resource yara_rule behavioral13/memory/3408-7-0x0000000000660000-0x0000000000661000-memory.dmp dridex_stager_shellcode -
Executes dropped EXE 4 IoCs
pid Process 3064 sethc.exe 1656 sdclt.exe 3168 mblctr.exe 4336 sethc.exe -
Loads dropped DLL 4 IoCs
pid Process 3064 sethc.exe 1656 sdclt.exe 3168 mblctr.exe 4336 sethc.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\Tfuhhiozesvy = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\QUICKL~1\\USERPI~1\\3oyieI\\sdclt.exe" Process not Found -
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA rundll32.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA sethc.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA sdclt.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA mblctr.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA sethc.exe -
Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
-
Modifies registry class 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance Process not Found Key created \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance Process not Found -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2764 rundll32.exe 2764 rundll32.exe 2764 rundll32.exe 2764 rundll32.exe 3408 Process not Found 3408 Process not Found 3408 Process not Found 3408 Process not Found 3408 Process not Found 3408 Process not Found 3408 Process not Found 3408 Process not Found 3408 Process not Found 3408 Process not Found 3408 Process not Found 3408 Process not Found 3408 Process not Found 3408 Process not Found 3408 Process not Found 3408 Process not Found 3408 Process not Found 3408 Process not Found 3408 Process not Found 3408 Process not Found 3408 Process not Found 3408 Process not Found 3408 Process not Found 3408 Process not Found 3408 Process not Found 3408 Process not Found 3408 Process not Found 3408 Process not Found 3408 Process not Found 3408 Process not Found 3408 Process not Found 3408 Process not Found 3408 Process not Found 3408 Process not Found 3408 Process not Found 3408 Process not Found 3408 Process not Found 3408 Process not Found 3408 Process not Found 3408 Process not Found 3408 Process not Found 3408 Process not Found 3408 Process not Found 3408 Process not Found 3408 Process not Found 3408 Process not Found 3408 Process not Found 3408 Process not Found 3408 Process not Found 3408 Process not Found 3408 Process not Found 3408 Process not Found 3408 Process not Found 3408 Process not Found 3408 Process not Found 3408 Process not Found 3408 Process not Found 3408 Process not Found 3408 Process not Found 3408 Process not Found -
Suspicious use of AdjustPrivilegeToken 12 IoCs
description pid Process Token: SeShutdownPrivilege 3408 Process not Found Token: SeCreatePagefilePrivilege 3408 Process not Found Token: SeShutdownPrivilege 3408 Process not Found Token: SeCreatePagefilePrivilege 3408 Process not Found Token: SeShutdownPrivilege 3408 Process not Found Token: SeCreatePagefilePrivilege 3408 Process not Found Token: SeShutdownPrivilege 3408 Process not Found Token: SeCreatePagefilePrivilege 3408 Process not Found Token: SeShutdownPrivilege 3408 Process not Found Token: SeCreatePagefilePrivilege 3408 Process not Found Token: SeShutdownPrivilege 3408 Process not Found Token: SeCreatePagefilePrivilege 3408 Process not Found -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 3408 wrote to memory of 3596 3408 Process not Found 73 PID 3408 wrote to memory of 3596 3408 Process not Found 73 PID 3408 wrote to memory of 3064 3408 Process not Found 74 PID 3408 wrote to memory of 3064 3408 Process not Found 74 PID 3408 wrote to memory of 4272 3408 Process not Found 75 PID 3408 wrote to memory of 4272 3408 Process not Found 75 PID 3408 wrote to memory of 1656 3408 Process not Found 76 PID 3408 wrote to memory of 1656 3408 Process not Found 76 PID 3408 wrote to memory of 1708 3408 Process not Found 77 PID 3408 wrote to memory of 1708 3408 Process not Found 77 PID 3408 wrote to memory of 3168 3408 Process not Found 78 PID 3408 wrote to memory of 3168 3408 Process not Found 78 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\Stealers\Dridex.dll,#11⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2764
-
C:\Windows\system32\sethc.exeC:\Windows\system32\sethc.exe1⤵PID:3596
-
C:\Users\Admin\AppData\Local\yhlzuLi\sethc.exeC:\Users\Admin\AppData\Local\yhlzuLi\sethc.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3064
-
C:\Windows\system32\sdclt.exeC:\Windows\system32\sdclt.exe1⤵PID:4272
-
C:\Users\Admin\AppData\Local\xbZcn5\sdclt.exeC:\Users\Admin\AppData\Local\xbZcn5\sdclt.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1656
-
C:\Windows\system32\mblctr.exeC:\Windows\system32\mblctr.exe1⤵PID:1708
-
C:\Users\Admin\AppData\Local\LUUECOG\mblctr.exeC:\Users\Admin\AppData\Local\LUUECOG\mblctr.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3168
-
C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\UserData\QZCAQB~1\sethc.exeC:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\UserData\QZCAQB~1\sethc.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4336
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Accessibility Features
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
781KB
MD5b0c3fd37171b242f88f2757ecdc1e9bd
SHA133fb495368f8e28603c5e6bec0fa01c501ef6306
SHA256d6f2cf2dca7c6fca164da85c60f7463b2575c0a5a19c038b025b41fa586d54fc
SHA5127ad8562907a6fbf94ae65f19df63c5ef27e65d34eb20ae52404456b1e52f0d1c1b351a87afb86e96e459063c32666303d0731730a95566ed67aac1fb7ba2e0c4
-
Filesize
1.2MB
MD5d583261d1da3e49fa34d0ed9fc550173
SHA164d55723f6fec895c7e8b50f42a815b125ce0b29
SHA2568577ef50c0dd969617fa313ebd927d6e4ca2faae24fa4516f643328a967c5e6a
SHA51277aceaf9992b40c859c95d6ee6d6b31c06add7a1227f8e2d1fc49245163a8ffdbf347bfdb0cffb400a9550b715cede3941e4c3f0499d0942dc5f7853db5cd0b5
-
Filesize
1.5MB
MD59a7ab32cb68d763ecc9b145774c34986
SHA1f2334bf33794eafd98a735e60865d1a1322d52cb
SHA256c413072fd2cead78c2039c1fe491fc368679481baa3e595c519b12bb1bb89d6d
SHA512506d264cb9814fd723a1e356c3abcd73cbbd04577e4e9460392454a6ae0ec37adeea028c8c28da0958f081658069df27110cea20c3b29f4adcd643564742da1e
-
Filesize
267KB
MD5acf1ee51ad73afb0faba2e10304df15a
SHA103ade95bbe89143d89a0c09c405610921e5046b3
SHA256e0bf9845f79c1b4fa09e334f460b6ef70f418eb46cd61b696dec772c6ff3839d
SHA512a399d58f9ce6b36a5851ef7955509a6c45764e1fa246f93900744f7a288bf3ff3f3513a5c201c4f8c7025daaec62fb0fb62aaf56cb9f6c79ffce203961fd0618
-
Filesize
1KB
MD595ba793dd9538ab2b4a9db2cf3f3d539
SHA114b6a33d88f48986b79ea818e704af156df2ee9e
SHA2568b986810c1e73aa6af3ca8ac2c4962c2627a438bee388659ba1bd34ef1deee69
SHA512d72a301902f6d2aabaea4409021e49245a7c46d8f0724cc2b0927b8c40f6e8db0bdfb54aa8ca532ae88f89568d8d30387d9c2e62e169fe8e02d3c01d189748f2
-
Filesize
1.2MB
MD5a36a15625a208db1cb3a59d73dcc8b1a
SHA1982af11df0df2a78d76fb97adc1bc7601a24992d
SHA256e874d354b3ae160d4959c3e82073eabdb805e7cf36cb62f9403710972c5b7196
SHA512bb8514d6ab19d7caf4f5ca070e7d0157513f6f20e5b34183c105bc9d56bf06ebb623004177d2c5d53c57e37fabd2b489eab25e2c4224032df984fa22fc6748df
-
Filesize
1.2MB
MD56ef0f045f0a0ce5744f81066d1e340fd
SHA1d9771aecde174376b7030258ecd764b5f5a420ff
SHA2560b7411a7070eb2c77207a65b6c04232f2c2e6547155f61a4d8198766a37ba0d8
SHA512c21299e6bd26c3765876d6fc5c9e4a1d2c4bc8ae97ac79d4015e0a85bf0c295fd88f74ba3e0d1a726d47e06f1e4c5672fcda8c90d39c4982a9b2dbc41c9de76e