Analysis

  • max time kernel: 150s
  • max time network: 123s
  • platform: windows7_x64
  • resource: win7-20231215-en
  • resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted: 22-12-2023 15:34

General

  • Target: da5e3cb85be5b54edb1e3b5ff9d733a2.dll
  • Size: 3.1MB
  • MD5: da5e3cb85be5b54edb1e3b5ff9d733a2
  • SHA1: e93524cf92f6c04fad09162a1462920dd0d48ec1
  • SHA256: e441dc66366d37c4598e91b6779169dcbc71f386ca494b9d6c9d8137b45233f7
  • SHA512: 640fffd35412cc5100aaf4c14ce6359b7c6fcb4df6e22bf3d501b342cc16fe65dc07ad431d22544f49ba0b37b2da7e2c0c7b121d64cb078ccdb4a1d66da60c33
  • SSDEEP: 12288:hVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1po:QfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode (1 IoC)

    Detects Dridex payload shellcode injected into the Explorer process.

  • Executes dropped EXE (3 IoCs)
  • Loads dropped DLL (7 IoCs)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Checks whether UAC is enabled (1 TTP, 4 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of WriteProcessMemory (18 IoCs)
  • Uses Task Scheduler COM API (1 TTP)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\da5e3cb85be5b54edb1e3b5ff9d733a2.dll,#1
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID: 2296
  • C:\Windows\system32\tabcal.exe
    C:\Windows\system32\tabcal.exe
    PID: 3012
    • C:\Users\Admin\AppData\Local\oXYk8tF\tabcal.exe
      C:\Users\Admin\AppData\Local\oXYk8tF\tabcal.exe
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID: 1668
    • C:\Windows\system32\dpnsvr.exe
      C:\Windows\system32\dpnsvr.exe
      PID: 524
      • C:\Users\Admin\AppData\Local\gD4S\dpnsvr.exe
        C:\Users\Admin\AppData\Local\gD4S\dpnsvr.exe
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID: 528
      • C:\Windows\system32\SystemPropertiesRemote.exe
        C:\Windows\system32\SystemPropertiesRemote.exe
        PID: 1664
        • C:\Users\Admin\AppData\Local\NO5MhWON\SystemPropertiesRemote.exe
          C:\Users\Admin\AppData\Local\NO5MhWON\SystemPropertiesRemote.exe
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID: 1696

Downloads

  • C:\Users\Admin\AppData\Local\NO5MhWON\SYSDM.CPL (1.8MB)
  • C:\Users\Admin\AppData\Local\gD4S\WINMM.dll (3.1MB)
  • C:\Users\Admin\AppData\Local\oXYk8tF\HID.DLL (44KB)
  • C:\Users\Admin\AppData\Local\oXYk8tF\tabcal.exe (46KB)
  • C:\Users\Admin\AppData\Local\oXYk8tF\tabcal.exe (22KB)
  • C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\ElHsIedO\SYSDM.CPL (3.1MB)
  • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Zrkibbhbsqvuoso.lnk (1KB)
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\gL9Gr7N\HID.DLL (3.1MB)
  • \Users\Admin\AppData\Local\NO5MhWON\SYSDM.CPL (1.8MB)
  • \Users\Admin\AppData\Local\NO5MhWON\SystemPropertiesRemote.exe (80KB)
  • \Users\Admin\AppData\Local\gD4S\dpnsvr.exe (33KB)
  • \Users\Admin\AppData\Local\oXYk8tF\HID.DLL (22KB)
  • \Users\Admin\AppData\Local\oXYk8tF\tabcal.exe (17KB)