Analysis

  • max time kernel
    150s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    22-12-2023 15:14

General

  • Target

    d5124b4f11f73e615ab6573dc5bb02cf.dll

  • Size

    1.9MB

  • MD5

    d5124b4f11f73e615ab6573dc5bb02cf

  • SHA1

    8a2f582744a0cdca0d21e40ce81f2ce3067c8bee

  • SHA256

    9b64a70112f7e8f285ac2c020036d4fa5d3cc529daf0fbbfefab39630ec50a2b

  • SHA512

    889ca16bb6fdd0a1677111c340cf67f29d3b0d305ed5ced6e4a4ed129b1828cc72021b9544b8f545c534671be11034e50d40596a6924ebe024c6cfa800495451

  • SSDEEP

    12288:/VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1K:2fP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex payload shellcode injected into the Explorer process.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\d5124b4f11f73e615ab6573dc5bb02cf.dll
    • Suspicious behavior: EnumeratesProcesses
    PID:2892
  • C:\Users\Admin\AppData\Local\23W8pEv0d\Dxpserver.exe
    C:\Users\Admin\AppData\Local\23W8pEv0d\Dxpserver.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:1720
  • C:\Windows\system32\Dxpserver.exe
    C:\Windows\system32\Dxpserver.exe
    PID:2396
  • C:\Windows\system32\dvdupgrd.exe
    C:\Windows\system32\dvdupgrd.exe
    PID:2760
  • C:\Users\Admin\AppData\Local\cO4z\dvdupgrd.exe
    C:\Users\Admin\AppData\Local\cO4z\dvdupgrd.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:3008
  • C:\Windows\system32\BitLockerWizard.exe
    C:\Windows\system32\BitLockerWizard.exe
    PID:1772
  • C:\Users\Admin\AppData\Local\G6zUAd\BitLockerWizard.exe
    C:\Users\Admin\AppData\Local\G6zUAd\BitLockerWizard.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:1768

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\23W8pEv0d\Dxpserver.exe
    Filesize: 127KB
    MD5: 426b0fb43500a70d8260e125bf9a7d6c
    SHA1: baf92e8e83510ca718713461d0071bd66e118b07
    SHA256: c7099f6c26c5e8a08af48451c103312e10e38bf05138c2f19fc82bcd7ce71901
    SHA512: 8850059611c415edd63b7342e2cd5c9c2a235636654e927f522f2d5a0528cfa10e64d92807f464ea6c83d94c5f1a9956a60e1f7583fc98aeef330d05c27f36a5
  • C:\Users\Admin\AppData\Local\23W8pEv0d\Dxpserver.exe
    Filesize: 155KB
    MD5: b2b90d4bae34d66b93f5ae8bc827d365
    SHA1: 171e1f36a3bf11a52256658373b96f92b866765b
    SHA256: 0ac538393b0db5fdf98630af57ed5cbd970f2645768a9a9e01b65ca62d27453d
    SHA512: 4805a815d537772a15fb4616cb145f1eaea7ec2f0cb8f7f3e64cc47a24511bdae10e29406d21b36126ba0ca90f08c1c4e4cd70f185a795b46c2966d2840f43dc
  • C:\Users\Admin\AppData\Local\23W8pEv0d\dwmapi.dll
    Filesize: 335KB
    MD5: 25ac540676b8725738d2ec816c3fa5a0
    SHA1: dae4883c054655e5120f022c683955415e4ba26f
    SHA256: 5774b6490f9270233f77b27d7e1e76b8edd3f04a9d88c8ff70d89278a9045bb8
    SHA512: 800d5e19136e2598ab3f90d75e54e91d3e838ddb1909464575681e4030fc1a9163a3abd0f35e057f5488f991e74202dd43b059e1942333665f2dc55147cf12fb
  • C:\Users\Admin\AppData\Local\G6zUAd\BitLockerWizard.exe
    Filesize: 47KB
    MD5: 1e10dd1d9e5d049b1b031d750c01d62c
    SHA1: c0abaf35d883b10305cf5f4c6ee45160c33f460b
    SHA256: 4ca18c78dd9fb03ee3569ad6943aa8e4c421c330f70412d0c8396a822d8623cc
    SHA512: d9a50f95605001669a7e24aafdcad2483a81e09099afa7aa629e83b1e2ec35ba2d38435f77e4199b8855ce3efd148b9b9481a826ddc6eb18f65048d1cbfb5de4
  • C:\Users\Admin\AppData\Local\G6zUAd\FVEWIZ.dll
    Filesize: 166KB
    MD5: a9eaedc4895d58e66199d7d3461b6209
    SHA1: 7d635d5b75bed7abfdf5ed54cb57f68c977e4c54
    SHA256: ee69ccf0a7d3c43d103f54919e8cd098dbcc6e889744f0a5e2298217795230c5
    SHA512: 2ab4117e37103287fbed7ee58f86a3c5e537695a8ec59aae034147eed27d28eeb794605fde9d31848d8181b3b7e747db3994d2286cd037b11738b202ca97b358
  • C:\Users\Admin\AppData\Local\cO4z\VERSION.dll
    Filesize: 33KB
    MD5: a042e35cc4686adc0ea3a97f10b73b31
    SHA1: af5a86e2fe561100a6dfa021482b17e99f7a12f9
    SHA256: 32a55a992705fadf2619e094ec654a4e1f1de037dbd4ee3fdfab2f9eaab74890
    SHA512: d203bc6cd1062277df375faa92f1846d15d31ed6b9d56f4e5f1cb7069466691a73324617fe2461412a5b87fef80b353fb6b8a89decc7a076028f576af3e8c69b
  • C:\Users\Admin\AppData\Local\cO4z\dvdupgrd.exe
    Filesize: 25KB
    MD5: 75a9b4172eac01d9648c6d2133af952f
    SHA1: 63c7e1af762d2b584e9cc841e8b0100f2a482b81
    SHA256: 18f9f520c7157023b0e7dfe7433a63c4dedd47b04d24aac4038b795893050736
    SHA512: 5a7a2c7f184efd9c84256a1a0a5e7aeb95432d63a567196be54e7a9437a5ada9b922983c5fc0cafb16eab4493665d8e56e2f646f9f6a2d6179986925ffcdf769
  • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Zrkibbhbsqvuoso.lnk
    Filesize: 1KB
    MD5: 27eb2c175b21f439a1342e8b6723ff6c
    SHA1: a226a5d631e2e7fab2ddb77d43a3ca7ea272ae33
    SHA256: 6251b1f13936005111a5fb2a3f9c79d666295619a4f83c72df041cb1e28e4463
    SHA512: 906eb981cd97698f6b782f375e9da0d2d81ef5dc806551b090e9f3bcde1a2a48e326ca845c36936b888e5d8d7e0c72a5d6412c82ff33b934304682fa61f39581
  • C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\2yB3kZj\VERSION.dll
    Filesize: 448KB
    MD5: 649926126233964cafde5f3afca42a67
    SHA1: 1db6fd459354aec8a44382bfec2ecd58f82ec8d7
    SHA256: 7708a063f9aa86ca02cd98bd9e3da7a81a91cd0483852a9d190ca66595323b3b
    SHA512: e3b7a20ab8eb915beae5415eb5a3d7570d8197a3b92840fe72a69924c8a2e96a02b9e402a34d2f26060e7f1c57e9d3c56f0391d9a7724389be2208d8c78f2420
  • C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\KQGmUSXkiA\dwmapi.dll
    Filesize: 136KB
    MD5: 4397de773759859c95f80e8d25d2b3cc
    SHA1: 59f742995abbf7f27a4cb516e8dc9313ed6fa587
    SHA256: da2a9d149952b2a2d3c79d2a4f7ba3003c50ec56224b7bdc980f9614b000c136
    SHA512: b7725478a8e992ff6b32ab8e2cdf4218e7e0325bad0477b5cbe768abfdc68d8829009f18b3b6d095ade12a2b6fdc2c793503e3abd547917ce9c39ae2d5dcf226
  • C:\Users\Admin\AppData\Roaming\Microsoft\Protect\S-1-5-21-452311807-3713411997-1028535425-1000\rnc\FVEWIZ.dll
    Filesize: 94KB
    MD5: e062cafbddee4f91b0b6cb16a1f1f3e3
    SHA1: a238a0063b4740c65ee2b9f3fe77233b8342dde9
    SHA256: f464f8bd7a6cb24ca5b46242414ab34e824159990f5a41c5613151c71dc6c80e
    SHA512: ba603954963df7d05983ad1cf735598d42699c8dccfcec6ffff337fb30cc239aa11614eab6f84bb3c51520310cc45bf31fde46fa2e17da1dc5282aa7987f331d
  • \Users\Admin\AppData\Local\23W8pEv0d\Dxpserver.exe
    Filesize: 259KB
    MD5: 4d38389fb92e43c77a524fd96dbafd21
    SHA1: 08014e52f6894cad4f1d1e6fc1a703732e9acd19
    SHA256: 070bc95c486c15d2edc3548ba416dc9565ead401cb03a0472f719fb55ac94e73
    SHA512: 02d8d130cff2b8de15139d309e1cd74a2148bb786fd749e5f22775d45e193b0f75adf40274375cabce33576480ff20456f25172d29a034cd134b8084d40a67ba
  • \Users\Admin\AppData\Local\23W8pEv0d\dwmapi.dll
    Filesize: 113KB
    MD5: 5f1f6b7685c47f28f195aaab4945f49a
    SHA1: 090e977f9122c6dfc3ba7691140e58d406c38183
    SHA256: 4705b824e6b5712b915d48a9a56b566da8d56fbf035736496cc0eb045d5da483
    SHA512: 92f153fd7dc02978813f8495301353ba2ac8c2a8c5147cf9d6911566a632543090fd1d8030cbe2ea44fe37d1aa9a6fc5d932fdc440f34f3ec6f6ad2cda3599e4
  • \Users\Admin\AppData\Local\G6zUAd\BitLockerWizard.exe
    Filesize: 98KB
    MD5: 08a761595ad21d152db2417d6fdb239a
    SHA1: d84c1bc2e8c9afce9fb79916df9bca169f93a936
    SHA256: ec0b9e5f29a43f9db44fa76b85701058f26776ab974044c1d4741591b74d0620
    SHA512: 8b07828e9c0edf09277f89294b8e1a54816f6f3d1fe132b3eb70370b81feb82d056ec31566793bd6f451725f79c3b4aeedb15a83216115e00943e0c19cab37c9
  • \Users\Admin\AppData\Local\G6zUAd\FVEWIZ.dll
    Filesize: 67KB
    MD5: 9153724d22ed91c487eb4fd2de22dfd5
    SHA1: 8b6c50d603676352db208a2e0b2d581e450fe3d4
    SHA256: de2822595b29f813e06e2a4e9aae300c9a476211a3a26e22a288e4ab6c0e4e1c
    SHA512: 8d6bbb007f45dd3ffcf3254096255a603596a3aaf5b694b0223b4a182f7f61f33e6efa5cbca9ec642ea64e01c792bcf1db1ff60e7c2fda60c10de2d4005554a1
  • \Users\Admin\AppData\Local\cO4z\VERSION.dll
    Filesize: 310KB
    MD5: 9bc1a90180d3db43f2560b2393df03a6
    SHA1: fc26125acfa598979d42c9b51304107423903e83
    SHA256: 17ed74bbe143f69de2d042c2a239cae89733608d4beca467f5cd65610267028e
    SHA512: 9e1d89acd15de106129477d64150ff583de28c1434caf77a3f14b530ac169bb05c49ad02911eeb78bd823403967e6ce7e537990316a664b0984ce3cf32012039

  • memory/1296-38-0x0000000140000000-0x00000001401ED000-memory.dmp
    Filesize: 1.9MB
  • memory/1296-46-0x0000000140000000-0x00000001401ED000-memory.dmp
    Filesize: 1.9MB
  • memory/1296-17-0x0000000140000000-0x00000001401ED000-memory.dmp
    Filesize: 1.9MB
  • memory/1296-16-0x0000000140000000-0x00000001401ED000-memory.dmp
    Filesize: 1.9MB
  • memory/1296-24-0x0000000140000000-0x00000001401ED000-memory.dmp
    Filesize: 1.9MB
  • memory/1296-23-0x0000000140000000-0x00000001401ED000-memory.dmp
    Filesize: 1.9MB
  • memory/1296-25-0x0000000140000000-0x00000001401ED000-memory.dmp
    Filesize: 1.9MB
  • memory/1296-26-0x0000000140000000-0x00000001401ED000-memory.dmp
    Filesize: 1.9MB
  • memory/1296-27-0x0000000140000000-0x00000001401ED000-memory.dmp
    Filesize: 1.9MB
  • memory/1296-30-0x0000000140000000-0x00000001401ED000-memory.dmp
    Filesize: 1.9MB
  • memory/1296-29-0x0000000140000000-0x00000001401ED000-memory.dmp
    Filesize: 1.9MB
  • memory/1296-28-0x0000000140000000-0x00000001401ED000-memory.dmp
    Filesize: 1.9MB
  • memory/1296-32-0x0000000140000000-0x00000001401ED000-memory.dmp
    Filesize: 1.9MB
  • memory/1296-33-0x0000000140000000-0x00000001401ED000-memory.dmp
    Filesize: 1.9MB
  • memory/1296-34-0x0000000140000000-0x00000001401ED000-memory.dmp
    Filesize: 1.9MB
  • memory/1296-31-0x0000000140000000-0x00000001401ED000-memory.dmp
    Filesize: 1.9MB
  • memory/1296-35-0x0000000140000000-0x00000001401ED000-memory.dmp
    Filesize: 1.9MB
  • memory/1296-36-0x0000000140000000-0x00000001401ED000-memory.dmp
    Filesize: 1.9MB
  • memory/1296-4-0x00000000777C6000-0x00000000777C7000-memory.dmp
    Filesize: 4KB
  • memory/1296-40-0x0000000140000000-0x00000001401ED000-memory.dmp
    Filesize: 1.9MB
  • memory/1296-39-0x0000000140000000-0x00000001401ED000-memory.dmp
    Filesize: 1.9MB
  • memory/1296-41-0x0000000140000000-0x00000001401ED000-memory.dmp
    Filesize: 1.9MB
  • memory/1296-37-0x0000000140000000-0x00000001401ED000-memory.dmp
    Filesize: 1.9MB
  • memory/1296-42-0x0000000140000000-0x00000001401ED000-memory.dmp
    Filesize: 1.9MB
  • memory/1296-43-0x0000000140000000-0x00000001401ED000-memory.dmp
    Filesize: 1.9MB
  • memory/1296-44-0x0000000140000000-0x00000001401ED000-memory.dmp
    Filesize: 1.9MB
  • memory/1296-45-0x0000000140000000-0x00000001401ED000-memory.dmp
    Filesize: 1.9MB
  • memory/1296-18-0x0000000140000000-0x00000001401ED000-memory.dmp
    Filesize: 1.9MB
  • memory/1296-47-0x0000000002930000-0x0000000002937000-memory.dmp
    Filesize: 28KB
  • memory/1296-48-0x0000000140000000-0x00000001401ED000-memory.dmp
    Filesize: 1.9MB
  • memory/1296-55-0x0000000140000000-0x00000001401ED000-memory.dmp
    Filesize: 1.9MB
  • memory/1296-57-0x0000000077B30000-0x0000000077B32000-memory.dmp
    Filesize: 8KB
  • memory/1296-56-0x00000000779D1000-0x00000000779D2000-memory.dmp
    Filesize: 4KB
  • memory/1296-66-0x0000000140000000-0x00000001401ED000-memory.dmp
    Filesize: 1.9MB
  • memory/1296-71-0x0000000140000000-0x00000001401ED000-memory.dmp
    Filesize: 1.9MB
  • memory/1296-72-0x0000000140000000-0x00000001401ED000-memory.dmp
    Filesize: 1.9MB
  • memory/1296-21-0x0000000140000000-0x00000001401ED000-memory.dmp
    Filesize: 1.9MB
  • memory/1296-22-0x0000000140000000-0x00000001401ED000-memory.dmp
    Filesize: 1.9MB
  • memory/1296-5-0x0000000002950000-0x0000000002951000-memory.dmp
    Filesize: 4KB
  • memory/1296-20-0x0000000140000000-0x00000001401ED000-memory.dmp
    Filesize: 1.9MB
  • memory/1296-19-0x0000000140000000-0x00000001401ED000-memory.dmp
    Filesize: 1.9MB
  • memory/1296-75-0x0000000140000000-0x00000001401ED000-memory.dmp
    Filesize: 1.9MB
  • memory/1296-13-0x0000000140000000-0x00000001401ED000-memory.dmp
    Filesize: 1.9MB
  • memory/1296-15-0x0000000140000000-0x00000001401ED000-memory.dmp
    Filesize: 1.9MB
  • memory/1296-14-0x0000000140000000-0x00000001401ED000-memory.dmp
    Filesize: 1.9MB
  • memory/1296-7-0x0000000140000000-0x00000001401ED000-memory.dmp
    Filesize: 1.9MB
  • memory/1296-143-0x00000000777C6000-0x00000000777C7000-memory.dmp
    Filesize: 4KB
  • memory/1296-9-0x0000000140000000-0x00000001401ED000-memory.dmp
    Filesize: 1.9MB
  • memory/1296-10-0x0000000140000000-0x00000001401ED000-memory.dmp
    Filesize: 1.9MB
  • memory/1296-12-0x0000000140000000-0x00000001401ED000-memory.dmp
    Filesize: 1.9MB
  • memory/1296-11-0x0000000140000000-0x00000001401ED000-memory.dmp
    Filesize: 1.9MB
  • memory/1720-84-0x00000000000F0000-0x00000000000F7000-memory.dmp
    Filesize: 28KB
  • memory/2892-8-0x0000000140000000-0x00000001401ED000-memory.dmp
    Filesize: 1.9MB
  • memory/2892-0-0x00000000001A0000-0x00000000001A7000-memory.dmp
    Filesize: 28KB
  • memory/2892-1-0x0000000140000000-0x00000001401ED000-memory.dmp
    Filesize: 1.9MB