Analysis

  • max time kernel
    117s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    25-12-2023 18:39

General

  • Target

    3526a594f157e00abe6d9baf2c84e361.dll

  • Size

    652KB

  • MD5

    3526a594f157e00abe6d9baf2c84e361

  • SHA1

    08c79f37fa9c70dcae933bb77d8711ce083ea91c

  • SHA256

    8ee1f2fa3582a791cdfc6bae5a3282b82ac28ab60683d968041a4f39584e4d57

  • SHA512

    76b4432bb65d66d1725d7901973afe973e7a5120686b2dce8d4482eb9b97ab829cede0faf1839de61901203e2fc8ec9cc7fbbc050c2d60f9504db94fa8963158

  • SSDEEP

    12288:gKYQ5LL540CV3UIeLPrleV1F0e8gMA/9L0l3HATpKR4:ZYQ5p4f0POF0nkls3opKR

Malware Config

Signatures

  • Dridex

    Dridex (known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\3526a594f157e00abe6d9baf2c84e361.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:780
  • C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\okXs.cmd
    1⤵
      PID:1832
    • C:\Windows\system32\Dxpserver.exe
      C:\Windows\system32\Dxpserver.exe
      1⤵
        PID:1760
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\qjdS.cmd
        1⤵
        • Drops file in System32 directory
        PID:2132
      • C:\Windows\system32\schtasks.exe
        "C:\Windows\system32\schtasks.exe" /Create /F /TN "Mppxofurfby" /TR "C:\Windows\system32\7QG8\lpksetup.exe" /SC minute /MO 60 /RL highest
        1⤵
        • Creates scheduled task(s)
        PID:2880
      • C:\Windows\system32\lpksetup.exe
        C:\Windows\system32\lpksetup.exe
        1⤵
          PID:2148
        • C:\Windows\system32\schtasks.exe
          C:\Windows\system32\schtasks.exe /Query /TN "Mppxofurfby"
          1⤵
            PID:2816
          • C:\Windows\system32\schtasks.exe
            C:\Windows\system32\schtasks.exe /Query /TN "Mppxofurfby"
            1⤵
              PID:1700
            • C:\Windows\system32\schtasks.exe
              C:\Windows\system32\schtasks.exe /Query /TN "Mppxofurfby"
              1⤵
                PID:2400
              • C:\Windows\system32\schtasks.exe
                C:\Windows\system32\schtasks.exe /Query /TN "Mppxofurfby"
                1⤵
                  PID:328
                • C:\Windows\system32\schtasks.exe
                  C:\Windows\system32\schtasks.exe /Query /TN "Mppxofurfby"
                  1⤵
                    PID:1940
                  • C:\Windows\system32\schtasks.exe
                    C:\Windows\system32\schtasks.exe /Query /TN "Mppxofurfby"
                    1⤵
                      PID:2044

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\okXs.cmd
    Filesize 231B
    MD5 472f38b504a240d744ec16dc0c052ec9
    SHA1 2144bd911591df1e53fcbe6f8611ac13b7b1baef
    SHA256 5845f910b51a62db0d9a073763c28558c868c348b841d7f460ca23755890dc2c
    SHA512 7ad69a33668dec93fc6a98daab4c69065d7dea83d9a1e6f56064ac93de1bffac39d91c12a314cf66e4ce3085db14f963aa0cf0cd428711c537dc40529fe2504a

  • C:\Users\Admin\AppData\Local\Temp\uwE3C55.tmp
    MD5 d41d8cd98f00b204e9800998ecf8427e
    SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
    SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
    SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

  • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Groztcac.lnk
    Filesize 798B
    MD5 c5b20ee47f6ced44a54711c5723bfcf8
    SHA1 2b444df11fa9b084a2c3a20ff2e89517614394e1
    SHA256 5e5da1a12b54afceaa6221be22df49ff084728fb9197ef794df54f2464caac07
    SHA512 725d88bee73fb2f9b94ae3ea5c5f07a1ec5eefd973caf50e63d56dbbf61c17e74b6b1d280257deea284ca9493f89eca3f213830a7bb5337136ab2921a9345bcf

  • \Users\Admin\AppData\Roaming\COiTo\Dxpserver.exe
    Filesize 259KB
    MD5 4d38389fb92e43c77a524fd96dbafd21
    SHA1 08014e52f6894cad4f1d1e6fc1a703732e9acd19
    SHA256 070bc95c486c15d2edc3548ba416dc9565ead401cb03a0472f719fb55ac94e73
    SHA512 02d8d130cff2b8de15139d309e1cd74a2148bb786fd749e5f22775d45e193b0f75adf40274375cabce33576480ff20456f25172d29a034cd134b8084d40a67ba

  • memory/780-1-0x0000000001D70000-0x0000000001D77000-memory.dmp
    Filesize 28KB

  • memory/780-0-0x000007FEF64C0000-0x000007FEF6563000-memory.dmp
    Filesize 652KB

  • memory/780-7-0x000007FEF64C0000-0x000007FEF6563000-memory.dmp
    Filesize 652KB

  • memory/1380-18-0x0000000140000000-0x00000001400A3000-memory.dmp
    Filesize 652KB

  • memory/1380-14-0x0000000140000000-0x00000001400A3000-memory.dmp
    Filesize 652KB

  • memory/1380-47-0x0000000140000000-0x00000001400A3000-memory.dmp
    Filesize 652KB

  • memory/1380-30-0x0000000003E10000-0x0000000003E17000-memory.dmp
    Filesize 28KB

  • memory/1380-23-0x0000000140000000-0x00000001400A3000-memory.dmp
    Filesize 652KB

  • memory/1380-22-0x0000000140000000-0x00000001400A3000-memory.dmp
    Filesize 652KB

  • memory/1380-21-0x0000000140000000-0x00000001400A3000-memory.dmp
    Filesize 652KB

  • memory/1380-20-0x0000000140000000-0x00000001400A3000-memory.dmp
    Filesize 652KB

  • memory/1380-19-0x0000000140000000-0x00000001400A3000-memory.dmp
    Filesize 652KB

  • memory/1380-42-0x0000000140000000-0x00000001400A3000-memory.dmp
    Filesize 652KB

  • memory/1380-17-0x0000000140000000-0x00000001400A3000-memory.dmp
    Filesize 652KB

  • memory/1380-16-0x0000000140000000-0x00000001400A3000-memory.dmp
    Filesize 652KB

  • memory/1380-15-0x0000000140000000-0x00000001400A3000-memory.dmp
    Filesize 652KB

  • memory/1380-32-0x0000000076DB1000-0x0000000076DB2000-memory.dmp
    Filesize 4KB

  • memory/1380-13-0x0000000140000000-0x00000001400A3000-memory.dmp
    Filesize 652KB

  • memory/1380-12-0x0000000140000000-0x00000001400A3000-memory.dmp
    Filesize 652KB

  • memory/1380-10-0x0000000140000000-0x00000001400A3000-memory.dmp
    Filesize 652KB

  • memory/1380-9-0x0000000140000000-0x00000001400A3000-memory.dmp
    Filesize 652KB

  • memory/1380-8-0x0000000140000000-0x00000001400A3000-memory.dmp
    Filesize 652KB

  • memory/1380-33-0x0000000076F10000-0x0000000076F12000-memory.dmp
    Filesize 8KB

  • memory/1380-6-0x0000000140000000-0x00000001400A3000-memory.dmp
    Filesize 652KB

  • memory/1380-4-0x0000000003E30000-0x0000000003E31000-memory.dmp
    Filesize 4KB

  • memory/1380-31-0x0000000140000000-0x00000001400A3000-memory.dmp
    Filesize 652KB

  • memory/1380-24-0x0000000140000000-0x00000001400A3000-memory.dmp
    Filesize 652KB

  • memory/1380-59-0x0000000076BA6000-0x0000000076BA7000-memory.dmp
    Filesize 4KB

  • memory/1380-11-0x0000000140000000-0x00000001400A3000-memory.dmp
    Filesize 652KB

  • memory/1380-3-0x0000000076BA6000-0x0000000076BA7000-memory.dmp
    Filesize 4KB