Analysis

  • max time kernel
    156s
  • max time network
    137s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    22-12-2023 15:47

General

  • Target

    e07278c27ec90b3d8fc7500d8180f0a8.dll

  • Size

    2.2MB

  • MD5

    e07278c27ec90b3d8fc7500d8180f0a8

  • SHA1

    2182eb858155c58ed16cab5d023fe4fde762a6be

  • SHA256

    ea2fba4b7d64dc7c14d8b7e2bbb4f2333976b93c5f6d32310925eda10593ca72

  • SHA512

    73b7d147fb8242d641315bf6e8f5824738dad17356ec8245b38754fd190f174278fdf69f1326a7f7e819de3aeebdbf563bbbf4a0e27ba461ceb8170d4a7cd8db

  • SSDEEP

    12288:bVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:6fP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a banking trojan that specializes in stealing online banking credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex payload shellcode injected into the Explorer process.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
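The three autostart channels flagged above (a Run key, the Startup-folder shortcut Hbeids.lnk, and the Task Scheduler COM API) can be enumerated on a suspect host with the script below. It is an added example, not part of the sandbox report or of any Triage tooling. Its assumptions are its own: it runs as the affected user, needs PowerShell 3.0 or later, and treats the `$UserWritable` pattern as the definition of a suspicious target path; scheduled tasks are read through the same `Schedule.Service` COM interface the sample uses, which also exists on Windows 7 where `Get-ScheduledTask` does not.

```powershell
# Added example (not part of the sandbox report). Enumerates Run/RunOnce keys,
# Startup-folder .lnk files and scheduled-task exec actions, then prints the
# entries whose target lives in a user-writable location.
# Assumptions (this example's, not the report's): run as the affected user,
# PowerShell 3.0 or later, and $UserWritable as the notion of "suspicious".

$UserWritable = '\\AppData\\(Local|Roaming)\\|\\Users\\Public\\|\\ProgramData\\'

function Get-RunKeyEntries {
    $keys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        $item = Get-Item -Path $k
        foreach ($name in $item.GetValueNames()) {
            [pscustomobject]@{ Source = 'RunKey'; Name = "$k\$name"; Target = [string]$item.GetValue($name) }
        }
    }
}

function Get-StartupLinks {
    # Resolve each .lnk through WScript.Shell so the real target is compared, not the link name.
    $shell = New-Object -ComObject WScript.Shell
    $dirs = [Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup')
    foreach ($d in $dirs) {
        Get-ChildItem -Path $d -Filter *.lnk -ErrorAction SilentlyContinue | ForEach-Object {
            $lnk = $shell.CreateShortcut($_.FullName)
            [pscustomobject]@{ Source = 'StartupLnk'; Name = $_.FullName; Target = ("$($lnk.TargetPath) $($lnk.Arguments)").Trim() }
        }
    }
}

function Get-ScheduledTaskActions {
    # Walks the task store through the Schedule.Service COM interface (the API the
    # "Uses Task Scheduler COM API" signature refers to), including hidden tasks.
    $svc = New-Object -ComObject Schedule.Service
    $svc.Connect()
    $pending = New-Object System.Collections.Stack
    $pending.Push($svc.GetFolder('\'))
    while ($pending.Count -gt 0) {
        $folder = $pending.Pop()
        foreach ($sub in $folder.GetFolders(0)) { $pending.Push($sub) }
        foreach ($task in $folder.GetTasks(1)) {        # 1 = TASK_ENUM_HIDDEN
            foreach ($action in $task.Definition.Actions) {
                if ($action.Type -ne 0) { continue }     # 0 = TASK_ACTION_EXEC
                [pscustomobject]@{ Source = 'SchedTask'; Name = $task.Path; Target = ("$($action.Path) $($action.Arguments)").Trim() }
            }
        }
    }
}

$findings = @(Get-RunKeyEntries) + @(Get-StartupLinks) + @(Get-ScheduledTaskActions)
$findings | Where-Object { $_.Target -match $UserWritable } | Format-Table -AutoSize Source, Name, Target
```

On a host infected with this sample the Startup entry should resolve to one of the dropped executables under `AppData\Local`; drop the `Where-Object` filter to see every autostart entry, since a task or Run value that points at a legitimate System32 binary with an unusual working directory is worth a look too.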

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\e07278c27ec90b3d8fc7500d8180f0a8.dll,#1
    PID: 2404
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
  • C:\Windows\system32\icardagt.exe
    C:\Windows\system32\icardagt.exe
    PID: 1516
  • C:\Users\Admin\AppData\Local\zIJHw3ib\icardagt.exe
    C:\Users\Admin\AppData\Local\zIJHw3ib\icardagt.exe
    PID: 1564
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
  • C:\Windows\system32\SystemPropertiesProtection.exe
    C:\Windows\system32\SystemPropertiesProtection.exe
    PID: 756
  • C:\Users\Admin\AppData\Local\u6AEzWV\SystemPropertiesProtection.exe
    C:\Users\Admin\AppData\Local\u6AEzWV\SystemPropertiesProtection.exe
    PID: 1908
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
  • C:\Windows\system32\wextract.exe
    C:\Windows\system32\wextract.exe
    PID: 2880
  • C:\Users\Admin\AppData\Local\X1MjLwJ\wextract.exe
    C:\Users\Admin\AppData\Local\X1MjLwJ\wextract.exe
    PID: 1228
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
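The process list and the file list show the same layout three times: a copy of a System32 executable (icardagt.exe, SystemPropertiesProtection.exe, wextract.exe) dropped into a randomly named directory under AppData\Local beside a DLL or CPL that carries a system library name (UxTheme.dll, SYSDM.CPL, VERSION.dll), so that the copy resolves that name from its own directory ("Loads dropped DLL"). The script below hunts for that layout on a host. It is an added example, not part of the sandbox report or of any Triage tooling. Its assumptions are its own: it runs as the affected user with PowerShell 3.0 or later, searches only %LOCALAPPDATA% and %APPDATA%, defines "genuine" as byte-identical to the same-named file in System32 or SysWOW64, and matches library names only (it does not parse the executable's import table).

```powershell
# Added example (not part of the sandbox report). Finds directories under the
# user profile that hold a DLL/CPL wearing a System32 file name whose content is
# not the System32 file, and lists any co-located System32-named executables
# (the probable side-load hosts), noting whether they are byte-identical copies.
# Assumptions (this example's, not the report's): run as the affected user,
# PowerShell 3.0+, roots %LOCALAPPDATA% and %APPDATA%, name matching only.

$hashCache = @{}
function Get-Sha256Hex([string]$Path) {
    # Returns $null for files that cannot be read, so they are never treated as genuine.
    if ($hashCache.ContainsKey($Path)) { return $hashCache[$Path] }
    $hex = $null
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        $fs = [System.IO.File]::OpenRead($Path)
        try { $hex = ([BitConverter]::ToString($sha.ComputeHash($fs))).Replace('-', '') }
        finally { $fs.Dispose() }
    } catch { $hex = $null } finally { $sha.Dispose() }
    $hashCache[$Path] = $hex
    return $hex
}

# Lower-cased file name -> genuine paths (a name can exist in both System32 and SysWOW64).
$sysFiles = @{}
foreach ($d in "$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64") {
    Get-ChildItem -Path "$d\*" -Include *.exe, *.dll, *.cpl -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $k = $_.Name.ToLowerInvariant()
            if (-not $sysFiles.ContainsKey($k)) { $sysFiles[$k] = @() }
            $sysFiles[$k] += $_.FullName
        }
}

function Test-SystemName([System.IO.FileInfo]$File) { $sysFiles.ContainsKey($File.Name.ToLowerInvariant()) }

function Test-GenuineSystemFile([System.IO.FileInfo]$File) {
    # True only if one of the same-named system copies is byte-identical to $File.
    $h = Get-Sha256Hex $File.FullName
    if (-not $h) { return $false }
    foreach ($orig in $sysFiles[$File.Name.ToLowerInvariant()]) {
        if ((Get-Sha256Hex $orig) -eq $h) { return $true }
    }
    return $false
}

function Test-SideloadDirectory([string]$DirPath) {
    $files = @(Get-ChildItem -Path $DirPath -ErrorAction SilentlyContinue | Where-Object { -not $_.PSIsContainer })
    # Libraries wearing a System32 name that are not the System32 file.
    $rogueLibs = @($files | Where-Object {
            ($_.Extension -ieq '.dll' -or $_.Extension -ieq '.cpl') -and (Test-SystemName $_) -and -not (Test-GenuineSystemFile $_)
        } | ForEach-Object { $_.Name })
    if ($rogueLibs.Count -eq 0) { return }
    # Co-located System32-named executables: the probable side-load hosts.
    $hostExes = @($files | Where-Object { $_.Extension -ieq '.exe' -and (Test-SystemName $_) } | ForEach-Object {
            if (Test-GenuineSystemFile $_) { "$($_.Name) (identical to system copy)" } else { $_.Name }
        })
    [pscustomobject]@{
        Directory       = $DirPath
        HostExecutables = $(if ($hostExes.Count) { $hostExes -join ', ' } else { '(none)' })
        RogueLibraries  = ($rogueLibs -join ', ')
    }
}

$dirs = foreach ($root in $env:LOCALAPPDATA, $env:APPDATA) {
    $root
    Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue | Where-Object { $_.PSIsContainer } | ForEach-Object { $_.FullName }
}
@($dirs | ForEach-Object { Test-SideloadDirectory $_ }) | Format-Table -AutoSize Directory, HostExecutables, RogueLibraries
```

Against the artefacts in this report the output should name the three AppData\Local directories (each with a host executable flagged as identical to its System32 copy) plus the Roaming directories that hold only a library. Expect benign hits from applications that ship their own copy of a DLL that also exists in System32 (runtime redistributables, for instance); the discriminator in this sample is the byte-identical System32 executable sitting next to the rogue library.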

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\X1MjLwJ\VERSION.dll
    Filesize: 1KB
    MD5: 272bd1743fea94984d93cfec65b9c3d1
    SHA1: 2be3b0128d4e99d5b6413b86dd2ff0cebc3e78df
    SHA256: 59f6b9fb5836f66f0b82819ca111562f710f8dd440d48fd45eae8ae313131c17
    SHA512: 089492545b13794c027d0497fa549be3ac7f01c0e52e1ea96ba6386554ef51ce56d53b117c4c093de757dfb3523a2caaef58999e5bb71ef0d6d18e7d80307842

  • C:\Users\Admin\AppData\Local\X1MjLwJ\wextract.exe
    Filesize: 71KB
    MD5: 4974fab807ddb1d05fa4d31126b42f87
    SHA1: 1811d3fadc7806cd3351472d10b64e6996093ca0
    SHA256: d37db080c90438ae46e4def81447cb40a660b9e0a07eb4e97e83b7a89c981453
    SHA512: afd28307c03c830f6cc1b5a232cdeb607fc110202ace505063819e3354f17cd76c7cf6bd5d8c09bbb01bd38881dd8d6b047dda0249063cec0a88583b91002442

  • C:\Users\Admin\AppData\Local\X1MjLwJ\wextract.exe
    Filesize: 1KB
    MD5: 39422855658bd1be91f04154e050fc8b
    SHA1: 5b83ff414ee52f740212e439a33e20531b754c18
    SHA256: 1fabd9bef3058d78ca18b81515a6e64a71ee6273d6cf927a1860326ee4ca3b0e
    SHA512: 0c5587eee82532aa1ec319082cebca1f65eb98301adbf6303df2a038236a8cbdfeda7b57c1a7a0bdd5411a0d9b03601d5305b57c819f86fb47445ba288125f29

  • C:\Users\Admin\AppData\Local\u6AEzWV\SYSDM.CPL
    Filesize: 2KB
    MD5: a8214c754d4f9e5b457de0261bc26aac
    SHA1: 2f7d337459a2f9122b475857565d599b6533395a
    SHA256: adfe78b64e5be346ef3ff5a98fd81e887ba2092161f0185985be77d42052c447
    SHA512: 5d4add254839b79ba5a822b21356c1973031535fa173d6ab4ee4bb80bc6e3f4e7a29a6e1f1ecad6f86e4a14a501eb30120e2b6a29d601fc91f463aa432265b03

  • C:\Users\Admin\AppData\Local\u6AEzWV\SystemPropertiesProtection.exe
    Filesize: 39KB
    MD5: 4203aa3d1935214fb6d32c591d0d3aa1
    SHA1: 6099415b10972c0b31032fbf80a5edf2b31df8a3
    SHA256: eb1713ead3e2fc6888361e8e5e9f23a503b49fcc15125203e186fef2f2d1b77d
    SHA512: 210386293616d7b210f0258fb579018a2c2906c9dd76970a8417d97869ca34503c3bca5077b0ccb84b259f20ed3954bb8ce81ca0b829c73eafd47f589f7cd883

  • C:\Users\Admin\AppData\Local\u6AEzWV\SystemPropertiesProtection.exe
    Filesize: 29KB
    MD5: 7e2b55fabcb6f591d64c520d5e334579
    SHA1: aa85c361e282f878c2d886820227a57079c2247f
    SHA256: 04b723eb9b29bd2d2b0e34a7c23a5840a85931aff8a1b15b8b66516f65f8343d
    SHA512: bd6febc1fd1b49d129d1e798cd20ee0a059cd02887e2b514292bbb3c3291e518b07b274c54db05fd0ac634811340e79266c032f73b89e0960f9db0c04059b4d0

  • C:\Users\Admin\AppData\Local\zIJHw3ib\UxTheme.dll
    Filesize: 219KB
    MD5: 70b9d70dcc909de160865eab88a90790
    SHA1: 233e7aa18f870f04371114590c227e25b5fafe53
    SHA256: 713e0e7a220b53329598e7d67ceb2613b7897a7a064757ede6c807e8b3940102
    SHA512: 829ce7767baf1e60ff50d314ba0b049d6336a55b5237971c5d1d46bca33e2f783f1dec6acbd8f4977f21276c85b4920cb9bc7d067204a75eff8adc2092a60daa

  • C:\Users\Admin\AppData\Local\zIJHw3ib\icardagt.exe
    Filesize: 1KB
    MD5: c6adb32eaee9726a4e167d319a0e1c96
    SHA1: 170e5660d236d3bf13240a22dae52ac3d950d13b
    SHA256: c00c10c1e688ba92f00d10dd57f9f83518834725d48373416954b6204ccd1477
    SHA512: cbea5bf89ec0b71e03ccbe7192994effcc20b94d645b10a18120e736167963c74ceb5c6877a3fac239966b52316edc03542e2ac8772ed3a260e10bc885b51c3d

  • C:\Users\Admin\AppData\Local\zIJHw3ib\icardagt.exe
    Filesize: 139KB
    MD5: 19d68d32bbdd55227b836aea2c2506b9
    SHA1: ff165dd031ee3c198d86182b2c3b00d6d6e6ac6c
    SHA256: d455ac7eddd35cdedf5db54ef2a7a34130168015f6f9c8496c4319b5eb21d489
    SHA512: ae015e2e98761cc1a1a1d5b03eefa7201b57125b2b713a4832acca823dfa8ed962dad84068bec6632ea5716410cd2f784c57836a73b2bf63b95d2cb11cec1a67

  • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Hbeids.lnk
    Filesize: 1KB
    MD5: 0e652aedf276de92cd4e3fbbe4bf1c40
    SHA1: a3e48b8d333b4ed6ebed0425bf2f58b51c987bee
    SHA256: 46498af42a49bac7f9cb34104fcaa86d5b581e969cd6f8e62a53ae01ed7c3c4e
    SHA512: e38d12aa1f451ab528d0791e1dcb3a6b7c499a06ae858873fd5ce7a832af0a0688234a712776aec0a7dda75da57bc08fe8dda5c82fac174b304c4bc3a60e7648

  • C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\OIO9GbO\UxTheme.dll
    Filesize: 2.2MB
    MD5: 20e9ce0abf848819ecc75072be2b8d81
    SHA1: 9e1b86dcfbb3ef34fe936dd170fc07662c755da2
    SHA256: b39faa7a0ac3998e39f52b8ae9bee89bffb50b48af26f663e34f47dba46a3b9f
    SHA512: cc4e35fd2c4fc69e5f8a24d817ab4bb9743778ee2b5321cd2333cb13b55386e593e6782e1ccc91a41a1dacad0c9c80b50c11b707e6af9a32ff0f503e427f5c87

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\24TdjKl\SYSDM.CPL
    Filesize: 1.1MB
    MD5: dac7ec3b49ee04ec5897883f3346fa62
    SHA1: e1d1ed8282a0647b2527a45bbd7f50cb7ab625cd
    SHA256: 418b731647d74b272fcf5444366759215d03fa43dc1ccdbbb51415b1ef77fb9b
    SHA512: 93b167fa4e1a62b09e41c8fd2a6cc2d91d8ee6e1c7c85f027244979c60807089c90078674bf63ec8fc1f703eed67f14d4a0e7d450799f623986f93ea9d17da44

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\J5WBRE3WJf\VERSION.dll
    Filesize: 479KB
    MD5: 975de0bb942081b89ba48de4c2d301ea
    SHA1: 795450e4ef5c795d80b8c6dafe0ea61360914806
    SHA256: 66111f70a833371d9eaa2074ae6ecd6c9192517d9ffbb8e6e0581fd5713b0d63
    SHA512: 1f728800e59a7096c83ade89743136226bc6238ef1c74ade91e1cc2f49cba0aefcee2f621b5a1e85b3658e1c717b3972efe8c8a1ec58538be7ad89b597228f64

  • \Users\Admin\AppData\Local\X1MjLwJ\VERSION.dll
    Filesize: 36KB
    MD5: d24bf5d39a272d9bba62e0ccafc4e439
    SHA1: 5aba184c4988cfd9e4e4d1331cbfac2502fad38c
    SHA256: c07ab1af13bab47be3a31c944b6029a404b3fdd6d4b9ab7ac857bbcc8c330d26
    SHA512: 8a833871ee404da9744e4e9f50fb55aa53aeed969bb792a8507469db71e75aa7e7a5b57be8cbead4fac5a9b43b7cd769f29fde2279e1f6f573af6cac1d5cf243

  • \Users\Admin\AppData\Local\X1MjLwJ\wextract.exe
    Filesize: 26KB
    MD5: fa84912d3a38f86cb90fcdd2fe43870a
    SHA1: 2f91718dba700e5a905a7359f94ac31f2e099508
    SHA256: 4d0460518834a661f3ade086eecdca59281e8a05d63c1a5684e6fc5fb51fd161
    SHA512: c59d1bb5c14dba9228c0fdd2b3530099cd15076f2833b54284f497c721d58ce854e4b19f3fff94533e80e427713b40cd8a705e013d647f710d42d7bc5295d84a

  • \Users\Admin\AppData\Local\u6AEzWV\SYSDM.CPL
    Filesize: 41KB
    MD5: 498eb31ac14dbd434d7886c24750fd6b
    SHA1: b9d9f40705ca38cafe03506e751997d055c771e7
    SHA256: 000ed5e8e4dbcda01fd0a821c96139604920f07c971611de8fc9d811ff6ad9b2
    SHA512: 91f4ca7230059703267aeeaf88ce05702354ea834909ff2dc3c86bf4cf9ee63b4ea9664b636f955a9c4461605a99a82975e9927f4d5d427fbe95ae07ef664c3f

  • \Users\Admin\AppData\Local\u6AEzWV\SystemPropertiesProtection.exe
    Filesize: 39KB
    MD5: 365c3f59ebddb46b7c4fc632ea1b68da
    SHA1: 0acec6063c5a100eef85eccd7cd3f6c84f16631a
    SHA256: f4bb65ce7c7e096d644c3417c32dc6658398c80fcc9d76c5e18a256b5e622def
    SHA512: cc00aa8a039a10590b6a6d67d11f75e3ae141fed3309ac27d41fe4f1631255d1e2e986e39f6c383965f3a9aa691e6cc17b7d65d821b9d5e558bb5b7150bc7288

  • \Users\Admin\AppData\Local\zIJHw3ib\UxTheme.dll
    Filesize: 86KB
    MD5: d55d466028efd8170bd29163b9b6758f
    SHA1: bda4e8a5a8ff81b762836dfcebf0acc57ee269ff
    SHA256: 89c36919b0714702d8d094568089cdbc6557b0c1c5eb0d7f40e11bfd9c23fc59
    SHA512: b9c37c88991cd570926f460f67e8256da832961dc3d5187527cdf0a94ccb48bf548861e96a7f1c3902867fd1598cded25b56c0646a8833a23e5033cbd0af349c
  • \Users\Admin\AppData\Local\zIJHw3ib\icardagt.exe
    Filesize: 0 bytes (the hashes below are those of the empty file, i.e. the path was created before any content was written)
    MD5: d41d8cd98f00b204e9800998ecf8427e
    SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
    SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
    SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\J5WBRE3WJf\wextract.exe
    Filesize: 140KB
    MD5: 1ea6500c25a80e8bdb65099c509af993
    SHA1: 6a090ef561feb4ae1c6794de5b19c5e893c4aafc
    SHA256: 99123d4e7bf93aa7f3315a432307c8b0cbaf24ad2cfb46edc149edbe24de4ca2
    SHA512: b8f9f1ab48671e382d1385c34f0f19fc52fc0061e00db53bbbc2cdaee6d8a3f245707329f98e9167c53721aeaddcebfe66632729b6bcc98892031fd9914fb1fb

  • memory/1204-4-0x0000000077B46000-0x0000000077B47000-memory.dmp (Filesize: 4KB)
  • memory/1204-5-0x0000000002A30000-0x0000000002A31000-memory.dmp (Filesize: 4KB)
  • memory/1204-8-0x0000000140000000-0x0000000140232000-memory.dmp (Filesize: 2.2MB)
  • memory/1204-9-0x0000000140000000-0x0000000140232000-memory.dmp (Filesize: 2.2MB)
  • memory/1204-10-0x0000000140000000-0x0000000140232000-memory.dmp (Filesize: 2.2MB)
  • memory/1204-11-0x0000000140000000-0x0000000140232000-memory.dmp (Filesize: 2.2MB)
  • memory/1204-12-0x0000000140000000-0x0000000140232000-memory.dmp (Filesize: 2.2MB)
  • memory/1204-13-0x0000000140000000-0x0000000140232000-memory.dmp (Filesize: 2.2MB)
  • memory/1204-14-0x0000000140000000-0x0000000140232000-memory.dmp (Filesize: 2.2MB)
  • memory/1204-15-0x0000000140000000-0x0000000140232000-memory.dmp (Filesize: 2.2MB)
  • memory/1204-16-0x0000000140000000-0x0000000140232000-memory.dmp (Filesize: 2.2MB)
  • memory/1204-17-0x0000000140000000-0x0000000140232000-memory.dmp (Filesize: 2.2MB)
  • memory/1204-18-0x0000000140000000-0x0000000140232000-memory.dmp (Filesize: 2.2MB)
  • memory/1204-19-0x0000000140000000-0x0000000140232000-memory.dmp (Filesize: 2.2MB)
  • memory/1204-20-0x0000000140000000-0x0000000140232000-memory.dmp (Filesize: 2.2MB)
  • memory/1204-21-0x0000000140000000-0x0000000140232000-memory.dmp (Filesize: 2.2MB)
  • memory/1204-22-0x0000000140000000-0x0000000140232000-memory.dmp (Filesize: 2.2MB)
  • memory/1204-23-0x0000000140000000-0x0000000140232000-memory.dmp (Filesize: 2.2MB)
  • memory/1204-24-0x0000000140000000-0x0000000140232000-memory.dmp (Filesize: 2.2MB)
  • memory/1204-25-0x0000000140000000-0x0000000140232000-memory.dmp (Filesize: 2.2MB)
  • memory/1204-26-0x0000000140000000-0x0000000140232000-memory.dmp (Filesize: 2.2MB)
  • memory/1204-27-0x0000000140000000-0x0000000140232000-memory.dmp (Filesize: 2.2MB)
  • memory/1204-28-0x0000000140000000-0x0000000140232000-memory.dmp (Filesize: 2.2MB)
  • memory/1204-29-0x0000000140000000-0x0000000140232000-memory.dmp (Filesize: 2.2MB)
  • memory/1204-30-0x0000000140000000-0x0000000140232000-memory.dmp (Filesize: 2.2MB)
  • memory/1204-31-0x0000000140000000-0x0000000140232000-memory.dmp (Filesize: 2.2MB)
  • memory/1204-32-0x0000000140000000-0x0000000140232000-memory.dmp (Filesize: 2.2MB)
  • memory/1204-33-0x0000000140000000-0x0000000140232000-memory.dmp (Filesize: 2.2MB)
  • memory/1204-34-0x0000000140000000-0x0000000140232000-memory.dmp (Filesize: 2.2MB)
  • memory/1204-35-0x0000000140000000-0x0000000140232000-memory.dmp (Filesize: 2.2MB)
  • memory/1204-36-0x0000000140000000-0x0000000140232000-memory.dmp (Filesize: 2.2MB)
  • memory/1204-37-0x0000000140000000-0x0000000140232000-memory.dmp (Filesize: 2.2MB)
  • memory/1204-38-0x0000000140000000-0x0000000140232000-memory.dmp (Filesize: 2.2MB)
  • memory/1204-39-0x0000000140000000-0x0000000140232000-memory.dmp (Filesize: 2.2MB)
  • memory/1204-40-0x0000000140000000-0x0000000140232000-memory.dmp (Filesize: 2.2MB)
  • memory/1204-41-0x0000000140000000-0x0000000140232000-memory.dmp (Filesize: 2.2MB)
  • memory/1204-42-0x0000000140000000-0x0000000140232000-memory.dmp (Filesize: 2.2MB)
  • memory/1204-43-0x0000000140000000-0x0000000140232000-memory.dmp (Filesize: 2.2MB)
  • memory/1204-44-0x0000000140000000-0x0000000140232000-memory.dmp (Filesize: 2.2MB)
  • memory/1204-45-0x0000000140000000-0x0000000140232000-memory.dmp (Filesize: 2.2MB)
  • memory/1204-46-0x0000000140000000-0x0000000140232000-memory.dmp (Filesize: 2.2MB)
  • memory/1204-47-0x0000000140000000-0x0000000140232000-memory.dmp (Filesize: 2.2MB)
  • memory/1204-48-0x0000000002A10000-0x0000000002A17000-memory.dmp (Filesize: 28KB)
  • memory/1204-55-0x0000000140000000-0x0000000140232000-memory.dmp (Filesize: 2.2MB)
  • memory/1204-56-0x0000000077C51000-0x0000000077C52000-memory.dmp (Filesize: 4KB)
  • memory/1204-57-0x0000000077DB0000-0x0000000077DB2000-memory.dmp (Filesize: 8KB)
  • memory/1204-66-0x0000000140000000-0x0000000140232000-memory.dmp (Filesize: 2.2MB)
  • memory/1204-72-0x0000000140000000-0x0000000140232000-memory.dmp (Filesize: 2.2MB)
  • memory/1204-73-0x0000000140000000-0x0000000140232000-memory.dmp (Filesize: 2.2MB)
  • memory/1204-147-0x0000000077B46000-0x0000000077B47000-memory.dmp (Filesize: 4KB)
  • memory/1228-126-0x00000000000A0000-0x00000000000A7000-memory.dmp (Filesize: 28KB)
  • memory/1564-84-0x0000000000310000-0x0000000000317000-memory.dmp (Filesize: 28KB)
  • memory/1908-108-0x0000000000080000-0x0000000000087000-memory.dmp (Filesize: 28KB)
  • memory/2404-0-0x0000000000190000-0x0000000000197000-memory.dmp (Filesize: 28KB)
  • memory/2404-1-0x0000000140000000-0x0000000140232000-memory.dmp (Filesize: 2.2MB)
  • memory/2404-7-0x0000000140000000-0x0000000140232000-memory.dmp (Filesize: 2.2MB)