Analysis

  • max time kernel
    150s
  • max time network
    128s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    21-01-2024 20:49

General

  • Target

    6dfd7436bd4deb041e0a6690557c4397.dll

  • Size

    1.5MB

  • MD5

    6dfd7436bd4deb041e0a6690557c4397

  • SHA1

    8689cb744b5e5d497a20d4f95a479cf3d1b07ef7

  • SHA256

    670c71a7ce5a1d03db1879db686c7f2ba96a4e6488cc14aa093b3831ea02405d

  • SHA512

    a86ae46acc04e5f976c9410544c1977949ba48fc26bd05d0324ae59db0cfe178873e18029290f81950ac2b58fb4a2a43b699e15123b46dfd282b011f159fc085

  • SSDEEP

    12288:qVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:3fP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex payload shellcode injected into the Explorer process.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\6dfd7436bd4deb041e0a6690557c4397.dll,#1
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID: 2756
  • C:\Windows\system32\ComputerDefaults.exe
    C:\Windows\system32\ComputerDefaults.exe
    PID: 572
    • C:\Users\Admin\AppData\Local\MsXOWmAi\ComputerDefaults.exe
      C:\Users\Admin\AppData\Local\MsXOWmAi\ComputerDefaults.exe
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID: 1092
    • C:\Windows\system32\tabcal.exe
      C:\Windows\system32\tabcal.exe
      PID: 2944
      • C:\Users\Admin\AppData\Local\QDQuFPry\tabcal.exe
        C:\Users\Admin\AppData\Local\QDQuFPry\tabcal.exe
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID: 3032
      • C:\Windows\system32\tcmsetup.exe
        C:\Windows\system32\tcmsetup.exe
        PID: 876
        • C:\Users\Admin\AppData\Local\UX9Uw\tcmsetup.exe
          C:\Users\Admin\AppData\Local\UX9Uw\tcmsetup.exe
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID: 2244

Network

MITRE ATT&CK Enterprise v15

Downloads

        • C:\Users\Admin\AppData\Local\MsXOWmAi\appwiz.cpl

          Filesize

          1.5MB

          MD5

          b8554068bd6c3121358109635a556da1

          SHA1

          aec59f313bcd222dedbc5488bb272ced14705a0e

          SHA256

          94ba3aa954d3dc42f3bbdccae1d0d4f8f16a8f391bc028242f03bb0ae0e4dca3

          SHA512

          f99a982ba9fd305acde98dce52e7410f5fe85469c351bab3e5cc8c180a7b91e09bbc41c676b93a6e5fc13d5a3a12a4ac56b4f4dc551c156bc299cdb8d466ae7d

        • C:\Users\Admin\AppData\Local\QDQuFPry\HID.DLL

          Filesize

          1.5MB

          MD5

          71492b8eae659ad08cb7330d134f1768

          SHA1

          896685756517d798d3edd5c9186b12cd5c4b9ce4

          SHA256

          fc9d90dea7bb405e6d448d281a07c2c443a90dc2423c7b0bf6c0eb3b4c54bab0

          SHA512

          c2e8768833e43900a55f0a7e32f24112052f0f56ec72e1541455f6bfd7b725e8472417297c379676a915e9499ab020319accae1fd2509694af0ca2f59b201a58

        • C:\Users\Admin\AppData\Local\UX9Uw\TAPI32.dll

          Filesize

          1.5MB

          MD5

          ceaa4716997b5f11fd6b7504e2349d8b

          SHA1

          5c30a3d20f4ab162b31c7f6d65c6053070ef2880

          SHA256

          91e1d9c2ba1894fcaacf183cde4df92795c64afec3e77a82d09ee7037f128602

          SHA512

          9497a8e78f8144a1dd504c060fb48dea8d5cc979c988dd18c34ffc4b926a2508b34c1d4cbb5160b9af309767c267cb76c85ae9c3e5977454bb6ef4acee06dc9f

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ercyejwqgvsruoy.lnk

          Filesize

          1KB

          MD5

          c8024ba02c7fd5bfec58f9468eded68d

          SHA1

          5e561c40c37a0dd603334f8323669479f0e6c63c

          SHA256

          cfa4148b047f6071db8b4a52055eff8d92d95d6b7969a3824f5d57aebab9d938

          SHA512

          e05943e29481df33c15399a9b4e9200adb25640e07e6f15bf1f7071775e66b6aaa54c116f9a60bda0e1a9a2d8d1a6976088304edb0b714f30903c135f9994307

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\4MrYue\HID.DLL

          Filesize

          418KB

          MD5

          228a2abbbd298ad38631b2f89873fc16

          SHA1

          d506bb9be6a2e07de0a7e39dca38c059c35b1943

          SHA256

          19d247cd6b7882c393dc7fcb9b81ef51f6a6e1cbffc4b70a8dffdcf3fb44b943

          SHA512

          6d7a2093b111d5fd50a199abed763318ee1a695f26cd97abe521a2fb8e3c3c2acba413e4e4f4970dd20b0af53f71a12f8dc5a788899c98184fc223573bac8c9e

        • \Users\Admin\AppData\Local\MsXOWmAi\ComputerDefaults.exe

          Filesize

          36KB

          MD5

          86bd981f55341273753ac42ea200a81e

          SHA1

          14fe410efc9aeb0a905b984ac27719ff0dd10ea7

          SHA256

          40b194be2bad2d3d4d1b69f9aec2853c8b663130810a11607ff72a9e3a06d5b3

          SHA512

          49bb6d4bf7a9356fadde7f6165af6973630827d28b69db10ad477a84d98b08fb82e4daae777166e1ddddb5b5efcdf634e4e9bd34b255dae87462ba32e8bba143

        • \Users\Admin\AppData\Local\QDQuFPry\tabcal.exe

          Filesize

          77KB

          MD5

          98e7911befe83f76777317ce6905666d

          SHA1

          2780088dffe1dd1356c5dd5112a9f04afee3ee8d

          SHA256

          3fe8b63367b4298e70d46e87ce04cc7af5f30dfdb86b79eae41d0731d9415ea1

          SHA512

          fc0226381d9a6984cccac8282697c78966524e1359f7f6044559b8223e773d3c108dda08a2dd283aa171dca3390801f2c92a5d1dbb978dd7f92a67bd8877b8b6

        • \Users\Admin\AppData\Local\UX9Uw\tcmsetup.exe

          Filesize

          15KB

          MD5

          0b08315da0da7f9f472fbab510bfe7b8

          SHA1

          33ba48fd980216becc532466a5ff8476bec0b31c

          SHA256

          e19556bb7aa39bbd5f0d568a95aec0b3af18dda438cc5737f945243b24d106e7

          SHA512

          c30501546efe2b0c003ef87ac381e901c69ddfc6791c6a5102cff3a07f56555d94995a4413b93036821aa214fc31501fa87eb519e1890ef75b2ec497983ffd58

        • memory/1092-86-0x0000000000410000-0x0000000000417000-memory.dmp  (Filesize 28KB)
        • memory/1276-39-0x0000000140000000-0x0000000140186000-memory.dmp  (Filesize 1.5MB)
        • memory/1276-41-0x0000000140000000-0x0000000140186000-memory.dmp  (Filesize 1.5MB)
        • memory/1276-17-0x0000000140000000-0x0000000140186000-memory.dmp  (Filesize 1.5MB)
        • memory/1276-18-0x0000000140000000-0x0000000140186000-memory.dmp  (Filesize 1.5MB)
        • memory/1276-20-0x0000000140000000-0x0000000140186000-memory.dmp  (Filesize 1.5MB)
        • memory/1276-21-0x0000000140000000-0x0000000140186000-memory.dmp  (Filesize 1.5MB)
        • memory/1276-19-0x0000000140000000-0x0000000140186000-memory.dmp  (Filesize 1.5MB)
        • memory/1276-22-0x0000000140000000-0x0000000140186000-memory.dmp  (Filesize 1.5MB)
        • memory/1276-23-0x0000000140000000-0x0000000140186000-memory.dmp  (Filesize 1.5MB)
        • memory/1276-24-0x0000000140000000-0x0000000140186000-memory.dmp  (Filesize 1.5MB)
        • memory/1276-25-0x0000000140000000-0x0000000140186000-memory.dmp  (Filesize 1.5MB)
        • memory/1276-27-0x0000000140000000-0x0000000140186000-memory.dmp  (Filesize 1.5MB)
        • memory/1276-26-0x0000000140000000-0x0000000140186000-memory.dmp  (Filesize 1.5MB)
        • memory/1276-28-0x0000000140000000-0x0000000140186000-memory.dmp  (Filesize 1.5MB)
        • memory/1276-29-0x0000000140000000-0x0000000140186000-memory.dmp  (Filesize 1.5MB)
        • memory/1276-30-0x0000000140000000-0x0000000140186000-memory.dmp  (Filesize 1.5MB)
        • memory/1276-31-0x0000000140000000-0x0000000140186000-memory.dmp  (Filesize 1.5MB)
        • memory/1276-32-0x0000000140000000-0x0000000140186000-memory.dmp  (Filesize 1.5MB)
        • memory/1276-33-0x0000000140000000-0x0000000140186000-memory.dmp  (Filesize 1.5MB)
        • memory/1276-34-0x0000000140000000-0x0000000140186000-memory.dmp  (Filesize 1.5MB)
        • memory/1276-35-0x0000000140000000-0x0000000140186000-memory.dmp  (Filesize 1.5MB)
        • memory/1276-36-0x0000000140000000-0x0000000140186000-memory.dmp  (Filesize 1.5MB)
        • memory/1276-37-0x0000000140000000-0x0000000140186000-memory.dmp  (Filesize 1.5MB)
        • memory/1276-4-0x0000000076DB6000-0x0000000076DB7000-memory.dmp  (Filesize 4KB)
        • memory/1276-38-0x0000000140000000-0x0000000140186000-memory.dmp  (Filesize 1.5MB)
        • memory/1276-40-0x0000000140000000-0x0000000140186000-memory.dmp  (Filesize 1.5MB)
        • memory/1276-42-0x0000000140000000-0x0000000140186000-memory.dmp  (Filesize 1.5MB)
        • memory/1276-16-0x0000000140000000-0x0000000140186000-memory.dmp  (Filesize 1.5MB)
        • memory/1276-44-0x0000000140000000-0x0000000140186000-memory.dmp  (Filesize 1.5MB)
        • memory/1276-43-0x0000000140000000-0x0000000140186000-memory.dmp  (Filesize 1.5MB)
        • memory/1276-45-0x0000000140000000-0x0000000140186000-memory.dmp  (Filesize 1.5MB)
        • memory/1276-46-0x0000000140000000-0x0000000140186000-memory.dmp  (Filesize 1.5MB)
        • memory/1276-47-0x0000000140000000-0x0000000140186000-memory.dmp  (Filesize 1.5MB)
        • memory/1276-48-0x0000000140000000-0x0000000140186000-memory.dmp  (Filesize 1.5MB)
        • memory/1276-50-0x00000000021D0000-0x00000000021D7000-memory.dmp  (Filesize 28KB)
        • memory/1276-49-0x0000000140000000-0x0000000140186000-memory.dmp  (Filesize 1.5MB)
        • memory/1276-57-0x0000000140000000-0x0000000140186000-memory.dmp  (Filesize 1.5MB)
        • memory/1276-58-0x0000000076FC1000-0x0000000076FC2000-memory.dmp  (Filesize 4KB)
        • memory/1276-59-0x0000000077120000-0x0000000077122000-memory.dmp  (Filesize 8KB)
        • memory/1276-68-0x0000000140000000-0x0000000140186000-memory.dmp  (Filesize 1.5MB)
        • memory/1276-71-0x0000000140000000-0x0000000140186000-memory.dmp  (Filesize 1.5MB)
        • memory/1276-15-0x0000000140000000-0x0000000140186000-memory.dmp  (Filesize 1.5MB)
        • memory/1276-14-0x0000000140000000-0x0000000140186000-memory.dmp  (Filesize 1.5MB)
        • memory/1276-13-0x0000000140000000-0x0000000140186000-memory.dmp  (Filesize 1.5MB)
        • memory/1276-12-0x0000000140000000-0x0000000140186000-memory.dmp  (Filesize 1.5MB)
        • memory/1276-11-0x0000000140000000-0x0000000140186000-memory.dmp  (Filesize 1.5MB)
        • memory/1276-5-0x0000000002AC0000-0x0000000002AC1000-memory.dmp  (Filesize 4KB)
        • memory/1276-7-0x0000000140000000-0x0000000140186000-memory.dmp  (Filesize 1.5MB)
        • memory/1276-144-0x0000000076DB6000-0x0000000076DB7000-memory.dmp  (Filesize 4KB)
        • memory/1276-9-0x0000000140000000-0x0000000140186000-memory.dmp  (Filesize 1.5MB)
        • memory/1276-10-0x0000000140000000-0x0000000140186000-memory.dmp  (Filesize 1.5MB)
        • memory/2244-122-0x00000000001F0000-0x00000000001F7000-memory.dmp  (Filesize 28KB)
        • memory/2756-8-0x0000000140000000-0x0000000140186000-memory.dmp  (Filesize 1.5MB)
        • memory/2756-1-0x0000000140000000-0x0000000140186000-memory.dmp  (Filesize 1.5MB)
        • memory/2756-0-0x0000000000110000-0x0000000000117000-memory.dmp  (Filesize 28KB)
        • memory/3032-104-0x0000000000190000-0x0000000000197000-memory.dmp  (Filesize 28KB)