Analysis

  • max time kernel
    150s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    20-01-2024 01:37

General

  • Target

    692759203e392d71d9dee01161280ef1.dll

  • Size

    2.6MB

  • MD5

    692759203e392d71d9dee01161280ef1

  • SHA1

    dd9376cdcb27e27eafce10498630c75ca1b11432

  • SHA256

    3b12db2302d38fb3cb124b01f2f6bb81d2d14cc079e87406803e7883bc256a66

  • SHA512

    400a6dde11da33279d426345744481ee8a790a43b017a7d510222874d83ddd9014fe9a3abbe9b2b89e1c39e9da55663484ca4fbcaea7082303fa167e6d99633f

  • SSDEEP

    12288:gVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:FfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\692759203e392d71d9dee01161280ef1.dll,#1
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2092
  • C:\Windows\system32\p2phost.exe
    C:\Windows\system32\p2phost.exe
      PID:2576
    • C:\Users\Admin\AppData\Local\Z0VgzS\p2phost.exe
      C:\Users\Admin\AppData\Local\Z0VgzS\p2phost.exe
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2612
    • C:\Windows\system32\iexpress.exe
      C:\Windows\system32\iexpress.exe
        PID:1928
      • C:\Users\Admin\AppData\Local\Ki2Bh6Dn4\iexpress.exe
        C:\Users\Admin\AppData\Local\Ki2Bh6Dn4\iexpress.exe
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:1396
      • C:\Windows\system32\psr.exe
        C:\Windows\system32\psr.exe
          PID:1816
        • C:\Users\Admin\AppData\Local\ZlEsTIdS\psr.exe
          C:\Users\Admin\AppData\Local\ZlEsTIdS\psr.exe
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1900

        Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\Ki2Bh6Dn4\VERSION.dll

          Filesize

          1.8MB

          MD5

          87b2e3a784a789de78b2a31ea1de4390

          SHA1

          f70cabca5a3c1e41c58ef2351b9de11eb4152fef

          SHA256

          dc484a974ec45d0983c429b0d919b89fff0226df28813aa041a73edd28d89f75

          SHA512

          ff2c63a82874d98bf40663a170a790e0a6cc314dad8d5e5c9ea56427f5f3dfbb6c47437defa97a0132d3f2f85c333c806a7ab568a3d7b224ba8bd8a087a83803

        • C:\Users\Admin\AppData\Local\Ki2Bh6Dn4\iexpress.exe

          Filesize

          163KB

          MD5

          46fd16f9b1924a2ea8cd5c6716cc654f

          SHA1

          99284bc91cf829e9602b4b95811c1d72977700b6

          SHA256

          9f993a1f6a133fa8375eab99bf1710471dd13ef177ef713acf8921fb4ff565a3

          SHA512

          52c91043f514f3f8ce07f8e60357786eb7236fcf6cdcccca0dd76000b9a23d6b138cebcdec53b01823cb2313ec850fc7bece326ec01d44ed33f4052b789b7629

        • C:\Users\Admin\AppData\Local\Z0VgzS\P2P.dll

          Filesize

          1.7MB

          MD5

          07a287432eda352e76eac111bb5e9098

          SHA1

          370c5e3e713f243b1c808518e9a6668d1d182d16

          SHA256

          fd114b54985c0e2bf29dfa98852fb012bc5178c424df47bc2c469800da143fb2

          SHA512

          6c0baea99784df1cc61c4c3aa9b30ed90872b38c0d5504155df202f3f951028411c75f3e7c01b5867b4deb99404ee29eee118d9cfea4ca6ba934b02fc270f567

        • C:\Users\Admin\AppData\Local\Z0VgzS\p2phost.exe

          Filesize

          60KB

          MD5

          d8cac9aa6c580f35485a011b11b5a4c9

          SHA1

          35e27d4140c5cfdd46c5ad7978c3ba3465c7d892

          SHA256

          3f13d679c3ad907664fec9a7ece931085aa40ec99a0af69d1c06c86bc9edfde1

          SHA512

          41218e851a483c181271f60ccaae55820500910a18f86ba429fa36ec694de8f993d3a4389e413c311cdacf2daa8426c4e98a7086fb12bdf069c89028ee1319fa

        • C:\Users\Admin\AppData\Local\ZlEsTIdS\VERSION.dll

          Filesize

          1.6MB

          MD5

          f7b1d37acf90859d126cd7db9bf33a04

          SHA1

          9bd7a9e4c93a4d8ef8b537b23e0b72c433edd4c7

          SHA256

          188dcc8d2566949336c28e61e00c775bb72938b88d1cdf503e88d42a625d3174

          SHA512

          3f26beb6c772311cb343703d4846b5d520b03cdd9267e1ee6af87b284dae7fe654d570bf77265abd47bda15a76468720107dca0ec116f36081079610a980461e

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Zrkibbhbsqvuoso.lnk

          Filesize

          1KB

          MD5

          d33247ac2623a8e8da47e8ed7a7c0f15

          SHA1

          e20068ac70ce529f8bc01396dc03a99d24f84f4f

          SHA256

          afeb41e83ac78e60c81524239dc89e62e20f6a365951b2279d1fce0f6ced1db8

          SHA512

          a29939f7f60b1beca056f38dfe5627690f15145d09f6df338c2087c4d94327fbf5d5da85444214b8cc8c14c7761f4c73e772a5e18fd8bdcb724702a2e55a969c

        • C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\H08\P2P.dll

          Filesize

          2.6MB

          MD5

          95ea9c54318ea1439b0b03346f944bb5

          SHA1

          a94667871a8d096c499de5d55a17a79049a550e6

          SHA256

          86ef970ea2ab6440cf11e3501c90035b485c7b56e5245e30fce6112a289d7222

          SHA512

          6fdac0be620fee1a844afd3834be8ab9caabcf82cf27d723e8827986ed9b8953d0a41ba152ea170f6cd4f15da6ffd79c4a38c0882c8103fa2986c0828ad530d4

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\ZHz\VERSION.dll

          Filesize

          2.6MB

          MD5

          a054aaafd87d279962e2f587cbe3c6cd

          SHA1

          39bb8bd45d8119240ceec9fc5d8056a878f8d1c5

          SHA256

          c843daa2634c4d6c0675249eab71a005f71d0fc2a723ccfecee56120d2520ff4

          SHA512

          0aca1c07d0d51c03d1a94101ab1b4ec36f781dc827c175ee350499f931bb681dbaa59753784b2d188b54a13490d67a9608c6da3c06917e077d38545d772e4c8b

        • \Users\Admin\AppData\Local\Ki2Bh6Dn4\VERSION.dll

          Filesize

          2.6MB

          MD5

          a988a5c7373c89ed5b84e40c117c2a6b

          SHA1

          a3827115dca4e0ec6e2053d0996fb1b62b141cba

          SHA256

          0366357d287fad33662e342dee63c338c402bd47c1da1fa43d2d1a8b3667b5ea

          SHA512

          4a267e8dbdb4750b370056cdcf9d2d5886c28ab234ee1a3b15de09c565877d0d253ba10d8f82707f8157f83bec6957cc07c45210d7a2a7e751d398552788081e

        • \Users\Admin\AppData\Local\Z0VgzS\P2P.dll

          Filesize

          917KB

          MD5

          1a959e119a7e5a0330aa6676703af19e

          SHA1

          cbe937a151baae703918e0f57a42e556c14f6c85

          SHA256

          5509bf34b8a981abb8c2cff8420f832d900f19ee3223b0237aebe210ac1d8354

          SHA512

          e655911074b1621e48ffb465e4a12fea925386ed84d0f215a2e126c6475ee7f7db9a9aaac9a71d8dd72e4f92075398a8ce15b9651adda1a11f943dae5f4c8fb3

        • \Users\Admin\AppData\Local\Z0VgzS\p2phost.exe

          Filesize

          172KB

          MD5

          0dbd420477352b278dfdc24f4672b79c

          SHA1

          df446f25be33ac60371557717073249a64e04bb2

          SHA256

          1baba169de6c8f3b3c33cea96314c67b709a171bdc8ea9c250a0d016db767345

          SHA512

          84014b2dcc00f9fa1a337089ad4d4abcaa9e3155171978ec07bc155ddaebebfabb529d8de3578e564b3aae59545f52d71af173ebb50d2af252f219ac60b453d1

        • \Users\Admin\AppData\Local\ZlEsTIdS\VERSION.dll

          Filesize

          785KB

          MD5

          bcab8a465870c6416ec9e79e29ff8808

          SHA1

          86b842872bca6f94279e0fb9691e9d0c5ee16fad

          SHA256

          99144373f8bc93a170d0bd725a54e4fb34c56cdff8c7ea13d4bad62f6685edf9

          SHA512

          5b1f22c86ca4e30c38248aad0f75f64e2a86d85c707d70ef56af1f44248691183019ea32d66fef9db5272af088c9c84c45411597b7636f40b535046deba7fbfb

        • \Users\Admin\AppData\Local\ZlEsTIdS\psr.exe

          Filesize

          715KB

          MD5

          a80527109d75cba125d940b007eea151

          SHA1

          facf32a9ede6abfaa09368bfdfcfec8554107272

          SHA256

          68910f8aae867e938b6a3b76cdf176898ba275d9ade85b4ce00b03232de4c495

          SHA512

          77b86a597c33af8d3fbd9711f4abe6e0ca33b86279b1d28a25dcf3545a34b221be1ad7d11004d016203809cead1ebfd4b7e889ee9df2efc100eabf77963c1774

        • memory/1312-20-0x0000000140000000-0x000000014028D000-memory.dmp

          Filesize

          2.6MB

        • memory/1312-43-0x0000000002AC0000-0x0000000002AC7000-memory.dmp

          Filesize

          28KB

        • memory/1312-17-0x0000000140000000-0x000000014028D000-memory.dmp

          Filesize

          2.6MB

        • memory/1312-4-0x0000000077576000-0x0000000077577000-memory.dmp

          Filesize

          4KB

        • memory/1312-19-0x0000000140000000-0x000000014028D000-memory.dmp

          Filesize

          2.6MB

        • memory/1312-21-0x0000000140000000-0x000000014028D000-memory.dmp

          Filesize

          2.6MB

        • memory/1312-22-0x0000000140000000-0x000000014028D000-memory.dmp

          Filesize

          2.6MB

        • memory/1312-23-0x0000000140000000-0x000000014028D000-memory.dmp

          Filesize

          2.6MB

        • memory/1312-24-0x0000000140000000-0x000000014028D000-memory.dmp

          Filesize

          2.6MB

        • memory/1312-25-0x0000000140000000-0x000000014028D000-memory.dmp

          Filesize

          2.6MB

        • memory/1312-26-0x0000000140000000-0x000000014028D000-memory.dmp

          Filesize

          2.6MB

        • memory/1312-27-0x0000000140000000-0x000000014028D000-memory.dmp

          Filesize

          2.6MB

        • memory/1312-28-0x0000000140000000-0x000000014028D000-memory.dmp

          Filesize

          2.6MB

        • memory/1312-30-0x0000000140000000-0x000000014028D000-memory.dmp

          Filesize

          2.6MB

        • memory/1312-29-0x0000000140000000-0x000000014028D000-memory.dmp

          Filesize

          2.6MB

        • memory/1312-31-0x0000000140000000-0x000000014028D000-memory.dmp

          Filesize

          2.6MB

        • memory/1312-32-0x0000000140000000-0x000000014028D000-memory.dmp

          Filesize

          2.6MB

        • memory/1312-33-0x0000000140000000-0x000000014028D000-memory.dmp

          Filesize

          2.6MB

        • memory/1312-34-0x0000000140000000-0x000000014028D000-memory.dmp

          Filesize

          2.6MB

        • memory/1312-36-0x0000000140000000-0x000000014028D000-memory.dmp

          Filesize

          2.6MB

        • memory/1312-35-0x0000000140000000-0x000000014028D000-memory.dmp

          Filesize

          2.6MB

        • memory/1312-37-0x0000000140000000-0x000000014028D000-memory.dmp

          Filesize

          2.6MB

        • memory/1312-38-0x0000000140000000-0x000000014028D000-memory.dmp

          Filesize

          2.6MB

        • memory/1312-39-0x0000000140000000-0x000000014028D000-memory.dmp

          Filesize

          2.6MB

        • memory/1312-41-0x0000000140000000-0x000000014028D000-memory.dmp

          Filesize

          2.6MB

        • memory/1312-18-0x0000000140000000-0x000000014028D000-memory.dmp

          Filesize

          2.6MB

        • memory/1312-42-0x0000000140000000-0x000000014028D000-memory.dmp

          Filesize

          2.6MB

        • memory/1312-40-0x0000000140000000-0x000000014028D000-memory.dmp

          Filesize

          2.6MB

        • memory/1312-50-0x0000000140000000-0x000000014028D000-memory.dmp

          Filesize

          2.6MB

        • memory/1312-52-0x00000000777E0000-0x00000000777E2000-memory.dmp

          Filesize

          8KB

        • memory/1312-51-0x0000000077681000-0x0000000077682000-memory.dmp

          Filesize

          4KB

        • memory/1312-61-0x0000000140000000-0x000000014028D000-memory.dmp

          Filesize

          2.6MB

        • memory/1312-67-0x0000000140000000-0x000000014028D000-memory.dmp

          Filesize

          2.6MB

        • memory/1312-13-0x0000000140000000-0x000000014028D000-memory.dmp

          Filesize

          2.6MB

        • memory/1312-16-0x0000000140000000-0x000000014028D000-memory.dmp

          Filesize

          2.6MB

        • memory/1312-15-0x0000000140000000-0x000000014028D000-memory.dmp

          Filesize

          2.6MB

        • memory/1312-5-0x0000000002AF0000-0x0000000002AF1000-memory.dmp

          Filesize

          4KB

        • memory/1312-137-0x0000000077576000-0x0000000077577000-memory.dmp

          Filesize

          4KB

        • memory/1312-8-0x0000000140000000-0x000000014028D000-memory.dmp

          Filesize

          2.6MB

        • memory/1312-14-0x0000000140000000-0x000000014028D000-memory.dmp

          Filesize

          2.6MB

        • memory/1312-10-0x0000000140000000-0x000000014028D000-memory.dmp

          Filesize

          2.6MB

        • memory/1312-11-0x0000000140000000-0x000000014028D000-memory.dmp

          Filesize

          2.6MB

        • memory/1312-12-0x0000000140000000-0x000000014028D000-memory.dmp

          Filesize

          2.6MB

        • memory/1312-9-0x0000000140000000-0x000000014028D000-memory.dmp

          Filesize

          2.6MB

        • memory/1396-97-0x0000000000100000-0x0000000000107000-memory.dmp

          Filesize

          28KB

        • memory/1900-116-0x00000000000A0000-0x00000000000A7000-memory.dmp

          Filesize

          28KB

        • memory/2092-7-0x0000000140000000-0x000000014028D000-memory.dmp

          Filesize

          2.6MB

        • memory/2092-0-0x0000000000190000-0x0000000000197000-memory.dmp

          Filesize

          28KB

        • memory/2092-1-0x0000000140000000-0x000000014028D000-memory.dmp

          Filesize

          2.6MB

        • memory/2612-85-0x0000000140000000-0x000000014028E000-memory.dmp

          Filesize

          2.6MB

        • memory/2612-80-0x0000000140000000-0x000000014028E000-memory.dmp

          Filesize

          2.6MB

        • memory/2612-79-0x0000000000080000-0x0000000000087000-memory.dmp

          Filesize

          28KB