Analysis

  • max time kernel
    150s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    22-12-2023 16:27

General

  • Target

    efedcd108046b223d56049091b408298.dll

  • Size

    1.5MB

  • MD5

    efedcd108046b223d56049091b408298

  • SHA1

    b0c68d9918ab0bfc3b2a165eafb67a5dc5de9d35

  • SHA256

    1f4c47d15d65d51f2b6dd680a7318d3639e0cfbcad702ba30e93a4a301d1ac06

  • SHA512

    682aa16df911870f710d7468cd87af0885572a043209797d0d092316811644e194187fdcb523502f79d30d85fa959be955eb8072e2815130f5b596d96f540f10

  • SSDEEP

    12288:iVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:/fP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Malware Config

Signatures

  • Dridex
    Dridex (known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
  • Dridex Shellcode (1 IoC)
    Detects Dridex payload shellcode injected into the Explorer process.
  • Executes dropped EXE (3 IoCs)
  • Loads dropped DLL (7 IoCs)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Checks whether UAC is enabled (1 TTP, 4 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of WriteProcessMemory (18 IoCs)
  • Uses Task Scheduler COM API (1 TTP)
    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\efedcd108046b223d56049091b408298.dll,#1
    PID: 2364
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
  • C:\Windows\system32\rrinstaller.exe
    C:\Windows\system32\rrinstaller.exe
    PID: 2012
  • C:\Users\Admin\AppData\Local\xNIThL\rrinstaller.exe
    C:\Users\Admin\AppData\Local\xNIThL\rrinstaller.exe
    PID: 1160
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
  • C:\Windows\system32\StikyNot.exe
    C:\Windows\system32\StikyNot.exe
    PID: 2784
  • C:\Users\Admin\AppData\Local\KfEscQo\StikyNot.exe
    C:\Users\Admin\AppData\Local\KfEscQo\StikyNot.exe
    PID: 2992
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
  • C:\Windows\system32\DWWIN.EXE
    C:\Windows\system32\DWWIN.EXE
    PID: 2268
  • C:\Users\Admin\AppData\Local\jXoyCGCgT\DWWIN.EXE
    C:\Users\Admin\AppData\Local\jXoyCGCgT\DWWIN.EXE
    PID: 1764
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\KfEscQo\DUI70.dll (816KB)
  • C:\Users\Admin\AppData\Local\KfEscQo\StikyNot.exe (353KB)
  • C:\Users\Admin\AppData\Local\KfEscQo\StikyNot.exe (371KB)
  • C:\Users\Admin\AppData\Local\jXoyCGCgT\DWWIN.EXE (115KB)
  • C:\Users\Admin\AppData\Local\jXoyCGCgT\DWWIN.EXE (76KB)
  • C:\Users\Admin\AppData\Local\jXoyCGCgT\wer.dll (249KB)
  • C:\Users\Admin\AppData\Local\xNIThL\MFPlat.DLL (593KB)
  • C:\Users\Admin\AppData\Roaming\Adobe\Flash Player\AssetCache\bMv4n1\DUI70.dll (1.7MB)
  • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Efrsxj.lnk (1KB)
  • C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\2U7v7yng\MFPlat.DLL (1.5MB)
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IECompatCache\tIKFeICP\wer.dll (1.5MB)
  • \Users\Admin\AppData\Local\KfEscQo\DUI70.dll (522KB)
  • \Users\Admin\AppData\Local\KfEscQo\StikyNot.exe (417KB)
  • \Users\Admin\AppData\Local\jXoyCGCgT\DWWIN.EXE (90KB)
  • \Users\Admin\AppData\Local\jXoyCGCgT\wer.dll (111KB)
  • \Users\Admin\AppData\Local\xNIThL\MFPlat.DLL (429KB)
  • \Users\Admin\AppData\Local\xNIThL\rrinstaller.exe (54KB)
  • \Users\Admin\AppData\Roaming\Microsoft\Windows\IECompatCache\tIKFeICP\DWWIN.EXE (149KB)
