Analysis

  • max time kernel
    157s
  • max time network
    130s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64  arch:x86  image:win7-20231215-en  locale:en-us  os:windows7-x64  system
  • submitted
    22-12-2023 15:47

General

  • Target

    e0766950c83a3551309ffe32a39cf502.dll

  • Size

    2.9MB

  • MD5

    e0766950c83a3551309ffe32a39cf502

  • SHA1

    91c525d856e976147ac070289ca9c749ede297e5

  • SHA256

    aa4895a92de07b083cd4ae91f0dfa52a25713b7103d573512465a75f23ffbdc4

  • SHA512

    c2c7b427e6e44f4b6114170e80bc4f9823882337489892a185b06418440bee9a25a0754e76a198b67f3af4b6f8b6fc91107a4af9591cbe2616b19bb2c28ce38e

  • SSDEEP

    12288:TVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ11:CfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex payload shellcode injected into the Explorer process.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 8 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\e0766950c83a3551309ffe32a39cf502.dll
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:2504
  • C:\Windows\system32\wscript.exe
    C:\Windows\system32\wscript.exe
    1⤵
    PID:2032
  • C:\Users\Admin\AppData\Local\ZKwzQXQ\wscript.exe
    C:\Users\Admin\AppData\Local\ZKwzQXQ\wscript.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:2932
  • C:\Windows\system32\OptionalFeatures.exe
    C:\Windows\system32\OptionalFeatures.exe
    1⤵
    PID:2692
  • C:\Users\Admin\AppData\Local\FMo0a\OptionalFeatures.exe
    C:\Users\Admin\AppData\Local\FMo0a\OptionalFeatures.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:2972
  • C:\Windows\system32\EhStorAuthn.exe
    C:\Windows\system32\EhStorAuthn.exe
    1⤵
    PID:1380
  • C:\Users\Admin\AppData\Local\kug\EhStorAuthn.exe
    C:\Users\Admin\AppData\Local\kug\EhStorAuthn.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:1368

    All seven processes are recorded at depth 1; none is a child of regsvr32.exe. Each of the three Windows executables (wscript.exe, OptionalFeatures.exe, EhStorAuthn.exe) runs first from System32 and then from a copy in a randomly named directory under AppData\Local, and the dropped-file list below places a DLL next to each copy (VERSION.dll beside wscript.exe, appwiz.cpl beside OptionalFeatures.exe, UxTheme.dll beside EhStorAuthn.exe). This is DLL search-order hijacking: the copied, legitimately signed executable resolves that DLL name from its own directory ahead of the real one in System32, so the Dridex payload runs inside a trusted-looking host process. The only process the tree attributes a signature to is regsvr32.exe (EnumeratesProcesses); the 18 WriteProcessMemory IoCs in the signature list are not attributed to a process here.

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\FMo0a\OptionalFeatures.exe
    Filesize  81KB
    MD5       a4b95f129f100ef9349aeda03d5dc7ef
    SHA1      d4fb62221cea37f760ae891bdb4b4b3fcf12e0d9
    SHA256    4a0f4ceddcd53031ff9b8c3dcf9905cf93f1c3e5413e9dc3da0e4464791099c5
    SHA512    e30598b0f8562c50c33457a5cfd4680503b796d171d87c2c95db526b0b4f21a94d563579cf3a9c9a02217b095648553fd80887e54bc228459da6a2418229716d

  • C:\Users\Admin\AppData\Local\FMo0a\appwiz.cpl
    Filesize  101KB
    MD5       184f4dda30fa08ca34e5bc2173c0946b
    SHA1      ad5dbb58876c5c1fed1f7d8e3544612d33ad18fd
    SHA256    ebf5fcde69ae5dc8fb21d4f63596a69597a8fdb7f4997ead029f21391db9e1c5
    SHA512    62816d7d7e64610a21e29d44eed3b35aed57c8fd87cbc78bf7960673e113ce184122bbf41d7b3b27e540d256b7df5a6e948d5bc3b9173517bfca15dc8af7c6f0

  • C:\Users\Admin\AppData\Local\ZKwzQXQ\VERSION.dll
    Filesize  54KB
    MD5       2e82444dbbf00150e6aa5c74bc5611f8
    SHA1      87ebcdaa95759aab7701ebaf48a5105cf532ca71
    SHA256    935f1bb1532b33ae82018df082918341c5dd49b0b5c5e5591823e09e34d23d28
    SHA512    a5b3acf0bbb8215c90fa9fa7d7594110398ac7b130c8c4225191ca82d52d23f5738ac1bfee902acef4079ee6df35d3f87ad46046e6c87d770666bbc8ff6179d8

  • C:\Users\Admin\AppData\Local\ZKwzQXQ\wscript.exe
    Filesize  61KB
    MD5       2b223b04bf8c80193f8311703f0babdc
    SHA1      d1bdf83845b6d1877b11480d38b7db99023c5422
    SHA256    d667a2ebf90219cbea4fe221ad689f10630ec7069ce92b61c12646023a7c69d5
    SHA512    ef36727b9275e76eb8dc1c50465fa50d3b418f916867958049717cb392ed8134afaa52a0f3f2b9b86c302f6fcc19d0634075dc8a6d66f812ebf545509e1bf5e9

  • C:\Users\Admin\AppData\Local\ZKwzQXQ\wscript.exe
    Filesize  95KB
    MD5       0c0ec8ea6e93e18d0c9971044a176597
    SHA1      0cf51bcc802d062358ad1d13065ebd16b30ac9cf
    SHA256    8dfb879d7343048781310b7e992ab39cb2a52a2b95298aeb8c69da8479ed664d
    SHA512    e8e6a2d92cad3f25d007d375c7b1b9ba0cc90c14d99b05f9d108a09fc0c724e1ad2f1da5bb589761cfe16c51107bbacd5cd7ffda079b329293e0c1a89070a9db

  • C:\Users\Admin\AppData\Local\kug\EhStorAuthn.exe
    Filesize  64KB
    MD5       5e88527a55c08ad842f452f2b1e0a8fb
    SHA1      c4214b0047a1f3c83fd6178f1aa3d34595b4e38f
    SHA256    8fc5e0bd3b28d0c979b05b922e46be6bae0a3a142767ba46d2804804075e32cb
    SHA512    1a60e883188787aa2fe46274aa79c6dfe2f285541f1b0de7e7460b9e1b148909efbcbdab9f7b837313e7fd724218e46585f0dba6f1c57fc6a3520120fe23c21b

  • C:\Users\Admin\AppData\Local\kug\EhStorAuthn.exe
    Filesize  92KB
    MD5       bfd3f83302a2ee72fa811ee4f6643759
    SHA1      ddc7e39087d686c641efe4df2424d1d73bcfe35a
    SHA256    36b10dbadac14c62ffb04a77e5699ad3a9c4fb13869592e1672e11689aa6d7ab
    SHA512    2f69987500ee4aee5d33a8e14a110550202e93f49b3c443c0a8f3c0deb0a8aa17ce5cf3ebc50e6afdc14f6d64be49376bcab754bcb5b54bacbc695dbfb2c78e6

  • C:\Users\Admin\AppData\Local\kug\UxTheme.dll
    Filesize  162KB
    MD5       3ac06460b0405301e277f8d2ddfacdd5
    SHA1      b66daa7116fc1ed197e2cae7ab80770b9712a1ec
    SHA256    3553dbdc7704a674ffed29b9347e8f375e66e1e21c366640a7237397b4dd44dc
    SHA512    fe9ef55357b69a2342bbe407226c71a5f61f3794850a980fea479867a8319cd6b364ac1cf48050c9ad1fd933513878caa7a52dedd4658e1b1f38ac8ef141ad7e

  • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Efrsxj.lnk
    Filesize  1KB
    MD5       d3f1975c750dc0ee183f1d34ad999dfd
    SHA1      de9cf834960e36144af4a7d13f16008fdcaa97f4
    SHA256    fec3a4fd3c06909debb06292bda981e3fc5451cbdeb902176fa4db384ded9c45
    SHA512    109d568aa13371248ed29811d462511c6ad46d6869c917b0027a99422fe63e6e5d5749f8c7483c9b1d58c4af4ee6fda45b64724bde7487f5b01ef89b96996571

  • C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\bg\UxTheme.dll
    Filesize  86KB
    MD5       e8a252edd8ee8ef34cb029730440d290
    SHA1      43e47d640886f6f2e8a48bcce71f199311543320
    SHA256    bb59c825cdd0ec1af7399f2e24e40fbb8756e4aa9d7bff46eb0e013ba10b846b
    SHA512    191d35f6a84116a1e129c7bde1972c4ae6fd2580b156004bbef609cd018fee1b1bce086ef94acb647c7093a0e08da2c2156af1e90bc059588f7c5ad02accfdc7

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\5m4\VERSION.dll
    Filesize  1KB
    MD5       fc69d44d6c061d5fce75de61cd579aa4
    SHA1      c94b2309c4339c7593d6b95d6096516b4a63fdb9
    SHA256    9ab73255e2808674d46bdee86695c4d0ddf9e43c2ae33e853f3a6c402d10033b
    SHA512    67dce67192b99c67e6e21bcc20922815aa6b79ecd4addd5d97e500ae0a1433f4317d45bf80dbb096ac2858f060c4c6e55e335d885bcc431be47ec66d4112e21e

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\99LB0pkB56l\appwiz.cpl
    Filesize  1KB
    MD5       566c5256ca075e80018c5f5ead015f34
    SHA1      d3efedc6f08410faf3ad8ebef72c6443e9ad117b
    SHA256    16d1bf6e4d3c4c7947032bdc46264f353dcd16cc1c33cea4dece0fda234c9f5c
    SHA512    fbe1fae4d43089443b31db48a245587cdf8f2285eb4edc0afb5d4d899a789147502b5f29984f9bbb2146dcab3e6a435ef1a378e5f673b71147127a5431ae892d

  • \Users\Admin\AppData\Local\FMo0a\OptionalFeatures.exe
    Filesize  95KB
    MD5       eae7af6084667c8f05412ddf096167fc
    SHA1      0dbe8aba001447030e48e8ad5466fd23481e6140
    SHA256    01feebd3aca961f31ba4eac45347b105d1c5772627b08f5538047721b61ff9bc
    SHA512    172a8accaa35a6c9f86713a330c5899dfeeffe3b43413a3d276fc16d45cd62ed9237aa6bff29cc60a2022fba8dcc156959723c041df4b7463436a3bdabef2a9d

  • \Users\Admin\AppData\Local\FMo0a\appwiz.cpl
    Filesize  73KB
    MD5       5e79e740e29ab88bc686e008e09a6546
    SHA1      29cbc3cf7e5511c1dc22ca4b8ee9239a48007dd1
    SHA256    15dbee77b950fb7abc42920f5f60d798c6e2877acd62a6fcaa9d88b6312d3bf1
    SHA512    df334daef490d0195beb863b24f1352cf51ce6d6ab8f3016c03352e820b8a428bb4da9205f505b54d51454a792450d742b5a05ed2eff72de89bb35a739bcf5ed

  • \Users\Admin\AppData\Local\ZKwzQXQ\VERSION.dll
    Filesize  42KB
    MD5       9ef49ba69a852310fe3f0d0d0dc8d303
    SHA1      9fdd4177ba5ad0583453b12cdb2496c2cdb76921
    SHA256    0618e1dc79d8c5f8e53df9f6deab8dcd6a28b2190a0cd3791a669ca9c20bb468
    SHA512    cf8d49f3b863c2cbd7b951007c7e8f1ab89d0f4544b31911642aac77e657bd9bcdd8156ed2993ef13dc85586d1b0533e32b7ecf40779d85b6260c458e0884cef

  • \Users\Admin\AppData\Local\ZKwzQXQ\wscript.exe
    Filesize  39KB
    MD5       bb7a6a37321b5caf1625e9e56e836dd6
    SHA1      b2721b24c2e5e29608e274d92c6fb1e14373d356
    SHA256    cb99e5f89654927f7b69864dbd0917c3b15ece2bc840076491f4825269c30da1
    SHA512    4642d87aabcb9ac305f0de340ee4971d6b500263a92500b23067bfa1167437f6b0bb18eb954d4d4383df98e17f656459b08e9960b93269dcb10c5d03ba33a9f0

  • \Users\Admin\AppData\Local\ZKwzQXQ\wscript.exe
    Filesize  32KB
    MD5       1adef384faf554a124d84a142b1c3802
    SHA1      d855776ed411c27ca7bd1a5c2a0833e7719ac9c2
    SHA256    fe130f371fa4fb5f67a97132a684f4d0416c4b33dcd9eed2afd9341c4805e235
    SHA512    f45128a5c6996f75d35a18ea1bbc87f4ce42496a7b4d44d331138baa9811d5c4c1f448c36ddcdcc01d85c057e23304ac7e55bb5762747e633c4ea733ea38299d

  • \Users\Admin\AppData\Local\kug\EhStorAuthn.exe
    Filesize  137KB
    MD5       3abe95d92c80dc79707d8e168d79a994
    SHA1      64b10c17f602d3f21c84954541e7092bc55bb5ab
    SHA256    2159d9d5c9355521de859d1c40907fcdfef19f8cf68eda7485b89e9aa119e3ad
    SHA512    70fee5e87121229bba5c5e5aaa9f028ac0546dc9d38b7a00a81b882c8f8ce4abfdc364a598976b1463cca05e9400db715f8a4478ec61b03a693bbeee18c6ae5c

  • \Users\Admin\AppData\Local\kug\UxTheme.dll
    Filesize  94KB
    MD5       f005c843e7d634ecd97da686d6df0cfe
    SHA1      59ee1a70056ca0eb90251b5acdb623e423176418
    SHA256    4d4579cfa59ee1d532567b8a9b38711bf731accecfd4ac6c6107da2f91f846cc
    SHA512    4fe2d6adbb218802a8d05260337c8bd310a097e63bce486aa745166c694f696b86cb35870466590e37ea0e06bbc4f5c2946a3571c5b89929bdcbdd9c19373a35

  • \Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\bg\EhStorAuthn.exe
    Filesize  85KB
    MD5       27fc63ee98bc85c6ea207db041539866
    SHA1      5cf11fb2666fe99bdbeb7051d159963602e52b2a
    SHA256    39b5090e04f4d1b13e8d93c1869421bfa96aae5747bc31d10e6623c8b21698cc
    SHA512    098a7358b3870d3b6fc950f3eeb12e56433c8a7fb090669be9ca35a1b98f4318ed5f38c352debe0a600e4ff5bfc94a4128d2f52e251b880b3ae931bc9d569d06

    Several paths are listed more than once with different sizes and hashes (ZKwzQXQ\wscript.exe at 61KB, 95KB, 39KB and 32KB; kug\EhStorAuthn.exe at 64KB, 92KB and 137KB), with and without a drive letter. These are best read as the same file captured at different points in the run rather than as distinct payloads, so no single file hash here should be treated as a reliable indicator of the final on-disk artefact. The durable indicators are the paths themselves: a copy of a system executable in a randomly named directory under AppData\Local with a same-directory DLL it imports, further copies under Roaming\Microsoft\SystemCertificates\My\CTLs, Roaming\Microsoft\Windows\Printer Shortcuts and the Start Menu Accessibility folder, and the Efrsxj.lnk shortcut in the user's Startup folder.

  • Memory dumps (memory/<PID>-<index>-<start>-<end>-memory.dmp)

    PID   Dump index                 Region                                   Filesize
    2504  0                          0x00000000001A0000-0x00000000001A7000    28KB
    2504  1, 8                       0x0000000140000000-0x00000001402E6000    2.9MB
    1272  4, 170                     0x00000000779F6000-0x00000000779F7000    4KB
    1272  5                          0x0000000002B20000-0x0000000002B21000    4KB
    1272  7 and every index 9 to 65  0x0000000140000000-0x00000001402E6000    2.9MB
    1272  69                         0x0000000002B00000-0x0000000002B07000    28KB
    1272  77                         0x0000000077C01000-0x0000000077C02000    4KB
    1272  78                         0x0000000077D60000-0x0000000077D62000    8KB
    2932  108                        0x00000000000E0000-0x00000000000E7000    28KB
    2972  133                        0x00000000000F0000-0x00000000000F7000    28KB

    PID 1272 does not appear in the process tree above. The region 0x0000000140000000-0x00000001402E6000 is 0x2E6000 bytes (2.9MB), the same size as the submitted DLL, and it is dumped from both regsvr32.exe (PID 2504) and PID 1272; together with the "Dridex Shellcode" signature (shellcode injected into the Explorer process) and the 18 WriteProcessMemory IoCs, this is consistent with the DLL image being mapped into explorer.exe, although the report itself does not name the process behind PID 1272. A 28KB (0x7000-byte) low-address region is also dumped once from each of 2504, 1272, 2932 and 2972; the report does not characterise its contents.
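A hunting check built from the file-level indicators in this report, added here as an example; it is not part of the sandbox report. It flags the pattern the process tree and dropped-file list show (a copy of wscript.exe, OptionalFeatures.exe or EhStorAuthn.exe outside the system directories with its companion VERSION.dll, appwiz.cpl or UxTheme.dll beside it), a shortcut in the user's Startup folder, and any SHA256 taken from the dropped-file list. `scan_listing`, `Finding`, `LEGIT_DIRS` and `SAMPLE_LISTING` are names chosen for this example; the directory listing is constructed, and every hash in it other than the report's own values is made up.

```python
import re
from dataclasses import dataclass

# Decoy executable -> companion DLL/CPL it loads from its own directory,
# as paired in the report's dropped-file list (all names lower-cased).
SIDELOAD_PAIRS = {
    "wscript.exe": "version.dll",
    "optionalfeatures.exe": "appwiz.cpl",
    "ehstorauthn.exe": "uxtheme.dll",
}

# Where these executables legitimately live on a Windows 7 x64 host (assumption).
LEGIT_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# SHA256 values copied from the report's dropped-file list.
KNOWN_SHA256 = {
    "4a0f4ceddcd53031ff9b8c3dcf9905cf93f1c3e5413e9dc3da0e4464791099c5",  # FMo0a\OptionalFeatures.exe
    "ebf5fcde69ae5dc8fb21d4f63596a69597a8fdb7f4997ead029f21391db9e1c5",  # FMo0a\appwiz.cpl
    "935f1bb1532b33ae82018df082918341c5dd49b0b5c5e5591823e09e34d23d28",  # ZKwzQXQ\VERSION.dll
    "3553dbdc7704a674ffed29b9347e8f375e66e1e21c366640a7237397b4dd44dc",  # kug\UxTheme.dll
    "fec3a4fd3c06909debb06292bda981e3fc5451cbdeb902176fa4db384ded9c45",  # Startup\Efrsxj.lnk
}

# Startup-folder shortcut under the roaming profile; the ".*" absorbs both the
# long spelling (Microsoft\Windows\Start Menu) and the 8.3 one (MICROS~1\...\STARTM~1).
STARTUP_LNK = re.compile(r"\\appdata\\roaming\\.*\\programs\\startup\\[^\\]+\.lnk$")


@dataclass(frozen=True)
class Finding:
    kind: str    # "sideload_pair" | "known_hash" | "startup_lnk"
    path: str
    detail: str


def scan_listing(entries):
    """entries: iterable of (path, sha256 or None) as a file collector reports them.

    Returns findings in a stable order: side-load pairs, then hash matches,
    then Startup shortcuts. Matching is case-insensitive; paths are kept as given."""
    entries = [(path, (digest or "").lower()) for path, digest in entries]

    # Group file names by directory so executable/DLL pairs can be spotted.
    by_dir = {}
    for path, _ in entries:
        directory, _, name = path.lower().rpartition("\\")
        by_dir.setdefault(directory, {})[name] = path

    findings = []
    for directory, names in by_dir.items():
        if directory in LEGIT_DIRS:
            continue  # the real binaries beside their real imports are expected
        for exe, dll in SIDELOAD_PAIRS.items():
            if exe in names and dll in names:
                findings.append(Finding("sideload_pair", names[exe],
                                        f"{exe} beside {dll} outside the system directories"))
    for path, digest in entries:
        if digest in KNOWN_SHA256:
            findings.append(Finding("known_hash", path, digest))
    for path, _ in entries:
        if STARTUP_LNK.search(path.lower()):
            findings.append(Finding("startup_lnk", path, "shortcut in the user Startup folder"))
    return findings


# Constructed listing for the demonstration, shaped like the report's dropped-file
# paths. Only the VERSION.dll hash is the report's; the others are placeholders.
SAMPLE_LISTING = [
    (r"C:\Windows\System32\wscript.exe", "aaaa" * 16),
    (r"C:\Windows\System32\version.dll", "bbbb" * 16),
    (r"C:\Users\Admin\AppData\Local\ZKwzQXQ\wscript.exe", "cccc" * 16),
    (r"C:\Users\Admin\AppData\Local\ZKwzQXQ\VERSION.dll",
     "935f1bb1532b33ae82018df082918341c5dd49b0b5c5e5591823e09e34d23d28"),
    (r"C:\Users\Admin\AppData\Local\kug\EhStorAuthn.exe", None),
    (r"C:\Users\Admin\AppData\Local\kug\UxTheme.dll", "dddd" * 16),
    (r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Efrsxj.lnk", None),
    (r"C:\Users\Admin\Documents\report.docx", "eeee" * 16),
]

if __name__ == "__main__":
    for finding in scan_listing(SAMPLE_LISTING):
        print(f"{finding.kind:14} {finding.path}  ({finding.detail})")
```

The pair check is deliberately independent of hashes: the report lists the same dropped path with four different sizes and hashes, so a hash-only rule would miss most copies, while the directory pairing survives any rebuild of the payload. The System32 and SysWOW64 exclusion is what keeps the real wscript.exe beside the real version.dll from firing.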