Analysis

  • max time kernel
    150s
  • max time network
    117s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    20-01-2024 12:24

General

  • Target

    6a6b1b2cfc389798b42fa591a501875a.dll

  • Size

    4.0MB

  • MD5

    6a6b1b2cfc389798b42fa591a501875a

  • SHA1

    a0139d22265f40b8571722655d128c58f500d50b

  • SHA256

    0aecdf55017f43fa0c4a2c407c639d854fb2fddd9400e047d573b163596ef7f5

  • SHA512

    652b3db7e0e0f19e7362f08ce418290fbec37c7e66a2ee6a5b8abd644caa056d6c5c4372a35eb607d40f0f3b60847130e29dc42a945d34c5147a3a2375b11813

  • SSDEEP

    24576:mfP7fWsK5z9A+WGAW+V5SB6Ct4bnbxXM0:qDW/e+WG0Vo6CtSn6

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat or Cridex) is a banking trojan that specializes in stealing bank credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\6a6b1b2cfc389798b42fa591a501875a.dll,#1
    PID:1328
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
  • C:\Windows\system32\BdeUISrv.exe
    C:\Windows\system32\BdeUISrv.exe
    PID:2748
  • C:\Users\Admin\AppData\Local\78FYwIu\BdeUISrv.exe
    C:\Users\Admin\AppData\Local\78FYwIu\BdeUISrv.exe
    PID:2880
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
  • C:\Windows\system32\PresentationSettings.exe
    C:\Windows\system32\PresentationSettings.exe
    PID:2856
  • C:\Users\Admin\AppData\Local\kLV\PresentationSettings.exe
    C:\Users\Admin\AppData\Local\kLV\PresentationSettings.exe
    PID:2932
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
  • C:\Windows\system32\TpmInit.exe
    C:\Windows\system32\TpmInit.exe
    PID:1904
  • C:\Users\Admin\AppData\Local\S1xY\TpmInit.exe
    C:\Users\Admin\AppData\Local\S1xY\TpmInit.exe
    PID:1612
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled

  Each of BdeUISrv.exe, PresentationSettings.exe and TpmInit.exe appears twice: once running from C:\Windows\system32 and once from a newly created directory under AppData\Local that also received a DLL carrying a Windows system DLL name (WTSAPI32.dll beside BdeUISrv.exe, WINMM.dll beside PresentationSettings.exe, ACTIVEDS.dll beside TpmInit.exe; see Downloads). That layout is the one used for DLL search-order hijacking, and the "Loads dropped DLL" signature fires on exactly those three copies (PIDs 2880, 2932 and 1612). The System32 launches carry no signatures.
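The process list above places each dropped executable in a fresh directory next to a DLL named after a system DLL, which is the layout a DLL search-order hijack needs. The following Python is an added example, not part of the sandbox report or of any tool it names: it runs a detection heuristic over process and file-write records constructed from the PIDs and paths in this report (the set of system DLL names is an assumed stand-in for a baseline taken from a clean image), and it shows why a Startup-folder check must cope with the 8.3 short names (MICROS~1, STARTM~1) in which the report records the Aqrvnhd.lnk path.

```python
"""
Heuristic for the pattern in the process list: an executable carrying the name
of a Windows System32 binary runs from a user-writable directory into which a
DLL carrying a Windows system DLL name was also dropped, so the copied binary
resolves that import from its own directory first (DLL search-order hijacking).
Added example, not part of the sandbox report. The event lists are constructed
from the paths and PIDs in the report; SYSTEM_DLL_NAMES stands in for a baseline
of DLL names taken from a clean image (assumption).
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed from the report's process tree: (pid, image path).
PROCESS_EVENTS = [
    (1328, r"C:\Windows\system32\rundll32.exe"),
    (2748, r"C:\Windows\system32\BdeUISrv.exe"),
    (2880, r"C:\Users\Admin\AppData\Local\78FYwIu\BdeUISrv.exe"),
    (2856, r"C:\Windows\system32\PresentationSettings.exe"),
    (2932, r"C:\Users\Admin\AppData\Local\kLV\PresentationSettings.exe"),
    (1904, r"C:\Windows\system32\TpmInit.exe"),
    (1612, r"C:\Users\Admin\AppData\Local\S1xY\TpmInit.exe"),
]
# Constructed from the report's Downloads list: files written during the run.
FILE_WRITES = [
    r"C:\Users\Admin\AppData\Local\78FYwIu\BdeUISrv.exe",
    r"C:\Users\Admin\AppData\Local\78FYwIu\WTSAPI32.dll",
    r"C:\Users\Admin\AppData\Local\kLV\PresentationSettings.exe",
    r"C:\Users\Admin\AppData\Local\kLV\WINMM.dll",
    r"C:\Users\Admin\AppData\Local\S1xY\TpmInit.exe",
    r"C:\Users\Admin\AppData\Local\S1xY\ACTIVEDS.dll",
    r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Aqrvnhd.lnk",
]
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Assumed stand-in for the DLL names present in System32 on a clean image.
SYSTEM_DLL_NAMES = {"wtsapi32.dll", "winmm.dll", "activeds.dll"}


@dataclass(frozen=True)
class Finding:
    pid: int
    exe: str
    sideloaded_dll: str


def in_system_dir(path: str) -> bool:
    return str(PureWindowsPath(path).parent).lower() in SYSTEM_DIRS


def find_sideload_candidates(process_events, file_writes, system_dll_names):
    """One Finding per (system-named EXE outside System32, system-named DLL beside it)."""
    # Learn system executable names from processes that really ran from System32,
    # so that part of the baseline comes from the telemetry itself.
    system_exe_names = {
        PureWindowsPath(p).name.lower() for _, p in process_events if in_system_dir(p)
    }
    # Index dropped files by lower-cased directory.
    dropped_by_dir: dict[str, set[str]] = {}
    for path in file_writes:
        p = PureWindowsPath(path)
        dropped_by_dir.setdefault(str(p.parent).lower(), set()).add(p.name.lower())
    findings = []
    for pid, path in process_events:
        p = PureWindowsPath(path)
        if in_system_dir(path) or p.name.lower() not in system_exe_names:
            continue  # genuine System32 launch, or not a system-named binary
        beside = dropped_by_dir.get(str(p.parent).lower(), set())
        for dll in sorted(beside & system_dll_names):
            findings.append(Finding(pid, path, dll))
    return findings


def find_startup_writes(file_writes):
    """Files written into a Start Menu Startup folder.

    The report records the path with 8.3 short names (MICROS~1, STARTM~1), so a
    literal match on the long form (Microsoft, Start Menu) misses it. "Programs"
    and "Startup" are at most eight characters and have no short form, so
    matching on that tail of the path catches both spellings.
    """
    hits = []
    for path in file_writes:
        parts = [s.lower() for s in PureWindowsPath(path).parts]
        if len(parts) >= 3 and parts[-3:-1] == ["programs", "startup"]:
            hits.append(path)
    return hits


if __name__ == "__main__":
    for f in find_sideload_candidates(PROCESS_EVENTS, FILE_WRITES, SYSTEM_DLL_NAMES):
        print(f"PID {f.pid}: {f.exe} may load dropped {f.sideloaded_dll}")
    for path in find_startup_writes(FILE_WRITES):
        print(f"Startup persistence: {path}")
```

Run against the constructed records, the heuristic flags only the three relocated copies (PIDs 2880, 2932 and 1612) and leaves the System32 launches and rundll32.exe alone; the Startup check returns the .lnk despite its short-name spelling.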

Network

MITRE ATT&CK Enterprise v15

Downloads

Some paths are listed more than once (with and without the drive letter) and with different sizes and digests; each entry below is a separate capture and a separate indicator. One PresentationSettings.exe entry has no Filesize and carries the digests of the empty input, meaning a zero-byte capture; it is marked below.

  • C:\Users\Admin\AppData\Local\78FYwIu\BdeUISrv.exe
    Filesize
    47KB
    MD5
    1da6b19be5d4949c868a264bc5e74206
    SHA1
    d5ee86ba03a03ef8c93d93accafe40461084c839
    SHA256
    00330a0e0eb1dbb6ee84997963f8e15c7c15c1df787f1c7f109609d7b31bd35c
    SHA512
    9cee858c55eb0852e5bad53a675a094ae591b46b07afe9fb4224cac32e0be577fe36c1ed3e9f6bda4d4eb0c924a773d00e3181cd97f07e24c6c68c70f2b002c6

  • C:\Users\Admin\AppData\Local\78FYwIu\WTSAPI32.dll
    Filesize
    150KB
    MD5
    d0938eafa3aa38ec4042d798cf02009a
    SHA1
    2386635f38732b139df7f5f1644425b17740f5c7
    SHA256
    f95401c58cdd855647715d6028f7d20906b733db4509ea8e0178407f5be3ced9
    SHA512
    f091166901ac32d7a2db5b1fd6d558fefcd9dfeb1ecb8ca81e7f19a34de81223aaf5bc35460ba06c09955fce53a1a531fa8bdd2a621bc127384bf5a365a6f010

  • C:\Users\Admin\AppData\Local\S1xY\ACTIVEDS.dll
    Filesize
    54KB
    MD5
    8dfe271a2eee0e62cbd6265b7e6e0eaa
    SHA1
    6475b3db24a6bd213615102e74d84a80b30943ce
    SHA256
    c7eee6438f1e09bf57f2883c5f04f23c6d43911d2e218eabd75d2d3a1f4c7907
    SHA512
    6617f4a7926de203751d703caca5581536ba22502f9d051b05dc2b19e308721ab87db1b464d1add3e33e73cf9cbea025f0c77bd49287dd165116f57f0d38c8bc

  • C:\Users\Admin\AppData\Local\S1xY\TpmInit.exe
    Filesize
    92KB
    MD5
    f84bc948f77db38303ecfe1f92e39d73
    SHA1
    66492270dbce27b7ac06239cfbaf042ce9280bdb
    SHA256
    dff9f2bc2d3bc7444d7952566a0b7e3d73d69ab56387336860c1fff13f4ac72d
    SHA512
    155d65559f7d7431629a2b6355957d15c9e82f529cb93aeab2652df28abe88ff8b6495967c4ef26c3fe9157acfe966c647037fa6368e83f2af38a460d8b6b418

  • C:\Users\Admin\AppData\Local\kLV\PresentationSettings.exe
    Filesize
    1KB
    MD5
    9881ef3b0061047d87a3c953cada7ba5
    SHA1
    636b68dd77eb9f60ad317f09efc5ca25ef9d33d7
    SHA256
    2b35c8ef24690e7452cc443d4c5efac92ea831eec1240ec171c1f329279f26a2
    SHA512
    c28c31a2bad27bd02930156c8b31810bfc362b42eaf39ad007eea5fb1e6a4898d6a50507279d2ca39faf4aaaa849b5333983c6cce378fddfc2e762699ce8d67b

  • C:\Users\Admin\AppData\Local\kLV\PresentationSettings.exe
    MD5
    d41d8cd98f00b204e9800998ecf8427e
    SHA1
    da39a3ee5e6b4b0d3255bfef95601890afd80709
    SHA256
    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
    SHA512
    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
    Note: the report gives no Filesize for this entry, and the four digests are those of the empty input (0 bytes). This is a zero-byte capture of the path; its hashes identify nothing and must not be used as indicators.

  • C:\Users\Admin\AppData\Local\kLV\WINMM.dll
    Filesize
    104KB
    MD5
    468d2c71bbfd85067a5dfe0b0e51f391
    SHA1
    5042fa756c67a0ab7bc3cb4a7233735de611264b
    SHA256
    07a6f7e5849f70f8b4515aecfa399ca3fce6811c7a4202f9d46d676cb15a99ff
    SHA512
    0a843d455510fb573c0d40b8c280024cb123fa0ea3303bf55d80690c4e0ad63c20f75f52d656d51374055cae75174d192494619e5d993b74ab33311122c33377

  • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Aqrvnhd.lnk
    Filesize
    1KB
    MD5
    6af3e4b186d76a6e4394b00e7479f4a3
    SHA1
    ea018f48d27fc13335767ff4784ce8da81bf0143
    SHA256
    3d7e3012b04da7ca139f0b5786f50a679d69975916638f6ef05a56667f7ad218
    SHA512
    36ba2a0b13f320e5ebd84ff8941f6e25b8cba471012cb487edd131305a00aac6b86f032d883b63cc84f58499f22983cb333961778b81257c5e76449dfb356728

  • C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\UserData\vS2GjI\ACTIVEDS.dll
    Filesize
    28KB
    MD5
    79a1353d496f07f627cb487c588ea6da
    SHA1
    e8e0c725b1b01f3984d3d12d8b202dda554998cc
    SHA256
    4a96af6c8dceff06d888ad3d73edba02bdf41452301708bee4906adaf936f308
    SHA512
    a1e8201e9d528f7eac80371342ad0a8924e75e397f8086899e0d657c831b3ed1d45f61a746f2f171266ca6d5a80411d89ee186d1a7b32d362896606109d1ac85

  • C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\UserData\vS2GjI\TpmInit.exe
    Filesize
    19KB
    MD5
    40837885276d2e7ee109a8e5fb3c810e
    SHA1
    0d69bb43bceddf249e9d23c04f6d63070d89651b
    SHA256
    adecd79c7125dec9f4f34aba7d81a2158c4f1bfb1ce4ac3c937ebce332c0eff9
    SHA512
    d928080c65cec0e3c99631393694cd01d45561ec398019596b14920a76e7bf4b732ae36d808292264acc546d1c22b80b540750c168d28e32e5c44cf46a5780d5

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\DNTException\Low\6qzS02ZGQEk\WINMM.dll
    Filesize
    259KB
    MD5
    a9ec62a845004ec7d3448e8d5411575c
    SHA1
    a20790b48be83a45ceb349416a78b5d9e34983a3
    SHA256
    deddcc236ffe1dbfc556355073792dcda5f82796009226feef43d26c13188b09
    SHA512
    8855d120f418bfba4aaba8ee88e062a41ffce7ec3b76c1e346e2cd3df19938c4fde6b58c2752fc65af80af23e6264cb639345a146cd3eddc2a424293436eb397

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\7PV2N4\WTSAPI32.dll
    Filesize
    76KB
    MD5
    0652b3de3cf062d5383811c999ea413c
    SHA1
    808094b5ea7891d91522b729693ea034f1c1c565
    SHA256
    66a0d7df9ab3152078526d178dd4672c71d061919b0e95b1bc939f62f9dc443e
    SHA512
    4e49bb1ad3587daa3bcc3d51aaa21c7e54532c0e31259586ef192435adf81e71ddcea71deb76edd79a567a114b84c18821b71deac5ecbf33e14a00a11100da5e

  • \Users\Admin\AppData\Local\78FYwIu\WTSAPI32.dll
    Filesize
    116KB
    MD5
    0ed044f01d09402b5d18e434a4f80f27
    SHA1
    0eba20f35ee69cf7fec1cc11aac8a2850007c455
    SHA256
    98cb94003307f35c2a627afc90754bea7343266a2fd5b36983ac3936d1f4aaaf
    SHA512
    9c8c47dbfc4bf8af3bf7fee277204f454e51707725f44623c2e3e6698d4b5a03fff21bc3b8895e75ae0e21ade7043b19737591f366ea7ac8f0fdcaa3c595dda4

  • \Users\Admin\AppData\Local\S1xY\ACTIVEDS.dll
    Filesize
    119KB
    MD5
    33dc2ce41ff9f725adebbbc23c0689e8
    SHA1
    84aea24a4d475e74cda12952c8f58cbda9406502
    SHA256
    dabe8f9d76546415ddbe9de7f7e37212955d264ae59fb22e1ce0382d07ed3c05
    SHA512
    dcffda46aa6540588319ae6ac85da90c18f87bba77738e62bf1d3ed12526047fc0a6425b5add07b15cd98610576ed9bf21b92a8c34f68fcd73db2550a762e74f

  • \Users\Admin\AppData\Local\S1xY\TpmInit.exe
    Filesize
    85KB
    MD5
    60998f8a5e6a44be228dd1e9252008a4
    SHA1
    62e67c590cdfbf95310b00f0c1cdb2cfa815de10
    SHA256
    54a6767aef6e416039eb69fdd1477f6506df2ea4fe4a1c4186a283036c5a032f
    SHA512
    0e206622b2a0bf47b681d243141967973be0f60958896eb96a4b03a4560097ff4d2acc1f6c57ad87da30a8ab98969ad14e9dec2f8f52538c8f7a2015cd9dc70e

  • \Users\Admin\AppData\Local\kLV\PresentationSettings.exe
    Filesize
    88KB
    MD5
    f43111e470dc3ff167058422c7058255
    SHA1
    b9078991697074f2d0c15585e4a205ceaa2a563b
    SHA256
    a2ebeb1eb46d03e7cf29f0255db9ec4857917af2905f52421a2fea72797576ee
    SHA512
    4696d8eb1485b16eb6d0f6d94b9444f3344b83eecb11b9cd2066c2c5a2534325abee3769cc0c77f114096cd23fc70a88356af25561235aa27995222ef41c3f1b

  • \Users\Admin\AppData\Local\kLV\WINMM.dll
    Filesize
    70KB
    MD5
    b78e5ed769649523be9cd7e66dbae9eb
    SHA1
    a6fbae94665dd0cbdf72130f954a5b42644dda68
    SHA256
    7ef3160c3a03e77f12df97e1733696c84060ba9b43ff0d6e299ec8c98f4d1d43
    SHA512
    493815eb4d185b948c108d7c4fb23eee2304a59f3cd124145e64093cd16add028f291a66cc1247656ccebc10e5a460224ef0cc5890d8513311f5dfc7e03baae1

  • \Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\UserData\vS2GjI\TpmInit.exe
    Filesize
    13KB
    MD5
    823c5c9c82be14e0f57c116d633a25ad
    SHA1
    cfb9785cbf9cb784d18a3e0a09d24d99d19c73b9
    SHA256
    229fe92cb27bc94b3492ed294ef1117a77ede1310baf58f86b5bf9762b13d51f
    SHA512
    e441563aabf6470e7d4687ca61b5ce7aa8fdce73fa56d1ff8629c25801d0ab1d396760c5a085cb7197c04eb645c71a89bb8e777919d7e68083af25bde51e565b

  The memory dumps are named memory/<PID>-<index>-<start>-<end>-memory.dmp. They are grouped here by process and address range, with the dump indices listed for each range. PID 1376 does not appear in the process tree above. The 4.0MB range at 0x0000000140000000 in PIDs 1328 and 1376 is the same size as the submitted DLL, and a 28KB range is dumped from every one of the five processes.

  • memory/1328 (C:\Windows\system32\rundll32.exe)
    0x0000000000330000-0x0000000000337000, 28KB: index 0
    0x0000000140000000-0x0000000140403000, 4.0MB: indices 1, 7

  • memory/1376 (not listed in the process tree)
    0x0000000077696000-0x0000000077697000, 4KB: indices 4, 160
    0x0000000002AE0000-0x0000000002AE1000, 4KB: index 5
    0x0000000140000000-0x0000000140403000, 4.0MB: indices 8 through 65 inclusive (58 dumps)
    0x0000000002AC0000-0x0000000002AC7000, 28KB: index 69
    0x00000000778A1000-0x00000000778A2000, 4KB: index 77
    0x0000000077A00000-0x0000000077A02000, 8KB: index 78

  • memory/1612 (C:\Users\Admin\AppData\Local\S1xY\TpmInit.exe)
    0x0000000000110000-0x0000000000117000, 28KB: index 141

  • memory/2880 (C:\Users\Admin\AppData\Local\78FYwIu\BdeUISrv.exe)
    0x0000000000100000-0x0000000000107000, 28KB: index 105

  • memory/2932 (C:\Users\Admin\AppData\Local\kLV\PresentationSettings.exe)
    0x00000000001B0000-0x00000000001B7000, 28KB: index 124
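As an added example (not part of the report), the following Python parses the Downloads listing above into records and applies two checks before any digest is turned into an indicator: it recognizes the zero-byte capture by deriving the empty-input digests with hashlib rather than trusting remembered constants, and it groups repeated captures of the same path whether or not the drive letter is present. SAMPLE is an excerpt copied from the listing with the report's blank lines removed; the parser skips blank lines, so the full listing parses the same way.

```python
"""
Parser for the Downloads listing of the sandbox report, plus the checks an
analyst should run before deploying the digests as indicators: a capture whose
digests are those of zero bytes carries no indicator value, and a path listed
more than once (with or without the drive letter) was captured more than once
with different content. Added example, not part of the report; SAMPLE is an
excerpt copied from the listing with the blank lines removed.
"""
import hashlib
import re
from collections import defaultdict

LABELS = ("Filesize", "MD5", "SHA1", "SHA256", "SHA512")
HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}

SAMPLE = r"""
• C:\Users\Admin\AppData\Local\kLV\PresentationSettings.exe
  Filesize
  1KB
  MD5
  9881ef3b0061047d87a3c953cada7ba5
  SHA1
  636b68dd77eb9f60ad317f09efc5ca25ef9d33d7
  SHA256
  2b35c8ef24690e7452cc443d4c5efac92ea831eec1240ec171c1f329279f26a2
  SHA512
  c28c31a2bad27bd02930156c8b31810bfc362b42eaf39ad007eea5fb1e6a4898d6a50507279d2ca39faf4aaaa849b5333983c6cce378fddfc2e762699ce8d67b
• C:\Users\Admin\AppData\Local\kLV\PresentationSettings.exe
  MD5
  d41d8cd98f00b204e9800998ecf8427e
  SHA1
  da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256
  e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512
  cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
• \Users\Admin\AppData\Local\kLV\PresentationSettings.exe
  Filesize
  88KB
  MD5
  f43111e470dc3ff167058422c7058255
  SHA1
  b9078991697074f2d0c15585e4a205ceaa2a563b
  SHA256
  a2ebeb1eb46d03e7cf29f0255db9ec4857917af2905f52421a2fea72797576ee
  SHA512
  4696d8eb1485b16eb6d0f6d94b9444f3344b83eecb11b9cd2066c2c5a2534325abee3769cc0c77f114096cd23fc70a88356af25561235aa27995222ef41c3f1b
"""


def parse_downloads(text):
    """One dict per '•' entry. A label line is followed by its value on the next
    non-blank line, so the spaced report layout and this compact copy parse alike."""
    records, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):
            records.append({"path": line[1:].strip()})
            pending = None
        elif line in LABELS:
            pending = line.lower()
        elif pending and records:
            records[-1][pending] = line
            pending = None
    return records


def empty_file_digests():
    # Derived rather than hard-coded, so the constants cannot be mistyped.
    return {a: getattr(hashlib, a)(b"").hexdigest() for a in HEX_LEN}


def is_empty_capture(rec):
    """True if any digest equals the digest of zero bytes: a 0-byte capture."""
    return any(rec.get(a) == d for a, d in empty_file_digests().items())


def malformed_digests(rec):
    """Digest fields that are not lowercase hex of the right length (copy damage)."""
    return [a for a, n in HEX_LEN.items()
            if a in rec and not re.fullmatch(rf"[0-9a-f]{{{n}}}", rec[a])]


def normalize_path(path):
    # The report lists paths both with and without the drive letter.
    return re.sub(r"^[A-Za-z]:", "", path).lower()


def captures_per_path(records):
    """Group entries by normalized path; more than one entry means repeated captures."""
    groups = defaultdict(list)
    for rec in records:
        groups[normalize_path(rec["path"])].append(rec)
    return dict(groups)


def sha256_indicators(records):
    """SHA256 values safe to deploy: no empty captures, no malformed digests."""
    return sorted({r["sha256"] for r in records
                   if "sha256" in r and not is_empty_capture(r) and not malformed_digests(r)})
```

On the excerpt, the three entries collapse to one normalized path with three captures, the middle one is recognized as the zero-byte capture and dropped, and sha256_indicators returns the two digests that actually identify content. Feeding the whole Downloads section through parse_downloads gives the same treatment to every entry above.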