Analysis
-
max time kernel
4294219s -
max time network
130s -
platform
windows7_x64 -
resource
win7-20220310-en -
submitted
23-03-2022 08:06
General
-
Target
ab8f6d64918bfde8d603af28047f91c3bdfd82df3d965391fc1b480542d64b89.dll
-
Size
1.4MB
-
MD5
2a52d4cc48659ad06386e6f1ddb17613
-
SHA1
fb551a1f927e6b86fb2e8281d4f09a753e5a7f5b
-
SHA256
ab8f6d64918bfde8d603af28047f91c3bdfd82df3d965391fc1b480542d64b89
-
SHA512
c37af474e1defdc504f979dcdd11413ee2337baa6ebe49156e02999415cf8f3d5d69e6c3da8f8dd7ba58fec6e337ffdee4414c26e2ea79ad9ee1aa6d2381eec1
Malware Config
Signatures
-
Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
-
Dridex Shellcode 1 IoCs
Detects Dridex Payload shellcode injected in Explorer process.
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 7 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 4 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of WriteProcessMemory 18 IoCs
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\ab8f6d64918bfde8d603af28047f91c3bdfd82df3d965391fc1b480542d64b89.dll,#11⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\rdpshell.exeC:\Windows\system32\rdpshell.exe1⤵
-
C:\Users\Admin\AppData\Local\okhiiw\rdpshell.exeC:\Users\Admin\AppData\Local\okhiiw\rdpshell.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\DisplaySwitch.exeC:\Windows\system32\DisplaySwitch.exe1⤵
-
C:\Users\Admin\AppData\Local\EQe\DisplaySwitch.exeC:\Users\Admin\AppData\Local\EQe\DisplaySwitch.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\SystemPropertiesPerformance.exeC:\Windows\system32\SystemPropertiesPerformance.exe1⤵
-
C:\Users\Admin\AppData\Local\OZERJQeL\SystemPropertiesPerformance.exeC:\Users\Admin\AppData\Local\OZERJQeL\SystemPropertiesPerformance.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\EQe\DisplaySwitch.exeMD5
b795e6138e29a37508285fc31e92bd78
SHA1d0fe0c38c7c61adbb77e58d48b96cd4bf98ecd4a
SHA25601a9733871baa8518092bade3fce62dcca14cdf6fc55b98218253580b38d7659
SHA5128312174a77bab5fef7c4e9efff66c43d3515b02f5766ed1d3b9bd0abb3d7344a9a22cbac228132098428c122293d2b1898b3a2d75f5e4247b1dcb9aa9c7913b1
-
C:\Users\Admin\AppData\Local\EQe\slc.dllMD5
7174470c1a2458b2a51e2e38da679e9e
SHA1158d90cda686f4aa1206d0cbd4e155b4c777f9ef
SHA2566f15a0e9f64cc8a14f79d1766d30e3e111d1dd092594a87282733330bf5d9f4a
SHA5128627724b2e223121e5e26988decb73687463c1a1d4262af01b8a99a23ca9f8903aa7040fe0e86009c61f6e179c00ff119f79191d160d11c69bbd3b6b32a7844e
-
C:\Users\Admin\AppData\Local\OZERJQeL\SYSDM.CPLMD5
183f326c6f4ac678c444244253ea7d26
SHA17642b95026213d081f464f6f579af36ae690b858
SHA256abe82597f6daa3ba2525e3b41a6c08825a22c6c0061639760793daa4131ec7d0
SHA512cc89ca7d19528ba1b00674a18c0edd105197dd16ec4cc043451474752a1bb924433794586eade441ad7a0148bbb216af6f0008315a75ab381e5145ed61c98b85
-
C:\Users\Admin\AppData\Local\OZERJQeL\SystemPropertiesPerformance.exeMD5
870726cdcc241a92785572628b89cc07
SHA163d47cc4fe9beb75862add1abca1d8ae8235710a
SHA2561ab77fa1ee0cbe59ca185c228c3c11abeba2b2008a162c91a06d3c40542e7fc6
SHA51289b961c2a2716fe0800e54e0206c8b349a26f1bc2a463ec9bd12f3ab22bfcb13e6402b4c20ddcf284d838a3c66e73335af8f6dc4554d76646382e387242c6f72
-
C:\Users\Admin\AppData\Local\okhiiw\WTSAPI32.dllMD5
dd44052425e0cbf01f9ccdff54e49cb1
SHA1bef7b3e026ec87f373a9033635fb66713d9de986
SHA2567721bf6672b571c62b7245c90eeba1b452a1a3c0062b470c339fc90e7140def5
SHA512ec3f9cb305e12eac7781f425a2d120ced6806b6fd987e960ca11e024494516b9792243036214f861aafc2d7801bada2392f12858f2cdee0ffd27e8639c39862b
-
C:\Users\Admin\AppData\Local\okhiiw\rdpshell.exeMD5
a62dfcea3a58ba8fcf32f831f018fe3f
SHA175f7690b19866f2c2b3dd3bfdff8a1c6fa8e958b
SHA256f8346a44f12e5b1ca6beaae5fbdf5f7f494ba204379c21d1875b03ba6da6152e
SHA5129a3df5be95017c23ab144302d2275654e86193e2cd94957d5f72bda3cb171ec2a6da14e6631a7fd4fd053b4529f4083aa287ada57484ad0ee01a8e5b2b54c603
-
\Users\Admin\AppData\Local\EQe\DisplaySwitch.exeMD5
b795e6138e29a37508285fc31e92bd78
SHA1d0fe0c38c7c61adbb77e58d48b96cd4bf98ecd4a
SHA25601a9733871baa8518092bade3fce62dcca14cdf6fc55b98218253580b38d7659
SHA5128312174a77bab5fef7c4e9efff66c43d3515b02f5766ed1d3b9bd0abb3d7344a9a22cbac228132098428c122293d2b1898b3a2d75f5e4247b1dcb9aa9c7913b1
-
\Users\Admin\AppData\Local\EQe\slc.dllMD5
7174470c1a2458b2a51e2e38da679e9e
SHA1158d90cda686f4aa1206d0cbd4e155b4c777f9ef
SHA2566f15a0e9f64cc8a14f79d1766d30e3e111d1dd092594a87282733330bf5d9f4a
SHA5128627724b2e223121e5e26988decb73687463c1a1d4262af01b8a99a23ca9f8903aa7040fe0e86009c61f6e179c00ff119f79191d160d11c69bbd3b6b32a7844e
-
\Users\Admin\AppData\Local\OZERJQeL\SYSDM.CPLMD5
183f326c6f4ac678c444244253ea7d26
SHA17642b95026213d081f464f6f579af36ae690b858
SHA256abe82597f6daa3ba2525e3b41a6c08825a22c6c0061639760793daa4131ec7d0
SHA512cc89ca7d19528ba1b00674a18c0edd105197dd16ec4cc043451474752a1bb924433794586eade441ad7a0148bbb216af6f0008315a75ab381e5145ed61c98b85
-
\Users\Admin\AppData\Local\OZERJQeL\SystemPropertiesPerformance.exeMD5
870726cdcc241a92785572628b89cc07
SHA163d47cc4fe9beb75862add1abca1d8ae8235710a
SHA2561ab77fa1ee0cbe59ca185c228c3c11abeba2b2008a162c91a06d3c40542e7fc6
SHA51289b961c2a2716fe0800e54e0206c8b349a26f1bc2a463ec9bd12f3ab22bfcb13e6402b4c20ddcf284d838a3c66e73335af8f6dc4554d76646382e387242c6f72
-
\Users\Admin\AppData\Local\okhiiw\WTSAPI32.dllMD5
dd44052425e0cbf01f9ccdff54e49cb1
SHA1bef7b3e026ec87f373a9033635fb66713d9de986
SHA2567721bf6672b571c62b7245c90eeba1b452a1a3c0062b470c339fc90e7140def5
SHA512ec3f9cb305e12eac7781f425a2d120ced6806b6fd987e960ca11e024494516b9792243036214f861aafc2d7801bada2392f12858f2cdee0ffd27e8639c39862b
-
\Users\Admin\AppData\Local\okhiiw\rdpshell.exeMD5
a62dfcea3a58ba8fcf32f831f018fe3f
SHA175f7690b19866f2c2b3dd3bfdff8a1c6fa8e958b
SHA256f8346a44f12e5b1ca6beaae5fbdf5f7f494ba204379c21d1875b03ba6da6152e
SHA5129a3df5be95017c23ab144302d2275654e86193e2cd94957d5f72bda3cb171ec2a6da14e6631a7fd4fd053b4529f4083aa287ada57484ad0ee01a8e5b2b54c603
-
\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\Dt3EjyfN55\SystemPropertiesPerformance.exeMD5
870726cdcc241a92785572628b89cc07
SHA163d47cc4fe9beb75862add1abca1d8ae8235710a
SHA2561ab77fa1ee0cbe59ca185c228c3c11abeba2b2008a162c91a06d3c40542e7fc6
SHA51289b961c2a2716fe0800e54e0206c8b349a26f1bc2a463ec9bd12f3ab22bfcb13e6402b4c20ddcf284d838a3c66e73335af8f6dc4554d76646382e387242c6f72
-
memory/872-157-0x0000000000510000-0x0000000000517000-memory.dmpFilesize
28KB
-
memory/872-148-0x0000000000000000-mapping.dmp
-
memory/1084-138-0x0000000000000000-mapping.dmp
-
memory/1084-144-0x0000000000200000-0x0000000000207000-memory.dmpFilesize
28KB
-
memory/1196-167-0x0000000000020000-0x0000000000027000-memory.dmpFilesize
28KB
-
memory/1196-159-0x0000000000000000-mapping.dmp
-
memory/1200-82-0x0000000140000000-0x000000014015A000-memory.dmpFilesize
1.4MB
-
memory/1200-106-0x0000000140000000-0x000000014015A000-memory.dmpFilesize
1.4MB
-
memory/1200-75-0x0000000140000000-0x000000014015A000-memory.dmpFilesize
1.4MB
-
memory/1200-74-0x0000000140000000-0x000000014015A000-memory.dmpFilesize
1.4MB
-
memory/1200-73-0x0000000140000000-0x000000014015A000-memory.dmpFilesize
1.4MB
-
memory/1200-72-0x0000000140000000-0x000000014015A000-memory.dmpFilesize
1.4MB
-
memory/1200-96-0x0000000140000000-0x000000014015A000-memory.dmpFilesize
1.4MB
-
memory/1200-97-0x0000000140000000-0x000000014015A000-memory.dmpFilesize
1.4MB
-
memory/1200-95-0x0000000140000000-0x000000014015A000-memory.dmpFilesize
1.4MB
-
memory/1200-94-0x0000000140000000-0x000000014015A000-memory.dmpFilesize
1.4MB
-
memory/1200-93-0x0000000140000000-0x000000014015A000-memory.dmpFilesize
1.4MB
-
memory/1200-92-0x0000000140000000-0x000000014015A000-memory.dmpFilesize
1.4MB
-
memory/1200-91-0x0000000140000000-0x000000014015A000-memory.dmpFilesize
1.4MB
-
memory/1200-90-0x0000000140000000-0x000000014015A000-memory.dmpFilesize
1.4MB
-
memory/1200-89-0x0000000140000000-0x000000014015A000-memory.dmpFilesize
1.4MB
-
memory/1200-88-0x0000000140000000-0x000000014015A000-memory.dmpFilesize
1.4MB
-
memory/1200-87-0x0000000140000000-0x000000014015A000-memory.dmpFilesize
1.4MB
-
memory/1200-86-0x0000000140000000-0x000000014015A000-memory.dmpFilesize
1.4MB
-
memory/1200-85-0x0000000140000000-0x000000014015A000-memory.dmpFilesize
1.4MB
-
memory/1200-84-0x0000000140000000-0x000000014015A000-memory.dmpFilesize
1.4MB
-
memory/1200-83-0x0000000140000000-0x000000014015A000-memory.dmpFilesize
1.4MB
-
memory/1200-77-0x0000000140000000-0x000000014015A000-memory.dmpFilesize
1.4MB
-
memory/1200-81-0x0000000140000000-0x000000014015A000-memory.dmpFilesize
1.4MB
-
memory/1200-98-0x0000000140000000-0x000000014015A000-memory.dmpFilesize
1.4MB
-
memory/1200-99-0x0000000140000000-0x000000014015A000-memory.dmpFilesize
1.4MB
-
memory/1200-100-0x0000000140000000-0x000000014015A000-memory.dmpFilesize
1.4MB
-
memory/1200-101-0x0000000140000000-0x000000014015A000-memory.dmpFilesize
1.4MB
-
memory/1200-102-0x0000000140000000-0x000000014015A000-memory.dmpFilesize
1.4MB
-
memory/1200-103-0x0000000140000000-0x000000014015A000-memory.dmpFilesize
1.4MB
-
memory/1200-104-0x0000000140000000-0x000000014015A000-memory.dmpFilesize
1.4MB
-
memory/1200-105-0x0000000140000000-0x000000014015A000-memory.dmpFilesize
1.4MB
-
memory/1200-76-0x0000000140000000-0x000000014015A000-memory.dmpFilesize
1.4MB
-
memory/1200-107-0x0000000140000000-0x000000014015A000-memory.dmpFilesize
1.4MB
-
memory/1200-108-0x0000000140000000-0x000000014015A000-memory.dmpFilesize
1.4MB
-
memory/1200-109-0x0000000140000000-0x000000014015A000-memory.dmpFilesize
1.4MB
-
memory/1200-110-0x0000000140000000-0x000000014015A000-memory.dmpFilesize
1.4MB
-
memory/1200-112-0x0000000140000000-0x000000014015A000-memory.dmpFilesize
1.4MB
-
memory/1200-111-0x0000000140000000-0x000000014015A000-memory.dmpFilesize
1.4MB
-
memory/1200-113-0x0000000140000000-0x000000014015A000-memory.dmpFilesize
1.4MB
-
memory/1200-114-0x0000000140000000-0x000000014015A000-memory.dmpFilesize
1.4MB
-
memory/1200-118-0x0000000140000000-0x000000014015A000-memory.dmpFilesize
1.4MB
-
memory/1200-117-0x0000000140000000-0x000000014015A000-memory.dmpFilesize
1.4MB
-
memory/1200-116-0x0000000140000000-0x000000014015A000-memory.dmpFilesize
1.4MB
-
memory/1200-78-0x0000000140000000-0x000000014015A000-memory.dmpFilesize
1.4MB
-
memory/1200-79-0x0000000140000000-0x000000014015A000-memory.dmpFilesize
1.4MB
-
memory/1200-80-0x0000000140000000-0x000000014015A000-memory.dmpFilesize
1.4MB
-
memory/1200-71-0x0000000140000000-0x000000014015A000-memory.dmpFilesize
1.4MB
-
memory/1200-67-0x0000000140000000-0x000000014015A000-memory.dmpFilesize
1.4MB
-
memory/1200-68-0x0000000140000000-0x000000014015A000-memory.dmpFilesize
1.4MB
-
memory/1200-69-0x0000000140000000-0x000000014015A000-memory.dmpFilesize
1.4MB
-
memory/1200-70-0x0000000140000000-0x000000014015A000-memory.dmpFilesize
1.4MB
-
memory/1200-66-0x0000000140000000-0x000000014015A000-memory.dmpFilesize
1.4MB
-
memory/1200-65-0x0000000140000000-0x000000014015A000-memory.dmpFilesize
1.4MB
-
memory/1200-64-0x0000000140000000-0x000000014015A000-memory.dmpFilesize
1.4MB
-
memory/1200-63-0x0000000140000000-0x000000014015A000-memory.dmpFilesize
1.4MB
-
memory/1200-62-0x0000000140000000-0x000000014015A000-memory.dmpFilesize
1.4MB
-
memory/1200-61-0x0000000140000000-0x000000014015A000-memory.dmpFilesize
1.4MB
-
memory/1200-60-0x0000000140000000-0x000000014015A000-memory.dmpFilesize
1.4MB
-
memory/1200-59-0x0000000001E10000-0x0000000001E11000-memory.dmpFilesize
4KB
-
memory/1200-115-0x0000000140000000-0x000000014015A000-memory.dmpFilesize
1.4MB
-
memory/1200-136-0x0000000077CA0000-0x0000000077CA2000-memory.dmpFilesize
8KB
-
memory/1200-135-0x0000000001DF0000-0x0000000001DF7000-memory.dmpFilesize
28KB
-
memory/2004-54-0x000007FEF7290000-0x000007FEF73EA000-memory.dmpFilesize
1.4MB
-
memory/2004-58-0x0000000000280000-0x0000000000287000-memory.dmpFilesize
28KB