Analysis

  • max time kernel
    150s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    19-01-2024 07:50

General

  • Target
    6714db2df8a6f6b5c50d59629ec34c6c.dll
  • Size
    3.2MB
  • MD5
    6714db2df8a6f6b5c50d59629ec34c6c
  • SHA1
    a4b2879a300b905a63dce5114092208d4d1dec9a
  • SHA256
    d86ef2b5b3a29c907febf6d15d8f3fa781e1d5314549fed66df51d00db694818
  • SHA512
    7b6f0a5a4ea204821d3e513cb9a5c2926f06ab2ae2aea9d5baba857ec82867bf912edf75ab8e0250364ca81e015114d71b3e26dc9918ee734103fbc7456d1d56
  • SSDEEP
    12288:yVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:vfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\6714db2df8a6f6b5c50d59629ec34c6c.dll,#1
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2168
  • C:\Windows\system32\slui.exe
    C:\Windows\system32\slui.exe
    PID:2888
  • C:\Users\Admin\AppData\Local\1LYvp\slui.exe
    C:\Users\Admin\AppData\Local\1LYvp\slui.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:3000
  • C:\Windows\system32\SoundRecorder.exe
    C:\Windows\system32\SoundRecorder.exe
    PID:784
  • C:\Users\Admin\AppData\Local\xTgeUD\SoundRecorder.exe
    C:\Users\Admin\AppData\Local\xTgeUD\SoundRecorder.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:1864
  • C:\Windows\system32\rdrleakdiag.exe
    C:\Windows\system32\rdrleakdiag.exe
    PID:2832
  • C:\Users\Admin\AppData\Local\0ShrJ\rdrleakdiag.exe
    C:\Users\Admin\AppData\Local\0ShrJ\rdrleakdiag.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:2828
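Each of the three dropped executables above (slui.exe, SoundRecorder.exe, rdrleakdiag.exe) is a Windows-native binary running from a random-named directory under AppData\Local, and the report flags each one as loading a dropped DLL. The Downloads section lists, in those same directories, DLLs named WINBRAND.dll, WINMM.dll and wer.dll, the names of DLLs that ship in System32. That is the DLL search-order-hijack layout: an EXE copied next to a same-named DLL resolves it from its own directory before System32 (for DLLs that are not KnownDLLs), so a signed Microsoft binary ends up running the dropped code. The following is an added example, not tooling from the sandbox or from this report: it takes the dropped paths and SHA256 values from the Downloads section as its constructed input, assumes allow-lists of native EXE and DLL names limited to what appears on this page (in practice they would be built from a clean System32 listing), assumes C: for the entries the report lists without a drive letter, and flags the staging directories, the extra DLL copies under AppData\Roaming, and the Startup-folder shortcut.

```python
"""Flag the DLL search-order-hijack staging layout and the Startup-folder
persistence recorded in this report's dropped-file list.

Added example for this report page, not the sandbox's tooling. DROPPED is
copied from the Downloads section as (path, SHA256). SYSTEM_EXES/SYSTEM_DLLS
are an ASSUMED allow-list limited to names on this page (in real use, build
them from a clean System32 listing); drive-less entries are ASSUMED on C:.
"""
from collections import defaultdict
from pathlib import PureWindowsPath

SYSTEM_EXES = {"slui.exe", "soundrecorder.exe", "rdrleakdiag.exe"}  # assumed
SYSTEM_DLLS = {"winbrand.dll", "winmm.dll", "wer.dll"}              # assumed
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files")  # native-binary homes
STARTUP_MARKERS = ("\\startm~1\\programs\\startup\\",      # 8.3 form in report
                   "\\start menu\\programs\\startup\\")

DROPPED = [  # (path, SHA256) as listed in this report's Downloads section
    (r"C:\Users\Admin\AppData\Local\0ShrJ\wer.dll", "93db37691d69b750e9d8d4c76f7af600bb70ddd93f0570eefef06bf1475ae4ae"),
    (r"C:\Users\Admin\AppData\Local\1LYvp\WINBRAND.dll", "83d33081af1ef341e4047cce0ffab5a25f015d2e2b7dbf9914f90ee1dd89cf9e"),
    (r"C:\Users\Admin\AppData\Local\1LYvp\slui.exe", "a6fb08368d86b0d9923da90e0a9337fa73b7d28238fcb40c67697bbfafbc4be0"),
    (r"C:\Users\Admin\AppData\Local\1LYvp\slui.exe", "88a6c503b97735038aeecdbeacf977777507c6af2eca6cce77fddb1d581247af"),
    (r"C:\Users\Admin\AppData\Local\xTgeUD\WINMM.dll", "f9c92587c6c8c6a035bbbb2ba3ad09843392df098f8d1b0b81f4dd66bbf692e0"),
    (r"C:\Users\Admin\AppData\Roaming\Identities\{EF0662BB-4AFF-4F56-815E-2ED0C139F855}\8F1\WINBRAND.dll", "25c36ce747691e368aa3ed7ebaf9e8290324e454299edeeda3e8a3ac69561f69"),
    (r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Yiudzqwx.lnk", "24ba390e6461f4f0acf1292ba1dc6d3be1d5894768c1f4a18df92c485cf5c1ba"),
    (r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IETldCache\62\wer.dll", "a4210f6342865988fd4c7bf8566649ccd2e48a5aa6574fbe5908533bb965ebc2"),
    (r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\4HBT6\WINMM.dll", "678b553820afccc2eee907367d2a1d38e2531ba2d3162e461705c5de4f687984"),
    (r"\Users\Admin\AppData\Local\0ShrJ\rdrleakdiag.exe", "ae83b050fa722da7e4b19fc3d534f0126b1ec055643bb1f267b85b55160f4409"),
    (r"\Users\Admin\AppData\Local\0ShrJ\wer.dll", "ab72a3bb8f0fbf1e5a10ccebde5daa66156743e5e7eacebab537460d2f0e8387"),
    (r"\Users\Admin\AppData\Local\1LYvp\WINBRAND.dll", "a93123a4e1325c0025e8e91971536434dd4a6d54ce02af9ee659530b8be80237"),
    (r"\Users\Admin\AppData\Local\1LYvp\slui.exe", "9e26996c442389e61c4eef9048735b89adc8fa0d1a72b2b5e35a5efd78f64650"),
    (r"\Users\Admin\AppData\Local\xTgeUD\SoundRecorder.exe", "e81b11fe30b16fa4e3f08810513c245248adce8566355a8f2a19c63b1143ff5b"),
    (r"\Users\Admin\AppData\Local\xTgeUD\WINMM.dll", "e39a8c71a30523802383240a4cbb01369655afbf185a26efe97acf2ee93c9d6d"),
]

def normalize(path):
    """Lower-case, drive-qualified form of a report path, for comparison."""
    p = PureWindowsPath(path)
    if not p.drive:  # "\Users\..." entries: the sandbox has only C:, assume it
        p = PureWindowsPath("C:" + str(p))
    return str(p).lower()

def files_by_dir(records):
    """{directory: {file names}} over the normalized dropped paths."""
    out = defaultdict(set)
    for path, _sha in records:
        p = PureWindowsPath(normalize(path))
        out[str(p.parent)].add(p.name)
    return out

def find_sideload_dirs(records):
    """Directories outside trusted locations holding a copy of a Windows-native
    EXE next to a DLL named like a system DLL. That EXE resolves the DLL from
    its own directory before System32 (search-order hijack, for DLLs that are
    not KnownDLLs). Returns {dir: (exe names, dll names)}."""
    hits = {}
    for d, names in files_by_dir(records).items():
        if d.startswith(TRUSTED_PREFIXES):
            continue
        exes, dlls = sorted(names & SYSTEM_EXES), sorted(names & SYSTEM_DLLS)
        if exes and dlls:
            hits[d] = (tuple(exes), tuple(dlls))
    return hits

def find_orphan_dll_copies(records):
    """Untrusted directories holding a system-DLL-named file with no host EXE
    beside it: additional staged copies under the same DLL names."""
    return sorted(d for d, names in files_by_dir(records).items()
                  if not d.startswith(TRUSTED_PREFIXES)
                  and names & SYSTEM_DLLS and not names & SYSTEM_EXES)

def find_startup_lnk(records):
    """Shortcut files written to the per-user Startup folder (persistence)."""
    return sorted(n for n in (normalize(p) for p, _ in records)
                  if n.endswith(".lnk") and any(m in n for m in STARTUP_MARKERS))

def hashes_by_path(records):
    """SHA256 values observed per path. Several per path means the loader
    rewrote the file during the run, so a single file hash is a weak IoC."""
    out = defaultdict(set)
    for path, sha in records:
        out[normalize(path)].add(sha)
    return dict(out)

if __name__ == "__main__":
    for d, (exes, dlls) in sorted(find_sideload_dirs(DROPPED).items()):
        print(f"sideload staging: {d}  exe={exes} dll={dlls}")
    print("staged DLL copies:", *find_orphan_dll_copies(DROPPED), sep="\n  ")
    print("startup shortcut :", *find_startup_lnk(DROPPED), sep="\n  ")
```

Running it lists the three staging directories (0ShrJ, 1LYvp, xTgeUD) with their EXE/DLL pairs, the three DLL-only copies under AppData\Roaming, and the Yiudzqwx.lnk shortcut. hashes_by_path returns three different SHA256 values for 1LYvp\slui.exe, so a hash-only indicator for the staged files would miss the later rewrites; the directory layout and the Startup shortcut are the stable signals to hunt for.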

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\0ShrJ\wer.dll
    Filesize: 1.5MB
    MD5: 49b55439a96b7003436742ad9e335996
    SHA1: eadb0c32c6836ffddeb9bae3f628da1dc46eb354
    SHA256: 93db37691d69b750e9d8d4c76f7af600bb70ddd93f0570eefef06bf1475ae4ae
    SHA512: abc9b4cb1eac592bab581dcd8aa872cd00a4ace2e6f567d2a59582403a1ea95515fbaf2ff8b7179ea27acd83ad60edd6681a75480330b25c6636c68a7988ae24

  • C:\Users\Admin\AppData\Local\1LYvp\WINBRAND.dll
    Filesize: 147KB
    MD5: e5c9c7d7e52fd682e921e3e9460ac004
    SHA1: 17337c9052eb419454d6ae66c756ce22e76b3da0
    SHA256: 83d33081af1ef341e4047cce0ffab5a25f015d2e2b7dbf9914f90ee1dd89cf9e
    SHA512: cd7cf70010aafb0472a879da5527144966c2317c511c3e2df31951be277bd038bbc89dd694dc7f6d75caf9e7efc5ff16b3996bd5e9a8b8fbcfc78f12e9ef2a83

  • C:\Users\Admin\AppData\Local\1LYvp\slui.exe
    Filesize: 64KB
    MD5: 4036533e7ad0a6f1fcf6bddd8915a3e7
    SHA1: 6a0607493719824ca744ee98288c6c3b93c27779
    SHA256: a6fb08368d86b0d9923da90e0a9337fa73b7d28238fcb40c67697bbfafbc4be0
    SHA512: 5a65ddd9eb69f84ce7d668a6da990d47f5af8c91c045729a3db9c5329ca78ee55f6358773c23a77826704d9c6567592c781b26bc924e5c664a369968ee80f56c

  • C:\Users\Admin\AppData\Local\1LYvp\slui.exe
    Filesize: 142KB
    MD5: 4c69d77cedf7f93c32016dfcdd2e2d48
    SHA1: 42a775e41b551df80e6d0c10fe504ff229575cc6
    SHA256: 88a6c503b97735038aeecdbeacf977777507c6af2eca6cce77fddb1d581247af
    SHA512: 98d82edca5e42a2d05f2318f2612bcc2b47bf0f7f1a9b39dd722e8e798af27aee4eb8bfb1a798db4ed710191148758b2f645415c73e3979608c679cc56bc2d04

  • C:\Users\Admin\AppData\Local\xTgeUD\WINMM.dll
    Filesize: 266KB
    MD5: 5231bdcb06e75797eae0f5a2f04d5b62
    SHA1: 3823dce4039a449214f83fce7229039d3f66ab97
    SHA256: f9c92587c6c8c6a035bbbb2ba3ad09843392df098f8d1b0b81f4dd66bbf692e0
    SHA512: 94c58fa06e6e467586cf9cd2d73056c8bdce88aeb77210540d8da157e9fc5998686913948f6ec77b207094cca46aebcacd2abfb542b23d5c888d33d65f75a448

  • C:\Users\Admin\AppData\Roaming\Identities\{EF0662BB-4AFF-4F56-815E-2ED0C139F855}\8F1\WINBRAND.dll
    Filesize: 3.2MB
    MD5: 798b239a9c885dd28e896ad5dd58cf29
    SHA1: cd8a6df7f2291db2b5d33a7b40e8b7bf5d52e249
    SHA256: 25c36ce747691e368aa3ed7ebaf9e8290324e454299edeeda3e8a3ac69561f69
    SHA512: 66f7b5a56da76c46ac2ca290d38ae49b3a94482606580122763ab2c923d471bee8a090ad07eeeb61907b6e2a8f80e9c13708f370e61dd960cb3e6cd983a9f9f7

  • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Yiudzqwx.lnk
    Filesize: 1KB
    MD5: b211d9f88c0b1e77ca0b761adbf41af1
    SHA1: d9deccd2217e6e372bebeae751275b1734bc146a
    SHA256: 24ba390e6461f4f0acf1292ba1dc6d3be1d5894768c1f4a18df92c485cf5c1ba
    SHA512: 8398a3b228588ea211c2918389ceae1b9bb13883a95345772583261e1b2ffed6eaf1fd060f93d862168c62502c5abbe5bbbff5914308e8290a6ec8182ee3987c

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IETldCache\62\wer.dll
    Filesize: 3.2MB
    MD5: 153901ab12c8a12a81b63dd43607377f
    SHA1: 01877819eab589c806804c8905ba17305240f364
    SHA256: a4210f6342865988fd4c7bf8566649ccd2e48a5aa6574fbe5908533bb965ebc2
    SHA512: 0b119887d580fdefa41a9660e3f5acd50712682f011c7c2ae7652ce0715beedafe823dc62d33a8a9394a83bb07dfba91095184e36040802598978c06f9c8a4e6

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\4HBT6\WINMM.dll
    Filesize: 3.2MB
    MD5: d7b4fb439c322922134c6d7ff180e548
    SHA1: a225f6fa1effb287d372be66e143853c245b922d
    SHA256: 678b553820afccc2eee907367d2a1d38e2531ba2d3162e461705c5de4f687984
    SHA512: 1ad7fb22fabac3fa9d66c667055ff559b4fb3ff25903cc3b888a374d0fb1f24ad985e8b0983dfafd6dbb386b7a120227675c0cfa5bd359325fa84121d4937e31

  • \Users\Admin\AppData\Local\0ShrJ\rdrleakdiag.exe
    Filesize: 39KB
    MD5: 5e058566af53848541fa23fba4bb5b81
    SHA1: 769ce3bfc45e4d56ed01dbeeeca7be22f9b9eed6
    SHA256: ae83b050fa722da7e4b19fc3d534f0126b1ec055643bb1f267b85b55160f4409
    SHA512: 352029cf0af7583a4c525cfd1da7467446bac410a885b2768d8052f39577ccce85b21d5bd946be6bf8341e7308c8e4f645e4d79232b93aaf6a92d6cd55f598d0

  • \Users\Admin\AppData\Local\0ShrJ\wer.dll
    Filesize: 2.4MB
    MD5: b5e9c51fa887699fe07dfb07cac15ed1
    SHA1: bec490f6765cf1f0f75d8f0d2004ccc87d984453
    SHA256: ab72a3bb8f0fbf1e5a10ccebde5daa66156743e5e7eacebab537460d2f0e8387
    SHA512: 42e06786b64afa93d1ae3847f1660f06030e2fac6c703deb8c73b5d4754311e6e92032ddd4727d05b0af76d6de2b59466fe8556cda9494d7bc38878cd44faa38

  • \Users\Admin\AppData\Local\1LYvp\WINBRAND.dll
    Filesize: 119KB
    MD5: f9d45b1dc0431c1e093e212c00b819ed
    SHA1: 2de9cb5e9acf358fcb627acdbfba13404a6ce04c
    SHA256: a93123a4e1325c0025e8e91971536434dd4a6d54ce02af9ee659530b8be80237
    SHA512: f918ce1a255da0523505aa9d0ceb4ed89bfdec5f3435df8c81aa3d7df9bc8c8d7e37e1b430601746415f4ee92af17d85920463ba0d95a73749bc99131c90bb91

  • \Users\Admin\AppData\Local\1LYvp\slui.exe
    Filesize: 138KB
    MD5: 5c70675645de3a5d03c151f37a2b8242
    SHA1: 2259f35ac4c77f3f2fc5bbe9811b3c24de1e2bf1
    SHA256: 9e26996c442389e61c4eef9048735b89adc8fa0d1a72b2b5e35a5efd78f64650
    SHA512: df520d2857cfad413542f2ad846bff8664ac5ee9c532dcb6ee52a771387b8a0e1b5b3b59b2ab5af6f1642758daf0317b72b161399d35457d1163bf3b0d2ac118

  • \Users\Admin\AppData\Local\xTgeUD\SoundRecorder.exe
    Filesize: 139KB
    MD5: 47f0f526ad4982806c54b845b3289de1
    SHA1: 8420ea488a2e187fe1b7fcfb53040d10d5497236
    SHA256: e81b11fe30b16fa4e3f08810513c245248adce8566355a8f2a19c63b1143ff5b
    SHA512: 4c9a1aa5ed55087538c91a77d7420932263b69e59dc57b1db738e59624265b734bf29e2b6ed8d0adb2e0dec5763bfbf86876fd7d1139c21e829001c7868d515d

  • \Users\Admin\AppData\Local\xTgeUD\WINMM.dll
    Filesize: 284KB
    MD5: be6a135b25e5ddcb17a2e609fdc276f1
    SHA1: ae8876baa92ece9ccf2b7c6c2bbab0bd529659bb
    SHA256: e39a8c71a30523802383240a4cbb01369655afbf185a26efe97acf2ee93c9d6d
    SHA512: 350bbec3cc4468d598d2aaf1be61aab25c17eef9483a6dc9de814259299efc087fda0a4287ba7e3462cdf0fabc54abb4c73785dbdefa6d8e1ff089f205f0dfa0

  • memory/1360-49-0x0000000140000000-0x0000000140331000-memory.dmp (Filesize 3.2MB)
  • memory/1360-56-0x0000000140000000-0x0000000140331000-memory.dmp (Filesize 3.2MB)
  • memory/1360-21-0x0000000140000000-0x0000000140331000-memory.dmp (Filesize 3.2MB)
  • memory/1360-17-0x0000000140000000-0x0000000140331000-memory.dmp (Filesize 3.2MB)
  • memory/1360-25-0x0000000140000000-0x0000000140331000-memory.dmp (Filesize 3.2MB)
  • memory/1360-26-0x0000000140000000-0x0000000140331000-memory.dmp (Filesize 3.2MB)
  • memory/1360-27-0x0000000140000000-0x0000000140331000-memory.dmp (Filesize 3.2MB)
  • memory/1360-29-0x0000000140000000-0x0000000140331000-memory.dmp (Filesize 3.2MB)
  • memory/1360-30-0x0000000140000000-0x0000000140331000-memory.dmp (Filesize 3.2MB)
  • memory/1360-31-0x0000000140000000-0x0000000140331000-memory.dmp (Filesize 3.2MB)
  • memory/1360-32-0x0000000140000000-0x0000000140331000-memory.dmp (Filesize 3.2MB)
  • memory/1360-28-0x0000000140000000-0x0000000140331000-memory.dmp (Filesize 3.2MB)
  • memory/1360-34-0x0000000140000000-0x0000000140331000-memory.dmp (Filesize 3.2MB)
  • memory/1360-35-0x0000000140000000-0x0000000140331000-memory.dmp (Filesize 3.2MB)
  • memory/1360-38-0x0000000140000000-0x0000000140331000-memory.dmp (Filesize 3.2MB)
  • memory/1360-39-0x0000000140000000-0x0000000140331000-memory.dmp (Filesize 3.2MB)
  • memory/1360-40-0x0000000140000000-0x0000000140331000-memory.dmp (Filesize 3.2MB)
  • memory/1360-41-0x0000000140000000-0x0000000140331000-memory.dmp (Filesize 3.2MB)
  • memory/1360-36-0x0000000140000000-0x0000000140331000-memory.dmp (Filesize 3.2MB)
  • memory/1360-42-0x0000000140000000-0x0000000140331000-memory.dmp (Filesize 3.2MB)
  • memory/1360-37-0x0000000140000000-0x0000000140331000-memory.dmp (Filesize 3.2MB)
  • memory/1360-43-0x0000000140000000-0x0000000140331000-memory.dmp (Filesize 3.2MB)
  • memory/1360-45-0x0000000140000000-0x0000000140331000-memory.dmp (Filesize 3.2MB)
  • memory/1360-44-0x0000000140000000-0x0000000140331000-memory.dmp (Filesize 3.2MB)
  • memory/1360-46-0x0000000140000000-0x0000000140331000-memory.dmp (Filesize 3.2MB)
  • memory/1360-47-0x0000000140000000-0x0000000140331000-memory.dmp (Filesize 3.2MB)
  • memory/1360-48-0x0000000140000000-0x0000000140331000-memory.dmp (Filesize 3.2MB)
  • memory/1360-4-0x00000000779A6000-0x00000000779A7000-memory.dmp (Filesize 4KB)
  • memory/1360-52-0x0000000140000000-0x0000000140331000-memory.dmp (Filesize 3.2MB)
  • memory/1360-53-0x0000000140000000-0x0000000140331000-memory.dmp (Filesize 3.2MB)
  • memory/1360-51-0x0000000140000000-0x0000000140331000-memory.dmp (Filesize 3.2MB)
  • memory/1360-50-0x0000000140000000-0x0000000140331000-memory.dmp (Filesize 3.2MB)
  • memory/1360-54-0x0000000140000000-0x0000000140331000-memory.dmp (Filesize 3.2MB)
  • memory/1360-55-0x0000000140000000-0x0000000140331000-memory.dmp (Filesize 3.2MB)
  • memory/1360-33-0x0000000140000000-0x0000000140331000-memory.dmp (Filesize 3.2MB)
  • memory/1360-22-0x0000000140000000-0x0000000140331000-memory.dmp (Filesize 3.2MB)
  • memory/1360-57-0x0000000140000000-0x0000000140331000-memory.dmp (Filesize 3.2MB)
  • memory/1360-59-0x0000000140000000-0x0000000140331000-memory.dmp (Filesize 3.2MB)
  • memory/1360-61-0x0000000140000000-0x0000000140331000-memory.dmp (Filesize 3.2MB)
  • memory/1360-62-0x0000000140000000-0x0000000140331000-memory.dmp (Filesize 3.2MB)
  • memory/1360-60-0x0000000140000000-0x0000000140331000-memory.dmp (Filesize 3.2MB)
  • memory/1360-64-0x0000000140000000-0x0000000140331000-memory.dmp (Filesize 3.2MB)
  • memory/1360-63-0x0000000140000000-0x0000000140331000-memory.dmp (Filesize 3.2MB)
  • memory/1360-65-0x0000000140000000-0x0000000140331000-memory.dmp (Filesize 3.2MB)
  • memory/1360-66-0x0000000002590000-0x0000000002597000-memory.dmp (Filesize 28KB)
  • memory/1360-58-0x0000000140000000-0x0000000140331000-memory.dmp (Filesize 3.2MB)
  • memory/1360-74-0x0000000077AB1000-0x0000000077AB2000-memory.dmp (Filesize 4KB)
  • memory/1360-77-0x0000000077C10000-0x0000000077C12000-memory.dmp (Filesize 8KB)
  • memory/1360-23-0x0000000140000000-0x0000000140331000-memory.dmp (Filesize 3.2MB)
  • memory/1360-24-0x0000000140000000-0x0000000140331000-memory.dmp (Filesize 3.2MB)
  • memory/1360-18-0x0000000140000000-0x0000000140331000-memory.dmp (Filesize 3.2MB)
  • memory/1360-5-0x00000000025C0000-0x00000000025C1000-memory.dmp (Filesize 4KB)
  • memory/1360-7-0x0000000140000000-0x0000000140331000-memory.dmp (Filesize 3.2MB)
  • memory/1360-9-0x0000000140000000-0x0000000140331000-memory.dmp (Filesize 3.2MB)
  • memory/1360-10-0x0000000140000000-0x0000000140331000-memory.dmp (Filesize 3.2MB)
  • memory/1360-20-0x0000000140000000-0x0000000140331000-memory.dmp (Filesize 3.2MB)
  • memory/1360-19-0x0000000140000000-0x0000000140331000-memory.dmp (Filesize 3.2MB)
  • memory/1360-16-0x0000000140000000-0x0000000140331000-memory.dmp (Filesize 3.2MB)
  • memory/1360-14-0x0000000140000000-0x0000000140331000-memory.dmp (Filesize 3.2MB)
  • memory/1360-15-0x0000000140000000-0x0000000140331000-memory.dmp (Filesize 3.2MB)
  • memory/1360-157-0x00000000779A6000-0x00000000779A7000-memory.dmp (Filesize 4KB)
  • memory/1360-13-0x0000000140000000-0x0000000140331000-memory.dmp (Filesize 3.2MB)
  • memory/1360-12-0x0000000140000000-0x0000000140331000-memory.dmp (Filesize 3.2MB)
  • memory/1360-11-0x0000000140000000-0x0000000140331000-memory.dmp (Filesize 3.2MB)
  • memory/1864-118-0x0000000000100000-0x0000000000107000-memory.dmp (Filesize 28KB)
  • memory/2168-8-0x0000000140000000-0x0000000140331000-memory.dmp (Filesize 3.2MB)
  • memory/2168-1-0x0000000140000000-0x0000000140331000-memory.dmp (Filesize 3.2MB)
  • memory/2168-0-0x0000000000110000-0x0000000000117000-memory.dmp (Filesize 28KB)
  • memory/2828-135-0x00000000000F0000-0x00000000000F7000-memory.dmp (Filesize 28KB)
  • memory/3000-98-0x0000000000190000-0x0000000000197000-memory.dmp (Filesize 28KB)