Analysis

  • max time kernel
    150s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    19-01-2024 12:26

General

  • Target

    679f5677802f338adc80c1c2058b5f66.dll

  • Size

    1.4MB

  • MD5

    679f5677802f338adc80c1c2058b5f66

  • SHA1

    de3198e8574810a74dea319fa5f3646b2ed05b64

  • SHA256

    7c001fa46c93bc6147cf0e2fafbbf52213c1ec82788aa9bba51c89bb12cfe90f

  • SHA512

    1720b8eb1a8c1f0d35519c30089acf516f79bb4071636862b53d47a97a79f650dff53f823a7209a6099b884b4f898eedd1a7747d5b00fc21d268e8cd5561e11d

  • SSDEEP

    12288:SVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:PfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\679f5677802f338adc80c1c2058b5f66.dll,#1
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1700
  • C:\Windows\system32\psr.exe
    C:\Windows\system32\psr.exe
    PID:2588
    • C:\Users\Admin\AppData\Local\MV9PFCsb\psr.exe
      C:\Users\Admin\AppData\Local\MV9PFCsb\psr.exe
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2632
    • C:\Windows\system32\rdpshell.exe
      C:\Windows\system32\rdpshell.exe
      PID:476
      • C:\Users\Admin\AppData\Local\rROJpS\rdpshell.exe
        C:\Users\Admin\AppData\Local\rROJpS\rdpshell.exe
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:1484
      • C:\Windows\system32\DWWIN.EXE
        C:\Windows\system32\DWWIN.EXE
        PID:2912
        • C:\Users\Admin\AppData\Local\8KCIv\DWWIN.EXE
          C:\Users\Admin\AppData\Local\8KCIv\DWWIN.EXE
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2596

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\8KCIv\DWWIN.EXE (34KB)
  • C:\Users\Admin\AppData\Local\8KCIv\VERSION.dll (35KB)
  • C:\Users\Admin\AppData\Local\MV9PFCsb\VERSION.dll (127KB)
  • C:\Users\Admin\AppData\Local\MV9PFCsb\psr.exe (96KB)
  • C:\Users\Admin\AppData\Local\MV9PFCsb\psr.exe (70KB)
  • C:\Users\Admin\AppData\Local\rROJpS\WTSAPI32.dll (134KB)
  • C:\Users\Admin\AppData\Local\rROJpS\rdpshell.exe (216KB)
  • C:\Users\Admin\AppData\Local\rROJpS\rdpshell.exe (96KB)
  • C:\Users\Admin\AppData\Roaming\Identities\cNk17rkA1\WTSAPI32.dll (1.4MB)
  • C:\Users\Admin\AppData\Roaming\Identities\pWjIq\VERSION.dll (1.4MB)
  • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Gmfoo.lnk (1KB)
  • C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\GYjwXoax4EI\DWWIN.EXE (93KB)
  • C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\GYjwXoax4EI\VERSION.dll (1.4MB)
  • \Users\Admin\AppData\Local\8KCIv\DWWIN.EXE (59KB)
  • \Users\Admin\AppData\Local\8KCIv\VERSION.dll (43KB)
  • \Users\Admin\AppData\Local\MV9PFCsb\VERSION.dll (70KB)
  • \Users\Admin\AppData\Local\MV9PFCsb\psr.exe (48KB)
  • \Users\Admin\AppData\Local\rROJpS\WTSAPI32.dll (120KB)
  • \Users\Admin\AppData\Local\rROJpS\rdpshell.exe (147KB)
  • \Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\GYjwXoax4EI\DWWIN.EXE (92KB)
