Analysis

  • max time kernel
    150s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    20-01-2024 10:27

General

  • Target

    6a2f78fd728fdf56e1674632e7f5a5ed.dll

  • Size

    1.5MB

  • MD5

    6a2f78fd728fdf56e1674632e7f5a5ed

  • SHA1

    ff8ef932fc913e7f6affbaf71c85ef9e39651c7b

  • SHA256

    7cdb42626487138e394194e7d97f06affc9a4cba685fca6d1a496bd1765140f9

  • SHA512

    355a81750538976caaac04368d5bcfe05f31f8e22cf993a45e8ba54e113770c16a4ee36cf57f1b7b625bbd5d02b8c8c7d5e70f330e7861907844496ed23a9a44

  • SSDEEP

    12288:lVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:8fP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Malware Config

Signatures

  • Dridex

    Dridex (known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex payload shellcode injected into the Explorer process.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\6a2f78fd728fdf56e1674632e7f5a5ed.dll,#1
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1260
  • C:\Windows\system32\UI0Detect.exe
    C:\Windows\system32\UI0Detect.exe
      PID:2492
    • C:\Users\Admin\AppData\Local\U7W1KzRoy\UI0Detect.exe
      C:\Users\Admin\AppData\Local\U7W1KzRoy\UI0Detect.exe
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:340
    • C:\Windows\system32\msra.exe
      C:\Windows\system32\msra.exe
        PID:1288
      • C:\Users\Admin\AppData\Local\BiEXiyRj5\msra.exe
        C:\Users\Admin\AppData\Local\BiEXiyRj5\msra.exe
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2576
      • C:\Windows\system32\wisptis.exe
        C:\Windows\system32\wisptis.exe
          PID:1692
        • C:\Users\Admin\AppData\Local\6TSM6N\wisptis.exe
          C:\Users\Admin\AppData\Local\6TSM6N\wisptis.exe
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2428

Network

MITRE ATT&CK Enterprise v15

Downloads

        • C:\Users\Admin\AppData\Local\6TSM6N\slc.dll

          Filesize

          81KB

          MD5

          2336c0f56dccd8f96a169900ae2bbfe6

          SHA1

          26b3db6fa0ebd0acbeee6dbac4cdef028604f442

          SHA256

          0b8940037dee65f28228ea43500198900696ad3c8d4ab5d958c5e105af2f7192

          SHA512

          4d0b541f07e01df1126f346b1a77ca52fafd0145fb59af6c308cfd45b0cd20123105c98b1f5e52155b3f00f2de4c07dd72a03deab7cfc8f0f305ad16c76f6dad

        • C:\Users\Admin\AppData\Local\6TSM6N\wisptis.exe

          Filesize

          165KB

          MD5

          09ebfd500a4a587f863c4f0f277feb5c

          SHA1

          b4a18906e52b2d4181e9ced75bf7d2e3a4ba40ad

          SHA256

          2cba12b737d65ee62ce2ac0855dd5025b152f250d0b6d8160c8fd700be2b1748

          SHA512

          ab6ef415580a0b323ffe53b0f475b8a086fda0540b7401bed1c35306b9ad16368897b1a0b2ebd60f3d0d661ebbc4432618a1f56ec6a64de1894458dc0bc14ba9

        • C:\Users\Admin\AppData\Local\6TSM6N\wisptis.exe

          Filesize

          129KB

          MD5

          18c67e5ce2ae53072e87f4261fb19573

          SHA1

          dfd22545efaa88860c80e69e5730c469bcf0f1d0

          SHA256

          3abd7437170d934aad976566c9831a1c175cfac5b3354d98d194c4d3915fb188

          SHA512

          b975f9877282cc4df77043735d1f8a9f877e0f15a054dc7b5a172b0b4cbf7fa49630709dd0ec19c81f22ee4acc5b9735225391a41cc1d479690b6ae7c3e8a03c

        • C:\Users\Admin\AppData\Local\BiEXiyRj5\UxTheme.dll

          Filesize

          13KB

          MD5

          ce41b25e0d70084d084ab2803c48c121

          SHA1

          18d76fbdbf05880e5a0da38f95440e017342605f

          SHA256

          e44c80281cad960f66e836c074b239d0bcf083dc20b9fb095f3bf06ba79eb56d

          SHA512

          142794c1165eacb88dd305083b621519b488c7a4926233cda6d77ccf4b429ea12627db025291d9bd40b63531ee1d7134cf4a447b24b3263a1df1d6876224ea4b

        • C:\Users\Admin\AppData\Local\BiEXiyRj5\msra.exe

          Filesize

          168KB

          MD5

          6928e6457abcd76fb59d12f5295b5b02

          SHA1

          dadb6bf2266af54bd810c8fa4fcad12ffad6bdad

          SHA256

          3725e6b589937bfd87beda11cf8dbe5c76fecc795067009c2f6a828eded43e22

          SHA512

          d6ef34e6ea4852c599039bbaf4f61f379c759e6bb9c0605b6d273f3dde1a5185a6ca9a876e99e5d0294b67a93020ff348b9f3010d30f927d8fbb226be68cf797

        • C:\Users\Admin\AppData\Local\BiEXiyRj5\msra.exe

          Filesize

          58KB

          MD5

          cba485ea0586f7152462c665887898f9

          SHA1

          8618aacf0c603887a0ead7c77a67d477b564faa2

          SHA256

          7bcbfa72e4aae0d23af59ae95c1164b179d7fdeab911ccddb6930eae457efaab

          SHA512

          741fb9a4052c0902118a3a7b01fb99c27eeac3cb2844755c56713875ccc724da4f3f445367c5749322d7ac6a3525525cf21aabd30facb49cee4d5f1d493f5a38

        • C:\Users\Admin\AppData\Local\U7W1KzRoy\UI0Detect.exe

          Filesize

          40KB

          MD5

          3cbdec8d06b9968aba702eba076364a1

          SHA1

          6e0fcaccadbdb5e3293aa3523ec1006d92191c58

          SHA256

          b8dab8aa804fc23021bfebd7ae4d40fbe648d6c6ba21cc008e26d1c084972f9b

          SHA512

          a8e434c925ef849ecef0efcb4873dbb95eea2821c967b05afbbe5733071cc2293fc94e7fdf1fdaee51cbcf9885b3b72bfd4d690f23af34558b056920263e465d

        • C:\Users\Admin\AppData\Local\U7W1KzRoy\WTSAPI32.dll

          Filesize

          93KB

          MD5

          5df72b7ff775d0cdeacb4d3f742af984

          SHA1

          a2bc7a78018bb92ab577a88bbe94687a07904785

          SHA256

          d6e30e2758dc0214a3fd28b28a6209552da1750f02edcdd3b7acf9397ef05c09

          SHA512

          e404d1115673a025ae3b51afa4f69dde9c83c72303f78221a4e2cc1ad35b42e4f73ed39b9564272bd23c2c114b580a3354afc3e6dc43cf7bb8e47ee1ad842941

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ekhyqsv.lnk

          Filesize

          1005B

          MD5

          cc63ed61c9e8122e94eb479e78baf4db

          SHA1

          cfbcca37e00de91fda9e1ebcd92c04263ebb9ca4

          SHA256

          ae131e06d3438359d96db167b7dbe932cb0509e043548839e397e8252a257342

          SHA512

          0ba9ae7ea72246ccba1f977e2f00021d7addadca4c5ba69dd0df37addac11e622e894e3ecc0f51d900b284a3d0957d8ee57df22507fa82131d4558faf4d5df6b

        • C:\Users\Admin\AppData\Roaming\Microsoft\Protect\D18Q\slc.dll

          Filesize

          1.5MB

          MD5

          7b3e290c5511b499ddd97233232277b0

          SHA1

          d0982391e8c36394427ce3c8530e2230422aff16

          SHA256

          061180e622f68bc66381ba6c19815964a781354cd5b150e6203dffcce9fc458b

          SHA512

          1fce864fd6d3a4a056e134a6b34afeb4bd3936750ca0dad93251a009468c034cd5c56722b93c250989ff8d145c053e344989c9f2a5b7b5a6a7baeb051d348e1e

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IECompatUACache\hRko\WTSAPI32.dll

          Filesize

          1.5MB

          MD5

          4d9851868a2bb15d5503102710d02203

          SHA1

          2cb280b371ea9e4d36544dc306a601707b43de77

          SHA256

          0c56e8722a7e37db166cd384492213cf0612da08c331cba71fadb62d9d8ccf50

          SHA512

          e33d0bc07df029aa880506b8566d6df1bb53bc5f7e7d247bc1d1b049c64ae031cf242e3c36885e8bb3e24f16c270c6c87769963dc39423f207b83ef982f22055

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f28\UxTheme.dll

          Filesize

          1.5MB

          MD5

          3c4c8150e692cbd172f35e16233936ee

          SHA1

          605834abc5a34cf930fbb7fc79e922f7dec0e14a

          SHA256

          72f29a00214da27b8138cb9b953acc95ddae4a1d9c9c84c4509769540a4dc526

          SHA512

          9af063f7f5ce8f0fa6561bbc94be59f5d8777e82eea8a4e04c667dd032537ef52519d2b839e430718866f041253a7fc274c2744f634aa57e992f669dc3244b3e

        • \Users\Admin\AppData\Local\6TSM6N\slc.dll

          Filesize

          113KB

          MD5

          66f08c70c26a0f130615adcbfd1bf690

          SHA1

          b440f55a7d25a5bb208494bbd81d27585e6c07d7

          SHA256

          a224b076db149507e9dc78f29ec72e5bb266266e1718470a239ca3ab8c5547df

          SHA512

          e5c45200460adf8db3dce4aa0ea5909bc2187683102254066505dec5fbfd35fa94eff8ef72dba52a55e72e11e9b7002c79843cb99d510f0026a587013e24ba3a

        • \Users\Admin\AppData\Local\6TSM6N\wisptis.exe

          Filesize

          73KB

          MD5

          da180031f453d94500826072e3b33e8f

          SHA1

          c881623ab607873fb7923d138ca15fe495b52656

          SHA256

          c61b662f6c6a23c64e4e79c9aab29e0e72698907cbdddf188015cf035c8d956f

          SHA512

          b2bc81c0b000ac949180c207fa860559cc5e6cdfd286bd8396444cadbd4412cd67320ce2e5f0f691e4d55826cc4fea9be3d3f8d5fc481169c782d3d8861faa72

        • \Users\Admin\AppData\Local\BiEXiyRj5\UxTheme.dll

          Filesize

          75KB

          MD5

          1b0b2bdd0c652c9be7c5d4315916b8d5

          SHA1

          04ca92977b3a9c1feb1bbe06bbc0d87ecc809c71

          SHA256

          f0ff30c8802f95df51dcbd4a6c627d79b421e103d81b4ad69144b51ecb4d9bad

          SHA512

          8f15194724cba39fb41172bdf9c06f1fb2f2134a4b268bfa4ef179dfc0b899fc4d2a2db1519879fd08fc2729e9ea4bd650a073ba68b13bfb7afd688a3d2bf55f

        • \Users\Admin\AppData\Local\BiEXiyRj5\msra.exe

          Filesize

          37KB

          MD5

          d2731d1a4bc7d28ffba1b828ff48a484

          SHA1

          049f5c1caae03863e69de87e89cdf94e1bdf318c

          SHA256

          a2ef5aa53f6e633b37525db713fd9edb2c3d9ccad5375e81a92327897a26875c

          SHA512

          497c75930dfeac346ceb0c5a86b1fc2ce841a5ac76969209563e2ea3dd49d276fbb05028d6996722e36a6f3fdc31d59a344cc7e90762d4d1da618f0e706da222

        • \Users\Admin\AppData\Local\U7W1KzRoy\WTSAPI32.dll

          Filesize

          182KB

          MD5

          eed85e8ef4905811a325c7e8d7d91e3c

          SHA1

          aa5fff61d50412d037e133d1bd01474595735593

          SHA256

          a5a8e8ab8f34ddf1876f9be68df8884a40c984eecafd7ecd24566bcb3f5277c6

          SHA512

          64e35b1dfd82071aa92a6865ff030271940491849b51ea0eb331fbfc955d656e1cfc0c3cfcb324499bc61c4bb70273444a2940b24c4add3305317fa97cfd2a77

        • \Users\Admin\AppData\Roaming\Microsoft\Protect\D18Q\wisptis.exe

          Filesize

          204KB

          MD5

          1cf2fdc1839baa5c4f3bd029f906a541

          SHA1

          ccfc8b72fd5b73f0d624056410979b8638ef649c

          SHA256

          16a0bb8ae6b3befa92ccf7155b67ff60b2525ae0e1233342c73030925b03422f

          SHA512

          e2433c7cb364e624e6d4568ea27dc9de99ff6d7eb7afb25923b126c7cfb9fa26a9c44a3bce6470186b5d8c46adfeeb2b43843bb6abf9aaceba79b8d84b500f95

        • memory/340-90-0x0000000000170000-0x0000000000177000-memory.dmp

          Filesize

          28KB

        • memory/1220-23-0x0000000140000000-0x0000000140189000-memory.dmp

          Filesize

          1.5MB

        • memory/1220-45-0x0000000140000000-0x0000000140189000-memory.dmp

          Filesize

          1.5MB

        • memory/1220-21-0x0000000140000000-0x0000000140189000-memory.dmp

          Filesize

          1.5MB

        • memory/1220-20-0x0000000140000000-0x0000000140189000-memory.dmp

          Filesize

          1.5MB

        • memory/1220-26-0x0000000140000000-0x0000000140189000-memory.dmp

          Filesize

          1.5MB

        • memory/1220-32-0x0000000140000000-0x0000000140189000-memory.dmp

          Filesize

          1.5MB

        • memory/1220-33-0x0000000140000000-0x0000000140189000-memory.dmp

          Filesize

          1.5MB

        • memory/1220-31-0x0000000140000000-0x0000000140189000-memory.dmp

          Filesize

          1.5MB

        • memory/1220-30-0x0000000140000000-0x0000000140189000-memory.dmp

          Filesize

          1.5MB

        • memory/1220-29-0x0000000140000000-0x0000000140189000-memory.dmp

          Filesize

          1.5MB

        • memory/1220-28-0x0000000140000000-0x0000000140189000-memory.dmp

          Filesize

          1.5MB

        • memory/1220-27-0x0000000140000000-0x0000000140189000-memory.dmp

          Filesize

          1.5MB

        • memory/1220-38-0x0000000140000000-0x0000000140189000-memory.dmp

          Filesize

          1.5MB

        • memory/1220-39-0x0000000140000000-0x0000000140189000-memory.dmp

          Filesize

          1.5MB

        • memory/1220-37-0x0000000140000000-0x0000000140189000-memory.dmp

          Filesize

          1.5MB

        • memory/1220-36-0x0000000140000000-0x0000000140189000-memory.dmp

          Filesize

          1.5MB

        • memory/1220-42-0x0000000140000000-0x0000000140189000-memory.dmp

          Filesize

          1.5MB

        • memory/1220-41-0x0000000140000000-0x0000000140189000-memory.dmp

          Filesize

          1.5MB

        • memory/1220-40-0x0000000140000000-0x0000000140189000-memory.dmp

          Filesize

          1.5MB

        • memory/1220-35-0x0000000140000000-0x0000000140189000-memory.dmp

          Filesize

          1.5MB

        • memory/1220-34-0x0000000140000000-0x0000000140189000-memory.dmp

          Filesize

          1.5MB

        • memory/1220-44-0x0000000140000000-0x0000000140189000-memory.dmp

          Filesize

          1.5MB

        • memory/1220-47-0x0000000140000000-0x0000000140189000-memory.dmp

          Filesize

          1.5MB

        • memory/1220-48-0x0000000140000000-0x0000000140189000-memory.dmp

          Filesize

          1.5MB

        • memory/1220-46-0x0000000140000000-0x0000000140189000-memory.dmp

          Filesize

          1.5MB

        • memory/1220-52-0x0000000140000000-0x0000000140189000-memory.dmp

          Filesize

          1.5MB

        • memory/1220-51-0x0000000140000000-0x0000000140189000-memory.dmp

          Filesize

          1.5MB

        • memory/1220-50-0x0000000140000000-0x0000000140189000-memory.dmp

          Filesize

          1.5MB

        • memory/1220-49-0x0000000140000000-0x0000000140189000-memory.dmp

          Filesize

          1.5MB

        • memory/1220-22-0x0000000140000000-0x0000000140189000-memory.dmp

          Filesize

          1.5MB

        • memory/1220-43-0x0000000140000000-0x0000000140189000-memory.dmp

          Filesize

          1.5MB

        • memory/1220-54-0x0000000140000000-0x0000000140189000-memory.dmp

          Filesize

          1.5MB

        • memory/1220-53-0x0000000003860000-0x0000000003867000-memory.dmp

          Filesize

          28KB

        • memory/1220-63-0x0000000077B20000-0x0000000077B22000-memory.dmp

          Filesize

          8KB

        • memory/1220-62-0x00000000779C1000-0x00000000779C2000-memory.dmp

          Filesize

          4KB

        • memory/1220-61-0x0000000140000000-0x0000000140189000-memory.dmp

          Filesize

          1.5MB

        • memory/1220-72-0x0000000140000000-0x0000000140189000-memory.dmp

          Filesize

          1.5MB

        • memory/1220-4-0x00000000778B6000-0x00000000778B7000-memory.dmp

          Filesize

          4KB

        • memory/1220-25-0x0000000140000000-0x0000000140189000-memory.dmp

          Filesize

          1.5MB

        • memory/1220-24-0x0000000140000000-0x0000000140189000-memory.dmp

          Filesize

          1.5MB

        • memory/1220-14-0x0000000140000000-0x0000000140189000-memory.dmp

          Filesize

          1.5MB

        • memory/1220-17-0x0000000140000000-0x0000000140189000-memory.dmp

          Filesize

          1.5MB

        • memory/1220-19-0x0000000140000000-0x0000000140189000-memory.dmp

          Filesize

          1.5MB

        • memory/1220-18-0x0000000140000000-0x0000000140189000-memory.dmp

          Filesize

          1.5MB

        • memory/1220-5-0x0000000003950000-0x0000000003951000-memory.dmp

          Filesize

          4KB

        • memory/1220-15-0x0000000140000000-0x0000000140189000-memory.dmp

          Filesize

          1.5MB

        • memory/1220-16-0x0000000140000000-0x0000000140189000-memory.dmp

          Filesize

          1.5MB

        • memory/1220-9-0x0000000140000000-0x0000000140189000-memory.dmp

          Filesize

          1.5MB

        • memory/1220-10-0x0000000140000000-0x0000000140189000-memory.dmp

          Filesize

          1.5MB

        • memory/1220-11-0x0000000140000000-0x0000000140189000-memory.dmp

          Filesize

          1.5MB

        • memory/1220-163-0x00000000778B6000-0x00000000778B7000-memory.dmp

          Filesize

          4KB

        • memory/1220-13-0x0000000140000000-0x0000000140189000-memory.dmp

          Filesize

          1.5MB

        • memory/1220-12-0x0000000140000000-0x0000000140189000-memory.dmp

          Filesize

          1.5MB

        • memory/1220-7-0x0000000140000000-0x0000000140189000-memory.dmp

          Filesize

          1.5MB

        • memory/1260-8-0x0000000140000000-0x0000000140189000-memory.dmp

          Filesize

          1.5MB

        • memory/1260-0-0x0000000140000000-0x0000000140189000-memory.dmp

          Filesize

          1.5MB

        • memory/1260-2-0x00000000000A0000-0x00000000000A7000-memory.dmp

          Filesize

          28KB

        • memory/2428-132-0x0000000000090000-0x0000000000097000-memory.dmp

          Filesize

          28KB

        • memory/2576-108-0x0000000000110000-0x0000000000117000-memory.dmp

          Filesize

          28KB