Analysis

  • max time kernel
    150s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    20-01-2024 02:11

General

  • Target

    661942dec5f555ea16390ab0b8805570.dll

  • Size

    848KB

  • MD5

    661942dec5f555ea16390ab0b8805570

  • SHA1

    1c0cf8507b8ab448424fe88f164143291e17f4d8

  • SHA256

    9fc724df4f2ae0f2d2b3a04540cf737782e0b77e296a03ec25418f3f36f05a6b

  • SHA512

    09353633455251bb230592ca21328a63cee419b11b2d28ff9d2ad0da6b3b55d6a4c9614e3f99502001b6444e0e19ed8d0dcecd7a079bf5cd30f148f455be4606

  • SSDEEP

    12288:wkbQEkWqv+157EYfxarhwLNuR7ek1tHffB/HzTyNQ6NIeGYr/R:wkbHkWfzZ5adwLNGeStHntqN7v

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a banking trojan that specializes in stealing banking credentials.

  • Dridex Shellcode (1 IoC)

    Detects Dridex payload shellcode injected into the Explorer process.

  • Dridex payload (12 IoCs)

    Detects the Dridex x64 core DLL in memory.

  • Executes dropped EXE (3 IoCs)
  • Loads dropped DLL (7 IoCs)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Checks whether UAC is enabled (1 TTP, 4 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of WriteProcessMemory (18 IoCs)
  • Uses Task Scheduler COM API (1 TTP)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\661942dec5f555ea16390ab0b8805570.dll,#1
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1268
  • C:\Windows\system32\SystemPropertiesAdvanced.exe
    C:\Windows\system32\SystemPropertiesAdvanced.exe
    PID:2648
    • C:\Users\Admin\AppData\Local\H8rgbmeSz\SystemPropertiesAdvanced.exe
      C:\Users\Admin\AppData\Local\H8rgbmeSz\SystemPropertiesAdvanced.exe
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2744
    • C:\Windows\system32\xpsrchvw.exe
      C:\Windows\system32\xpsrchvw.exe
      PID:3032
      • C:\Users\Admin\AppData\Local\SBqVTmcXy\xpsrchvw.exe
        C:\Users\Admin\AppData\Local\SBqVTmcXy\xpsrchvw.exe
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:3020
      • C:\Windows\system32\mstsc.exe
        C:\Windows\system32\mstsc.exe
        PID:748
        • C:\Users\Admin\AppData\Local\C0aS\mstsc.exe
          C:\Users\Admin\AppData\Local\C0aS\mstsc.exe
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1984
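The process list above, read together with the Downloads section, shows the layout behind the "Executes dropped EXE" and "Loads dropped DLL" signatures: a copy of a legitimate Windows binary (SystemPropertiesAdvanced.exe, xpsrchvw.exe, mstsc.exe) placed in a freshly created AppData\Local directory next to a module carrying the name of a DLL that binary normally loads from System32 (SYSDM.CPL, WINMM.dll, Secur32.dll), plus a .lnk in the user's Startup folder. The following Python triage script is an added example and is not code from the report, the sandbox or any vendor; it transcribes those entries by hand (drive letters normalised to C:) and flags the pattern with a rule and function names of my own.

```python
"""Side-loading and persistence triage over this report's process tree.

Added example for this page; not code from the sandbox or any vendor.
PROCESSES and DROPPED are transcribed from the Processes and Downloads
sections (drive letters normalised to C:); the rule and names are my own.
"""
from collections import defaultdict
from pathlib import PureWindowsPath

# (pid, image path) as listed under Processes
PROCESSES = [
    (1268, r"C:\Windows\system32\rundll32.exe"),
    (2648, r"C:\Windows\system32\SystemPropertiesAdvanced.exe"),
    (2744, r"C:\Users\Admin\AppData\Local\H8rgbmeSz\SystemPropertiesAdvanced.exe"),
    (3032, r"C:\Windows\system32\xpsrchvw.exe"),
    (3020, r"C:\Users\Admin\AppData\Local\SBqVTmcXy\xpsrchvw.exe"),
    (748,  r"C:\Windows\system32\mstsc.exe"),
    (1984, r"C:\Users\Admin\AppData\Local\C0aS\mstsc.exe"),
]

# (path, size in KB) for files listed under Downloads
DROPPED = [
    (r"C:\Users\Admin\AppData\Local\C0aS\Secur32.dll", 852),
    (r"C:\Users\Admin\AppData\Local\H8rgbmeSz\SYSDM.CPL", 852),
    (r"C:\Users\Admin\AppData\Local\SBqVTmcXy\WINMM.dll", 856),
    (r"C:\Users\Admin\AppData\Local\SBqVTmcXy\xpsrchvw.exe", 4300),
    (r"C:\Users\Admin\AppData\Local\C0aS\mstsc.exe", 1126),
    (r"C:\Users\Admin\AppData\Local\H8rgbmeSz\SystemPropertiesAdvanced.exe", 80),
    (r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Zrkibbhbsqvuoso.lnk", 1),
]

SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
LOADABLE = {".dll", ".cpl", ".ocx", ".drv"}   # extensions the loader will map as a module


def _parent(path):
    return str(PureWindowsPath(path).parent).lower()


def system_binaries(processes):
    """Image names that executed at least once from a Windows system directory."""
    return {PureWindowsPath(p).name.lower() for _, p in processes if _parent(p) in SYSTEM_DIRS}


def side_load_candidates(processes, dropped):
    """A known system binary run from a user-writable directory that also received
    a loadable module. Returns [(pid, exe_path, [module_paths])] in tree order."""
    known = system_binaries(processes)
    modules_by_dir = defaultdict(list)
    for path, _kb in dropped:
        if PureWindowsPath(path).suffix.lower() in LOADABLE:
            modules_by_dir[_parent(path)].append(path)
    hits = []
    for pid, path in processes:
        name = PureWindowsPath(path).name.lower()
        if _parent(path) in SYSTEM_DIRS or name not in known:
            continue
        modules = sorted(modules_by_dir.get(_parent(path), []))
        if modules:
            hits.append((pid, path, modules))
    return hits


def startup_artifacts(dropped):
    """Shortcuts written to the per-user Startup folder. The report prints 8.3
    short names (MICROS~1, STARTM~1), so match on the trailing components only."""
    return [p for p, _kb in dropped
            if _parent(p).endswith(r"\programs\startup")
            and PureWindowsPath(p).suffix.lower() == ".lnk"]


if __name__ == "__main__":
    for pid, exe, mods in side_load_candidates(PROCESSES, DROPPED):
        print(f"PID {pid}: {exe} side-loads {', '.join(mods)}")
    for lnk in startup_artifacts(DROPPED):
        print("Startup persistence:", lnk)
```

Run as-is it reports PIDs 2744, 3020 and 1984 with their companion modules and the Zrkibbhbsqvuoso.lnk shortcut. The rule keys on a system binary that also ran from System32 during the same run; on a real host you would compare against a known-good image manifest instead, since the attacker's copy can run without the legitimate one. Two caveats from the report itself: the three dropped DLLs are within a few KB of the 848KB submitted sample, which is a useful pivot, and SBqVTmcXy\xpsrchvw.exe is listed three times at 2.7MB, 4.2MB and 4.6MB with different hashes, most likely snapshots taken while the file was still being written, so hash the final on-disk copy rather than trusting any one of those entries.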

Network

MITRE ATT&CK Enterprise v15

Downloads

        • C:\Users\Admin\AppData\Local\C0aS\Secur32.dll

          Filesize

          852KB

          MD5

          240aad42236aeb13e86146f82702e653

          SHA1

          fb2728ae3870730256f927cfb327effa0db99eef

          SHA256

          b97ada4dee841c40002f69601879ff0b22a8a0c51bc152038352947e5b2469be

          SHA512

          66093dc83b492f7d118d7aeefabf0319d59961c04dab3adc55933f84d8721b4ff94ac93a77d97126b0cf7b7dfca24629f57679e3916dc561d9836f5f4fd300b8

        • C:\Users\Admin\AppData\Local\H8rgbmeSz\SYSDM.CPL

          Filesize

          852KB

          MD5

          7c71547fee3b5b517809132b9771e082

          SHA1

          d89b5d1fae6f7d45cb0638caa14d2fcc50aa06fe

          SHA256

          cdb78b85e57a96c59be403c1d58c23d3a05fc4837f5b92c00cf7934b4ee9f5d4

          SHA512

          69fab62d9daa4ee725d158f26c412f812dc9e6e258c47480c3fbf8d1d140c06533a530a3a657865bb04f5b2393a4a98cb52d8d3988d731ba3cf19a91f5863701

        • C:\Users\Admin\AppData\Local\SBqVTmcXy\WINMM.dll

          Filesize

          856KB

          MD5

          e5ce4daf77f8d529ed3a1f2e7c0875ec

          SHA1

          83fe8477f27611668034c55e340a28d4cf14f9f6

          SHA256

          3074d49a74805ba97c408c512a9f1644ddcb3516c22d652a8aa55667153c37fb

          SHA512

          a055022c3c006650f3eb11afe7a50e78ea67ddb920ed489fc2e116b03dc45296b123dc649bd78e593df332926f47de6ddcc707a78d99e704375a1b4608863b20

        • C:\Users\Admin\AppData\Local\SBqVTmcXy\xpsrchvw.exe

          Filesize

          4.2MB

          MD5

          051bdf75fa2555be765d21abff20cd7a

          SHA1

          c1d63d4f22f5a3290c47a7f796fff1d0ccdb994c

          SHA256

          1c8afcc609898fd39f6e46858779679009f8799d5bfa3be4c44a74a5307f4dd9

          SHA512

          d2c51be95d0246221272f80ba0374f9f6ccd6b79d0e8c2a34a197a20776605827c2e1f8488cba6faeefd52835b0367e08ce01c6d16f0fb130898a8fa2fe31825

        • C:\Users\Admin\AppData\Local\SBqVTmcXy\xpsrchvw.exe

          Filesize

          4.6MB

          MD5

          492cb6a624d5dad73ee0294b5db37dd6

          SHA1

          e74806af04a5147ccabfb5b167eb95a0177c43b3

          SHA256

          ccb4ecd48561ce024ea176b7036f0f2713b98bc82aa37347a30d8187762a8784

          SHA512

          63bf2931764efe767fb42f9576702dd585a032f74ad2be2481eaf309f34950f05974d77b5cb220a3ff89c92af0c7693dc558f8e3a3ee2a0be6c5c07171d03835

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Zrkibbhbsqvuoso.lnk

          Filesize

          1KB

          MD5

          28a3210bb8de6ea2c17095e313b4b481

          SHA1

          8948483251500430c10e7514a23ce511ef95add5

          SHA256

          33c95fd4753130fce135f7ad669550ed3c523aae9995a9a77c7e085141f883ce

          SHA512

          b9d612c011c6117d0e5751cdb274e07deb8020c612a985d154cbd6154455c02ec620415c9d8585eb06b7f1a1e561125a4877f41428d53b1fce1196bba259626c

        • \Users\Admin\AppData\Local\C0aS\mstsc.exe

          Filesize

          1.1MB

          MD5

          50f739538ef014b2e7ec59431749d838

          SHA1

          b439762b8efe8cfb977e7374c11a7e4d8ed05eb3

          SHA256

          85c510c7fa8d64c70886ea01ec99e7b9064594f021a95b4cf88359421e732be3

          SHA512

          02e231ddc4ac012c597b9db42f8a77fbf35ca8253c030d443a0dd4db3d76a9ee1cced600f12d7bb06305e7a4da4a8fda980faad335adcb12738d80d453cb3cc8

        • \Users\Admin\AppData\Local\H8rgbmeSz\SystemPropertiesAdvanced.exe

          Filesize

          80KB

          MD5

          25dc1e599591871c074a68708206e734

          SHA1

          27a9dffa92d979d39c07d889fada536c062dac77

          SHA256

          a13b2ba5892c11c731869410b1e3dd2f250d70ff9efd513a9f260ab506dd42ef

          SHA512

          f7da9ce4c3e8aea9095fcc977084c042f85df48fca0b58fb136dfd835ce69b5b1e68f3c11eeb14c617ffcec7011ffc7e5d5a948f49dde653a2348b28e10adb72

        • \Users\Admin\AppData\Local\SBqVTmcXy\xpsrchvw.exe

          Filesize

          2.7MB

          MD5

          b1a23481a00c0d3f60e9c78a16870359

          SHA1

          4b42250c20415b4fa0f874336f10d4441c3904e7

          SHA256

          a51782b21b224399b500d9bc5588863afdbf2e9aa117106d2cfda27924c73e05

          SHA512

          16307a68a5057c5fdd2b399bbf101639b252bd03871d1915a209842bcb8aa7fd98dfa4653ab613591af0d25a37bad8cc4451a9579c4c9974bf572c9f0c4c3167

        • memory/1268-1-0x0000000001B40000-0x0000000001B47000-memory.dmp

          Filesize

          28KB

        • memory/1268-0-0x000007FEF69D0000-0x000007FEF6AA4000-memory.dmp

          Filesize

          848KB

        • memory/1268-41-0x000007FEF69D0000-0x000007FEF6AA4000-memory.dmp

          Filesize

          848KB

        • memory/1276-40-0x0000000140000000-0x00000001400D4000-memory.dmp

          Filesize

          848KB

        • memory/1276-73-0x0000000077116000-0x0000000077117000-memory.dmp

          Filesize

          4KB

        • memory/1276-14-0x0000000140000000-0x00000001400D4000-memory.dmp

          Filesize

          848KB

        • memory/1276-12-0x0000000140000000-0x00000001400D4000-memory.dmp

          Filesize

          848KB

        • memory/1276-10-0x0000000140000000-0x00000001400D4000-memory.dmp

          Filesize

          848KB

        • memory/1276-9-0x0000000140000000-0x00000001400D4000-memory.dmp

          Filesize

          848KB

        • memory/1276-6-0x0000000140000000-0x00000001400D4000-memory.dmp

          Filesize

          848KB

        • memory/1276-27-0x0000000140000000-0x00000001400D4000-memory.dmp

          Filesize

          848KB

        • memory/1276-29-0x00000000774B0000-0x00000000774B2000-memory.dmp

          Filesize

          8KB

        • memory/1276-28-0x0000000077480000-0x0000000077482000-memory.dmp

          Filesize

          8KB

        • memory/1276-19-0x0000000140000000-0x00000001400D4000-memory.dmp

          Filesize

          848KB

        • memory/1276-38-0x0000000140000000-0x00000001400D4000-memory.dmp

          Filesize

          848KB

        • memory/1276-20-0x0000000002B50000-0x0000000002B57000-memory.dmp

          Filesize

          28KB

        • memory/1276-18-0x0000000140000000-0x00000001400D4000-memory.dmp

          Filesize

          848KB

        • memory/1276-16-0x0000000140000000-0x00000001400D4000-memory.dmp

          Filesize

          848KB

        • memory/1276-3-0x0000000077116000-0x0000000077117000-memory.dmp

          Filesize

          4KB

        • memory/1276-4-0x0000000002B70000-0x0000000002B71000-memory.dmp

          Filesize

          4KB

        • memory/1276-7-0x0000000140000000-0x00000001400D4000-memory.dmp

          Filesize

          848KB

        • memory/1276-15-0x0000000140000000-0x00000001400D4000-memory.dmp

          Filesize

          848KB

        • memory/1276-13-0x0000000140000000-0x00000001400D4000-memory.dmp

          Filesize

          848KB

        • memory/1276-11-0x0000000140000000-0x00000001400D4000-memory.dmp

          Filesize

          848KB

        • memory/1276-8-0x0000000140000000-0x00000001400D4000-memory.dmp

          Filesize

          848KB

        • memory/1276-17-0x0000000140000000-0x00000001400D4000-memory.dmp

          Filesize

          848KB

        • memory/1984-97-0x0000000000110000-0x0000000000117000-memory.dmp

          Filesize

          28KB

        • memory/1984-98-0x000007FEF6470000-0x000007FEF6545000-memory.dmp

          Filesize

          852KB

        • memory/1984-102-0x000007FEF6470000-0x000007FEF6545000-memory.dmp

          Filesize

          852KB

        • memory/2744-60-0x000007FEF6AB0000-0x000007FEF6B85000-memory.dmp

          Filesize

          852KB

        • memory/2744-57-0x0000000000170000-0x0000000000177000-memory.dmp

          Filesize

          28KB

        • memory/2744-55-0x000007FEF6AB0000-0x000007FEF6B85000-memory.dmp

          Filesize

          852KB

        • memory/3020-72-0x000007FEF6470000-0x000007FEF6546000-memory.dmp

          Filesize

          856KB

        • memory/3020-77-0x000007FEF6470000-0x000007FEF6546000-memory.dmp

          Filesize

          856KB

        • memory/3020-74-0x00000000001E0000-0x00000000001E7000-memory.dmp

          Filesize

          28KB
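The memory dump names above encode the PID and the start and end address of each region, and the "Filesize" printed for each is just that length in KB. Several of them line up with on-disk sizes elsewhere in the report: the 848KB region in rundll32 (PID 1268) and the 848KB region at 0x140000000 in PID 1276 match the submitted DLL, while the 852KB and 856KB regions in the three dropped-binary processes match the dropped modules. PID 1276 does not appear in the process tree at all, which is consistent with the "Dridex Shellcode" signature's reference to the Explorer process, and 0x140000000 is the default image base the linker assigns to 64-bit executables rather than the 0x7FE... range the other large regions sit in. The following Python script is an added example, not code from the report or the sandbox; it parses a hand-transcribed subset of the dump names and correlates region lengths with module sizes using helper names of my own.

```python
"""Correlate this report's memory dumps with dropped modules by region length.

Added example for this page; not sandbox or vendor code. DUMPS is a subset of
the memory/... entries transcribed by hand; MODULES carries on-disk sizes from
the Downloads section plus the submitted sample. Names are my own.
"""
import re
from collections import defaultdict

DUMPS = [
    "memory/1268-1-0x0000000001B40000-0x0000000001B47000-memory.dmp",
    "memory/1268-0-0x000007FEF69D0000-0x000007FEF6AA4000-memory.dmp",
    "memory/1268-41-0x000007FEF69D0000-0x000007FEF6AA4000-memory.dmp",
    "memory/1276-40-0x0000000140000000-0x00000001400D4000-memory.dmp",
    "memory/1276-73-0x0000000077116000-0x0000000077117000-memory.dmp",
    "memory/1276-14-0x0000000140000000-0x00000001400D4000-memory.dmp",
    "memory/1276-29-0x00000000774B0000-0x00000000774B2000-memory.dmp",
    "memory/1276-20-0x0000000002B50000-0x0000000002B57000-memory.dmp",
    "memory/1984-97-0x0000000000110000-0x0000000000117000-memory.dmp",
    "memory/1984-98-0x000007FEF6470000-0x000007FEF6545000-memory.dmp",
    "memory/2744-60-0x000007FEF6AB0000-0x000007FEF6B85000-memory.dmp",
    "memory/2744-57-0x0000000000170000-0x0000000000177000-memory.dmp",
    "memory/3020-72-0x000007FEF6470000-0x000007FEF6546000-memory.dmp",
    "memory/3020-74-0x00000000001E0000-0x00000000001E7000-memory.dmp",
]

# (name, on-disk size in KB) from the General and Downloads sections
MODULES = [
    ("661942dec5f555ea16390ab0b8805570.dll (submitted sample)", 848),
    (r"C0aS\Secur32.dll", 852),
    (r"H8rgbmeSz\SYSDM.CPL", 852),
    (r"SBqVTmcXy\WINMM.dll", 856),
]

DUMP_RE = re.compile(r"memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")


def parse_regions(names):
    """pid -> {(start, end)}; repeated dumps of one region collapse to a single entry."""
    regions = defaultdict(set)
    for name in names:
        m = DUMP_RE.fullmatch(name)
        if m is None:
            raise ValueError(f"unexpected dump name: {name}")
        regions[int(m.group(1))].add((int(m.group(2), 16), int(m.group(3), 16)))
    return dict(regions)


def region_size_kb(start, end):
    """The report's 'Filesize' for a dump is the region length in whole KB."""
    return (end - start) // 1024


def correlate(regions, modules, min_kb=256):
    """[(pid, start_hex, size_kb, [module names])] for each region of at least
    min_kb whose length equals a module's on-disk size exactly. Small private
    regions (the recurring 28KB, 8KB and 4KB ones) are left out on purpose."""
    by_size = defaultdict(list)
    for name, kb in modules:
        by_size[kb].append(name)
    hits = []
    for pid in sorted(regions):
        for start, end in sorted(regions[pid]):
            kb = region_size_kb(start, end)
            if kb >= min_kb and kb in by_size:
                hits.append((pid, f"0x{start:X}", kb, sorted(by_size[kb])))
    return hits


if __name__ == "__main__":
    for pid, start, kb, names in correlate(parse_regions(DUMPS), MODULES):
        print(f"PID {pid} @ {start}: {kb}KB matches {names}")
```

The 852KB tie between Secur32.dll and SYSDM.CPL is the point to notice: region length alone cannot tell the two apart, so a real triage joins on the directory each process ran from (C0aS for PID 1984, H8rgbmeSz for PID 2744) before naming the module. The 28KB region that recurs in every process is too small to be any of these modules but appears in each side-loaded host, so it is worth pulling alongside the large ones when carving the in-memory payload the "Dridex payload" signature fires on.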