Analysis

  • max time kernel
    149s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    21-01-2024 08:51

General

  • Target

    6ce094e7633ddc304e6c7b56a7e56e86.dll

  • Size

    1.7MB

  • MD5

    6ce094e7633ddc304e6c7b56a7e56e86

  • SHA1

    693a8ad317cc0ece3f05edc77e1fd28d452483dd

  • SHA256

    dcb4e6dfc9dea7413fcd611f3f06c684dc85f48b698fe86c13fe9884756f81da

  • SHA512

    8f28d13f798af1fc4adef5339271054e165f0f18852c1482c8e685566a1cb77df217511fd3a01150ef7a27ed91d1ef58bbb9c160f0b0f925eace7c0d40f4c42b

  • SSDEEP

    12288:9VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:kfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\6ce094e7633ddc304e6c7b56a7e56e86.dll,#1
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:3032
  • C:\Users\Admin\AppData\Local\Gwuh\TpmInit.exe
    C:\Users\Admin\AppData\Local\Gwuh\TpmInit.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:2864
  • C:\Windows\system32\TpmInit.exe
    C:\Windows\system32\TpmInit.exe
    PID:2752
  • C:\Windows\system32\unregmp2.exe
    C:\Windows\system32\unregmp2.exe
    PID:2612
  • C:\Users\Admin\AppData\Local\AycmYUL\unregmp2.exe
    C:\Users\Admin\AppData\Local\AycmYUL\unregmp2.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:2664
  • C:\Windows\system32\msinfo32.exe
    C:\Windows\system32\msinfo32.exe
    PID:1984
  • C:\Users\Admin\AppData\Local\YAi75\msinfo32.exe
    C:\Users\Admin\AppData\Local\YAi75\msinfo32.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:2888

Downloads

  • C:\Users\Admin\AppData\Local\AycmYUL\slc.dll
    Filesize: 64KB
  • C:\Users\Admin\AppData\Local\AycmYUL\unregmp2.exe
    Filesize: 1KB
  • C:\Users\Admin\AppData\Local\AycmYUL\unregmp2.exe
    Filesize: 212KB
  • C:\Users\Admin\AppData\Local\Gwuh\ACTIVEDS.dll
    Filesize: 411KB
  • C:\Users\Admin\AppData\Local\Gwuh\TpmInit.exe
    Filesize: 112KB
  • C:\Users\Admin\AppData\Local\YAi75\MFC42u.dll
    Filesize: 83KB
  • C:\Users\Admin\AppData\Local\YAi75\msinfo32.exe
    Filesize: 93KB
  • C:\Users\Admin\AppData\Local\YAi75\msinfo32.exe
    Filesize: 5KB
  • C:\Users\Admin\AppData\Roaming\Identities\M3CyXJ\slc.dll
    Filesize: 1.7MB
  • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Tiizeasb.lnk
    Filesize: 1KB
  • C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\oZNvn\MFC42u.dll
    Filesize: 1.7MB
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IECompatUACache\Low\Beqdv5A\ACTIVEDS.dll
    Filesize: 1.7MB
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IECompatUACache\Low\Beqdv5A\TpmInit.exe
    Filesize: 64KB
  • \Users\Admin\AppData\Local\AycmYUL\slc.dll
    Filesize: 26KB
  • \Users\Admin\AppData\Local\AycmYUL\unregmp2.exe
    Filesize: 145KB
  • \Users\Admin\AppData\Local\Gwuh\ACTIVEDS.dll
    Filesize: 189KB
  • \Users\Admin\AppData\Local\YAi75\MFC42u.dll
    Filesize: 54KB
  • \Users\Admin\AppData\Local\YAi75\msinfo32.exe
    Filesize: 74KB
  • \Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\oZNvn\msinfo32.exe
    Filesize: 336KB