Analysis

  • max time kernel
    149s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    22-12-2023 15:47

General

  • Target

    e06bc9c34016a67b0d3a56913db15515.dll

  • Size

    2.1MB

  • MD5

    e06bc9c34016a67b0d3a56913db15515

  • SHA1

    b6b8a5ac1eb6952a7d92c37b4b9c38745796b1f5

  • SHA256

    9defa598e8384355655dd2fcba9e94f1bfbb4fc1d14d4f43cef7ce3173cc8736

  • SHA512

    79c4dcb7ff48c177ceba1d84946fde02ec9a122bccdff124fd2092d4b063837ba97f43ca49d4f43dc9c47e2ffba730a26bdca8cdfebedcfba03a5d7ab85bc313

  • SSDEEP

    12288:2VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:rfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a banking trojan that specializes in stealing online-banking credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex payload shellcode injected into the Explorer process.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run at boot or at set times, which is a persistence mechanism.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\e06bc9c34016a67b0d3a56913db15515.dll,#1
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2752
  • C:\Windows\system32\shrpubw.exe
    C:\Windows\system32\shrpubw.exe
    PID:2492
  • C:\Users\Admin\AppData\Local\pcHqTgC5\shrpubw.exe
    C:\Users\Admin\AppData\Local\pcHqTgC5\shrpubw.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:2532
  • C:\Users\Admin\AppData\Local\cQ1Qu7zw\tcmsetup.exe
    C:\Users\Admin\AppData\Local\cQ1Qu7zw\tcmsetup.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:2520
  • C:\Windows\system32\tcmsetup.exe
    C:\Windows\system32\tcmsetup.exe
    PID:2772
  • C:\Users\Admin\AppData\Local\QlG\perfmon.exe
    C:\Users\Admin\AppData\Local\QlG\perfmon.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:1864
  • C:\Windows\system32\perfmon.exe
    C:\Windows\system32\perfmon.exe
    PID:2172
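The process list shows the pattern worth alerting on: copies of signed Windows binaries (shrpubw.exe, tcmsetup.exe, perfmon.exe) executed from randomly named AppData\Local directories, while DLLs whose names belong in System32 (TAPI32.dll, credui.dll, MFC42u.dll) are dropped under AppData\Roaming, and rundll32.exe is handed a DLL in the user's Temp directory. The Python below is an added detection example, not part of the sandbox report and not vendor tooling; the event dictionary format, the helper names and the small System32 baseline set are assumptions, and the sample events are constructed from the paths this report lists.

```python
"""Flag System32 file names that appear under user-writable paths, plus
rundll32.exe being pointed at a DLL in a user-writable path.
Added example; event schema, helper names and baseline are assumptions."""
from pathlib import PureWindowsPath

# Assumption: names a clean host ships in System32. In production derive this
# from a golden image (e.g. os.listdir(r"C:\Windows\System32")), not by hand.
SYSTEM32_BASELINE = {
    "rundll32.exe", "shrpubw.exe", "tcmsetup.exe", "perfmon.exe",
    "tapi32.dll", "credui.dll", "mfc42u.dll",
}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
USER_WRITABLE = (r"\appdata\local", r"\appdata\roaming", r"\users\public", r"\temp")

# Constructed from the report's Processes and Downloads sections. The report
# does not say which process wrote which DLL, so file_create events carry no pid.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 2752, "path": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\e06bc9c34016a67b0d3a56913db15515.dll,#1"},
    {"type": "process", "pid": 2492, "path": r"C:\Windows\system32\shrpubw.exe"},
    {"type": "process", "pid": 2532, "path": r"C:\Users\Admin\AppData\Local\pcHqTgC5\shrpubw.exe"},
    {"type": "process", "pid": 2520, "path": r"C:\Users\Admin\AppData\Local\cQ1Qu7zw\tcmsetup.exe"},
    {"type": "process", "pid": 2772, "path": r"C:\Windows\system32\tcmsetup.exe"},
    {"type": "process", "pid": 1864, "path": r"C:\Users\Admin\AppData\Local\QlG\perfmon.exe"},
    {"type": "process", "pid": 2172, "path": r"C:\Windows\system32\perfmon.exe"},
    {"type": "file_create", "pid": None,
     "path": r"C:\Users\Admin\AppData\Roaming\Identities\{85F2D219-4DA8-41B0-8F71-51D9FDB705AC}\yX\TAPI32.dll"},
    {"type": "file_create", "pid": None,
     "path": r"C:\Users\Admin\AppData\Roaming\Identities\{85F2D219-4DA8-41B0-8F71-51D9FDB705AC}\yX\oHmj\credui.dll"},
    {"type": "file_create", "pid": None,
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IECompatUACache\Rhm\MFC42u.dll"},
]


def _in_system_dir(path: str) -> bool:
    """True when the file's parent directory is System32 or SysWOW64."""
    return str(PureWindowsPath(path).parent).lower() in SYSTEM_DIRS


def _user_writable(path: str) -> bool:
    """Cheap path-prefix heuristic; a real deployment would check the ACL."""
    low = path.lower()
    return any(marker in low for marker in USER_WRITABLE)


def find_sideload_candidates(events):
    """Return one finding dict per suspicious event.

    Rule 1: a System32 file name (EXE or DLL) living under a user-writable path.
    Rule 2: rundll32.exe from System32 whose command line names a DLL under a
            user-writable path (the initial execution in this report).
    """
    findings = []
    for ev in events:
        path = ev["path"]
        name = PureWindowsPath(path).name.lower()
        if name in SYSTEM32_BASELINE and not _in_system_dir(path) and _user_writable(path):
            findings.append({"pid": ev.get("pid"), "path": path,
                             "reason": f"{name} is a System32 file name under a user-writable path"})
        if name == "rundll32.exe" and _in_system_dir(path):
            # Whitespace split is enough for the report's command line; quoted
            # paths with spaces would need a proper Windows argv parser.
            for token in ev.get("cmdline", "").split():
                dll = token.split(",")[0]  # strip the ",#ordinal" / ",Export" suffix
                if dll.lower().endswith(".dll") and _user_writable(dll):
                    findings.append({"pid": ev.get("pid"), "path": dll,
                                     "reason": "rundll32 loading a DLL from a user-writable path"})
    return findings


def pids_to_triage(findings):
    """Sorted, de-duplicated PIDs that an analyst should dump or isolate first."""
    return sorted({f["pid"] for f in findings if f["pid"] is not None})


if __name__ == "__main__":
    hits = find_sideload_candidates(SAMPLE_EVENTS)
    for h in hits:
        print(f"pid={h['pid']!s:>5}  {h['reason']}: {h['path']}")
    print("triage PIDs:", pids_to_triage(hits))
```

Running the block against the constructed events yields seven findings: the three renamed-directory copies of shrpubw.exe, tcmsetup.exe and perfmon.exe, the three dropped DLLs, and the rundll32.exe invocation; the legitimate System32 copies (PIDs 2492, 2772, 2172) are not flagged because the same file names in their expected directory are exactly the decoy this technique relies on.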

Network

MITRE ATT&CK Enterprise v15

Downloads

Dropped files. All three carry the name of a DLL that normally lives in System32 (tapi32.dll, credui.dll, mfc42u.dll) but are written to user-writable directories, matching the Loads dropped DLL signature.

  • C:\Users\Admin\AppData\Roaming\Identities\{85F2D219-4DA8-41B0-8F71-51D9FDB705AC}\yX\TAPI32.dll
    Filesize 30KB
    MD5 9a8b33a16eece2090094f7f06c7f3def
    SHA1 94a7c772e20a502c2a28ac4ca14c344ff5b1b404
    SHA256 f550b841b79dbda3025134baf8df84ee452c21527a44ef4e5b48ba07ae2c5b14
    SHA512 eb670ea68a5ce9d0ec94aa55e2bd81a8f56f5e79d6b904939d33b1e4aff1851d71befdc4c718194c5b0d7fb7a7cb3e93128a026f1033870bb644f0d50f38ecf3

  • C:\Users\Admin\AppData\Roaming\Identities\{85F2D219-4DA8-41B0-8F71-51D9FDB705AC}\yX\oHmj\credui.dll
    Filesize 124KB
    MD5 de52fa31c439d86a2687b8254e816cbf
    SHA1 6b0765a28aaf48ba54c80a68fa6c37043a847e6e
    SHA256 d6a7e8fe85e67697f65271e6c19f3b77df0d7555bc44b3ec9319672bd4dcf021
    SHA512 8a43704ef37a2a3018316531856101900abd40cbaaa36397a31ccefc34a02188d7b4ffbadc129a6739b05408ef236762af2845c88b81e60c0741f369176fde46

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IECompatUACache\Rhm\MFC42u.dll
    Filesize 11KB
    MD5 4c31a16a7973693fb4e5873c36c77216
    SHA1 5bbef481a1dda8817bd720a5c3727d0ed5894870
    SHA256 4066d341d072c4b11c2fea12fe4f828b375631223db790647794e84fe114ee6c
    SHA512 1acec6fde95eea48d2bb84f2de0cddb13fba5df69961257cff38233a5dc18cdd050381069e2a7e395b95a24d7fca87fd2794bcd9ab8a81be4f56811c8e3bd529

Memory dumps. PID 1352 does not appear in the Processes list above; the Dridex Shellcode signature (shellcode injected into the Explorer process) and the WriteProcessMemory detections are the report's own explanation for activity in a process it never launched. The range 0x140000000-0x140212000 spans 0x212000 = 2,170,880 bytes, the same 2.1MB as the submitted DLL, and the same range is dumped from PID 2752 (rundll32.exe), consistent with the sample being mapped at its preferred image base in both processes.

  • memory/1352-4-0x0000000077716000-0x0000000077717000-memory.dmp (4KB)
  • memory/1352-5-0x0000000002D60000-0x0000000002D61000-memory.dmp (4KB)
  • memory/1352-7-0x0000000140000000-0x0000000140212000-memory.dmp (2.1MB)
  • memory/1352-9-0x0000000140000000-0x0000000140212000-memory.dmp (2.1MB)
  • memory/1352-10-0x0000000140000000-0x0000000140212000-memory.dmp (2.1MB)
  • memory/1352-11-0x0000000140000000-0x0000000140212000-memory.dmp (2.1MB)
  • memory/1352-12-0x0000000140000000-0x0000000140212000-memory.dmp (2.1MB)
  • memory/1352-13-0x0000000140000000-0x0000000140212000-memory.dmp (2.1MB)
  • memory/1352-14-0x0000000140000000-0x0000000140212000-memory.dmp (2.1MB)
  • memory/1352-15-0x0000000140000000-0x0000000140212000-memory.dmp (2.1MB)
  • memory/1352-16-0x0000000140000000-0x0000000140212000-memory.dmp (2.1MB)
  • memory/1352-17-0x0000000140000000-0x0000000140212000-memory.dmp (2.1MB)
  • memory/1352-18-0x0000000140000000-0x0000000140212000-memory.dmp (2.1MB)
  • memory/1352-19-0x0000000140000000-0x0000000140212000-memory.dmp (2.1MB)
  • memory/1352-20-0x0000000140000000-0x0000000140212000-memory.dmp (2.1MB)
  • memory/1352-21-0x0000000140000000-0x0000000140212000-memory.dmp (2.1MB)
  • memory/1352-22-0x0000000140000000-0x0000000140212000-memory.dmp (2.1MB)
  • memory/1352-23-0x0000000140000000-0x0000000140212000-memory.dmp (2.1MB)
  • memory/1352-24-0x0000000140000000-0x0000000140212000-memory.dmp (2.1MB)
  • memory/1352-25-0x0000000140000000-0x0000000140212000-memory.dmp (2.1MB)
  • memory/1352-26-0x0000000140000000-0x0000000140212000-memory.dmp (2.1MB)
  • memory/1352-27-0x0000000140000000-0x0000000140212000-memory.dmp (2.1MB)
  • memory/1352-28-0x0000000140000000-0x0000000140212000-memory.dmp (2.1MB)
  • memory/1352-29-0x0000000140000000-0x0000000140212000-memory.dmp (2.1MB)
  • memory/1352-30-0x0000000140000000-0x0000000140212000-memory.dmp (2.1MB)
  • memory/1352-31-0x0000000140000000-0x0000000140212000-memory.dmp (2.1MB)
  • memory/1352-32-0x0000000140000000-0x0000000140212000-memory.dmp (2.1MB)
  • memory/1352-33-0x0000000140000000-0x0000000140212000-memory.dmp (2.1MB)
  • memory/1352-34-0x0000000140000000-0x0000000140212000-memory.dmp (2.1MB)
  • memory/1352-35-0x0000000140000000-0x0000000140212000-memory.dmp (2.1MB)
  • memory/1352-36-0x0000000140000000-0x0000000140212000-memory.dmp (2.1MB)
  • memory/1352-37-0x0000000140000000-0x0000000140212000-memory.dmp (2.1MB)
  • memory/1352-38-0x0000000140000000-0x0000000140212000-memory.dmp (2.1MB)
  • memory/1352-39-0x0000000140000000-0x0000000140212000-memory.dmp (2.1MB)
  • memory/1352-40-0x0000000140000000-0x0000000140212000-memory.dmp (2.1MB)
  • memory/1352-41-0x0000000140000000-0x0000000140212000-memory.dmp (2.1MB)
  • memory/1352-42-0x0000000140000000-0x0000000140212000-memory.dmp (2.1MB)
  • memory/1352-43-0x0000000140000000-0x0000000140212000-memory.dmp (2.1MB)
  • memory/1352-44-0x0000000140000000-0x0000000140212000-memory.dmp (2.1MB)
  • memory/1352-45-0x0000000140000000-0x0000000140212000-memory.dmp (2.1MB)
  • memory/1352-46-0x0000000140000000-0x0000000140212000-memory.dmp (2.1MB)
  • memory/1352-47-0x0000000140000000-0x0000000140212000-memory.dmp (2.1MB)
  • memory/1352-48-0x0000000140000000-0x0000000140212000-memory.dmp (2.1MB)
  • memory/1352-49-0x0000000140000000-0x0000000140212000-memory.dmp (2.1MB)
  • memory/1352-50-0x0000000140000000-0x0000000140212000-memory.dmp (2.1MB)
  • memory/1352-51-0x0000000002D40000-0x0000000002D47000-memory.dmp (28KB)
  • memory/1352-52-0x0000000140000000-0x0000000140212000-memory.dmp (2.1MB)
  • memory/1352-59-0x0000000140000000-0x0000000140212000-memory.dmp (2.1MB)
  • memory/1352-60-0x0000000077921000-0x0000000077922000-memory.dmp (4KB)
  • memory/1352-61-0x0000000077A80000-0x0000000077A82000-memory.dmp (8KB)
  • memory/1352-70-0x0000000140000000-0x0000000140212000-memory.dmp (2.1MB)
  • memory/1352-75-0x0000000140000000-0x0000000140212000-memory.dmp (2.1MB)
  • memory/1352-76-0x0000000140000000-0x0000000140212000-memory.dmp (2.1MB)
  • memory/1352-158-0x0000000077716000-0x0000000077717000-memory.dmp (4KB)
  • memory/1864-132-0x00000000001A0000-0x00000000001A7000-memory.dmp (28KB)
  • memory/2520-114-0x0000000000180000-0x0000000000187000-memory.dmp (28KB)
  • memory/2532-90-0x0000000000280000-0x0000000000287000-memory.dmp (28KB)
  • memory/2752-0-0x0000000140000000-0x0000000140212000-memory.dmp (2.1MB)
  • memory/2752-1-0x0000000000120000-0x0000000000127000-memory.dmp (28KB)
  • memory/2752-8-0x0000000140000000-0x0000000140212000-memory.dmp (2.1MB)