Analysis

  • max time kernel
    3s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64 arch:x86 image:win7-20231129-en locale:en-us os:windows7-x64 system
  • submitted
    29-12-2023 19:17

General

  • Target

    017476e0432360ddcea82be7784d62c3.dll

  • Size

    1.1MB

  • MD5

    017476e0432360ddcea82be7784d62c3

  • SHA1

    76763b98160cd831bbb09e2d7c99bd62d5f326c0

  • SHA256

    442c78bea97cb5946f1754ba2e848784a617e377208e3c7f06f3e33b1a5192a1

  • SHA512

    67a6fed3bf7893abe319a3df10baa17b9fbb38604a990c59f0f93fed127dae0efe2084088210ccc61da9bb6c372d0eaff01c4f030df1108b4da59182d1f54b40

  • SSDEEP

    12288:vVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:GfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\017476e0432360ddcea82be7784d62c3.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2088
  • C:\Windows\system32\fvenotify.exe
    C:\Windows\system32\fvenotify.exe
    1⤵
    PID:2760
  • C:\Users\Admin\AppData\Local\A6gXC0\fvenotify.exe
    C:\Users\Admin\AppData\Local\A6gXC0\fvenotify.exe
    1⤵
    PID:2492
  • C:\Users\Admin\AppData\Local\qStPivP\raserver.exe
    C:\Users\Admin\AppData\Local\qStPivP\raserver.exe
    1⤵
    PID:636
  • C:\Windows\system32\raserver.exe
    C:\Windows\system32\raserver.exe
    1⤵
    PID:2992
  • C:\Users\Admin\AppData\Local\vt1FDm\SndVol.exe
    C:\Users\Admin\AppData\Local\vt1FDm\SndVol.exe
    1⤵
    PID:2772
  • C:\Windows\system32\SndVol.exe
    C:\Windows\system32\SndVol.exe
    1⤵
    PID:2792

              Network

              MITRE ATT&CK Enterprise v15

              Downloads

              • C:\Users\Admin\AppData\Local\A6gXC0\fvenotify.exe

                Filesize

                59KB

                MD5

                851a7861442df6b3e001570ed7f4aa62

                SHA1

                7f6700e3c83b09f6fbbc0940226fd3cdc59e2da6

                SHA256

                5e0dd77b527df8700a841447554b26fcaa3334b7fc2be6c87c723a5e4038bbe4

                SHA512

                e2b1e5dbb0b6d365baaa0d5b38cac3d82d3de492190f97dea7f70c8797bddea33c448f92a53e05e215b8de999cf0c10183b047eed56a39657b4f190bc7330798

              • C:\Users\Admin\AppData\Local\A6gXC0\slc.dll

                Filesize

                2KB

                MD5

                e7aed7bf76e000a08f9c0dca631f955f

                SHA1

                059d89c62fd9a2ac77e72f84228df6ea67d24a89

                SHA256

                84ff05ce8dd3ee9e90af1dd94e1367a103a3176b9990b92d0aafe60a71216c73

                SHA512

                c5494e2693c5c13888036687f51b721c9e5f40824cf5aee2a0df6336d3515c44d1e85cc8cffa0cdcc888772ecf7c052d23f922707b2f397e452de8ebb5ea75eb

              • C:\Users\Admin\AppData\Local\qStPivP\WTSAPI32.dll

                Filesize

                49KB

                MD5

                d6cd9197c1450e2c9f56cc828cc5425e

                SHA1

                e7a1678b9c0405eefcef5056ef446f048b5c9ddc

                SHA256

                591bfb171c80c9763d982957c2b44c8e710fe358f1a2c8c239676e60a3722180

                SHA512

                c5a0f46bbd2680c0732083296a83b4d5e097d4486b62e4f736e0e65e8cad4fd7853e470ed5b0b00d5c542648bab702360466967e184fa6717a083678387c73d3

              • C:\Users\Admin\AppData\Local\qStPivP\raserver.exe

                Filesize

                49KB

                MD5

                94a4bd796518cc17d93ac428169d05d3

                SHA1

                ede6ba9fb90f6d11c66df5491a958875d1f246d3

                SHA256

                497a78101ec3db281c8a0f05fd87d1a83ddc37ac3b1d0f387170277015ee21e8

                SHA512

                550e8e612550c318cc2c33c18701b7050c7d464a8df08a4c0350a82fc0fe2b4d38cf102eba427d187ff3a5dc0ee19a6a507294bae92cc93d16a39877066a6f90

              • C:\Users\Admin\AppData\Local\vt1FDm\SndVol.exe

                Filesize

                16KB

                MD5

                56e928c04bfe67fc11252fca637f5908

                SHA1

                15ce8e79ccb32c3fd5b804b3e9f4dc5c2f47a475

                SHA256

                3d81e3fc02cd493fef044e7595d2c34a865f149ac90a5c10fd3dd81bf4af438c

                SHA512

                c29341ce94988cfa75d5b6338ef7b320448c055df5f7b06444d7c6ea9ec7cafe9bca3283bbeb80ec8a55dc45479bbeee300b7e53348c3c45e10cad70af7c601c

              • C:\Users\Admin\AppData\Local\vt1FDm\SndVol.exe

                Filesize

                8KB

                MD5

                a4193ea7fb50ecd2e9753895ea65bdc6

                SHA1

                a52ca1b631db0b4f927c0821abc709e49ed8310a

                SHA256

                bb6f0a4d5b29c8394ae098d4ce9b25849f9587fe5820f7f06cca57eef5240920

                SHA512

                5d5ca7cc6eadce069734eba9ca549bec4463040c0dab4bb4caf1d4199c5fc39892bfd4f6747b5e661609e894105f1e650b22819c81541e2ad3a1d71e03084029

              • C:\Users\Admin\AppData\Local\vt1FDm\UxTheme.dll

                Filesize

                25KB

                MD5

                a491f37f08a8b09f90d7561205dbc690

                SHA1

                ccd89123981d767442ba26d5f1590c20bc520ecd

                SHA256

                0d437c11e6e4c24d14f9e9463171fee2dbf80042bcab049a40e7a3694a066a66

                SHA512

                ac2f2b96a32790947b7bb170bf08e8c5419a13e8f7bfde24423b619d9b03790f6f842655a5852bdc24365ff4a3f00322df2411d1c91dc85d5ef2ee395965b8d6

              • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Aqrvnhd.lnk

                Filesize

                1KB

                MD5

                c2d86fa691dd94bb1ed6735120394b55

                SHA1

                9911ea7b9956be6a9143a7f9ac07823070a8d0e4

                SHA256

                d238712a9aecc2b7216aac1705412addfc2e227549137703446b9e80a8a07c74

                SHA512

                4349d8b84403994eb1ff2f2c2e282083490d614de332d918449bbb4a0822a373f688fceaab76396818acef6b0c6bd4b1b4f8f4b085893d92cce01e71f478889a

              • C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\QOvPRyNi\UxTheme.dll

                Filesize

                16KB

                MD5

                cb8efb99cb2b75695b596c57d20f7d70

                SHA1

                f7efe1212b0c1e5675a63fbf6ebdd735bd2ac213

                SHA256

                13bc85e674d511d5ec35690f42b2fc2617fa77c5460c5a050156474cb14f4ac6

                SHA512

                24279948da1a18df9b1441323345d94006325ad3a6708d586aeeaa57295c8987044b5e42d063b0427acfa03582d5b7a208ead588367970ea93ab9eff284bcc0b

              • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IETldCache\Low\BjkfbdMMZ\WTSAPI32.dll

                Filesize

                17KB

                MD5

                a0fbf5a93265ef8ae596209113430ebc

                SHA1

                bb593b6b6fd4f1fb67afd7400606e213063d7fd5

                SHA256

                5efac9c69975ae0f9f178407490bbffe19dc07ae03ac811d4ac01e5c498c7b46

                SHA512

                2bcab8a3ce0b10fee86d043dbc6e13ae3a588500c353466ca70f4c37e24828905797836573dc291ce5aab12ec7a2d9f724a87259668274e4ecf472d91709cc6b

              • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IETldCache\Low\BjkfbdMMZ\raserver.exe

                Filesize

                2KB

                MD5

                427164573ab0ad5cc4cca9714704388b

                SHA1

                063c6fbf3ca377d4669c5bfc381901fe031877d3

                SHA256

                0b258282621d0bab48ac6731fd0bf7ef4c2ef1352fd3c69c3ea014b224f23ae0

                SHA512

                4a658a2628172229a6485536bd1fe72911cd00209f6f22a65cde0ba3c3294e8d8bc22f11c692c3146d631268d5d8391abb144ddc4c10884fe7174ce3645bcff7

              • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\xyH0FpNM\fvenotify.exe

                Filesize

                4KB

                MD5

                efa6660d66cadf088cf6332ddc7b3c47

                SHA1

                eeac71f013857823de44f2e46045dcddf2ab6b1d

                SHA256

                24fd6aa1b69b8f1c88e7d7cf9b9cb5d3ef39b6d0ed623aefcb5d09587dfc5420

                SHA512

                33cea10930c79db2f33f55d90bc1e327f762ed22a0d3213e78910108818b8a7e99ad8e68be04f3a14e382d547e2f5367a6c8190944982904035719851597d5b7

              • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\xyH0FpNM\slc.dll

                Filesize

                62KB

                MD5

                837198683a145ec0b913664019e83f73

                SHA1

                a9a81f972b01ac9e7e28fb7f429cf30fc90bc4a5

                SHA256

                b8a603064a90cfa83fee07db4c06179fca34737f1c18684bd1a1e6d0120b9387

                SHA512

                d0591d1cbc61dd3f043db61ead37729d15dd86d825c7ece0a6e4202ab39c7d335836cfe15c23aa05f2216fdde087b587606057817776061cebc8e67ca3d4d0e0

              • \Users\Admin\AppData\Local\A6gXC0\fvenotify.exe

                Filesize

                22KB

                MD5

                908b10eff3f57115ca45c436e372dd0a

                SHA1

                0459b0d200c3e536a0ccf6ecb13628138ff1c702

                SHA256

                8e74f21167df8e75f6e5d0c1b6fdee3f4bed3af4811f90ee6cf28acc8e3e71c9

                SHA512

                9b47619b9e25a2c8b55aba133616ea89884a25b7eca55bd800887e298472b9c39dd58b09fbd6a1deddc741c605fd8e2b4f264c5633e1864f2a79090f1f35cafb

              • \Users\Admin\AppData\Local\A6gXC0\slc.dll

                Filesize

                1KB

                MD5

                426847f2f2ade9f7cd1ae6482785da5b

                SHA1

                61ae84672592f101ca3da5680d455e19966215f3

                SHA256

                45daebdc79ada74bb65c1fa350e3a9cd2614a80281543e7c94887e11add82d26

                SHA512

                7adce6ccbf8f930aa60c5e87436a0a4d25959baf3e623053312ddc3befcdaf8b9d8ae72312a6a74ba8bbe0ca69aa0c4f94c2b8bae77e8414054988f3220d4ca9

              • \Users\Admin\AppData\Local\qStPivP\WTSAPI32.dll

                Filesize

                18KB

                MD5

                9f5f8c9886bc0312fb14cf81870964c4

                SHA1

                c08c94c8a6165a431599052d4d45d5411dfde6ca

                SHA256

                bf86493506c133c5ac89a70d0f233fc79f678d981a82f7ce9e7237305db27459

                SHA512

                19b9139b9743280dbc26e245b73c3c22bc7b351f4919a37438888c4fcbf4b75218f875752f6ba550d206dd926e88569f2450be4669b9cfd71a4feae348eed531

              • \Users\Admin\AppData\Local\qStPivP\raserver.exe

                Filesize

                35KB

                MD5

                5f699aa5c4535998bbfb329cf7b74529

                SHA1

                3a2f5f87cd883e4eb4aeb250f0ffdf7078175f5c

                SHA256

                41c0451f7e2a9ef229389d5e5ee05d537132d56d5b8adcfe6d094c8b4dc47e37

                SHA512

                62712bb005dbb3dbde55b644fb7002c39b1e1a3d4230fbfd4a1856bdc7160993374b1bc242644b2a61fae77b1b6eec3b4b2ba84e1dd88873890e32eb51d09b5e

              • \Users\Admin\AppData\Local\vt1FDm\SndVol.exe

                Filesize

                5KB

                MD5

                91d35f998d06e4f0851b403ef9d345ba

                SHA1

                66cb105defc487f9ce203c86c4fd58e417bea5fc

                SHA256

                2a251a261d2c43bdbf6a5d79a0f174e7c3ae24f063c804d4a53ef494f4abdf4e

                SHA512

                62ed3b136157693e43d37a599a018261637c46e5db48edfab6cc4332f212ad0543c72b04f66fb9f33cb0893060e00b9b6dcce6b7ba948f612de76cb2781f7a23

              • \Users\Admin\AppData\Local\vt1FDm\UxTheme.dll

                Filesize

                3KB

                MD5

                7e49a31a2abe6ca3ee878b97421f23a3

                SHA1

                337b081978c310f3dd65bb8838dd4a09d78e35db

                SHA256

                352e8913f91918c22d9d731ec50ab97658c210acfca1baa06214509f13e5ca77

                SHA512

                93c07592aa7762b96193b8eff8acaf0770c213f7868dc5a7326b483f08c6681e8d7252752850938ef74669edc930338de20e6cb2c4de1aa756a99415a20d76c0

              • \Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\QOvPRyNi\SndVol.exe

                Filesize

                1KB

                MD5

                324c7d3342a3b0ff363d007ad5774cde

                SHA1

                adb12faad353b37618778f75a3b3a4a424fa8901

                SHA256

                31ee212c53d0d3dd2323c4036c761c97e94a22003e4cf7cb10088bd861282d74

                SHA512

                52ec6d05bef3de55f2d988b58a0cb24c90a397a6388133e5fbf93203edf5c9725744a82191cef6eda79d198b93f06062675d9a0d363f82f280e815119296448c

              • memory/636-91-0x0000000140000000-0x0000000140127000-memory.dmp

                Filesize

                1.2MB

              • memory/636-88-0x0000000000420000-0x0000000000427000-memory.dmp

                Filesize

                28KB

              • memory/1376-17-0x0000000140000000-0x0000000140126000-memory.dmp

                Filesize

                1.1MB

              • memory/1376-28-0x0000000140000000-0x0000000140126000-memory.dmp

                Filesize

                1.1MB

              • memory/1376-26-0x0000000140000000-0x0000000140126000-memory.dmp

                Filesize

                1.1MB

              • memory/1376-25-0x0000000140000000-0x0000000140126000-memory.dmp

                Filesize

                1.1MB

              • memory/1376-24-0x0000000140000000-0x0000000140126000-memory.dmp

                Filesize

                1.1MB

              • memory/1376-23-0x0000000140000000-0x0000000140126000-memory.dmp

                Filesize

                1.1MB

              • memory/1376-21-0x0000000140000000-0x0000000140126000-memory.dmp

                Filesize

                1.1MB

              • memory/1376-20-0x0000000140000000-0x0000000140126000-memory.dmp

                Filesize

                1.1MB

              • memory/1376-19-0x0000000140000000-0x0000000140126000-memory.dmp

                Filesize

                1.1MB

              • memory/1376-18-0x0000000140000000-0x0000000140126000-memory.dmp

                Filesize

                1.1MB

              • memory/1376-4-0x00000000777B6000-0x00000000777B7000-memory.dmp

                Filesize

                4KB

              • memory/1376-16-0x0000000140000000-0x0000000140126000-memory.dmp

                Filesize

                1.1MB

              • memory/1376-15-0x0000000140000000-0x0000000140126000-memory.dmp

                Filesize

                1.1MB

              • memory/1376-14-0x0000000140000000-0x0000000140126000-memory.dmp

                Filesize

                1.1MB

              • memory/1376-13-0x0000000140000000-0x0000000140126000-memory.dmp

                Filesize

                1.1MB

              • memory/1376-11-0x0000000140000000-0x0000000140126000-memory.dmp

                Filesize

                1.1MB

              • memory/1376-10-0x0000000140000000-0x0000000140126000-memory.dmp

                Filesize

                1.1MB

              • memory/1376-9-0x0000000140000000-0x0000000140126000-memory.dmp

                Filesize

                1.1MB

              • memory/1376-5-0x0000000002AA0000-0x0000000002AA1000-memory.dmp

                Filesize

                4KB

              • memory/1376-12-0x0000000140000000-0x0000000140126000-memory.dmp

                Filesize

                1.1MB

              • memory/1376-7-0x0000000140000000-0x0000000140126000-memory.dmp

                Filesize

                1.1MB

              • memory/1376-27-0x0000000140000000-0x0000000140126000-memory.dmp

                Filesize

                1.1MB

              • memory/1376-131-0x00000000777B6000-0x00000000777B7000-memory.dmp

                Filesize

                4KB

              • memory/1376-22-0x0000000140000000-0x0000000140126000-memory.dmp

                Filesize

                1.1MB

              • memory/1376-31-0x0000000140000000-0x0000000140126000-memory.dmp

                Filesize

                1.1MB

              • memory/1376-57-0x0000000140000000-0x0000000140126000-memory.dmp

                Filesize

                1.1MB

              • memory/1376-29-0x0000000140000000-0x0000000140126000-memory.dmp

                Filesize

                1.1MB

              • memory/1376-51-0x0000000140000000-0x0000000140126000-memory.dmp

                Filesize

                1.1MB

              • memory/1376-30-0x0000000140000000-0x0000000140126000-memory.dmp

                Filesize

                1.1MB

              • memory/1376-32-0x0000000140000000-0x0000000140126000-memory.dmp

                Filesize

                1.1MB

              • memory/1376-33-0x0000000002A80000-0x0000000002A87000-memory.dmp

                Filesize

                28KB

              • memory/1376-42-0x0000000077B20000-0x0000000077B22000-memory.dmp

                Filesize

                8KB

              • memory/1376-40-0x0000000140000000-0x0000000140126000-memory.dmp

                Filesize

                1.1MB

              • memory/1376-41-0x00000000779C1000-0x00000000779C2000-memory.dmp

                Filesize

                4KB

              • memory/2088-8-0x0000000140000000-0x0000000140126000-memory.dmp

                Filesize

                1.1MB

              • memory/2088-1-0x0000000000110000-0x0000000000117000-memory.dmp

                Filesize

                28KB

              • memory/2088-0-0x0000000140000000-0x0000000140126000-memory.dmp

                Filesize

                1.1MB

              • memory/2492-71-0x0000000000380000-0x0000000000387000-memory.dmp

                Filesize

                28KB

              • memory/2492-74-0x0000000140000000-0x0000000140127000-memory.dmp

                Filesize

                1.2MB

              • memory/2492-69-0x0000000140000000-0x0000000140127000-memory.dmp

                Filesize

                1.2MB

              • memory/2772-106-0x00000000000E0000-0x00000000000E7000-memory.dmp

                Filesize

                28KB

              • memory/2772-108-0x0000000140000000-0x0000000140127000-memory.dmp

                Filesize

                1.2MB

              • memory/2772-141-0x00000000000E0000-0x00000000000E7000-memory.dmp

                Filesize

                28KB