Analysis

  • max time kernel
    150s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    22-12-2023 16:27

General

  • Target

    ef80a26b9b53544e6ece76e1f163edfe.dll

  • Size

    3.5MB

  • MD5

    ef80a26b9b53544e6ece76e1f163edfe

  • SHA1

    c15d4c24a6039135c6d9c694c547afe9d5f32941

  • SHA256

    3e4452a0f8ad4d71bf7fa8a9f39acd16c2dc8480781308d33208229f188f6540

  • SHA512

    d5504b28d1c8197f1419f42f3f6eb3f68683facc95957a3d1b2a7e221fba07aeccdb3cfc1adb097637b8a92f7db6289ddf2a31a5a56ae02d20c108dffdc0ed5a

  • SSDEEP

    12288:6VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ17dv:nfP7fWsK5z9A+WGAW+V5SB6Ct4bnbZ

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a banking trojan that specializes in stealing online-banking credentials.

  • Dridex Shellcode (1 IoC)

    Detects Dridex payload shellcode injected into the Explorer process.

  • Drops startup file (3 IoCs)
  • Executes dropped EXE (3 IoCs)
  • Loads dropped DLL (7 IoCs)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Checks whether UAC is enabled (1 TTP, 3 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of WriteProcessMemory (18 IoCs)
  • Uses Task Scheduler COM API (1 TTP)

    The Task Scheduler COM API can be used to schedule applications to run at boot or at set times.

Processes

  All seven processes sit at depth 1 of the tree; the report does not show a parent for any of them.

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ef80a26b9b53544e6ece76e1f163edfe.dll
    • Suspicious behavior: EnumeratesProcesses
    PID:2032
  • C:\Windows\system32\fveprompt.exe
    C:\Windows\system32\fveprompt.exe
    PID:1184
  • C:\Users\Admin\AppData\Local\iuLTb\fveprompt.exe
    C:\Users\Admin\AppData\Local\iuLTb\fveprompt.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:1772
  • C:\Windows\system32\vmicsvc.exe
    C:\Windows\system32\vmicsvc.exe
    PID:1080
  • C:\Users\Admin\AppData\Local\m5ww5z\vmicsvc.exe
    C:\Users\Admin\AppData\Local\m5ww5z\vmicsvc.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:2520
  • C:\Windows\system32\spinstall.exe
    C:\Windows\system32\spinstall.exe
    PID:1488
  • C:\Users\Admin\AppData\Local\DAXqf\spinstall.exe
    C:\Users\Admin\AppData\Local\DAXqf\spinstall.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:1500

  Read together with the Downloads list, the tree shows the Dridex loader's usual side-loading pattern: each Windows binary (fveprompt.exe, vmicsvc.exe, spinstall.exe) is first started from System32, then a copy is started from a freshly created directory under %LOCALAPPDATA% (iuLTb, m5ww5z, DAXqf) that also holds a 3.5MB DLL carrying a System32 DLL name (slc.dll, ACTIVEDS.dll, wer.dll), the same size as the submitted DLL. For a DLL that is not on the KnownDLLs list the application directory is searched before System32, so the copy loads the dropped DLL; that is what the "Loads dropped DLL" hits on PIDs 1772, 2520 and 1500 record. Two checks before acting on this list: the report gives spinstall.exe under DAXqf twice, at 584KB and at 256KB with different hashes, so keep both; and compare the three .exe hashes with the System32 originals before adding them to a blocklist, because the report does not say whether the copies are modified and an unmodified copy shares its hash with the legitimate signed binary.
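The tree above is the kind of telemetry a detection engineer turns into rules: regsvr32 /s pointed at a DLL in a user-writable directory, a Windows binary name running from outside System32, a shortcut written to the Startup folder, and a Run value pointing into %LOCALAPPDATA%. The following Python is an added example written for this page, not code from Triage or from any vendor rule set. The events are constructed from the tree and the Downloads list, the field names are this example's own rather than any EDR schema, and the Run-key event (value name "Updater") is hypothetical, because the report only says a Run key was added without showing it.

```python
import ntpath
import re

# Image names the sample copied out of System32 in this run. One of these names
# executing from outside the Windows directory is either a masquerade or a
# staged DLL side-load host. Extend the set with your own inventory.
SYSTEM_BINARIES = {"fveprompt.exe", "vmicsvc.exe", "spinstall.exe"}
WINDOWS_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("\\appdata\\local\\", "\\appdata\\roaming\\",
                 "\\users\\public\\", "\\programdata\\")
STARTUP_LNK = re.compile(r"\\(start menu|startm~1)\\programs\\startup\\[^\\]+\.lnk$", re.I)
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\", re.I)

# Constructed telemetry modelled on the process tree and dropped files above.
# Field names are this example's own; the registry event is hypothetical (the
# report records that a Run key was added but does not show name or value).
EVENTS = [
    {"event": "process_create", "pid": 2032, "image": r"C:\Windows\system32\regsvr32.exe",
     "cmdline": r"regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ef80a26b9b53544e6ece76e1f163edfe.dll"},
    {"event": "process_create", "pid": 1184, "image": r"C:\Windows\system32\fveprompt.exe",
     "cmdline": r"C:\Windows\system32\fveprompt.exe"},
    {"event": "process_create", "pid": 1772, "image": r"C:\Users\Admin\AppData\Local\iuLTb\fveprompt.exe",
     "cmdline": r"C:\Users\Admin\AppData\Local\iuLTb\fveprompt.exe"},
    {"event": "process_create", "pid": 2520, "image": r"C:\Users\Admin\AppData\Local\m5ww5z\vmicsvc.exe",
     "cmdline": r"C:\Users\Admin\AppData\Local\m5ww5z\vmicsvc.exe"},
    # benign control: silent registration of a vendor DLL from Program Files
    {"event": "process_create", "pid": 4242, "image": r"C:\Windows\system32\regsvr32.exe",
     "cmdline": r"regsvr32 /s C:\Program Files\Vendor\component.dll"},
    {"event": "file_create",
     "target": r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ercyejwqgvsruoy.lnk"},
    {"event": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r"C:\Users\Admin\AppData\Local\DAXqf\spinstall.exe"},
]


def regsvr32_silent_from_user_dir(ev):
    """regsvr32 /s registering a DLL that lives under a user-writable directory."""
    if ev.get("event") != "process_create":
        return None
    if ntpath.basename(ev["image"]).lower() != "regsvr32.exe":
        return None
    cmd = ev["cmdline"].lower()
    if "/s" in cmd.split() and any(d in cmd for d in USER_WRITABLE):
        return f"silent DLL registration from user-writable path: {ev['cmdline']}"
    return None


def system_binary_outside_windows(ev):
    """A Windows binary name executing from outside System32/SysWOW64."""
    if ev.get("event") != "process_create":
        return None
    image = ev["image"].lower()
    if ntpath.basename(image) in SYSTEM_BINARIES and not image.startswith(WINDOWS_DIRS):
        return f"{ntpath.basename(image)} running from {ntpath.dirname(ev['image'])}"
    return None


def startup_folder_shortcut(ev):
    """A .lnk written to the per-user Startup folder (runs at every logon)."""
    if ev.get("event") == "file_create" and STARTUP_LNK.search(ev["target"]):
        return f"startup shortcut written: {ev['target']}"
    return None


def run_key_to_user_path(ev):
    """A Run/RunOnce value whose target lives under a user-writable directory."""
    if ev.get("event") == "registry_set" and RUN_KEY.search(ev["key"]):
        if any(d in ev["value"].lower() for d in USER_WRITABLE):
            return f"Run key {ev['key']} -> {ev['value']}"
    return None


RULES = (regsvr32_silent_from_user_dir, system_binary_outside_windows,
         startup_folder_shortcut, run_key_to_user_path)


def evaluate(events):
    """Return (pid, rule name, detail) for every rule that fires on every event."""
    findings = []
    for ev in events:
        for rule in RULES:
            detail = rule(ev)
            if detail:
                findings.append((ev.get("pid"), rule.__name__, detail))
    return findings


if __name__ == "__main__":
    for pid, rule, detail in evaluate(EVENTS):
        print(f"[{rule}] pid={pid}: {detail}")
```

On the constructed events the benign regsvr32 call from Program Files and the System32 copy of fveprompt.exe (PID 1184) stay quiet, while the Temp-directory registration, the two %LOCALAPPDATA% copies, the Startup shortcut and the Run value each fire once. The second rule is deliberately path-based rather than hash-based for the reason given under Processes: the staged .exe may be an unmodified signed binary.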

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\DAXqf\spinstall.exe
    Filesize 584KB
    MD5 29c1d5b330b802efa1a8357373bc97fe
    SHA1 90797aaa2c56fc2a667c74475996ea1841bc368f
    SHA256 048bd22abf158346ab991a377cc6e9d2b20b4d73ccee7656c96a41f657e7be7f
    SHA512 66f4f75a04340a1dd55dfdcc3ff1103ea34a55295f56c12e88d38d1a41e5be46b67c98bd66ac9f878ce79311773e374ed2bce4dd70e8bb5543e4ec1dd56625ee
  • C:\Users\Admin\AppData\Local\DAXqf\wer.dll
    Filesize 3.5MB
    MD5 78de0b7d33a5cc6198e5dd1827179030
    SHA1 3ba19cc89923b3921d311440f45a41f0fd055dab
    SHA256 1e8269aa0a7a6ec478ca1b25b6c1c603d5085c760a24ba84419fb477d8609da4
    SHA512 0f4379fe7b7b22d90197e5d7f338fdcd5425f9ef3068fdd5aa7eaadba92a8a1bff80fa584a713ad6d2cb452f0b92e9d6304c28b85b453d78cb540351b9988765
  • C:\Users\Admin\AppData\Local\iuLTb\slc.dll
    Filesize 3.5MB
    MD5 328ccef172dc5e8a8c396d36fba2551b
    SHA1 9d0b2e41a398c3ab0409b84e92ae35b12775efdf
    SHA256 bb2db008dd95d05a6aea5ae9c5574821ab658eb80e7688d6b0b3dc471c0f636b
    SHA512 c3dda410bbdc734c0d0702bb818d141b1c5253272684ecce90a2ccae949512ac4cdf13e588e6aa13bcf3a287da1d9c33950e85e984c48d68f39638221a28b56a
  • C:\Users\Admin\AppData\Local\m5ww5z\ACTIVEDS.dll
    Filesize 3.5MB
    MD5 309c032f61cb6b6e4f85d083eb6eab2b
    SHA1 5efb986efe2112a5cd17c8376ddbae6bd488c23b
    SHA256 57f6c5dc7ae4cb8d2b3893cedfa27c68d1492107374e16a5f83408ebf6a5ca91
    SHA512 8796eae17928ecbb7fefffacfa4448bc91111aae797fcedfce8af699c1c15174560152639fbbce529e4862cf81d82310558e7ab6bd735f763234cbd26c10ce7a
  • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ercyejwqgvsruoy.lnk
    Filesize 1KB
    MD5 b22410cba545caa35d03c869f92fbd1e
    SHA1 62e50801a38c1be96ff26356899a22e69da74ab6
    SHA256 a1fc6344065578caf335ca4181bd69ce0d9e17d639e481acdab41ef18fa77b54
    SHA512 bce4263393b4ea4d8f84163fc0da4ecebe90eaffe96e45ff7f53a5eb0601acb5fe223e0e838bf50fae357ef56d42be0ef09adebec8ca9aebae1fb406f9a414fb
  • \Users\Admin\AppData\Local\DAXqf\spinstall.exe
    Filesize 256KB
    MD5 6c2f0a55f91dec2b88dd1c42ce6fde72
    SHA1 aba5287888d06e844fee88afac434e9bd42a17cf
    SHA256 71a4d830171741a1a3009f7ad79b878647aefd1a5edc748480f1a26b409aa88a
    SHA512 b46b0d4fb10f98542e089f7b0f6d2f0dc593d48451e7271e05b42973afe2701ff37710f3494c11d71c69afe82416bf8a151752951786ca03b91d27490607abe3
  • \Users\Admin\AppData\Local\iuLTb\fveprompt.exe
    Filesize 104KB
    MD5 dc2c44a23b2cd52bd53accf389ae14b2
    SHA1 e36c7b6f328aa2ab2f52478169c52c1916f04b5f
    SHA256 7f5b19f2c6a94833196ee1929d48094889b33b504d73d3af88dd857ceaf67921
    SHA512 ff083f74777a9cfc940d4e0cb55886397e27c85f867de9a5dd9ea2c2751d2a77bf75fe0734e424d9678c83e927788d07d0b3072024f7e5a9848c7ff1aa4090dc
  • \Users\Admin\AppData\Local\m5ww5z\vmicsvc.exe
    Filesize 238KB
    MD5 79e14b291ca96a02f1eb22bd721deccd
    SHA1 4c8dbff611acd8a92cd2280239f78bebd2a9947e
    SHA256 d829166db30923406a025bf33d6a0997be0a3df950114d1f34547a9525b749e8
    SHA512 f3d1fa7732b6b027bbaf22530331d27ede85f92c9fd64f940139fd262bd7468211a8a54c835d3934b1974b3d8ecddefa79ea77901b9ef49ab36069963693f988

  The remaining entries are memory dumps. PID 1348 does not appear in the process tree; the 3.5MB image at 0x140000000 that was snapshotted from it 58 times (sequence numbers 8 to 65) is the size of the submitted DLL, and the Dridex Shellcode signature reports injection into Explorer, so 1348 is most likely the explorer.exe process (an inference; the report itself does not name it). The same image is also mapped in regsvr32 (PID 2032), which loaded the submitted DLL directly.

  • memory/1348-4-0x0000000076C26000-0x0000000076C27000-memory.dmp
    Filesize 4KB
  • memory/1348-5-0x00000000025C0000-0x00000000025C1000-memory.dmp
    Filesize 4KB
  • memory/1348-8-0x0000000140000000-0x000000014037D000-memory.dmp
    Filesize 3.5MB
  • memory/1348-9-0x0000000140000000-0x000000014037D000-memory.dmp
    Filesize 3.5MB
  • memory/1348-10-0x0000000140000000-0x000000014037D000-memory.dmp
    Filesize 3.5MB
  • memory/1348-11-0x0000000140000000-0x000000014037D000-memory.dmp
    Filesize 3.5MB
  • memory/1348-12-0x0000000140000000-0x000000014037D000-memory.dmp
    Filesize 3.5MB
  • memory/1348-13-0x0000000140000000-0x000000014037D000-memory.dmp
    Filesize 3.5MB
  • memory/1348-14-0x0000000140000000-0x000000014037D000-memory.dmp
    Filesize 3.5MB
  • memory/1348-15-0x0000000140000000-0x000000014037D000-memory.dmp
    Filesize 3.5MB
  • memory/1348-16-0x0000000140000000-0x000000014037D000-memory.dmp
    Filesize 3.5MB
  • memory/1348-17-0x0000000140000000-0x000000014037D000-memory.dmp
    Filesize 3.5MB
  • memory/1348-18-0x0000000140000000-0x000000014037D000-memory.dmp
    Filesize 3.5MB
  • memory/1348-19-0x0000000140000000-0x000000014037D000-memory.dmp
    Filesize 3.5MB
  • memory/1348-20-0x0000000140000000-0x000000014037D000-memory.dmp
    Filesize 3.5MB
  • memory/1348-21-0x0000000140000000-0x000000014037D000-memory.dmp
    Filesize 3.5MB
  • memory/1348-22-0x0000000140000000-0x000000014037D000-memory.dmp
    Filesize 3.5MB
  • memory/1348-23-0x0000000140000000-0x000000014037D000-memory.dmp
    Filesize 3.5MB
  • memory/1348-24-0x0000000140000000-0x000000014037D000-memory.dmp
    Filesize 3.5MB
  • memory/1348-25-0x0000000140000000-0x000000014037D000-memory.dmp
    Filesize 3.5MB
  • memory/1348-26-0x0000000140000000-0x000000014037D000-memory.dmp
    Filesize 3.5MB
  • memory/1348-27-0x0000000140000000-0x000000014037D000-memory.dmp
    Filesize 3.5MB
  • memory/1348-28-0x0000000140000000-0x000000014037D000-memory.dmp
    Filesize 3.5MB
  • memory/1348-29-0x0000000140000000-0x000000014037D000-memory.dmp
    Filesize 3.5MB
  • memory/1348-30-0x0000000140000000-0x000000014037D000-memory.dmp
    Filesize 3.5MB
  • memory/1348-31-0x0000000140000000-0x000000014037D000-memory.dmp
    Filesize 3.5MB
  • memory/1348-32-0x0000000140000000-0x000000014037D000-memory.dmp
    Filesize 3.5MB
  • memory/1348-33-0x0000000140000000-0x000000014037D000-memory.dmp
    Filesize 3.5MB
  • memory/1348-34-0x0000000140000000-0x000000014037D000-memory.dmp
    Filesize 3.5MB
  • memory/1348-35-0x0000000140000000-0x000000014037D000-memory.dmp
    Filesize 3.5MB
  • memory/1348-36-0x0000000140000000-0x000000014037D000-memory.dmp
    Filesize 3.5MB
  • memory/1348-37-0x0000000140000000-0x000000014037D000-memory.dmp
    Filesize 3.5MB
  • memory/1348-38-0x0000000140000000-0x000000014037D000-memory.dmp
    Filesize 3.5MB
  • memory/1348-39-0x0000000140000000-0x000000014037D000-memory.dmp
    Filesize 3.5MB
  • memory/1348-40-0x0000000140000000-0x000000014037D000-memory.dmp
    Filesize 3.5MB
  • memory/1348-41-0x0000000140000000-0x000000014037D000-memory.dmp
    Filesize 3.5MB
  • memory/1348-42-0x0000000140000000-0x000000014037D000-memory.dmp
    Filesize 3.5MB
  • memory/1348-43-0x0000000140000000-0x000000014037D000-memory.dmp
    Filesize 3.5MB
  • memory/1348-44-0x0000000140000000-0x000000014037D000-memory.dmp
    Filesize 3.5MB
  • memory/1348-45-0x0000000140000000-0x000000014037D000-memory.dmp
    Filesize 3.5MB
  • memory/1348-46-0x0000000140000000-0x000000014037D000-memory.dmp
    Filesize 3.5MB
  • memory/1348-47-0x0000000140000000-0x000000014037D000-memory.dmp
    Filesize 3.5MB
  • memory/1348-48-0x0000000140000000-0x000000014037D000-memory.dmp
    Filesize 3.5MB
  • memory/1348-49-0x0000000140000000-0x000000014037D000-memory.dmp
    Filesize 3.5MB
  • memory/1348-50-0x0000000140000000-0x000000014037D000-memory.dmp
    Filesize 3.5MB
  • memory/1348-51-0x0000000140000000-0x000000014037D000-memory.dmp
    Filesize 3.5MB
  • memory/1348-52-0x0000000140000000-0x000000014037D000-memory.dmp
    Filesize 3.5MB
  • memory/1348-53-0x0000000140000000-0x000000014037D000-memory.dmp
    Filesize 3.5MB
  • memory/1348-54-0x0000000140000000-0x000000014037D000-memory.dmp
    Filesize 3.5MB
  • memory/1348-55-0x0000000140000000-0x000000014037D000-memory.dmp
    Filesize 3.5MB
  • memory/1348-56-0x0000000140000000-0x000000014037D000-memory.dmp
    Filesize 3.5MB
  • memory/1348-57-0x0000000140000000-0x000000014037D000-memory.dmp
    Filesize 3.5MB
  • memory/1348-58-0x0000000140000000-0x000000014037D000-memory.dmp
    Filesize 3.5MB
  • memory/1348-59-0x0000000140000000-0x000000014037D000-memory.dmp
    Filesize 3.5MB
  • memory/1348-60-0x0000000140000000-0x000000014037D000-memory.dmp
    Filesize 3.5MB
  • memory/1348-61-0x0000000140000000-0x000000014037D000-memory.dmp
    Filesize 3.5MB
  • memory/1348-62-0x0000000140000000-0x000000014037D000-memory.dmp
    Filesize 3.5MB
  • memory/1348-63-0x0000000140000000-0x000000014037D000-memory.dmp
    Filesize 3.5MB
  • memory/1348-64-0x0000000140000000-0x000000014037D000-memory.dmp
    Filesize 3.5MB
  • memory/1348-65-0x0000000140000000-0x000000014037D000-memory.dmp
    Filesize 3.5MB
  • memory/1348-81-0x0000000002590000-0x0000000002597000-memory.dmp
    Filesize 28KB
  • memory/1348-90-0x0000000076E31000-0x0000000076E32000-memory.dmp
    Filesize 4KB
  • memory/1348-91-0x0000000076F90000-0x0000000076F92000-memory.dmp
    Filesize 8KB
  • memory/1348-158-0x0000000076C26000-0x0000000076C27000-memory.dmp
    Filesize 4KB
  • memory/1772-119-0x0000000000090000-0x0000000000097000-memory.dmp
    Filesize 28KB
  • memory/2032-0-0x0000000000120000-0x0000000000127000-memory.dmp
    Filesize 28KB
  • memory/2032-1-0x0000000140000000-0x000000014037D000-memory.dmp
    Filesize 3.5MB
  • memory/2032-7-0x0000000140000000-0x000000014037D000-memory.dmp
    Filesize 3.5MB
  • memory/2520-136-0x00000000000F0000-0x00000000000F7000-memory.dmp
    Filesize 28KB