Analysis

  • max time kernel
    150s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64 arch:x86 image:win7-20231215-en locale:en-us os:windows7-x64 system
  • submitted
    19-01-2024 22:28

General

  • Target

    68ca805df0c74e02d25c86dd7d49303e.dll

  • Size

    1.5MB

  • MD5

    68ca805df0c74e02d25c86dd7d49303e

  • SHA1

    e62170c551c0f1edf022e1c6c8b2f54b755977b0

  • SHA256

    f613f68232c24e7b4c0e5a49431a159dbffb259080f66d7e773de9649da7235d

  • SHA512

    ab5f9da7cc894d7cdb6f07152b99cf3c284752d3078810eef4f2438170d2618ea35a869a71e4b486d081bfe312ab7942d2583f5bac15734491eb993ee732963b

  • SSDEEP

    12288:fVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:WfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a banking trojan that specializes in stealing bank credentials.

  • Dridex Shellcode 1 IoCs

    Detects the Dridex payload shellcode injected into the Explorer process.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\68ca805df0c74e02d25c86dd7d49303e.dll,#1
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2476
  • C:\Windows\system32\BitLockerWizardElev.exe
    C:\Windows\system32\BitLockerWizardElev.exe
    PID:2364
  • C:\Users\Admin\AppData\Local\oC6JnlpOk\BitLockerWizardElev.exe
    C:\Users\Admin\AppData\Local\oC6JnlpOk\BitLockerWizardElev.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:2096
  • C:\Windows\system32\TpmInit.exe
    C:\Windows\system32\TpmInit.exe
    PID:3004
  • C:\Users\Admin\AppData\Local\heUhJ\TpmInit.exe
    C:\Users\Admin\AppData\Local\heUhJ\TpmInit.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:3000
  • C:\Windows\system32\fvenotify.exe
    C:\Windows\system32\fvenotify.exe
    PID:620
  • C:\Users\Admin\AppData\Local\Qp4\fvenotify.exe
    C:\Users\Admin\AppData\Local\Qp4\fvenotify.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:2012
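The process list and the dropped files below show the layout used for DLL search-order hijacking ("side-loading"): copies of three Windows system binaries (BitLockerWizardElev.exe, TpmInit.exe, fvenotify.exe) are written into randomly named folders under the user profile, each next to a DLL that carries a system DLL's name (FVEWIZ.dll, Secur32.dll, slc.dll), and the copies are then executed and load the co-located DLL. A Startup-folder shortcut (Gmfoo.lnk) and a Run key provide persistence. The script below is an added hunting example for a live host, not part of the sandbox report or the sample; it assumes Windows PowerShell 5.1 (for Get-FileHash and the -File/-Directory switches) and read access to every profile under C:\Users, and it reports signer and hash rather than assuming which side of each pair is malicious.

```powershell
# Added hunting script (not from the sandbox report or the Dridex sample).
# Flags: (1) an .exe under a user profile whose name also exists in System32,
# sitting next to a .dll whose name also exists in System32; (2) Startup-folder
# shortcuts that launch something out of AppData; (3) Run-key entries pointing
# into AppData. Assumes Windows PowerShell 5.1 and rights to read C:\Users\*.

$system32 = Join-Path $env:SystemRoot 'System32'

function Get-SideLoadPairs {
    param([string]$ProfileRoot)
    $appData = Join-Path $ProfileRoot 'AppData'
    Get-ChildItem $appData -Recurse -File -Filter '*.exe' -ErrorAction SilentlyContinue |
        Where-Object { Test-Path (Join-Path $system32 $_.Name) } |      # name collides with a system binary
        ForEach-Object {
            $exe    = $_
            $exeSig = Get-AuthenticodeSignature $exe.FullName
            Get-ChildItem $exe.DirectoryName -File -Filter '*.dll' -ErrorAction SilentlyContinue |
                Where-Object { Test-Path (Join-Path $system32 $_.Name) } |  # DLL name collides too
                ForEach-Object {
                    $dllSig = Get-AuthenticodeSignature $_.FullName
                    [pscustomobject]@{
                        Finding   = 'SideLoadPair'
                        Exe       = $exe.FullName
                        ExeSigner = $exeSig.SignerCertificate.Subject   # a clean copy shows a Microsoft signer
                        ExeStatus = $exeSig.Status
                        Dll       = $_.FullName
                        DllStatus = $dllSig.Status                      # the planted DLL is usually NotSigned
                        DllSHA256 = (Get-FileHash $_.FullName -Algorithm SHA256).Hash
                    }
                }
        }
}

function Get-StartupShortcuts {
    param([string]$ProfileRoot)
    # Long-name form of the MICROS~1\...\STARTM~1 path in the report.
    $startup = Join-Path $ProfileRoot 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
    $shell = New-Object -ComObject WScript.Shell
    Get-ChildItem $startup -File -Filter '*.lnk' -ErrorAction SilentlyContinue | ForEach-Object {
        $target = $shell.CreateShortcut($_.FullName).TargetPath
        [pscustomobject]@{
            Finding = 'StartupLnk'
            Lnk     = $_.FullName
            Target  = $target
            Suspect = ($target -match '\\AppData\\')   # shortcut launching from AppData
        }
    }
}

function Get-SuspectRunKeys {
    # HKCU covers the current user only; load other users' NTUSER.DAT hives to extend this.
    $keys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    foreach ($key in $keys) {
        $props = Get-ItemProperty $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        $props.PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' -and $_.Value -match '\\AppData\\' } |
            ForEach-Object {
                [pscustomobject]@{ Finding = 'RunKey'; Key = $key; Name = $_.Name; Command = $_.Value }
            }
    }
}

$profiles = Get-ChildItem 'C:\Users' -Directory -ErrorAction SilentlyContinue
$results = @(foreach ($p in $profiles) {
    Get-SideLoadPairs    -ProfileRoot $p.FullName
    Get-StartupShortcuts -ProfileRoot $p.FullName
}) + @(Get-SuspectRunKeys)
$results | Format-List
```

Run it from an elevated prompt so every profile is readable. A hit is a pair like C:\Users\Admin\AppData\Local\oC6JnlpOk\BitLockerWizardElev.exe with FVEWIZ.dll beside it; the SHA256 in each finding can be checked against the Downloads list below, where the 1.5MB Secur32.dll, FVEWIZ.dll and slc.dll copies are the same size as the submitted sample.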

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Qp4\fvenotify.exe
    Filesize 98KB
    MD5 d1e3d14ec7a5b08896990d6bb9840c18
    SHA1 f3b92a639540ed8a23f722aeadfc7a80522bd5c0
    SHA256 34218ae07defa4d2e29529aa72615162c5daae2aea652253f8b3312a5e7da919
    SHA512 1879488bf270cd37381fc7c9c8a6f913ff3926da7f65424bcb9c45d3f1b647419366765ca992d27bb08bd6e15b92eea8c8ac4a13a70b4a2f84f7d8ec8e586388
  • C:\Users\Admin\AppData\Local\Qp4\fvenotify.exe
    Filesize 38KB
    MD5 1dac8319e3c12ec9df7e81c430ce6da4
    SHA1 f46f37ae9d7b85106ea1f462226472fd0a6f2084
    SHA256 9602ddd11d7b5930bf48f7558f7722fa274995f2461a69dde616f004c369a2d4
    SHA512 69a6d9f1b41e008c56d8f098814d0c8f329c947bda36c638bf5539e845f14559b53a682ad6b740099342e56f8a74ae08785695b538f425ec29318819a5eebebe
  • C:\Users\Admin\AppData\Local\Qp4\slc.dll
    Filesize 85KB
    MD5 a31cdb0be3f78a3a6d19b279440b9d6a
    SHA1 a0ba873515401c12ade3664a5ffa6503701bf78b
    SHA256 53a3b93e52e37beb7ff0433a5f25d7489eef503f3302e4f4c1be2dd6cf92f3b7
    SHA512 7ca26c98373ecb77656c9e32bd1c1b542c8cc6b1836758178c52e640363b0903abcdca0b8598a76a132016f14dd12ad540c0f09d79dd571353448aada5e9dd12
  • C:\Users\Admin\AppData\Local\heUhJ\Secur32.dll
    Filesize 26KB
    MD5 90fee0856fbe4df2342c45ec03deecca
    SHA1 6cbcd55a006f59f4be2ba782c991c4e9391d45ca
    SHA256 fe17c1d5bf26fb31a165e16140231e12ac66670696b9529941e49ef8e2e4463d
    SHA512 342045baaca004077de786e4b40deb8b56b54424e04d44814513ffa9c4173fdc667a6bf9e9b2c9d5218de11b86d7488c82634741739616ecd5198e89309a75e8
  • C:\Users\Admin\AppData\Local\heUhJ\TpmInit.exe
    Filesize 73KB
    MD5 10a3cfe7254d403f7138388fdbfd07e9
    SHA1 1cd35572784c24be2d708db39d8182c05c29f8e5
    SHA256 d2d6ff09aa2377e5437eaa5270f5246a1314463d9a1af8d72811ade973bad7ff
    SHA512 407f6ca76622901eefb3bc7f3d454e092ea19e25ebb2982d35292cdd2a23a0a84cb90c5e8b56cee473dd22af7e8a4cf6cdcd0c99834fc9615f052fe7df58ff5e
  • C:\Users\Admin\AppData\Local\heUhJ\TpmInit.exe
    Filesize 26KB
    MD5 f278003e9f0a687c2c743b491f23bc7d
    SHA1 67b65464300a38007d55112830b76f067841f5fc
    SHA256 768c554a90d673ac3544d67d37e3e912db734e12a3d462e0cd429a74cb614f79
    SHA512 a5f15c658e448b32b0ac68e6790e0fd1b554db6d30e9702e3969372450173b1e266296beb405f23dcb73d7e8a82cb6b258f0701986a25cfdfe841df557c29e9b
  • C:\Users\Admin\AppData\Local\oC6JnlpOk\BitLockerWizardElev.exe
    Filesize 25KB
    MD5 babc017b98b03a8c28945de1fef64f59
    SHA1 e4a9b3dfb7d7a56f645761485efe2ede337d2381
    SHA256 9f5e1b545703b473712912e53799dc7e6459f67eb6f88b8478364fe4f12615d1
    SHA512 f0d38e6101de4a8094d812ebd400a5ac706c486aba08d118eb0db4d0dbd81c888487b73ff3d7720b44952b8235ad2faa60814199b387de60b696619a2ae0c577
  • C:\Users\Admin\AppData\Local\oC6JnlpOk\FVEWIZ.dll
    Filesize 11KB
    MD5 d35ea6dbf9b954d4cfc9608eb4c8dfc6
    SHA1 7c8c2d992f1b71e0a77565d0e57701c92958c514
    SHA256 0f1c0f70648db61c10a52663e0040a2449a59afd4cddf879385dbeaba7be95f9
    SHA512 70f5694423cae7c8c9948de58b8a373e1aaf4ade41b60b33770a997198f3ae0b95e7d5d60debe64fdfb24527899155bb9afdb092cbf3ed66cd60c5b08f87539b
  • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Gmfoo.lnk
    Filesize 1KB
    MD5 25ce79429905ef53c780d561b9c041c3
    SHA1 25cad8c52c94ea55156afd636c84cf2cfd3e4c8c
    SHA256 96a9c16e7c295dac6c72309f30306a4a078efb3b29e27b683655fcbd2c726cdb
    SHA512 f8b9960a08517a71cc0d30fdedf5d3ca3fcf21313642cb27ff95262542e72a1027cb4d05209fc71096a40e6d25b93f28f9e3237aa2bd83f143f626a260522091
  • C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\DjWA5h\Secur32.dll
    Filesize 1.5MB
    MD5 079d114f0bef3506e5c48fb089d40887
    SHA1 1a05966f9cebba45a67e65539d8a24c5cbc322a6
    SHA256 c3e99e2c347e441d354dd13e6d201d2beb94df313f7fda7521953351090591c5
    SHA512 548f364703e42f75759731a7ba1220c0b6ca8bf74cc4d58a537d61ed370037ed095bb9af7b0bc4c3f28cd4acf3361d7417b0a56120c840243959b194901cfcf4
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IECompatUACache\9d\BitLockerWizardElev.exe
    Filesize 92KB
    MD5 10d4966e5a7c387df060ef1db2c0e727
    SHA1 1b0d8ab3532a3063dd2733121d6991d377c8e290
    SHA256 fa16d99a12600f3d8e8ac57f42917b09c9de1eb57837b1229fb392e94466d69c
    SHA512 c40e4453c9d2f3e4e0391d70a4f35da54988a127fe896308591d3ab32342ea2ee94a4063e6a82b33b4ee65b6178c41de212a5867e6cb13da705ffc1ceef1bb07
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IECompatUACache\9d\FVEWIZ.dll
    Filesize 1.5MB
    MD5 8b22b843282ccbed97044c4a3d319ac4
    SHA1 7854554e45685fdcd1ba2f695b588cde3b700828
    SHA256 f66ba86c4186ac7ee7f308c5c7600e7e52be6100b1aada623dcb42b76d0369f1
    SHA512 371a1e7875bf91be2a63c646a45705ce89e86320e169f8943b4ef5a19acc19588b5020f152e2d8c13dcf26f38d4936dfbf2d6785b45d82dfad90853875608afa
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IECompatUACache\9d\FnZ5EJNj\slc.dll
    Filesize 1.5MB
    MD5 5c0ffaafd4db1dc17d4f9308f002503f
    SHA1 6f6a879e8a761c92c979159234cc61231397f69d
    SHA256 47bfd48a5f9fbea616b46e9dbda249a4ba471d6d1a1ff5ea1b731ef787b8f142
    SHA512 785fc2f52154a6564f78e2c3c74541d495ccad6cfbfb480e1d93f9c1775690108442f261c2f5f721ef380b11987fed8db6b8c7c424f902a1e1c140fa1380fa77
  • \Users\Admin\AppData\Local\Qp4\fvenotify.exe
    Filesize 56KB
    MD5 aadf8fb86c5c956cabb1ba956cfa326a
    SHA1 c8b270bf02a5c5b1c858b327936518ada7ec40d6
    SHA256 69b4da45817220c476e09b4c77505d66b631698484176227c57bdfa2591cef06
    SHA512 ff30fbbf10e22fe0f123a09395cff15734ce6b448045929a7f03df857f6df3043c7aa79ef63bf258518c4e68eea1b9e5a1ea10350b8ef789f6018b31e3859250
  • \Users\Admin\AppData\Local\Qp4\slc.dll
    Filesize 136KB
    MD5 411da1a6843e2da784a4997560e7ad15
    SHA1 7a389831be6e892d82c4419f5d59f8a1c5a2e5b6
    SHA256 6a4fd8dc08d03eda65c117966d3b71e35b8be6a511f34932d90991bdaf7ddd2b
    SHA512 374c4ec74fcf03ce7d01148c81e526b2195239f2a106e6ef83bdf9eeb97c341ee0f5947c559c58d95cd6f7dad944d41b96f09576e05030ea2b27d0dea341e61a
  • \Users\Admin\AppData\Local\heUhJ\Secur32.dll
    Filesize 49KB
    MD5 9513ee48b8c50a4ddabfb752ebc1da85
    SHA1 920305216f307104a486deac764749f941a67ce8
    SHA256 e60817d368b8418feb1259033fb853f05128ab89e4db9a7a672efcd01e72c1fb
    SHA512 2328bdc773d6c8b402bd8aaca9e7bc2b21aaf7d9ad49881fc6b41141d9133cb93bc9a58a05a670ef0f6ea839be28431ac02954661b2a50bfef8a7366fa145b9a
  • \Users\Admin\AppData\Local\heUhJ\TpmInit.exe
    Filesize 84KB
    MD5 f0605b4c3753e6ec16a39b31c7921813
    SHA1 3192b040cb830954281466499a29b755bb3099f2
    SHA256 7ff0397e8d1f704bab94de01fbb9be8fa5d8a78bdc5dbd84d2c28da22dc53bf1
    SHA512 674d737a5906c229cf66a66263892fdf1e736bed458795b8d19598f2a21b8d8c766973930834dfcf11371081093551f68ccecfec1239ccdaa3675e7fdc1a5c98
  • \Users\Admin\AppData\Local\oC6JnlpOk\BitLockerWizardElev.exe
    Filesize 8KB
    MD5 0cba4187bd397261930347cb203f0e91
    SHA1 ca26eac633d06c2656f2bd8965b605a1b05b8c2c
    SHA256 8b5e362f3b2183d6de02003f2222ec5d781c633f7fdcc28cbb61c6bb8b040f85
    SHA512 62d8f0b93a7decd03bb3dfacd705c34a1c53b916363acf81613b5c4cb90effe4fcfb3e8766c37cb7467e4d904d0422a6e7dd4ffb1604d4c8cd56d9564824026f
  • \Users\Admin\AppData\Local\oC6JnlpOk\FVEWIZ.dll
    Filesize 7KB
    MD5 9139852848c2a5099bf361550b353160
    SHA1 6e1e0290ff9d8ebf09914df99f692a9b7fdd1b04
    SHA256 5de57e302d8f600328d6a3108fe6f72391f329793f5ee091ef9a3cf603f9180f
    SHA512 25fb2af9cf01b626ee6c48efcbe2b4d01a983ff52ac9bbaa544515b09d8f19d0f700821fb8c719b5ce571c6991ce927c9d40b787c846fff248be218e6bd5af5b
  • \Users\Admin\AppData\Roaming\Microsoft\Windows\IECompatUACache\9d\FnZ5EJNj\fvenotify.exe
    Filesize 117KB
    MD5 e61d644998e07c02f0999388808ac109
    SHA1 183130ad81ff4c7997582a484e759bf7769592d6
    SHA256 15a85cd6fbcb1ec57d78f986d6dd8908bd56231ce0cf65775075512303f7e5fa
    SHA512 310141b73394ae12a35f8d4f0c097868ee8a8045a62dd402a5dfbe2151980dd4fe18409ae3ca9422e3b88b2fa9afb04c1acbf8ec23a937a0a242b32a9a1e9272

  • memory/1364-21-0x0000000140000000-0x0000000140185000-memory.dmp    Filesize 1.5MB
  • memory/1364-9-0x0000000140000000-0x0000000140185000-memory.dmp    Filesize 1.5MB
  • memory/1364-57-0x0000000077121000-0x0000000077122000-memory.dmp    Filesize 4KB
  • memory/1364-60-0x0000000077280000-0x0000000077282000-memory.dmp    Filesize 8KB
  • memory/1364-56-0x0000000140000000-0x0000000140185000-memory.dmp    Filesize 1.5MB
  • memory/1364-46-0x0000000140000000-0x0000000140185000-memory.dmp    Filesize 1.5MB
  • memory/1364-67-0x0000000140000000-0x0000000140185000-memory.dmp    Filesize 1.5MB
  • memory/1364-45-0x0000000140000000-0x0000000140185000-memory.dmp    Filesize 1.5MB
  • memory/1364-43-0x0000000140000000-0x0000000140185000-memory.dmp    Filesize 1.5MB
  • memory/1364-40-0x0000000140000000-0x0000000140185000-memory.dmp    Filesize 1.5MB
  • memory/1364-41-0x0000000140000000-0x0000000140185000-memory.dmp    Filesize 1.5MB
  • memory/1364-38-0x0000000140000000-0x0000000140185000-memory.dmp    Filesize 1.5MB
  • memory/1364-33-0x0000000140000000-0x0000000140185000-memory.dmp    Filesize 1.5MB
  • memory/1364-71-0x0000000140000000-0x0000000140185000-memory.dmp    Filesize 1.5MB
  • memory/1364-32-0x0000000140000000-0x0000000140185000-memory.dmp    Filesize 1.5MB
  • memory/1364-29-0x0000000140000000-0x0000000140185000-memory.dmp    Filesize 1.5MB
  • memory/1364-44-0x0000000140000000-0x0000000140185000-memory.dmp    Filesize 1.5MB
  • memory/1364-4-0x0000000076F16000-0x0000000076F17000-memory.dmp    Filesize 4KB
  • memory/1364-42-0x0000000140000000-0x0000000140185000-memory.dmp    Filesize 1.5MB
  • memory/1364-24-0x0000000140000000-0x0000000140185000-memory.dmp    Filesize 1.5MB
  • memory/1364-39-0x0000000140000000-0x0000000140185000-memory.dmp    Filesize 1.5MB
  • memory/1364-28-0x0000000140000000-0x0000000140185000-memory.dmp    Filesize 1.5MB
  • memory/1364-26-0x0000000140000000-0x0000000140185000-memory.dmp    Filesize 1.5MB
  • memory/1364-27-0x0000000140000000-0x0000000140185000-memory.dmp    Filesize 1.5MB
  • memory/1364-25-0x0000000140000000-0x0000000140185000-memory.dmp    Filesize 1.5MB
  • memory/1364-23-0x0000000140000000-0x0000000140185000-memory.dmp    Filesize 1.5MB
  • memory/1364-5-0x0000000002700000-0x0000000002701000-memory.dmp    Filesize 4KB
  • memory/1364-47-0x0000000140000000-0x0000000140185000-memory.dmp    Filesize 1.5MB
  • memory/1364-10-0x0000000140000000-0x0000000140185000-memory.dmp    Filesize 1.5MB
  • memory/1364-17-0x0000000140000000-0x0000000140185000-memory.dmp    Filesize 1.5MB
  • memory/1364-18-0x0000000140000000-0x0000000140185000-memory.dmp    Filesize 1.5MB
  • memory/1364-14-0x0000000140000000-0x0000000140185000-memory.dmp    Filesize 1.5MB
  • memory/1364-13-0x0000000140000000-0x0000000140185000-memory.dmp    Filesize 1.5MB
  • memory/1364-11-0x0000000140000000-0x0000000140185000-memory.dmp    Filesize 1.5MB
  • memory/1364-19-0x0000000140000000-0x0000000140185000-memory.dmp    Filesize 1.5MB
  • memory/1364-7-0x0000000140000000-0x0000000140185000-memory.dmp    Filesize 1.5MB
  • memory/1364-145-0x0000000076F16000-0x0000000076F17000-memory.dmp    Filesize 4KB
  • memory/1364-37-0x0000000140000000-0x0000000140185000-memory.dmp    Filesize 1.5MB
  • memory/1364-36-0x0000000140000000-0x0000000140185000-memory.dmp    Filesize 1.5MB
  • memory/1364-35-0x0000000140000000-0x0000000140185000-memory.dmp    Filesize 1.5MB
  • memory/1364-48-0x0000000140000000-0x0000000140185000-memory.dmp    Filesize 1.5MB
  • memory/1364-34-0x0000000140000000-0x0000000140185000-memory.dmp    Filesize 1.5MB
  • memory/1364-31-0x0000000140000000-0x0000000140185000-memory.dmp    Filesize 1.5MB
  • memory/1364-30-0x0000000140000000-0x0000000140185000-memory.dmp    Filesize 1.5MB
  • memory/1364-22-0x0000000140000000-0x0000000140185000-memory.dmp    Filesize 1.5MB
  • memory/1364-20-0x0000000140000000-0x0000000140185000-memory.dmp    Filesize 1.5MB
  • memory/1364-15-0x0000000140000000-0x0000000140185000-memory.dmp    Filesize 1.5MB
  • memory/1364-16-0x0000000140000000-0x0000000140185000-memory.dmp    Filesize 1.5MB
  • memory/1364-50-0x00000000026E0000-0x00000000026E7000-memory.dmp    Filesize 28KB
  • memory/1364-12-0x0000000140000000-0x0000000140185000-memory.dmp    Filesize 1.5MB
  • memory/2012-120-0x0000000000190000-0x0000000000197000-memory.dmp    Filesize 28KB
  • memory/2096-85-0x00000000001A0000-0x00000000001A7000-memory.dmp    Filesize 28KB
  • memory/2476-8-0x0000000140000000-0x0000000140185000-memory.dmp    Filesize 1.5MB
  • memory/2476-0-0x0000000140000000-0x0000000140185000-memory.dmp    Filesize 1.5MB
  • memory/2476-1-0x0000000000240000-0x0000000000247000-memory.dmp    Filesize 28KB
  • memory/3000-102-0x0000000000290000-0x0000000000297000-memory.dmp    Filesize 28KB