Analysis

  • max time kernel
    150s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    26-12-2023 07:26

General

  • Target

    5c73ce8acd26a01655041010b2d4ff6a.dll

  • Size

    848KB

  • MD5

    5c73ce8acd26a01655041010b2d4ff6a

  • SHA1

    d8781699300176bbbbd36489a1c82725c33edcb1

  • SHA256

    03691ec0a206c672022cbf25d02a4b0ab1f67bd6acf5782de498977d88e41474

  • SHA512

    9d73f66eb48fa1265751d612ac745f97780d97361b4ab864b8e9f37cbe3eb801fd85857191e0d0bfc10ec0add00e892a5b7a8c1b27ea5d378e277b713fbe384b

  • SSDEEP

    12288:3kbQEkWqv+157EYfxarhwLNuR7ek1tHffB/HzTyNQ6NIeGYr/R:3kbHkWfzZ5adwLNGeStHntqN7v

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

  • Dridex payload 11 IoCs

    Detects Dridex x64 core DLL in memory.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 8 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\5c73ce8acd26a01655041010b2d4ff6a.dll,#1
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1888
  • C:\Windows\system32\mfpmp.exe
    C:\Windows\system32\mfpmp.exe
    PID:2600
  • C:\Users\Admin\AppData\Local\TWcSZI\mfpmp.exe
    C:\Users\Admin\AppData\Local\TWcSZI\mfpmp.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:2512
  • C:\Windows\system32\perfmon.exe
    C:\Windows\system32\perfmon.exe
    PID:568
  • C:\Users\Admin\AppData\Local\N1yJU0zy\perfmon.exe
    C:\Users\Admin\AppData\Local\N1yJU0zy\perfmon.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:1784
  • C:\Windows\system32\wermgr.exe
    C:\Windows\system32\wermgr.exe
    PID:1864
  • C:\Users\Admin\AppData\Local\nVSMvE\wermgr.exe
    C:\Users\Admin\AppData\Local\nVSMvE\wermgr.exe
    • Executes dropped EXE
    PID:2028
  • C:\Windows\system32\rdpinit.exe
    C:\Windows\system32\rdpinit.exe
    PID:1912
  • C:\Users\Admin\AppData\Local\wDHs08JC\rdpinit.exe
    C:\Users\Admin\AppData\Local\wDHs08JC\rdpinit.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:1900

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\N1yJU0zy\Secur32.dll
    Filesize: 852KB
    MD5: 6b40e5433a62f7cd745f59d375112868
    SHA1: 35f16f3a2dac0ed9fb226d4bab356dc567bda4fb
    SHA256: a3946aa3282391dc534903acf7a54d4fb3a7f50758cf2383b991293067b75ca1
    SHA512: ea23552c722028aedc2ec46194a7a0a2dbe5caaf5d648e509d7e7a09a1ddd9fa3905ff52d36f754747145c044e1aa50aee08c69e9ccbbddc22714ff5c8796838

  • C:\Users\Admin\AppData\Local\TWcSZI\MFPlat.DLL
    Filesize: 856KB
    MD5: 269ad9f031e0c4e99d2e23c56de3d27a
    SHA1: 00fdfd4df643743e58daa755e61734bdf3b0b332
    SHA256: 1a9ee8e0308b959d4de8f935eb561ce0f6b597f66a377f6013236d6ef6c6e3e0
    SHA512: df8dcab347cafaa72c16a04a04fbb01fc6b5e1af5d16d3b9ef33475a7c0237a02ca563c0faea1c93ef32eaaa9b35469b23f21ae6fb0dce00b804b5220ebe9998

  • C:\Users\Admin\AppData\Local\nVSMvE\wermgr.exe
    Filesize: 49KB
    MD5: 41df7355a5a907e2c1d7804ec028965d
    SHA1: 453263d230c6317eb4a2eb3aceeec1bbcf5e153d
    SHA256: 207bfec939e7c017c4704ba76172ee2c954f485ba593bc1bc8c7666e78251861
    SHA512: 59c9d69d3942543af4f387137226516adec1a4304bd5696c6c1d338f9e5f40d136450907351cce018563df1358e06a792005167f5c08c689df32d809c4cebdcf

  • C:\Users\Admin\AppData\Local\wDHs08JC\WTSAPI32.dll
    Filesize: 852KB
    MD5: a82d4d876b3a3c95a0032c10e493d18f
    SHA1: 761ae78c931caac30214df59ddf5189ead808e7f
    SHA256: 40c5c397b920d94a41e51b02d00c026f966b08e7148596c567318e1815651af2
    SHA512: 078c3902c90e78b96b936a6b520c41c0ed3c468395ce0c91f6dd1bdc40d920c7c4cf6dc92bcd7766ac14f590652fd71ef40d34f7dfbedcbc1033dab3a246024d

  • C:\Users\Admin\AppData\Local\wDHs08JC\rdpinit.exe
    Filesize: 174KB
    MD5: 664e12e0ea009cc98c2b578ff4983c62
    SHA1: 27b302c0108851ac6cc37e56590dd9074b09c3c9
    SHA256: 00bd9c3c941a5a9b4fc8594d7b985f5f1ac48f0ba7495a728b8fa42b4b48a332
    SHA512: f5eee4e924dcc3cf5e82eff36543e9d0e9c17dc2272b403cf30f8d2da42312821f5566249a98a952f5441b1f0d6d61a86b5c5198bc598d65ea9d4fb35822505d

  • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ercyejwqgvsruoy.lnk
    Filesize: 1KB
    MD5: d9e5b5a5773766bcba2c0bbd19dd0a69
    SHA1: bbe07f1b81462453def556a5de30247cb034d6c3
    SHA256: 4c726263d9ebaebf2e1f3ac92489332f75cba263d8adf20539bf9140822160c5
    SHA512: 8455c9f674b0ca220fee424e0c6176a6c5ac4a5090c7b0ce19973916deda38acfa8cb452e4cb96436e1cc554330cf6ad303ba10285f140afaf70daec02b289e5

  • \Users\Admin\AppData\Local\N1yJU0zy\perfmon.exe
    Filesize: 168KB
    MD5: 3eb98cff1c242167df5fdbc6441ce3c5
    SHA1: 730b27a1c92e8df1e60db5a6fc69ea1b24f68a69
    SHA256: 6d8d5a244bb5a23c95653853fec3d04d2bdd2df5cff8cffb9848bddeb6adb081
    SHA512: f42be2a52d97fd1db2ed5a1a1a81a186a0aab41204980a103df33a4190632ba03f3cbb88fcea8da7ed9a5e15f60732d49a924b025fe6d3e623195ec1d37dfb35

  • \Users\Admin\AppData\Local\TWcSZI\mfpmp.exe
    Filesize: 24KB
    MD5: 2d8600b94de72a9d771cbb56b9f9c331
    SHA1: a0e2ac409159546183aa45875497844c4adb5aac
    SHA256: 7d8d8918761b8b6c95758375a6e7cf7fb8e43abfdd3846476219883ef3f8c185
    SHA512: 3aaa6619f29434c294b9b197c3b86fdc5d88b0254c8f35f010c9b5f254fd47fbc3272412907e2a5a4f490bda2acfbbd7a90f968e25067abf921b934d2616eafc
