Analysis
-
max time kernel
149s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
14-11-2024 17:10
Static task
static1
Behavioral task
behavioral1
Sample
3b8ccbf4ae592f02e2fbe743c82f523486fe5da1c6386edfce800ef4c4dd41f3.dll
Resource
win7-20241010-en
General
-
Target
3b8ccbf4ae592f02e2fbe743c82f523486fe5da1c6386edfce800ef4c4dd41f3.dll
-
Size
672KB
-
MD5
3aca1383a7540c9153c2064e5d66af1c
-
SHA1
c2afd47eb14d504194df17e550407989e34d91aa
-
SHA256
3b8ccbf4ae592f02e2fbe743c82f523486fe5da1c6386edfce800ef4c4dd41f3
-
SHA512
a513bc6cb4c62792ecc1a18e5927322535e9403c72b95b2181e1ef4aaaaf883e7cbcd19de0310dbc85dce93a53d2286cdf1272e2e5c9e6f3953d77542161dad7
-
SSDEEP
6144:934xznfAp4x+NWMqW/KZ1vCDTEpc2bysCZR6iwAtUnWKT5WK8Rpv1llfFfCRAuTh:9IKp/UWCZdCDh2IZDwAFRpR6AuXt
Malware Config
Signatures
-
Dridex family
-
resource yara_rule behavioral1/memory/1192-4-0x0000000002D10000-0x0000000002D11000-memory.dmp dridex_stager_shellcode -
resource yara_rule behavioral1/memory/2604-0-0x000007FEF6DB0000-0x000007FEF6E58000-memory.dmp dridex_payload behavioral1/memory/1192-17-0x0000000140000000-0x00000001400A8000-memory.dmp dridex_payload behavioral1/memory/1192-25-0x0000000140000000-0x00000001400A8000-memory.dmp dridex_payload behavioral1/memory/1192-38-0x0000000140000000-0x00000001400A8000-memory.dmp dridex_payload behavioral1/memory/1192-37-0x0000000140000000-0x00000001400A8000-memory.dmp dridex_payload behavioral1/memory/2604-45-0x000007FEF6DB0000-0x000007FEF6E58000-memory.dmp dridex_payload behavioral1/memory/2712-54-0x000007FEF6E60000-0x000007FEF6F09000-memory.dmp dridex_payload behavioral1/memory/2712-59-0x000007FEF6E60000-0x000007FEF6F09000-memory.dmp dridex_payload behavioral1/memory/2012-71-0x000007FEF62D0000-0x000007FEF637A000-memory.dmp dridex_payload behavioral1/memory/2012-76-0x000007FEF62D0000-0x000007FEF637A000-memory.dmp dridex_payload behavioral1/memory/2324-88-0x000007FEF64E0000-0x000007FEF6589000-memory.dmp dridex_payload behavioral1/memory/2324-91-0x000007FEF64E0000-0x000007FEF6589000-memory.dmp dridex_payload -
Executes dropped EXE 3 IoCs
pid Process 2712 SystemPropertiesAdvanced.exe 2012 irftp.exe 2324 dwm.exe -
Loads dropped DLL 7 IoCs
pid Process 1192 Process not Found 2712 SystemPropertiesAdvanced.exe 1192 Process not Found 2012 irftp.exe 1192 Process not Found 2324 dwm.exe 1192 Process not Found -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Uuyszikihxbb = "C:\\Users\\Admin\\AppData\\Roaming\\MACROM~1\\FLASHP~1\\MACROM~1.COM\\HW5OPRtr\\irftp.exe" Process not Found -
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA rundll32.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA SystemPropertiesAdvanced.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA irftp.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA dwm.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2604 rundll32.exe 2604 rundll32.exe 2604 rundll32.exe 1192 Process not Found 1192 Process not Found 1192 Process not Found 1192 Process not Found 1192 Process not Found 1192 Process not Found 1192 Process not Found 1192 Process not Found 1192 Process not Found 1192 Process not Found 1192 Process not Found 1192 Process not Found 1192 Process not Found 1192 Process not Found 1192 Process not Found 1192 Process not Found 1192 Process not Found 1192 Process not Found 1192 Process not Found 1192 Process not Found 1192 Process not Found 1192 Process not Found 1192 Process not Found 1192 Process not Found 1192 Process not Found 1192 Process not Found 1192 Process not Found 1192 Process not Found 1192 Process not Found 1192 Process not Found 1192 Process not Found 1192 Process not Found 1192 Process not Found 1192 Process not Found 1192 Process not Found 1192 Process not Found 1192 Process not Found 1192 Process not Found 1192 Process not Found 1192 Process not Found 1192 Process not Found 1192 Process not Found 1192 Process not Found 1192 Process not Found 1192 Process not Found 1192 Process not Found 1192 Process not Found 1192 Process not Found 1192 Process not Found 1192 Process not Found 1192 Process not Found 1192 Process not Found 1192 Process not Found 1192 Process not Found 1192 Process not Found 1192 Process not Found 1192 Process not Found 1192 Process not Found 1192 Process not Found 1192 Process not Found 2712 SystemPropertiesAdvanced.exe -
Suspicious use of WriteProcessMemory 18 IoCs
description pid Process procid_target PID 1192 wrote to memory of 2792 1192 Process not Found 31 PID 1192 wrote to memory of 2792 1192 Process not Found 31 PID 1192 wrote to memory of 2792 1192 Process not Found 31 PID 1192 wrote to memory of 2712 1192 Process not Found 32 PID 1192 wrote to memory of 2712 1192 Process not Found 32 PID 1192 wrote to memory of 2712 1192 Process not Found 32 PID 1192 wrote to memory of 2724 1192 Process not Found 33 PID 1192 wrote to memory of 2724 1192 Process not Found 33 PID 1192 wrote to memory of 2724 1192 Process not Found 33 PID 1192 wrote to memory of 2012 1192 Process not Found 34 PID 1192 wrote to memory of 2012 1192 Process not Found 34 PID 1192 wrote to memory of 2012 1192 Process not Found 34 PID 1192 wrote to memory of 2928 1192 Process not Found 35 PID 1192 wrote to memory of 2928 1192 Process not Found 35 PID 1192 wrote to memory of 2928 1192 Process not Found 35 PID 1192 wrote to memory of 2324 1192 Process not Found 36 PID 1192 wrote to memory of 2324 1192 Process not Found 36 PID 1192 wrote to memory of 2324 1192 Process not Found 36 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\3b8ccbf4ae592f02e2fbe743c82f523486fe5da1c6386edfce800ef4c4dd41f3.dll,#11⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2604
-
C:\Windows\system32\SystemPropertiesAdvanced.exeC:\Windows\system32\SystemPropertiesAdvanced.exe1⤵PID:2792
-
C:\Users\Admin\AppData\Local\Fae\SystemPropertiesAdvanced.exeC:\Users\Admin\AppData\Local\Fae\SystemPropertiesAdvanced.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2712
-
C:\Windows\system32\irftp.exeC:\Windows\system32\irftp.exe1⤵PID:2724
-
C:\Users\Admin\AppData\Local\8LQ6iIQ\irftp.exeC:\Users\Admin\AppData\Local\8LQ6iIQ\irftp.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2012
-
C:\Windows\system32\dwm.exeC:\Windows\system32\dwm.exe1⤵PID:2928
-
C:\Users\Admin\AppData\Local\PCh\dwm.exeC:\Users\Admin\AppData\Local\PCh\dwm.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2324
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
680KB
MD5e68451236de7915030975d43950cc6b1
SHA19f9e04dc1e106de303568ff44dca3e95a743265d
SHA256ac54b89745ee799422b7557c1ef732006264143cdc86107a731a4f0fbe4e8b98
SHA512971a29ab66cdf89389729649aa046cc25d7d030db1dc259e44ab4e903b34f43e3c11f184cb0c2ef011e7438ec39f73938cff6d77747265693377ac18ecc8cc1f
-
Filesize
676KB
MD58d9744d157a5f7a53165d32fa31b4655
SHA13a83833dc78f3d6a52f0f710efe766ca374dbcfd
SHA2566024cfb7ce0400cfda39516eea5615dad1e0b15306b0914ef2972c91662c77d6
SHA512b4dfab2cc04fead8f959bb226c9d019093e70958b3b75c3b6f311e39379f37ea7b5a5bf5dabdd2235d70d8fa4ebdf85451e15f3ea91085347980f3401147e8bb
-
Filesize
676KB
MD5023a075fd89a2d02195ea85e7fdad212
SHA1f61725fedeaa56bce97c4f9b83cd45b6985898bf
SHA25657325e497d92bc2cb22735732fefc7fe7dfe84eb3b98e05b54450fef6a67b41e
SHA512e8948e0072246026327691feb1bc17cee7e8426f26d5b8b856201f88ddee0dbc3b8fb61421172b46b03bfd6d2d9a8c38cdb920a7d35057e71c3bb4a19e5ca17c
-
Filesize
1KB
MD551feed357bee86848741cbae1ff8d944
SHA159aba8289a7ab09a9189a4c13aaf52f0bdb309f3
SHA2561ec8cbf5ccdf24c5df657c6573f95e382a8a9a841116f97000bcd26a1a623c84
SHA512fb479ea94596fe4ca76a6b828fb769462582b62790b681919133fc91d753b9ff25b4c5859fe2743e3a7b15bf493647f54b5f658aadcea0b4fdbe736651101504
-
Filesize
192KB
MD50cae1fb725c56d260bfd6feba7ae9a75
SHA1102ac676a1de3ec3d56401f8efd518c31c8b0b80
SHA256312f4107ff37dc988d99c5f56178708bb74a3906740cff4e337c0dde8f1e151d
SHA512db969064577c4158d6bf925354319766b0d0373ddefb03dbfc9a9d2cadf8ddcd50a7f99b7ddf2ffad5e7fdbb6f02090b5b678bdf792d265054bff3b56ee0b8ec
-
Filesize
80KB
MD525dc1e599591871c074a68708206e734
SHA127a9dffa92d979d39c07d889fada536c062dac77
SHA256a13b2ba5892c11c731869410b1e3dd2f250d70ff9efd513a9f260ab506dd42ef
SHA512f7da9ce4c3e8aea9095fcc977084c042f85df48fca0b58fb136dfd835ce69b5b1e68f3c11eeb14c617ffcec7011ffc7e5d5a948f49dde653a2348b28e10adb72
-
Filesize
117KB
MD5f162d5f5e845b9dc352dd1bad8cef1bc
SHA135bc294b7e1f062ef5cb5fa1bd3fc942a3e37ae2
SHA2568a7b7528db30ab123b060d8e41954d95913c07bb40cdae32e97f9edb0baf79c7
SHA5127077e800453a4564a24af022636a2f6547bdae2c9c6f4ed080d0c98415ecc4fbf538109cbebd456e321b9b74a00613d647b63998e31925fbd841fc9d4613e851