Analysis

  • max time kernel
    153s
  • max time network
    130s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    22-12-2023 17:05

General

  • Target

    fb1badc1eca5035ae1b98513d0cfef32.dll

  • Size

    2.8MB

  • MD5

    fb1badc1eca5035ae1b98513d0cfef32

  • SHA1

    86c4360f82192f01f05460d7ec2c70ebe8682ef1

  • SHA256

    a5c474972a6ac68a91e311ba343163c82cd7762e663ddf5b030c5bae06d1e9eb

  • SHA512

    d863d9e1b7c5b2a57de8992797fc09357c6af64611bb05af78fa37bd5db7179b77c32267c7ee39c3c7cf4923369ee067493f1849e0a08bcf93c67efe83eb8254

  • SSDEEP

    12288:YVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:NfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a banking trojan that specializes in stealing bank credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex payload shellcode injected into the Explorer process.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run at boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\fb1badc1eca5035ae1b98513d0cfef32.dll,#1
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1796
  • C:\Windows\system32\perfmon.exe
    C:\Windows\system32\perfmon.exe
    PID:2640
  • C:\Users\Admin\AppData\Local\XNj\perfmon.exe
    C:\Users\Admin\AppData\Local\XNj\perfmon.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:2056
  • C:\Windows\system32\dccw.exe
    C:\Windows\system32\dccw.exe
    PID:2916
  • C:\Users\Admin\AppData\Local\Kn7CY2il\dccw.exe
    C:\Users\Admin\AppData\Local\Kn7CY2il\dccw.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:2920
  • C:\Windows\system32\osk.exe
    C:\Windows\system32\osk.exe
    PID:1364
  • C:\Users\Admin\AppData\Local\CD5\osk.exe
    C:\Users\Admin\AppData\Local\CD5\osk.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:1496

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\CD5\dwmapi.dll
    Filesize 41KB
    MD5 4871ac84db39df25c4fa2a90ce3389cf
    SHA1 52c31ef73cc5f7105a2300c73a8f80a3d657a370
    SHA256 622a78ebfdc1a052de9519d2c61be74c190951ad46fa16aa8f4d3ff8a7adc176
    SHA512 a7ce8a92a857733edca1b7c3f1a65174f372a3a36c63411cd5b4974240d460f57764c9b9f2421da29cbe0be06cd69fd58073c6c06cf64251bee1b12ffbba8cab

  • C:\Users\Admin\AppData\Local\CD5\osk.exe
    Filesize 66KB
    MD5 80a8659bfe6ca1fa40eb00225ed45725
    SHA1 6cf3002eb06919d115169e1f998cb986f6caf731
    SHA256 b2e24119135aef077b0849250901cf25684bb4b4641e8ef157a0e3bb3bcb3b19
    SHA512 a1791844f689805e0c1b57a6a9ba9a1f5b9f2bc5af4b29f2449800aedde9fcdabf77a0543764e0cb791c8e71d0ca98c2ddd43c0e870cc090001b969e1343d56b

  • C:\Users\Admin\AppData\Local\CD5\osk.exe
    Filesize 218KB
    MD5 0c9d499f2d6b50da10187633d0783bea
    SHA1 c4beffc25de6b57f7f1d1873721cdabe344d7461
    SHA256 b720bddfddb0a3381b063e87d4724ac1ae5251d8f7d8d4b7f5c732a68b55c05e
    SHA512 a9c386b717bca5c4e9e9d379113f51fb50a771546c072ee9162ecba0cbd424bec802f6041a5288a764cd261acf3fd6b21819b8f0f0893fcdc5a969b46e7cd602

  • C:\Users\Admin\AppData\Local\Kn7CY2il\dccw.exe
    Filesize 178KB
    MD5 423199194601c75041c17f11d75be503
    SHA1 c04b110a4800d018ca1af40c1624cca9360d2256
    SHA256 bfc48f22aaa40519a95148042296b4ffc3deea9e5c5b7c76ade55ff42128598f
    SHA512 f6547d5db1dd7aae483e5aa91a54398ca28ed90fb68fa3437daefc9a47e4504bf85ca143e5366bbbde518efc0ed7a7af88f7413c0faa08fd8048ccafe9364b63

  • C:\Users\Admin\AppData\Local\Kn7CY2il\dccw.exe
    Filesize 230KB
    MD5 1f137257c90f4157a0e7e3bd9e23ace7
    SHA1 5a3aeb6a77610c370d14636575051b680f26b49c
    SHA256 2eb89efa073d8f5166255273eecd31f6f4cbdc2384ea4dcc3776dc94a54fa33f
    SHA512 26127cfaeddcc442dd0d743a2ef2800209d07d70173259d3723458520e120485a73619cbf4d3b0312e195c873052efc257c599f4798d182fb86afdcdc80ec3ba

  • C:\Users\Admin\AppData\Local\Kn7CY2il\dxva2.dll
    Filesize 272KB
    MD5 f010a9e86036d89e1ea908e68f039462
    SHA1 00e8ec37ee5febe2699b63a9a37e212e74e7d2cc
    SHA256 fb35d8df0dbf287b8b97e933806b19436e40573f71f9a4ebe63e1da53c170b3b
    SHA512 3b347f8d1a4e4e7a64bc45e3d3e0b80554718624c56cf183f651e45a338e20f571500e4ac2961cd06c977cf51a46f32945751e2ec2446d5c135b213b78c96dc3

  • C:\Users\Admin\AppData\Local\XNj\credui.dll
    Filesize 190KB
    MD5 b5d33f82005d2c6139b776fce209b014
    SHA1 75847efb949f21e53d1760a76ea923fc2b50b137
    SHA256 ced60dc29e70a6c80c1b9126f6e163055f7fe52b15d6bf5abb03d62252d54b6d
    SHA512 b1b54d6581c64a85876d6aaa93c50d12561226587720e50eac495a70d5892cef62697765583ec19bee9919a9ad197491e78c743af61d8241798a9f57806ab146

  • C:\Users\Admin\AppData\Local\XNj\perfmon.exe
    Filesize 168KB
    MD5 3eb98cff1c242167df5fdbc6441ce3c5
    SHA1 730b27a1c92e8df1e60db5a6fc69ea1b24f68a69
    SHA256 6d8d5a244bb5a23c95653853fec3d04d2bdd2df5cff8cffb9848bddeb6adb081
    SHA512 f42be2a52d97fd1db2ed5a1a1a81a186a0aab41204980a103df33a4190632ba03f3cbb88fcea8da7ed9a5e15f60732d49a924b025fe6d3e623195ec1d37dfb35

  • C:\Users\Admin\AppData\Local\XNj\perfmon.exe
    Filesize 145KB
    MD5 06d9864e20223f24dd313e9508beedfb
    SHA1 a08e5bdd5ebb7e92216944621f2c8ab02e933927
    SHA256 23d601e7cd7f6e938d398402ec3590aaac5e62a092bb69c330046b5438a8474a
    SHA512 ea04d53fb1e5e3cb7000ec23976366170f90a73df7dac74a0243290f5204dc33dde8bf592d75576ed9f3d3e5efe56fbcafc3ff0f8f516243d2405df88dcde0db

  • C:\Users\Admin\AppData\Roaming\Identities\{EF0662BB-4AFF-4F56-815E-2ED0C139F855}\tYhhRx\dxva2.dll
    Filesize 2.8MB
    MD5 029956aacdaed94c84e4304ff879b6d8
    SHA1 9690a6b5a53d9ab36dc6f4bdaeb7b4b076af5cb0
    SHA256 0444c3899250a8618c79bf389cf17ab99c388e34d90fab16492584d1dc6eb822
    SHA512 1a8c558aae2bb9cdcc8734b9475c1aea9ce4b524d63b55753cbaebe9e42dc7a5d45bb669f7a0ea04f79795c92b881904eb187e2843913f3521e51ed58161d2d0

  • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Yiudzqwx.lnk
    Filesize 1KB
    MD5 a4703b869afaedd5d6f9253b0e1e43ac
    SHA1 ae37bacb154982ba50a776e0ad859fd21310ec76
    SHA256 6673372c486953b7ffcbcc73f2986c407e74dc87dfb197b0f221f58d61671593
    SHA512 fa74cfb09f7315d18b490e50056cdece3ef3fd3f68a71900a3cd4393faf57cbc4a8dbf2838ac9a55b71a236a7bf41fb7d2341beba39086cee6bb0ce267b8539d

  • C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\SSH9HALG\Y7VPhZ\dwmapi.dll
    Filesize 2.8MB
    MD5 df6f13d91f2eb1b37179abd79da2e5c5
    SHA1 8c6cb2c0d0294006a78f465cab45a7d7a48b830a
    SHA256 b3433d54b3c3ddf0a09db041963471f2f30bb527bc5ead670e410a1111dd6796
    SHA512 5f0256e7c6f9e79e354bcc28b270eee43ee0ae422f41a9ec27ba80e79b0f9207962695f923a6709e1211f2d0e9898d1cf5d398c7efdd7e765412f7498133ba65

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\KqjAkpkG5F\credui.dll
    Filesize 2.8MB
    MD5 a7addbf8c2395e11314cba64ab287da9
    SHA1 8635fa24ab4722a2f4543de1f10ca21f819d5b71
    SHA256 21e117841fa3941c6d93c333e5ba63bc5ac6937eddeccefd2555f10644f4338f
    SHA512 99172ab80ccec325af96e8a3a93dc936ccac1f043ad243aeb4a1ec5943059d4d1def36b908aa87e8c66e08791109adfc09e540aab3e973002e9d849365d0fb67

  • \Users\Admin\AppData\Local\CD5\dwmapi.dll
    Filesize 191KB
    MD5 86963b4bdf19693de34ceb0863ef8fdd
    SHA1 baa51faae22096aaf2840b98765c5352f96eab46
    SHA256 34ce8bf1d2fdcc17b024f924e116e75b8ef83d65c2ac7022b9525e4da8f8d4a0
    SHA512 336dec509008a99fe00591567a21cef3e206da0ac26bc3e95dbb2985166ed64afda1bf5b7c4b323afb0ff2558f3da34455e64129d21a3642bb3a7b4d875c20da

  • \Users\Admin\AppData\Local\CD5\osk.exe
    Filesize 161KB
    MD5 28e17df8e1150cf5fefa03e35bfd16e5
    SHA1 f4af067e8d7e10370208b340a684972be9e4cab1
    SHA256 ea224589e3aaffc048939068999f9aad79ace348e0391d37f025d59bce61da48
    SHA512 8005a34a20e046f41d687f46d153ef853497dd888a07ec0b116e1fe7635965dc79dd41bc81b48f4fe71a8fb5ecbb2df673f67adb3684a5160625d83c5f061cdd

  • \Users\Admin\AppData\Local\Kn7CY2il\dccw.exe
    Filesize 208KB
    MD5 debdc8a1916441f58d28a87eabc1c8e7
    SHA1 7b2ed6eae33118de2355add9a3c9d5204e07ce62
    SHA256 42542c4de7ec72c2048965fb1e0e449ab2deb104dc662e72e69389f6380c2569
    SHA512 ed94d07edcfd6a880d3a3e00c91001a4704c563e70fddf15df7d92aaf3441cf59953ad8cc92d43277c81f318cad80730e1fe183a4dff3785cac11ca2ac01419a

  • \Users\Admin\AppData\Local\Kn7CY2il\dxva2.dll
    Filesize 213KB
    MD5 25b6920fe8f99dadf02dcef4e965c469
    SHA1 b65addde11f4ae02aeb716f51c9c69d0b43521be
    SHA256 2946d1a6e2a4a1c1d1ac9f58389a79a6263820ed442c511938463b9e70e84076
    SHA512 17a1d55b5c3b6e276fd3ee7621c029386b95fa4b6a6ef230ead6d785bbf805f27ca8f8588037ce7e77f546e86e2750d78d625bbcdb3b1bd151780aa168c412ca

  • \Users\Admin\AppData\Local\XNj\credui.dll
    Filesize 239KB
    MD5 7234ee8c6a1282f42cd71b4f0b6135bb
    SHA1 a0a46155c8289822877fd4fc05995ffde0d67d52
    SHA256 6e76e78cc0d106fd1ef5f39cfadd6a54b11c9c2708c3c55714ca56c098f15d89
    SHA512 84317c8c9c00bbfbc821d3131f2a73cfedd05c4b34430701c2bc4002e50ef3ed8d143cd5ac67ca2c6a23d50df3ea82680d15afb252432f8e6010e725889380bf

  • \Users\Admin\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\SSH9HALG\Y7VPhZ\osk.exe
    Filesize 45KB
    MD5 0fa7ce2eceda9893bb82a9305111d451
    SHA1 bdb3b79d8bf7f8f50be59eb4a899daba5d9c9a5c
    SHA256 33426059111f000ba8be77ec2a43a3bbcbfe10f388b27cefca4cfdcca415b42d
    SHA512 81008b6999cc678013f344487b27962c5a8d2b8448f0984786d0f293322fd1d193f34f5c680d62906dbb7d126edc9190acf62b212b869e8a9390e270f4c91671

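The dropped-file list above is the pattern behind the "Executes dropped EXE" and "Loads dropped DLL" signatures: legitimate Windows binaries (perfmon.exe, dccw.exe, osk.exe) copied out of System32 into randomly named AppData folders, each beside a DLL carrying the name of a Windows system library (credui.dll, dxva2.dll, dwmapi.dll), with further 2.8MB copies of those DLL names staged on their own and a .lnk written to the Startup folder. The Python below is an added example, not part of the sandbox report: it applies that triage logic to paths copied from the list. The SYSTEM_BINARIES and SYSTEM_DLLS name sets are an assumption limited to the names in this report, not a general allowlist.

```python
"""Triage dropped-file paths for DLL side-loading and Startup persistence.

Added example, not part of the sandbox report. DROPPED is copied from the
report's Downloads list; SYSTEM_BINARIES and SYSTEM_DLLS are an assumption
limited to the names that appear in this report.
"""
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed from the report's Downloads list (drive-letter entries only).
DROPPED = [
    r"C:\Users\Admin\AppData\Local\CD5\dwmapi.dll",
    r"C:\Users\Admin\AppData\Local\CD5\osk.exe",
    r"C:\Users\Admin\AppData\Local\Kn7CY2il\dccw.exe",
    r"C:\Users\Admin\AppData\Local\Kn7CY2il\dxva2.dll",
    r"C:\Users\Admin\AppData\Local\XNj\credui.dll",
    r"C:\Users\Admin\AppData\Local\XNj\perfmon.exe",
    r"C:\Users\Admin\AppData\Roaming\Identities\{EF0662BB-4AFF-4F56-815E-2ED0C139F855}\tYhhRx\dxva2.dll",
    r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Yiudzqwx.lnk",
    r"C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\SSH9HALG\Y7VPhZ\dwmapi.dll",
    r"C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\SSH9HALG\Y7VPhZ\osk.exe",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\KqjAkpkG5F\credui.dll",
]

# Windows binaries the report shows launched from System32 and again from AppData.
SYSTEM_BINARIES = {"perfmon.exe", "dccw.exe", "osk.exe"}
# System DLL names that turned up next to those copies (assumed side-load targets).
SYSTEM_DLLS = {"credui.dll", "dxva2.dll", "dwmapi.dll"}


def outside_windows_dir(p: PureWindowsPath) -> bool:
    """True unless the first component after the root is the Windows directory."""
    return not (len(p.parts) > 1 and p.parts[1].lower() == "windows")


def triage(paths):
    """Group dropped files by directory and classify them.

    sideload_pair: a system-named EXE and a system-named DLL in the same
                   non-Windows directory (the DLL is loaded instead of the real one)
    staged_dll:    a system-named DLL dropped alone outside Windows (payload copy)
    startup_lnk:   a .lnk written under a Startup folder (persistence)
    """
    by_dir = defaultdict(lambda: {"exe": set(), "dll": set()})
    report = {"sideload_pair": [], "staged_dll": [], "startup_lnk": []}
    for raw in paths:
        p = PureWindowsPath(raw)
        name = p.name.lower()
        if name.endswith(".lnk") and any(part.lower() == "startup" for part in p.parts):
            report["startup_lnk"].append(raw)
        if not outside_windows_dir(p):
            continue  # the genuine System32 binaries are not findings
        if name in SYSTEM_BINARIES:
            by_dir[str(p.parent)]["exe"].add(name)
        elif name in SYSTEM_DLLS:
            by_dir[str(p.parent)]["dll"].add(name)
    for directory in sorted(by_dir):
        exes = sorted(by_dir[directory]["exe"])
        dlls = sorted(by_dir[directory]["dll"])
        if exes and dlls:
            report["sideload_pair"].append((directory, exes, dlls))
        elif dlls:
            report["staged_dll"].append((directory, dlls))
    return report


if __name__ == "__main__":
    for kind, hits in triage(DROPPED).items():
        for hit in hits:
            print(kind, hit)
```

Run against the list above this yields four side-load pairs (the three AppData\Local folders plus the Flash Player folder), two lone 2.8MB DLL copies, and the Startup .lnk. The same check applied to a live host should be combined with a signature check on the EXE, since the copied binary is the genuine one and only its location and neighbour are suspicious.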
  • memory/1240-29-0x0000000140000000-0x00000001402C6000-memory.dmp (Filesize 2.8MB)
  • memory/1240-36-0x0000000140000000-0x00000001402C6000-memory.dmp (Filesize 2.8MB)
  • memory/1240-38-0x0000000002A40000-0x0000000002A47000-memory.dmp (Filesize 28KB)
  • memory/1240-34-0x0000000140000000-0x00000001402C6000-memory.dmp (Filesize 2.8MB)
  • memory/1240-35-0x0000000140000000-0x00000001402C6000-memory.dmp (Filesize 2.8MB)
  • memory/1240-31-0x0000000140000000-0x00000001402C6000-memory.dmp (Filesize 2.8MB)
  • memory/1240-30-0x0000000140000000-0x00000001402C6000-memory.dmp (Filesize 2.8MB)
  • memory/1240-28-0x0000000140000000-0x00000001402C6000-memory.dmp (Filesize 2.8MB)
  • memory/1240-46-0x0000000077721000-0x0000000077722000-memory.dmp (Filesize 4KB)
  • memory/1240-45-0x0000000140000000-0x00000001402C6000-memory.dmp (Filesize 2.8MB)
  • memory/1240-47-0x0000000077880000-0x0000000077882000-memory.dmp (Filesize 8KB)
  • memory/1240-21-0x0000000140000000-0x00000001402C6000-memory.dmp (Filesize 2.8MB)
  • memory/1240-20-0x0000000140000000-0x00000001402C6000-memory.dmp (Filesize 2.8MB)
  • memory/1240-17-0x0000000140000000-0x00000001402C6000-memory.dmp (Filesize 2.8MB)
  • memory/1240-18-0x0000000140000000-0x00000001402C6000-memory.dmp (Filesize 2.8MB)
  • memory/1240-16-0x0000000140000000-0x00000001402C6000-memory.dmp (Filesize 2.8MB)
  • memory/1240-14-0x0000000140000000-0x00000001402C6000-memory.dmp (Filesize 2.8MB)
  • memory/1240-11-0x0000000140000000-0x00000001402C6000-memory.dmp (Filesize 2.8MB)
  • memory/1240-12-0x0000000140000000-0x00000001402C6000-memory.dmp (Filesize 2.8MB)
  • memory/1240-4-0x0000000077516000-0x0000000077517000-memory.dmp (Filesize 4KB)
  • memory/1240-56-0x0000000140000000-0x00000001402C6000-memory.dmp (Filesize 2.8MB)
  • memory/1240-62-0x0000000140000000-0x00000001402C6000-memory.dmp (Filesize 2.8MB)
  • memory/1240-64-0x0000000140000000-0x00000001402C6000-memory.dmp (Filesize 2.8MB)
  • memory/1240-37-0x0000000140000000-0x00000001402C6000-memory.dmp (Filesize 2.8MB)
  • memory/1240-33-0x0000000140000000-0x00000001402C6000-memory.dmp (Filesize 2.8MB)
  • memory/1240-32-0x0000000140000000-0x00000001402C6000-memory.dmp (Filesize 2.8MB)
  • memory/1240-5-0x0000000002A60000-0x0000000002A61000-memory.dmp (Filesize 4KB)
  • memory/1240-8-0x0000000140000000-0x00000001402C6000-memory.dmp (Filesize 2.8MB)
  • memory/1240-139-0x0000000077516000-0x0000000077517000-memory.dmp (Filesize 4KB)
  • memory/1240-9-0x0000000140000000-0x00000001402C6000-memory.dmp (Filesize 2.8MB)
  • memory/1240-27-0x0000000140000000-0x00000001402C6000-memory.dmp (Filesize 2.8MB)
  • memory/1240-26-0x0000000140000000-0x00000001402C6000-memory.dmp (Filesize 2.8MB)
  • memory/1240-24-0x0000000140000000-0x00000001402C6000-memory.dmp (Filesize 2.8MB)
  • memory/1240-25-0x0000000140000000-0x00000001402C6000-memory.dmp (Filesize 2.8MB)
  • memory/1240-10-0x0000000140000000-0x00000001402C6000-memory.dmp (Filesize 2.8MB)
  • memory/1240-23-0x0000000140000000-0x00000001402C6000-memory.dmp (Filesize 2.8MB)
  • memory/1240-22-0x0000000140000000-0x00000001402C6000-memory.dmp (Filesize 2.8MB)
  • memory/1240-19-0x0000000140000000-0x00000001402C6000-memory.dmp (Filesize 2.8MB)
  • memory/1240-15-0x0000000140000000-0x00000001402C6000-memory.dmp (Filesize 2.8MB)
  • memory/1240-13-0x0000000140000000-0x00000001402C6000-memory.dmp (Filesize 2.8MB)
  • memory/1496-116-0x0000000000190000-0x0000000000197000-memory.dmp (Filesize 28KB)
  • memory/1796-0-0x0000000000390000-0x0000000000397000-memory.dmp (Filesize 28KB)
  • memory/1796-7-0x0000000140000000-0x00000001402C6000-memory.dmp (Filesize 2.8MB)
  • memory/1796-1-0x0000000140000000-0x00000001402C6000-memory.dmp (Filesize 2.8MB)
  • memory/2056-74-0x0000000000280000-0x0000000000287000-memory.dmp (Filesize 28KB)
  • memory/2056-79-0x0000000140000000-0x00000001402C7000-memory.dmp (Filesize 2.8MB)
  • memory/2056-75-0x0000000140000000-0x00000001402C7000-memory.dmp (Filesize 2.8MB)
  • memory/2920-97-0x0000000140000000-0x00000001402C7000-memory.dmp (Filesize 2.8MB)
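
The memory dumps above show the same 2.8MB region at 0x140000000 in rundll32.exe (PID 1796, the loader), in PID 1240, which does not appear in the process tree and so was a process that already existed before the sample ran (consistent with the "Dridex Shellcode" signature, which places the payload in Explorer), and, one page larger, in the two side-loaded hosts (PIDs 2056 and 2920). The Python below is an added example, not part of the sandbox report: it parses the dump names, collapses the repeated snapshots of one region, and flags a PID outside the process tree that holds a payload-sized region, which is the footprint the "Suspicious use of WriteProcessMemory" signature implies. The 1 MiB threshold and the subset of dump names are assumptions.

```python
"""Spot injected payload regions in a sandbox memory-dump listing.

Added example, not part of the sandbox report. DUMPS is a subset of the
report's memory/ entries, TREE_PIDS is the report's process tree, and
MIN_PAYLOAD_SIZE is an assumed heuristic (a full mapped PE image, not a stub).
"""
import re
from collections import defaultdict

# memory/<pid>-<snapshot>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# Constructed subset of the report's memory-dump list.
DUMPS = [
    "memory/1796-0-0x0000000000390000-0x0000000000397000-memory.dmp",
    "memory/1796-1-0x0000000140000000-0x00000001402C6000-memory.dmp",
    "memory/1240-4-0x0000000077516000-0x0000000077517000-memory.dmp",
    "memory/1240-5-0x0000000002A60000-0x0000000002A61000-memory.dmp",
    "memory/1240-8-0x0000000140000000-0x00000001402C6000-memory.dmp",
    "memory/1240-38-0x0000000002A40000-0x0000000002A47000-memory.dmp",
    "memory/2056-74-0x0000000000280000-0x0000000000287000-memory.dmp",
    "memory/2056-75-0x0000000140000000-0x00000001402C7000-memory.dmp",
    "memory/2920-97-0x0000000140000000-0x00000001402C7000-memory.dmp",
    "memory/1496-116-0x0000000000190000-0x0000000000197000-memory.dmp",
]

# Every PID the sandbox saw start (the process tree above). A payload-sized
# region in any other PID means the loader wrote into a pre-existing process.
TREE_PIDS = {1796, 2640, 2056, 2916, 2920, 1364, 1496}

MIN_PAYLOAD_SIZE = 1 << 20  # assumed threshold: 1 MiB


def parse_dump(name):
    """Return (pid, snapshot_index, start, end) for one dump file name."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a memory dump name: {name}")
    return int(m["pid"]), int(m["idx"]), int(m["start"], 16), int(m["end"], 16)


def regions_by_pid(names):
    """Map PID -> set of distinct (start, end) regions, collapsing repeated snapshots."""
    out = defaultdict(set)
    for name in names:
        pid, _idx, start, end = parse_dump(name)
        out[pid].add((start, end))
    return dict(out)


def shared_regions(names, min_size=MIN_PAYLOAD_SIZE):
    """Regions of at least min_size that sit at the same address range in more than one PID."""
    holders = defaultdict(set)
    for pid, regions in regions_by_pid(names).items():
        for start, end in regions:
            if end - start >= min_size:
                holders[(start, end)].add(pid)
    return {region: pids for region, pids in holders.items() if len(pids) > 1}


def injected_targets(names, tree_pids=TREE_PIDS, min_size=MIN_PAYLOAD_SIZE):
    """PIDs outside the sandbox's process tree that hold a payload-sized region."""
    hits = []
    for pid, regions in sorted(regions_by_pid(names).items()):
        if pid in tree_pids:
            continue
        for start, end in sorted(regions):
            if end - start >= min_size:
                hits.append((pid, start, end))
    return hits


if __name__ == "__main__":
    for (start, end), pids in sorted(shared_regions(DUMPS).items()):
        print(f"0x{start:X}-0x{end:X} ({end - start} bytes) mapped in PIDs {sorted(pids)}")
    for pid, start, end in injected_targets(DUMPS):
        print(f"PID {pid} is not in the process tree but holds 0x{start:X}-0x{end:X}: injection target")
```

On the subset above, the 0x2C6000-byte region is shared by PIDs 1796 and 1240, the 0x2C7000-byte variant by 2056 and 2920, and 1240 is the only holder outside the tree. The 28KB regions in 1796, 1240, 2056 and 1496 fall below the threshold and are ignored; a tighter check would compare the region size against the mapped size of the submitted DLL, which the report does not give.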