Analysis

  • max time kernel
    150s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    20-01-2024 17:41

General

  • Target

    6b0a5e806359b4b92fc00861e1bf8bff.dll

  • Size

    3.2MB

  • MD5

    6b0a5e806359b4b92fc00861e1bf8bff

  • SHA1

    a4fccec989a80717b2561e7ee9e049406e6d8449

  • SHA256

    7687e9f3abc61ee051493a66f54044eea80c149788100ff4295211af104676cb

  • SHA512

    491512bfc8cf2ceabe5d36137820711af46091bbbf64751eb93f0a90361ee8a347959b6227a77285ebf8528d9e12ff9f1d2175df9039c99f3586070859bfae66

  • SSDEEP

    12288:rVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:qfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Malware Config

Signatures

  • Dridex

    Dridex (known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\6b0a5e806359b4b92fc00861e1bf8bff.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2284
  • C:\Users\Admin\AppData\Local\eVcdx6Q\SystemPropertiesComputerName.exe
    C:\Users\Admin\AppData\Local\eVcdx6Q\SystemPropertiesComputerName.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:2868
  • C:\Windows\system32\SystemPropertiesComputerName.exe
    C:\Windows\system32\SystemPropertiesComputerName.exe
    1⤵
    PID:2844
  • C:\Windows\system32\AdapterTroubleshooter.exe
    C:\Windows\system32\AdapterTroubleshooter.exe
    1⤵
    PID:1572
  • C:\Users\Admin\AppData\Local\N0t\AdapterTroubleshooter.exe
    C:\Users\Admin\AppData\Local\N0t\AdapterTroubleshooter.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:1616
  • C:\Windows\system32\dpnsvr.exe
    C:\Windows\system32\dpnsvr.exe
    1⤵
    PID:2968
  • C:\Users\Admin\AppData\Local\stU\dpnsvr.exe
    C:\Users\Admin\AppData\Local\stU\dpnsvr.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:2508

Network

MITRE ATT&CK Enterprise v15

Downloads

        • C:\Users\Admin\AppData\Local\N0t\AdapterTroubleshooter.exe

          Filesize

          39KB

          MD5

          d4170c9ff5b2f85b0ce0246033d26919

          SHA1

          a76118e8775e16237cf00f2fb79718be0dc84db1

          SHA256

          d05e010a2570cdd5a67f62c99483aeeecb6a8d5ecc523cd49b158a460c9be5da

          SHA512

          9c85a9ea4002bd55cf9c51e470dd1bec527ff04b5d0d6f83094a998c541416cd47c9f42c6ca7e35ffa2842877f79e3c2e989489b9bf81644c5c57bb406b89608

        • C:\Users\Admin\AppData\Local\N0t\AdapterTroubleshooter.exe

          Filesize

          32KB

          MD5

          3b48c060089db96efa0fad2c5308a248

          SHA1

          b97b715cb72a6525143e0ffb2f8a13abb5ee3fdd

          SHA256

          3c9070561d2510f624f812c93959f8794f4f52c12b74358749833eeb051c544a

          SHA512

          b638d1148f151f7416da2e898ec5a602bd13b4e35d87b5fc80776e290e925460fcb13364cc77ef0f840095d71772b29fec1439bd34771417c1a05f07fa4a22bf

        • C:\Users\Admin\AppData\Local\N0t\d3d9.dll

          Filesize

          90KB

          MD5

          58e9a380a2f917a71cd6718882149d2d

          SHA1

          dca0dd8e13c1673cfb38f306e5325bd9f5b028c8

          SHA256

          fb32fa5dea1a60a2220d5ecda1852d17f0a5f3f1c1a77f61afbd9188f1b0c017

          SHA512

          7256608ab354917f477506ef30c0b165994fddfb4bb22fb8085086a4422eff37868d38c85586894b0c7af85987b5fae316e34b535baafd5fe83c05fcc79c7e33

        • C:\Users\Admin\AppData\Local\eVcdx6Q\SYSDM.CPL

          Filesize

          44KB

          MD5

          db6e76817f6b921100213fcc6171ced1

          SHA1

          c3954c7c73ba7cd6307ecfd87722da007ae2643c

          SHA256

          76fee30ee84579b11b51ea9e9a145955eb1ae55528eb36a5da2893fdc25a3c87

          SHA512

          673cefc9147f34f32484696e7f2ec11385c235138d9bdf8fbb3386d1a940bed644638bd9f00e36c0a77d4bda22afa41ff929d1d52993b8dc9622246f4615c0d2

        • C:\Users\Admin\AppData\Local\eVcdx6Q\SystemPropertiesComputerName.exe

          Filesize

          80KB

          MD5

          bd889683916aa93e84e1a75802918acf

          SHA1

          5ee66571359178613a4256a7470c2c3e6dd93cfa

          SHA256

          0e22894595891a9ff9706e03b3db31a751541c4a773f82420fce57237d6c47cf

          SHA512

          9d76de848b319f44657fb7fbe5a3b927774ae999362ff811a199002ffa77ad9e1638a65a271388e605ab5e5a7cb6ce5aa7fcabc3ed583ade00eaa4c265552026

        • C:\Users\Admin\AppData\Local\stU\WINMM.dll

          Filesize

          142KB

          MD5

          e8068ffce7078cacf0dc983764c9d662

          SHA1

          ec7c9ae56f903f272678545270007d3d67d41917

          SHA256

          a03b44754e3d439af4036fa5ccfa145f5621c07e4457e9a4690ab142a61318d2

          SHA512

          995b9ea2289d7549c4f592f6b09fff8357bc281208708114642a82b19ffda22dea6816831fc665062af9bae6e4cc3cd9b658774532fc346c1eec9cd5ef25e16e

        • C:\Users\Admin\AppData\Local\stU\dpnsvr.exe

          Filesize

          1KB

          MD5

          02f20a0d2ffd3d30776460e3d8114d36

          SHA1

          9e0bcdc06cabe007c1b3a1196081be84c06b36f2

          SHA256

          df99daf6b19e24272171186bf9c7ec9e3dbbbd2653bf78d68564d274e364bd4d

          SHA512

          71d9e2367de0794294d2937ea1802d74b307b32cb990290daea0a113326dedc0888c65c3bf222aa6822f7dc98fe1e80fc3da058d1593231f178b63b54b227f9a

        • C:\Users\Admin\AppData\Local\stU\dpnsvr.exe

          Filesize

          33KB

          MD5

          6806b72978f6bd27aef57899be68b93b

          SHA1

          713c246d0b0b8dcc298afaed4f62aed82789951c

          SHA256

          3485ee4159c5f9e4ed9dd06e668d1e04148154ff40327a9ccb591e8c5a79958c

          SHA512

          43c942358b2e949751149ecc4be5ff6cb0634957ff1128ad5e6051e83379fb5643100cae2f6ef3eaf36aff016063c150e93297aa866e780d0e4d51656a251c7b

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Cuhrqknkppepky.lnk

          Filesize

          1KB

          MD5

          cb7dbbb252bed6fd3dc2c97d85b3a758

          SHA1

          06d0604ab488fdc29c0988451881c010e3fd9092

          SHA256

          c8bfae9d1a56ad145a0622a361eb97ac03459ae92a07f86dd98d77ad8cbb5681

          SHA512

          c6d0786492145c266ddf2a100a071238f88e1ff7f846ad3972a51ff7d328040d6efc7777dd54dd3a15b43057f0f830bf5ebb471dbfed5e37092a939774b2f02e

        • C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\YL32BKDN\h7ZDza\WINMM.dll

          Filesize

          3.2MB

          MD5

          f6867104198a685b2c187b047871b7a1

          SHA1

          5c50224f9fa1b3408095a046454985256e321935

          SHA256

          e6d525f7b9f95731299af758c4d3e97b9eafcc7bec8f2f3b2241e30b23d32da2

          SHA512

          8581781f015a9dc393a41f8bdde2bf4d0daa2aeacc96de5a11ee3769703be87231b6d97d4ea57b0d00ff22eb86f88c3d35bfa51bd0ae59c7c60d750e8e3d87d1

        • C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\DGtvy\d3d9.dll

          Filesize

          3.2MB

          MD5

          c19d5ba1d09b3f6416974e9705ddba57

          SHA1

          e5104acab769c1f5f64a83d564f713a430cbf7fb

          SHA256

          e076b25bc81949aa563be6a0a6052c6945b448f23041fa2de68dc16da5c148f2

          SHA512

          e4489dff5cb4502169e7c3b6272675ba696d08628f9df534cc9dc6228b3158b5edf0867faf6b629eebf1206b55ed749b7a9a786cca5a3afaa3a723fee8135e57

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\gMBz\SYSDM.CPL

          Filesize

          3.2MB

          MD5

          57598b8effd9ee00bb9de1de4d698579

          SHA1

          4682b4932c529c6b78e539658f28c2149b70069f

          SHA256

          74a48260144c9372547f173309c8cdda7c8df0316f8948697bc76fe4b3b2f839

          SHA512

          a06bba19bc24855c7992155a1a5cbcd6cca4ddc3d3d87768b4440256fe2cfa21e22f2aa71924be0a2aa32e52cbc7b08178ee33155dfe433c666cfae21fcc43ff

        • \Users\Admin\AppData\Local\N0t\d3d9.dll

          Filesize

          33KB

          MD5

          a1591bc662091ead517847a064f14cf6

          SHA1

          a5d10698602c9767b3176492a272d43f3de6baa1

          SHA256

          e1981dae2bd02e643cff6d1f6a5d7ee3198e75a5fc1b4c48921854c7aaf1a19f

          SHA512

          9ab1c02e141819c81379958cd0a7a21d368682bde24612bae103feb1695762a2c43b8b2d6ba4f8dec2669e806603f4c01c2e2599677f99c4a2404a539822572a

        • \Users\Admin\AppData\Local\eVcdx6Q\SYSDM.CPL

          Filesize

          133KB

          MD5

          15135e1f03dab43c3f9a0321548de50f

          SHA1

          3b6f4854ef23d845801330a557edec239d22d42a

          SHA256

          0bff4aef44e56fd5f6b3a25720e4090e389f3e76f83bd5175a019f41dfc3b99a

          SHA512

          0bf537006ba79c68d4b429d01b8dcdf448ba463fee93529c22d885b2e9592940401fc6b4457baa2fbb3b3112a2535f56cf281e3e8015114c5db8e222dc727314

        • \Users\Admin\AppData\Local\stU\WINMM.dll

          Filesize

          40KB

          MD5

          4703e6f90b33c7508108d97a7692a978

          SHA1

          b331de0af673898bdb661c73a19b7399e7d5a583

          SHA256

          044aa37ae09ed70843d7d1093cb07ac8a62cde0ad9c8fc3a091d867486d84d6e

          SHA512

          7577d6c1a20a127abd300e3207b8e1f1dde6d6b206f8b7d1cc44876785837eb7eb60a2a08da8b526e0478206af9d0c1334857b02c13f676c19dacee3726c5b14

        • \Users\Admin\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\YL32BKDN\h7ZDza\dpnsvr.exe

          Filesize

          5KB

          MD5

          863c35161b01888e38e8a356f3010119

          SHA1

          59559dee41fd93429304de9ea883c5b237a31190

          SHA256

          cd039241e8e09ce9f4b440ccef19124bf34e22f165b76c786378a8d939aa17cf

          SHA512

          b410e2e1af216c85b49ddff713b5bde0bab1805bf361c5d9233687761c12bc10a716cd3f45a402c45edb4066631673489cf51b74c4d2784ed64c958a2e40eec1

        • memory/1196-49-0x0000000140000000-0x0000000140339000-memory.dmp

          Filesize

          3.2MB

        • memory/1196-57-0x0000000140000000-0x0000000140339000-memory.dmp

          Filesize

          3.2MB

        • memory/1196-25-0x0000000140000000-0x0000000140339000-memory.dmp

          Filesize

          3.2MB

        • memory/1196-24-0x0000000140000000-0x0000000140339000-memory.dmp

          Filesize

          3.2MB

        • memory/1196-23-0x0000000140000000-0x0000000140339000-memory.dmp

          Filesize

          3.2MB

        • memory/1196-22-0x0000000140000000-0x0000000140339000-memory.dmp

          Filesize

          3.2MB

        • memory/1196-19-0x0000000140000000-0x0000000140339000-memory.dmp

          Filesize

          3.2MB

        • memory/1196-16-0x0000000140000000-0x0000000140339000-memory.dmp

          Filesize

          3.2MB

        • memory/1196-32-0x0000000140000000-0x0000000140339000-memory.dmp

          Filesize

          3.2MB

        • memory/1196-39-0x0000000140000000-0x0000000140339000-memory.dmp

          Filesize

          3.2MB

        • memory/1196-38-0x0000000140000000-0x0000000140339000-memory.dmp

          Filesize

          3.2MB

        • memory/1196-37-0x0000000140000000-0x0000000140339000-memory.dmp

          Filesize

          3.2MB

        • memory/1196-36-0x0000000140000000-0x0000000140339000-memory.dmp

          Filesize

          3.2MB

        • memory/1196-35-0x0000000140000000-0x0000000140339000-memory.dmp

          Filesize

          3.2MB

        • memory/1196-40-0x0000000140000000-0x0000000140339000-memory.dmp

          Filesize

          3.2MB

        • memory/1196-34-0x0000000140000000-0x0000000140339000-memory.dmp

          Filesize

          3.2MB

        • memory/1196-33-0x0000000140000000-0x0000000140339000-memory.dmp

          Filesize

          3.2MB

        • memory/1196-45-0x0000000140000000-0x0000000140339000-memory.dmp

          Filesize

          3.2MB

        • memory/1196-44-0x0000000140000000-0x0000000140339000-memory.dmp

          Filesize

          3.2MB

        • memory/1196-43-0x0000000140000000-0x0000000140339000-memory.dmp

          Filesize

          3.2MB

        • memory/1196-42-0x0000000140000000-0x0000000140339000-memory.dmp

          Filesize

          3.2MB

        • memory/1196-41-0x0000000140000000-0x0000000140339000-memory.dmp

          Filesize

          3.2MB

        • memory/1196-31-0x0000000140000000-0x0000000140339000-memory.dmp

          Filesize

          3.2MB

        • memory/1196-30-0x0000000140000000-0x0000000140339000-memory.dmp

          Filesize

          3.2MB

        • memory/1196-46-0x0000000140000000-0x0000000140339000-memory.dmp

          Filesize

          3.2MB

        • memory/1196-48-0x0000000140000000-0x0000000140339000-memory.dmp

          Filesize

          3.2MB

        • memory/1196-4-0x0000000076FE6000-0x0000000076FE7000-memory.dmp

          Filesize

          4KB

        • memory/1196-47-0x0000000140000000-0x0000000140339000-memory.dmp

          Filesize

          3.2MB

        • memory/1196-50-0x0000000140000000-0x0000000140339000-memory.dmp

          Filesize

          3.2MB

        • memory/1196-51-0x0000000140000000-0x0000000140339000-memory.dmp

          Filesize

          3.2MB

        • memory/1196-52-0x0000000140000000-0x0000000140339000-memory.dmp

          Filesize

          3.2MB

        • memory/1196-54-0x0000000140000000-0x0000000140339000-memory.dmp

          Filesize

          3.2MB

        • memory/1196-55-0x0000000140000000-0x0000000140339000-memory.dmp

          Filesize

          3.2MB

        • memory/1196-53-0x0000000140000000-0x0000000140339000-memory.dmp

          Filesize

          3.2MB

        • memory/1196-58-0x0000000140000000-0x0000000140339000-memory.dmp

          Filesize

          3.2MB

        • memory/1196-26-0x0000000140000000-0x0000000140339000-memory.dmp

          Filesize

          3.2MB

        • memory/1196-56-0x0000000140000000-0x0000000140339000-memory.dmp

          Filesize

          3.2MB

        • memory/1196-59-0x0000000140000000-0x0000000140339000-memory.dmp

          Filesize

          3.2MB

        • memory/1196-64-0x0000000140000000-0x0000000140339000-memory.dmp

          Filesize

          3.2MB

        • memory/1196-65-0x0000000140000000-0x0000000140339000-memory.dmp

          Filesize

          3.2MB

        • memory/1196-68-0x00000000024C0000-0x00000000024C7000-memory.dmp

          Filesize

          28KB

        • memory/1196-63-0x0000000140000000-0x0000000140339000-memory.dmp

          Filesize

          3.2MB

        • memory/1196-62-0x0000000140000000-0x0000000140339000-memory.dmp

          Filesize

          3.2MB

        • memory/1196-61-0x0000000140000000-0x0000000140339000-memory.dmp

          Filesize

          3.2MB

        • memory/1196-60-0x0000000140000000-0x0000000140339000-memory.dmp

          Filesize

          3.2MB

        • memory/1196-77-0x0000000077250000-0x0000000077252000-memory.dmp

          Filesize

          8KB

        • memory/1196-76-0x00000000770F1000-0x00000000770F2000-memory.dmp

          Filesize

          4KB

        • memory/1196-29-0x0000000140000000-0x0000000140339000-memory.dmp

          Filesize

          3.2MB

        • memory/1196-5-0x00000000024E0000-0x00000000024E1000-memory.dmp

          Filesize

          4KB

        • memory/1196-7-0x0000000140000000-0x0000000140339000-memory.dmp

          Filesize

          3.2MB

        • memory/1196-9-0x0000000140000000-0x0000000140339000-memory.dmp

          Filesize

          3.2MB

        • memory/1196-163-0x0000000076FE6000-0x0000000076FE7000-memory.dmp

          Filesize

          4KB

        • memory/1196-27-0x0000000140000000-0x0000000140339000-memory.dmp

          Filesize

          3.2MB

        • memory/1196-28-0x0000000140000000-0x0000000140339000-memory.dmp

          Filesize

          3.2MB

        • memory/1196-20-0x0000000140000000-0x0000000140339000-memory.dmp

          Filesize

          3.2MB

        • memory/1196-21-0x0000000140000000-0x0000000140339000-memory.dmp

          Filesize

          3.2MB

        • memory/1196-17-0x0000000140000000-0x0000000140339000-memory.dmp

          Filesize

          3.2MB

        • memory/1196-18-0x0000000140000000-0x0000000140339000-memory.dmp

          Filesize

          3.2MB

        • memory/1196-12-0x0000000140000000-0x0000000140339000-memory.dmp

          Filesize

          3.2MB

        • memory/1196-13-0x0000000140000000-0x0000000140339000-memory.dmp

          Filesize

          3.2MB

        • memory/1196-10-0x0000000140000000-0x0000000140339000-memory.dmp

          Filesize

          3.2MB

        • memory/1196-14-0x0000000140000000-0x0000000140339000-memory.dmp

          Filesize

          3.2MB

        • memory/1196-15-0x0000000140000000-0x0000000140339000-memory.dmp

          Filesize

          3.2MB

        • memory/1196-11-0x0000000140000000-0x0000000140339000-memory.dmp

          Filesize

          3.2MB

        • memory/2284-8-0x0000000140000000-0x0000000140339000-memory.dmp

          Filesize

          3.2MB

        • memory/2284-1-0x0000000000190000-0x0000000000197000-memory.dmp

          Filesize

          28KB

        • memory/2284-0-0x0000000140000000-0x0000000140339000-memory.dmp

          Filesize

          3.2MB

        • memory/2508-140-0x0000000000100000-0x0000000000107000-memory.dmp

          Filesize

          28KB

        • memory/2868-108-0x0000000000280000-0x0000000000287000-memory.dmp

          Filesize

          28KB