Analysis

  • max time kernel
    171s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    26-12-2023 14:55

General

  • Target
    772b68bf3048024e686be386fbfe5083.dll
  • Size
    652KB
  • MD5
    772b68bf3048024e686be386fbfe5083
  • SHA1
    458a9a79779cf07157ec419d9511975e2f8aa2c8
  • SHA256
    7c62dc19058fca240cc5e8942a240f7691e6066aa3d59a51185ac3209e8f1409
  • SHA512
    18164714b6ced7284218c0dc8c4e0013b1b08084e07f89322564bdd0bf5d37c62edcb947965e1384e26fe36dd7d613a82697a4429fc935ee1557edf3c9290d62
  • SSDEEP
    12288:8KYQ5LL540CV3UIeLPrleV1F0e8gMA/9L0l3HATpKR4:9YQ5p4f0POF0nkls3opKR

Malware Config

Signatures

  • Dridex

    Dridex (known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\772b68bf3048024e686be386fbfe5083.dll,#1
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2796
  • C:\Windows\system32\spinstall.exe
    C:\Windows\system32\spinstall.exe
    PID:268
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\dzDlhu.cmd
      PID:776
      • C:\Windows\system32\mspaint.exe
        C:\Windows\system32\mspaint.exe
        PID:1980
        • C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\yZdxQJ.cmd
          • Drops file in System32 directory
          PID:1940
        • C:\Windows\system32\schtasks.exe
          "C:\Windows\system32\schtasks.exe" /Create /F /TN "Hkckipfn" /TR "C:\Windows\system32\7sKi\mspaint.exe" /SC minute /MO 60 /RL highest
          • Creates scheduled task(s)
          PID:1336
        • C:\Windows\system32\schtasks.exe
          C:\Windows\system32\schtasks.exe /Query /TN "Hkckipfn"
          PID:808
          • C:\Windows\system32\schtasks.exe
            C:\Windows\system32\schtasks.exe /Query /TN "Hkckipfn"
            PID:2908
            • C:\Windows\system32\schtasks.exe
              C:\Windows\system32\schtasks.exe /Query /TN "Hkckipfn"
              PID:2920
              • C:\Windows\system32\schtasks.exe
                C:\Windows\system32\schtasks.exe /Query /TN "Hkckipfn"
                PID:436
                • C:\Windows\system32\schtasks.exe
                  C:\Windows\system32\schtasks.exe /Query /TN "Hkckipfn"
                  PID:944

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\ZaB137.tmp
    Filesize: 656KB
    MD5: 661348b0acdfaf708e3bd361a53833ca
    SHA1: 7dea4d2ce50fc42a40c55196fb34d7e7498c07ac
    SHA256: ba00572a4f9b40157ee9f43c165af8fb095239fe853163005e8ca482bc270f9d
    SHA512: 78aa4eda2cce84d3de63f58651b9eeb95476372e6038f8647e326ad4acda817a75ee50930d0f2660dba8ad0622959ecb86e566d7aa5f96fdbb8dd0d12835126a

  • C:\Users\Admin\AppData\Local\Temp\dzDlhu.cmd
    Filesize: 230B
    MD5: a4688edaf2def2f9ecb7e8c220f3de2f
    SHA1: a14483444477d558a418bb8ece3de4403d4e69d2
    SHA256: 03f61e9d00a48feba9cf0317fa7c8cebed5b3cb25d5dcf1bd87e1202bd06a178
    SHA512: 850beecae69bce4273daf645827d9f9a386456e77429f49ab82c3adbb3b62446adf8edc90324f5463c8c34382d8e99edd38db33cc57bb849e2d20fcf8d115013

  • C:\Users\Admin\AppData\Local\Temp\syr6671.tmp
    Filesize: 656KB
    MD5: 7026c5c2deefd569ca62985fff08ae6f
    SHA1: 5b46af69711e1a93ca2053edaece28a37dec0594
    SHA256: efb120ed5a2cae5c0947fd03d160a178da26b20b36406c9b8909ae81ed2e13ee
    SHA512: 092006716dc09d6883bc854cb0a310b8154ce8a1007213b8daefe1ce15a0897df28ad4ee171c92a1e8318bd7ac065966d51ea1e77eb5cdaf727a0604ad2135bc

  • C:\Users\Admin\AppData\Local\Temp\yZdxQJ.cmd
    Filesize: 193B
    MD5: 19b062469fb937864622c1da5a2903c0
    SHA1: f5f7aba496c79045dc9c281e488a3de85bda0c30
    SHA256: 5152d241b15f07a021080a63a8fb37008df05c5872e4a848b6b334a7a5a5dda8
    SHA512: 7dc79b56593551012cdda3f9f7db61e8a7a174f418f8d5a5fba40916a4db079392d9fff6518d3ec5784cab0522246bfb72b1de955b5f3209f8641f7830c6d7ba

  • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Fskzoiv.lnk
    Filesize: 793B
    MD5: 3225b1b3eaa5e1f4877abaf407b6e83e
    SHA1: 95ab5abe4ee59b878c2a51855076924621b1b8e3
    SHA256: c28086e72ff84db7d5a6bb0d8f78387cef37ec403d1e53b9ee8bbbf5f3da5555
    SHA512: beef4cfcc03a905fe467d255de5b015491802e3f1a9f19f8c986b98f0350fde88852a00fba90edcc2525b98b812b89d172910ca0081625a36a57cb991e2744d2

  • \Users\Admin\AppData\Roaming\979G\spinstall.exe
    Filesize: 584KB
    MD5: 29c1d5b330b802efa1a8357373bc97fe
    SHA1: 90797aaa2c56fc2a667c74475996ea1841bc368f
    SHA256: 048bd22abf158346ab991a377cc6e9d2b20b4d73ccee7656c96a41f657e7be7f
    SHA512: 66f4f75a04340a1dd55dfdcc3ff1103ea34a55295f56c12e88d38d1a41e5be46b67c98bd66ac9f878ce79311773e374ed2bce4dd70e8bb5543e4ec1dd56625ee

  • memory/1244-17-0x0000000140000000-0x00000001400A3000-memory.dmp (Filesize: 652KB)
  • memory/1244-14-0x0000000140000000-0x00000001400A3000-memory.dmp (Filesize: 652KB)
  • memory/1244-20-0x0000000140000000-0x00000001400A3000-memory.dmp (Filesize: 652KB)
  • memory/1244-25-0x0000000140000000-0x00000001400A3000-memory.dmp (Filesize: 652KB)
  • memory/1244-33-0x0000000077540000-0x0000000077542000-memory.dmp (Filesize: 8KB)
  • memory/1244-32-0x00000000773E1000-0x00000000773E2000-memory.dmp (Filesize: 4KB)
  • memory/1244-31-0x0000000140000000-0x00000001400A3000-memory.dmp (Filesize: 652KB)
  • memory/1244-24-0x0000000002A60000-0x0000000002A67000-memory.dmp (Filesize: 28KB)
  • memory/1244-19-0x0000000140000000-0x00000001400A3000-memory.dmp (Filesize: 652KB)
  • memory/1244-18-0x0000000140000000-0x00000001400A3000-memory.dmp (Filesize: 652KB)
  • memory/1244-42-0x0000000140000000-0x00000001400A3000-memory.dmp (Filesize: 652KB)
  • memory/1244-47-0x0000000140000000-0x00000001400A3000-memory.dmp (Filesize: 652KB)
  • memory/1244-3-0x00000000772D6000-0x00000000772D7000-memory.dmp (Filesize: 4KB)
  • memory/1244-16-0x0000000140000000-0x00000001400A3000-memory.dmp (Filesize: 652KB)
  • memory/1244-15-0x0000000140000000-0x00000001400A3000-memory.dmp (Filesize: 652KB)
  • memory/1244-21-0x0000000140000000-0x00000001400A3000-memory.dmp (Filesize: 652KB)
  • memory/1244-12-0x0000000140000000-0x00000001400A3000-memory.dmp (Filesize: 652KB)
  • memory/1244-11-0x0000000140000000-0x00000001400A3000-memory.dmp (Filesize: 652KB)
  • memory/1244-10-0x0000000140000000-0x00000001400A3000-memory.dmp (Filesize: 652KB)
  • memory/1244-9-0x0000000140000000-0x00000001400A3000-memory.dmp (Filesize: 652KB)
  • memory/1244-8-0x0000000140000000-0x00000001400A3000-memory.dmp (Filesize: 652KB)
  • memory/1244-4-0x0000000002A80000-0x0000000002A81000-memory.dmp (Filesize: 4KB)
  • memory/1244-6-0x0000000140000000-0x00000001400A3000-memory.dmp (Filesize: 652KB)
  • memory/1244-55-0x00000000772D6000-0x00000000772D7000-memory.dmp (Filesize: 4KB)
  • memory/1244-23-0x0000000140000000-0x00000001400A3000-memory.dmp (Filesize: 652KB)
  • memory/1244-22-0x0000000140000000-0x00000001400A3000-memory.dmp (Filesize: 652KB)
  • memory/1244-13-0x0000000140000000-0x00000001400A3000-memory.dmp (Filesize: 652KB)
  • memory/2796-7-0x000007FEF6AF0000-0x000007FEF6B93000-memory.dmp (Filesize: 652KB)
  • memory/2796-0-0x000007FEF6AF0000-0x000007FEF6B93000-memory.dmp (Filesize: 652KB)
  • memory/2796-1-0x0000000001B30000-0x0000000001B37000-memory.dmp (Filesize: 28KB)