Analysis

  • max time kernel
    150s
  • max time network
    128s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags
    arch:x64 arch:x86 image:win7-20231215-en locale:en-us os:windows7-x64 system
  • submitted
    22-12-2023 15:44

General

  • Target
    df0708fcf553fdf7b27a1591a96257db.dll
  • Size
    2.0MB
  • MD5
    df0708fcf553fdf7b27a1591a96257db
  • SHA1
    cb8d06051f06b38cba24df4ccf676c1be7090484
  • SHA256
    6dffce1ea68f5480f850e4b067f15d5950bca8d75f8d1a4b70059e11c0e02445
  • SHA512
    11ec4c936d13c08215f41a023f3846773aabfa0cc89d35cf2674cc9072e51537fc147b690a1bbb7d4fa1c845eed35345cf78ad43acde8cb8e55e612509d524d6
  • SSDEEP
    12288:AVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1xx:lfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex payload shellcode injected into the Explorer process.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\df0708fcf553fdf7b27a1591a96257db.dll
    • Suspicious behavior: EnumeratesProcesses
    PID:2044
  • C:\Windows\system32\msconfig.exe
    C:\Windows\system32\msconfig.exe
    PID:2812
  • C:\Users\Admin\AppData\Local\5Thf1kxi\msconfig.exe
    C:\Users\Admin\AppData\Local\5Thf1kxi\msconfig.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:2620
  • C:\Windows\system32\mblctr.exe
    C:\Windows\system32\mblctr.exe
    PID:2884
  • C:\Users\Admin\AppData\Local\Q6vgZ9\mblctr.exe
    C:\Users\Admin\AppData\Local\Q6vgZ9\mblctr.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:592
  • C:\Windows\system32\OptionalFeatures.exe
    C:\Windows\system32\OptionalFeatures.exe
    PID:2784
  • C:\Users\Admin\AppData\Local\pXBHn3G4e\OptionalFeatures.exe
    C:\Users\Admin\AppData\Local\pXBHn3G4e\OptionalFeatures.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:2940

Network

MITRE ATT&CK Enterprise v15

Downloads