Analysis

  • max time kernel
    149s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    21-01-2024 10:09

General

  • Target

    6d08db5aa8c6eec9c991d6a14bd58a5f.dll

  • Size

    1.5MB

  • MD5

    6d08db5aa8c6eec9c991d6a14bd58a5f

  • SHA1

    e2a82cb1cffee35083b1a7ff9461a7eb5fa6046c

  • SHA256

    b183bd1e5a5f6a08cdb529a91cb1a1049d1b0f9700f6a10bf3716e17acb79d43

  • SHA512

    7d01b699b05e93f4cc671652dbf9c263dde5a16804d653fad4bca51c900cf58c72d58c58c0074377f5e9c7c647a1770bf9476e4f9393a5f099cc6613d7b9f3dd

  • SSDEEP

    12288:yVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:vfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\6d08db5aa8c6eec9c991d6a14bd58a5f.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1944
  • C:\Windows\system32\msinfo32.exe
    C:\Windows\system32\msinfo32.exe
    1⤵
      PID:2576
    • C:\Users\Admin\AppData\Local\868\msinfo32.exe
      C:\Users\Admin\AppData\Local\868\msinfo32.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:1624
    • C:\Users\Admin\AppData\Local\2f80XIFH\xpsrchvw.exe
      C:\Users\Admin\AppData\Local\2f80XIFH\xpsrchvw.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2788
    • C:\Windows\system32\xpsrchvw.exe
      C:\Windows\system32\xpsrchvw.exe
      1⤵
        PID:2736
      • C:\Users\Admin\AppData\Local\JoJxAa\TpmInit.exe
        C:\Users\Admin\AppData\Local\JoJxAa\TpmInit.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2456
      • C:\Windows\system32\TpmInit.exe
        C:\Windows\system32\TpmInit.exe
        1⤵
          PID:320

        Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\2f80XIFH\WINMM.dll

          Filesize

          89KB

          MD5

          b67ff48c55c945c9b7247e5b071fb7c3

          SHA1

          2e1f14451fda10972f47457f167d65212fadaeea

          SHA256

          4d3337a166d81eff02952ed134d58c92c9c2c87d563fa84e0d8cc76f264bbbf1

          SHA512

          32187972cfa0328b4d6768d5e2c60ab14e2122dc40e73a9b3a901e1fe688069d9802f96f5ddc0c73c7960b9a361ed5d2ae22bbee585836782bd79291dfe99070

        • C:\Users\Admin\AppData\Local\2f80XIFH\xpsrchvw.exe

          Filesize

          45KB

          MD5

          bd3ed549fbe90b5bf53b9ff14a4587a3

          SHA1

          e573e14e8d7d383118f8b86fd9af4ce4995c55c4

          SHA256

          7d9e2c06a9d29e08e4877064375360cdc8d7eb681ba5d0a7e7c1804f6f1d47cf

          SHA512

          1dc56e0226a8ad5798d0973e911af0c48e28d3a66d54f1979945e38a24ca7e1e9b2469ad69c0b5e52d94f9b9c2d434ec7bce3ddeae616e68d4197b85e259b98a

        • C:\Users\Admin\AppData\Local\2f80XIFH\xpsrchvw.exe

          Filesize

          160KB

          MD5

          559be0ae9c969221036690d0af24def1

          SHA1

          d78f92fe2b9af474cc3da69a760272def2f154c8

          SHA256

          6f0814a1c8890dff9fbbdd31544974611a83c5f5551e19076e973f36b4509041

          SHA512

          ade53016a9156c464251d701b8e8b53597f6eec3a8e58e436fc76da9725d02911374f0d68a9fb74bb847f9e16abf2562864893a80746ad8a337b9a6ba3ffae54

        • C:\Users\Admin\AppData\Local\868\MFC42u.dll

          Filesize

          177KB

          MD5

          cfcaae66df2588ac6682a159425fc137

          SHA1

          31d8a335bfec2adbe700706c8a2e5c230b663329

          SHA256

          c0c360cf0e4cba8780e1ad7d5478e700fc7cfa052e62ade387608b03b52b3d22

          SHA512

          0df8ce3c10aeb399202294baf97fccf493bc8c8ba9630aea37b90e130b64e9ae1fc9f7ee0641357ea7a16b22190e2be033b6bcd28842a22dfb7c7f1d8ffbb2a9

        • C:\Users\Admin\AppData\Local\868\msinfo32.exe

          Filesize

          112KB

          MD5

          6085258e9a717632c5229247f6b3d789

          SHA1

          803c2a0f417b1c44a3a0ca09c72e84c143d393c3

          SHA256

          d60484932618d925889b051d281ba1f9955ff00d1304d8d5e730b08f199402ad

          SHA512

          36e70f6912b3f8f9e2932d02a30e304a9d9ba857fdc667dcfd8bfe3bfcaa39fd051a4643e4446f874c04b40f7cb2cb3f03628b0329c148c2a2cf3c7457301b67

        • C:\Users\Admin\AppData\Local\868\msinfo32.exe

          Filesize

          64KB

          MD5

          25dde92c4b2706cea5bdb39797564a4f

          SHA1

          101ff7e3318f94cb676cb6b314af9cd5bb34fc3e

          SHA256

          677860e656a98a027999f8817e735cdb5460a7fb1c5bcdd26051e75edae1679e

          SHA512

          52b03ec3b3c7c3b53552b7d0526e32c1665741df5038f894bdfc987047e05b63fd75a3e223c4fda3c6b5479043e79a43103f46349ef6252d448d17259a4a90fd

        • C:\Users\Admin\AppData\Local\JoJxAa\ACTIVEDS.dll

          Filesize

          24KB

          MD5

          aca9f6792bf33eff7571038dc52f48c3

          SHA1

          3e758053eb5ac7535735dbb7fe2a5b85b8b52222

          SHA256

          0eb7ba97ef5c19b3c2d8214e1d25fb650929010a7784e7160038bbfa64d3605b

          SHA512

          11d357c2223fcfbbd060d11126c05a52b6076ce16fe4e412d15ff6f134a54b5f5b3dc8dc38388da9ff5212cbf0c9bf28cb1bc7011cbd08c63d6387396fe0c92f

        • C:\Users\Admin\AppData\Local\JoJxAa\TpmInit.exe

          Filesize

          112KB

          MD5

          8b5eb38e08a678afa129e23129ca1e6d

          SHA1

          a27d30bb04f9fabdb5c92d5150661a75c5c7bc42

          SHA256

          4befa614e1b434b2f58c9e7ce947a946b1cf1834b219caeff42b3e36f22fd97c

          SHA512

          a7245cde299c68db85370ae1bdf32a26208e2cda1311afd06b0efd410664f36cafb62bf4b7ce058e203dcc515c45ebdef01543779ead864f3154175b7b36647d

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Cuhrqknkppepky.lnk

          Filesize

          1KB

          MD5

          5f70884d5bcaa4397dca3193360643ba

          SHA1

          2ae500fe3e97192f4849e5613823828af5fe0558

          SHA256

          5188feb242b5096b16b1b374637534471fbe4b4d74661547606b1615324d5de4

          SHA512

          1ec5a8e3d1171913625e796483b4ba74c24d2c9146cee1119a33ad679f24b52a2c1c5a589dd65e309b90c826c256df22c1dc1111ca3c18701ab4ded978f8a7d8

        • C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\NTPvJN\WINMM.dll

          Filesize

          1.1MB

          MD5

          f4bfc5406e65e0970e3a8ad7b9ff5c7c

          SHA1

          0959ec1b662bea47c8bac62e64b6d9a61048a8ee

          SHA256

          798f3839ad7a6050d9d0d1632dad094323d3990a4742e753db318a27e830a4e6

          SHA512

          0dcf92611438ba49b35afed1c218c6b2461c54ca5a8fbe75377ae45e1b2d1a7c77485f768f0d2c6c8f6e6b92b10f8f25f98cba8c0fd307736998f1800bd80579

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\DNTException\etagMJSL\MFC42u.dll

          Filesize

          1.6MB

          MD5

          468a614e33bccee889aa0802a237ac8b

          SHA1

          642f6c4be8a0f805e50c4bd7bb9b19dde46ce27d

          SHA256

          c2f4dcf0cfcdd6fcbac0d12e7fe94396f86e5d942b41455f823aef9a410753f8

          SHA512

          f1e0e7934ea971c650003e19657b4663459734d261e53e43437d9fb39bf8164a646113b74e5abefd27ee0f8a540faaf8d0e9bb788f1c35c62979d527e31f4e33

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\KNas\ACTIVEDS.dll

          Filesize

          1.5MB

          MD5

          5da1615afc5108169c7431c08a0cab9d

          SHA1

          976bed6e59187f72f2e6f79b1bf098a5637193e1

          SHA256

          f2aa3c23ab988859e1d09358fab0459131664cf37e7652f05e327b999ecb15cd

          SHA512

          0f72e1a69363c5645cb7a6039b9ef01eb9a7580043df7758a1b53b2137a97f2747d0d0e1ffc7f5ec963df515588b922dfe879a16d518f3478190090c695a4a7a

        • \Users\Admin\AppData\Local\2f80XIFH\WINMM.dll

          Filesize

          158KB

          MD5

          f201ff7b4bc97c22fb95e6c1155f7cf3

          SHA1

          aa37cdbb19aed8b5cc8e001da99f2a73e990ae5e

          SHA256

          463c9ca2aa4e2552f3cf85545085bbc846139841cf748240c9b8869d4884c9e1

          SHA512

          6e07cccd16943b30023e20730fdb40bd5da37abe88c618c6a7578f971db005d1a8c907245b2001c25114ed9715116cf6b601748cdd08d1591983de86a3584b39

        • \Users\Admin\AppData\Local\2f80XIFH\xpsrchvw.exe

          Filesize

          177KB

          MD5

          58d7f04d6d936369fb6f3efe180c8e24

          SHA1

          3ec27d982d68a991c8fcae9b6500e7a7e86e9895

          SHA256

          2b06b8f0879cee09906e19034c3bae445a51678c0f7bc08926d3fcf79700263d

          SHA512

          32e0c3751b3f18bc0d31e4a3e3afcf9f45c564124fac34e334c2464add8a45e5996e3464ea6119fb1436cabf47a90e010892746bca8cb974d930101506583235

        • \Users\Admin\AppData\Local\868\MFC42u.dll

          Filesize

          107KB

          MD5

          9a8dc62e32501d04cb18ae5f7494bc04

          SHA1

          273b186014c267bd179f59509c803c7766bcfbdd

          SHA256

          ddda8b4645a8994e52b3136d7dc9485cb31367931da6fccae36dd6e0018f39bc

          SHA512

          d19575e20f016dd2666d3815f93acacd30aa3e5a82a6bde901a3f309ad191a57e00feb86a8e3f68d5016bb1ae90fa738a8bea8382d673d72ec109dd4187a0f4c

        • \Users\Admin\AppData\Local\868\msinfo32.exe

          Filesize

          134KB

          MD5

          97ce3c53764afd4faef6abbfb083fd61

          SHA1

          bfe281d6e83a8b69f7d18a8163330817255dc5d3

          SHA256

          8eee375af634ed26c1f51f857c2c98752c49160cb4ffc28689af8e1eb9273595

          SHA512

          251472e865bff70a40b3f8adb83637c392a3a14f162a30d2bd1a1464d55f821e1636752d8cc1996d112426c3ecf52999651a368fa43ea2e8bca6c88c1918b38b

        • \Users\Admin\AppData\Local\JoJxAa\ACTIVEDS.dll

          Filesize

          5KB

          MD5

          ff6af6b65238cf6431d67a9dc19688a2

          SHA1

          af729735a2cc11452f949eb4efa0b849696be39c

          SHA256

          94a86b8d722ef9103f1d6efc5f731b10639c0d56235f29d3321d2a3c34c5c750

          SHA512

          9194f2fdee55e41a5d481a03081773d2bcfa8d7c704064c1030217fe1ddc56969653d4756a6897706dad55df25807a059d816991ce75eecce97fd41f0996e55f

        • \Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\KNas\TpmInit.exe

          Filesize

          75KB

          MD5

          32cd4f02545a050fe870da7c0f7adfd5

          SHA1

          f123b4408f7bfdb82c7de079bf8366522bc63566

          SHA256

          4b25de3bde7cec30ec2e10ce4f9eeb0dd10dc8b526afd0c90c54819a9d6758c4

          SHA512

          3c71050ac52b202a276ff8e87d114dd475085422cc1937cce2b9d8628c8962d56eeffb74c9a483448577367898f00535cf6110921216ebe2a1aec871558d7674

        • memory/1188-25-0x0000000140000000-0x0000000140188000-memory.dmp

          Filesize

          1.5MB

        • memory/1188-14-0x0000000140000000-0x0000000140188000-memory.dmp

          Filesize

          1.5MB

        • memory/1188-40-0x0000000140000000-0x0000000140188000-memory.dmp

          Filesize

          1.5MB

        • memory/1188-39-0x0000000140000000-0x0000000140188000-memory.dmp

          Filesize

          1.5MB

        • memory/1188-38-0x0000000140000000-0x0000000140188000-memory.dmp

          Filesize

          1.5MB

        • memory/1188-37-0x0000000140000000-0x0000000140188000-memory.dmp

          Filesize

          1.5MB

        • memory/1188-70-0x0000000140000000-0x0000000140188000-memory.dmp

          Filesize

          1.5MB

        • memory/1188-35-0x0000000140000000-0x0000000140188000-memory.dmp

          Filesize

          1.5MB

        • memory/1188-34-0x0000000140000000-0x0000000140188000-memory.dmp

          Filesize

          1.5MB

        • memory/1188-33-0x0000000140000000-0x0000000140188000-memory.dmp

          Filesize

          1.5MB

        • memory/1188-31-0x0000000140000000-0x0000000140188000-memory.dmp

          Filesize

          1.5MB

        • memory/1188-30-0x0000000140000000-0x0000000140188000-memory.dmp

          Filesize

          1.5MB

        • memory/1188-29-0x0000000140000000-0x0000000140188000-memory.dmp

          Filesize

          1.5MB

        • memory/1188-28-0x0000000140000000-0x0000000140188000-memory.dmp

          Filesize

          1.5MB

        • memory/1188-27-0x0000000140000000-0x0000000140188000-memory.dmp

          Filesize

          1.5MB

        • memory/1188-26-0x0000000140000000-0x0000000140188000-memory.dmp

          Filesize

          1.5MB

        • memory/1188-42-0x0000000140000000-0x0000000140188000-memory.dmp

          Filesize

          1.5MB

        • memory/1188-24-0x0000000140000000-0x0000000140188000-memory.dmp

          Filesize

          1.5MB

        • memory/1188-23-0x0000000140000000-0x0000000140188000-memory.dmp

          Filesize

          1.5MB

        • memory/1188-22-0x0000000140000000-0x0000000140188000-memory.dmp

          Filesize

          1.5MB

        • memory/1188-21-0x0000000140000000-0x0000000140188000-memory.dmp

          Filesize

          1.5MB

        • memory/1188-53-0x0000000140000000-0x0000000140188000-memory.dmp

          Filesize

          1.5MB

        • memory/1188-58-0x0000000077320000-0x0000000077322000-memory.dmp

          Filesize

          8KB

        • memory/1188-20-0x0000000140000000-0x0000000140188000-memory.dmp

          Filesize

          1.5MB

        • memory/1188-18-0x0000000140000000-0x0000000140188000-memory.dmp

          Filesize

          1.5MB

        • memory/1188-17-0x0000000140000000-0x0000000140188000-memory.dmp

          Filesize

          1.5MB

        • memory/1188-16-0x0000000140000000-0x0000000140188000-memory.dmp

          Filesize

          1.5MB

        • memory/1188-64-0x0000000140000000-0x0000000140188000-memory.dmp

          Filesize

          1.5MB

        • memory/1188-13-0x0000000140000000-0x0000000140188000-memory.dmp

          Filesize

          1.5MB

        • memory/1188-12-0x0000000140000000-0x0000000140188000-memory.dmp

          Filesize

          1.5MB

        • memory/1188-11-0x0000000140000000-0x0000000140188000-memory.dmp

          Filesize

          1.5MB

        • memory/1188-9-0x0000000140000000-0x0000000140188000-memory.dmp

          Filesize

          1.5MB

        • memory/1188-4-0x00000000770B6000-0x00000000770B7000-memory.dmp

          Filesize

          4KB

        • memory/1188-5-0x0000000002D50000-0x0000000002D51000-memory.dmp

          Filesize

          4KB

        • memory/1188-10-0x0000000140000000-0x0000000140188000-memory.dmp

          Filesize

          1.5MB

        • memory/1188-15-0x0000000140000000-0x0000000140188000-memory.dmp

          Filesize

          1.5MB

        • memory/1188-151-0x00000000770B6000-0x00000000770B7000-memory.dmp

          Filesize

          4KB

        • memory/1188-7-0x0000000140000000-0x0000000140188000-memory.dmp

          Filesize

          1.5MB

        • memory/1188-54-0x00000000771C1000-0x00000000771C2000-memory.dmp

          Filesize

          4KB

        • memory/1188-44-0x0000000140000000-0x0000000140188000-memory.dmp

          Filesize

          1.5MB

        • memory/1188-19-0x0000000140000000-0x0000000140188000-memory.dmp

          Filesize

          1.5MB

        • memory/1188-49-0x0000000002D30000-0x0000000002D37000-memory.dmp

          Filesize

          28KB

        • memory/1188-45-0x0000000140000000-0x0000000140188000-memory.dmp

          Filesize

          1.5MB

        • memory/1188-43-0x0000000140000000-0x0000000140188000-memory.dmp

          Filesize

          1.5MB

        • memory/1188-41-0x0000000140000000-0x0000000140188000-memory.dmp

          Filesize

          1.5MB

        • memory/1188-36-0x0000000140000000-0x0000000140188000-memory.dmp

          Filesize

          1.5MB

        • memory/1188-32-0x0000000140000000-0x0000000140188000-memory.dmp

          Filesize

          1.5MB

        • memory/1624-82-0x0000000000180000-0x0000000000187000-memory.dmp

          Filesize

          28KB

        • memory/1624-83-0x0000000140000000-0x000000014018F000-memory.dmp

          Filesize

          1.6MB

        • memory/1944-8-0x0000000140000000-0x0000000140188000-memory.dmp

          Filesize

          1.5MB

        • memory/1944-1-0x00000000000A0000-0x00000000000A7000-memory.dmp

          Filesize

          28KB

        • memory/1944-0-0x0000000140000000-0x0000000140188000-memory.dmp

          Filesize

          1.5MB

        • memory/2788-104-0x0000000000100000-0x0000000000107000-memory.dmp

          Filesize

          28KB