Analysis

  • max time kernel
    150s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    21-01-2024 09:39

General

  • Target

    6cf99878a472700f873bfe4ba861b27e.dll

  • Size

    1.6MB

  • MD5

    6cf99878a472700f873bfe4ba861b27e

  • SHA1

    0b3c08f07d5cdc9b5d916ac6588361d426bc0d5f

  • SHA256

    770fabafd2e9368ab8dfdcce39b8dfde8df9439be93f5fc9184c90206dae4d16

  • SHA512

    bed1c895105fca948804d5cdb88b5146a13d03eb1dde422c21810e055a94ec7a10898b2d0b79827a0dbd404fc8b50f7474b0f5acb759bf0d843d4d56cc4d1513

  • SSDEEP

    12288:4VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:tfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Malware Config

Signatures

  • Dridex
    Dridex (also known as Bugat/Cridex) is a banking trojan that specializes in stealing banking credentials.
  • Dridex Shellcode (1 IoC)
    Detects Dridex payload shellcode injected into the Explorer process.
  • Executes dropped EXE (3 IoCs)
  • Loads dropped DLL (7 IoCs)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Checks whether UAC is enabled (1 TTP, 4 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of WriteProcessMemory (18 IoCs)
  • Uses Task Scheduler COM API (1 TTP)
    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\6cf99878a472700f873bfe4ba861b27e.dll,#1
    PID: 2664
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
  • C:\Users\Admin\AppData\Local\5f1\SoundRecorder.exe
    C:\Users\Admin\AppData\Local\5f1\SoundRecorder.exe
    PID: 1292
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
  • C:\Windows\system32\SoundRecorder.exe
    C:\Windows\system32\SoundRecorder.exe
    PID: 2708
  • C:\Users\Admin\AppData\Local\IuyJ1\SystemPropertiesAdvanced.exe
    C:\Users\Admin\AppData\Local\IuyJ1\SystemPropertiesAdvanced.exe
    PID: 2920
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
  • C:\Windows\system32\SystemPropertiesAdvanced.exe
    C:\Windows\system32\SystemPropertiesAdvanced.exe
    PID: 2924
  • C:\Users\Admin\AppData\Local\Yqj\msconfig.exe
    C:\Users\Admin\AppData\Local\Yqj\msconfig.exe
    PID: 1844
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
  • C:\Windows\system32\msconfig.exe
    C:\Windows\system32\msconfig.exe
    PID: 2500
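The process list shows two patterns worth turning into detection logic: rundll32.exe loading a DLL from the user's Temp directory by ordinal export (#1), and copies of signed Windows binaries (SoundRecorder.exe, SystemPropertiesAdvanced.exe, msconfig.exe) executing from AppData\Local instead of C:\Windows. The following is an added example and is not code from the sandbox or its signature set: the seven events are constructed from the process list above, and the binary-name list, the user-writable path markers and the two rules are this example's own assumptions.

```python
"""Detection rules for the two process patterns in the report's process list:
rundll32 loading a DLL from a user-writable path by ordinal, and a copy of a
Windows system binary running from outside C:\\Windows.

Added example, not part of the sandbox report. EVENTS is constructed from the
seven processes listed above; the name list, the writable-path markers and the
rules themselves are assumptions of this example, not the sandbox's signatures.
"""
import ntpath
import re

# Basenames that normally live under C:\Windows. Assumption: seeded from the
# report; a real deployment would use a full inventory of System32 filenames.
WINDOWS_BINARIES = {
    "rundll32.exe", "soundrecorder.exe", "systempropertiesadvanced.exe", "msconfig.exe",
}
# Path fragments a standard user can write to without elevation (assumption).
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\")

# rundll32[.exe] <dll>,<#ordinal|export>
RUNDLL32_ARGS = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?\.dll)"?\s*,\s*(?P<export>#?\w+)', re.I)

# Process-creation events constructed from the report (pid, image path, command line).
EVENTS = [
    {"pid": 2664, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\6cf99878a472700f873bfe4ba861b27e.dll,#1"},
    {"pid": 1292, "image": r"C:\Users\Admin\AppData\Local\5f1\SoundRecorder.exe",
     "cmdline": r"C:\Users\Admin\AppData\Local\5f1\SoundRecorder.exe"},
    {"pid": 2708, "image": r"C:\Windows\system32\SoundRecorder.exe",
     "cmdline": r"C:\Windows\system32\SoundRecorder.exe"},
    {"pid": 2920, "image": r"C:\Users\Admin\AppData\Local\IuyJ1\SystemPropertiesAdvanced.exe",
     "cmdline": r"C:\Users\Admin\AppData\Local\IuyJ1\SystemPropertiesAdvanced.exe"},
    {"pid": 2924, "image": r"C:\Windows\system32\SystemPropertiesAdvanced.exe",
     "cmdline": r"C:\Windows\system32\SystemPropertiesAdvanced.exe"},
    {"pid": 1844, "image": r"C:\Users\Admin\AppData\Local\Yqj\msconfig.exe",
     "cmdline": r"C:\Users\Admin\AppData\Local\Yqj\msconfig.exe"},
    {"pid": 2500, "image": r"C:\Windows\system32\msconfig.exe",
     "cmdline": r"C:\Windows\system32\msconfig.exe"},
]


def in_user_writable(path):
    """True if the path lies under a directory a standard user can write to."""
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def image_path_masquerade(event):
    """A Windows binary name executing from anywhere other than C:\\Windows.

    This is the side-loading staging pattern: the loader copies the signed
    binary next to its own DLL so the binary resolves that DLL from its own
    directory before the system copy."""
    image = event["image"].lower()
    if ntpath.basename(image) in WINDOWS_BINARIES and not image.startswith("c:\\windows\\"):
        return f"{ntpath.basename(event['image'])} running from {ntpath.dirname(event['image'])}"
    return None


def rundll32_user_dll(event):
    """rundll32 invoking a DLL that lives in a user-writable directory."""
    m = RUNDLL32_ARGS.search(event["cmdline"])
    if not m or not in_user_writable(m.group("dll")):
        return None
    export = m.group("export")
    how = f"ordinal {export[1:]}" if export.startswith("#") else f"export {export}"
    return f"rundll32 loading {m.group('dll')} via {how}"


RULES = (image_path_masquerade, rundll32_user_dll)


def evaluate(events):
    """Return {pid: [reasons]} for every event that trips at least one rule."""
    hits = {}
    for ev in events:
        reasons = [r for r in (rule(ev) for rule in RULES) if r]
        if reasons:
            hits[ev["pid"]] = reasons
    return hits


if __name__ == "__main__":
    for pid, reasons in evaluate(EVENTS).items():
        print(pid, "->", "; ".join(reasons))
```

Run against the constructed events, the rules flag PIDs 2664, 1292, 2920 and 1844 and stay silent on the three processes that ran from C:\Windows\system32; a legitimate `rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL` also passes, because the DLL is not under a user-writable path.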

Network

MITRE ATT&CK Enterprise v15


Downloads

        • C:\Users\Admin\AppData\Local\5f1\SoundRecorder.exe

          Filesize

          607B

          MD5

          cd01476ba10d363fc923283d8cd56b08

          SHA1

          59a3d2b8d0727cfe24856c657c810fb2e3db30b1

          SHA256

          06862f900a1604875d8b17cd667507a00d0679de55f2c8962dd7eba91f8f5d9f

          SHA512

          a8f1440490ec9d807491ff894c1a8184aab13abe403f291e33d0d9324240d4d4c316722301f346056cb2458b8fb33b7f56658a61b79ccfa3046c512fe2bcad88

        • C:\Users\Admin\AppData\Local\5f1\SoundRecorder.exe

          Filesize

          5KB

          MD5

          19265727d110d662cf6bfadfdd4e00c9

          SHA1

          1b4d702be0fd50246b245098a867b50182563bea

          SHA256

          813e356f5f23e11bcf0ac4632d36520548c88330547aa0c5adecb7c87bf62472

          SHA512

          f0a1aa49f8a1c90ec866a6037ee5a5b4d91f180ac4c804c119caacb2b60e7378faa4f9ea0003063430a7592b9f7fc83f8bd668033e6b303ea80b33202a5f8fe7

        • C:\Users\Admin\AppData\Local\5f1\WINMM.dll

          Filesize

          19KB

          MD5

          7b806a720dbe39890f2eca2e11ba8309

          SHA1

          5fa8378b8505d50005575e6bb90a51398ff6ba01

          SHA256

          899d791bd78375862e69e47ec08adc1cee40a64814ca5331888cf850133a2a71

          SHA512

          c198537de4dd921a0916749afade24375141c2ba902f573f93430599b41b173659e9ae2ea8e5884b369c9b0aecf63f3656c337d61750b567f55616a376f68688

        • C:\Users\Admin\AppData\Local\IuyJ1\SYSDM.CPL

          Filesize

          42KB

          MD5

          ee0f110169b129e276b969de2c51355c

          SHA1

          6842d2c73c8f36f134c29f8652351fb4a7d60c3f

          SHA256

          51ec7a6268d026fb5fc87b85fb098b500352acabddbdf026b2315fc82292ffc0

          SHA512

          ee77528055bca2aa6fd82b7b06157320cf44435655623cacec0d99df63275f89f169465ba8e0cd2630dd07b349cc66de41f428ddc7b2b3d943ce8b830aa52a96

        • C:\Users\Admin\AppData\Local\IuyJ1\SystemPropertiesAdvanced.exe

          Filesize

          5KB

          MD5

          52677ccf0e00e6a1c3a6a4e670c316e3

          SHA1

          0d717bdbd63a293e780b92ad954a60f4ee81870d

          SHA256

          cedff001376a5cf428ed711aaa0d4a1a6a9148950bdc5deeaebb362f05329da7

          SHA512

          809fb48ccc627a78930c9125cc80226e1e5deb0d27d60d3a7a703eaefd91b88859aaa347d23c21432d54e1b2a41302b86e45eb0740410475e47316a4bb2d7a53

        • C:\Users\Admin\AppData\Local\Yqj\VERSION.dll

          Filesize

          48KB

          MD5

          04c87c34c3ed8efc420aa4fa397c7004

          SHA1

          ae3326ba4338a68ca9c00f0ba01facd932ae1f46

          SHA256

          dd7de0badd6bf4b5a7e3aa4b1fe5919b1f87df95cc772b97f895e644904b941b

          SHA512

          8fa2d8f13d33bd696d205a54effa306dfa6063b6c59b546a0451b3fa4526d23c6f6f8a981b89e8283f7f1e775abad2d1ec286aca182dfde320fd7b3fa0e2fbab

        • C:\Users\Admin\AppData\Local\Yqj\msconfig.exe

          Filesize

          25KB

          MD5

          5ac21c76b5fab933065fd80c63bde06a

          SHA1

          c31f17a297091fad0277999490914f03f63bce28

          SHA256

          c617230df9e34186f289425c9cef70e581eb746294dc61fdb30dd3586acebe15

          SHA512

          855deeb825b6ddb197b6db0749b3c1e751daaf4f9d995289c9abd14a232d21d155b653e45f69b92cc3b4f992d499922db6d4263eb61cf340326c403434d2e6c5

        • C:\Users\Admin\AppData\Local\Yqj\msconfig.exe

          Filesize

          27KB

          MD5

          9eab35db34fa05dd5d69117173a726af

          SHA1

          442fbeaa5cfd402bd2848c2118a1dfdc3f93916d

          SHA256

          cf1bf7e109bac823cf549f676cfc4302768e14a1214d260cccaf6f185c3f86f8

          SHA512

          740273cef0e9d8780b08cd5b3c21a23f183fd1999b0a9ca2a5aafb30e477848daef4f54250e700b8d2635786d32555b238e4aae4b6e7f61bc4606bfac02a348c

        • C:\Users\Admin\AppData\Roaming\Identities\0kZ\VERSION.dll

          Filesize

          1.6MB

          MD5

          dd616d9b615128f716552a26bd3f3961

          SHA1

          8e4c76d02e686bd93ed1dffe3365950edeb7026a

          SHA256

          57b06fbe0baba6e08c0a94f3e94282b6a474f6bbb9e989ca4888a5dd493e6940

          SHA512

          91ff79058c63fc6a022071ec13a61861aa7da4f768cb0d29652022b474ffe006846bdcb9a4b48bbf9fee4efee6199b2b5d433a07298f95f45d49ed7a5f11145a

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Cuhrqknkppepky.lnk

          Filesize

          904B

          MD5

          7f422ca1159b41e1a07f6feea4b0eeb2

          SHA1

          5d4b2370e91163eb23cf635379617c9c0fa418a6

          SHA256

          fe5f2fab05b725d7a167bb747e81d33fcea2570089056fcbf74a100e1d9cc054

          SHA512

          9366bcaeba91fd716520f0ba10d538be1d5e3d023ed283dbc3eeefe9d2e68ddb6bca5df68fd721fba0224af8cbf0d07f9b80202f24b90493cec5bcfe65cd3577

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IECompatUACache\Low\xy9FZ\SYSDM.CPL

          Filesize

          1.6MB

          MD5

          c155d0a18267ea1d067e6bc36173bb9f

          SHA1

          33bab8653f5dbed520720e9b6af844b2a4c35685

          SHA256

          0f82ca53c025ffdba719dc7508d8910c3d8bab25e721f97d1550352d58941e0d

          SHA512

          b7af5a805ad6c192a89d502d065a110ed965990c30c19cf41f44acc8427be0a5e213acda0b8d0023e9a396e718dbba5e297a8c5bec4a6b694d73b70c3bcc3468

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IECompatUACache\Low\xy9FZ\SystemPropertiesAdvanced.exe

          Filesize

          78KB

          MD5

          ead965d732d239d5474dacdf4afebf28

          SHA1

          8d39ac4ccb96bddbb7dc5df01438933b46981233

          SHA256

          070dea755a2c6d99c7d49dc267b45d0d9d6c7b0ec7bdc4c1cef130756c1de155

          SHA512

          2a16d6aa4f07eb344cea864ead90e6606e427c7aa7300f70708c62dd3dbfb6353d10650c92d79893b91f2a640eb3ccc8f9f4a22e1f7a4fcaf6ef7466f52b3c35

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\LJQSpXMwGH\WINMM.dll

          Filesize

          1.6MB

          MD5

          01e287f87e336e8a39ce70bc054d6de7

          SHA1

          dfaa3c8ba7ebee54c57ffada7ce3e3a8030fb91e

          SHA256

          1a6d91fff1d991c4f8fa17af63be5c962ca44edf0a4efc4201b9194ae1b1962c

          SHA512

          a2996bd25a5ec3a40097a7610823c68a05dc50795c4e9e77f2300d2507a9992e82ee50f2b7a5dfa2522f77ca5f33fe9ff2c95d30cf62fe5b39437426d9aafb1f

        • \Users\Admin\AppData\Local\5f1\SoundRecorder.exe

          Filesize

          16KB

          MD5

          730191b71f3aeba67026482ab955d5b6

          SHA1

          768675473ab90e82c87df9c2210eed07c591eeea

          SHA256

          12634afa07a7c7307291581b3c6971ad7e30424fd2f2d59833d668fd0e115c8b

          SHA512

          44c1374d497889f2abe15d4d0b9f56e8554da832297655d2a019edc2192ddb949d14f84c0ab5e7ccfddebe3d46a32df4bf20c29893384a5e00ab5675c1c8e2b0

        • \Users\Admin\AppData\Local\5f1\WINMM.dll

          Filesize

          10KB

          MD5

          3c606c386ce5723f7a3a9266f33dc4e1

          SHA1

          226ff7ec913cf874cda957ee78fb4ab9d57b4751

          SHA256

          46839127b2c6e29412191f16f9c1f75155a6dfb42cc8a2123aba7e363eb29a06

          SHA512

          d545e2fd9dd90616601ae3d3e2fe283445e5dfed934b8c194a647ce39597a26663aac3572dd9a1dc3d5f0d729cab027667b5ee7b8b637b3cf61423924b8122bb

        • \Users\Admin\AppData\Local\IuyJ1\SYSDM.CPL

          Filesize

          5KB

          MD5

          95e0b25bf51f48d7f9474a834dc9d1ce

          SHA1

          524eb97726b9e69b47db6f2e8f3222e874a72b17

          SHA256

          374e7edc13b23a3a0873385e79c035bae3413a5f9ddd84c046bda29c04691228

          SHA512

          f5516b722fd51b8b183ea59c9b483a4ad87aa9a6c81f82dbef1ad871e6cf1438e996b1e8ac6ad19306ed8d8f02655907781694098ab67c86b3748da72e188a8f

        • \Users\Admin\AppData\Local\IuyJ1\SystemPropertiesAdvanced.exe

          Filesize

          9KB

          MD5

          f592f69aaba7e985c06d07aad25d8f4b

          SHA1

          d6b11806331fdae75f731da5e4c21ebf380c1ba6

          SHA256

          7fb944af8bdfba90c9a845cb5964b7f27037da221c16dc460365fdf2eaedbe60

          SHA512

          f822841b218efa2f62dbaec8d26f093cf764eb22babe1d8487dd3be9d8d39dc87bc86b8bf57f94ea9f16a78d7e0d5c36691206e1b7ad80dbb8022102f57b62c9

        • \Users\Admin\AppData\Local\Yqj\VERSION.dll

          Filesize

          45KB

          MD5

          6a8017b0690ed6aeb9d12c41b873597c

          SHA1

          a6b6fe9e236b7fcaac311d153cbb818e5d707c16

          SHA256

          f81b2b9fef8d8e5a63819037d432cd8667f1c7ee926819cf99b05bd1311f5215

          SHA512

          7589572d35cac717028b98ad77322b20c9a52f44bf79b95343500f1d7609f8989b54ec7e97b4e343ede2e43c822df40a086466ae29070c830d14b396ad2c4adb

        • \Users\Admin\AppData\Local\Yqj\msconfig.exe

          Filesize

          1KB

          MD5

          aae2999ee9a060773660f375b64ec492

          SHA1

          d56d28e90dba3b60eafd09695da5eca97755e071

          SHA256

          22cad07bfc5784085ad6a7f33482d418265933e2cb6e15a23a7314c9925176bc

          SHA512

          41d5533dc89733edf4035e39b5702d37d7d0937f97b6139bad2cd73742c5fecbbf626d751dd26cbb533c80448e0972adb6595052ca8fd30cecb05a80d7ba6866

        • \Users\Admin\AppData\Roaming\Identities\0kZ\msconfig.exe

          Filesize

          9KB

          MD5

          0c60d317dd776c0377f574ab777cfeab

          SHA1

          f44ec7ccd9b3dac70c53e736b52f805701dd80e8

          SHA256

          b6aa5aa94c0ffd2eaace97f77ba50bc8e65b7debadf2422631512d6fa8bbc9a9

          SHA512

          b047f411c285aa158139060722d95b30d1b412a67576d79be1eb000e91e3ebe07d2d7f2df4b4716f2ef4e8115085970868ee0452ce8e3aa178cdcbb00c39aeab

  • memory/1216-N-0x0000000140000000-0x0000000140192000-memory.dmp for N in 7, 9 through 50, 58, 69 and 75 (46 dumps of the same region)
    Filesize: 1.6MB
  • memory/1216-4-0x0000000077556000-0x0000000077557000-memory.dmp
    Filesize: 4KB
  • memory/1216-153-0x0000000077556000-0x0000000077557000-memory.dmp
    Filesize: 4KB
  • memory/1216-59-0x0000000077761000-0x0000000077762000-memory.dmp
    Filesize: 4KB
  • memory/1216-62-0x00000000778C0000-0x00000000778C2000-memory.dmp
    Filesize: 8KB
  • memory/1216-51-0x0000000002A30000-0x0000000002A37000-memory.dmp
    Filesize: 28KB
  • memory/1216-5-0x0000000002DC0000-0x0000000002DC1000-memory.dmp
    Filesize: 4KB
  • memory/1292-89-0x0000000000090000-0x0000000000097000-memory.dmp
    Filesize: 28KB
  • memory/1844-127-0x00000000003A0000-0x00000000003A7000-memory.dmp
    Filesize: 28KB
  • memory/2664-8-0x0000000140000000-0x0000000140192000-memory.dmp
    Filesize: 1.6MB
  • memory/2664-1-0x0000000140000000-0x0000000140192000-memory.dmp
    Filesize: 1.6MB
  • memory/2664-0-0x0000000000430000-0x0000000000437000-memory.dmp
    Filesize: 28KB
  • memory/2920-108-0x0000000000180000-0x0000000000187000-memory.dmp
    Filesize: 28KB

PID 1216 does not appear in the process list above. The region 0x0000000140000000-0x0000000140192000 dumped 46 times from it, and twice from rundll32.exe (PID 2664), is 0x192000 = 1,646,592 bytes: the same 1.6MB as the submitted DLL and as the VERSION.dll, SYSDM.CPL and WINMM.dll copies written under AppData\Roaming, which is consistent with the Dridex Shellcode signature (payload injected into the Explorer process) reported above.
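The dropped-file entries above follow the side-loading layout the process list hints at: each random-named directory (5f1, IuyJ1, Yqj, 0kZ, xy9FZ, LJQSpXMwGH) holds a copied Windows executable next to a file named like a library that executable imports (WINMM.dll, VERSION.dll, SYSDM.CPL), several paths recur with different sizes because the sandbox captured the file at successive write stages, and a .lnk is written to the Startup folder. The following is an added example, not the sandbox's own output or code: the path/size list is constructed from the Downloads section (hashes omitted since the grouping needs only path and size), and the EXE and library name sets and the size match against the submitted sample are this example's assumptions.

```python
"""Triage the dropped-file list of a sandbox report for DLL side-loading
staging directories and Startup-folder persistence.

Added example, not part of the sandbox report. DROPPED is constructed from the
paths and sizes in the Downloads section above (hashes omitted; the grouping
needs only path and size). The EXE and library name sets and the size match
against the submitted sample are this example's assumptions.
"""
import ntpath
from collections import defaultdict

# Signed Windows binaries the loader copies into user-writable directories.
SYSTEM_EXES = {"soundrecorder.exe", "systempropertiesadvanced.exe", "msconfig.exe"}
# Library names those binaries load; a same-named file beside the EXE is
# resolved first by the DLL search order, which is what side-loading relies on.
SIDELOAD_LIBS = {"winmm.dll", "version.dll", "sysdm.cpl"}
SAMPLE_SIZE = "1.6MB"  # size of the submitted DLL, from the report header

# (path, size) pairs as they appear in the report's Downloads section.
DROPPED = [
    (r"C:\Users\Admin\AppData\Local\5f1\SoundRecorder.exe", "607B"),
    (r"C:\Users\Admin\AppData\Local\5f1\SoundRecorder.exe", "5KB"),
    (r"C:\Users\Admin\AppData\Local\5f1\WINMM.dll", "19KB"),
    (r"C:\Users\Admin\AppData\Local\IuyJ1\SYSDM.CPL", "42KB"),
    (r"C:\Users\Admin\AppData\Local\IuyJ1\SystemPropertiesAdvanced.exe", "5KB"),
    (r"C:\Users\Admin\AppData\Local\Yqj\VERSION.dll", "48KB"),
    (r"C:\Users\Admin\AppData\Local\Yqj\msconfig.exe", "25KB"),
    (r"C:\Users\Admin\AppData\Local\Yqj\msconfig.exe", "27KB"),
    (r"C:\Users\Admin\AppData\Roaming\Identities\0kZ\VERSION.dll", "1.6MB"),
    (r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Cuhrqknkppepky.lnk", "904B"),
    (r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IECompatUACache\Low\xy9FZ\SYSDM.CPL", "1.6MB"),
    (r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IECompatUACache\Low\xy9FZ\SystemPropertiesAdvanced.exe", "78KB"),
    (r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\LJQSpXMwGH\WINMM.dll", "1.6MB"),
    (r"\Users\Admin\AppData\Local\5f1\SoundRecorder.exe", "16KB"),
    (r"\Users\Admin\AppData\Local\5f1\WINMM.dll", "10KB"),
    (r"\Users\Admin\AppData\Local\IuyJ1\SYSDM.CPL", "5KB"),
    (r"\Users\Admin\AppData\Local\IuyJ1\SystemPropertiesAdvanced.exe", "9KB"),
    (r"\Users\Admin\AppData\Local\Yqj\VERSION.dll", "45KB"),
    (r"\Users\Admin\AppData\Local\Yqj\msconfig.exe", "1KB"),
    (r"\Users\Admin\AppData\Roaming\Identities\0kZ\msconfig.exe", "9KB"),
]


def normalize(path):
    """Drop the drive letter and case so 'C:\\Users\\..' and '\\Users\\..' refer
    to the same file; the report lists some paths both ways."""
    return ntpath.splitdrive(path)[1].lower()


def sideload_stagings(dropped):
    """Group dropped files by directory; report each directory that holds a
    side-loadable library, whether a copied system EXE sits next to it, and
    which library copies are the size of the submitted sample."""
    by_dir = defaultdict(lambda: {"exes": set(), "libs": set(), "sizes": defaultdict(set)})
    for path, size in dropped:
        directory, name = ntpath.split(normalize(path))
        if name in SYSTEM_EXES:
            by_dir[directory]["exes"].add(name)
        elif name in SIDELOAD_LIBS:
            by_dir[directory]["libs"].add(name)
        else:
            continue
        # The same path appears several times with different sizes: the
        # sandbox captured the file at successive write stages, so keep all.
        by_dir[directory]["sizes"][name].add(size)

    findings = {}
    for directory, info in by_dir.items():
        if not info["libs"]:
            continue
        findings[directory] = {
            "exe": sorted(info["exes"]),
            "lib": sorted(info["libs"]),
            "paired": bool(info["exes"]),
            "sample_sized": sorted(n for n in info["libs"] if SAMPLE_SIZE in info["sizes"][n]),
        }
    return findings


def startup_persistence(dropped):
    """Shortcuts written to a Startup folder (8.3 short names included)."""
    return [path for path, _ in dropped
            if normalize(path).endswith(".lnk") and "\\programs\\startup\\" in normalize(path)]


if __name__ == "__main__":
    for directory, finding in sideload_stagings(DROPPED).items():
        print(directory, finding)
    print(startup_persistence(DROPPED))
```

On the report's list this yields six staging directories, five of them with the EXE/library pair complete (LJQSpXMwGH holds only WINMM.dll), three of which contain a library copy the size of the submitted sample (0kZ, xy9FZ, LJQSpXMwGH), plus the single Startup shortcut. Those three full-size copies and the Startup .lnk are the artifacts to hash and sweep for on other hosts; the small partial writes under AppData\Local are sandbox capture noise rather than stable IOCs.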