Analysis

  • max time kernel
    150s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    20-01-2024 01:00

General

  • Target

    6913c976717f771261d42365e9ed8940.dll

  • Size

    2.5MB

  • MD5

    6913c976717f771261d42365e9ed8940

  • SHA1

    de6623f60ec96e264ee873aaf2ceeacf81313405

  • SHA256

    f3ca4c539c12c3d56e02f61e3aa2def83515305b89bcbe17274ac895313ad46a

  • SHA512

    68ee9ec13b10596eb96f2fb0a0b66a93149c49ac922aff3830ff81234af5f6b8c4326aa188c3f26a43809d10f2cb40da40e7d01957459526b858ce5a21b3a934

  • SSDEEP

    24576:zfP7fWsK5z9A+WGAW+V5SB6Ct4bnbcs+:DDW/e+WG0Vo6CtSn

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex payload shellcode injected into the Explorer process.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\6913c976717f771261d42365e9ed8940.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1964
  • C:\Users\Admin\AppData\Local\sqaZ7\osk.exe
    C:\Users\Admin\AppData\Local\sqaZ7\osk.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:2840
  • C:\Windows\system32\osk.exe
    C:\Windows\system32\osk.exe
    1⤵
      PID:2732
    • C:\Windows\system32\wbengine.exe
      C:\Windows\system32\wbengine.exe
      1⤵
        PID:2540
      • C:\Users\Admin\AppData\Local\xQu\wbengine.exe
        C:\Users\Admin\AppData\Local\xQu\wbengine.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2632
      • C:\Windows\system32\SystemPropertiesPerformance.exe
        C:\Windows\system32\SystemPropertiesPerformance.exe
        1⤵
          PID:1712
        • C:\Users\Admin\AppData\Local\Y4PRBO\SystemPropertiesPerformance.exe
          C:\Users\Admin\AppData\Local\Y4PRBO\SystemPropertiesPerformance.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:364

Network

MITRE ATT&CK Enterprise v15

Downloads

        • C:\Users\Admin\AppData\Local\Y4PRBO\SYSDM.CPL

          Filesize

          1KB

          MD5

          2bf62b235ab0a21be522f0ef6c8eda3e

          SHA1

          de35da9db87d8f833f278a93ad18df5c006f0fcb

          SHA256

          a2d7b9bc28b54f1a7be608232250d68848ebe1b595072f655ae816f26e3f163d

          SHA512

          62fa4d5e55bbca88e5abc25949ac34a5f0185f2ae919118ad834fb6b4661674e2e38f382d83a2542703ac5ae3a8673fe6c76c7f698b7763bb5158edab9d68797

        • C:\Users\Admin\AppData\Local\Y4PRBO\SystemPropertiesPerformance.exe

          Filesize

          68KB

          MD5

          74bd95429d5383e61874dad934730c21

          SHA1

          5000c16c2dd3f337d25315dc935db93a3bd51119

          SHA256

          f984ac688b17d9fae0fc811ce9a3f0d10eefd9189b7efa7fbecfa3869b314e27

          SHA512

          e4908a422586927b65d79366b554a20b24eadf835015929869de8ec09d11be96cf84abaabbe2b9f601c98ee032fabf71db0cc777b812471af558446534687c73

        • C:\Users\Admin\AppData\Local\Y4PRBO\SystemPropertiesPerformance.exe

          Filesize

          40KB

          MD5

          ad9722789e5ab34bd33286d1d7e2e9d6

          SHA1

          c0106ac69144502be89179dd0f19e3476172eb9e

          SHA256

          1b4c3a8c45d6af7541e81cef0877c18bda3e43681881563cdfddc6e1ff6e5735

          SHA512

          d262ec76c0062bbbf347d26e065f9b8e2be03cd752b55e687247ecca5c5ac6ece7ba2001681b96ae51c156c7c1ef6c73d4375b523ab1e2b4af34b2d2d0814336

        • C:\Users\Admin\AppData\Local\sqaZ7\UxTheme.dll

          Filesize

          110KB

          MD5

          94db4f643fdbceaed6936c7a0a074b79

          SHA1

          69998bb161ae3e65a7f8fc569d4975e8d9858174

          SHA256

          580db80103977869c05569b0b74a36b18822d4eb641a76b10e3aa4d94deab4b1

          SHA512

          3130fe329f4062dc5c00feac1fe075c1210793683d6ecd8fe46aa3455e63807510f34946681a27c6f2475c579f4b465c4dfe70faf1a7cc137a4b3b1a734c4b32

        • C:\Users\Admin\AppData\Local\sqaZ7\osk.exe

          Filesize

          65KB

          MD5

          82612ccff43b4bebd91d9be898bb905c

          SHA1

          08d8fccd8cd426736c0dbf8557390c95b03d1b0a

          SHA256

          ba6b30151a1b797b0057ff50b368dbfc0074038efdf61171d6dc1055abcf18a3

          SHA512

          18b72581f4dc265d4c3966023508a1aac6bb76c4ae51d68a52ab29d18c7510b565765df6f1a7c1474191a1a768139dcb172d8b8eebf4c8fb860b8e0eae153c60

        • C:\Users\Admin\AppData\Local\sqaZ7\osk.exe

          Filesize

          136KB

          MD5

          265b903c98fcaff6ed48b82e9b2627d9

          SHA1

          496b54a8e23731c1ec3fbe89cde134d9196df133

          SHA256

          e1fec0c9177b0aee052c7017a87cc73a36740617831fb6bd126b21030dddd9cf

          SHA512

          33dbf14321a4a8363b01412ad26c719cb144aab88fd3b3178a3ab9166a7fc5818be94398f78d8cc38a4d42c1c56ce6ce56ce8160e7e0095414b06307272bf9a9

        • C:\Users\Admin\AppData\Local\xQu\XmlLite.dll

          Filesize

          1KB

          MD5

          966f7a7d8a2a143c2af2c974c8b6ef19

          SHA1

          9c56fc1d48f5c24be522e8f2cc19a77ac97388c7

          SHA256

          3f80d06d08f23d2eb6da4bcb62cf1d5f5af62c3774c83c4079b5483b193b3c00

          SHA512

          8b9195f8b26f55803741186f1b0a17f6704dff24b8caa6c86f47015514a0268143d85eea53c1a25cc661257f0f67bd3f0f25f446c8a3465d929ffb8a245d9d2d

        • C:\Users\Admin\AppData\Local\xQu\wbengine.exe

          Filesize

          92KB

          MD5

          0e0bacce676a25aadcf28e49650761c2

          SHA1

          cd8e77787fdff7f3af285ee4a2fe826b205994d2

          SHA256

          dbfb61dbbce53afa43499ffa833ba1deaa141ad3d4551344b74dfa6a7f85d7ba

          SHA512

          3f505d7d6ba42bf7fd6cbe225b27089eed91565f8523c625568ab483399b4e2f0ffca59e86778b179ff68b3143eb1078756ab347a49877990040ccbb9f1c75f4

        • C:\Users\Admin\AppData\Local\xQu\wbengine.exe

          Filesize

          99KB

          MD5

          a76c3ac80448aadf2c712820e5bd3788

          SHA1

          d23bfb2be8b63eefa70f2f0da3a70f1946a7f5df

          SHA256

          bc0b7c0c6054854c5d81972ddd19467589e13d987612490afcb2305673faca5f

          SHA512

          aeabf290f8ba234c88fdfb4862372f70e1f56ec378df4542a887ba65506cc414dd66cf23bd024cda04f053c220f6a25622fda6aff10d3eb9de329579dc9ab019

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Zrkibbhbsqvuoso.lnk

          Filesize

          1KB

          MD5

          77a4b3f3109d2eeddb0970ed422aa097

          SHA1

          4a005d623b99e448809b3828f3c37b3c91f8c7c5

          SHA256

          948bf86a8c4a53a80b161eff70f0024a9a9b28a94ce7348dd28fba94f3149a0c

          SHA512

          7b4e9de20ec264ecf4756108b9fc2719cf006b26f8481a4121cdd0c99457a6bc8066f2a38b7252fbe53c4c126a40af1e7c7198850cc05bac15c1546c70e02434

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IEDownloadHistory\KVQ7cn49HUu\XmlLite.dll

          Filesize

          2.5MB

          MD5

          33dc3f101a3dd47cd9d27487ed4f0c89

          SHA1

          f3337514e88b278750e800bc6913b130ad82d74c

          SHA256

          0dc27192b4b5b64fa48e2af7de154d164e787d05d64b90add64d010ae504c6d7

          SHA512

          73178ec64ff165ac5ca39834ce0035b254fa72bd85e7bed3b8bb0add969d91ecf1709716afaee0af6405f8cc11097b0bcccb45f4fc364dcccb787ae765d1a937

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PrivacIE\OojEKAxl7wr\UxTheme.dll

          Filesize

          2.5MB

          MD5

          294380421a493ab1a2fbee72b2d34308

          SHA1

          b2571b067328f5cd842585bba832d5a4ebd498e5

          SHA256

          ed7384fd815236dbe2884caad341932453a7d0207fa5a7839f32032cfac7ed01

          SHA512

          5ba1340fca5534d09de2fa98226c957b21738e655ad859590668b540a0658fd2f9a1bd5c2481c0a1da7a542c23c58a4c55d9b31982f9f0cdbd38c21bc4512ed1

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\oM3MTl86Uy\SYSDM.CPL

          Filesize

          2.5MB

          MD5

          ff94c2777d864da474251275a67a6a21

          SHA1

          27cf58296d4d74217588073018aaf596d04b3324

          SHA256

          2998641fc3542ad418739e98697718594f28dc8eea0d9bd8adb8b9545082260d

          SHA512

          982dd91511c6d4d1a01acaf139600b7a81fe8f2756bc99963cdc038d7b619492a9115ead099480bc4f528888a4d133cd1c37453872f8662dc46ce78e69d5fb9f

        • \Users\Admin\AppData\Local\Y4PRBO\SYSDM.CPL

          Filesize

          45KB

          MD5

          d858aa91301e807f3d361ff0f9cc184f

          SHA1

          451c4b6353b780e7c4bde3f94c3710cf94008ed7

          SHA256

          d9a24787844f5d387b336f9cb390f1743acb9e9247cdeb1fa55b6ac7222e0507

          SHA512

          7cf63a2b5dd39cecca5e2d419ff0975d0747c872f1fb8b92263e36a45d7bb5032ce719b5a89d9cfcda9e2a961bc300013fe972d4c0271466e82ce946e2511ab5

        • \Users\Admin\AppData\Local\Y4PRBO\SystemPropertiesPerformance.exe

          Filesize

          44KB

          MD5

          2c78be1298c249d6c50a3105c5ab0d91

          SHA1

          f51bf8e2b7f395e38ea34476d3f2adab69a2efc2

          SHA256

          55a4b6983566e2d444068127b9226a3431144506b609723a29bee8f23321446f

          SHA512

          1ce3d2b7119ff0bdb498178e84d7ea07729199dbe04681df591af77ccf9c4309e0e30a3dacb223d85a24db4f206e42efcfa905599c875cfe831227f3c6f49acd

        • \Users\Admin\AppData\Local\sqaZ7\UxTheme.dll

          Filesize

          53KB

          MD5

          d39c9934e9c3afc06b325055bf1c1467

          SHA1

          b39c6e547f200b77b7336a45eda6067cafe16b8b

          SHA256

          32392eb6f8e0d41e363f943191f00e2b952bad593c935188047f0feb03fd2237

          SHA512

          26e71c6b236151b8a93ff36e4d1cd792ae8f4a188c40f1e2cf87ee737aa82aaa4630641cc7a92f15aa9d9c6afcf60e78583cd70df388845e97fcfe1218e1574f

        • \Users\Admin\AppData\Local\sqaZ7\osk.exe

          Filesize

          1KB

          MD5

          cbbaf202fbf1b2933fe2e757e4999acb

          SHA1

          e8bf1f6ee44a5e344e3707b48001b7583f5b0e75

          SHA256

          89bf6ace53974e3a014dac5105d88c0723e7ccab24acf7bd148cd182fc73a97b

          SHA512

          b30b1c5849f60f9d17e1e4ed7c341ba4b7a83ddca8720bd7cc7baa1fa6daf77d09ed68c938eac070170cd1b57d95f3813c5a374d4f66d647c7e54415609ac125

        • \Users\Admin\AppData\Local\xQu\XmlLite.dll

          Filesize

          45KB

          MD5

          83f261e4ff09b931b2ad336102616cb1

          SHA1

          8b3877159d4e72c79f8d204500b015eb34c84c60

          SHA256

          67a944af02e0dc98d6bd47c9bb5b69b55e738947fa5894f25cce201001f32d4d

          SHA512

          6f2e09def7f60c676ec1364fdfba5f7d124aa06e9e3d819391d0a653afb418e606b5c38523b98a37a9afa40a73254b29aa723def80e336e36ba1d67c8636254f

        • \Users\Admin\AppData\Local\xQu\wbengine.exe

          Filesize

          114KB

          MD5

          4b687288782ed067b8385b1ae0ba1040

          SHA1

          dbb9e216f72f5f8fbb5c36b0ddaf43622532bb66

          SHA256

          669a123f8ba35da35caaa9a830c2b28e5158cb834b36f39b4e8984e6bbe56ad2

          SHA512

          bee16120a3207a572031e3c4e324fc5ea1ed971f0161d0044011344887ed23078d0bfe9a355d3e9bce8ee0cd0d1ff768f5a879a7e0bea4b7e5d8e2068693ea76

        • \Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\oM3MTl86Uy\SystemPropertiesPerformance.exe

          Filesize

          80KB

          MD5

          870726cdcc241a92785572628b89cc07

          SHA1

          63d47cc4fe9beb75862add1abca1d8ae8235710a

          SHA256

          1ab77fa1ee0cbe59ca185c228c3c11abeba2b2008a162c91a06d3c40542e7fc6

          SHA512

          89b961c2a2716fe0800e54e0206c8b349a26f1bc2a463ec9bd12f3ab22bfcb13e6402b4c20ddcf284d838a3c66e73335af8f6dc4554d76646382e387242c6f72

        • memory/364-129-0x0000000000100000-0x0000000000107000-memory.dmp

          Filesize

          28KB

        • memory/1272-33-0x0000000140000000-0x000000014028A000-memory.dmp

          Filesize

          2.5MB

        • memory/1272-57-0x00000000772A0000-0x00000000772A2000-memory.dmp

          Filesize

          8KB

        • memory/1272-28-0x0000000140000000-0x000000014028A000-memory.dmp

          Filesize

          2.5MB

        • memory/1272-25-0x0000000140000000-0x000000014028A000-memory.dmp

          Filesize

          2.5MB

        • memory/1272-36-0x0000000140000000-0x000000014028A000-memory.dmp

          Filesize

          2.5MB

        • memory/1272-21-0x0000000140000000-0x000000014028A000-memory.dmp

          Filesize

          2.5MB

        • memory/1272-39-0x0000000140000000-0x000000014028A000-memory.dmp

          Filesize

          2.5MB

        • memory/1272-41-0x0000000140000000-0x000000014028A000-memory.dmp

          Filesize

          2.5MB

        • memory/1272-42-0x0000000140000000-0x000000014028A000-memory.dmp

          Filesize

          2.5MB

        • memory/1272-43-0x0000000140000000-0x000000014028A000-memory.dmp

          Filesize

          2.5MB

        • memory/1272-40-0x0000000140000000-0x000000014028A000-memory.dmp

          Filesize

          2.5MB

        • memory/1272-38-0x0000000140000000-0x000000014028A000-memory.dmp

          Filesize

          2.5MB

        • memory/1272-37-0x0000000140000000-0x000000014028A000-memory.dmp

          Filesize

          2.5MB

        • memory/1272-44-0x0000000140000000-0x000000014028A000-memory.dmp

          Filesize

          2.5MB

        • memory/1272-20-0x0000000140000000-0x000000014028A000-memory.dmp

          Filesize

          2.5MB

        • memory/1272-45-0x0000000140000000-0x000000014028A000-memory.dmp

          Filesize

          2.5MB

        • memory/1272-47-0x0000000140000000-0x000000014028A000-memory.dmp

          Filesize

          2.5MB

        • memory/1272-48-0x00000000029A0000-0x00000000029A7000-memory.dmp

          Filesize

          28KB

        • memory/1272-46-0x0000000140000000-0x000000014028A000-memory.dmp

          Filesize

          2.5MB

        • memory/1272-18-0x0000000140000000-0x000000014028A000-memory.dmp

          Filesize

          2.5MB

        • memory/1272-19-0x0000000140000000-0x000000014028A000-memory.dmp

          Filesize

          2.5MB

        • memory/1272-55-0x0000000140000000-0x000000014028A000-memory.dmp

          Filesize

          2.5MB

        • memory/1272-15-0x0000000140000000-0x000000014028A000-memory.dmp

          Filesize

          2.5MB

        • memory/1272-12-0x0000000140000000-0x000000014028A000-memory.dmp

          Filesize

          2.5MB

        • memory/1272-10-0x0000000140000000-0x000000014028A000-memory.dmp

          Filesize

          2.5MB

        • memory/1272-8-0x0000000140000000-0x000000014028A000-memory.dmp

          Filesize

          2.5MB

        • memory/1272-56-0x0000000077141000-0x0000000077142000-memory.dmp

          Filesize

          4KB

        • memory/1272-35-0x0000000140000000-0x000000014028A000-memory.dmp

          Filesize

          2.5MB

        • memory/1272-62-0x0000000140000000-0x000000014028A000-memory.dmp

          Filesize

          2.5MB

        • memory/1272-66-0x0000000140000000-0x000000014028A000-memory.dmp

          Filesize

          2.5MB

        • memory/1272-71-0x0000000140000000-0x000000014028A000-memory.dmp

          Filesize

          2.5MB

        • memory/1272-29-0x0000000140000000-0x000000014028A000-memory.dmp

          Filesize

          2.5MB

        • memory/1272-34-0x0000000140000000-0x000000014028A000-memory.dmp

          Filesize

          2.5MB

        • memory/1272-4-0x0000000076F36000-0x0000000076F37000-memory.dmp

          Filesize

          4KB

        • memory/1272-32-0x0000000140000000-0x000000014028A000-memory.dmp

          Filesize

          2.5MB

        • memory/1272-5-0x00000000029D0000-0x00000000029D1000-memory.dmp

          Filesize

          4KB

        • memory/1272-30-0x0000000140000000-0x000000014028A000-memory.dmp

          Filesize

          2.5MB

        • memory/1272-31-0x0000000140000000-0x000000014028A000-memory.dmp

          Filesize

          2.5MB

        • memory/1272-27-0x0000000140000000-0x000000014028A000-memory.dmp

          Filesize

          2.5MB

        • memory/1272-150-0x0000000076F36000-0x0000000076F37000-memory.dmp

          Filesize

          4KB

        • memory/1272-24-0x0000000140000000-0x000000014028A000-memory.dmp

          Filesize

          2.5MB

        • memory/1272-26-0x0000000140000000-0x000000014028A000-memory.dmp

          Filesize

          2.5MB

        • memory/1272-22-0x0000000140000000-0x000000014028A000-memory.dmp

          Filesize

          2.5MB

        • memory/1272-23-0x0000000140000000-0x000000014028A000-memory.dmp

          Filesize

          2.5MB

        • memory/1272-16-0x0000000140000000-0x000000014028A000-memory.dmp

          Filesize

          2.5MB

        • memory/1272-17-0x0000000140000000-0x000000014028A000-memory.dmp

          Filesize

          2.5MB

        • memory/1272-14-0x0000000140000000-0x000000014028A000-memory.dmp

          Filesize

          2.5MB

        • memory/1272-11-0x0000000140000000-0x000000014028A000-memory.dmp

          Filesize

          2.5MB

        • memory/1272-13-0x0000000140000000-0x000000014028A000-memory.dmp

          Filesize

          2.5MB

        • memory/1272-9-0x0000000140000000-0x000000014028A000-memory.dmp

          Filesize

          2.5MB

        • memory/1964-7-0x0000000140000000-0x000000014028A000-memory.dmp

          Filesize

          2.5MB

        • memory/1964-0-0x0000000140000000-0x000000014028A000-memory.dmp

          Filesize

          2.5MB

        • memory/1964-1-0x0000000000390000-0x0000000000397000-memory.dmp

          Filesize

          28KB

        • memory/2632-104-0x00000000001F0000-0x00000000001F7000-memory.dmp

          Filesize

          28KB

        • memory/2840-80-0x00000000002C0000-0x00000000002C7000-memory.dmp

          Filesize

          28KB