Analysis

  • max time kernel
    150s
  • max time network
    128s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    29-12-2023 20:46

General

  • Target

    038fac256867b97309719d78ffada177.dll

  • Size

    1.7MB

  • MD5

    038fac256867b97309719d78ffada177

  • SHA1

    fa48e8a93c0d26cdd5f4a442655f634d7a5e89e8

  • SHA256

    824b3fcc72e9e5493e7be24f46d26c1f5972846b947ce1782207faaf9458429a

  • SHA512

    59ba340ca23e03f969d0f62df6a1de329a90f8084a8fcb33e6393c7a3b80df28b5d12ed3802f2eee0cbb571f70c8381774ccabdcbb3caece35c22782880b84a0

  • SSDEEP

    12288:MVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:5fP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat or Cridex) is a banking trojan that specializes in stealing bank credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex payload shellcode injected into the Explorer process.

  • Drops startup file 3 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 9 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\038fac256867b97309719d78ffada177.dll,#1
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1040
  • C:\Windows\system32\SnippingTool.exe
    C:\Windows\system32\SnippingTool.exe
    PID:2616
  • C:\Users\Admin\AppData\Local\jJ3o07Ih\SnippingTool.exe
    C:\Users\Admin\AppData\Local\jJ3o07Ih\SnippingTool.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:1336
  • C:\Windows\system32\WFS.exe
    C:\Windows\system32\WFS.exe
    PID:2916
  • C:\Users\Admin\AppData\Local\GRfUG51h5\WFS.exe
    C:\Users\Admin\AppData\Local\GRfUG51h5\WFS.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:2848
  • C:\Windows\system32\iexpress.exe
    C:\Windows\system32\iexpress.exe
    PID:1232
  • C:\Users\Admin\AppData\Local\Ysj5\iexpress.exe
    C:\Users\Admin\AppData\Local\Ysj5\iexpress.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:1712
  • C:\Windows\system32\mmc.exe
    C:\Windows\system32\mmc.exe
    PID:652
  • C:\Users\Admin\AppData\Local\k5IbmYi\mmc.exe
    C:\Users\Admin\AppData\Local\k5IbmYi\mmc.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:3020
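The process list and the Downloads list below together show the Dridex loader layout: each Windows binary (SnippingTool.exe, WFS.exe, iexpress.exe, mmc.exe) is first started from System32, and then a copy of it runs from a randomly named directory under %LOCALAPPDATA% with a DLL beside it that carries the name of one of the host's imports (OLEACC.dll, credui.dll, VERSION.dll, UxTheme.dll). Because a process resolves such a name from its own directory before System32, the dropped DLL is loaded instead of the genuine one. The script below is an added example, not part of the sandbox report: it takes the file paths from the Downloads list (plus two constructed benign System32 paths as controls), groups them by directory, and reports the host/DLL pairs, hijack-named DLLs that sit alone outside System32, and writes into the per-user Startup folder. The name sets and the analyze() helper are assumptions for the example, not a vendor signature.

```python
"""Hunt for the DLL side-loading layout shown in this report (added example)."""
import ntpath
from collections import defaultdict

# Windows binaries the report shows being copied out of System32 and re-run.
# Assumption: extend this set from your own telemetry; it is not a vendor list.
SIDELOAD_HOST_EXES = {"snippingtool.exe", "wfs.exe", "iexpress.exe", "mmc.exe"}
# DLL names dropped beside those hosts in the report.
HIJACKED_DLL_NAMES = {"oleacc.dll", "credui.dll", "version.dll", "uxtheme.dll"}
SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}
# Matches both the long form and the 8.3 form (STARTM~1\Programs\Startup).
STARTUP_MARKER = "\\programs\\startup\\"

# Paths taken from the report's Downloads list, plus two constructed benign
# System32 paths as controls (the last two are not from the report).
SAMPLE_PATHS = [
    r"C:\Users\Admin\AppData\Local\GRfUG51h5\WFS.exe",
    r"C:\Users\Admin\AppData\Local\GRfUG51h5\credui.dll",
    r"C:\Users\Admin\AppData\Local\Ysj5\VERSION.dll",
    r"\Users\Admin\AppData\Local\Ysj5\iexpress.exe",
    r"C:\Users\Admin\AppData\Local\jJ3o07Ih\OLEACC.dll",
    r"C:\Users\Admin\AppData\Local\jJ3o07Ih\SnippingTool.exe",
    r"\Users\Admin\AppData\Local\k5IbmYi\UxTheme.dll",
    r"\Users\Admin\AppData\Local\k5IbmYi\mmc.exe",
    r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Efrsxj.lnk",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hxr\credui.dll",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\eoZQsB\UxTheme.dll",
    r"C:\Windows\System32\credui.dll",   # constructed control: legitimate copy
    r"C:\Windows\System32\mmc.exe",      # constructed control: legitimate copy
]


def normalize(path: str) -> str:
    """Lower-case, backslash-only path; the report omits the drive on some entries."""
    p = path.replace("/", "\\").lower()
    if p.startswith("\\users\\"):
        p = "c:" + p
    return p


def analyze(paths):
    """Return side-load pairs, orphan hijack-named DLLs and Startup-folder writes."""
    exes_by_dir = defaultdict(set)   # dir -> {host exe names}
    dlls_by_dir = defaultdict(set)   # dir -> {full paths of hijack-named DLLs}
    startup_writes = []
    for raw in paths:
        p = normalize(raw)
        directory, name = ntpath.split(p)
        if STARTUP_MARKER in directory + "\\":
            startup_writes.append(p)          # anything under Startup runs at logon
        if directory in SYSTEM_DIRS:
            continue                          # genuine copies live here; expected
        if name in SIDELOAD_HOST_EXES:
            exes_by_dir[directory].add(name)
        elif name in HIJACKED_DLL_NAMES:
            dlls_by_dir[directory].add(p)
    pairs = {
        d: (sorted(exes_by_dir[d]), sorted(ntpath.basename(x) for x in dlls_by_dir[d]))
        for d in exes_by_dir if d in dlls_by_dir
    }
    orphans = sorted(x for d, s in dlls_by_dir.items() if d not in exes_by_dir for x in s)
    return {
        "sideload_pairs": pairs,
        "orphan_dlls": orphans,
        "startup_writes": sorted(startup_writes),
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_PATHS)
    for d, (hosts, dlls) in sorted(result["sideload_pairs"].items()):
        print(f"side-load dir {d}: host={hosts} dll={dlls}")
    for p in result["orphan_dlls"]:
        print(f"hijack-named DLL without host: {p}")
    for p in result["startup_writes"]:
        print(f"startup persistence: {p}")
```

On the report's paths this yields four host/DLL pairs (one per random %LOCALAPPDATA% directory), two lone DLLs (the Network Shortcuts UxTheme.dll and the Startup-folder credui.dll) and two Startup-folder writes; the two System32 controls are not reported. For a live hunt, feed it file-create events from EDR or Sysmon Event ID 11 rather than a static list, and treat a host executable appearing under a user-writable directory as the primary signal even before the DLL lands.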

Network

MITRE ATT&CK Enterprise v15

Downloads

          • C:\Users\Admin\AppData\Local\GRfUG51h5\WFS.exe

            Filesize

            215KB

            MD5

            7ab42fbca12fcf43e84a4616cadf7628

            SHA1

            1c7730d668c4b3bd30ccc2226e53ecd9ec4ad7b4

            SHA256

            66cf9e6e5f1899db4d20cccef0507ffdcea48e3d4da70473bf285e0532af74f2

            SHA512

            a8dbbc126f2b75e02e2c878e5e5db9abfaa01c48ab8721b425bebe63db71fd24f62b56e3c2bca6994060c4c4a7e4f25ec8ff678196b9ab3e1f62b7c2216b8d5a

          • C:\Users\Admin\AppData\Local\GRfUG51h5\WFS.exe

            Filesize

            113KB

            MD5

            b8ea20a1033540fac5d6c39ebdb58cf4

            SHA1

            f44b0122258b2492baffb996d8935f58ec7bb035

            SHA256

            4b08b0b33edcc5b77932d95e4d5cf5d37813b90abcfa655123a59b8a26ed1ff6

            SHA512

            f8786dc8f807de21a016f3f18543b9ec208086946250439556b3643b6c6f43cd0479534b9600ecad712ad67ca6b0b6d5f1dc9ca5fbee2812bae98ef277ed7147

          • C:\Users\Admin\AppData\Local\GRfUG51h5\credui.dll

            Filesize

            254KB

            MD5

            afca11f26908e24b913e9a083b8cef0c

            SHA1

            6801c93aa01e60cf7055a3285c89577b70672922

            SHA256

            eb8748e9a2b3429ed5b4ebe4c33d21783b5a6c1ae626a4fa506fc8c62b9942f7

            SHA512

            41ce3b0781f8efe34bd846fc4bf83387956e24bd73ebee7f08c9f07e3661e3b7a26d3a75becd981a264415397da63d32e34342892e5d04533edee36512c90a53

          • C:\Users\Admin\AppData\Local\Ysj5\VERSION.dll

            Filesize

            1.7MB

            MD5

            8a6fb281c6ed7ec00d7da29e20e8dd87

            SHA1

            5da96e0ce45fd37eaa4d756eee0497e884009dbe

            SHA256

            ea91a08fcb14d19a80610534e5232fc8192cd35e5f88c9ab609c4c44de82733c

            SHA512

            ed650c6e014fdfd07f38720979ecb5b7615e73004f8d443e322611f9d28660be67ae24241d0d1245390d336050239065405ff791493dd381613e5072fb7f7948

          • C:\Users\Admin\AppData\Local\jJ3o07Ih\OLEACC.dll

            Filesize

            378KB

            MD5

            aadc5bbc9150aebc63e13556f6abe27a

            SHA1

            991985ee5bfe67d09e1ee6a1381481136d1a0941

            SHA256

            64b6c9748e0d4f001697d1524c51402c12464e75df9b14cd5c04618a318a7203

            SHA512

            651ec2b436da88a7f95255a94e8c72963743f0e09b47f448c07c7d47bdc66ea9a66dee219c72e4855d92bede13d7cd8efe73d30c3e02747d88571122f62b0bab

          • C:\Users\Admin\AppData\Local\jJ3o07Ih\SnippingTool.exe

            Filesize

            178KB

            MD5

            84b201fadfbcf1ce26955ba23887e1cd

            SHA1

            0dd5d527c0b6aeb6b0519e65a0b4bbf8b7f4a383

            SHA256

            977e036d98d91c4a6518f3f0b3ca48722d9e8465bf8f3a584394a01f379c456b

            SHA512

            960f212163c4e565bdc5eb74e2203345528295b187c1f5e310afb7df1b18f65f09c6bb837e78c20e4062ce66fd60f2c14375e47671d80e2880fc7da44f9e291f

          • C:\Users\Admin\AppData\Local\jJ3o07Ih\SnippingTool.exe

            Filesize

            103KB

            MD5

            ae6f30914c0fa5d298ee5e3808addf13

            SHA1

            14ceac0e4ddfcc16939bbc9a4e189834ed5f1748

            SHA256

            fc1424658496f34bc1aefb5c1c8b5649148491e29f2622af7b29caa893be1e0a

            SHA512

            e500196089517b5c9406307efb5b230e9e92b74c4b3b15de4110f0aed1d4e32f0daa16c5155e63206422784280db81ec60ca46e3108ebb7465c24f9d45b29316

          • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Efrsxj.lnk

            Filesize

            1KB

            MD5

            6ee65acc3a8ac2b8b25ceebad45ade6a

            SHA1

            ef2920319b7688352f30c0f46513257a8bb0d6ed

            SHA256

            32809f315960eab615fb0b674c89d62f6bc0db3780c7ce78160c43607eb1fc5c

            SHA512

            4df730d2021be96eeabdb8a9a4909973ede593cbd6c495cabb6a7efbed6967cc79df1eacb2ab21ebab40a2c02b2eb1ea608e9f1f2f41180c7aa3c9821ace21bd

          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\eoZQsB\UxTheme.dll

            Filesize

            1.0MB

            MD5

            3948a3f3f7fbd491c0686e84ba9fc03a

            SHA1

            527693e1a20189ed80d464d0d8fa548b4f93f873

            SHA256

            5a950cde840e8f1c5c63490fd509ed3ae96c3f2f3ce31d131d87a071bf36f751

            SHA512

            26a49c9ec00a3fb05d23c3c9e81c73e62ea0405cbd607a3dd20f2d2a9e090c538a45b2097f3df4ccce6a7b2d756f941700d1859f9483df9ce286062ca62b4830

          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hxr\credui.dll

            Filesize

            1.7MB

            MD5

            37c6bde3a4996bd5f98e47b62ead2157

            SHA1

            abacbbcc12ce94a5c10892cd684eb2661528ac08

            SHA256

            d9de421deeba7dc03f790bf4c6a266a24ebcafb40176745db4432b451ef37e03

            SHA512

            cd1e31c57cfa73c64f970640948fbb234ccfef7701aad087f3c21e7df706fcbf607e45ae4cb5bd19c55b5928091728fcab9a9059a88cc12c41f4ef679964074f

          • \Users\Admin\AppData\Local\GRfUG51h5\WFS.exe

            Filesize

            252KB

            MD5

            61dec248231314aad706e956b7225dd9

            SHA1

            53ff6ab70bbe436843f4a984531745a0ad3b37cd

            SHA256

            45b48007f699f1cad9491471b0ea719d3b176c8ad8535a73ac62b61c347b5d2b

            SHA512

            485a20a5bd14c8b0c06ef5507f9a3434a2407ef84a282bd4e6d71dfca19f431734e74b116dd0924030863b1ff55718ec9caa29b4c7563f52e7e08ea1dd52f336

          • \Users\Admin\AppData\Local\GRfUG51h5\credui.dll

            Filesize

            216KB

            MD5

            eafee89e622955d6a0f27e0ffa9973d9

            SHA1

            8e12aa04aa0a7dc9a6891a47317ef86c5c2cfc2d

            SHA256

            153b223b93a5a53201d65e998ed4182eb18f86e26b5b76afa56b6f1ee42c6ae6

            SHA512

            a75dd6f43c05cf114d6c886527382016ffa0068be750d518bf0226e4594f14955af2e10bf24054a770a04fcb7fffccfca32dfd7098dd818a25f129724a6753bd

          • \Users\Admin\AppData\Local\Ysj5\iexpress.exe

            Filesize

            163KB

            MD5

            46fd16f9b1924a2ea8cd5c6716cc654f

            SHA1

            99284bc91cf829e9602b4b95811c1d72977700b6

            SHA256

            9f993a1f6a133fa8375eab99bf1710471dd13ef177ef713acf8921fb4ff565a3

            SHA512

            52c91043f514f3f8ce07f8e60357786eb7236fcf6cdcccca0dd76000b9a23d6b138cebcdec53b01823cb2313ec850fc7bece326ec01d44ed33f4052b789b7629

          • \Users\Admin\AppData\Local\jJ3o07Ih\OLEACC.dll

            Filesize

            290KB

            MD5

            6c0995128d501edbf35ae2bf56de809c

            SHA1

            2d94ddd3496b0b28cb31d2920eb7f23c63c45180

            SHA256

            7379d0aaa97c74a968df83a00a261216c3cef394310bd8cdc0a8d7976a605f08

            SHA512

            02850064fcd226dce5ffeefe672e3cdd7a2b57c6e000f4d0776ac84ae4f60a611e2176d91e51c8eb641804155dcf074cf49c544d4a01e46c1ba8c10f9d3c2380

          • \Users\Admin\AppData\Local\jJ3o07Ih\SnippingTool.exe

            Filesize

            136KB

            MD5

            79382ad57678cb38bc57de62829e66c6

            SHA1

            9f93bca069df1b5492f377976d3a3229e5e28e45

            SHA256

            1ed47b4b7ef9f5def330f2f7f744217b1effd812662a6713b9f495d756b52ec6

            SHA512

            f5ffe8d8d2d15e42c3aa13dc54379e5310b3030b47af7caa352b32043cf8ca1e07f65bb214f6cbccb3e59da14997f1567ccdb25cbcee4d61646b3f4a3c0cb212

          • \Users\Admin\AppData\Local\k5IbmYi\UxTheme.dll

            Filesize

            1.7MB

            MD5

            547a835a27e3bc0747da8a3a2380bb36

            SHA1

            c0d4e69592fe7eee856db17ab855d702f82034ff

            SHA256

            f50394f89c05055b4684bf227df1390d27a336067541dae8a677b8909f135c28

            SHA512

            cd7ca9b80b916e9906cbd26b86d0651df76b206f6ead309f981b3d5a07319e224b28a305334377c6d99a8b8b1d06536c91b5f0b58c96678ebfb8a54fe9bbc14a

          • \Users\Admin\AppData\Local\k5IbmYi\mmc.exe

            Filesize

            2.0MB

            MD5

            9fea051a9585f2a303d55745b4bf63aa

            SHA1

            f5dc12d658402900a2b01af2f018d113619b96b8

            SHA256

            b212e59e4c7fe77f6f189138d9d8b151e50eb83a35d6eadfb1e4bb0b4262c484

            SHA512

            beba79f0b6710929871fbdf378d3c0a41f230ac30cbfa87173f7b77c35e06425f48db42ed3b16d5d9bcb7ef0098dffcd0d2947da8fb7ec1136ea62205f1afc76

          • memory/1040-8-0x0000000140000000-0x00000001401B2000-memory.dmp

            Filesize

            1.7MB

          • memory/1040-0-0x0000000140000000-0x00000001401B2000-memory.dmp

            Filesize

            1.7MB

          • memory/1040-1-0x0000000000230000-0x0000000000237000-memory.dmp

            Filesize

            28KB

          • memory/1200-29-0x0000000140000000-0x00000001401B2000-memory.dmp

            Filesize

            1.7MB

          • memory/1200-30-0x0000000140000000-0x00000001401B2000-memory.dmp

            Filesize

            1.7MB

          • memory/1200-20-0x0000000140000000-0x00000001401B2000-memory.dmp

            Filesize

            1.7MB

          • memory/1200-31-0x0000000140000000-0x00000001401B2000-memory.dmp

            Filesize

            1.7MB

          • memory/1200-33-0x0000000140000000-0x00000001401B2000-memory.dmp

            Filesize

            1.7MB

          • memory/1200-35-0x0000000140000000-0x00000001401B2000-memory.dmp

            Filesize

            1.7MB

          • memory/1200-36-0x0000000140000000-0x00000001401B2000-memory.dmp

            Filesize

            1.7MB

          • memory/1200-37-0x0000000140000000-0x00000001401B2000-memory.dmp

            Filesize

            1.7MB

          • memory/1200-39-0x0000000140000000-0x00000001401B2000-memory.dmp

            Filesize

            1.7MB

          • memory/1200-38-0x0000000140000000-0x00000001401B2000-memory.dmp

            Filesize

            1.7MB

          • memory/1200-42-0x0000000002210000-0x0000000002217000-memory.dmp

            Filesize

            28KB

          • memory/1200-48-0x0000000076EA1000-0x0000000076EA2000-memory.dmp

            Filesize

            4KB

          • memory/1200-49-0x0000000077000000-0x0000000077002000-memory.dmp

            Filesize

            8KB

          • memory/1200-47-0x0000000140000000-0x00000001401B2000-memory.dmp

            Filesize

            1.7MB

          • memory/1200-34-0x0000000140000000-0x00000001401B2000-memory.dmp

            Filesize

            1.7MB

          • memory/1200-32-0x0000000140000000-0x00000001401B2000-memory.dmp

            Filesize

            1.7MB

          • memory/1200-18-0x0000000140000000-0x00000001401B2000-memory.dmp

            Filesize

            1.7MB

          • memory/1200-15-0x0000000140000000-0x00000001401B2000-memory.dmp

            Filesize

            1.7MB

          • memory/1200-10-0x0000000140000000-0x00000001401B2000-memory.dmp

            Filesize

            1.7MB

          • memory/1200-9-0x0000000140000000-0x00000001401B2000-memory.dmp

            Filesize

            1.7MB

          • memory/1200-7-0x0000000140000000-0x00000001401B2000-memory.dmp

            Filesize

            1.7MB

          • memory/1200-58-0x0000000140000000-0x00000001401B2000-memory.dmp

            Filesize

            1.7MB

          • memory/1200-64-0x0000000140000000-0x00000001401B2000-memory.dmp

            Filesize

            1.7MB

          • memory/1200-23-0x0000000140000000-0x00000001401B2000-memory.dmp

            Filesize

            1.7MB

          • memory/1200-25-0x0000000140000000-0x00000001401B2000-memory.dmp

            Filesize

            1.7MB

          • memory/1200-26-0x0000000140000000-0x00000001401B2000-memory.dmp

            Filesize

            1.7MB

          • memory/1200-27-0x0000000140000000-0x00000001401B2000-memory.dmp

            Filesize

            1.7MB

          • memory/1200-4-0x0000000076D96000-0x0000000076D97000-memory.dmp

            Filesize

            4KB

          • memory/1200-5-0x0000000002A90000-0x0000000002A91000-memory.dmp

            Filesize

            4KB

          • memory/1200-11-0x0000000140000000-0x00000001401B2000-memory.dmp

            Filesize

            1.7MB

          • memory/1200-28-0x0000000140000000-0x00000001401B2000-memory.dmp

            Filesize

            1.7MB

          • memory/1200-24-0x0000000140000000-0x00000001401B2000-memory.dmp

            Filesize

            1.7MB

          • memory/1200-22-0x0000000140000000-0x00000001401B2000-memory.dmp

            Filesize

            1.7MB

          • memory/1200-21-0x0000000140000000-0x00000001401B2000-memory.dmp

            Filesize

            1.7MB

          • memory/1200-13-0x0000000140000000-0x00000001401B2000-memory.dmp

            Filesize

            1.7MB

          • memory/1200-19-0x0000000140000000-0x00000001401B2000-memory.dmp

            Filesize

            1.7MB

          • memory/1200-12-0x0000000140000000-0x00000001401B2000-memory.dmp

            Filesize

            1.7MB

          • memory/1200-17-0x0000000140000000-0x00000001401B2000-memory.dmp

            Filesize

            1.7MB

          • memory/1200-106-0x0000000076D96000-0x0000000076D97000-memory.dmp

            Filesize

            4KB

          • memory/1200-16-0x0000000140000000-0x00000001401B2000-memory.dmp

            Filesize

            1.7MB

          • memory/1200-14-0x0000000140000000-0x00000001401B2000-memory.dmp

            Filesize

            1.7MB

          • memory/1336-80-0x0000000140000000-0x00000001401B3000-memory.dmp

            Filesize

            1.7MB

          • memory/1336-77-0x0000000140000000-0x00000001401B3000-memory.dmp

            Filesize

            1.7MB

          • memory/1336-76-0x0000000000100000-0x0000000000107000-memory.dmp

            Filesize

            28KB

          • memory/1712-114-0x0000000000300000-0x0000000000307000-memory.dmp

            Filesize

            28KB

          • memory/2848-98-0x0000000140000000-0x00000001401B3000-memory.dmp

            Filesize

            1.7MB

          • memory/2848-93-0x0000000000120000-0x0000000000127000-memory.dmp

            Filesize

            28KB

          • memory/3020-132-0x00000000006F0000-0x00000000006F7000-memory.dmp

            Filesize

            28KB