Analysis

  • max time kernel
    150s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    29-12-2023 22:02

General

  • Target

    0512aedf039191c7a60c97cd87a5d490.dll

  • Size

    1.9MB

  • MD5

    0512aedf039191c7a60c97cd87a5d490

  • SHA1

    f5ffb6e18f6e8c2b06d040509d4542f13fdfa459

  • SHA256

    d168ef7be6e3b73f63a62c817c0d87e4dd84cbe577454da94b7cc8bf8ff55879

  • SHA512

    71b20bfb893dc6013c4d790b19dd92815a33b269ae2125ac7afaccf2821a196c843ee41696d978d2b1ef2789fa789c52d1829dcefa23e9cdbc02cbb973dfe6a3

  • SSDEEP

    12288:YVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:NfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Malware Config

Signatures

  • Dridex

    Dridex (known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\0512aedf039191c7a60c97cd87a5d490.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2168
  • C:\Windows\system32\calc.exe
    C:\Windows\system32\calc.exe
    1⤵
      PID:2584
    • C:\Users\Admin\AppData\Local\3wl\calc.exe
      C:\Users\Admin\AppData\Local\3wl\calc.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2600
    • C:\Windows\system32\DWWIN.EXE
      C:\Windows\system32\DWWIN.EXE
      1⤵
        PID:2892
      • C:\Users\Admin\AppData\Local\NoXU\DWWIN.EXE
        C:\Users\Admin\AppData\Local\NoXU\DWWIN.EXE
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2944
      • C:\Windows\system32\spreview.exe
        C:\Windows\system32\spreview.exe
        1⤵
          PID:1260
        • C:\Users\Admin\AppData\Local\8z76P5X4b\spreview.exe
          C:\Users\Admin\AppData\Local\8z76P5X4b\spreview.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1364

        Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\3wl\WINMM.dll

          Filesize

          8KB

          MD5

          8654cf4216544007779f89a886d42569

          SHA1

          c8470dd2db8dfc3b637a54229688026bdcc6351b

          SHA256

          68b958103987753014a8a795a37231245d6b52191ee48d87aef0392674ecda23

          SHA512

          068d224d759138e0c1922e2e90f29a73e6ad2d69204781a7a87f50305abde80287343ea62f851ee15804fb803b8fd98a9dcac62778d68f128b8c61f2e9bf9ba5

        • C:\Users\Admin\AppData\Local\3wl\calc.exe

          Filesize

          32KB

          MD5

          8be359cd66021a9ab74a5307febb3d02

          SHA1

          f9439922b985f6ab1b702d8be46135d8cdc36c39

          SHA256

          124e583d8e6ff0e066447d6129a4c200b27b6dca59c48b7e2aab3b273d6cba8f

          SHA512

          9e67af19009f0445cfbeaa1889eecf9464c1c1ad740add7bb227734671bf5756313053247595e0ff82549fdec623d3c82543f6ee25113b583f97dc6caedb1351

        • C:\Users\Admin\AppData\Local\3wl\calc.exe

          Filesize

          201KB

          MD5

          294385625197223728c6a6f7532240ff

          SHA1

          0ced12e7347d39187bef138e3deb49eaa7de1b51

          SHA256

          5bab01744e82f681beb02b83ae2dd5b620682c9ab7d2e2950683216d8808be34

          SHA512

          3272723052536662664258eefafc8f0f26a2099532c1879d5d284463855b1cf7df1c69a740a21d66c9a2608cecbc53dcbaab99f40098277725215130914bf45c

        • C:\Users\Admin\AppData\Local\8z76P5X4b\spreview.exe

          Filesize

          100KB

          MD5

          060aff2d94d9fed857d2324a8d5328cc

          SHA1

          2618a88285b4bd88b7c5d930908121f1ef9c3577

          SHA256

          bcee680f17d43d45728bb178c5b7535a683731dec99b34171f0bc3cb3c54f5a1

          SHA512

          4c349da0836115120c5a4bfa4373bc1992472c57a4abeaa46ed0ebabb3f08005149a76e8daeecdde7de29355b4a934549e5bb7b132aadd6eb26e19fc731580bc

        • C:\Users\Admin\AppData\Local\8z76P5X4b\sqmapi.dll

          Filesize

          172KB

          MD5

          3d669d1adf501966262fa3626ed7f4a3

          SHA1

          8a45b6f04fba8eb0075fbaee5f5ddc5b376fc158

          SHA256

          bd6d19b8a7ed037c37940369b612d30bcae7665951e9bff11d2326bbe93b6239

          SHA512

          454f5b8d1d37a3f86c2f99da4e338a998001ad50c36ae362b2ef305d00bd6d7bbbe70def9bfafd9396c9aba9f3746f2e4041dfba5926af2d9e7d85c73d7118d3

        • C:\Users\Admin\AppData\Local\NoXU\DWWIN.EXE

          Filesize

          134KB

          MD5

          08fb65553ecae21bd94a85fc88ae1b73

          SHA1

          5932b5b3912cc0962534496f2af9ed53b5968592

          SHA256

          cd186bffdd47ff17624da70131f68385fd1e3aa79cea67f7fabdba62599a6411

          SHA512

          8dfebef4306c6e56c9cf6957b415cdb51999b7297f52591b6d8cd59a241bfd1a50c5f953192e5a7bece9f68b0878ff09bd00f0273d95ec7b5a564b5361df70fc

        • C:\Users\Admin\AppData\Local\NoXU\VERSION.dll

          Filesize

          249KB

          MD5

          00c949b1d89379876d8d6d68cdecb511

          SHA1

          d1f9177960ed3927825d5f609d6545b152b865b7

          SHA256

          8f74ba69a9564c67c1ee4f0398d8b129d0ea7dad27955b536f135e69a48d32c5

          SHA512

          e1192708d12eb6742c471285c09c55b295d0cf2a6353ab05dd98603abb8049e1e11d008bbfef637b329d1feaa675fb786083098095ed1a5bf74f181acf731bfc

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Zrkibbhbsqvuoso.lnk

          Filesize

          1KB

          MD5

          7b1397720ad81632d9bdfe543a913a57

          SHA1

          73d1aa1ebb23dd23c9e148dd79047d9a9c1f4ee1

          SHA256

          5cdf6705c29f1c94a976b15635ecfc52fccb025c5b49a91bd7a495bd65dd1d80

          SHA512

          7979acefe6757c216f92f8bf8d56f3f625f52642d7a3fa4881d7ff10fec8c5bc9c766e5b59604c607e4c054eec9933abfdbfce9836d508063e94c0cb3b3d825c

        • C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\rN1br3gMa36\WINMM.dll

          Filesize

          495KB

          MD5

          b3df8bdd9ecd09e0a69df46d46782b36

          SHA1

          cd20a3fa55e33fb8b67022f2ecd12cae7ef77eed

          SHA256

          0c349fe17caf4c8021a4571532619e3741ccca49660ae7e7ded3fb92c7892cd0

          SHA512

          b0dd6dccc5e41e368b9873fd80e485d3a88b3c1495cddb45a961107a43150b4d793572313eaed7ce23da42e5ff45494cb936d72325e4383fdc5af9509897e078

        • C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\iO3QYVHA\spreview.exe

          Filesize

          142KB

          MD5

          c4708c48fbca2b94f19759aa67adbe42

          SHA1

          efd62b851ae3ab2f72c0ce8eec61f580d648f542

          SHA256

          aef0cc4508cc6f3e62fda1dce7d7cd00e47b8186985d0c23b0d59ba27c93176e

          SHA512

          088f3a11d2e862fbd5459c3e8366611c774a2dd627d33359ecb29d046ff1f11bae75f8b80e1ab3ed0252de8728274f9954c474d2e46550d11424b63a4981587b

        • C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\iO3QYVHA\sqmapi.dll

          Filesize

          1.9MB

          MD5

          a199c45fa7d67f0dbbd569748536beb6

          SHA1

          23a730b8f04989bab2fc817d58d3f6d82c371112

          SHA256

          4c39b54751668e412ced8abe00bd5b39f6869fc5e8f0379b1a597935d5711f09

          SHA512

          fabff48b19ad2b93db766324fc0d2a27866e536ffcc41eb6e4b4f287b87f4a79f27524cd350424d3adff4059431966a56ec7e065eab067fd50c51d5a860224d2

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\R5KmR\VERSION.dll

          Filesize

          1.5MB

          MD5

          152a098fb248a7a78cfad9791c6053b0

          SHA1

          ba84bc3a98fef3ba2d51eb22ae86c8c693710a61

          SHA256

          4ed67f4d290ac4cc5dc09c900306fe32cf9b6326a7111ccacf6e11611422923e

          SHA512

          8f7914b473ecd2c6b22c7a03fa37cb318c4e2a7cb0e04d2d9dff9d48abe028c57de3abc1e8ee1e9fc78e0d6309bb7dc3fe74942e6e349576faca386b1d5d283e

        • \Users\Admin\AppData\Local\3wl\WINMM.dll

          Filesize

          64KB

          MD5

          7865ef64ac46aff236f9dc5d96e082de

          SHA1

          d5f9eb72af3205e6818e2529e67313b5e6351714

          SHA256

          6b638407e522feb643775978de2bfbaa6549b344dd8a72e615805cc3c970313d

          SHA512

          e83c7eea6e05f6344cb1411bb465e9fa8c339ec368fc05ad88f6459a5064cf15ee2dd3a1ad1d405adb8e59b30681e18c98ac66e2550e516ac6a2b09507e48112

        • \Users\Admin\AppData\Local\3wl\calc.exe

          Filesize

          1KB

          MD5

          e81caf1ca745db496798c904b8c43e63

          SHA1

          6536b8ee06e8de6dfe804b6d9bc331564bd87aed

          SHA256

          54ccc60ff473be99f852485ea18a224aa97cd71de4b3c978f7e1cbfc838d634d

          SHA512

          84f6e6a10acba9aca5266529751a523beaa6da8dc080926e908b6df3e12fabbc9abc414e81b89e44d9e4e3cdf20eca8d9e045a0bd22d15df6cb81d95a41b87b3

        • \Users\Admin\AppData\Local\8z76P5X4b\spreview.exe

          Filesize

          88KB

          MD5

          b3218a80063ea9b84cc8a887f2574588

          SHA1

          21a76a7ef9d239f96d39f9871203a882be7970af

          SHA256

          25837691bc812d6626f2c396f49ffbf189887273c412653ba2f141650673d5df

          SHA512

          e22da4b8b412e9da708823c85b7f70edb942188f5355ec90f77470f2892f12153b49057d427a97a63bce74c095defd2c467dff21040395cbf877baffb04668c3

        • \Users\Admin\AppData\Local\8z76P5X4b\sqmapi.dll

          Filesize

          93KB

          MD5

          19148e3efa7d03bff9ea61c190bd58ed

          SHA1

          3a0cbe868e7c9bd7c38b9b9b966365880a30de25

          SHA256

          5d7ff004e04df56323c79aa66be0cec54f519fbaef9b7245f42b8eaf20fda53c

          SHA512

          58687563c2788c190a6d182aaf9d007ab26c834b36c94fc5be405bc2d1783888da0826c436b48432efe313c1ca408c4db4fc9194dfaa204aefe06a41600f9bc7

        • \Users\Admin\AppData\Local\NoXU\DWWIN.EXE

          Filesize

          149KB

          MD5

          25247e3c4e7a7a73baeea6c0008952b1

          SHA1

          8087adb7a71a696139ddc5c5abc1a84f817ab688

          SHA256

          c740497a7e58f7678e25b68b03573b4136a364464ee97c02ce5e0fe00cec7050

          SHA512

          bc27946894e7775f772ac882740430c8b9d3f37a573e2524207f7bb32f44d4a227cb1e9a555e118d68af7f1e129abd2ac5cabbcd8bbf3551c485bae05108324b

        • \Users\Admin\AppData\Local\NoXU\VERSION.dll

          Filesize

          265KB

          MD5

          b358b6b76f40f3779fb31565bcb7edb6

          SHA1

          ca0b271c6c13f97c9cb3f401d147f1cc37d131dc

          SHA256

          b4ad5251329104a99195779d9f82a8019da57e565d1a4c226e190f04df5e8ad5

          SHA512

          551e4c236db0a406d4429cb747fa1f234cb07856e5adedc11c71a27389257fb6614515c394ff8fb8d4cdea6e9f648d800cd0478aae7ee8138c4d63392ffd4651

        • \Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\iO3QYVHA\spreview.exe

          Filesize

          173KB

          MD5

          6cd189936a8b983efd0dbee0dd768d38

          SHA1

          98069ebd4468441b13d0a5c22ae119aa0c1d8dea

          SHA256

          61d2d1945a8a825575cebe02b00ceece2cc66fc3a03b76ba40d71ecb0e8441fe

          SHA512

          5a35210c821f58c359c37a1c95a809a54546379d45ccb5f9d2853d3b03b5597b9a2a67074c1a2dc62a3e03b07190f237b858a43da8dc62b7272404b9d760357c

        • memory/1252-55-0x0000000140000000-0x00000001401F1000-memory.dmp

          Filesize

          1.9MB

        • memory/1252-18-0x0000000140000000-0x00000001401F1000-memory.dmp

          Filesize

          1.9MB

        • memory/1252-28-0x0000000140000000-0x00000001401F1000-memory.dmp

          Filesize

          1.9MB

        • memory/1252-26-0x0000000140000000-0x00000001401F1000-memory.dmp

          Filesize

          1.9MB

        • memory/1252-29-0x0000000140000000-0x00000001401F1000-memory.dmp

          Filesize

          1.9MB

        • memory/1252-30-0x0000000140000000-0x00000001401F1000-memory.dmp

          Filesize

          1.9MB

        • memory/1252-32-0x00000000024B0000-0x00000000024B7000-memory.dmp

          Filesize

          28KB

        • memory/1252-31-0x0000000140000000-0x00000001401F1000-memory.dmp

          Filesize

          1.9MB

        • memory/1252-39-0x0000000140000000-0x00000001401F1000-memory.dmp

          Filesize

          1.9MB

        • memory/1252-41-0x0000000077A30000-0x0000000077A32000-memory.dmp

          Filesize

          8KB

        • memory/1252-40-0x00000000778D1000-0x00000000778D2000-memory.dmp

          Filesize

          4KB

        • memory/1252-50-0x0000000140000000-0x00000001401F1000-memory.dmp

          Filesize

          1.9MB

        • memory/1252-56-0x0000000140000000-0x00000001401F1000-memory.dmp

          Filesize

          1.9MB

        • memory/1252-4-0x00000000776C6000-0x00000000776C7000-memory.dmp

          Filesize

          4KB

        • memory/1252-60-0x0000000140000000-0x00000001401F1000-memory.dmp

          Filesize

          1.9MB

        • memory/1252-24-0x0000000140000000-0x00000001401F1000-memory.dmp

          Filesize

          1.9MB

        • memory/1252-25-0x0000000140000000-0x00000001401F1000-memory.dmp

          Filesize

          1.9MB

        • memory/1252-23-0x0000000140000000-0x00000001401F1000-memory.dmp

          Filesize

          1.9MB

        • memory/1252-22-0x0000000140000000-0x00000001401F1000-memory.dmp

          Filesize

          1.9MB

        • memory/1252-5-0x00000000024D0000-0x00000000024D1000-memory.dmp

          Filesize

          4KB

        • memory/1252-8-0x0000000140000000-0x00000001401F1000-memory.dmp

          Filesize

          1.9MB

        • memory/1252-9-0x0000000140000000-0x00000001401F1000-memory.dmp

          Filesize

          1.9MB

        • memory/1252-11-0x0000000140000000-0x00000001401F1000-memory.dmp

          Filesize

          1.9MB

        • memory/1252-10-0x0000000140000000-0x00000001401F1000-memory.dmp

          Filesize

          1.9MB

        • memory/1252-13-0x0000000140000000-0x00000001401F1000-memory.dmp

          Filesize

          1.9MB

        • memory/1252-21-0x0000000140000000-0x00000001401F1000-memory.dmp

          Filesize

          1.9MB

        • memory/1252-85-0x00000000776C6000-0x00000000776C7000-memory.dmp

          Filesize

          4KB

        • memory/1252-19-0x0000000140000000-0x00000001401F1000-memory.dmp

          Filesize

          1.9MB

        • memory/1252-20-0x0000000140000000-0x00000001401F1000-memory.dmp

          Filesize

          1.9MB

        • memory/1252-12-0x0000000140000000-0x00000001401F1000-memory.dmp

          Filesize

          1.9MB

        • memory/1252-16-0x0000000140000000-0x00000001401F1000-memory.dmp

          Filesize

          1.9MB

        • memory/1252-17-0x0000000140000000-0x00000001401F1000-memory.dmp

          Filesize

          1.9MB

        • memory/1252-14-0x0000000140000000-0x00000001401F1000-memory.dmp

          Filesize

          1.9MB

        • memory/1252-15-0x0000000140000000-0x00000001401F1000-memory.dmp

          Filesize

          1.9MB

        • memory/1252-27-0x0000000140000000-0x00000001401F1000-memory.dmp

          Filesize

          1.9MB

        • memory/1364-113-0x0000000000280000-0x0000000000287000-memory.dmp

          Filesize

          28KB

        • memory/1364-118-0x0000000140000000-0x00000001401F2000-memory.dmp

          Filesize

          1.9MB

        • memory/2168-7-0x0000000140000000-0x00000001401F1000-memory.dmp

          Filesize

          1.9MB

        • memory/2168-0-0x0000000000240000-0x0000000000247000-memory.dmp

          Filesize

          28KB

        • memory/2168-1-0x0000000140000000-0x00000001401F1000-memory.dmp

          Filesize

          1.9MB

        • memory/2600-68-0x0000000000190000-0x0000000000197000-memory.dmp

          Filesize

          28KB

        • memory/2600-73-0x0000000140000000-0x00000001401F3000-memory.dmp

          Filesize

          1.9MB

        • memory/2600-69-0x0000000140000000-0x00000001401F3000-memory.dmp

          Filesize

          1.9MB

        • memory/2944-93-0x00000000001F0000-0x00000000001F7000-memory.dmp

          Filesize

          28KB

        • memory/2944-98-0x0000000140000000-0x00000001401F2000-memory.dmp

          Filesize

          1.9MB

        • memory/2944-94-0x0000000140000000-0x00000001401F2000-memory.dmp

          Filesize

          1.9MB