Analysis

  • max time kernel
    14s
  • max time network
    29s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags
    arch:x64 arch:x86 image:win7-20231215-en locale:en-us os:windows7-x64 system
  • submitted
    29-12-2023 22:49

General

  • Target

    06194ae42efb4403b501d255e4ee8a4e.dll

  • Size

    2.9MB

  • MD5

    06194ae42efb4403b501d255e4ee8a4e

  • SHA1

    865df6831aee519d1619f07d5bfe5474fd5d5d26

  • SHA256

    3c710eec70ecf93ecdf44c999dafdab9edc3552a0c7a546116441691499be7b7

  • SHA512

    299da5d167d66a68f2ae5bbdf7bc64921840aa1a1a7bcbb9226bb8863fb8ba05ac383589eb6275e107c89ee5c130bef616f85fb2c1c28fb06aeb5efc915d6cf3

  • SSDEEP

    12288:hVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:QfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex payload shellcode injected into the Explorer process.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\06194ae42efb4403b501d255e4ee8a4e.dll,#1
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2216
  • C:\Windows\system32\SystemPropertiesRemote.exe
    C:\Windows\system32\SystemPropertiesRemote.exe
    PID:2960
  • C:\Users\Admin\AppData\Local\nVENOP6\SystemPropertiesRemote.exe
    C:\Users\Admin\AppData\Local\nVENOP6\SystemPropertiesRemote.exe
    PID:2928
  • C:\Windows\system32\mblctr.exe
    C:\Windows\system32\mblctr.exe
    PID:1212
  • C:\Users\Admin\AppData\Local\HsHEoIOt\mblctr.exe
    C:\Users\Admin\AppData\Local\HsHEoIOt\mblctr.exe
    PID:2032
  • C:\Windows\system32\spreview.exe
    C:\Windows\system32\spreview.exe
    PID:2640
  • C:\Users\Admin\AppData\Local\cVcIHm\spreview.exe
    C:\Users\Admin\AppData\Local\cVcIHm\spreview.exe
    PID:320

Network

MITRE ATT&CK Enterprise v15


Downloads

              • C:\Users\Admin\AppData\Local\HsHEoIOt\WINMM.dll

                Filesize

                11KB

                MD5

                d63f012429a572ecf304be3128fa48b2

                SHA1

                240d51bd1afae65286c155417b7b8c66d5339e9e

                SHA256

                1c2fbc2a0378965adc0822534561fee6a56df0ef6cfefa1ce8d3f0b956b23af7

                SHA512

                691d098f2d9495b2317bdc6839847ff565799cce6a2271411624b8ff80a0a18c0b24f9596e7bb641dd6b0387a94ad67e85e58d8d16db7139a8968c7ae5a67a89

              • C:\Users\Admin\AppData\Local\HsHEoIOt\mblctr.exe

                Filesize

                9KB

                MD5

                e2405f02b089b396abcf8e4a934ae6ce

                SHA1

                bf373f04d83ae82b62242ca914572eb773de820f

                SHA256

                9aa8525c8a80710480b0a0e4c84ed423451810dda879da6142da3463f974ec9d

                SHA512

                938bda52d28d2eacd482a8a7617d36261ca9e7e134811128c2fbb79becff662c62569c86fa80d81895c1b45984d2ff5db3cdd0f5f39f55f768d69db7b4b9bb93

              • C:\Users\Admin\AppData\Local\HsHEoIOt\mblctr.exe

                Filesize

                2KB

                MD5

                d23dbdf459b919b2f57f4bc65f5a2f2a

                SHA1

                a2ddb5b1119f9bc4e30cf3658fac6605203b7ade

                SHA256

                49b3c27489c93c9e8d68a872a3a9da30544ebeda83e858176b8e6956830d4acc

                SHA512

                02bd54f19b2bbeeb4cdf9dfded07d570f27bd7580f60351adb824f64fa39067efcecf4a84142b133c20d0d4e5437c38435f28e56576348df5d49211594be9bca

              • C:\Users\Admin\AppData\Local\cVcIHm\spreview.exe

                Filesize

                17KB

                MD5

                6cec599d3319d3c9aa062708de3ea645

                SHA1

                bd3eb26e40692424d28b65c5754fe8f1f442361a

                SHA256

                7f6f6baed15e7f1a8e07cce3166efe95b1422595a66a17a21504da7dceecf4f2

                SHA512

                2f0b3723266c717a351b2e59e8e6ce2bdebe09657919b5914079ab72515b483d4ee8522a75b02a4a7ef9b3b1523f7a95367224cdb5ca3cd8778a95a0a11e374e

              • C:\Users\Admin\AppData\Local\cVcIHm\spreview.exe

                Filesize

                7KB

                MD5

                36a3ac541f4aa4215dc06b61f8110ddd

                SHA1

                a881dcf2cde16fd9e703a19b90172fb1b704bb59

                SHA256

                c2348c600af4a907b4b65a121a8f5a1852f4d0f1b5478227836fab85c24d318c

                SHA512

                b86e2325d10bfd5e553abffc77ea202aa83fc771da86a424c89bf244d248ac8fc42a9f12f4ce3828af533ec4ebd16fb728ceb6f3be11cbfb82abdd030e129fbf

              • C:\Users\Admin\AppData\Local\cVcIHm\sqmapi.dll

                Filesize

                47KB

                MD5

                620b7f54d33545822801e7fbd907d257

                SHA1

                9b668ab07c43e381fbe721de9388df729a587732

                SHA256

                d9d8908a829e27a644ff8848db5679e875acd46bf5935d7be13622f157c8da6b

                SHA512

                d75d45e20b32169dff0bfff5077dd6a6be7b82619ec055492d87f0f40dfcccea665744511e119f4d93a84d832921db45fc90b4f56e171ee8683acd434d24bad2

              • C:\Users\Admin\AppData\Local\nVENOP6\SYSDM.CPL

                Filesize

                18KB

                MD5

                9b350d7503908265a154b47a86345b07

                SHA1

                1d2284776d1e6012f4fcc29f158ff7ff1070110a

                SHA256

                b263cda02f09f8697d35b40c5e57b2a37982739c7f895ba067c15c9d492be300

                SHA512

                35e86331f51f8b7d46acee13a2803bd62a705cc5202620906e265b34a120ed159f475ce5384bdb2310ce2bf3739268243dcc926278a0f201b12e70a35d1f9c1b

              • C:\Users\Admin\AppData\Local\nVENOP6\SystemPropertiesRemote.exe

                Filesize

                38KB

                MD5

                6d1fa6ea29440c4bdbd46221a3a44f2c

                SHA1

                20e3b306b37639ee19d1768bad0532789be03f95

                SHA256

                345f5285ca213160f522c3fe056e123bbc9443bf49641df8e7d841f999cd9bff

                SHA512

                7f7a656dfb73b5bd83ed54536a5fb1127e54b974698c4f21dae63b5a1ba92a6b20c6d03370c21f2cf970e3de8adb9a1193586af0e1165f39b8e61df964da6517

              • C:\Users\Admin\AppData\Local\nVENOP6\SystemPropertiesRemote.exe

                Filesize

                40KB

                MD5

                c0a3f16a87082bc6c206b9c672291c51

                SHA1

                c39a6960fc55efa770f65b7ddd2b87e1f15144b7

                SHA256

                c73b1d233b97cc85ddda8e9dcaf59caf343b88c95821fbd6fd09b37d1f6092d2

                SHA512

                7ff97c023b6f0bc229c098efb6fb3020a126b9fcb3b89896ec8fd00000cb7016a08ed879da08141ce6abc812cb490b139b2a835cbd6f135769fa6216331d85d7

              • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ekhyqsv.lnk

                Filesize

                1KB

                MD5

                950bc70858795a7415c82993942da0f5

                SHA1

                730c31588c6c4e11607a449cdbce07bfb0d3a58c

                SHA256

                6c65e58f55ac8ead5a9ba150c389299bb71bf6333386bf32dd597d33e304ebb0

                SHA512

                0792381cef6e7ecd38972351a4b9b1ac50220c4771c509d8913171e9d41d32fb72ef2e48ac25b02462995243d2013aaedf306679e6d9245fd862a23211d777ea

              • C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\2q1cwLw7\SYSDM.CPL

                MD5

                d41d8cd98f00b204e9800998ecf8427e

                SHA1

                da39a3ee5e6b4b0d3255bfef95601890afd80709

                SHA256

                e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                SHA512

                cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

              • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\DNTException\Low\y2x8\WINMM.dll

                Filesize

                45KB

                MD5

                9de9c1d4c3e3e7c69c0e4ee671f9571b

                SHA1

                a02a21b15139ef773542cc7c1f873fdaa3fcb969

                SHA256

                dea2f77c3f5cdb542da97e91c786ca1cf9176da5aacab4314797dfcb9daf7417

                SHA512

                35aaf88bb06a62cd5ae5732f87a1425f870270318bf819217508e02b30d809a959b7e7988ccecdd88865c3331cc9a88d8803581f2567f999bf0c69e33e2b50bd

              • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\DNTException\NbrratlK8d0\sqmapi.dll

                Filesize

                92KB

                MD5

                42c6271b1037471ac8ded3d43045e3c9

                SHA1

                cf977c241f4359ad28a932ec544c2c8350260ec4

                SHA256

                6ac80942a610a7eb6b24618702c05380dfed7bdcaec8852da9fc148c1de19b41

                SHA512

                bb5799eb06264d59a01a93e11879e7cb143e7241aa30f8baa989e881fd20be2b7532ca21b147e076077e86e46b41c4672022268fc7e20416cb8c1df9ee417d1d

              • \Users\Admin\AppData\Local\HsHEoIOt\WINMM.dll

                Filesize

                6KB

                MD5

                3c9449697bdf87d8ba458d18602c33e7

                SHA1

                bc97a1843028b508ef98d07e99bbf2c54e83e3f6

                SHA256

                46074f83fc78e7f921a911f2b8a3e174a59ed9737dbc6466fb42372faf8cd61b

                SHA512

                1465e4eb504bbb7db0a704d1c4ebf939153591e76875993e3f14250168fb9501aaa1f52b5ab9628130ca59b382063356d829ae9aef8454acefe04b0ed7024b44

              • \Users\Admin\AppData\Local\HsHEoIOt\mblctr.exe

                Filesize

                19KB

                MD5

                122ad10f0ac43029d94373388acaa6ae

                SHA1

                2da9c6e57a73979292863e546c285a56d18999cc

                SHA256

                5389fee1c97cd9338b953e42c7e532025ff85860cdb75ab3753fbc2903cb0528

                SHA512

                244301dd553fd1c014d67d4724d9e845c8cda2fec26a267786c0118d53ad531e4c9ca83af67bde6c367a2a8672162cace91b77917953d3bf7a8aeb0cbeb203b4

              • \Users\Admin\AppData\Local\cVcIHm\spreview.exe

                Filesize

                21KB

                MD5

                a80eaf6005b3b2e5bb482459d5a7ad93

                SHA1

                c25169efc10c0e866689f96b3493e65cb019e681

                SHA256

                84e23a78ec26922b0d509be66ab8969ebc267d9ed2d8f0d5ad82480e388b54f4

                SHA512

                2a82b4e0efeac04350714f6d0148b53efb6dbbc70971b2f42ac29c5f9c4be467c5a4201bac08e1ef9bbcd3bb19501333561de15c10fe4c82b1e608ad954c02b7

              • \Users\Admin\AppData\Local\cVcIHm\sqmapi.dll

                Filesize

                23KB

                MD5

                8175040c62a7688ddb35ef888ff0c469

                SHA1

                b4698e7733d12b21df5ca04c3aa6db20923e7381

                SHA256

                b4ea29d81135db7891a8e5f9da9a2a07f72272fea3dc8e5284d25fc2f825fd17

                SHA512

                2f5b528cbd033bcc36dd1ce644e524505beed13c87563882eb7723eede8fe9cc4c5c4da8c3c25eec62dbbb42fe9990eb71c525ece351ef1d0a0df32d5422c04a

              • \Users\Admin\AppData\Local\nVENOP6\SYSDM.CPL

                Filesize

                18KB

                MD5

                ceff312d77ba782d8e2797573c994c2a

                SHA1

                625081b6a87cf683c98fac4d028d0e5e74c4a81d

                SHA256

                45d936c1cb11c236f8b8987f676ff0a70c328620285b1aba9dbfd4248fe2483b

                SHA512

                566cc2a39fced1ef25277c42c5927cdacd48cffc3e56b480b8721b2f617396dab81ab1603823e0d62a5f0ef8f4e5d3ce938e220abe24ce7a72cf0b236058bf5e

              • \Users\Admin\AppData\Local\nVENOP6\SystemPropertiesRemote.exe

                Filesize

                16KB

                MD5

                03e3076ddc7cd2192d08d8afb6404114

                SHA1

                0d1229e4298b1050028bd0f06bdee3fca23e9c27

                SHA256

                27d95401d42bf8988a2e84b7fe18efa4fe635a5ab293f42fe965dfb2bca70ebb

                SHA512

                cc2e6c7e81f9ed125feb32365665ed11357dc7a0902dfa9852081d9051a63dd0849cfffe483fd66a9f041be1daeea1933738c5fd832256860da0dcbf6344678e

              • \Users\Admin\AppData\Roaming\Microsoft\Windows\DNTException\NbrratlK8d0\spreview.exe

                Filesize

                24KB

                MD5

                eaa499deb3bec72b3d51fb149ffb9310

                SHA1

                54f4b0cd85ade3de0b917a91612bc4eb99a24d76

                SHA256

                d77d63dd7dff52d1196b70156e081d2f878a523409d4535d91343397a4cc67e4

                SHA512

                9b98705591a82cd66d35634508b086dc243bb68556a15c681277cb98b005213f3606ea72dddf715c44cf518f6b6db0f28e781805fc23795005fa91a0087bb326

              • memory/320-148-0x0000000000380000-0x0000000000387000-memory.dmp

                Filesize

                28KB

              • memory/1220-38-0x0000000140000000-0x00000001402E0000-memory.dmp

                Filesize

                2.9MB

              • memory/1220-27-0x0000000140000000-0x00000001402E0000-memory.dmp

                Filesize

                2.9MB

              • memory/1220-61-0x0000000140000000-0x00000001402E0000-memory.dmp

                Filesize

                2.9MB

              • memory/1220-64-0x0000000140000000-0x00000001402E0000-memory.dmp

                Filesize

                2.9MB

              • memory/1220-65-0x0000000140000000-0x00000001402E0000-memory.dmp

                Filesize

                2.9MB

              • memory/1220-63-0x0000000140000000-0x00000001402E0000-memory.dmp

                Filesize

                2.9MB

              • memory/1220-70-0x00000000029E0000-0x00000000029E7000-memory.dmp

                Filesize

                28KB

              • memory/1220-62-0x0000000140000000-0x00000001402E0000-memory.dmp

                Filesize

                2.9MB

              • memory/1220-60-0x0000000140000000-0x00000001402E0000-memory.dmp

                Filesize

                2.9MB

              • memory/1220-78-0x0000000077581000-0x0000000077582000-memory.dmp

                Filesize

                4KB

              • memory/1220-79-0x00000000776E0000-0x00000000776E2000-memory.dmp

                Filesize

                8KB

              • memory/1220-59-0x0000000140000000-0x00000001402E0000-memory.dmp

                Filesize

                2.9MB

              • memory/1220-57-0x0000000140000000-0x00000001402E0000-memory.dmp

                Filesize

                2.9MB

              • memory/1220-55-0x0000000140000000-0x00000001402E0000-memory.dmp

                Filesize

                2.9MB

              • memory/1220-54-0x0000000140000000-0x00000001402E0000-memory.dmp

                Filesize

                2.9MB

              • memory/1220-53-0x0000000140000000-0x00000001402E0000-memory.dmp

                Filesize

                2.9MB

              • memory/1220-51-0x0000000140000000-0x00000001402E0000-memory.dmp

                Filesize

                2.9MB

              • memory/1220-49-0x0000000140000000-0x00000001402E0000-memory.dmp

                Filesize

                2.9MB

              • memory/1220-46-0x0000000140000000-0x00000001402E0000-memory.dmp

                Filesize

                2.9MB

              • memory/1220-44-0x0000000140000000-0x00000001402E0000-memory.dmp

                Filesize

                2.9MB

              • memory/1220-42-0x0000000140000000-0x00000001402E0000-memory.dmp

                Filesize

                2.9MB

              • memory/1220-41-0x0000000140000000-0x00000001402E0000-memory.dmp

                Filesize

                2.9MB

              • memory/1220-39-0x0000000140000000-0x00000001402E0000-memory.dmp

                Filesize

                2.9MB

              • memory/1220-56-0x0000000140000000-0x00000001402E0000-memory.dmp

                Filesize

                2.9MB

              • memory/1220-36-0x0000000140000000-0x00000001402E0000-memory.dmp

                Filesize

                2.9MB

              • memory/1220-34-0x0000000140000000-0x00000001402E0000-memory.dmp

                Filesize

                2.9MB

              • memory/1220-33-0x0000000140000000-0x00000001402E0000-memory.dmp

                Filesize

                2.9MB

              • memory/1220-4-0x0000000077376000-0x0000000077377000-memory.dmp

                Filesize

                4KB

              • memory/1220-10-0x0000000140000000-0x00000001402E0000-memory.dmp

                Filesize

                2.9MB

              • memory/1220-13-0x0000000140000000-0x00000001402E0000-memory.dmp

                Filesize

                2.9MB

              • memory/1220-52-0x0000000140000000-0x00000001402E0000-memory.dmp

                Filesize

                2.9MB

              • memory/1220-31-0x0000000140000000-0x00000001402E0000-memory.dmp

                Filesize

                2.9MB

              • memory/1220-30-0x0000000140000000-0x00000001402E0000-memory.dmp

                Filesize

                2.9MB

              • memory/1220-28-0x0000000140000000-0x00000001402E0000-memory.dmp

                Filesize

                2.9MB

              • memory/1220-50-0x0000000140000000-0x00000001402E0000-memory.dmp

                Filesize

                2.9MB

              • memory/1220-58-0x0000000140000000-0x00000001402E0000-memory.dmp

                Filesize

                2.9MB

              • memory/1220-25-0x0000000140000000-0x00000001402E0000-memory.dmp

                Filesize

                2.9MB

              • memory/1220-24-0x0000000140000000-0x00000001402E0000-memory.dmp

                Filesize

                2.9MB

              • memory/1220-22-0x0000000140000000-0x00000001402E0000-memory.dmp

                Filesize

                2.9MB

              • memory/1220-21-0x0000000140000000-0x00000001402E0000-memory.dmp

                Filesize

                2.9MB

              • memory/1220-19-0x0000000140000000-0x00000001402E0000-memory.dmp

                Filesize

                2.9MB

              • memory/1220-18-0x0000000140000000-0x00000001402E0000-memory.dmp

                Filesize

                2.9MB

              • memory/1220-17-0x0000000140000000-0x00000001402E0000-memory.dmp

                Filesize

                2.9MB

              • memory/1220-15-0x0000000140000000-0x00000001402E0000-memory.dmp

                Filesize

                2.9MB

              • memory/1220-14-0x0000000140000000-0x00000001402E0000-memory.dmp

                Filesize

                2.9MB

              • memory/1220-12-0x0000000140000000-0x00000001402E0000-memory.dmp

                Filesize

                2.9MB

              • memory/1220-11-0x0000000140000000-0x00000001402E0000-memory.dmp

                Filesize

                2.9MB

              • memory/1220-9-0x0000000140000000-0x00000001402E0000-memory.dmp

                Filesize

                2.9MB

              • memory/1220-16-0x0000000140000000-0x00000001402E0000-memory.dmp

                Filesize

                2.9MB

              • memory/1220-7-0x0000000140000000-0x00000001402E0000-memory.dmp

                Filesize

                2.9MB

              • memory/1220-5-0x0000000002A80000-0x0000000002A81000-memory.dmp

                Filesize

                4KB

              • memory/1220-48-0x0000000140000000-0x00000001402E0000-memory.dmp

                Filesize

                2.9MB

              • memory/1220-47-0x0000000140000000-0x00000001402E0000-memory.dmp

                Filesize

                2.9MB

              • memory/1220-45-0x0000000140000000-0x00000001402E0000-memory.dmp

                Filesize

                2.9MB

              • memory/1220-169-0x0000000077376000-0x0000000077377000-memory.dmp

                Filesize

                4KB

              • memory/1220-43-0x0000000140000000-0x00000001402E0000-memory.dmp

                Filesize

                2.9MB

              • memory/1220-40-0x0000000140000000-0x00000001402E0000-memory.dmp

                Filesize

                2.9MB

              • memory/1220-37-0x0000000140000000-0x00000001402E0000-memory.dmp

                Filesize

                2.9MB

              • memory/1220-35-0x0000000140000000-0x00000001402E0000-memory.dmp

                Filesize

                2.9MB

              • memory/1220-32-0x0000000140000000-0x00000001402E0000-memory.dmp

                Filesize

                2.9MB

              • memory/1220-29-0x0000000140000000-0x00000001402E0000-memory.dmp

                Filesize

                2.9MB

              • memory/1220-26-0x0000000140000000-0x00000001402E0000-memory.dmp

                Filesize

                2.9MB

              • memory/1220-23-0x0000000140000000-0x00000001402E0000-memory.dmp

                Filesize

                2.9MB

              • memory/1220-20-0x0000000140000000-0x00000001402E0000-memory.dmp

                Filesize

                2.9MB

              • memory/2032-124-0x00000000000F0000-0x00000000000F7000-memory.dmp

                Filesize

                28KB

              • memory/2216-8-0x0000000140000000-0x00000001402E0000-memory.dmp

                Filesize

                2.9MB

              • memory/2216-0-0x0000000000110000-0x0000000000117000-memory.dmp

                Filesize

                28KB

              • memory/2216-1-0x0000000140000000-0x00000001402E0000-memory.dmp

                Filesize

                2.9MB

              • memory/2928-106-0x0000000000090000-0x0000000000097000-memory.dmp

                Filesize

                28KB