Analysis

  • max time kernel
    151s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    29-12-2023 22:21

General

  • Target

    057bb2ade128476e59bac8ad60086d9e.dll

  • Size

    3.2MB

  • MD5

    057bb2ade128476e59bac8ad60086d9e

  • SHA1

    63c16b30db7718bc853802ede3e3d3f8563f7a5c

  • SHA256

    2fd1f1b0c7fb142aa3c4e81bedb7e6722acede96384123b60c86b2dca501b50a

  • SHA512

    3bbeba9f3ceae53a739e2689be4cb57cea9f96ee2aeb61ee3f118d3963fcfea082c05f0a1c162887a554c4b2289a4766fb6b9e8b14cc6911ad07a036429a6d61

  • SSDEEP

    12288:7VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:afP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a banking trojan that specializes in stealing banking credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex payload shellcode injected into the Explorer process.

  • Drops startup file 3 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\057bb2ade128476e59bac8ad60086d9e.dll,#1
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:816
  • C:\Windows\system32\osk.exe
    C:\Windows\system32\osk.exe
    PID:1484
  • C:\Users\Admin\AppData\Local\vKXB2V1Za\osk.exe
    C:\Users\Admin\AppData\Local\vKXB2V1Za\osk.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:2968
  • C:\Windows\system32\BitLockerWizardElev.exe
    C:\Windows\system32\BitLockerWizardElev.exe
    PID:2944
  • C:\Users\Admin\AppData\Local\2jZyUH\BitLockerWizardElev.exe
    C:\Users\Admin\AppData\Local\2jZyUH\BitLockerWizardElev.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:108
  • C:\Windows\system32\msconfig.exe
    C:\Windows\system32\msconfig.exe
    PID:1696
  • C:\Users\Admin\AppData\Local\PFWHWG8\msconfig.exe
    C:\Users\Admin\AppData\Local\PFWHWG8\msconfig.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:2984

        Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\2jZyUH\FVEWIZ.dll

          Filesize

          3.2MB

          MD5

          aa8647851f92c87f2e174fbdb2208842

          SHA1

          9f630a3fcfcf4cc37751a107ad301a5a26780ae3

          SHA256

          7c2da0e82df081ef17e4451457832056a43827d80422f71ee6da6ad28e958831

          SHA512

          a37e7474ffe4971a17ccf9c362b9f7ce43e5165a4c4d6879b5a16ad736ee24b185c350f6b0bc5fbb7915877a7c9e8d8393d3ef1448f6f35d616db1234db0ce7a

        • C:\Users\Admin\AppData\Local\PFWHWG8\VERSION.dll

          Filesize

          1.5MB

          MD5

          966f88d18a8f2728ca44993f228cefc8

          SHA1

          65c8baeb31b4c8bb7fadd24623aaebee77bdd710

          SHA256

          3da9b3376d0769503c3ea6c1de2cf871bc1c2199da1274d39a8e931ca249682c

          SHA512

          5f386156f999032d7a85c6c7e68013ca4b6cc71da30787ae83b64c6c680cc37b8aa0d3ce4add6b73d25adc10fb5aea5929a6e3a5527dd4c945dc7c60592ea24a

        • C:\Users\Admin\AppData\Local\vKXB2V1Za\UxTheme.dll

          Filesize

          83KB

          MD5

          22865f64942a35ac74e9e1de662f6187

          SHA1

          a0a0655bf377cba9308ac9886e005e01f1bc8165

          SHA256

          09b400db84593b024ebb0ba979c79a463c9f54953ff3e2db88151179dbe407dd

          SHA512

          ee0d789ef0cf25a952f8026d005905827f6bd4849b63bbe411405c5912a62c25188cbc72a1d7a2341db8da44998aa54aeb4edcd05eed6e2159e11b40b763de87

        • C:\Users\Admin\AppData\Local\vKXB2V1Za\osk.exe

          Filesize

          175KB

          MD5

          35272a16c4af43a850240bdc01eb34aa

          SHA1

          7431345b5818da148828cca7608c7f46eb0270c0

          SHA256

          db801a8805d39506ce60df4cf2f0197fdee534ded7747af14153023ffd87ff39

          SHA512

          de9b077e984d244e8cd5f704536825041f0d7496eafe67fd3ffee507010004c85625875ff0140fc9d5aad4b665f0b4758d30cca1275d5dab89ef62d995c5de7d

        • C:\Users\Admin\AppData\Local\vKXB2V1Za\osk.exe

          Filesize

          92KB

          MD5

          898f9e44da78d76a4f62d05bef5f5926

          SHA1

          94c1b10199a09cd711ab2bd2dbd91584bdf6b897

          SHA256

          1509b680653247b8086cdddd9994b1c719fe51abdeb92ca54584c850e48c86ad

          SHA512

          f7a080507a024740f28bd1bb0eaa0ee015ec4fdc1c91c627ed6cef902cdb19d231fb90673e3b53817fc412e43c8de3aa3107f60a4d916cd3167341e0b5c6bbcf

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Efrsxj.lnk

          Filesize

          1KB

          MD5

          c1e1f6de88099e5bf84c94dc1164a0a7

          SHA1

          6af22c95d21cae0bc4ab3946483c484ce9d3efc0

          SHA256

          2bfe0dd679ae026fa35b5b752c34ca00c402898f3e997952fa3072eb36ba449a

          SHA512

          7bf18afe46a49b604e8c8cd47862993d312dcee6861785121f7a1b850ef9cade954b80cea6ca6523157aa53acb2408777383dc3d8fd1a4f712a39b98896d6fde

        • C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\fRyH\VERSION.dll

          Filesize

          2.0MB

          MD5

          8731d1de7b8b62e75f63918c9546f526

          SHA1

          d5ac88bb4d6f826118aeb4a377b0baf8821198a1

          SHA256

          2077dfc770226f92f14f57a8a1dd24b7e70ccfcf52f9addc3bb7364edc93b9ea

          SHA512

          24bb17cb309070827c65b4d52dcf276e7143e13e71111cce397c7c4b2c3a936a2f6abd9328fb7b2323c482ef1f7f240a2552d14fa3b40b44c849501d1944410a

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\DNTException\hpjMSAJ\UxTheme.dll

          Filesize

          3.2MB

          MD5

          96651dc9ee1fc6b648e4ec49cd8fed4c

          SHA1

          befc482e57da3b1165076969cbc957088f3fc8ae

          SHA256

          78d76173c90eac79aaabc26250f40419f84216dffb65428a31fcc30a6b1b5a1d

          SHA512

          669aade51f2478c437c52e8a018eb79508ab0f79d7997d1b148e43562c596cb655f5bf27d90c0a3617a2dde003e4403a82554154019f2ce4cf8956f2b4b90a8e

        • \Users\Admin\AppData\Local\2jZyUH\BitLockerWizardElev.exe

          Filesize

          98KB

          MD5

          73f13d791e36d3486743244f16875239

          SHA1

          ed5ec55dbc6b3bda505f0a4c699c257c90c02020

          SHA256

          2483d2f0ad481005cca081a86a07be9060bc6d4769c4570f92ad96fa325be9b8

          SHA512

          911a7b532312d50cc5e7f6a046d46ab5b322aa17ce59a40477173ea50f000a95db45f169f4ea3574e3e00ae4234b9f8363ac79329d683c14ebee1d423e6e43af

        • \Users\Admin\AppData\Local\2jZyUH\FVEWIZ.dll

          Filesize

          3.2MB

          MD5

          f55f199a48855e441c14ffbc9226c1af

          SHA1

          46afbdd481d6bd500f318bc9cb159094dde56885

          SHA256

          35cdead7a6b2f352e534808e7f960d2883497ee3096bd0606d1483b138542ef1

          SHA512

          1ec997812d92273a365fae47c65ffcc8eac66e509e723b104afbcfc9ec0ed745344f061d81f5f50ee24b1e7166ab877b238c23d14bf27047ae9b14dbdadc214a

        • \Users\Admin\AppData\Local\PFWHWG8\VERSION.dll

          Filesize

          1.2MB

          MD5

          6cd6f03144050649059edd44c5ddf317

          SHA1

          4d618d46c470d56dd896785a0e1cde2f15591b1c

          SHA256

          4e64b738c12290b6cbcf397817430861c91a84228a49b6a80d401c575cdf527f

          SHA512

          73910150335af660bbcd491d2cd4c785f523f8272e4800b6cd0ec74c21a8b99a03e05622172d9df27871cc0d58ace384334b3aec0029a19a0582ae38a3e2ba7e

        • \Users\Admin\AppData\Local\PFWHWG8\msconfig.exe

          Filesize

          293KB

          MD5

          e19d102baf266f34592f7c742fbfa886

          SHA1

          c9c9c45b7e97bb7a180064d0a1962429f015686d

          SHA256

          f3c8bb430f9c33e6caf06aaebde17b7fddcc55e8bb36cec2b9379038f1fca0b1

          SHA512

          1b9f1880dd3c26ae790b8eead641e73264f90dc7aa2645acc530aad20ad9d247db613e1725282c85bca98c4428ac255752a4f5c9b2a97f90908b7fe4167bb283

        • \Users\Admin\AppData\Local\vKXB2V1Za\UxTheme.dll

          Filesize

          50KB

          MD5

          4e4544649d2317c011ad1c2c978f2644

          SHA1

          57ccef9cbf2d088b8a5ef7cc3fdab4a3a524c8e8

          SHA256

          9276d5256acb2fc3cb22e07ec372f620ed145ece00f5f310767f0ee61966ca0a

          SHA512

          37134db0abc4585d273c1b9e84003238e3b35df799b206c0a1f2f40094c2eb808cc16b243dcb03bcc032d9d83eb757bf6fbdfb67b3e74b9007c4328f944aa83c

        • \Users\Admin\AppData\Local\vKXB2V1Za\osk.exe

          Filesize

          31KB

          MD5

          06d0bd2c078e2e114054dc291218037c

          SHA1

          118e0a2a0b22a51a32e2b77fe5f0a8a5e7649582

          SHA256

          250801b30ab992f654fee07a5acddb057e98a2c7b6b04acc9c28da4b1f613f77

          SHA512

          8c0fb37e518ca78b96a909273b64c0e976f125ee32d9ea8bedb3ad74c446b2c4b5b125c93653a3d741798b8695e48c49a235eff97ac6b7dbe1daa0b06851e230

        • memory/108-128-0x00000000000F0000-0x00000000000F7000-memory.dmp

          Filesize

          28KB

        • memory/816-7-0x0000000140000000-0x0000000140338000-memory.dmp

          Filesize

          3.2MB

        • memory/816-1-0x0000000140000000-0x0000000140338000-memory.dmp

          Filesize

          3.2MB

        • memory/816-0-0x0000000000330000-0x0000000000337000-memory.dmp

          Filesize

          28KB

        • memory/1200-41-0x0000000140000000-0x0000000140338000-memory.dmp

          Filesize

          3.2MB

        • memory/1200-50-0x0000000140000000-0x0000000140338000-memory.dmp

          Filesize

          3.2MB

        • memory/1200-27-0x0000000140000000-0x0000000140338000-memory.dmp

          Filesize

          3.2MB

        • memory/1200-26-0x0000000140000000-0x0000000140338000-memory.dmp

          Filesize

          3.2MB

        • memory/1200-25-0x0000000140000000-0x0000000140338000-memory.dmp

          Filesize

          3.2MB

        • memory/1200-24-0x0000000140000000-0x0000000140338000-memory.dmp

          Filesize

          3.2MB

        • memory/1200-23-0x0000000140000000-0x0000000140338000-memory.dmp

          Filesize

          3.2MB

        • memory/1200-22-0x0000000140000000-0x0000000140338000-memory.dmp

          Filesize

          3.2MB

        • memory/1200-19-0x0000000140000000-0x0000000140338000-memory.dmp

          Filesize

          3.2MB

        • memory/1200-18-0x0000000140000000-0x0000000140338000-memory.dmp

          Filesize

          3.2MB

        • memory/1200-17-0x0000000140000000-0x0000000140338000-memory.dmp

          Filesize

          3.2MB

        • memory/1200-31-0x0000000140000000-0x0000000140338000-memory.dmp

          Filesize

          3.2MB

        • memory/1200-30-0x0000000140000000-0x0000000140338000-memory.dmp

          Filesize

          3.2MB

        • memory/1200-35-0x0000000140000000-0x0000000140338000-memory.dmp

          Filesize

          3.2MB

        • memory/1200-36-0x0000000140000000-0x0000000140338000-memory.dmp

          Filesize

          3.2MB

        • memory/1200-34-0x0000000140000000-0x0000000140338000-memory.dmp

          Filesize

          3.2MB

        • memory/1200-33-0x0000000140000000-0x0000000140338000-memory.dmp

          Filesize

          3.2MB

        • memory/1200-32-0x0000000140000000-0x0000000140338000-memory.dmp

          Filesize

          3.2MB

        • memory/1200-29-0x0000000140000000-0x0000000140338000-memory.dmp

          Filesize

          3.2MB

        • memory/1200-28-0x0000000140000000-0x0000000140338000-memory.dmp

          Filesize

          3.2MB

        • memory/1200-39-0x0000000140000000-0x0000000140338000-memory.dmp

          Filesize

          3.2MB

        • memory/1200-40-0x0000000140000000-0x0000000140338000-memory.dmp

          Filesize

          3.2MB

        • memory/1200-38-0x0000000140000000-0x0000000140338000-memory.dmp

          Filesize

          3.2MB

        • memory/1200-37-0x0000000140000000-0x0000000140338000-memory.dmp

          Filesize

          3.2MB

        • memory/1200-21-0x0000000140000000-0x0000000140338000-memory.dmp

          Filesize

          3.2MB

        • memory/1200-42-0x0000000140000000-0x0000000140338000-memory.dmp

          Filesize

          3.2MB

        • memory/1200-44-0x0000000140000000-0x0000000140338000-memory.dmp

          Filesize

          3.2MB

        • memory/1200-45-0x0000000140000000-0x0000000140338000-memory.dmp

          Filesize

          3.2MB

        • memory/1200-43-0x0000000140000000-0x0000000140338000-memory.dmp

          Filesize

          3.2MB

        • memory/1200-46-0x0000000140000000-0x0000000140338000-memory.dmp

          Filesize

          3.2MB

        • memory/1200-47-0x0000000140000000-0x0000000140338000-memory.dmp

          Filesize

          3.2MB

        • memory/1200-48-0x0000000140000000-0x0000000140338000-memory.dmp

          Filesize

          3.2MB

        • memory/1200-49-0x0000000140000000-0x0000000140338000-memory.dmp

          Filesize

          3.2MB

        • memory/1200-20-0x0000000140000000-0x0000000140338000-memory.dmp

          Filesize

          3.2MB

        • memory/1200-52-0x0000000140000000-0x0000000140338000-memory.dmp

          Filesize

          3.2MB

        • memory/1200-51-0x0000000140000000-0x0000000140338000-memory.dmp

          Filesize

          3.2MB

        • memory/1200-53-0x0000000140000000-0x0000000140338000-memory.dmp

          Filesize

          3.2MB

        • memory/1200-54-0x0000000140000000-0x0000000140338000-memory.dmp

          Filesize

          3.2MB

        • memory/1200-56-0x0000000140000000-0x0000000140338000-memory.dmp

          Filesize

          3.2MB

        • memory/1200-55-0x0000000140000000-0x0000000140338000-memory.dmp

          Filesize

          3.2MB

        • memory/1200-58-0x0000000140000000-0x0000000140338000-memory.dmp

          Filesize

          3.2MB

        • memory/1200-57-0x0000000140000000-0x0000000140338000-memory.dmp

          Filesize

          3.2MB

        • memory/1200-60-0x0000000140000000-0x0000000140338000-memory.dmp

          Filesize

          3.2MB

        • memory/1200-59-0x0000000140000000-0x0000000140338000-memory.dmp

          Filesize

          3.2MB

        • memory/1200-61-0x0000000140000000-0x0000000140338000-memory.dmp

          Filesize

          3.2MB

        • memory/1200-62-0x0000000140000000-0x0000000140338000-memory.dmp

          Filesize

          3.2MB

        • memory/1200-64-0x0000000140000000-0x0000000140338000-memory.dmp

          Filesize

          3.2MB

        • memory/1200-63-0x0000000140000000-0x0000000140338000-memory.dmp

          Filesize

          3.2MB

        • memory/1200-65-0x0000000140000000-0x0000000140338000-memory.dmp

          Filesize

          3.2MB

        • memory/1200-67-0x00000000029C0000-0x00000000029C7000-memory.dmp

          Filesize

          28KB

        • memory/1200-75-0x0000000076E11000-0x0000000076E12000-memory.dmp

          Filesize

          4KB

        • memory/1200-76-0x0000000076F70000-0x0000000076F72000-memory.dmp

          Filesize

          8KB

        • memory/1200-12-0x0000000140000000-0x0000000140338000-memory.dmp

          Filesize

          3.2MB

        • memory/1200-13-0x0000000140000000-0x0000000140338000-memory.dmp

          Filesize

          3.2MB

        • memory/1200-14-0x0000000140000000-0x0000000140338000-memory.dmp

          Filesize

          3.2MB

        • memory/1200-16-0x0000000140000000-0x0000000140338000-memory.dmp

          Filesize

          3.2MB

        • memory/1200-15-0x0000000140000000-0x0000000140338000-memory.dmp

          Filesize

          3.2MB

        • memory/1200-8-0x0000000140000000-0x0000000140338000-memory.dmp

          Filesize

          3.2MB

        • memory/1200-9-0x0000000140000000-0x0000000140338000-memory.dmp

          Filesize

          3.2MB

        • memory/1200-10-0x0000000140000000-0x0000000140338000-memory.dmp

          Filesize

          3.2MB

        • memory/1200-96-0x0000000076C06000-0x0000000076C07000-memory.dmp

          Filesize

          4KB

        • memory/1200-4-0x0000000076C06000-0x0000000076C07000-memory.dmp

          Filesize

          4KB

        • memory/1200-5-0x00000000029F0000-0x00000000029F1000-memory.dmp

          Filesize

          4KB

        • memory/1200-11-0x0000000140000000-0x0000000140338000-memory.dmp

          Filesize

          3.2MB

        • memory/2968-104-0x0000000000110000-0x0000000000117000-memory.dmp

          Filesize

          28KB

        • memory/2984-147-0x0000000000290000-0x0000000000297000-memory.dmp

          Filesize

          28KB
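Added here as a worked example, not part of the sandbox report and not Triage's own tooling: a short Python triage script that re-derives the main findings from the Processes, Downloads and memory dump listings above. The process and file lists are constructed from the entries on this page (paths and PIDs only; sizes and hashes left out), and the dump list keeps one entry per distinct region per PID. The script pairs each system binary that ran from an AppData folder with the DLL dropped beside it (the side-loading setup behind osk.exe/UxTheme.dll, BitLockerWizardElev.exe/FVEWIZ.dll and msconfig.exe/VERSION.dll), lists the DLLs dropped where no relocated EXE was seen running, picks out the Startup-folder shortcut, and finds which PIDs hold a region with the same base and size as the 3.2MB image mapped at 0x140000000 in rundll32 (PID 816). Which process PID 1200 is the page does not say; the script reports only the region match.

```python
import re
from collections import defaultdict

# Constructed from the Processes section of the report: (PID, image path).
PROCESSES = [
    (816, r"C:\Windows\system32\rundll32.exe"),
    (1484, r"C:\Windows\system32\osk.exe"),
    (2968, r"C:\Users\Admin\AppData\Local\vKXB2V1Za\osk.exe"),
    (2944, r"C:\Windows\system32\BitLockerWizardElev.exe"),
    (108, r"C:\Users\Admin\AppData\Local\2jZyUH\BitLockerWizardElev.exe"),
    (1696, r"C:\Windows\system32\msconfig.exe"),
    (2984, r"C:\Users\Admin\AppData\Local\PFWHWG8\msconfig.exe"),
]

# Constructed from the Downloads section: paths only, sizes and hashes omitted.
# The report spells some files both with and without the drive letter.
DROPPED = [
    r"C:\Users\Admin\AppData\Local\2jZyUH\FVEWIZ.dll",
    r"C:\Users\Admin\AppData\Local\PFWHWG8\VERSION.dll",
    r"C:\Users\Admin\AppData\Local\vKXB2V1Za\UxTheme.dll",
    r"C:\Users\Admin\AppData\Local\vKXB2V1Za\osk.exe",
    r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Efrsxj.lnk",
    r"C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\fRyH\VERSION.dll",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\DNTException\hpjMSAJ\UxTheme.dll",
    r"\Users\Admin\AppData\Local\2jZyUH\BitLockerWizardElev.exe",
    r"\Users\Admin\AppData\Local\PFWHWG8\msconfig.exe",
]

# Constructed from the memory dump names: one entry per distinct region per PID.
MEMORY_DUMPS = [
    "memory/816-0-0x0000000000330000-0x0000000000337000-memory.dmp",
    "memory/816-1-0x0000000140000000-0x0000000140338000-memory.dmp",
    "memory/1200-41-0x0000000140000000-0x0000000140338000-memory.dmp",
    "memory/1200-67-0x00000000029C0000-0x00000000029C7000-memory.dmp",
    "memory/108-128-0x00000000000F0000-0x00000000000F7000-memory.dmp",
    "memory/2968-104-0x0000000000110000-0x0000000000117000-memory.dmp",
    "memory/2984-147-0x0000000000290000-0x0000000000297000-memory.dmp",
]

DUMP_RE = re.compile(r"^memory/(\d+)-\d+-0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)-memory\.dmp$")

def split_path(path):
    """Lower-cased (directory, file name). Drive-less entries get C: so both
    spellings the report uses for one file compare equal."""
    if not re.match(r"^[A-Za-z]:", path):
        path = "C:" + path
    directory, _, name = path.lower().rpartition("\\")
    return directory, name

def in_windows(directory):
    """True for C:\\Windows and anything below it."""
    return directory == "c:\\windows" or directory.startswith("c:\\windows\\")

def relocated_system_binaries(processes):
    """{directory: exe} for image names seen under C:\\Windows that also ran elsewhere."""
    system_names = {split_path(p)[1] for _, p in processes if in_windows(split_path(p)[0])}
    return {d: n for d, n in map(split_path, (p for _, p in processes))
            if n in system_names and not in_windows(d)}

def sideload_candidates(processes, dropped):
    """Pair each relocated system binary with the DLLs dropped beside it: a signed
    EXE next to a same-named-as-Windows DLL in a user-writable folder is the
    DLL search-order hijack (side-loading) setup."""
    dlls = defaultdict(set)
    for d, n in map(split_path, dropped):
        if n.endswith(".dll"):
            dlls[d].add(n)
    return {d: (exe, sorted(dlls[d]))
            for d, exe in relocated_system_binaries(processes).items()}

def orphan_dlls(processes, dropped):
    """Dropped DLLs in folders where no relocated system binary was seen running;
    whatever loads them is not visible in the process list."""
    hosts = relocated_system_binaries(processes)
    return sorted(d + "\\" + n for d, n in map(split_path, dropped)
                  if n.endswith(".dll") and d not in hosts)

def startup_items(dropped):
    """Shortcuts written to a Startup folder (run-at-logon persistence)."""
    return [d + "\\" + n for d, n in map(split_path, dropped)
            if d.endswith("\\startup") and n.endswith(".lnk")]

def regions_by_pid(dumps):
    """PID -> {(base, size)} parsed from the dump file names."""
    out = defaultdict(set)
    for name in dumps:
        m = DUMP_RE.match(name)
        if not m:
            raise ValueError(f"unexpected dump name: {name}")
        pid, start, end = int(m.group(1)), int(m.group(2), 16), int(m.group(3), 16)
        out[pid].add((start, end - start))
    return out

def pids_sharing_image(dumps, loader_pid):
    """PIDs other than loader_pid holding a region with exactly the base and size
    of the loader's largest region, i.e. the same image mapped in another process."""
    regions = regions_by_pid(dumps)
    base, size = max(regions[loader_pid], key=lambda r: r[1])
    return sorted(pid for pid, rs in regions.items()
                  if pid != loader_pid and (base, size) in rs)

if __name__ == "__main__":
    print("side-load candidates:", sideload_candidates(PROCESSES, DROPPED))
    print("orphan DLLs:", orphan_dlls(PROCESSES, DROPPED))
    print("startup items:", startup_items(DROPPED))
    print("PIDs sharing rundll32's image region:", pids_sharing_image(MEMORY_DUMPS, 816))
```

Run as a script it prints the four findings. The region match is the one to chase first: a process that does not appear in the process list but holds a 3.2MB region at the loader's image base is the injected-payload footprint, and the two Roaming DLLs with no EXE beside them are the persistence side of the same setup, which the Run key and Task Scheduler signatures above point at.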