Analysis
max time kernel: 149s
max time network: 121s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system
submitted: 14-10-2024 19:34

Static task: static1

Behavioral task: behavioral1
Sample: 6dbd1df5459b17bb2c9fdb7849e4294657404971ac6495660b29464e4a69e176.dll
Resource: win7-20240708-en

Behavioral task: behavioral2
Sample: 6dbd1df5459b17bb2c9fdb7849e4294657404971ac6495660b29464e4a69e176.dll
Resource: win10v2004-20241007-en

General
Target: 6dbd1df5459b17bb2c9fdb7849e4294657404971ac6495660b29464e4a69e176.dll
Size: 724KB
MD5: 6a6345e39d25621d971721a635aa86e5
SHA1: 36c3b301d60b34ebe4b206e1660d496f991a9a1d
SHA256: 6dbd1df5459b17bb2c9fdb7849e4294657404971ac6495660b29464e4a69e176
SHA512: 1b7cfcb8d052928407cc38126c7001140ed77f07c2162ef79128fef40bc3aea42b38ede6412b9c60e361a6a29cabdcc43d38cdbd83b5191d63d0296f3dde22ee
SSDEEP: 12288:JqJ4FzHTx8cOjEIonNgQLtXKFg2t/KRi4Baed:JqGBHTxvt+g2gYed
Malware Config
Signatures
-
YARA: dridex_stager_shellcode 1 IoCs
resource  yara_rule
behavioral1/memory/1260-4-0x00000000031F0000-0x00000000031F1000-memory.dmp  dridex_stager_shellcode

YARA: dridex_payload 10 IoCs
resource  yara_rule
behavioral1/memory/1892-0-0x0000000140000000-0x00000001400B5000-memory.dmp  dridex_payload
behavioral1/memory/1260-24-0x0000000140000000-0x00000001400B5000-memory.dmp  dridex_payload
behavioral1/memory/1260-35-0x0000000140000000-0x00000001400B5000-memory.dmp  dridex_payload
behavioral1/memory/1260-36-0x0000000140000000-0x00000001400B5000-memory.dmp  dridex_payload
behavioral1/memory/1892-44-0x0000000140000000-0x00000001400B5000-memory.dmp  dridex_payload
behavioral1/memory/1644-54-0x0000000140000000-0x00000001400B6000-memory.dmp  dridex_payload
behavioral1/memory/1644-58-0x0000000140000000-0x00000001400B6000-memory.dmp  dridex_payload
behavioral1/memory/2216-71-0x0000000140000000-0x00000001400B7000-memory.dmp  dridex_payload
behavioral1/memory/2216-75-0x0000000140000000-0x00000001400B7000-memory.dmp  dridex_payload
behavioral1/memory/2268-91-0x0000000140000000-0x00000001400B6000-memory.dmp  dridex_payload
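The memory-dump names in the YARA hits above encode the pid, the base address and the end address of every region that matched, so the report can be cross-checked against itself: every dridex_payload region sits at the same base, and its size in KiB equals one of the file sizes the report lists (724KB for the submitted DLL, 728KB and 732KB among the downloads). The Python below is an added example, not part of the sandbox report or its tooling; the hit lines are copied from this page, the regular expression is my assumption about their format, and the file-size list is taken from the Downloads section further down.

```python
import re
from collections import defaultdict

# YARA memory-dump hits copied verbatim from the report's behavioral1 run.
YARA_HITS = """
behavioral1/memory/1260-4-0x00000000031F0000-0x00000000031F1000-memory.dmp dridex_stager_shellcode
behavioral1/memory/1892-0-0x0000000140000000-0x00000001400B5000-memory.dmp dridex_payload
behavioral1/memory/1260-24-0x0000000140000000-0x00000001400B5000-memory.dmp dridex_payload
behavioral1/memory/1260-35-0x0000000140000000-0x00000001400B5000-memory.dmp dridex_payload
behavioral1/memory/1260-36-0x0000000140000000-0x00000001400B5000-memory.dmp dridex_payload
behavioral1/memory/1892-44-0x0000000140000000-0x00000001400B5000-memory.dmp dridex_payload
behavioral1/memory/1644-54-0x0000000140000000-0x00000001400B6000-memory.dmp dridex_payload
behavioral1/memory/1644-58-0x0000000140000000-0x00000001400B6000-memory.dmp dridex_payload
behavioral1/memory/2216-71-0x0000000140000000-0x00000001400B7000-memory.dmp dridex_payload
behavioral1/memory/2216-75-0x0000000140000000-0x00000001400B7000-memory.dmp dridex_payload
behavioral1/memory/2268-91-0x0000000140000000-0x00000001400B6000-memory.dmp dridex_payload
"""

# File sizes the report lists: the submitted DLL and the seven downloads.
SAMPLE_SIZE_KB = 724
DROPPED_SIZES_KB = [732, 728, 728, 1, 15, 192, 80]

# Assumed format of a hit line: behavioralN/memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp <rule>
HIT_RE = re.compile(
    r"^behavioral\d+/memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp\s+(?P<rule>\S+)$"
)


def parse_hits(text):
    """Turn the hit lines into dicts with integer pid, base, end, size and the rule name."""
    hits = []
    for line in text.strip().splitlines():
        m = HIT_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised hit line: {line!r}")
        start, end = int(m["start"], 16), int(m["end"], 16)
        hits.append({"pid": int(m["pid"]), "seq": int(m["seq"]), "start": start,
                     "end": end, "size": end - start, "rule": m["rule"]})
    return hits


def region_kb(hit):
    return hit["size"] // 1024


def payload_regions_by_pid(hits, rule="dridex_payload"):
    """pid -> sorted list of distinct (base, size_kb) regions that matched `rule`."""
    out = defaultdict(set)
    for h in hits:
        if h["rule"] == rule:
            out[h["pid"]].add((h["start"], region_kb(h)))
    return {pid: sorted(v) for pid, v in out.items()}


def shared_base(regions):
    """The single base address all regions share, or None if they differ."""
    bases = {base for v in regions.values() for base, _ in v}
    return bases.pop() if len(bases) == 1 else None


def sizes_matching_files(hits, rule="dridex_payload"):
    """Split the distinct region sizes into those that equal a listed file size and those that do not."""
    known = {SAMPLE_SIZE_KB, *DROPPED_SIZES_KB}
    seen = {region_kb(h) for h in hits if h["rule"] == rule}
    return sorted(seen & known), sorted(seen - known)


if __name__ == "__main__":
    hits = parse_hits(YARA_HITS)
    regions = payload_regions_by_pid(hits)
    for pid, regs in sorted(regions.items()):
        print(pid, [(hex(b), f"{kb}KB") for b, kb in regs])
    print("shared base:", hex(shared_base(regions)))
    print("sizes matching listed files / unmatched:", sizes_matching_files(hits))
```

The stager hit is a single 4 KiB page in pid 1260; the payload regions are 724, 728 and 732 KiB, one size per process, which lines up with the submitted DLL and the two distinct sizes among the three large downloads. This does not identify which download landed in which directory, only that the report's sizes are consistent.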
Executes dropped EXE 3 IoCs
pid   Process
1644  irftp.exe
2216  tcmsetup.exe
2268  SystemPropertiesProtection.exe
Loads dropped DLL 7 IoCs
pid   Process
1260  Process not Found
1644  irftp.exe
1260  Process not Found
2216  tcmsetup.exe
1260  Process not Found
2268  SystemPropertiesProtection.exe
1260  Process not Found
Adds Run key to start application 2 TTPs 1 IoCs
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mcbsdqtxprcnbm = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\MAINTE~1\\BAXHR1~1\\tcmsetup.exe"
Process: Process not Found
Note that the value is stored with 8.3 short names (MICROS~1, STARTM~1, MAINTE~1, BAXHR1~1); a detection that matches on the long-form path will miss it unless the path is normalised first.
Checks whether UAC is enabled 4 IoCs
description        ioc                                                                                 Process
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  SystemPropertiesProtection.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  irftp.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  tcmsetup.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid   Process            occurrences
1892  rundll32.exe       3
1260  Process not Found  61
Suspicious use of WriteProcessMemory 18 IoCs
description                       pid   Process            procid_target
PID 1260 wrote to memory of 2576  1260  Process not Found  30  (listed 3 times)
PID 1260 wrote to memory of 1644  1260  Process not Found  31  (listed 3 times)
PID 1260 wrote to memory of 840   1260  Process not Found  32  (listed 3 times)
PID 1260 wrote to memory of 2216  1260  Process not Found  33  (listed 3 times)
PID 1260 wrote to memory of 2864  1260  Process not Found  35  (listed 3 times)
PID 1260 wrote to memory of 2268  1260  Process not Found  36  (listed 3 times)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\6dbd1df5459b17bb2c9fdb7849e4294657404971ac6495660b29464e4a69e176.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID:1892

C:\Windows\system32\irftp.exe
  C:\Windows\system32\irftp.exe
  PID:2576

C:\Users\Admin\AppData\Local\7ezR\irftp.exe
  C:\Users\Admin\AppData\Local\7ezR\irftp.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID:1644

C:\Windows\system32\tcmsetup.exe
  C:\Windows\system32\tcmsetup.exe
  PID:840

C:\Users\Admin\AppData\Local\44KoeDto\tcmsetup.exe
  C:\Users\Admin\AppData\Local\44KoeDto\tcmsetup.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID:2216

C:\Windows\system32\SystemPropertiesProtection.exe
  C:\Windows\system32\SystemPropertiesProtection.exe
  PID:2864

C:\Users\Admin\AppData\Local\lrUSS9Ss\SystemPropertiesProtection.exe
  C:\Users\Admin\AppData\Local\lrUSS9Ss\SystemPropertiesProtection.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID:2268

All seven launches appear at the top level of the tree; the sandbox shows no parent for them, and pid 1260, which the report can only name "Process not Found", wrote into each of the six irftp/tcmsetup/SystemPropertiesProtection instances. Each of those Windows binaries is started once from its genuine system32 location and then again from a copy in a randomly named directory under AppData\Local, and only the copy is the one that loads a dropped DLL.
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 732KB
MD5: be2a069dc6c22df2ab37e000c5ad2f10
SHA1: bcda592b28f32476ea87e23c396eab39a6cf3415
SHA256: 6ec8e9b11c719c660fd8a8c46ed422abfd7280fcc8c50a787aa3938762101558
SHA512: 57ba5fc4ac650ab65eb5b487e00e1a091832d69079eb9ebbe68e1b8223554bce3d126c6a0abf2d6cc1129c2399d7e0937d6eb448b098aad0b78a2737f605f1b5

Filesize: 728KB
MD5: d2c235c2d8589e7fb33a2bc4d66f2f95
SHA1: 18822bf0e016841621c2b2880a417d279173bc61
SHA256: ec907b62fae2174ded7ec7b2581182fa98c453becb5dd89a2b56acced8ae78cd
SHA512: 1383143269a047f5d846a459a59bcd0c9fa8ca2ecbe620b6d5bbda0839bcc7d4adb2f4f04aa34f34c1fafb4e0609396d14b9b414dffb83306926a98fcd2c20ee

Filesize: 728KB
MD5: a24b6da79639ec25315573d5b98804a0
SHA1: a393f09ea8eee4dc13ab7ca8df8c862897b99c4c
SHA256: a0919302126e718abae04f9989282e9ce64c523274a62b00e0a98343f0d02400
SHA512: a6c3a91e986b6aecd06f3e7e300fb8bba615031fc395bc90943357f83fd43cee22c392ac18f51d3c98c513a1a4aa8109d81e6bc3a7110dfa8c0ea5cc7be4c3e5

Filesize: 1KB
MD5: 6982b0f15433d6bd30ee28949e0ede35
SHA1: d0bcbe67cb315c42bf200da507451893c3a526eb
SHA256: 7695b114b9daeb6b4e2a24ccae64ced5c6337dc14917f5eafc048549288c9adf
SHA512: 6a57bb75cc235226a0f7efa7dd5dfa85c354c53c5d9cddcbdb8b7a18252afb47c8b9f2b893afe81ed17215f6e7d59eb135756ecf10fe409c693fe4b8fb98088b

Filesize: 15KB
MD5: 0b08315da0da7f9f472fbab510bfe7b8
SHA1: 33ba48fd980216becc532466a5ff8476bec0b31c
SHA256: e19556bb7aa39bbd5f0d568a95aec0b3af18dda438cc5737f945243b24d106e7
SHA512: c30501546efe2b0c003ef87ac381e901c69ddfc6791c6a5102cff3a07f56555d94995a4413b93036821aa214fc31501fa87eb519e1890ef75b2ec497983ffd58

Filesize: 192KB
MD5: 0cae1fb725c56d260bfd6feba7ae9a75
SHA1: 102ac676a1de3ec3d56401f8efd518c31c8b0b80
SHA256: 312f4107ff37dc988d99c5f56178708bb74a3906740cff4e337c0dde8f1e151d
SHA512: db969064577c4158d6bf925354319766b0d0373ddefb03dbfc9a9d2cadf8ddcd50a7f99b7ddf2ffad5e7fdbb6f02090b5b678bdf792d265054bff3b56ee0b8ec

Filesize: 80KB
MD5: 05138d8f952d3fff1362f7c50158bc38
SHA1: 780bc59fcddf06a7494d09771b8340acffdcc720
SHA256: 753a43d8aa74341d06582bd6b3784dc5f8c6f46174c2a306cf284de238a9c6bd
SHA512: 27fa8c0af3d01f0816852d04693087f3c25d1307d8857a7ea75b0bb3e0ac927d262f5ac5a335afee150142fa3187354d33ebbcf6c3cd5cc33cb4e6cd00c50255