Analysis
-
max time kernel
161s -
max time network
139s -
platform
windows7_x64 -
resource
win7-en -
submitted
15-09-2021 07:38
General
-
Target
c7df81957b115f26c8fd50231ac26abecb98e85aeddc9331492b1c7ff7e6640f.dll
-
Size
1.5MB
-
MD5
198fae5aa298ab457d3de1a0544fe063
-
SHA1
60dc910a2342f96f0132a83e86213d55f01168c7
-
SHA256
c7df81957b115f26c8fd50231ac26abecb98e85aeddc9331492b1c7ff7e6640f
-
SHA512
4d8450c3cba80edc044215f4a36643260080cb1d66ba4504fc9b175c84086f829a11502d4120ef8aeb954b052d1fda852bc9fba370d89c70fa8b9eb09374a2a6
Malware Config
Signatures
-
Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
-
Dridex Shellcode 1 IoCs
Detects Dridex Payload shellcode injected in Explorer process.
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 7 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 4 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of FindShellTrayWindow 24 IoCs
-
Suspicious use of SendNotifyMessage 26 IoCs
-
Suspicious use of WriteProcessMemory 18 IoCs
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\c7df81957b115f26c8fd50231ac26abecb98e85aeddc9331492b1c7ff7e6640f.dll,#11⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\winlogon.exeC:\Windows\system32\winlogon.exe1⤵
-
C:\Users\Admin\AppData\Local\kvcj\winlogon.exeC:\Users\Admin\AppData\Local\kvcj\winlogon.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
-
C:\Windows\system32\DevicePairingWizard.exeC:\Windows\system32\DevicePairingWizard.exe1⤵
-
C:\Users\Admin\AppData\Local\02p\DevicePairingWizard.exeC:\Users\Admin\AppData\Local\02p\DevicePairingWizard.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
-
C:\Windows\system32\cmstp.exeC:\Windows\system32\cmstp.exe1⤵
-
C:\Users\Admin\AppData\Local\hTj4DoK\cmstp.exeC:\Users\Admin\AppData\Local\hTj4DoK\cmstp.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\02p\DevicePairingWizard.exeMD5
9728725678f32e84575e0cd2d2c58e9b
SHA1dd9505d3548f08e5198a8d6ba6bcd60b1da86d5c
SHA256d95d3aa065a657c354244e3d9d4dc62673dc36c1bed60650fade7d128ddab544
SHA512a5d22240450e7b659cba507f9abe7e6d861e9712ca2335ea5ceb69e3557362b00f5d02bf84c3a6fed82a09eda555866dcab43741ad9c6db96e1e302ef2363377
-
C:\Users\Admin\AppData\Local\hTj4DoK\VERSION.dllMD5
07b67cbbb9200c90ca35b4825f37ee34
SHA196570dee6fb22400802bff871bfdda018a7f65f7
SHA256a35031c1172d373ca55cc5233b1a4dd47a49ea075965431403d40d3329d2ed4f
SHA5124d18f2d470b3eb14ff18d98ea18fc74e12f4cc520c3a14a4e0216239ee960cc585681a86397730ac90ab599d7c7e9b0092c8c50ae0b7d84d817fb56b578a8c14
-
C:\Users\Admin\AppData\Local\hTj4DoK\cmstp.exeMD5
74c6da5522f420c394ae34b2d3d677e3
SHA1ba135738ef1fb2f4c2c6c610be2c4e855a526668
SHA25651d298b1a8a2d00d5c608c52dba0655565d021e9798ee171d7fa92cc0de729a6
SHA512bfd76b1c3e677292748f88bf595bfef0b536eb22f2583b028cbf08f6ae4eda1aa3787c4e892aad12b7681fc2363f99250430a0e7019a7498e24db391868e787a
-
C:\Users\Admin\AppData\Local\kvcj\WINSTA.dllMD5
300b21c59eb3190f3e3c02d04426092b
SHA120a089e99351aff9c384927f74c0df8ca5ffcab8
SHA256e8307ad0a4af5726bbf318e5db9bd60d02e4bea012570afa67f055f143bf28d6
SHA5126a7bfbd70d05345ea03da9d136203bd8a32b22a499e61bb639aa1f7516556a8e845179132194d20100031fabbfa61f0a9a59c228ef7a10766d04e47e2497dccf
-
C:\Users\Admin\AppData\Local\kvcj\winlogon.exeMD5
1151b1baa6f350b1db6598e0fea7c457
SHA1434856b834baf163c5ea4d26434eeae775a507fb
SHA256b1506e0a7e826eff0f5252ef5026070c46e2235438403a9a24d73ee69c0b8a49
SHA512df728d06238da1dece96f8b8d67a2423ed4dcb344b42d5958768d23bd570a79e7189e7c5ba783c1628fe8ddd1deaebeacb1b471c59c8a7c9beb21b4f1eb9edab
-
\Users\Admin\AppData\Local\02p\DevicePairingWizard.exeMD5
9728725678f32e84575e0cd2d2c58e9b
SHA1dd9505d3548f08e5198a8d6ba6bcd60b1da86d5c
SHA256d95d3aa065a657c354244e3d9d4dc62673dc36c1bed60650fade7d128ddab544
SHA512a5d22240450e7b659cba507f9abe7e6d861e9712ca2335ea5ceb69e3557362b00f5d02bf84c3a6fed82a09eda555866dcab43741ad9c6db96e1e302ef2363377
-
\Users\Admin\AppData\Local\02p\MFC42u.dllMD5
029eea34c8f38c63e40bf52b63e7bab2
SHA113e5d5cd9b84cee338c5ceaabbd92ccb8aab3ca4
SHA256b5cef85f0e97f21875c980018a1e5e1e91cd5a4850aa47caf99f2ff33b77aa07
SHA512aeebbf8518eceb68c9a76c4819fa0ba4db57ad96a161408ff4079fb2b30981510eaa068441b2e1665af91f0ed06208e5cebcc34250e927f0b86b518b9553c67a
-
\Users\Admin\AppData\Local\hTj4DoK\VERSION.dllMD5
07b67cbbb9200c90ca35b4825f37ee34
SHA196570dee6fb22400802bff871bfdda018a7f65f7
SHA256a35031c1172d373ca55cc5233b1a4dd47a49ea075965431403d40d3329d2ed4f
SHA5124d18f2d470b3eb14ff18d98ea18fc74e12f4cc520c3a14a4e0216239ee960cc585681a86397730ac90ab599d7c7e9b0092c8c50ae0b7d84d817fb56b578a8c14
-
\Users\Admin\AppData\Local\hTj4DoK\cmstp.exeMD5
74c6da5522f420c394ae34b2d3d677e3
SHA1ba135738ef1fb2f4c2c6c610be2c4e855a526668
SHA25651d298b1a8a2d00d5c608c52dba0655565d021e9798ee171d7fa92cc0de729a6
SHA512bfd76b1c3e677292748f88bf595bfef0b536eb22f2583b028cbf08f6ae4eda1aa3787c4e892aad12b7681fc2363f99250430a0e7019a7498e24db391868e787a
-
\Users\Admin\AppData\Local\kvcj\WINSTA.dllMD5
300b21c59eb3190f3e3c02d04426092b
SHA120a089e99351aff9c384927f74c0df8ca5ffcab8
SHA256e8307ad0a4af5726bbf318e5db9bd60d02e4bea012570afa67f055f143bf28d6
SHA5126a7bfbd70d05345ea03da9d136203bd8a32b22a499e61bb639aa1f7516556a8e845179132194d20100031fabbfa61f0a9a59c228ef7a10766d04e47e2497dccf
-
\Users\Admin\AppData\Local\kvcj\winlogon.exeMD5
1151b1baa6f350b1db6598e0fea7c457
SHA1434856b834baf163c5ea4d26434eeae775a507fb
SHA256b1506e0a7e826eff0f5252ef5026070c46e2235438403a9a24d73ee69c0b8a49
SHA512df728d06238da1dece96f8b8d67a2423ed4dcb344b42d5958768d23bd570a79e7189e7c5ba783c1628fe8ddd1deaebeacb1b471c59c8a7c9beb21b4f1eb9edab
-
\Users\Admin\AppData\Roaming\Macromedia\Flash Player\etUNZJ7STO\cmstp.exeMD5
74c6da5522f420c394ae34b2d3d677e3
SHA1ba135738ef1fb2f4c2c6c610be2c4e855a526668
SHA25651d298b1a8a2d00d5c608c52dba0655565d021e9798ee171d7fa92cc0de729a6
SHA512bfd76b1c3e677292748f88bf595bfef0b536eb22f2583b028cbf08f6ae4eda1aa3787c4e892aad12b7681fc2363f99250430a0e7019a7498e24db391868e787a
-
memory/920-106-0x0000000140000000-0x0000000140179000-memory.dmpFilesize
1.5MB
-
memory/920-102-0x0000000000000000-mapping.dmp
-
memory/1156-55-0x00000000002A0000-0x00000000002A7000-memory.dmpFilesize
28KB
-
memory/1156-53-0x0000000140000000-0x0000000140177000-memory.dmpFilesize
1.5MB
-
memory/1260-82-0x0000000140000000-0x0000000140177000-memory.dmpFilesize
1.5MB
-
memory/1260-91-0x0000000140000000-0x0000000140177000-memory.dmpFilesize
1.5MB
-
memory/1260-76-0x0000000140000000-0x0000000140177000-memory.dmpFilesize
1.5MB
-
memory/1260-75-0x0000000140000000-0x0000000140177000-memory.dmpFilesize
1.5MB
-
memory/1260-74-0x0000000140000000-0x0000000140177000-memory.dmpFilesize
1.5MB
-
memory/1260-73-0x0000000140000000-0x0000000140177000-memory.dmpFilesize
1.5MB
-
memory/1260-72-0x0000000140000000-0x0000000140177000-memory.dmpFilesize
1.5MB
-
memory/1260-71-0x0000000140000000-0x0000000140177000-memory.dmpFilesize
1.5MB
-
memory/1260-90-0x0000000140000000-0x0000000140177000-memory.dmpFilesize
1.5MB
-
memory/1260-89-0x0000000140000000-0x0000000140177000-memory.dmpFilesize
1.5MB
-
memory/1260-88-0x0000000140000000-0x0000000140177000-memory.dmpFilesize
1.5MB
-
memory/1260-70-0x0000000140000000-0x0000000140177000-memory.dmpFilesize
1.5MB
-
memory/1260-69-0x0000000140000000-0x0000000140177000-memory.dmpFilesize
1.5MB
-
memory/1260-67-0x0000000140000000-0x0000000140177000-memory.dmpFilesize
1.5MB
-
memory/1260-66-0x0000000140000000-0x0000000140177000-memory.dmpFilesize
1.5MB
-
memory/1260-65-0x0000000140000000-0x0000000140177000-memory.dmpFilesize
1.5MB
-
memory/1260-64-0x0000000140000000-0x0000000140177000-memory.dmpFilesize
1.5MB
-
memory/1260-63-0x0000000140000000-0x0000000140177000-memory.dmpFilesize
1.5MB
-
memory/1260-62-0x0000000140000000-0x0000000140177000-memory.dmpFilesize
1.5MB
-
memory/1260-61-0x0000000140000000-0x0000000140177000-memory.dmpFilesize
1.5MB
-
memory/1260-60-0x0000000140000000-0x0000000140177000-memory.dmpFilesize
1.5MB
-
memory/1260-79-0x0000000140000000-0x0000000140177000-memory.dmpFilesize
1.5MB
-
memory/1260-92-0x0000000140000000-0x0000000140177000-memory.dmpFilesize
1.5MB
-
memory/1260-93-0x0000000140000000-0x0000000140177000-memory.dmpFilesize
1.5MB
-
memory/1260-94-0x0000000140000000-0x0000000140177000-memory.dmpFilesize
1.5MB
-
memory/1260-100-0x0000000077480000-0x0000000077482000-memory.dmpFilesize
8KB
-
memory/1260-80-0x0000000140000000-0x0000000140177000-memory.dmpFilesize
1.5MB
-
memory/1260-81-0x0000000140000000-0x0000000140177000-memory.dmpFilesize
1.5MB
-
memory/1260-83-0x0000000140000000-0x0000000140177000-memory.dmpFilesize
1.5MB
-
memory/1260-84-0x0000000140000000-0x0000000140177000-memory.dmpFilesize
1.5MB
-
memory/1260-85-0x0000000140000000-0x0000000140177000-memory.dmpFilesize
1.5MB
-
memory/1260-87-0x0000000140000000-0x0000000140177000-memory.dmpFilesize
1.5MB
-
memory/1260-86-0x0000000140000000-0x0000000140177000-memory.dmpFilesize
1.5MB
-
memory/1260-56-0x0000000002AA0000-0x0000000002AA1000-memory.dmpFilesize
4KB
-
memory/1260-77-0x0000000140000000-0x0000000140177000-memory.dmpFilesize
1.5MB
-
memory/1260-78-0x0000000140000000-0x0000000140177000-memory.dmpFilesize
1.5MB
-
memory/1260-68-0x0000000140000000-0x0000000140177000-memory.dmpFilesize
1.5MB
-
memory/1260-57-0x0000000140000000-0x0000000140177000-memory.dmpFilesize
1.5MB
-
memory/1260-59-0x0000000140000000-0x0000000140177000-memory.dmpFilesize
1.5MB
-
memory/1260-58-0x0000000140000000-0x0000000140177000-memory.dmpFilesize
1.5MB
-
memory/1416-113-0x0000000000000000-mapping.dmp
-
memory/1416-117-0x0000000140000000-0x0000000140178000-memory.dmpFilesize
1.5MB
-
memory/2004-109-0x0000000000000000-mapping.dmp