Analysis

  • max time kernel
    153s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    22-12-2023 17:21

General

  • Target

    ffc534d7f4ae842b482459d6c9bdf83b.dll

  • Size

    1.5MB

  • MD5

    ffc534d7f4ae842b482459d6c9bdf83b

  • SHA1

    df4a15d08f9d32f13438cf5b5f517f435efce2e9

  • SHA256

    edd5115e384baca646c21047b643317e71d268059851bb97426d07b1b9db9c23

  • SHA512

    7d5a0725bc4c191101647e0d979acc647c500e52fb8c4986a7ffff44224d5b5f331079acf77c734169a84e6c248c5f1661f74a5c1e9348d15c3392bc3cc69d78

  • SSDEEP

    12288:ZVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:YfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\ffc534d7f4ae842b482459d6c9bdf83b.dll,#1
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:3044
  • C:\Windows\system32\icardagt.exe
    C:\Windows\system32\icardagt.exe
    PID:2092
    • C:\Users\Admin\AppData\Local\3DDyKG\icardagt.exe
      C:\Users\Admin\AppData\Local\3DDyKG\icardagt.exe
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:1988
    • C:\Windows\system32\SoundRecorder.exe
      C:\Windows\system32\SoundRecorder.exe
      PID:1020
      • C:\Users\Admin\AppData\Local\UV7ipgUQa\SoundRecorder.exe
        C:\Users\Admin\AppData\Local\UV7ipgUQa\SoundRecorder.exe
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:1452
      • C:\Windows\system32\SndVol.exe
        C:\Windows\system32\SndVol.exe
        PID:524
        • C:\Users\Admin\AppData\Local\rWeeZxI\SndVol.exe
          C:\Users\Admin\AppData\Local\rWeeZxI\SndVol.exe
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:268

Network

MITRE ATT&CK Enterprise v15

Downloads

        • C:\Users\Admin\AppData\Local\3DDyKG\VERSION.dll

          Filesize

          170KB

          MD5

          a31a80d976a7df97e62989a077184f8a

          SHA1

          13eb241115ad7db63f586276e352edb6a5f8b15a

          SHA256

          b4de51b9b50c0c02de9218302d4ac8774a925bc5522e0b97041102d6ee623734

          SHA512

          022976d01a37f6cef50ac319fd3b90e8ff19f16d5e1a5fc8c51e9740dd64b3c81a8c95f9c66663a020ac9113792e23ebeaa31563b299e414416c62573e351bfa

        • C:\Users\Admin\AppData\Local\3DDyKG\icardagt.exe

          Filesize

          133KB

          MD5

          fe114118c0989f57765e7579a931dc68

          SHA1

          142e96c7e490ffe22558b8c48dab6294478371e8

          SHA256

          0961b5506a1bbfdf39a887d3a59690b5a0a938a0ba42cdbf6c58f0be560075ca

          SHA512

          fad8cec6b27ac4c13a631d775404cb7109eed180da1aee0719c9e8e819049953f849f8443cd3aef9ac8b2ccef04282221b2c486e1a7ea3d20a595aba5cbc37e6

        • C:\Users\Admin\AppData\Local\3DDyKG\icardagt.exe

          Filesize

          127KB

          MD5

          7c406123a0548a1a9deca7dec9191a01

          SHA1

          eab8d75728cfc08e338a0cfba5f27cb40e1ebd0a

          SHA256

          4ebedd9561540ad1da4141d5eb3e8cec8916722d3d764d172705d63c3d116c30

          SHA512

          8eb727b879f0642468bddcd928016f043efc3664d9ce8da7e466bb0fc040b66374564fc9626c906fbc38b1801f1d73ff3dfb3958082801c3b9f9e3658efc28e1

        • C:\Users\Admin\AppData\Local\UV7ipgUQa\SoundRecorder.exe

          Filesize

          8KB

          MD5

          5c28dff02d93e6bc5b146ea5a197b68c

          SHA1

          9c3865393a3dd930315267bf2ae56f46a4cbb157

          SHA256

          24b89dce76f8e0b4e918a158d31d537a78aa2f0cb56dab89f62f6613dfb01ec4

          SHA512

          9761b0a6842be3f5686fc00cfd7075f2c3778480ccf20a343716914a9975d60d05fb687e36cf0d5ffe76411095f30920ed5b6e4b3f04087a2568dea5a76e4354

        • C:\Users\Admin\AppData\Local\UV7ipgUQa\SoundRecorder.exe

          Filesize

          102KB

          MD5

          0c1fb28a0de7cd99f98b6a4bd7a8069a

          SHA1

          5962ae20a002514fd5450e57e7e159e322b180bd

          SHA256

          04552d919ba006a39b9620fea2d4f88c2ae2facaf59473bd86b487f74d75d05a

          SHA512

          d7a45c347a50558e998cc8429572ac81e1d3a8bd9b5863880a13a7cb93d066251bb803120ab950b77dffcb1268ca03e49e890fe7e3f9ea4669b8f77dd3a23a3c

        • C:\Users\Admin\AppData\Local\UV7ipgUQa\WINMM.dll

          Filesize

          not reported; the digests below are the well-known hashes of an empty (zero-byte) file

          MD5

          d41d8cd98f00b204e9800998ecf8427e

          SHA1

          da39a3ee5e6b4b0d3255bfef95601890afd80709

          SHA256

          e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

          SHA512

          cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

        • C:\Users\Admin\AppData\Local\rWeeZxI\SndVol.exe

          Filesize

          111KB

          MD5

          d484e0302f0400a7586e52213d6f8db3

          SHA1

          a1ea3f124fe8abedac7debd7ed4a98bcea705d0b

          SHA256

          85b05a7497d53e64a726fec91507ebf9cbdc115f14d227f427e4fbb460e1f278

          SHA512

          90d89c186d345a9f7c298beb5d7711c87de0b199a7bfcfcef11653996613d5e83e3da632be97fe82d154b973617f1fb67ec2a51a331699c9b71e7dc408a83bd7

        • C:\Users\Admin\AppData\Local\rWeeZxI\SndVol.exe

          Filesize

          14KB

          MD5

          02b0c6f460c13666e88d39ed6cfd9d96

          SHA1

          c0759fce22f1ac862ffc92d1e79ee8bb0f3cb3d8

          SHA256

          45c61cadd1c6fea3baa517252ec2f59b117297ec137f8512de556daa23b951dc

          SHA512

          6678bcc7c7c48c34e08634a34ff90ee27ce900f62536b10f003df61e7fa8e60f57072b77c616df5493512380e49f971c8bd216277e3818d775b7ac3d0138c4e4

        • C:\Users\Admin\AppData\Local\rWeeZxI\dwmapi.dll

          Filesize

          63KB

          MD5

          f2e8483e992b9ed7b36728e4b28c4443

          SHA1

          e41b5cf157321e8e353b1c00ba4338d5cbe09bc3

          SHA256

          b53c9ba382fa2c5b57cef936c56e850c9cd7e63fca2895b0ea228f83fe4f8ee4

          SHA512

          7ffb77efe875406d563fdcee4d7699a13cf223edc1f925f722310c2997bffbb7e4165ba9b531270b27981804ba3c6b3da9b048b8847f2e5a08f955d1bcfd702a

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Hbeids.lnk

          Filesize

          1KB

          MD5

          4673d1947bbba2167a37796b87fee55b

          SHA1

          3136284bdf9c89e81da615c1cb694f1022a9ce63

          SHA256

          eff00e101c44f46905ef0d8b14752e3ca5b92e097f1a80888baae63e2d71d4c9

          SHA512

          38edcbd86f9d125c0ddec39fa9d7f2496baee679787dd329e810f8f0c88c0ab011384c34c89e0ae164186b6a3ebd44423dbf0e17d3ba8441b279172b5d9a37cc

        • C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\4CgMM58Jp\WINMM.dll

          Filesize

          1.5MB

          MD5

          1afb2c18f96da77eab89b0afb55efe8f

          SHA1

          41426bd74a7761df70d7d6ab059053b9acc4f0ee

          SHA256

          7b98d9dba6bec66e7d824dcc36ef066a0d2a56935dd1cf10f8ae51313fcffaf5

          SHA512

          f121901ac0220a06ca3a5cd75f14b789430d3499a043e72f3d92407e73968e9272b68c8118a4f469624bc589af815880a3102e4cf801b3d68b39bf7bb34c832e

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\DNTException\Low\qhxe\dwmapi.dll

          Filesize

          1.4MB

          MD5

          a519b5a7222eaf471b817f175795fb03

          SHA1

          28e81f8d2e45d954f2e943ed680f2b24d17006c8

          SHA256

          ca115d18ea55f4aa1c64b80b2aab183b910e1c60607157270d74213caddc965c

          SHA512

          b8114e5e691307fa13d106605da23dbf85ef8869bf9986691d679907ac1d60039ef1c9632e8ebcf606d4994fdf9cee4cf5ebffb076e5c9bc97fb7ecc9d24ee7d

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\iugqAeiOmi\VERSION.dll

          Filesize

          1.5MB

          MD5

          f016b71a7449a608d99362bd557a2520

          SHA1

          88c703b7f3f86c428008c3224b39e3e19f75ff83

          SHA256

          ed6938c029332ea842066b1f1c7b1210258636345d99173f556496468b6ee589

          SHA512

          5515b74e64be382b980523d586aca44e6ffcb0afd35ffe384463b9ac62dd13790dc2ba6ad2497ee881356bd60df0ec3a2d2145d74f6c942f3abcb0f6cd32d937

        • \Users\Admin\AppData\Local\3DDyKG\VERSION.dll

          Filesize

          116KB

          MD5

          2255f7b54f4983e50206f2948283a2bf

          SHA1

          2578e15b2cdf973a00289e4d7d3b8468c0829160

          SHA256

          d784f35948f3e05955708a56e47ab36c00e7960d1ab34e957e8fab7439bbba3a

          SHA512

          84c938e76879e19c219da349f9e97d843a167ffa103207596c723b28515f8795a96993036d03f298fbf26adae0a1158e139667542a15c14bb04bd3d2a3b703da

        • \Users\Admin\AppData\Local\3DDyKG\icardagt.exe

          Filesize

          60KB

          MD5

          4d0d61ac2062f6264a91868b20ba87db

          SHA1

          ec59d4b33e63c8615ee30faf4c91e2b12eff08e0

          SHA256

          dafabb3f979b4c4b5bafd9d64e8514bdd2cacf67b0fece899d55ac6cf96e2f25

          SHA512

          5b48462d31c3c0de3b0432afc218ea6f91d22b609ffa8f0f480dc2f22486e64ad26a1030f2065cd8b262635e78bfcdb16bba08303f7391d051e56021727b02f3

        • \Users\Admin\AppData\Local\UV7ipgUQa\SoundRecorder.exe

          Filesize

          139KB

          MD5

          47f0f526ad4982806c54b845b3289de1

          SHA1

          8420ea488a2e187fe1b7fcfb53040d10d5497236

          SHA256

          e81b11fe30b16fa4e3f08810513c245248adce8566355a8f2a19c63b1143ff5b

          SHA512

          4c9a1aa5ed55087538c91a77d7420932263b69e59dc57b1db738e59624265b734bf29e2b6ed8d0adb2e0dec5763bfbf86876fd7d1139c21e829001c7868d515d

        • \Users\Admin\AppData\Local\UV7ipgUQa\WINMM.dll

          Filesize

          44KB

          MD5

          246ef2064ce46caec8a8794077ca9490

          SHA1

          e8faf5c9d43dc801d07548d3a9338f766fb7e0d8

          SHA256

          0699ce390b7e03519421e14b08ae0409618153088d53bb3cbdeadfd2ec13a276

          SHA512

          db1951956212aa1d5086df997f3a6a9837c8da7ce001cbb8ea559c35c9c21ea39c70454b891ded5ec0fd2da6617295bc126dd214de4d520f1f507f85305f538c

        • \Users\Admin\AppData\Local\rWeeZxI\SndVol.exe

          Filesize

          127KB

          MD5

          e137c6bff3af6bdfa68e0d3aa2ee15b2

          SHA1

          84895c64a8df0c786a5526c7a5da77702bbf7d30

          SHA256

          bed1175c90e4a8fdcd5e7a4902abacca555380a238092abdbd1d23ddf50360d0

          SHA512

          16ee7fb5a2c86ae75380d347f1813cf86a680581f844ffc347fc15ade5c055d7684062e255707494617b54cd40fea7e32999771721d67376269e04dc69ab4d4c

        • \Users\Admin\AppData\Local\rWeeZxI\dwmapi.dll

          Filesize

          34KB

          MD5

          9793e6e55caf039e648a1708bbd509c1

          SHA1

          2111e34a18f785a9786e2a36bcb49d2cbb10c87d

          SHA256

          9aa57ecda8f9324ba13fc32e7fd7e65830014bbad45f82ec6143cfc05118bb77

          SHA512

          adac8a986a3673c9530369c4788d7c224eaba8e4325223299670f51a927229ad4ab365550ce96a52a08bf9e75f34d3d4e8df187a98cbe05653bf254ebf246507

        • \Users\Admin\AppData\Roaming\Microsoft\Windows\DNTException\Low\qhxe\SndVol.exe

          Filesize

          65KB

          MD5

          9c1e4218600731194bb2dc94b3b371e2

          SHA1

          8a7d6b87d0002338916f07d22ee96d01b97be20d

          SHA256

          e9d7d229d5cb548d3b5a18c666b7c724f737a2a828c19b631d8a7fe770f9d153

          SHA512

          c145e8d432674729b0005210d5b2abca96c7cd036b382112d4a39b416f4d11de5973eb3bc12ad20d1af7e80a2ac3681df419e0f5d283e6fa1c6415341af2d664

        • memory/268-133-0x0000000000180000-0x0000000000187000-memory.dmp

          Filesize

          28KB

        • memory/1196-26-0x0000000140000000-0x0000000140183000-memory.dmp

          Filesize

          1.5MB

        • memory/1196-55-0x0000000140000000-0x0000000140183000-memory.dmp

          Filesize

          1.5MB

        • memory/1196-25-0x0000000140000000-0x0000000140183000-memory.dmp

          Filesize

          1.5MB

        • memory/1196-34-0x0000000140000000-0x0000000140183000-memory.dmp

          Filesize

          1.5MB

        • memory/1196-35-0x0000000140000000-0x0000000140183000-memory.dmp

          Filesize

          1.5MB

        • memory/1196-33-0x0000000140000000-0x0000000140183000-memory.dmp

          Filesize

          1.5MB

        • memory/1196-32-0x0000000140000000-0x0000000140183000-memory.dmp

          Filesize

          1.5MB

        • memory/1196-24-0x0000000140000000-0x0000000140183000-memory.dmp

          Filesize

          1.5MB

        • memory/1196-23-0x0000000140000000-0x0000000140183000-memory.dmp

          Filesize

          1.5MB

        • memory/1196-22-0x0000000140000000-0x0000000140183000-memory.dmp

          Filesize

          1.5MB

        • memory/1196-21-0x0000000140000000-0x0000000140183000-memory.dmp

          Filesize

          1.5MB

        • memory/1196-20-0x0000000140000000-0x0000000140183000-memory.dmp

          Filesize

          1.5MB

        • memory/1196-36-0x0000000140000000-0x0000000140183000-memory.dmp

          Filesize

          1.5MB

        • memory/1196-38-0x0000000140000000-0x0000000140183000-memory.dmp

          Filesize

          1.5MB

        • memory/1196-37-0x0000000140000000-0x0000000140183000-memory.dmp

          Filesize

          1.5MB

        • memory/1196-43-0x0000000140000000-0x0000000140183000-memory.dmp

          Filesize

          1.5MB

        • memory/1196-46-0x0000000140000000-0x0000000140183000-memory.dmp

          Filesize

          1.5MB

        • memory/1196-45-0x0000000140000000-0x0000000140183000-memory.dmp

          Filesize

          1.5MB

        • memory/1196-44-0x0000000140000000-0x0000000140183000-memory.dmp

          Filesize

          1.5MB

        • memory/1196-42-0x0000000140000000-0x0000000140183000-memory.dmp

          Filesize

          1.5MB

        • memory/1196-41-0x0000000140000000-0x0000000140183000-memory.dmp

          Filesize

          1.5MB

        • memory/1196-40-0x0000000140000000-0x0000000140183000-memory.dmp

          Filesize

          1.5MB

        • memory/1196-39-0x0000000140000000-0x0000000140183000-memory.dmp

          Filesize

          1.5MB

        • memory/1196-47-0x00000000027F0000-0x00000000027F7000-memory.dmp

          Filesize

          28KB

        • memory/1196-48-0x0000000140000000-0x0000000140183000-memory.dmp

          Filesize

          1.5MB

        • memory/1196-59-0x0000000077480000-0x0000000077482000-memory.dmp

          Filesize

          8KB

        • memory/1196-56-0x0000000077321000-0x0000000077322000-memory.dmp

          Filesize

          4KB

        • memory/1196-28-0x0000000140000000-0x0000000140183000-memory.dmp

          Filesize

          1.5MB

        • memory/1196-66-0x0000000140000000-0x0000000140183000-memory.dmp

          Filesize

          1.5MB

        • memory/1196-72-0x0000000140000000-0x0000000140183000-memory.dmp

          Filesize

          1.5MB

        • memory/1196-29-0x0000000140000000-0x0000000140183000-memory.dmp

          Filesize

          1.5MB

        • memory/1196-30-0x0000000140000000-0x0000000140183000-memory.dmp

          Filesize

          1.5MB

        • memory/1196-4-0x0000000077216000-0x0000000077217000-memory.dmp

          Filesize

          4KB

        • memory/1196-31-0x0000000140000000-0x0000000140183000-memory.dmp

          Filesize

          1.5MB

        • memory/1196-5-0x0000000002A10000-0x0000000002A11000-memory.dmp

          Filesize

          4KB

        • memory/1196-27-0x0000000140000000-0x0000000140183000-memory.dmp

          Filesize

          1.5MB

        • memory/1196-17-0x0000000140000000-0x0000000140183000-memory.dmp

          Filesize

          1.5MB

        • memory/1196-19-0x0000000140000000-0x0000000140183000-memory.dmp

          Filesize

          1.5MB

        • memory/1196-18-0x0000000140000000-0x0000000140183000-memory.dmp

          Filesize

          1.5MB

        • memory/1196-9-0x0000000140000000-0x0000000140183000-memory.dmp

          Filesize

          1.5MB

        • memory/1196-11-0x0000000140000000-0x0000000140183000-memory.dmp

          Filesize

          1.5MB

        • memory/1196-16-0x0000000140000000-0x0000000140183000-memory.dmp

          Filesize

          1.5MB

        • memory/1196-12-0x0000000140000000-0x0000000140183000-memory.dmp

          Filesize

          1.5MB

        • memory/1196-15-0x0000000140000000-0x0000000140183000-memory.dmp

          Filesize

          1.5MB

        • memory/1196-14-0x0000000140000000-0x0000000140183000-memory.dmp

          Filesize

          1.5MB

        • memory/1196-13-0x0000000140000000-0x0000000140183000-memory.dmp

          Filesize

          1.5MB

        • memory/1196-10-0x0000000140000000-0x0000000140183000-memory.dmp

          Filesize

          1.5MB

        • memory/1196-153-0x0000000077216000-0x0000000077217000-memory.dmp

          Filesize

          4KB

        • memory/1196-7-0x0000000140000000-0x0000000140183000-memory.dmp

          Filesize

          1.5MB

        • memory/1452-108-0x0000000000090000-0x0000000000097000-memory.dmp

          Filesize

          28KB

        • memory/1988-84-0x0000000000220000-0x0000000000227000-memory.dmp

          Filesize

          28KB

        • memory/3044-8-0x0000000140000000-0x0000000140183000-memory.dmp

          Filesize

          1.5MB

        • memory/3044-1-0x0000000140000000-0x0000000140183000-memory.dmp

          Filesize

          1.5MB

        • memory/3044-0-0x00000000001A0000-0x00000000001A7000-memory.dmp

          Filesize

          28KB