Analysis

  • max time kernel
    150s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    24-12-2023 20:15

General

  • Target

    103bce51e2fb20c197343aaf2d602bad.dll

  • Size

    656KB

  • MD5

    103bce51e2fb20c197343aaf2d602bad

  • SHA1

    3df0dcccbce4abeb9639358e234e30055f569a7a

  • SHA256

    b95c5ad1c557db07298ed44764a8ba2b022c508ccef0f1a4ff87bf813e3e2463

  • SHA512

    31240770fd9725ba0d28450f245f28d4a1eb751067aa0252bb5c35e31ff9c8bdf406dbf2d2715d78fb8508fbfc3808a0f04ab59c195763e2b12b267ba924be6b

  • SSDEEP

    12288:cKYQ5LL540CV3UIeLPrleV1F0e8gMA/9L0l3HATpKR4:dYQ5p4f0POF0nkls3opKR

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\103bce51e2fb20c197343aaf2d602bad.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2552
  • C:\Windows\system32\irftp.exe
    C:\Windows\system32\irftp.exe
    1⤵
      PID:2892
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\kf6DDxh.cmd
      1⤵
        PID:2572
      • C:\Windows\system32\SystemPropertiesComputerName.exe
        C:\Windows\system32\SystemPropertiesComputerName.exe
        1⤵
          PID:1780
        • C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\DaYQDk.cmd
          1⤵
          • Drops file in System32 directory
          PID:2948
        • C:\Windows\system32\schtasks.exe
          "C:\Windows\system32\schtasks.exe" /Create /F /TN "Ojgiqrnnmvt" /TR "C:\Windows\system32\ecr7WC\SystemPropertiesComputerName.exe" /SC minute /MO 60 /RL highest
          1⤵
          • Creates scheduled task(s)
          PID:2988
        • C:\Windows\system32\schtasks.exe
          C:\Windows\system32\schtasks.exe /Query /TN "Ojgiqrnnmvt"
          1⤵
            PID:2876
          • C:\Windows\system32\schtasks.exe
            C:\Windows\system32\schtasks.exe /Query /TN "Ojgiqrnnmvt"
            1⤵
              PID:1472
            • C:\Windows\system32\schtasks.exe
              C:\Windows\system32\schtasks.exe /Query /TN "Ojgiqrnnmvt"
              1⤵
                PID:1680
              • C:\Windows\system32\schtasks.exe
                C:\Windows\system32\schtasks.exe /Query /TN "Ojgiqrnnmvt"
                1⤵
                  PID:2244
                • C:\Windows\system32\schtasks.exe
                  C:\Windows\system32\schtasks.exe /Query /TN "Ojgiqrnnmvt"
                  1⤵
                    PID:2452
                  • C:\Windows\system32\schtasks.exe
                    C:\Windows\system32\schtasks.exe /Query /TN "Ojgiqrnnmvt"
                    1⤵
                      PID:2052

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\DaYQDk.cmd

    Filesize

    219B

    MD5

    8f65102679a797e1d6cf1331df48cdb5

    SHA1

    a2d86564d6a853c2f350c25ec613e67c836bd55a

    SHA256

    05538498de3bb028dff952c8b7d0095b91316a221db7cc7e4f28ae77b1ad4a01

    SHA512

    76fe0381251775d510fb55885a953e2ca5942f99c39b0436fefdd2409759822678407fcff4021dac1ceb5641b9fc785ad58f71065b6795c3de61a5ff86733bed

  • C:\Users\Admin\AppData\Local\Temp\X0s7EA2.tmp

    Filesize

    252KB

    MD5

    8fc395aa31a9c420a791f9c4f298b3f3

    SHA1

    d1f0bd62c3b94b4ec36de6114e6e12c262195800

    SHA256

    8a0150b7265fe0aeb386cb646a81a0c3df3ba8c1e8489fcbb1f47f04770887de

    SHA512

    d42712eac209edd664533f3d54f093db1f86bf93acb3ad3368b9855d116848efecf754e40f7363e02cabc7d005db21669d778b73e55ed1b88eb5f6c172930246

  • C:\Users\Admin\AppData\Local\Temp\gAMA6CB.tmp

    Filesize

    660KB

    MD5

    3120d790c2bc14f86f79328a6f9ad7bf

    SHA1

    b6e7c3b639d3e3adf321f195b36534368d48dc50

    SHA256

    81a06da30f6926ffa8e5ba03b85ee4fbb380c64b3bc4f45bd63095950ba50de2

    SHA512

    96a8e26a5a09e866f813fbcba9cb5736ea268d486ccd7c2992bf762b050de4b46e85f18fe8af27c48dcfb0c35e5ec0cf5c274d7bf6d4225deeb47ac314e8f19b

  • C:\Users\Admin\AppData\Local\Temp\kf6DDxh.cmd

    Filesize

    226B

    MD5

    cd3baf9942fe93ad163fd0df3781a26f

    SHA1

    fcdcc345457638ff7033b4a401888bd656f85879

    SHA256

    cd0fb084e88d02dc0636be4269d1649b2c8358849d85d3486d54fcaa885e1d27

    SHA512

    289e9701db962fea25ff25536cfcfd1091c277a976c3681b0209e4f5b9a2e9d6ff6115aeeeba778a09b037887aedad8582a58528a48fc1453aa83f1e25b662fd

  • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Xkgbzoakajt.lnk

    Filesize

    774B

    MD5

    c0fe02a7a110db9fbb4946e37666a96f

    SHA1

    da91c7da5f809541e489b2d9dd79a6842e0a0878

    SHA256

    0c469d02dee9d7bf65ace0c763cb0053ce55cdd619ae490ffc59a14ec1eb2e70

    SHA512

    92c79e6845388cb9a1db225ee62188a04ae4d83c0a6c973c6c129078581ad94514e0a5f364b6f7107670efafb1968cef442ff7fcdc57f7fbf194a5675ca79442

  • C:\Users\Admin\AppData\Roaming\i5vkk\irftp.exe

    Filesize

    124KB

    MD5

    b391898b1e6148ebed70b06d1d9c23c6

    SHA1

    259fba7c9af61f10634d760d7cf016c8028af981

    SHA256

    216f090a96cb080deffeca03acc3658745fef452b8997af2e375baae7c41aef4

    SHA512

    e6996956f47ad03135db5f4cef0e921f6e492c2b815d12fafb50b2659f18b15921d0b046405c671a462803fe869b28118f541fff1bd5f31e26adc2a6c473ac81

  • \Users\Admin\AppData\Roaming\i5vkk\irftp.exe

    Filesize

    155KB

    MD5

    44401cb131a4a863e32b51d5ed9517d8

    SHA1

    efa3b47571e6c8ec81f4661ce6287b1e2039c95b

    SHA256

    35c1b56d28b799e11c8b6dfe6ab1be0c6ac2e430a889610b4bafe9cac9a6c87b

    SHA512

    bf7ed126f48c1925bda0b631fc3284c20a08227215d829eca10649dc9d478ce2c2ae834b7e3cbb1f5f9a168913c67161d698f59e5fb6e915d4181002f26dd79f

  • memory/1228-33-0x0000000077291000-0x0000000077292000-memory.dmp

    Filesize

    4KB

  • memory/1228-11-0x0000000140000000-0x00000001400A4000-memory.dmp

    Filesize

    656KB

  • memory/1228-20-0x0000000140000000-0x00000001400A4000-memory.dmp

    Filesize

    656KB

  • memory/1228-21-0x0000000140000000-0x00000001400A4000-memory.dmp

    Filesize

    656KB

  • memory/1228-19-0x0000000140000000-0x00000001400A4000-memory.dmp

    Filesize

    656KB

  • memory/1228-23-0x0000000140000000-0x00000001400A4000-memory.dmp

    Filesize

    656KB

  • memory/1228-26-0x0000000140000000-0x00000001400A4000-memory.dmp

    Filesize

    656KB

  • memory/1228-25-0x00000000029D0000-0x00000000029D7000-memory.dmp

    Filesize

    28KB

  • memory/1228-24-0x0000000140000000-0x00000001400A4000-memory.dmp

    Filesize

    656KB

  • memory/1228-22-0x0000000140000000-0x00000001400A4000-memory.dmp

    Filesize

    656KB

  • memory/1228-32-0x0000000140000000-0x00000001400A4000-memory.dmp

    Filesize

    656KB

  • memory/1228-3-0x0000000077086000-0x0000000077087000-memory.dmp

    Filesize

    4KB

  • memory/1228-34-0x00000000773F0000-0x00000000773F2000-memory.dmp

    Filesize

    8KB

  • memory/1228-18-0x0000000140000000-0x00000001400A4000-memory.dmp

    Filesize

    656KB

  • memory/1228-12-0x0000000140000000-0x00000001400A4000-memory.dmp

    Filesize

    656KB

  • memory/1228-17-0x0000000140000000-0x00000001400A4000-memory.dmp

    Filesize

    656KB

  • memory/1228-10-0x0000000140000000-0x00000001400A4000-memory.dmp

    Filesize

    656KB

  • memory/1228-9-0x0000000140000000-0x00000001400A4000-memory.dmp

    Filesize

    656KB

  • memory/1228-8-0x0000000140000000-0x00000001400A4000-memory.dmp

    Filesize

    656KB

  • memory/1228-43-0x0000000140000000-0x00000001400A4000-memory.dmp

    Filesize

    656KB

  • memory/1228-4-0x00000000029F0000-0x00000000029F1000-memory.dmp

    Filesize

    4KB

  • memory/1228-48-0x0000000140000000-0x00000001400A4000-memory.dmp

    Filesize

    656KB

  • memory/1228-6-0x0000000140000000-0x00000001400A4000-memory.dmp

    Filesize

    656KB

  • memory/1228-15-0x0000000140000000-0x00000001400A4000-memory.dmp

    Filesize

    656KB

  • memory/1228-16-0x0000000140000000-0x00000001400A4000-memory.dmp

    Filesize

    656KB

  • memory/1228-60-0x0000000077086000-0x0000000077087000-memory.dmp

    Filesize

    4KB

  • memory/1228-13-0x0000000140000000-0x00000001400A4000-memory.dmp

    Filesize

    656KB

  • memory/1228-14-0x0000000140000000-0x00000001400A4000-memory.dmp

    Filesize

    656KB

  • memory/2552-7-0x000007FEF6980000-0x000007FEF6A24000-memory.dmp

    Filesize

    656KB

  • memory/2552-0-0x000007FEF6980000-0x000007FEF6A24000-memory.dmp

    Filesize

    656KB

  • memory/2552-1-0x0000000000110000-0x0000000000117000-memory.dmp

    Filesize

    28KB