Analysis

  • max time kernel
    188s
  • max time network
    35s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    27-12-2023 13:02

General

  • Target

    b122a91caaad5f9133a910107ab182f2.dll

  • Size

    728KB

  • MD5

    b122a91caaad5f9133a910107ab182f2

  • SHA1

    df8ac36b8382ec1a7cd5c52decdca2330fc57af1

  • SHA256

    f2ded2615a9ec37198c3ae0042de5ddb999eda4d0d89b5469d20c4b047e8759f

  • SHA512

    f9a9311958fbffcfbf5a6b71168add5e585a0d09daa4e748617aed1180eef1c0bbd997adda57561ed21106f4d4e62c64d99fa5dee4ce7dafcc3ba452a4b709f5

  • SSDEEP

    12288:G6BBWGJW6eC85Df97+yXUj7SncCxj8iHGo59S1WQSCtEdFO7YKJf6:G6BQBjlc728jo7S1bl6FbK

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\b122a91caaad5f9133a910107ab182f2.dll,#1
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2828
  • C:\Windows\system32\SystemPropertiesPerformance.exe
    C:\Windows\system32\SystemPropertiesPerformance.exe
    PID:1984
  • C:\Users\Admin\AppData\Local\uT6bhFB\SystemPropertiesPerformance.exe
    C:\Users\Admin\AppData\Local\uT6bhFB\SystemPropertiesPerformance.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:1676
  • C:\Windows\system32\wusa.exe
    C:\Windows\system32\wusa.exe
    PID:1180
  • C:\Users\Admin\AppData\Local\dwhYGTu\wusa.exe
    C:\Users\Admin\AppData\Local\dwhYGTu\wusa.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:1052
  • C:\Windows\system32\tcmsetup.exe
    C:\Windows\system32\tcmsetup.exe
    PID:1832
  • C:\Users\Admin\AppData\Local\23bjN\tcmsetup.exe
    C:\Users\Admin\AppData\Local\23bjN\tcmsetup.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:768
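The process list above shows the loader's staging pattern: each Windows system binary (SystemPropertiesPerformance.exe, wusa.exe, tcmsetup.exe) runs once from System32 and then again from a freshly created directory under AppData\Local, where the "Loads dropped DLL" signature fires. The following is an added detection example, not part of the sandbox report or of Dridex itself. It runs two rules over process-creation records constructed from the list above (field names follow Sysmon Event ID 1; parent PIDs are not shown in the report and are not used): rundll32 loading a DLL from a user-writable path, and a process whose filename matches a binary already seen running from System32 but whose image now lives under a user profile.

```python
"""Detection logic for the process pattern in this report: rundll32 loading a
DLL from a user-writable temp path, and copies of Windows system binaries
launched from AppData (the staging used for DLL side-loading).
Records are constructed from the report's Processes section."""
import ntpath
import re
from typing import Dict, List

# Constructed from the Processes section. Field names follow Sysmon Event ID 1;
# parent PIDs are not in the report and the rules below do not need them.
EVENTS: List[Dict[str, str]] = [
    {"ProcessId": "2828", "Image": r"C:\Windows\system32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\b122a91caaad5f9133a910107ab182f2.dll,#1"},
    {"ProcessId": "1984", "Image": r"C:\Windows\system32\SystemPropertiesPerformance.exe",
     "CommandLine": r"C:\Windows\system32\SystemPropertiesPerformance.exe"},
    {"ProcessId": "1676", "Image": r"C:\Users\Admin\AppData\Local\uT6bhFB\SystemPropertiesPerformance.exe",
     "CommandLine": r"C:\Users\Admin\AppData\Local\uT6bhFB\SystemPropertiesPerformance.exe"},
    {"ProcessId": "1180", "Image": r"C:\Windows\system32\wusa.exe",
     "CommandLine": r"C:\Windows\system32\wusa.exe"},
    {"ProcessId": "1052", "Image": r"C:\Users\Admin\AppData\Local\dwhYGTu\wusa.exe",
     "CommandLine": r"C:\Users\Admin\AppData\Local\dwhYGTu\wusa.exe"},
    {"ProcessId": "1832", "Image": r"C:\Windows\system32\tcmsetup.exe",
     "CommandLine": r"C:\Windows\system32\tcmsetup.exe"},
    {"ProcessId": "768", "Image": r"C:\Users\Admin\AppData\Local\23bjN\tcmsetup.exe",
     "CommandLine": r"C:\Users\Admin\AppData\Local\23bjN\tcmsetup.exe"},
]

# Directories where Windows binaries legitimately live (normal strings, not raw,
# so the trailing separator is a single backslash).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Anything under a user profile's AppData tree (Local, LocalLow, Roaming).
USER_WRITABLE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\", re.I)
# First DLL path on a command line; "C:\x\y.dll,#1" yields "C:\x\y.dll".
DLL_ARG = re.compile(r"([a-z]:\\[^\s,]+\.dll)\b", re.I)


def in_system_dir(path: str) -> bool:
    """True when the image sits in System32 or SysWOW64."""
    return path.lower().startswith(SYSTEM_DIRS)


def analyze(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one finding per suspicious event, in event order."""
    findings: List[Dict[str, str]] = []
    # basename -> PID of the most recent launch from a system directory
    seen_legit: Dict[str, str] = {}
    for ev in events:
        image, pid = ev["Image"], ev["ProcessId"]
        base = ntpath.basename(image).lower()
        if base == "rundll32.exe":
            m = DLL_ARG.search(ev["CommandLine"])
            if m and USER_WRITABLE.match(m.group(1)):
                findings.append({"pid": pid, "rule": "rundll32_user_dll",
                                 "path": m.group(1)})
            continue
        if in_system_dir(image):
            seen_legit[base] = pid
        elif base in seen_legit and USER_WRITABLE.match(image):
            # Same filename as a binary that already ran from System32, now
            # executing from AppData: the side-loading stage of the loader.
            findings.append({"pid": pid, "rule": "relocated_system_binary",
                             "path": image, "legit_pid": seen_legit[base]})
    return findings


if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f)
```

The second rule only learns which filenames are system binaries from launches it has already observed, which is enough for this report because every relocated copy is preceded by its System32 original; in a production rule the set would instead be seeded from an inventory of System32 filenames so that the first launch from AppData is caught on its own.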

        Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\23bjN\TAPI32.dll

          Filesize

          736KB

          MD5

          a10dafdc447283f38823e97445bb0715

          SHA1

          7a8604b56d4d92f134e9f9f22b112589746b0613

          SHA256

          42e8a2a36f1fe9f6948696d9907f0866e6823c666777f28fde29f4cba44a4f81

          SHA512

          4ac57dbdd358157e2fc99b89e8bcb7703e9b5ec9452f1af3d489fcb70710b77b3dc9269d1607ba42b61a2a7976eb97c5a208c64b571d853022cacefc5834d3dd

        • C:\Users\Admin\AppData\Local\dwhYGTu\dpx.dll

          Filesize

          732KB

          MD5

          13caaa94ecd7fc7747b65ed2b12031b1

          SHA1

          b649ea8b1cc9bd697f53a22f1a7c7b791c538949

          SHA256

          b8793c85b611e20711edc20870845196ef0a2456abe6050a0ed8577e1302a4ce

          SHA512

          599d2b86400b60b2a57362e897d24b5001b3ffb4bf68de64d1fa73820861d771d6aa21d89b45d16a55003faa94357361dd7ba0b9c51486fedd2831e590f83f0e

        • C:\Users\Admin\AppData\Local\uT6bhFB\SYSDM.CPL

          Filesize

          732KB

          MD5

          d410067acd1b165ba2c7bb13e4c87f7b

          SHA1

          72de35b155e505c9983626024a8c5e5830a0295e

          SHA256

          e708a9ae513715b4f2a1dcac55a1eb0528bcdb5c228d4fbb3047147385338a05

          SHA512

          7a43d973e93a82046370d3ee9e80f8a7ccdda6fba5e8bfeef7766b7d31aa745ea004ee2c0d6beb61f5aff1513e9fb9d781f973562ca72de37834a456765ca69d

        • C:\Users\Admin\AppData\Local\uT6bhFB\SystemPropertiesPerformance.exe

          Filesize

          80KB

          MD5

          870726cdcc241a92785572628b89cc07

          SHA1

          63d47cc4fe9beb75862add1abca1d8ae8235710a

          SHA256

          1ab77fa1ee0cbe59ca185c228c3c11abeba2b2008a162c91a06d3c40542e7fc6

          SHA512

          89b961c2a2716fe0800e54e0206c8b349a26f1bc2a463ec9bd12f3ab22bfcb13e6402b4c20ddcf284d838a3c66e73335af8f6dc4554d76646382e387242c6f72

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Hbeids.lnk

          Filesize

          1KB

          MD5

          3a68295874964b48796955813ce9b7a6

          SHA1

          955fa74ab3c5b577bdd9753fef90bb2df483db87

          SHA256

          8efa420c7e4ccdddda0fdd646615df1768f17fd7c3356961381f5f00ba470980

          SHA512

          2d2b6ea3ee78540fa20d29802df6c10ff570659132a0d5f9a0703f89a6eaf7345f377e90a64b9599e56e938da1975e76c08d389c8bc0229b7ea8cdc9b2b94918

        • C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\yFHsBZI9b\TAPI32.dll

          Filesize

          449KB

          MD5

          3e5044fa5597f21bd0bc9cb2a002bb64

          SHA1

          0609f90f33db3ed3139bdd0800b3612d0f79e1a8

          SHA256

          c5191eb223716ea02c403b9d1eb276d2b98b7774ea99164edc141c34ba7be235

          SHA512

          20f80f4bbc47df23777db8d0945a0f1dbafdcc80696ddfdbab54d0002ed2a29f57108d39ccacc717298c36d639ef32ff6267e8ecdccced93e269d068e6d5c9ce

        • C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\9vd3NH4t\SYSDM.CPL

          Filesize

          192KB

          MD5

          ce3dd7dc00d7ebe3fe2b45d2a66b726d

          SHA1

          bd2b67f99f97b8d376cfbcaaac8d0b321038816c

          SHA256

          02515cef327a9647c59453b2c5b1686f1cd27eb065ea3106b78589961b850de0

          SHA512

          dcf4a65804d84c7516c49edf367d2f7af2916e3817479a8bc9b8389af33cbef57eda7232f3e410f77a47664a731aca7850e6ee0a8b07ad038251e687e197bfa0

        • C:\Users\Admin\AppData\Roaming\Microsoft\YU\dpx.dll

          Filesize

          472KB

          MD5

          902fcc4fc8799c8f1f391d4f54ce6429

          SHA1

          8204c8e3e352a1968940d11b598c8218efb9afd3

          SHA256

          e92b9c6c75b4ac8c6b81c6b8358a37615c9a51164918591a326c3b6301f6cb28

          SHA512

          c96353ffe52a689f1352a5f22812b9192787ff41c116e2be9d4d4d2c6513d1d8f3b9441f5bcfa9bc0396a04c35907ff8648f4d39289118c7375dfb1106ceef99

        • \Users\Admin\AppData\Local\23bjN\tcmsetup.exe

          Filesize

          15KB

          MD5

          0b08315da0da7f9f472fbab510bfe7b8

          SHA1

          33ba48fd980216becc532466a5ff8476bec0b31c

          SHA256

          e19556bb7aa39bbd5f0d568a95aec0b3af18dda438cc5737f945243b24d106e7

          SHA512

          c30501546efe2b0c003ef87ac381e901c69ddfc6791c6a5102cff3a07f56555d94995a4413b93036821aa214fc31501fa87eb519e1890ef75b2ec497983ffd58

        • \Users\Admin\AppData\Local\dwhYGTu\wusa.exe

          Filesize

          300KB

          MD5

          c15b3d813f4382ade98f1892350f21c7

          SHA1

          a45c5abc6751bc8b9041e5e07923fa4fc1b4542b

          SHA256

          8f067da98eb3ea9f1db2f0063ff54e07d992fbf051779b467e222639be4127e3

          SHA512

          6d028fe81fe45d0ef291741513ecf939e412912647347d4d5bad89571f33e1084dc0fd26eb7313c7191f938c3f50243f453e2690e2475fc3f5539a20c2ff2f3c

        • memory/768-96-0x0000000140000000-0x00000001400B8000-memory.dmp

          Filesize

          736KB

        • memory/768-101-0x0000000140000000-0x00000001400B8000-memory.dmp

          Filesize

          736KB

        • memory/1052-80-0x00000000000F0000-0x00000000000F7000-memory.dmp

          Filesize

          28KB

        • memory/1052-84-0x0000000140000000-0x00000001400B7000-memory.dmp

          Filesize

          732KB

        • memory/1188-31-0x0000000140000000-0x00000001400B6000-memory.dmp

          Filesize

          728KB

        • memory/1188-14-0x0000000140000000-0x00000001400B6000-memory.dmp

          Filesize

          728KB

        • memory/1188-24-0x0000000140000000-0x00000001400B6000-memory.dmp

          Filesize

          728KB

        • memory/1188-20-0x0000000140000000-0x00000001400B6000-memory.dmp

          Filesize

          728KB

        • memory/1188-19-0x0000000140000000-0x00000001400B6000-memory.dmp

          Filesize

          728KB

        • memory/1188-17-0x0000000140000000-0x00000001400B6000-memory.dmp

          Filesize

          728KB

        • memory/1188-16-0x0000000140000000-0x00000001400B6000-memory.dmp

          Filesize

          728KB

        • memory/1188-13-0x0000000140000000-0x00000001400B6000-memory.dmp

          Filesize

          728KB

        • memory/1188-4-0x0000000077116000-0x0000000077117000-memory.dmp

          Filesize

          4KB

        • memory/1188-33-0x00000000774B0000-0x00000000774B2000-memory.dmp

          Filesize

          8KB

        • memory/1188-32-0x0000000077321000-0x0000000077322000-memory.dmp

          Filesize

          4KB

        • memory/1188-5-0x0000000002220000-0x0000000002221000-memory.dmp

          Filesize

          4KB

        • memory/1188-43-0x0000000140000000-0x00000001400B6000-memory.dmp

          Filesize

          728KB

        • memory/1188-44-0x0000000140000000-0x00000001400B6000-memory.dmp

          Filesize

          728KB

        • memory/1188-52-0x0000000077116000-0x0000000077117000-memory.dmp

          Filesize

          4KB

        • memory/1188-22-0x0000000140000000-0x00000001400B6000-memory.dmp

          Filesize

          728KB

        • memory/1188-21-0x0000000140000000-0x00000001400B6000-memory.dmp

          Filesize

          728KB

        • memory/1188-7-0x0000000140000000-0x00000001400B6000-memory.dmp

          Filesize

          728KB

        • memory/1188-8-0x0000000140000000-0x00000001400B6000-memory.dmp

          Filesize

          728KB

        • memory/1188-9-0x0000000140000000-0x00000001400B6000-memory.dmp

          Filesize

          728KB

        • memory/1188-18-0x0000000140000000-0x00000001400B6000-memory.dmp

          Filesize

          728KB

        • memory/1188-15-0x0000000140000000-0x00000001400B6000-memory.dmp

          Filesize

          728KB

        • memory/1188-23-0x0000000002200000-0x0000000002207000-memory.dmp

          Filesize

          28KB

        • memory/1188-10-0x0000000140000000-0x00000001400B6000-memory.dmp

          Filesize

          728KB

        • memory/1188-12-0x0000000140000000-0x00000001400B6000-memory.dmp

          Filesize

          728KB

        • memory/1188-11-0x0000000140000000-0x00000001400B6000-memory.dmp

          Filesize

          728KB

        • memory/1676-66-0x0000000140000000-0x00000001400B7000-memory.dmp

          Filesize

          732KB

        • memory/1676-62-0x0000000000070000-0x0000000000077000-memory.dmp

          Filesize

          28KB

        • memory/1676-60-0x0000000140000000-0x00000001400B7000-memory.dmp

          Filesize

          732KB

        • memory/2828-34-0x0000000140000000-0x00000001400B6000-memory.dmp

          Filesize

          728KB

        • memory/2828-1-0x0000000000180000-0x0000000000187000-memory.dmp

          Filesize

          28KB

        • memory/2828-0-0x0000000140000000-0x00000001400B6000-memory.dmp

          Filesize

          728KB
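The memory dumps above can be cross-checked against the dropped files: each process that side-loaded a payload has a region starting at 0x140000000 (the default image base for 64-bit PE files) whose size matches the DLL dropped next to the executable it ran, e.g. 0x1400B8000 - 0x140000000 = 0xB8000 = 736KB for PID 768, the size of 23bjN\TAPI32.dll. The following is an added worked check, not part of the report. Dump names and file sizes are copied from the Downloads section (one entry per distinct region per PID, since the report repeats identical 1188 regions many times); the PID-to-staging-directory mapping is read off the Processes section, with PID 2828 assumed to map to the Temp directory because rundll32 loads the submitted DLL from there.

```python
"""Correlate the report's memory dumps with its dropped files: a process that
side-loads a payload DLL should show a region at the PE image base whose size
equals that DLL's file size. Dump names and sizes are copied from the report."""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Default image base of a 64-bit PE; every image-sized region in the report
# starts here.
IMAGE_BASE = 0x140000000

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9a-f]+)-0x(?P<end>[0-9a-f]+)-memory\.dmp$",
    re.I,
)

# Dump names from the Downloads section, deduplicated to one per region per PID.
DUMPS: List[str] = [
    "memory/768-96-0x0000000140000000-0x00000001400B8000-memory.dmp",
    "memory/1052-80-0x00000000000F0000-0x00000000000F7000-memory.dmp",
    "memory/1052-84-0x0000000140000000-0x00000001400B7000-memory.dmp",
    "memory/1188-13-0x0000000140000000-0x00000001400B6000-memory.dmp",
    "memory/1188-23-0x0000000002200000-0x0000000002207000-memory.dmp",
    "memory/1676-62-0x0000000000070000-0x0000000000077000-memory.dmp",
    "memory/1676-66-0x0000000140000000-0x00000001400B7000-memory.dmp",
    "memory/2828-0-0x0000000140000000-0x00000001400B6000-memory.dmp",
    "memory/2828-1-0x0000000000180000-0x0000000000187000-memory.dmp",
]

# Payload DLL per staging directory with its reported size in KB.
DROPPED_DLLS: Dict[str, int] = {
    r"C:\Users\Admin\AppData\Local\23bjN\TAPI32.dll": 736,
    r"C:\Users\Admin\AppData\Local\dwhYGTu\dpx.dll": 732,
    r"C:\Users\Admin\AppData\Local\uT6bhFB\SYSDM.CPL": 732,
    r"C:\Users\Admin\AppData\Local\Temp\b122a91caaad5f9133a910107ab182f2.dll": 728,
}

# PID -> directory whose DLL that process loads (from the Processes section;
# 2828 is rundll32 loading the submitted DLL out of Temp, an assumption).
STAGING_DIR: Dict[str, str] = {
    "2828": r"C:\Users\Admin\AppData\Local\Temp",
    "1676": r"C:\Users\Admin\AppData\Local\uT6bhFB",
    "1052": r"C:\Users\Admin\AppData\Local\dwhYGTu",
    "768": r"C:\Users\Admin\AppData\Local\23bjN",
}


def parse_dump(name: str) -> Optional[Tuple[str, int, int]]:
    """Split a dump name into (pid, start, end); None if it is not a dump name."""
    m = DUMP_RE.match(name)
    if not m:
        return None
    return m["pid"], int(m["start"], 16), int(m["end"], 16)


def image_region_kb(dumps: List[str]) -> Dict[str, int]:
    """PID -> size in KB of the region mapped at IMAGE_BASE (largest if several)."""
    out: Dict[str, int] = defaultdict(int)
    for name in dumps:
        parsed = parse_dump(name)
        if parsed is None:
            continue
        pid, start, end = parsed
        if start == IMAGE_BASE:
            out[pid] = max(out[pid], (end - start) // 1024)
    return dict(out)


def dll_in_dir(directory: str) -> Optional[Tuple[str, int]]:
    """First dropped DLL/CPL located directly under the given directory."""
    prefix = directory.lower().rstrip("\\") + "\\"
    for path, kb in DROPPED_DLLS.items():
        low = path.lower()
        if low.startswith(prefix) and low.rsplit(".", 1)[-1] in ("dll", "cpl"):
            return path, kb
    return None


def correlate(dumps: List[str], staging: Dict[str, str]) -> List[Dict[str, object]]:
    """For each PID with an image-base region, name the co-located payload and
    say whether its file size matches the mapped region; PIDs absent from the
    process list get payload None."""
    rows: List[Dict[str, object]] = []
    for pid, kb in sorted(image_region_kb(dumps).items(), key=lambda x: int(x[0])):
        hit = dll_in_dir(staging[pid]) if pid in staging else None
        rows.append({"pid": pid, "region_kb": kb,
                     "payload": hit[0] if hit else None,
                     "size_match": bool(hit and hit[1] == kb)})
    return rows


if __name__ == "__main__":
    for row in correlate(DUMPS, STAGING_DIR):
        print(row)
```

Four PIDs match exactly (768, 1052, 1676, 2828). PID 1188 carries a 728KB image-base region, the same size as the submitted DLL, but does not appear in the process list at all; that is consistent with the "Dridex Payload shellcode injected in Explorer process" signature, although the report itself does not name the process behind 1188.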