Analysis

  • max time kernel
    130s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    29-12-2023 19:19

General

  • Target

    017fef171fcb1bae625fadf3ff3a5b41.dll

  • Size

    1.1MB

  • MD5

    017fef171fcb1bae625fadf3ff3a5b41

  • SHA1

    f6807821506e43999eb3768fe506f9e4f364f489

  • SHA256

    bf60aa85ca8b3e356c3a27fa9f81014450da3e144866ed72f2f58c71e6ad2194

  • SHA512

    8f231509b877e7466db748422889bb8518267683a6f4e35a62e3d650ac922c65d0e96c2927564a2db6a5592bea653077c9ad9fe1b06338513a49c73125970dcd

  • SSDEEP

    12288:rkMZ+g4TyilMqFvPIV93i/S0hzmOBt5nihfSxI/mhjEvqJ0D/eAQsroXAkH64C:rkMZ+gf4ltGd8H1fYO0q2G1Ah

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex payload shellcode injected into the Explorer process.

  • Dridex payload 10 IoCs

    Detects Dridex x64 core DLL in memory.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\017fef171fcb1bae625fadf3ff3a5b41.dll,#1
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1764
  • C:\Users\Admin\AppData\Local\haSL\mstsc.exe
    C:\Users\Admin\AppData\Local\haSL\mstsc.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2788
  • C:\Windows\system32\mstsc.exe
    C:\Windows\system32\mstsc.exe
    PID:2568
    • C:\Windows\system32\Utilman.exe
      C:\Windows\system32\Utilman.exe
      PID:2792
      • C:\Users\Admin\AppData\Local\XLZV\Utilman.exe
        C:\Users\Admin\AppData\Local\XLZV\Utilman.exe
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2184
      • C:\Windows\system32\irftp.exe
        C:\Windows\system32\irftp.exe
        PID:796
        • C:\Users\Admin\AppData\Local\f7NuFe8Q\irftp.exe
          C:\Users\Admin\AppData\Local\f7NuFe8Q\irftp.exe
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:676

Network

MITRE ATT&CK Enterprise v15

Downloads

        • C:\Users\Admin\AppData\Local\XLZV\DUI70.dll

          Filesize

          21KB

          MD5

          78a4c4adada350ab78c8bdae21edd503

          SHA1

          9f768c4d084b9bef36a05a6ed1a6ee4c6f2a0ed2

          SHA256

          edeb7f9139aa5c13aac2d0a25fa74a131829619c917cdb1beea3ca0d77b05146

          SHA512

          cebd2fbe8aa66aea255ef25204382acb347fd4d084e1281da4428dd0a1aa4ee36dce09d5b5d6d4440671c430fd2779b8d91eee32a866b365071b65767a5c70d1

        • C:\Users\Admin\AppData\Local\XLZV\Utilman.exe

          Filesize

          4KB

          MD5

          474c935bf1091643402a3d09757f30f9

          SHA1

          6d7bd9f90b9ae2f9d9078ae96eee23633f597fa1

          SHA256

          5a7914cac3bf2c0dca54799064f72db903eb0ec0c80f56a7a9541816ec57cdcc

          SHA512

          b865c7e05cb825a59cdceab97818539a18ca05377134c9d3f45c30fa2727d4b984541b16c9da82ee7561e5c38d0635e68e25c5a1b5a3e6d1ffe43f955cd80768

        • C:\Users\Admin\AppData\Local\f7NuFe8Q\WINMM.dll

          Filesize

          13KB

          MD5

          8601ba06c5e9f95355b3c6c319d8a186

          SHA1

          a5e5430c47c0779c998632caeb0972e02e626b75

          SHA256

          79f512db45df78d533c33526bdaf75f064b8c24dc49d5b1c8951d04b97a78317

          SHA512

          b30e8113bf1db320507e17843b7eaa7074387ce71285fd067474e5d546b3623cd130e91050b7c2b2b61702bfdd46232c512e13f92599db28cd0d0a102e533c0c

        • C:\Users\Admin\AppData\Local\f7NuFe8Q\irftp.exe

          Filesize

          92KB

          MD5

          9e533dfa44971dd83d8b41872ce85aa7

          SHA1

          a9a2e75303b64639ea29ed479cd4c9ab08a74614

          SHA256

          1549c27b806996a0bb0ee2dc2ea793d9b080f47c47d5f1e8a6b66548b214a46f

          SHA512

          1e19ff23efb06d02bcaf97a5999942365d1399f8d433c9743a4658af51157fae4c4d0abcfd4625c34df4f8c98a46e2b1d4f9ab73de8a19e6520a1ffd263b6fd1

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Aqrvnhd.lnk

          Filesize

          1022B

          MD5

          00bd85e1680d973a887d9bb20258af9e

          SHA1

          fb6f14ce62296a68202c29bedea4f6c8ea4a594c

          SHA256

          b077c8d4612810ca8a13fd6cb7f5f1ac7c7b00e8f4cf73d4ce9b8b572f687d84

          SHA512

          b342f05cfef869fa817d119115aefbf55ecf05708bcadea41afd4e251f2309578563303c5835e17f4a497ff2fc65e5fed78fb495dbb0ef9a2220b6420af329b0

        • C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\2TMJZ\DUI70.dll

          Filesize

          1024KB

          MD5

          3cb6e6e33eb6f6170cd1178bcaa2a4f2

          SHA1

          0c9542ac9e43c0d0f9c0686f91a2b124adefe072

          SHA256

          eb56b0bf4eb3195314a036b54c95de68d6467b4e0ef8ee2899e8bb492db36dc0

          SHA512

          e7216c1dcd08b86f7192ac9bf713eb15e8f52c8468b4dcd4ea9948ed3d351051242730154463c0ae156c8511f4af3f4f9eee3d1f6b95f6bc548e99ef7e6e338d

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\5i\WINMM.dll

          Filesize

          92KB

          MD5

          55089f6209cdcc2f06f39ea1f5663020

          SHA1

          f51067be7aa740b6e6c4877e4002dfc5f4749e7d

          SHA256

          a7de3f813efe14853f81b382a0b19db849bdf6fcbe32d371b34c6b1073aee842

          SHA512

          00c05b647b8977eef013e1c3068873e0236c4bd94bb65c9e0e6caa4a0c12d8a80616d10105dd91242991d0f4490e810641367f65d96ab96f0ba5661d421fe9ed

        • \Users\Admin\AppData\Local\XLZV\DUI70.dll

          Filesize

          52KB

          MD5

          073b2775dc1ee5decc5de91c6e6f781a

          SHA1

          97de65c130cda9cb59f5bc43eafeb3b015ce547c

          SHA256

          1e5a44d735d8815c549880193f78613be5aa7016d568887df022c7e0836eebad

          SHA512

          7b57d3b9e6b355da5ce1221e27891cfabed9e4b5e454bd8a385ade3fee18b5bb49b21347c0547452626ab535f8a38198f958f8092760d9fd1645d631eb1afe7f

        • \Users\Admin\AppData\Local\XLZV\Utilman.exe

          Filesize

          92KB

          MD5

          f51c28f087bd74bc268264585a2243a1

          SHA1

          4449a44e82bb83d1a7d1ad105859ce693b05e82b

          SHA256

          4315aee21d47fa32bcc8ac364ff35866fcfe5cd09064b21ad83f59e12da79ef7

          SHA512

          9d145234f8cb640f667ad5830e7538d7aab590d02eb8bebf25307c8c4a1e4da55ec052e8d2102628230071b2722ff1ba19ce7269adf0b1a3cf6265ec5a11085a

        • \Users\Admin\AppData\Local\f7NuFe8Q\WINMM.dll

          MD5

          d41d8cd98f00b204e9800998ecf8427e

          SHA1

          da39a3ee5e6b4b0d3255bfef95601890afd80709

          SHA256

          e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

          SHA512

          cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

        • \Users\Admin\AppData\Local\f7NuFe8Q\irftp.exe

          Filesize

          25KB

          MD5

          1fa7d8fdadf7b9756cb63860598ef18d

          SHA1

          fa18e3aab3852354a3dc33756464e0dde62bda43

          SHA256

          62b7e04d8b12eee99759daa24751bcb9fd0413fd22d8d6baee495548ffeee9f8

          SHA512

          c4c1a29b39a5dc9fcd1ce2d01f3ccf0b7088fac09e0af3f3f54008b9e14c3c056e44fc1e95b14e230d3fbb413507e59b170b8dc104f27aad95fea0c4a67dd348

        • \Users\Admin\AppData\Roaming\Mozilla\Extensions\PDfMZ6Nr\irftp.exe

          Filesize

          87KB

          MD5

          cc69a0a2ec335920d0783e26c514461d

          SHA1

          bc7fd9b284d387fc0ce105b34b9160bf5c8d5777

          SHA256

          0f2e235b6dd7807a6c80df941344d32b4f1ca07f8b9c376f7560b78e9c328719

          SHA512

          43bacb97944afa0ab3a57b7cb34593bea38d8c626a30eb996744262e8cc49cd0beac758259cde58b7e52a15f3b8bcfcca66221f79774301720558acc25f98418

        • memory/676-187-0x0000000140000000-0x0000000140124000-memory.dmp

          Filesize

          1.1MB

        • memory/676-185-0x0000000000430000-0x0000000000437000-memory.dmp

          Filesize

          28KB

        • memory/1360-38-0x0000000140000000-0x0000000140122000-memory.dmp

          Filesize

          1.1MB

        • memory/1360-17-0x0000000140000000-0x0000000140122000-memory.dmp

          Filesize

          1.1MB

        • memory/1360-10-0x0000000140000000-0x0000000140122000-memory.dmp

          Filesize

          1.1MB

        • memory/1360-9-0x0000000140000000-0x0000000140122000-memory.dmp

          Filesize

          1.1MB

        • memory/1360-8-0x0000000140000000-0x0000000140122000-memory.dmp

          Filesize

          1.1MB

        • memory/1360-7-0x0000000140000000-0x0000000140122000-memory.dmp

          Filesize

          1.1MB

        • memory/1360-6-0x0000000140000000-0x0000000140122000-memory.dmp

          Filesize

          1.1MB

        • memory/1360-4-0x00000000025B0000-0x00000000025B1000-memory.dmp

          Filesize

          4KB

        • memory/1360-11-0x0000000140000000-0x0000000140122000-memory.dmp

          Filesize

          1.1MB

        • memory/1360-3-0x00000000770B6000-0x00000000770B7000-memory.dmp

          Filesize

          4KB

        • memory/1360-16-0x0000000140000000-0x0000000140122000-memory.dmp

          Filesize

          1.1MB

        • memory/1360-28-0x0000000077450000-0x0000000077452000-memory.dmp

          Filesize

          8KB

        • memory/1360-123-0x00000000770B6000-0x00000000770B7000-memory.dmp

          Filesize

          4KB

        • memory/1360-12-0x0000000140000000-0x0000000140122000-memory.dmp

          Filesize

          1.1MB

        • memory/1360-15-0x0000000140000000-0x0000000140122000-memory.dmp

          Filesize

          1.1MB

        • memory/1360-18-0x0000000002590000-0x0000000002597000-memory.dmp

          Filesize

          28KB

        • memory/1360-13-0x0000000140000000-0x0000000140122000-memory.dmp

          Filesize

          1.1MB

        • memory/1360-14-0x0000000140000000-0x0000000140122000-memory.dmp

          Filesize

          1.1MB

        • memory/1360-37-0x0000000140000000-0x0000000140122000-memory.dmp

          Filesize

          1.1MB

        • memory/1360-26-0x0000000140000000-0x0000000140122000-memory.dmp

          Filesize

          1.1MB

        • memory/1360-27-0x0000000077420000-0x0000000077422000-memory.dmp

          Filesize

          8KB

        • memory/1764-46-0x0000000140000000-0x0000000140122000-memory.dmp

          Filesize

          1.1MB

        • memory/1764-0-0x0000000140000000-0x0000000140122000-memory.dmp

          Filesize

          1.1MB

        • memory/1764-1-0x0000000000190000-0x0000000000197000-memory.dmp

          Filesize

          28KB

        • memory/2184-144-0x0000000140000000-0x0000000140156000-memory.dmp

          Filesize

          1.3MB

        • memory/2184-141-0x0000000140000000-0x0000000140156000-memory.dmp

          Filesize

          1.3MB

        • memory/2788-54-0x0000000140000000-0x0000000140124000-memory.dmp

          Filesize

          1.1MB

        • memory/2788-58-0x0000000140000000-0x0000000140124000-memory.dmp

          Filesize

          1.1MB

        • memory/2788-56-0x00000000001B0000-0x00000000001B7000-memory.dmp

          Filesize

          28KB