Analysis

  • max time kernel
    150s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags
    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    20-01-2024 16:15

General

  • Target

    6ae01647123bf97071130c123fe77e97.dll

  • Size

    1.6MB

  • MD5

    6ae01647123bf97071130c123fe77e97

  • SHA1

    b60d8943baf640b7bbc58e9f3639db832e430d2f

  • SHA256

    2432a727b7612212c6c75b5114e832254e05720df6fd9d38b7993973e74efd9f

  • SHA512

    79c82da530496865a77cd0bce988fe1e9e6b85ea71a951b478fbac3ff45ff86fe30c7aac23c5bcb33932e8ac9ff94899f33a40233fdaaf32b45ec66efdacc9c2

  • SSDEEP

    12288:FVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:cfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Malware Config

Signatures

  • Dridex

    Dridex (known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\6ae01647123bf97071130c123fe77e97.dll,#1
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1420
  • C:\Windows\system32\TpmInit.exe
    C:\Windows\system32\TpmInit.exe
    PID:2628
    • C:\Users\Admin\AppData\Local\Cw0\TpmInit.exe
      C:\Users\Admin\AppData\Local\Cw0\TpmInit.exe
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2516
    • C:\Users\Admin\AppData\Local\jY3\dpnsvr.exe
      C:\Users\Admin\AppData\Local\jY3\dpnsvr.exe
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:1904
    • C:\Windows\system32\dpnsvr.exe
      C:\Windows\system32\dpnsvr.exe
      PID:1656
      • C:\Users\Admin\AppData\Local\S02ojB\BdeUISrv.exe
        C:\Users\Admin\AppData\Local\S02ojB\BdeUISrv.exe
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:1988
      • C:\Windows\system32\BdeUISrv.exe
        C:\Windows\system32\BdeUISrv.exe
        PID:2824

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Cw0\Secur32.dll
    Filesize: 465KB
    MD5: dccc4ca5ea32372436872bd40463a8e5
    SHA1: 19fadba5723e77096e4ab1c580a1299524fc01ec
    SHA256: 083919c8ad03c137b966c6bec7ba22857514765f50731d53413bd7196e48fdbd
    SHA512: 5a2531e3a6bd71b75c9041e44e6baae609c9fe443dee8155122ce0e751ccd24c2666cc13d5cfd620cfbcdc49da22b5b6dafc409be4d2c18789ebba5a0b39c8bc

  • C:\Users\Admin\AppData\Local\Cw0\TpmInit.exe
    Filesize: 112KB
    MD5: 8b5eb38e08a678afa129e23129ca1e6d
    SHA1: a27d30bb04f9fabdb5c92d5150661a75c5c7bc42
    SHA256: 4befa614e1b434b2f58c9e7ce947a946b1cf1834b219caeff42b3e36f22fd97c
    SHA512: a7245cde299c68db85370ae1bdf32a26208e2cda1311afd06b0efd410664f36cafb62bf4b7ce058e203dcc515c45ebdef01543779ead864f3154175b7b36647d

  • C:\Users\Admin\AppData\Local\S02ojB\BdeUISrv.exe
    Filesize: 47KB
    MD5: 1da6b19be5d4949c868a264bc5e74206
    SHA1: d5ee86ba03a03ef8c93d93accafe40461084c839
    SHA256: 00330a0e0eb1dbb6ee84997963f8e15c7c15c1df787f1c7f109609d7b31bd35c
    SHA512: 9cee858c55eb0852e5bad53a675a094ae591b46b07afe9fb4224cac32e0be577fe36c1ed3e9f6bda4d4eb0c924a773d00e3181cd97f07e24c6c68c70f2b002c6

  • C:\Users\Admin\AppData\Local\S02ojB\WTSAPI32.dll
    Filesize: 195KB
    MD5: a79a3e86930c6026eae93a4342c73b1b
    SHA1: f76744988a076e89e01962c7acb869393bcf3d00
    SHA256: b122443a6a845b1ea7c293743c365e4fee9a4a761589de7f4921eb592dc3cbdc
    SHA512: efdebdc873372b7c219aabda35c5cc9827a326c2ca1db613199238646e0680cc5616eb61721afd5be111182b66ed176354e80b9033d9b66a3e26d2a7031b6f86

  • C:\Users\Admin\AppData\Local\jY3\WINMM.dll
    Filesize: 277KB
    MD5: f0463bc7a559dc0abca68cdd7987b25f
    SHA1: ef5876158de7cd2efba8aa30ef87b3593aa9248f
    SHA256: 172bc5c0b189261c4c031cd1578ecd25115f30b7bb23ab34f6e2fb139f23dd6b
    SHA512: 98507190aece9081d44c470c2d4c53e90dc75f3b38ed6d194553374ee9d868e943850db0faebe9dd9ce8cabb6673204e624e3598442ed6a09ef5d0ace0934511

  • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dbyxyty.lnk
    Filesize: 1KB
    MD5: 7cb62f51179ae60df59468f7e1edac53
    SHA1: 780a16a7d029520365dc92108060e29fd857d21c
    SHA256: a7cd31e621d7e81a36a885a734c721634cb20d3b10d57f8c7e65b948237e1beb
    SHA512: d58ce1b22af6d9f38586e8430b000208a797e708285e1abf492a2443c70784ba88e923114634d8fd2295b639deab7196d3b878394de6c16185f8a97858c17c34

  • C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\thuZCOJ9jta\Secur32.dll
    Filesize: 1.6MB
    MD5: bf189627646280052add855725891120
    SHA1: 1a824b1ba042cdccb78e57ef328125c9546a4d02
    SHA256: 5f3d38f5b66ba1e80b3c7340cb5b779854a17d20a4440d9acddccce628e629d4
    SHA512: 718523caa7e08c59e7220eeeddee91479a727a795f089cb156313d14b7e1b01a1a2d63aa4aad3b41ce5bdc2842ee38a486ce00319fe7d81426d2d9d1b23230ed

  • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\1gPy\WINMM.dll
    Filesize: 1.6MB
    MD5: a0a809302f24c4c09ec411342183132c
    SHA1: c8021fc93fc6a336cfe45b4a71adc23a8740435e
    SHA256: b6ef55a3f9f0b148fbc12be1609da8b39907bb4a2b95801d220fb93746076266
    SHA512: 1f7b7955b50515b335f498359de08b17a340e127145f817d3d719cf2e9d0a4084da3091da781313f6cd2f79cfcd76d65eb06ffe761d5b0f2e57d73e6e40d0f4c

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\MX\WTSAPI32.dll
    Filesize: 1.6MB
    MD5: 3c9b51f9b30a3d678ec7963a71f9eddb
    SHA1: 44d5a4bcadc8821f77ae38726423ff84af4f5589
    SHA256: 6c1e735470113cffc72b268c9227c0954473534540aae56d6b759cfd80dd916c
    SHA512: 19484fbde74b60e3fd76f8313457f449f3f5ccc907724aade986e335e07d87a55815bee533e838f19f489e9ab5b8b75ee3948c29035df5d23bb85dd838edb04d

  • \Users\Admin\AppData\Local\Cw0\Secur32.dll
    Filesize: 40KB
    MD5: 2ea1934c7b1f3b431cd48dd0b5b99fcc
    SHA1: 82d5301c5fef81097cf9b7c951890f8af0242d2c
    SHA256: f9c325fa1d38e247be6a16c5ee455f13526b5598beba2ab15dd43644e7a7356c
    SHA512: f1adff3181b7ce7b63cacdc85cbbe9c209d06f108638db7796c9ed35c6c8fec372b5c4a1de2f1aecc847ae9286e59166c63e52c6b9046b5f4af0d17119eb1ba0

  • \Users\Admin\AppData\Local\S02ojB\WTSAPI32.dll
    Filesize: 277KB
    MD5: e2c81c91a813cf58492e42505565382e
    SHA1: fddac3b24fbc5f82b3d30b276e4fd5dd84f89c56
    SHA256: 4f81dee6f412a6b2949ee1e69f8ff834596e1c13e57070bc459bdf28fd2a5890
    SHA512: 23996a8fa6254b5840e237f73a198cbeb746d928ef900a1b29cb549f9588e86152913960c55ffe57f2201d6dfe807046d552eecd6aaf2dd2fa88ef156ec4cc33

  • \Users\Admin\AppData\Local\jY3\WINMM.dll
    Filesize: 133KB
    MD5: 9d349ebc4a163d3ce66171036541719f
    SHA1: e2faf709171933e9e6bd99433338db228f36070f
    SHA256: f284333a59194ce4128683a9e39586fae8ef9b4fec2311856e4748e9a83e1f02
    SHA512: 908cf7665f27e8eeebea242895cdfcc406593972d0bd3c819079e2724089ba003f24ed73c72d5f9357a0db474fc7726a02c569e05c28f3c526bb20e97b9567ef

  • \Users\Admin\AppData\Local\jY3\dpnsvr.exe
    Filesize: 33KB
    MD5: 6806b72978f6bd27aef57899be68b93b
    SHA1: 713c246d0b0b8dcc298afaed4f62aed82789951c
    SHA256: 3485ee4159c5f9e4ed9dd06e668d1e04148154ff40327a9ccb591e8c5a79958c
    SHA512: 43c942358b2e949751149ecc4be5ff6cb0634957ff1128ad5e6051e83379fb5643100cae2f6ef3eaf36aff016063c150e93297aa866e780d0e4d51656a251c7b

  • memory/1368-24-0x0000000140000000-0x000000014019B000-memory.dmp
    Filesize: 1.6MB
  • memory/1368-18-0x0000000140000000-0x000000014019B000-memory.dmp
    Filesize: 1.6MB
  • memory/1368-42-0x0000000140000000-0x000000014019B000-memory.dmp
    Filesize: 1.6MB
  • memory/1368-45-0x0000000077351000-0x0000000077352000-memory.dmp
    Filesize: 4KB
  • memory/1368-46-0x00000000774B0000-0x00000000774B2000-memory.dmp
    Filesize: 8KB
  • memory/1368-31-0x0000000140000000-0x000000014019B000-memory.dmp
    Filesize: 1.6MB
  • memory/1368-30-0x0000000140000000-0x000000014019B000-memory.dmp
    Filesize: 1.6MB
  • memory/1368-29-0x0000000140000000-0x000000014019B000-memory.dmp
    Filesize: 1.6MB
  • memory/1368-57-0x0000000140000000-0x000000014019B000-memory.dmp
    Filesize: 1.6MB
  • memory/1368-53-0x0000000140000000-0x000000014019B000-memory.dmp
    Filesize: 1.6MB
  • memory/1368-27-0x0000000140000000-0x000000014019B000-memory.dmp
    Filesize: 1.6MB
  • memory/1368-26-0x0000000140000000-0x000000014019B000-memory.dmp
    Filesize: 1.6MB
  • memory/1368-25-0x0000000140000000-0x000000014019B000-memory.dmp
    Filesize: 1.6MB
  • memory/1368-34-0x0000000140000000-0x000000014019B000-memory.dmp
    Filesize: 1.6MB
  • memory/1368-23-0x0000000140000000-0x000000014019B000-memory.dmp
    Filesize: 1.6MB
  • memory/1368-36-0x0000000002530000-0x0000000002537000-memory.dmp
    Filesize: 28KB
  • memory/1368-33-0x0000000140000000-0x000000014019B000-memory.dmp
    Filesize: 1.6MB
  • memory/1368-28-0x0000000140000000-0x000000014019B000-memory.dmp
    Filesize: 1.6MB
  • memory/1368-22-0x0000000140000000-0x000000014019B000-memory.dmp
    Filesize: 1.6MB
  • memory/1368-32-0x0000000140000000-0x000000014019B000-memory.dmp
    Filesize: 1.6MB
  • memory/1368-17-0x0000000140000000-0x000000014019B000-memory.dmp
    Filesize: 1.6MB
  • memory/1368-21-0x0000000140000000-0x000000014019B000-memory.dmp
    Filesize: 1.6MB
  • memory/1368-20-0x0000000140000000-0x000000014019B000-memory.dmp
    Filesize: 1.6MB
  • memory/1368-19-0x0000000140000000-0x000000014019B000-memory.dmp
    Filesize: 1.6MB
  • memory/1368-16-0x0000000140000000-0x000000014019B000-memory.dmp
    Filesize: 1.6MB
  • memory/1368-15-0x0000000140000000-0x000000014019B000-memory.dmp
    Filesize: 1.6MB
  • memory/1368-13-0x0000000140000000-0x000000014019B000-memory.dmp
    Filesize: 1.6MB
  • memory/1368-12-0x0000000140000000-0x000000014019B000-memory.dmp
    Filesize: 1.6MB
  • memory/1368-10-0x0000000140000000-0x000000014019B000-memory.dmp
    Filesize: 1.6MB
  • memory/1368-9-0x0000000140000000-0x000000014019B000-memory.dmp
    Filesize: 1.6MB
  • memory/1368-7-0x0000000140000000-0x000000014019B000-memory.dmp
    Filesize: 1.6MB
  • memory/1368-14-0x0000000140000000-0x000000014019B000-memory.dmp
    Filesize: 1.6MB
  • memory/1368-4-0x0000000077246000-0x0000000077247000-memory.dmp
    Filesize: 4KB
  • memory/1368-131-0x0000000077246000-0x0000000077247000-memory.dmp
    Filesize: 4KB
  • memory/1368-11-0x0000000140000000-0x000000014019B000-memory.dmp
    Filesize: 1.6MB
  • memory/1368-5-0x0000000002550000-0x0000000002551000-memory.dmp
    Filesize: 4KB
  • memory/1420-8-0x0000000140000000-0x000000014019B000-memory.dmp
    Filesize: 1.6MB
  • memory/1420-0-0x0000000140000000-0x000000014019B000-memory.dmp
    Filesize: 1.6MB
  • memory/1420-1-0x0000000000130000-0x0000000000137000-memory.dmp
    Filesize: 28KB
  • memory/1904-88-0x0000000140000000-0x000000014019D000-memory.dmp
    Filesize: 1.6MB
  • memory/1904-90-0x0000000000100000-0x0000000000107000-memory.dmp
    Filesize: 28KB
  • memory/1904-94-0x0000000140000000-0x000000014019D000-memory.dmp
    Filesize: 1.6MB
  • memory/1988-108-0x0000000000330000-0x0000000000337000-memory.dmp
    Filesize: 28KB
  • memory/1988-112-0x0000000140000000-0x000000014019C000-memory.dmp
    Filesize: 1.6MB
  • memory/2516-71-0x0000000140000000-0x000000014019C000-memory.dmp
    Filesize: 1.6MB
  • memory/2516-74-0x0000000000110000-0x0000000000117000-memory.dmp
    Filesize: 28KB
  • memory/2516-76-0x0000000140000000-0x000000014019C000-memory.dmp
    Filesize: 1.6MB