Analysis

  • max time kernel
    150s
  • max time network
    32s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
  • submitted
    10-03-2023 11:30

General

  • Target

    6712500bb0de148a99ec940160d3d61850e2ce3803adca8f39e9fa8621b8ea6f.dll

  • Size

    1.0MB

  • MD5

    369638ac700f3c41ebaba447d4048ff8

  • SHA1

    6c50a1abf9dc992e74a73279d40fb1a09368cdfe

  • SHA256

    6712500bb0de148a99ec940160d3d61850e2ce3803adca8f39e9fa8621b8ea6f

  • SHA512

    5f7a1913e83cd443a3339af0a52c04a4de17c67be480646d9bb02c984196a0a1ec3d7419ee88ca12d219af927aad1859c47372e08ba6a7a35ad956d5dc4ce7f5

  • SSDEEP

    12288:ClORVEAueQmTmQKO2nMlqVaSEwzH7YxiCyJ86azEZy1f11pNxWOLPa:GORVEVNmaDznMlqVNE27dJ8J2inNxn

Malware Config

Signatures

  • Dridex

    Dridex (known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Checks whether UAC is enabled 1 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\6712500bb0de148a99ec940160d3d61850e2ce3803adca8f39e9fa8621b8ea6f.dll,#1
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1888
  • C:\Users\Admin\AppData\Local\Ad6ASuN\sigverif.exe
    C:\Users\Admin\AppData\Local\Ad6ASuN\sigverif.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:924
  • C:\Windows\system32\sigverif.exe
    C:\Windows\system32\sigverif.exe
    PID:572
  • C:\Windows\system32\SystemPropertiesAdvanced.exe
    C:\Windows\system32\SystemPropertiesAdvanced.exe
    PID:2028
  • C:\Users\Admin\AppData\Local\Yktf0\SystemPropertiesAdvanced.exe
    C:\Users\Admin\AppData\Local\Yktf0\SystemPropertiesAdvanced.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:1092

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Discovery
    • System Information Discovery
      T1082 (1)
    • Query Registry
      T1012 (1)

Downloads

  • C:\Users\Admin\AppData\Local\Ad6ASuN\VERSION.dll
    Filesize
    1.0MB
    MD5
    804d57c536f8e0301766a277c441ad89
    SHA1
    002052a1b1f5a191a718d55e92d6ec3f697b4d14
    SHA256
    9c102443609540fdb537cb7b15ce30a5c74c7270a3396eb16265bef71aa5681b
    SHA512
    6c2b08bd7c5b8fd47b0b3d66c424bf9babd4d612024d72bb2e9115aa80b2754a93ebeb2fb5606f95512c28f1244ad72497ba963d9e5349d4e43adf885525f7b2
  • C:\Users\Admin\AppData\Local\Ad6ASuN\sigverif.exe
    Filesize
    73KB
    MD5
    e8e95ae5534553fc055051cee99a7f55
    SHA1
    4e0f668849fd546edd083d5981ed685d02a68df4
    SHA256
    9e107fd99892d08b15c223ac17c49af75a4cbca41b5e939bb91c9dca9f0d0bec
    SHA512
    5d3c32d136a264b6d2cfba4602e4d8f75e55ba0e199e0e81d7a515c34d8b9237db29647c10ab79081173010ff8e2c6a59b652c0a9cfa796433aed2d200f02da6
  • C:\Users\Admin\AppData\Local\Yktf0\SYSDM.CPL
    Filesize
    1.0MB
    MD5
    a8d366cef8f860c0033bdc8290188dd3
    SHA1
    dc19361ee49471c45d3a358904738d1f56c2f1b3
    SHA256
    123b12985f928a65036a5b154928f222c790e9202580e120f6581f5c8ffaffa6
    SHA512
    e851fd28e757a408c344f98c5352f7457403d9b465f3013a224f23ecab049d538ab0c1284fc7452e2701c68a4e1f9b84f5fffc25aa74573656459dbf9ab62ae4
  • C:\Users\Admin\AppData\Local\Yktf0\SystemPropertiesAdvanced.exe
    Filesize
    80KB
    MD5
    25dc1e599591871c074a68708206e734
    SHA1
    27a9dffa92d979d39c07d889fada536c062dac77
    SHA256
    a13b2ba5892c11c731869410b1e3dd2f250d70ff9efd513a9f260ab506dd42ef
    SHA512
    f7da9ce4c3e8aea9095fcc977084c042f85df48fca0b58fb136dfd835ce69b5b1e68f3c11eeb14c617ffcec7011ffc7e5d5a948f49dde653a2348b28e10adb72
  • \Users\Admin\AppData\Local\Ad6ASuN\VERSION.dll
    Filesize
    1.0MB
    MD5
    804d57c536f8e0301766a277c441ad89
    SHA1
    002052a1b1f5a191a718d55e92d6ec3f697b4d14
    SHA256
    9c102443609540fdb537cb7b15ce30a5c74c7270a3396eb16265bef71aa5681b
    SHA512
    6c2b08bd7c5b8fd47b0b3d66c424bf9babd4d612024d72bb2e9115aa80b2754a93ebeb2fb5606f95512c28f1244ad72497ba963d9e5349d4e43adf885525f7b2
  • \Users\Admin\AppData\Local\Ad6ASuN\sigverif.exe
    Filesize
    73KB
    MD5
    e8e95ae5534553fc055051cee99a7f55
    SHA1
    4e0f668849fd546edd083d5981ed685d02a68df4
    SHA256
    9e107fd99892d08b15c223ac17c49af75a4cbca41b5e939bb91c9dca9f0d0bec
    SHA512
    5d3c32d136a264b6d2cfba4602e4d8f75e55ba0e199e0e81d7a515c34d8b9237db29647c10ab79081173010ff8e2c6a59b652c0a9cfa796433aed2d200f02da6
  • \Users\Admin\AppData\Local\Yktf0\SYSDM.CPL
    Filesize
    1.0MB
    MD5
    a8d366cef8f860c0033bdc8290188dd3
    SHA1
    dc19361ee49471c45d3a358904738d1f56c2f1b3
    SHA256
    123b12985f928a65036a5b154928f222c790e9202580e120f6581f5c8ffaffa6
    SHA512
    e851fd28e757a408c344f98c5352f7457403d9b465f3013a224f23ecab049d538ab0c1284fc7452e2701c68a4e1f9b84f5fffc25aa74573656459dbf9ab62ae4
  • \Users\Admin\AppData\Local\Yktf0\SystemPropertiesAdvanced.exe
    Filesize
    80KB
    MD5
    25dc1e599591871c074a68708206e734
    SHA1
    27a9dffa92d979d39c07d889fada536c062dac77
    SHA256
    a13b2ba5892c11c731869410b1e3dd2f250d70ff9efd513a9f260ab506dd42ef
    SHA512
    f7da9ce4c3e8aea9095fcc977084c042f85df48fca0b58fb136dfd835ce69b5b1e68f3c11eeb14c617ffcec7011ffc7e5d5a948f49dde653a2348b28e10adb72
  • memory/924-104-0x000007FEFB460000-0x000007FEFB565000-memory.dmp
    Filesize
    1.0MB
  • memory/924-101-0x0000000000100000-0x0000000000107000-memory.dmp
    Filesize
    28KB
  • memory/924-98-0x000007FEFB460000-0x000007FEFB565000-memory.dmp
    Filesize
    1.0MB
  • memory/1092-116-0x000007FEF6C70000-0x000007FEF6D75000-memory.dmp
    Filesize
    1.0MB
  • memory/1092-119-0x00000000001E0000-0x00000000001E7000-memory.dmp
    Filesize
    28KB
  • memory/1092-122-0x000007FEF6C70000-0x000007FEF6D75000-memory.dmp
    Filesize
    1.0MB
  • memory/1372-67-0x0000000140000000-0x0000000140105000-memory.dmp
    Filesize
    1.0MB
  • memory/1372-73-0x0000000002200000-0x0000000002207000-memory.dmp
    Filesize
    28KB
  • memory/1372-86-0x0000000140000000-0x0000000140105000-memory.dmp
    Filesize
    1.0MB
  • memory/1372-80-0x0000000140000000-0x0000000140105000-memory.dmp
    Filesize
    1.0MB
  • memory/1372-79-0x0000000077950000-0x0000000077952000-memory.dmp
    Filesize
    8KB
  • memory/1372-76-0x0000000140000000-0x0000000140105000-memory.dmp
    Filesize
    1.0MB
  • memory/1372-63-0x0000000140000000-0x0000000140105000-memory.dmp
    Filesize
    1.0MB
  • memory/1372-64-0x0000000140000000-0x0000000140105000-memory.dmp
    Filesize
    1.0MB
  • memory/1372-66-0x0000000140000000-0x0000000140105000-memory.dmp
    Filesize
    1.0MB
  • memory/1372-89-0x0000000140000000-0x0000000140105000-memory.dmp
    Filesize
    1.0MB
  • memory/1372-59-0x0000000002690000-0x0000000002691000-memory.dmp
    Filesize
    4KB
  • memory/1372-69-0x0000000140000000-0x0000000140105000-memory.dmp
    Filesize
    1.0MB
  • memory/1372-68-0x0000000140000000-0x0000000140105000-memory.dmp
    Filesize
    1.0MB
  • memory/1372-65-0x0000000140000000-0x0000000140105000-memory.dmp
    Filesize
    1.0MB
  • memory/1372-61-0x0000000140000000-0x0000000140105000-memory.dmp
    Filesize
    1.0MB
  • memory/1888-54-0x000007FEFB350000-0x000007FEFB455000-memory.dmp
    Filesize
    1.0MB
  • memory/1888-58-0x000007FEFB350000-0x000007FEFB455000-memory.dmp
    Filesize
    1.0MB
  • memory/1888-57-0x0000000000220000-0x0000000000227000-memory.dmp
    Filesize
    28KB