Analysis
-
max time kernel
150s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
14-11-2024 17:04
Static task
static1
Behavioral task
behavioral1
Sample
60f896e781ccfa1f164aa659dfb8058697f6e0c5edd4afe0302b8d39476ffb4b.dll
Resource
win7-20241010-en
General
-
Target
60f896e781ccfa1f164aa659dfb8058697f6e0c5edd4afe0302b8d39476ffb4b.dll
-
Size
676KB
-
MD5
4d50c132ca23b8e8fa6f50c8e7db7e3b
-
SHA1
fc0fe7b8a046e550ed228581c381d5244a62c74c
-
SHA256
60f896e781ccfa1f164aa659dfb8058697f6e0c5edd4afe0302b8d39476ffb4b
-
SHA512
317ca386657544fb79e3a0529278ea096abcb30ad0aef492a4e9a97b87502154095fccde07882c0a98ea2a278860c765a3ea6283cf195085405e1d8048101614
-
SSDEEP
6144:C34xznfAp4x+NWMqW/KZ1vCDTEpc2bysCZR6iwAtUnWKT5WK8Rpv1llfFfCRAuTF:CIKp/UWCZdCDh2IZDwAFRpR6Au
Malware Config
Signatures
-
Dridex family
-
resource yara_rule behavioral1/memory/1256-4-0x00000000029C0000-0x00000000029C1000-memory.dmp dridex_stager_shellcode -
resource yara_rule behavioral1/memory/1064-1-0x000007FEF7270000-0x000007FEF7319000-memory.dmp dridex_payload behavioral1/memory/1256-19-0x0000000140000000-0x00000001400A9000-memory.dmp dridex_payload behavioral1/memory/1256-26-0x0000000140000000-0x00000001400A9000-memory.dmp dridex_payload behavioral1/memory/1256-38-0x0000000140000000-0x00000001400A9000-memory.dmp dridex_payload behavioral1/memory/1256-37-0x0000000140000000-0x00000001400A9000-memory.dmp dridex_payload behavioral1/memory/1064-46-0x000007FEF7270000-0x000007FEF7319000-memory.dmp dridex_payload behavioral1/memory/2560-56-0x000007FEF7320000-0x000007FEF73D0000-memory.dmp dridex_payload behavioral1/memory/2560-60-0x000007FEF7320000-0x000007FEF73D0000-memory.dmp dridex_payload behavioral1/memory/2932-73-0x000007FEF71F0000-0x000007FEF729A000-memory.dmp dridex_payload behavioral1/memory/2932-77-0x000007FEF71F0000-0x000007FEF729A000-memory.dmp dridex_payload behavioral1/memory/1956-98-0x000007FEF71F0000-0x000007FEF729A000-memory.dmp dridex_payload -
Executes dropped EXE 3 IoCs
pid Process 2560 irftp.exe 2932 SystemPropertiesPerformance.exe 1956 VaultSysUi.exe -
Loads dropped DLL 8 IoCs
pid Process 1256 Process not Found 2560 irftp.exe 1256 Process not Found 2932 SystemPropertiesPerformance.exe 1256 Process not Found 1256 Process not Found 1956 VaultSysUi.exe 1256 Process not Found -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Kgvptlq = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\RXR0ZE~1\\SYSTEM~1.EXE" Process not Found -
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA irftp.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA SystemPropertiesPerformance.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA VaultSysUi.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA rundll32.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1064 rundll32.exe 1064 rundll32.exe 1064 rundll32.exe 1256 Process not Found 1256 Process not Found 1256 Process not Found 1256 Process not Found 1256 Process not Found 1256 Process not Found 1256 Process not Found 1256 Process not Found 1256 Process not Found 1256 Process not Found 1256 Process not Found 1256 Process not Found 1256 Process not Found 1256 Process not Found 1256 Process not Found 1256 Process not Found 1256 Process not Found 1256 Process not Found 1256 Process not Found 1256 Process not Found 1256 Process not Found 1256 Process not Found 1256 Process not Found 1256 Process not Found 1256 Process not Found 1256 Process not Found 1256 Process not Found 1256 Process not Found 1256 Process not Found 1256 Process not Found 1256 Process not Found 1256 Process not Found 1256 Process not Found 1256 Process not Found 1256 Process not Found 1256 Process not Found 1256 Process not Found 1256 Process not Found 1256 Process not Found 1256 Process not Found 1256 Process not Found 1256 Process not Found 1256 Process not Found 1256 Process not Found 1256 Process not Found 1256 Process not Found 1256 Process not Found 1256 Process not Found 1256 Process not Found 1256 Process not Found 1256 Process not Found 1256 Process not Found 1256 Process not Found 1256 Process not Found 1256 Process not Found 1256 Process not Found 1256 Process not Found 1256 Process not Found 1256 Process not Found 1256 Process not Found 1256 Process not Found -
Suspicious use of WriteProcessMemory 18 IoCs
description pid Process procid_target PID 1256 wrote to memory of 2656 1256 Process not Found 30 PID 1256 wrote to memory of 2656 1256 Process not Found 30 PID 1256 wrote to memory of 2656 1256 Process not Found 30 PID 1256 wrote to memory of 2560 1256 Process not Found 31 PID 1256 wrote to memory of 2560 1256 Process not Found 31 PID 1256 wrote to memory of 2560 1256 Process not Found 31 PID 1256 wrote to memory of 396 1256 Process not Found 32 PID 1256 wrote to memory of 396 1256 Process not Found 32 PID 1256 wrote to memory of 396 1256 Process not Found 32 PID 1256 wrote to memory of 2932 1256 Process not Found 33 PID 1256 wrote to memory of 2932 1256 Process not Found 33 PID 1256 wrote to memory of 2932 1256 Process not Found 33 PID 1256 wrote to memory of 2912 1256 Process not Found 34 PID 1256 wrote to memory of 2912 1256 Process not Found 34 PID 1256 wrote to memory of 2912 1256 Process not Found 34 PID 1256 wrote to memory of 1956 1256 Process not Found 35 PID 1256 wrote to memory of 1956 1256 Process not Found 35 PID 1256 wrote to memory of 1956 1256 Process not Found 35 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\60f896e781ccfa1f164aa659dfb8058697f6e0c5edd4afe0302b8d39476ffb4b.dll,#11⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1064
-
C:\Windows\system32\irftp.exeC:\Windows\system32\irftp.exe1⤵PID:2656
-
C:\Users\Admin\AppData\Local\JV8CNouK7\irftp.exeC:\Users\Admin\AppData\Local\JV8CNouK7\irftp.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2560
-
C:\Windows\system32\SystemPropertiesPerformance.exeC:\Windows\system32\SystemPropertiesPerformance.exe1⤵PID:396
-
C:\Users\Admin\AppData\Local\OTHTF\SystemPropertiesPerformance.exeC:\Users\Admin\AppData\Local\OTHTF\SystemPropertiesPerformance.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2932
-
C:\Windows\system32\VaultSysUi.exeC:\Windows\system32\VaultSysUi.exe1⤵PID:2912
-
C:\Users\Admin\AppData\Local\9GN5MnG4v\VaultSysUi.exeC:\Users\Admin\AppData\Local\9GN5MnG4v\VaultSysUi.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1956
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
680KB
MD5420d84ccd302ed510de1515a8abef45d
SHA1ae55ece95ee8c64ceebe945e88b70f7ca65274a2
SHA256c8d5bf653efb6368d14935959b2bcaafc3ddaa485ba54ffce2fd42971c7b36e2
SHA51285393dfa2951d525401b53498394f7ef22b908c10434fc0600c59c0a450931ea4e9101a2c5af515a82e8cae36e046ba1aeff8cc39e657dd3ebe91de7f87b1f9f
-
Filesize
704KB
MD5ed48dfeec071c97e397b7cd23c235716
SHA1e952f3866bdcc1a21060f3db16739738e9ef3185
SHA256e3bdacffe90236a84bab7cf197a0344b8b9065d1310d0756ad6cdc41da33b52e
SHA51281df672436680aa6c3b66fe05869eff61dc2a02a734356028fea52410813e363fd1576cfd1d309455ce13a19755817da5361cddd8beedd775e61114bbd5451cb
-
Filesize
680KB
MD51cb10d3dfdeae1e1ef9d64df3e4918c8
SHA1a01ebb7f3f4c6dc8255b1375cafa2f7bca5b207d
SHA2561a81a204d3c174acdc41c02d752b610be320e0a208d45d9841a906e8f121d697
SHA512b56bfc169276fbd2afbb4355c4de73eca4cdb26cb68913bf304d6c8536d1fdf26971534384796f91b47d97398c4094669d4b1d2c2a72a453becb83fc1754d501
-
Filesize
1KB
MD5136bacebc6dd6e893184974d886290b4
SHA19826ced37402593e73b644c5e79c7c16bd2436ad
SHA2566994d8d1f63328c53513622b51e829e054bb47100ba1ecc27f82097209a4ae28
SHA51217f430885161397a81f0c22c25193bc9a931f78b8c4160125741b9153649856e807a90ca68b4841845d952cbf2240708c7695c9f064cd53b3d1e6fe4d0da4e07
-
Filesize
39KB
MD5f40ef105d94350d36c799ee23f7fec0f
SHA1ee3a5cfe8b807e1c1718a27eb97fa134360816e3
SHA256eeb3f79be414b81f4eb8167390641787f14a033414533fb8de651c2247d054b2
SHA512f16bcca6f6cecbdae117d5a41de7e86a6d9dfdfa2ce8c75ebff10d097083c106e7f9d030debed8cb20fdd71815a8aa7723a1d3c68b38ec382e55370331c594a1
-
Filesize
192KB
MD50cae1fb725c56d260bfd6feba7ae9a75
SHA1102ac676a1de3ec3d56401f8efd518c31c8b0b80
SHA256312f4107ff37dc988d99c5f56178708bb74a3906740cff4e337c0dde8f1e151d
SHA512db969064577c4158d6bf925354319766b0d0373ddefb03dbfc9a9d2cadf8ddcd50a7f99b7ddf2ffad5e7fdbb6f02090b5b678bdf792d265054bff3b56ee0b8ec
-
Filesize
80KB
MD5870726cdcc241a92785572628b89cc07
SHA163d47cc4fe9beb75862add1abca1d8ae8235710a
SHA2561ab77fa1ee0cbe59ca185c228c3c11abeba2b2008a162c91a06d3c40542e7fc6
SHA51289b961c2a2716fe0800e54e0206c8b349a26f1bc2a463ec9bd12f3ab22bfcb13e6402b4c20ddcf284d838a3c66e73335af8f6dc4554d76646382e387242c6f72