Analysis

  • max time kernel
    45s
  • max time network
    137s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    22-12-2023 15:44

General

  • Target

    deac37150b94c6871f020007e2d20de8.dll

  • Size

    2.0MB

  • MD5

    deac37150b94c6871f020007e2d20de8

  • SHA1

    3b89d6d3afb9fc1111676be750b79ee563e0b51c

  • SHA256

    b9a2afe692a14758fe22e04ec1d379839fcee981e7c82d4c884af960394ccf9a

  • SHA512

    d511b778312473f7987fe3d69b419350a6acf096e3cab9a45b9320e944493bc694da073d502249c2c5f0e4b6452d5c5cdf808f8f12530b4cedd16b8e402ac87f

  • SSDEEP

    12288:gVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:FfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode (1 IoC)

    Detects Dridex payload shellcode injected into the Explorer process.

  • Executes dropped EXE (3 IoCs)
  • Loads dropped DLL (7 IoCs)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Checks whether UAC is enabled (1 TTP, 4 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of WriteProcessMemory (18 IoCs)
  • Uses Task Scheduler COM API (1 TTP)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\deac37150b94c6871f020007e2d20de8.dll,#1
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2664
  • C:\Windows\system32\winlogon.exe
    C:\Windows\system32\winlogon.exe
    PID:2644
  • C:\Users\Admin\AppData\Local\BrtoXMCfP\winlogon.exe
    C:\Users\Admin\AppData\Local\BrtoXMCfP\winlogon.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:2300
  • C:\Windows\system32\sigverif.exe
    C:\Windows\system32\sigverif.exe
    PID:1936
  • C:\Users\Admin\AppData\Local\ueZuSbV\sigverif.exe
    C:\Users\Admin\AppData\Local\ueZuSbV\sigverif.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:1908
  • C:\Windows\system32\SoundRecorder.exe
    C:\Windows\system32\SoundRecorder.exe
    PID:1716
  • C:\Users\Admin\AppData\Local\jeKL\SoundRecorder.exe
    C:\Users\Admin\AppData\Local\jeKL\SoundRecorder.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:1388
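The process tree above is the classic side-loading layout: each of winlogon.exe, sigverif.exe and SoundRecorder.exe runs once from System32 and once from a freshly created directory under AppData\Local, and the Downloads section lists UxTheme.dll and VERSION.dll dropped into two of those directories, names that shadow DLLs the real binaries import. The script below is an added example of detection logic for that pattern; it is not part of the sandbox report. It runs over constructed process-start and file-write events that mirror the report (the paths and PIDs are the report's; the event schema, the ordering of events and the short allow-list of system image names are assumptions).

```python
"""Detect the DLL side-loading pattern in this report's process tree: a copy
of a Windows system binary run from a user-writable directory next to a DLL
whose name shadows a system DLL.

Added example; this is not code from the sandbox or the report.  The event
records are constructed to mirror the report (image paths, PIDs and dropped
files are the report's; the event schema and event order are assumptions)."""
import ntpath
from collections import defaultdict

# Directories from which these binaries legitimately run (lower-cased, with
# trailing backslash so that prefix matching cannot be fooled by "system32x").
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Names taken from the report.  A real deployment would use a full inventory
# of System32 image and DLL names instead of this short list.
SYSTEM_EXES = {"rundll32.exe", "winlogon.exe", "sigverif.exe", "soundrecorder.exe"}
SYSTEM_DLLS = {"uxtheme.dll", "version.dll"}

# Constructed telemetry modelled on the report.  The report does not say which
# process wrote the dropped files, so file_write events carry no PID.
EVENTS = [
    {"event": "process_start", "pid": 2664, "image": r"C:\Windows\system32\rundll32.exe"},
    {"event": "process_start", "pid": 2644, "image": r"C:\Windows\system32\winlogon.exe"},
    {"event": "file_write", "path": r"C:\Users\Admin\AppData\Local\BrtoXMCfP\winlogon.exe"},
    {"event": "process_start", "pid": 2300, "image": r"C:\Users\Admin\AppData\Local\BrtoXMCfP\winlogon.exe"},
    {"event": "process_start", "pid": 1936, "image": r"C:\Windows\system32\sigverif.exe"},
    {"event": "file_write", "path": r"C:\Users\Admin\AppData\Local\ueZuSbV\VERSION.dll"},
    {"event": "file_write", "path": r"C:\Users\Admin\AppData\Local\ueZuSbV\sigverif.exe"},
    {"event": "process_start", "pid": 1908, "image": r"C:\Users\Admin\AppData\Local\ueZuSbV\sigverif.exe"},
    {"event": "process_start", "pid": 1716, "image": r"C:\Windows\system32\SoundRecorder.exe"},
    {"event": "file_write", "path": r"C:\Users\Admin\AppData\Local\jeKL\UxTheme.dll"},
    {"event": "file_write", "path": r"C:\Users\Admin\AppData\Local\jeKL\SoundRecorder.exe"},
    {"event": "process_start", "pid": 1388, "image": r"C:\Users\Admin\AppData\Local\jeKL\SoundRecorder.exe"},
]


def split_lower(path):
    """Return (directory with trailing backslash, file name), both lower-cased."""
    directory, name = ntpath.split(path)
    return directory.lower().rstrip("\\") + "\\", name.lower()


def find_sideloads(events):
    """Return (severity, pid, exe_path, shadow_dll_path_or_None) per suspicious start.

    high:   system-binary name outside a system dir, and a shadow DLL was
            planted in the same directory (side-load)
    medium: same, the binary itself was dropped, but no shadow DLL was seen
    low:    system-binary name outside a system dir, nothing else observed
    """
    planted = defaultdict(list)   # directory -> shadow DLLs written there
    dropped = set()               # lower-cased path of every file written
    for ev in events:
        if ev["event"] == "file_write":
            directory, name = split_lower(ev["path"])
            dropped.add(ev["path"].lower())
            if name in SYSTEM_DLLS and not directory.startswith(SYSTEM_DIRS):
                planted[directory].append(ev["path"])

    findings = []
    for ev in events:
        if ev["event"] != "process_start":
            continue
        directory, name = split_lower(ev["image"])
        # A system image name is only interesting when it runs from elsewhere.
        if name not in SYSTEM_EXES or directory.startswith(SYSTEM_DIRS):
            continue
        dlls = planted.get(directory, [])
        if dlls:
            severity = "high"
        elif ev["image"].lower() in dropped:
            severity = "medium"
        else:
            severity = "low"
        findings.append((severity, ev["pid"], ev["image"], dlls[0] if dlls else None))
    return findings


if __name__ == "__main__":
    for severity, pid, image, dll in find_sideloads(EVENTS):
        print(f"{severity:6} pid={pid} {image}" + (f"  <- {dll}" if dll else ""))
```

On the report's data this yields one medium finding (the BrtoXMCfP copy of winlogon.exe, for which no dropped DLL is listed) and two high findings (sigverif.exe with VERSION.dll, SoundRecorder.exe with UxTheme.dll). In live telemetry the file writes would additionally be required to precede the process start, and the writer PID would tie the drop back to the injected process.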

Network

MITRE ATT&CK Enterprise v15


Downloads

        • C:\Users\Admin\AppData\Local\jeKL\SoundRecorder.exe

          Filesize

          62KB

          MD5

          db7c1b84548aca9d303b28dd2c2e0d17

          SHA1

          0a6559e35d73c1f47e5197ad640478a2ccc62ea3

          SHA256

          fa6ecd0fc3541bc48f12a59c5a42a6f4af69f29071c0b1a29a7f698654e0f219

          SHA512

          a48a8a929488ebb64781b478dec43028dd988b5713c9e805b6ff861195ed4f12ffb7b41a3c72e9fc1d5516dcbf57690ab8f099fb2a59bb0907cabef59dbd3e55

        • C:\Users\Admin\AppData\Local\jeKL\UxTheme.dll

          Filesize

          377B

          MD5

          2a946d11466ddc75e1c74a3d569505cf

          SHA1

          291def04fe1bb2340483592b4a0c6f0430c77498

          SHA256

          d7b372133c284a3ac1eb2db7b7ecc7ad4beefc06d046bba64f0f377951f86156

          SHA512

          ad0f8e4c49ab44a1b2db1a2b10df498feb353d7feb197ca91b845e2a3030c5acb7f261a5ed3b6302a930028d03aa1e4328b4616f4769ba8642c9803be6579c8d

        • C:\Users\Admin\AppData\Local\ueZuSbV\VERSION.dll

          Filesize

          not recorded; the four digests below are those of zero-length input, so this copy was captured empty. The 92KB entry for the same path further down is the populated file.

          MD5

          d41d8cd98f00b204e9800998ecf8427e

          SHA1

          da39a3ee5e6b4b0d3255bfef95601890afd80709

          SHA256

          e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

          SHA512

          cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

        • C:\Users\Admin\AppData\Local\ueZuSbV\sigverif.exe

          Filesize

          73KB

          MD5

          e8e95ae5534553fc055051cee99a7f55

          SHA1

          4e0f668849fd546edd083d5981ed685d02a68df4

          SHA256

          9e107fd99892d08b15c223ac17c49af75a4cbca41b5e939bb91c9dca9f0d0bec

          SHA512

          5d3c32d136a264b6d2cfba4602e4d8f75e55ba0e199e0e81d7a515c34d8b9237db29647c10ab79081173010ff8e2c6a59b652c0a9cfa796433aed2d200f02da6

        • C:\Users\Admin\AppData\Local\ueZuSbV\sigverif.exe

          Filesize

          31KB

          MD5

          b9717042f141308df5f7f3c7d4d4ed07

          SHA1

          210ec93a0c81d09d8052e63ec66ae357d482a31b

          SHA256

          33be45b91bac6e9d43754ee7f5cb0f466ded5490578ea6f1e8c953850f4c70c0

          SHA512

          d7bb31274145906049e05bef1722c78a9a50e8150c6cc4eb844568db4267b864e6a120a03af663a20a9c46fb794eba0f27ea237bbb5d91ed14093598c5f863d0

        • \Users\Admin\AppData\Local\jeKL\SoundRecorder.exe

          Filesize

          77KB

          MD5

          6efb6e82714e11b7e67865bf814ece93

          SHA1

          31c2613b26793daee4d97f34aaebc58a31b9253d

          SHA256

          c948313f4d6969b0a212577b4af8e4ebaeb0d3fea1fb1a9f1f2f45a8b4493f95

          SHA512

          acaad443df07b1d7be19b80b93a0cd14d2d9bc8246fe475d4aee040e11eea22e0bd42610eff58bc2d81d2d5ba55ee9b6c2973d4ecde9d4f313f1ca9816528531

        • \Users\Admin\AppData\Local\ueZuSbV\VERSION.dll

          Filesize

          92KB

          MD5

          175f946cbf9d5d83935954661602a1f8

          SHA1

          8882840b914444fc072da44b8236a22699566f94

          SHA256

          0ab87944f4a2ebb2381f71a06c9d60180c37d2c467620b6a967c3a9e0bcab8bb

          SHA512

          6537f656ca41ae9efcda89227f1d24d91f28491758db5947232cb9b3cbf21668d0408f8ccd5c293aa6c872e1a62467927ab88552788bb1301bdd4a63d0b5c281

        • \Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\UserData\E2\SoundRecorder.exe

          Filesize

          32KB

          MD5

          0c9601edb5c26d816a4ade92604aeb30

          SHA1

          505ddffb06f07e8f7ce193e86204f4b6f15a1728

          SHA256

          e425496039ac6d193fd71b75f20a3f3475a0af1aeebf1205345b16a23f6f5def

          SHA512

          baee81ebdd97fb10ea6072b735938550b8f16fbc36712e79e52e08055236798395a3ce7172e820ef83d164c414bc24752b74a9e99ef49512f028fef9260333d1

        Memory dumps

        File names follow memory/<PID>-<index>-0x<start>-0x<end>-memory.dmp; the entries are grouped here by process and region, with the indices of the dumps taken of each region.

        • PID 1264

          0x0000000140000000-0x00000001401F8000, 2.0MB, dumps 7, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 47, 58, 64
          0x0000000002680000-0x0000000002687000, 28KB, dump 41
          0x00000000029A0000-0x00000000029A1000, 4KB, dump 5
          0x00000000778B6000-0x00000000778B7000, 4KB, dumps 4, 141
          0x0000000077AC1000-0x0000000077AC2000, 4KB, dump 48
          0x0000000077C20000-0x0000000077C22000, 8KB, dump 49

        • PID 1388

          0x00000000001B0000-0x00000000001B7000, 28KB, dump 118

        • PID 1908

          0x0000000140000000-0x00000001401F9000, 2.0MB, dumps 101, 106
          0x00000000001A0000-0x00000000001A7000, 28KB, dump 100

        • PID 2300

          0x0000000140000000-0x00000001401FA000, 2.0MB, dumps 76, 81
          0x0000000000100000-0x0000000000107000, 28KB, dump 77

        • PID 2664

          0x0000000140000000-0x00000001401F8000, 2.0MB, dumps 1, 8
          0x0000000000330000-0x0000000000337000, 28KB, dump 0
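Most of the dumps above come from PID 1264, which does not appear in the process tree, and they map a region at 0x140000000, the linker's default image base for 64-bit executables, of exactly the size the report captures in rundll32.exe (PID 2664), the process that loaded the sample: 0x1F8000 bytes, the 2.0MB of the DLL itself. That is consistent with the "Dridex Shellcode" signature's description of a payload injected into Explorer, although the report never names the image behind PID 1264. The script below, an added example and not part of the report, parses the dump names, groups them by process and region, and flags a sample-sized image at the 64-bit default base in any PID the tree does not list. The dump names are a subset of those above and the tree PIDs are from the Processes section; reading the middle number of a dump name as a sequence index is an assumption about the sandbox's naming.

```python
"""Group sandbox memory-dump names by process and region, and flag a
sample-sized image at the 64-bit PE default base in a PID that the process
tree never lists.

Added example, not part of the sandbox report.  DUMPS is a subset of the
report's memory/... entries and TREE_PIDS are the PIDs from its Processes
section; reading the middle number as a dump sequence index is an assumption."""
import re
from collections import defaultdict

# memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

PE64_DEFAULT_BASE = 0x140000000                   # default ImageBase for 64-bit EXEs
SAMPLE_MAPPED_SIZE = 0x1401F8000 - 0x140000000    # 0x1F8000 bytes, the PID 2664 region

TREE_PIDS = {2664, 2644, 2300, 1936, 1908, 1716, 1388}

# Subset of the report's dump names (verbatim).
DUMPS = [
    "memory/2664-0-0x0000000000330000-0x0000000000337000-memory.dmp",
    "memory/2664-1-0x0000000140000000-0x00000001401F8000-memory.dmp",
    "memory/1264-7-0x0000000140000000-0x00000001401F8000-memory.dmp",
    "memory/1264-11-0x0000000140000000-0x00000001401F8000-memory.dmp",
    "memory/1264-22-0x0000000140000000-0x00000001401F8000-memory.dmp",
    "memory/1264-4-0x00000000778B6000-0x00000000778B7000-memory.dmp",
    "memory/1264-141-0x00000000778B6000-0x00000000778B7000-memory.dmp",
    "memory/1264-41-0x0000000002680000-0x0000000002687000-memory.dmp",
    "memory/2300-76-0x0000000140000000-0x00000001401FA000-memory.dmp",
    "memory/1908-101-0x0000000140000000-0x00000001401F9000-memory.dmp",
    "memory/1388-118-0x00000000001B0000-0x00000000001B7000-memory.dmp",
]


def parse_dump(name):
    """Split one dump file name into pid, index, start and end (ints)."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a sandbox dump name: {name}")
    return {"pid": int(m["pid"]), "idx": int(m["idx"]),
            "start": int(m["start"], 16), "end": int(m["end"], 16)}


def group_regions(names):
    """Return {(pid, start, end): sorted list of dump indices}."""
    regions = defaultdict(list)
    for name in names:
        d = parse_dump(name)
        regions[(d["pid"], d["start"], d["end"])].append(d["idx"])
    return {key: sorted(idxs) for key, idxs in regions.items()}


def flag_default_base_images(regions, tree_pids, sample_size=SAMPLE_MAPPED_SIZE,
                             tolerance=0x2000):
    """Regions at PE64_DEFAULT_BASE whose size is within `tolerance` of the
    sample's mapped size.  A hit with in_tree False is a full image living in
    a process the sandbox never saw start, which is what injection looks like
    from the dump list alone."""
    hits = []
    for (pid, start, end), idxs in sorted(regions.items()):
        if start != PE64_DEFAULT_BASE:
            continue
        size = end - start
        if abs(size - sample_size) > tolerance:
            continue
        hits.append({"pid": pid, "size": size, "in_tree": pid in tree_pids, "dumps": idxs})
    return hits


def unlisted_pids(hits):
    """PIDs holding a sample-sized image that the process tree does not list."""
    return sorted(h["pid"] for h in hits if not h["in_tree"])


if __name__ == "__main__":
    hits = flag_default_base_images(group_regions(DUMPS), TREE_PIDS)
    for h in hits:
        tag = "in tree" if h["in_tree"] else "NOT IN TREE"
        print(f"pid {h['pid']}: 0x{h['size']:X} bytes at 0x{PE64_DEFAULT_BASE:X} ({tag}), dumps {h['dumps']}")
```

The tolerance exists because the side-loaded copies (PIDs 1908 and 2300) hold a region at the same base that is one or two pages larger than the sample's; they are in the tree, so only PID 1264 comes back from unlisted_pids. The 28KB regions at low addresses in every process are left alone here, since the dump list gives no protection flags to reason about them.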