Analysis

  • max time kernel
    150s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    20-01-2024 07:08

General

  • Target

    69cd7320b88e1819f445bb8db3d0e43f.dll

  • Size

    1.7MB

  • MD5

    69cd7320b88e1819f445bb8db3d0e43f

  • SHA1

    5564a3813c18c1a44a3808c4f148ff3cace908c7

  • SHA256

    bcdd2a40691235cb270bc9cdcf08b99de975ddb77896eb02fd19508fdd2a57d5

  • SHA512

    9d357c5c0f48eac03bd63dbed69bf075054401a629e0ecd467a7a6ff6cbaa9081d90bcecb0c755361c3f0774ce43abd64463aad3230d5ba156af814e57735611

  • SSDEEP

    12288:6VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:nfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing banking credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex payload shellcode injected into the Explorer process.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\69cd7320b88e1819f445bb8db3d0e43f.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2968
  • C:\Windows\system32\icardagt.exe
    C:\Windows\system32\icardagt.exe
    1⤵
    PID:1204
  • C:\Users\Admin\AppData\Local\sIuNUZy\icardagt.exe
    C:\Users\Admin\AppData\Local\sIuNUZy\icardagt.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:592
  • C:\Windows\system32\tcmsetup.exe
    C:\Windows\system32\tcmsetup.exe
    1⤵
    PID:988
  • C:\Users\Admin\AppData\Local\pfaKg9vz\tcmsetup.exe
    C:\Users\Admin\AppData\Local\pfaKg9vz\tcmsetup.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:3020
  • C:\Windows\system32\dpapimig.exe
    C:\Windows\system32\dpapimig.exe
    1⤵
    PID:1672
  • C:\Users\Admin\AppData\Local\7Z9\dpapimig.exe
    C:\Users\Admin\AppData\Local\7Z9\dpapimig.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:2212

        Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\7Z9\DUI70.dll

          Filesize

          77KB

          MD5

          cc3b1bff8e1bd665f18b92448c84ca8c

          SHA1

          aad725560d3ae8283e096c1fae686ba1d2fa519f

          SHA256

          176bf96ea3f0bdad235c04eb5f973d778400292cc3c1e2e3726fd48dd41716db

          SHA512

          f20162eb8f59f92a94c659b95e5a62a959f656f3f76b9e7408bf91b2704791f51eeaf859cc0a7b551a2cd99fc80c4956b5627d692d837a76a3ba02b4dd318b10

        • C:\Users\Admin\AppData\Local\7Z9\dpapimig.exe

          Filesize

          73KB

          MD5

          0e8b8abea4e23ddc9a70614f3f651303

          SHA1

          6d332ba4e7a78039f75b211845514ab35ab467b2

          SHA256

          66fc6b68e54b8840a38b4de980cc22aed21009afc1494a9cc68e892329f076a1

          SHA512

          4feded78f9b953472266693e0943030d00f82a5cc8559df60ae0479de281164155e19687afc67cba74d04bb9ad092f5c7732f2d2f9b06274ca2ae87dc2d4a6dc

        • C:\Users\Admin\AppData\Local\pfaKg9vz\TAPI32.dll

          Filesize

          72KB

          MD5

          6966bec7cae45006a7c0f9eadcbc25c2

          SHA1

          419c5e7bdbccafd37bec70ece2684ed67da3264e

          SHA256

          c0cf1ca579251cf3ce8c66774ee5eb7fc488070adbe0fcf2993324294c8b8651

          SHA512

          abd94d2ab6d403116fc7b2d42670f4b47801c90be7f0f05d031fe4e1bf0aac2d98998e1b801a214201420b8e8c0be4a82cf07708afd793b6b9df2a9609e6fb8d

        • C:\Users\Admin\AppData\Local\pfaKg9vz\tcmsetup.exe

          Filesize

          1KB

          MD5

          fd020b037e6517def1d8d1322c77c0d9

          SHA1

          3fbc7d70929d2781f2178626cfc489aa188ef9dd

          SHA256

          2cca676a08c2ab765a4bd8368e9a4a6228ee31d1959d3aca7c15bb9a464f30cf

          SHA512

          1f3da985bb180ac287ae1ba6b6aee1c91198345ef7fb0e554701a0ed0d0aebe6fdb8caee8cf3ae9f7b8281657c2ae0bebed6d352f43639b07fdbf0e9c787d85c

        • C:\Users\Admin\AppData\Local\pfaKg9vz\tcmsetup.exe

          Filesize

          15KB

          MD5

          0b08315da0da7f9f472fbab510bfe7b8

          SHA1

          33ba48fd980216becc532466a5ff8476bec0b31c

          SHA256

          e19556bb7aa39bbd5f0d568a95aec0b3af18dda438cc5737f945243b24d106e7

          SHA512

          c30501546efe2b0c003ef87ac381e901c69ddfc6791c6a5102cff3a07f56555d94995a4413b93036821aa214fc31501fa87eb519e1890ef75b2ec497983ffd58

        • C:\Users\Admin\AppData\Local\sIuNUZy\VERSION.dll

          Filesize

          140KB

          MD5

          c9385c0ba09767995bf2e8407e68dd8d

          SHA1

          415308c0e13ded65c22197797b2629d351163856

          SHA256

          458a5b9bf16fadb417c090c8b94370abcb0ed6f061d924095eed19597e7e9a8c

          SHA512

          c01f7b154b5e50e136a4c8a060453a91247fdabf122ae27d7cb3ed4cded4298f23fb909aaa28f7f54ae7cc0f7b275b978f47ab93631487ecaf2e1573d3127783

        • C:\Users\Admin\AppData\Local\sIuNUZy\icardagt.exe

          Filesize

          136KB

          MD5

          2763c73ec27fbf4f66b7c183b48393d0

          SHA1

          051aee887fef944ed7a42491f17bfc5b105e28f5

          SHA256

          8894ba0eaa73094990ea8143b959a321f3a2b6076e6ba3150ceb10b811f6cf52

          SHA512

          16c34a52ab483797e3273bd2aaed4ecfd289aed00a19d9fb2d566a804215c5c8c43371c0f872cfe4b7e920df2705a11a5169bb8cc562abe1dd48b191661eac20

        • C:\Users\Admin\AppData\Local\sIuNUZy\icardagt.exe

          Filesize

          347KB

          MD5

          a5ad94dc8a9820653956e68f2e5c9040

          SHA1

          38a29fddff6724054c283f5e9ee2c4efb368d8d8

          SHA256

          cb61bb1a071dddbe0558aa7f404fccdb9be24786da034a35419d57312d0cdc44

          SHA512

          283dd737c5bb20e73ea1602fe5d96bde6d4e04016696da00258487d1d647017e7953806038dd7de847d57da711a77c62e182628b1c7378875e66457cbd8ca6d1

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Yiudzqwx.lnk

          Filesize

          1KB

          MD5

          207310677cc002610410a30bc19e6fff

          SHA1

          675ca1e0b8c9aa12cab7578be8491cc11092c6c6

          SHA256

          f343a860fd73002e16e8c157c4844c96b1ec64f18dc4c75a562c25e4e782e589

          SHA512

          fcf7c4957f5870f6d72299edc36ada9b2efb944890a7eb1c6d4771db1467a7d57a6ba42a2cb45d530201930118873a489a2caba81d02d3922b57210ba6d0df61

        • C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\pER6T\DUI70.dll

          Filesize

          1.9MB

          MD5

          417f25949c36271d81c3f1964461d04d

          SHA1

          772ab65d28206b935c4d5e02a18cd729fd58e349

          SHA256

          084727b10e99bd67df09aa6b5f66f5fa61ffee6d1ae671ba15e8893bc512abc1

          SHA512

          474daced1ae18dcc459c933a4e5d92439642304a3a49f03e301c09c5e3bb16b17494ddbe58654b0020cb977947665dabaa17179ca1473ab32ff05f8320a5bfa5

        • C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\wr8pTpN92\TAPI32.dll

          Filesize

          1.7MB

          MD5

          7bdcfc7b01c9ab7ad29835541d536349

          SHA1

          a6458ee7519ae2f197abf25ad7d3d004c8c7c2f0

          SHA256

          740dc4f183d739d0bab0814b27cd9b62d833f7492d460ba6aa1923f066c0eb8f

          SHA512

          23d32f5740e3fa09245576a4e58512eca1465ad2b75ddbb63cfb332c8844cf7b2b79a5b0430af058416a052ab6eee747dbccd145b525416fb54c6547864bcf02

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\w3Gkhdk8977\VERSION.dll

          Filesize

          1.7MB

          MD5

          dd7f0f99c3c00e31b8fd20fbd5ad4f93

          SHA1

          c3cc11ee96968210eb68c4161d19b334e2ec33db

          SHA256

          42ae418173af25bc4f280134099cbbd2fb106feeb83bc812f346e18329a802ad

          SHA512

          04e6c5f66b7de6a292ebe3d090613b2121652f2cc714056411a4ee3e3cd7c8575b9f1abae3aad032fe4582cf6e5846dce26a32d83696e2c442add16569842b5e

        • \Users\Admin\AppData\Local\7Z9\DUI70.dll

          Filesize

          40KB

          MD5

          6097680372b9004823b13dc918d382a9

          SHA1

          f1142332ad4459604772acf3efdd1e7519809f5f

          SHA256

          4fe16c88764089187c0bd478b51cf25607f29db8381e5c2f07a53d64e3a46976

          SHA512

          bc12856fe00cc8db72d276b8a66aec3e6600c64e27276cecec593833fe5af9c5b1af28d045d845e29570b4b8cd282498a94e1af94f7d71eaf6460323e2a1e87e

        • \Users\Admin\AppData\Local\7Z9\dpapimig.exe

          Filesize

          58KB

          MD5

          168921893dcac96e79bfc4a76c0d8016

          SHA1

          940d9ebdb7376fddc442a36b9151609f5ccb096c

          SHA256

          c7030fbac527514b789dd81f37059c5291ae2184f8b1f1f672e0d59cb428265a

          SHA512

          51974963fe861463d52ece22dd8aa4135d93d9449e9ce3923271f4dbb897566e30156c1e94de91be53658359d8d9527fab395a3766c633ba8285dfa629ab2229

        • \Users\Admin\AppData\Local\pfaKg9vz\TAPI32.dll

          Filesize

          12KB

          MD5

          5ee00be4e9cc8211ce9774f3bf983804

          SHA1

          585d0af75a51405f9c05fe41b15d12cd9e31887c

          SHA256

          42b6b09325e0b644ddb22980538dc760d311e8cc62b1e6d5fec4e6ee59b9ea58

          SHA512

          e534cb000f86dc37586b15e9b1c98a079229a179716c5986e5d70468544ec66ef6688fdfb1f2e6f946adceb18abbdc2033251658327992eafb61a87545a47a99

        • \Users\Admin\AppData\Local\sIuNUZy\VERSION.dll

          Filesize

          45KB

          MD5

          42ac48bdaf6d69917b60fc7e3f51cdb0

          SHA1

          c7b479813d2f0f35548d1ec2871ea73c3136d7ff

          SHA256

          4a0c116ca7d509b38726121b38bc8bd0b86099bb55ec7dc1f383998ab521d39e

          SHA512

          75d4c670894196570c9df00be23842454ff1c6b59ee44779954c3d80d7faf42981d50f31f3fe2088db3e54e07ad64938d27864fefc257cc638ade28f0ab05dea

        • \Users\Admin\AppData\Local\sIuNUZy\icardagt.exe

          Filesize

          80KB

          MD5

          a520593b050b99f2b09815c3d37c69e4

          SHA1

          3a1064b06131d2c187c2be46c01a8830e4a9919c

          SHA256

          0287143d4ecf9600418d343c655ed945832aa071e2a1326e398e4039dc41f11c

          SHA512

          b98686e1449e629f70c67a8ea0f618ceed0b3e8c02a0d47c18c071f3777ad4f78d237ab2f5bc06d7f4d02f0cd263ee9de46a6c2926246d207165e477a8141ac4

        • memory/592-85-0x0000000140000000-0x00000001401BB000-memory.dmp

          Filesize

          1.7MB

        • memory/592-81-0x0000000140000000-0x00000001401BB000-memory.dmp

          Filesize

          1.7MB

        • memory/592-80-0x00000000003C0000-0x00000000003C7000-memory.dmp

          Filesize

          28KB

        • memory/1212-26-0x0000000140000000-0x00000001401BA000-memory.dmp

          Filesize

          1.7MB

        • memory/1212-62-0x0000000140000000-0x00000001401BA000-memory.dmp

          Filesize

          1.7MB

        • memory/1212-28-0x0000000140000000-0x00000001401BA000-memory.dmp

          Filesize

          1.7MB

        • memory/1212-25-0x0000000140000000-0x00000001401BA000-memory.dmp

          Filesize

          1.7MB

        • memory/1212-24-0x0000000140000000-0x00000001401BA000-memory.dmp

          Filesize

          1.7MB

        • memory/1212-23-0x0000000140000000-0x00000001401BA000-memory.dmp

          Filesize

          1.7MB

        • memory/1212-22-0x0000000140000000-0x00000001401BA000-memory.dmp

          Filesize

          1.7MB

        • memory/1212-21-0x0000000140000000-0x00000001401BA000-memory.dmp

          Filesize

          1.7MB

        • memory/1212-20-0x0000000140000000-0x00000001401BA000-memory.dmp

          Filesize

          1.7MB

        • memory/1212-33-0x0000000140000000-0x00000001401BA000-memory.dmp

          Filesize

          1.7MB

        • memory/1212-32-0x0000000140000000-0x00000001401BA000-memory.dmp

          Filesize

          1.7MB

        • memory/1212-35-0x0000000140000000-0x00000001401BA000-memory.dmp

          Filesize

          1.7MB

        • memory/1212-36-0x0000000140000000-0x00000001401BA000-memory.dmp

          Filesize

          1.7MB

        • memory/1212-37-0x0000000140000000-0x00000001401BA000-memory.dmp

          Filesize

          1.7MB

        • memory/1212-38-0x0000000140000000-0x00000001401BA000-memory.dmp

          Filesize

          1.7MB

        • memory/1212-34-0x0000000140000000-0x00000001401BA000-memory.dmp

          Filesize

          1.7MB

        • memory/1212-39-0x0000000140000000-0x00000001401BA000-memory.dmp

          Filesize

          1.7MB

        • memory/1212-40-0x0000000140000000-0x00000001401BA000-memory.dmp

          Filesize

          1.7MB

        • memory/1212-42-0x0000000140000000-0x00000001401BA000-memory.dmp

          Filesize

          1.7MB

        • memory/1212-41-0x0000000140000000-0x00000001401BA000-memory.dmp

          Filesize

          1.7MB

        • memory/1212-43-0x0000000140000000-0x00000001401BA000-memory.dmp

          Filesize

          1.7MB

        • memory/1212-44-0x0000000002A80000-0x0000000002A87000-memory.dmp

          Filesize

          28KB

        • memory/1212-52-0x0000000076FC1000-0x0000000076FC2000-memory.dmp

          Filesize

          4KB

        • memory/1212-53-0x0000000077120000-0x0000000077122000-memory.dmp

          Filesize

          8KB

        • memory/1212-51-0x0000000140000000-0x00000001401BA000-memory.dmp

          Filesize

          1.7MB

        • memory/1212-29-0x0000000140000000-0x00000001401BA000-memory.dmp

          Filesize

          1.7MB

        • memory/1212-68-0x0000000140000000-0x00000001401BA000-memory.dmp

          Filesize

          1.7MB

        • memory/1212-31-0x0000000140000000-0x00000001401BA000-memory.dmp

          Filesize

          1.7MB

        • memory/1212-30-0x0000000140000000-0x00000001401BA000-memory.dmp

          Filesize

          1.7MB

        • memory/1212-27-0x0000000140000000-0x00000001401BA000-memory.dmp

          Filesize

          1.7MB

        • memory/1212-4-0x0000000076DB6000-0x0000000076DB7000-memory.dmp

          Filesize

          4KB

        • memory/1212-19-0x0000000140000000-0x00000001401BA000-memory.dmp

          Filesize

          1.7MB

        • memory/1212-18-0x0000000140000000-0x00000001401BA000-memory.dmp

          Filesize

          1.7MB

        • memory/1212-17-0x0000000140000000-0x00000001401BA000-memory.dmp

          Filesize

          1.7MB

        • memory/1212-16-0x0000000140000000-0x00000001401BA000-memory.dmp

          Filesize

          1.7MB

        • memory/1212-7-0x0000000140000000-0x00000001401BA000-memory.dmp

          Filesize

          1.7MB

        • memory/1212-5-0x0000000002B20000-0x0000000002B21000-memory.dmp

          Filesize

          4KB

        • memory/1212-144-0x0000000076DB6000-0x0000000076DB7000-memory.dmp

          Filesize

          4KB

        • memory/1212-11-0x0000000140000000-0x00000001401BA000-memory.dmp

          Filesize

          1.7MB

        • memory/1212-12-0x0000000140000000-0x00000001401BA000-memory.dmp

          Filesize

          1.7MB

        • memory/1212-13-0x0000000140000000-0x00000001401BA000-memory.dmp

          Filesize

          1.7MB

        • memory/1212-15-0x0000000140000000-0x00000001401BA000-memory.dmp

          Filesize

          1.7MB

        • memory/1212-10-0x0000000140000000-0x00000001401BA000-memory.dmp

          Filesize

          1.7MB

        • memory/1212-14-0x0000000140000000-0x00000001401BA000-memory.dmp

          Filesize

          1.7MB

        • memory/1212-9-0x0000000140000000-0x00000001401BA000-memory.dmp

          Filesize

          1.7MB

        • memory/2212-119-0x0000000000220000-0x0000000000227000-memory.dmp

          Filesize

          28KB

        • memory/2968-8-0x0000000140000000-0x00000001401BA000-memory.dmp

          Filesize

          1.7MB

        • memory/2968-0-0x0000000000390000-0x0000000000397000-memory.dmp

          Filesize

          28KB

        • memory/2968-1-0x0000000140000000-0x00000001401BA000-memory.dmp

          Filesize

          1.7MB

        • memory/3020-101-0x0000000000270000-0x0000000000277000-memory.dmp

          Filesize

          28KB
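Triage helper, added here as an example and not part of the sandbox report. The Processes and Downloads sections above show three binaries that first ran from C:\Windows\system32 (icardagt.exe, tcmsetup.exe, dpapimig.exe) and then ran again from a randomly named folder under AppData\Local, each beside a single dropped DLL (VERSION.dll, TAPI32.dll, DUI70.dll); a .lnk was written to the Startup folder, and the same three DLL names were dropped a second time under AppData\Roaming. The script derives those observations from the report's own lists rather than from a hard-coded inventory of Windows binaries, and reads the memory-dump names to list which PIDs had a 1.7 MB region mapped at 0x140000000. Two assumptions: a DLL co-located with a copied system binary is reported only as a side-loading candidate (the report does not show which DLL each binary imports), and PID 1212, which has that mapping but is absent from the process tree, is left unnamed (the report's "Dridex Shellcode" signature describes injection into Explorer, but the report does not state what image PID 1212 is). Input data is transcribed from the report; the drive-less \Users\... duplicates and most of the memory-dump list are omitted for brevity.

```python
"""Triage helper (added example, not code from the sandbox): derive side-loading and
persistence candidates from the report's process, dropped-file and memory-dump lists."""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Processes section: (image path, PID).
PROCESSES = [
    (r"C:\Windows\system32\rundll32.exe", 2968),
    (r"C:\Windows\system32\icardagt.exe", 1204),
    (r"C:\Users\Admin\AppData\Local\sIuNUZy\icardagt.exe", 592),
    (r"C:\Windows\system32\tcmsetup.exe", 988),
    (r"C:\Users\Admin\AppData\Local\pfaKg9vz\tcmsetup.exe", 3020),
    (r"C:\Windows\system32\dpapimig.exe", 1672),
    (r"C:\Users\Admin\AppData\Local\7Z9\dpapimig.exe", 2212),
]
# Downloads section: (path, MD5), one entry per distinct hash; the drive-less
# "\Users\..." duplicates of the same paths are omitted.
DROPPED = [
    (r"C:\Users\Admin\AppData\Local\7Z9\DUI70.dll", "cc3b1bff8e1bd665f18b92448c84ca8c"),
    (r"C:\Users\Admin\AppData\Local\7Z9\dpapimig.exe", "0e8b8abea4e23ddc9a70614f3f651303"),
    (r"C:\Users\Admin\AppData\Local\pfaKg9vz\TAPI32.dll", "6966bec7cae45006a7c0f9eadcbc25c2"),
    (r"C:\Users\Admin\AppData\Local\pfaKg9vz\tcmsetup.exe", "fd020b037e6517def1d8d1322c77c0d9"),
    (r"C:\Users\Admin\AppData\Local\pfaKg9vz\tcmsetup.exe", "0b08315da0da7f9f472fbab510bfe7b8"),
    (r"C:\Users\Admin\AppData\Local\sIuNUZy\VERSION.dll", "c9385c0ba09767995bf2e8407e68dd8d"),
    (r"C:\Users\Admin\AppData\Local\sIuNUZy\icardagt.exe", "2763c73ec27fbf4f66b7c183b48393d0"),
    (r"C:\Users\Admin\AppData\Local\sIuNUZy\icardagt.exe", "a5ad94dc8a9820653956e68f2e5c9040"),
    (r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Yiudzqwx.lnk", "207310677cc002610410a30bc19e6fff"),
    (r"C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\pER6T\DUI70.dll", "417f25949c36271d81c3f1964461d04d"),
    (r"C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\wr8pTpN92\TAPI32.dll", "7bdcfc7b01c9ab7ad29835541d536349"),
    (r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\w3Gkhdk8977\VERSION.dll", "dd7f0f99c3c00e31b8fd20fbd5ad4f93"),
]
# Subset of the report's memory-dump names, enough to show the per-PID pattern.
MEMORY_DUMPS = [
    "memory/592-85-0x0000000140000000-0x00000001401BB000-memory.dmp",
    "memory/592-80-0x00000000003C0000-0x00000000003C7000-memory.dmp",
    "memory/1212-26-0x0000000140000000-0x00000001401BA000-memory.dmp",
    "memory/2968-1-0x0000000140000000-0x00000001401BA000-memory.dmp",
]
SYSTEM32 = r"c:\windows\system32"
DUMP_RE = re.compile(r"^memory/(\d+)-\d+-0x([0-9a-f]+)-0x([0-9a-f]+)-memory\.dmp$", re.I)

def _parent(path):
    # Lower-cased parent directory: NTFS is case-preserving, not case-sensitive.
    return str(PureWindowsPath(path).parent).lower()

def copied_system_binaries(processes, dropped):
    """Dropped .exe files named like a binary that ran from System32 in this run.
    The name set comes from the process list, so no Windows inventory is needed."""
    system = {PureWindowsPath(p).name.lower(): p for p, _ in processes if _parent(p) == SYSTEM32}
    return {p: system[PureWindowsPath(p).name.lower()] for p, _ in dropped
            if p.lower().endswith(".exe") and _parent(p) != SYSTEM32
            and PureWindowsPath(p).name.lower() in system}

def sideload_candidates(dropped, copied):
    """DLLs written into the same directory as a copied system binary. Co-location
    is all the report shows; which DLL each binary imports is not claimed here."""
    dlls = defaultdict(set)
    for p, _ in dropped:
        if p.lower().endswith(".dll"):
            dlls[_parent(p)].add(p)
    return {exe: sorted(dlls[_parent(exe)]) for exe in copied}

def relocated_dll_names(dropped):
    """DLL base names that were dropped into more than one directory."""
    dirs = defaultdict(set)
    for p, _ in dropped:
        if p.lower().endswith(".dll"):
            dirs[PureWindowsPath(p).name.lower()].add(_parent(p))
    return {name: len(d) for name, d in dirs.items() if len(d) > 1}

def startup_persistence(dropped):
    """Shortcuts written to a Start Menu\\Programs\\Startup folder (8.3 names included)."""
    return [p for p, _ in dropped
            if p.lower().endswith(".lnk") and "\\programs\\startup\\" in p.lower()]

def pids_with_image_at(dumps, base=0x140000000, min_size=0x100000):
    """PIDs with a dumped region starting at `base` of at least `min_size` bytes."""
    pids = set()
    for name in dumps:
        m = DUMP_RE.match(name)
        if m and int(m.group(2), 16) == base and int(m.group(3), 16) - base >= min_size:
            pids.add(int(m.group(1)))
    return sorted(pids)

def triage(processes=PROCESSES, dropped=DROPPED, dumps=MEMORY_DUMPS):
    copied = copied_system_binaries(processes, dropped)
    return {
        "copied_system_binaries": copied,
        "sideload_candidates": sideload_candidates(dropped, copied),
        "relocated_dll_names": relocated_dll_names(dropped),
        "startup_persistence": startup_persistence(dropped),
        "pids_with_loader_image": pids_with_image_at(dumps),
        "block_hashes": sorted({md5 for _, md5 in dropped}),
    }

if __name__ == "__main__":
    import json
    print(json.dumps(triage(), indent=2))
```

On this report the helper pairs each of the three copied binaries with exactly one DLL, reports dui70.dll, tapi32.dll and version.dll as each dropped into two directories, lists the Startup .lnk, and lists PIDs 592, 1212 and 2968 as the ones with the image-sized region at 0x140000000. The same functions work on any Triage-style artifact list; the only per-report input is the three transcribed lists.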