Analysis

  • max time kernel
    152s
  • max time network
    41s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    25-12-2023 18:58

General

  • Target

    362efdb462f7563b069081e0de821389.dll

  • Size

    696KB

  • MD5

    362efdb462f7563b069081e0de821389

  • SHA1

    3d2f676e15b6d677c2e77edd2b5d4aae009423de

  • SHA256

    36cce483a655202788e541b658a2c9afe18d4b1868199231874dd1c10fb8962c

  • SHA512

    4afa497167ff9b93001d04052f4757e0376c6fd088a1d531691132ca53581bf0f0cb4047b942abafafb3c06e110eee9e02f4ffb50d28795ff7d3bd2e8fbe0362

  • SSDEEP

    12288:MEwgKnIhABTW0HcD5a1PKxdZhC+k+V9Hgeb/tf/B9P632vHAA:MEwXnOAx5HcDM1Sxd3ChCHg2/P9yGo

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a banking trojan that specializes in stealing online-banking credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex payload shellcode injected into the Explorer process.

  • Dridex payload 10 IoCs

    Detects Dridex x64 core DLL in memory.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 8 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\362efdb462f7563b069081e0de821389.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2976
  • C:\Windows\system32\DevicePairingWizard.exe
    C:\Windows\system32\DevicePairingWizard.exe
    1⤵
    PID:1500
  • C:\Users\Admin\AppData\Local\iwfkVgNb3\DevicePairingWizard.exe
    C:\Users\Admin\AppData\Local\iwfkVgNb3\DevicePairingWizard.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:2884
  • C:\Users\Admin\AppData\Local\RFFvRDXM\isoburn.exe
    C:\Users\Admin\AppData\Local\RFFvRDXM\isoburn.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:2912
  • C:\Windows\system32\isoburn.exe
    C:\Windows\system32\isoburn.exe
    1⤵
    PID:1052
  • C:\Users\Admin\AppData\Local\L3G\wermgr.exe
    C:\Users\Admin\AppData\Local\L3G\wermgr.exe
    1⤵
    • Executes dropped EXE
    PID:1808
  • C:\Windows\system32\wermgr.exe
    C:\Windows\system32\wermgr.exe
    1⤵
    PID:1268
  • C:\Windows\system32\icardagt.exe
    C:\Windows\system32\icardagt.exe
    1⤵
    PID:2504
  • C:\Users\Admin\AppData\Local\FkR\icardagt.exe
    C:\Users\Admin\AppData\Local\FkR\icardagt.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:2496

Network

MITRE ATT&CK Enterprise v15

Downloads

          • C:\Users\Admin\AppData\Local\FkR\UxTheme.dll

            Filesize

            125KB

            MD5

            dbd9bcfc5e1723ec725bd87b42786c4f

            SHA1

            9c39b2806668741dad49354f8b6739711c7ef964

            SHA256

            004b888330a9893a0312daa49487f77e0e12ce2aed604a8f65595550ca68118d

            SHA512

            5d2299487870262c7c247de26b4fbb2c83878d95925fb6334a017c0718354df6a43c36295c6d8b2d432dde93012e2d8edde675eb8cb28b6ad7c7f6122f42be3d

          • C:\Users\Admin\AppData\Local\FkR\icardagt.exe

            Filesize

            31KB

            MD5

            2288d3b6d05f84b40aef932a4848120c

            SHA1

            11260bacdb663fb04e0ec6ef2b2b204778fe7362

            SHA256

            39142fee79a058d4b67357fa00c39385d8a7e59eb235dc285852fbd99b08a030

            SHA512

            721e81d76bb0041397108b654f8fc6fc3c278f65decba37ca4c90c6be1fc73e99f8aebe06e48a3375030fa9f040a2ef828e452fc038896442bd1b940306f42ce

          • C:\Users\Admin\AppData\Local\FkR\icardagt.exe

            Filesize

            86KB

            MD5

            c02f61848cb04603350ed53b69e08b2c

            SHA1

            5a3ed41c57456441023c7b484ae8ae1ed7cff04b

            SHA256

            7271996f23c832f0cd32cfddd376d8a30c3dd62300de9a2f145a2c81c5e0ef91

            SHA512

            23fcfcb349198ce0a9461c0b8fae56b64a30d0a6a7ebd19b168d3351d2d47d2d8337388fb14f43dca2bdf38db16a4f0faff5a4eead1e33703b2e77ad197b3be2

          • C:\Users\Admin\AppData\Local\L3G\wermgr.exe

            Filesize

            49KB

            MD5

            41df7355a5a907e2c1d7804ec028965d

            SHA1

            453263d230c6317eb4a2eb3aceeec1bbcf5e153d

            SHA256

            207bfec939e7c017c4704ba76172ee2c954f485ba593bc1bc8c7666e78251861

            SHA512

            59c9d69d3942543af4f387137226516adec1a4304bd5696c6c1d338f9e5f40d136450907351cce018563df1358e06a792005167f5c08c689df32d809c4cebdcf

          • C:\Users\Admin\AppData\Local\RFFvRDXM\UxTheme.dll

            Filesize

            120KB

            MD5

            bf05c1f0cede1ce92cc2ee3e7b6f0a2f

            SHA1

            e0ef49f41f4212c448e8ddea5e1dfe4ba0ac61d7

            SHA256

            85b770e24a6d75935f7516b0500766518da39cbe2d10e557a955cb8c893851cb

            SHA512

            4f58651d22d69af84ce0674be3bc7f6f47dd3699ebebf4385a349213663a20beffe3a460acc98cc09b6fc56005e1d097fc09c8ce530e55d56fb9c6b56828ad41

          • C:\Users\Admin\AppData\Local\RFFvRDXM\isoburn.exe

            Filesize

            89KB

            MD5

            f8051f06e1c4aa3f2efe4402af5919b1

            SHA1

            bbcf3711501dfb22b04b1a6f356d95a6d5998790

            SHA256

            50dcb4be409f50d26c0fc32dd9cdbf96bff4e19bf624221cb566ebeb3e09ce1a

            SHA512

            5f664d937abe4426ee7e0d8491a395f9ef4ffe7a51dba05b54b7ba27e80c9be37833400911c5878d3dec659f4fa1579ec8ba4cfc485fb2ce24dd37c321006daa

          • C:\Users\Admin\AppData\Local\iwfkVgNb3\DevicePairingWizard.exe

            Filesize

            73KB

            MD5

            9728725678f32e84575e0cd2d2c58e9b

            SHA1

            dd9505d3548f08e5198a8d6ba6bcd60b1da86d5c

            SHA256

            d95d3aa065a657c354244e3d9d4dc62673dc36c1bed60650fade7d128ddab544

            SHA512

            a5d22240450e7b659cba507f9abe7e6d861e9712ca2335ea5ceb69e3557362b00f5d02bf84c3a6fed82a09eda555866dcab43741ad9c6db96e1e302ef2363377

          • C:\Users\Admin\AppData\Local\iwfkVgNb3\MFC42u.dll

            Filesize

            150KB

            MD5

            0c9b13defb490d13937d56de9c2367df

            SHA1

            a11d94638e69cc5a2fcd3f6c7cb61a924027c72b

            SHA256

            8388a07ecbc1c55aab4509a94107616a607948a17bf0c0dcaf6a10563977b6d8

            SHA512

            d7149319a59dac441f8fe846638933d62666232cd0550160f0d0f939b42a86bb7ebbff4dddbbf3bd485e71e39a3bfcce6da478ca686de48c42e906adef0ba606

          • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ekhyqsv.lnk

            Filesize

            1KB

            MD5

            5b70ceeb0d90403f90f3b6ad53899933

            SHA1

            e965c52554411ae62e9d405ae2bf665e01076f25

            SHA256

            c1592880fb41040eb3848f642ec0169803bc31f19259c306dc1c3103b5bea920

            SHA512

            2e34d6ef4a33d2a25032a247f18f0aadbdea489cefd69e552327a5398667f46744e5f3ab4ae7e97c89736cd31bcf780fe2ae0e10c2527813d9861988597dc2b2

          • C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\NT\UxTheme.dll

            Filesize

            44KB

            MD5

            b5dfaacb58e04a624efe333ab5b50a42

            SHA1

            50c21475b111c4bb6135b526bcfc105e4392806a

            SHA256

            f9a9a871a19f7ece776f467053a3cf74c9b0a11118bab50f5b156d46edcd00cb

            SHA512

            50d71c541edeaee1656c8ee6fa651da61149f5dffa872fbb0c2d8361a7d08f18dc2d5cd99d13fd8c21b3ea79e4dc988e6ed0301894291f3158320ecb2b3821f4

          • C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\NT\isoburn.exe

            Filesize

            22KB

            MD5

            33c1a81df7f9cf9556dc66751f9cf3b8

            SHA1

            8046e6da99778f893650f76c1dfeb452a8ae379c

            SHA256

            fdf76764af52efaec55874a8f34653027700008d9136f78be867cfead2b7b4ab

            SHA512

            73933983c0ce595edb5fc292e7b5cff1572f9ff5862a5ee24992b2a362834f85d18f5a738a0e6940cd9979456e49836ead6535b8767f6c4964a0be8b1f057e42

          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\UU\MFC42u.dll

            Filesize

            724KB

            MD5

            da2a5426976e984fc6cef2bf16c2de4d

            SHA1

            b3b1c1ebafa1f54c65ce7b37d2115f5d0fcd4f7a

            SHA256

            700c30076555e5b2ec81bcbda00d6931cc86e4670897566b733f6150de8fb6d7

            SHA512

            4b2cc748a0ba26473719c30f8b321144d35cc04c4e8312f40a6786fef1be9ea0cc6e262c703e249832c55733717dbf2e94e5773231ab90e14c396bdca1db8e2b

          • \Users\Admin\AppData\Local\FkR\UxTheme.dll

            Filesize

            43KB

            MD5

            3f8b567b9ecb1d9c6bd8a980d6262adb

            SHA1

            40b78c32d15112c0044e25095d79ad12c9c4255a

            SHA256

            33bbece7295f1465bdd106b058ffc53f29cb78d6b279fd40811bf91f6f84e6dd

            SHA512

            b5939b4c8bc80ce99ea707c8c2c1e739fead7977ceba63b1237171ab5c1703ba703be65b92bbb92db4909abfd54219cac6a334092bde9422367e7d0c41df5fbf

          • \Users\Admin\AppData\Local\FkR\icardagt.exe

            Filesize

            100KB

            MD5

            a3930bc881089abb2df025abfeac46fa

            SHA1

            d4488e5b9db6b0d294dcbe5f1601535d4593768a

            SHA256

            7982639ca04b46befc2ff1d4a19830b33bc198ef49e04d2f041609bc55168b5f

            SHA512

            e1fa2a5e8fe937b4233c334f682e916e2bf960bdde6372dce8d57928368e9355a292587768fbd732fafd624f1c6d963040a510640e5a55784aaf990196ad175a

          • \Users\Admin\AppData\Local\L3G\wermgr.exe

            Filesize

            45KB

            MD5

            16d5b66819e4e4ae8ca357f7aa02ffaa

            SHA1

            0889ea9c0ec516bc6b1aec5ab6ed34d484665856

            SHA256

            cce68dd60f7c84dd555bda1ab0097b2fc280ba8bb395bc6013cfd3633af2a665

            SHA512

            35472e2a0f1a650d27a98d89b711b18d82e2dd7e74a594242b9f3490eb83f5e6fdf505137f2cc39b714ae072c0c4481c06385659beb242eecf84c6cde1f5632d

          • \Users\Admin\AppData\Local\RFFvRDXM\UxTheme.dll

            Filesize

            95KB

            MD5

            46d8a51aea115f4314007c3f5047a460

            SHA1

            6b269fcdcdc8c03aa039f2d5e0ea1c7fbe474d2d

            SHA256

            a2f4ac0cd30589f10819c8626ee1b9b5ee870f9c2b139c7a3a1469316ab5cece

            SHA512

            cb109949a41a8ca3cf62851893741739680962247fedc631f9ee7f826c4fecc1279b141c0b5957c4e13e5b09c9135db13530c338303e750ff6cd0c6dfdc4be0e

          • \Users\Admin\AppData\Local\RFFvRDXM\isoburn.exe

            Filesize

            17KB

            MD5

            c4002c6e4e91b4a659f5b51882aa26ec

            SHA1

            bacfbc6f5b3be3e3e416cf872f3c087a90aede0d

            SHA256

            918d0a3592293179291b692f8172be3418b45041b285cd6b62d56130ade4c037

            SHA512

            01b9ef6a896c9a9b0954bd2a051ff050d0e5b88863a0f35f4ac4a241b5243182705f6ef8e079c6c8d42110683816fb23378fd57fb8f9a9b944a851291cdd1188

          • \Users\Admin\AppData\Local\iwfkVgNb3\MFC42u.dll

            Filesize

            81KB

            MD5

            adc269dafc7051b4c624cbba2d451801

            SHA1

            dabba25df48ae71364b27cbb409b5b169f6b9ffd

            SHA256

            c71edc0a27b5325587a941e7e09cbf000fb55163bd561476115b80e236511e90

            SHA512

            26989ac9d515fe0f6d1f90a7f49648507d651a5691a01439c387f9c1a00e9ccfe9eee89756bbc7336d96132e27af4a0a26f856fe378f502738a37a798ea30c70

          • \Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\ogAHD81arQ\icardagt.exe

            Filesize

            56KB

            MD5

            00ba321bb13c59d14c3eb3dffecfa04a

            SHA1

            73ef4eb00227b9bf6846d61be1182599ce1bcc19

            SHA256

            a69aaaf07193de10c28897f3bdd3dc566a192c2ea71de1068f16eadd6b06db00

            SHA512

            d4c1abfefed2e60e12942a519272fa1cae4e4b4682e47e6db2f75199bd0c07ee55454041fa32b3011c202cf7c1917c8573ff27ca9945aafd0c59c2cdb74037f1

          • memory/1204-25-0x0000000077910000-0x0000000077912000-memory.dmp

            Filesize

            8KB

          • memory/1204-12-0x0000000140000000-0x00000001400AE000-memory.dmp

            Filesize

            696KB

          • memory/1204-3-0x0000000077676000-0x0000000077677000-memory.dmp

            Filesize

            4KB

          • memory/1204-36-0x0000000140000000-0x00000001400AE000-memory.dmp

            Filesize

            696KB

          • memory/1204-13-0x0000000140000000-0x00000001400AE000-memory.dmp

            Filesize

            696KB

          • memory/1204-15-0x0000000001D80000-0x0000000001D87000-memory.dmp

            Filesize

            28KB

          • memory/1204-14-0x0000000140000000-0x00000001400AE000-memory.dmp

            Filesize

            696KB

          • memory/1204-34-0x0000000140000000-0x00000001400AE000-memory.dmp

            Filesize

            696KB

          • memory/1204-4-0x0000000002B50000-0x0000000002B51000-memory.dmp

            Filesize

            4KB

          • memory/1204-9-0x0000000140000000-0x00000001400AE000-memory.dmp

            Filesize

            696KB

          • memory/1204-46-0x0000000077676000-0x0000000077677000-memory.dmp

            Filesize

            4KB

          • memory/1204-11-0x0000000140000000-0x00000001400AE000-memory.dmp

            Filesize

            696KB

          • memory/1204-6-0x0000000140000000-0x00000001400AE000-memory.dmp

            Filesize

            696KB

          • memory/1204-23-0x0000000140000000-0x00000001400AE000-memory.dmp

            Filesize

            696KB

          • memory/1204-24-0x00000000778E0000-0x00000000778E2000-memory.dmp

            Filesize

            8KB

          • memory/1204-10-0x0000000140000000-0x00000001400AE000-memory.dmp

            Filesize

            696KB

          • memory/1204-7-0x0000000140000000-0x00000001400AE000-memory.dmp

            Filesize

            696KB

          • memory/1204-8-0x0000000140000000-0x00000001400AE000-memory.dmp

            Filesize

            696KB

          • memory/2496-99-0x0000000140000000-0x00000001400AF000-memory.dmp

            Filesize

            700KB

          • memory/2496-95-0x00000000003B0000-0x00000000003B7000-memory.dmp

            Filesize

            28KB

          • memory/2884-52-0x0000000140000000-0x00000001400B5000-memory.dmp

            Filesize

            724KB

          • memory/2884-57-0x0000000140000000-0x00000001400B5000-memory.dmp

            Filesize

            724KB

          • memory/2884-53-0x0000000000200000-0x0000000000207000-memory.dmp

            Filesize

            28KB

          • memory/2912-73-0x0000000140000000-0x00000001400AF000-memory.dmp

            Filesize

            700KB

          • memory/2912-69-0x0000000140000000-0x00000001400AF000-memory.dmp

            Filesize

            700KB

          • memory/2912-71-0x0000000000270000-0x0000000000277000-memory.dmp

            Filesize

            28KB

          • memory/2976-0-0x0000000140000000-0x00000001400AE000-memory.dmp

            Filesize

            696KB

          • memory/2976-37-0x0000000140000000-0x00000001400AE000-memory.dmp

            Filesize

            696KB

          • memory/2976-1-0x0000000000330000-0x0000000000337000-memory.dmp

            Filesize

            28KB
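The process tree and the dropped-file list above together show the pattern this sample relies on: a genuine System32 executable (DevicePairingWizard.exe, isoburn.exe, wermgr.exe, icardagt.exe) is copied into a random-named folder under AppData\Local next to a DLL that carries a system DLL's name (UxTheme.dll, MFC42u.dll), so the copy resolves that name from its own directory instead of System32 ("Loads dropped DLL"), and a .lnk is written into the Startup folder for persistence. The hunt logic below is an added example, not output of the sandbox or code from the sample. All module-load and file-create events are constructed from the paths in this report (plus two benign control rows), and the System32 basename set is a constructed subset; in a real hunt the events would come from Sysmon Event ID 7 (image loaded) and Event ID 11 (file created) records or an EDR export, and the basename set would be enumerated from a clean host.

```python
"""Hunt for the DLL side-loading and Startup-folder persistence layout
seen in this Dridex report.

Added example; the events are constructed from the report's own paths.
"""
from pathlib import PureWindowsPath

# Directories Windows normally runs its own binaries from. A copy of a
# System32 executable running from anywhere else is the side-loading host.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Basenames present in System32 on the analysis image (constructed subset).
SYSTEM32_NAMES = {
    "rundll32.exe", "devicepairingwizard.exe", "isoburn.exe", "wermgr.exe",
    "icardagt.exe", "uxtheme.dll", "mfc42u.dll",
}

# Constructed module-load events: (process image, loaded module).
MODULE_LOADS = [
    (r"C:\Windows\system32\rundll32.exe",
     r"C:\Users\Admin\AppData\Local\Temp\362efdb462f7563b069081e0de821389.dll"),
    (r"C:\Users\Admin\AppData\Local\iwfkVgNb3\DevicePairingWizard.exe",
     r"C:\Users\Admin\AppData\Local\iwfkVgNb3\MFC42u.dll"),
    (r"C:\Users\Admin\AppData\Local\RFFvRDXM\isoburn.exe",
     r"C:\Users\Admin\AppData\Local\RFFvRDXM\UxTheme.dll"),
    (r"C:\Users\Admin\AppData\Local\FkR\icardagt.exe",
     r"C:\Users\Admin\AppData\Local\FkR\UxTheme.dll"),
    # Benign control: the genuine binary loading the genuine DLL.
    (r"C:\Windows\system32\isoburn.exe", r"C:\Windows\system32\UxTheme.dll"),
    # Benign control: a third-party app loading its own private DLL.
    (r"C:\Program Files\Vendor\App.exe", r"C:\Program Files\Vendor\helper.dll"),
]

# Constructed file-create events: paths taken from the "Downloads" list.
FILE_CREATES = [
    r"C:\Users\Admin\AppData\Local\FkR\UxTheme.dll",
    r"C:\Users\Admin\AppData\Local\FkR\icardagt.exe",
    r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ekhyqsv.lnk",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\NT\isoburn.exe",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\UU\MFC42u.dll",
]


def _norm_dir(path):
    """Lower-cased parent directory of a Windows path."""
    return str(PureWindowsPath(path).parent).lower()


def find_sideloads(loads, system_names=SYSTEM32_NAMES):
    """Return (image, module) pairs where a copy of a System32 executable,
    running outside the system directories, loads a DLL that shares a
    System32 DLL's name from the executable's own directory."""
    hits = []
    for image, module in loads:
        img, mod = PureWindowsPath(image), PureWindowsPath(module)
        if img.name.lower() not in system_names:
            continue                       # not a relocated system binary
        if _norm_dir(image) in SYSTEM_DIRS:
            continue                       # genuine location, not a copy
        if mod.name.lower() not in system_names:
            continue                       # private DLL, not a hijacked name
        if _norm_dir(module) == _norm_dir(image):
            hits.append((image, module))   # resolved from the host's own dir
    return hits


def find_startup_links(creates):
    """Return .lnk files written into a Startup folder. The 8.3 short names
    in the report (MICROS~1, STARTM~1) are tolerated by matching only the
    trailing Programs\\Startup segment rather than the full expected path."""
    hits = []
    for path in creates:
        p = PureWindowsPath(path)
        parts = [s.lower() for s in p.parts]
        if p.suffix.lower() == ".lnk" and parts[-3:-1] == ["programs", "startup"]:
            hits.append(path)
    return hits


if __name__ == "__main__":
    for image, module in find_sideloads(MODULE_LOADS):
        print(f"SIDELOAD  {image} -> {module}")
    for path in find_startup_links(FILE_CREATES):
        print(f"STARTUP   {path}")
```

Run against the constructed events, `find_sideloads` flags the three relocated copies (DevicePairingWizard.exe with MFC42u.dll, isoburn.exe and icardagt.exe with UxTheme.dll) and ignores both the rundll32.exe loader, which runs from System32, and the two benign control rows; `find_startup_links` returns only Ekhyqsv.lnk. The copies of isoburn.exe, icardagt.exe and MFC42u.dll under SystemCertificates\NT, SendTo\UU and the Macromedia support directory are staging locations from which nothing is observed to execute in this run, so they are left to hash-based matching against the values in the list above.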