Analysis

  • max time kernel
    149s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    22-01-2024 02:08

General

  • Target

    6e701a6565714d75f57e4ac97c8b92cc.dll

  • Size

    1.5MB

  • MD5

    6e701a6565714d75f57e4ac97c8b92cc

  • SHA1

    25de2e09d2506a090f949c1091c99e8209029564

  • SHA256

    bd76a02a02d4a0c8c7837fe4c4985ace8f6249f11e0a71ed9ffa55e8f4639be6

  • SHA512

    b38cdaa350fc05950787cfe6fef67253e63f4c4d037f9708cd7f74845fb151a20693d20ce0b57ae6cc47e3d6a8a9e22384a5941a3bb2fe26c6466b296d122882

  • SSDEEP

    12288:bVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ177:6fP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Malware Config

Signatures

  • Dridex

    Dridex (known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\6e701a6565714d75f57e4ac97c8b92cc.dll
    • Suspicious behavior: EnumeratesProcesses
    PID:2324
  • C:\Users\Admin\AppData\Local\ve93MSX\cttune.exe
    C:\Users\Admin\AppData\Local\ve93MSX\cttune.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:2492
  • C:\Windows\system32\cttune.exe
    C:\Windows\system32\cttune.exe
    PID:2456
  • C:\Users\Admin\AppData\Local\Q9P\cttune.exe
    C:\Users\Admin\AppData\Local\Q9P\cttune.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:2424
  • C:\Windows\system32\cttune.exe
    C:\Windows\system32\cttune.exe
    PID:2088
  • C:\Users\Admin\AppData\Local\5tU0cUbmK\msra.exe
    C:\Users\Admin\AppData\Local\5tU0cUbmK\msra.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:2712
  • C:\Windows\system32\msra.exe
    C:\Windows\system32\msra.exe
    PID:908

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\5tU0cUbmK\UxTheme.dll
    Filesize: 175KB
    MD5: af23e57e9f12570ae71a028da8e9f8b1
    SHA1: d98c021043ddacbf2e6a39ece38681350af11ee0
    SHA256: 45d9dc9ff8b4b6d6936c916df570e3ef0e7363744b389cece4adc6652d7a3ba8
    SHA512: ed5e7c5f27b838624b101d765b375e02b7a93f9d8149e6c169cd0e8575dc4af65df9283fd0e93b98573b4cf573a45dbb370972d419b5338549c86f8f8e47c21d

  • C:\Users\Admin\AppData\Local\5tU0cUbmK\msra.exe
    Filesize: 64KB
    MD5: d58052adf867cf1cee08b892fb092b1d
    SHA1: b74c7a8e8d212f1f4f4cb82362f44e7643394d05
    SHA256: 8653f9ab8986534f1b33eb01142a4442ff3192d784a894d00519e14197db4da2
    SHA512: 4420ab69c9b09467d6d15e2f302f39ad8c0954af5646f4fa2fc858b6f1e43d03a95a7e3e9529f1b5c704d8bba456ea484bee69cd5d205739d93c9bca48878468

  • C:\Users\Admin\AppData\Local\5tU0cUbmK\msra.exe
    Filesize: 130KB
    MD5: f01c9d4555780b277c81718890ffc42f
    SHA1: 534cd3d56c599a2a126f11ec5b07169909ff0b10
    SHA256: 111398c6afa943d141fd7ebd62f0f1ff156f1a0b4faf9a370a771657f0a61927
    SHA512: 53f1924058da9d808c02c64d8a8ffc39cbcd6990acbaba57752f8972b8f20ef2ea727a2ff91220ca7a0744a780c1e17854ca09c85d8a1605b54ff30396fa06c9

  • C:\Users\Admin\AppData\Local\Q9P\UxTheme.dll
    Filesize: 217KB
    MD5: b5d1885a2177af486ce85408de4526ec
    SHA1: d336d19263c463ac017b3054c4b2e70c639e5291
    SHA256: 50fda92dcf2753b304ae2728f9d04e9e110950ca882d4e85ff2eef22bcd8a0d6
    SHA512: ee7c4b1bd5bf98dbaba7951e836cf1cff485cf0253d968d4d0633ebd2d7fd1414e3be9eaff440546f3a957c1965cf42a6105c94d8b49966bef9b0a6d4fba5bd9

  • C:\Users\Admin\AppData\Local\Q9P\cttune.exe
    Filesize: 63KB
    MD5: d1e20b16b60b6803510caef8881e1194
    SHA1: 93ccf27e3d3bea286447bd6ec675876048ed8e77
    SHA256: b23e106251aa6f3311980f271ef823a14b27bd27631984969d219f768a435b89
    SHA512: f556765774622c2fe8e15e4054b3a074cfe5d9c281142821b35513864c1de1438799c8a2e7cfdd3a4a5e89f70695cbbd871c4754909526dbdf1ef7d38101f4d5

  • C:\Users\Admin\AppData\Local\ve93MSX\OLEACC.dll
    Filesize: 57KB
    MD5: d2fa98ad090b909b45b85e954dada722
    SHA1: d25dcd5a4cf0fe9489606acb2af9addef107137f
    SHA256: f610159f859e99638acf379b7e66c1510c4e0869a5fe6e06c4eddd72a7a9a89b
    SHA512: f77005db07a07477260e112e7f50320f0c9ac21d44688be90ff52ecb861568741c338da0d4b32c068f4ce07f5e3935352852b9a50008db83d0dad548432ab5d9

  • C:\Users\Admin\AppData\Local\ve93MSX\cttune.exe
    Filesize: 155KB
    MD5: 44c3a38325752df5ee0d885f26e7b545
    SHA1: a9261793401898ff86e0cf65cf47b70a2997794e
    SHA256: 10cc1b4430e82e7ab9ee72c494bf6d91b284ebe30f24ad9e48430be303c527cb
    SHA512: 2f41483506faaca0dd067bd79eeee2f875a8bef175a81db0dd08822fbe1c77feb4f9d818efc14d92fcb30ba4a98d5a6ddbbecdfbb9f0e438fcbd1199b22bb6e1

  • C:\Users\Admin\AppData\Local\ve93MSX\cttune.exe
    Filesize: 60KB
    MD5: 616858298155b77fb0d6bbb26a5cd1ba
    SHA1: 0e606db0dd24ec59c0c9112b10b50e2b99716e9d
    SHA256: 75a65e15de76118ad573bff1e6b3344cfd25ce9e196641103f66a23f7d0f0245
    SHA512: 1ad858b96a779698714c3687b7a0867fa33f8e8b1951144dfcaaf979c587a927f9ef6769ac24816701fb960884b0dac91fe0ffb43cf4da6fb02c02ce4af5acb5

  • C:\Users\Admin\AppData\Roaming\Adobe\Flash Player\AssetCache\c2\UxTheme.dll
    Filesize: 1.6MB
    MD5: 386d206dfadbb216e26fee868466afb9
    SHA1: 5b9f741f2f72d97f48f9df97c14ed041ea8ae935
    SHA256: 0059b4b865c99b2ceb402aa45ab339aef29ca57fc6aa0b51075d2b8b204c247e
    SHA512: f7f680af7ce1e9000107599a6c20a6566897101eb2a624876d8fd6b4558e508ed47e5597af76dfe91d1408b41312c19f2b2a2de82da715c47acdc3e8cb5fa983

  • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dbyxyty.lnk
    Filesize: 1KB
    MD5: f3ca7089aadc220a5ae1b2ff2c97308b
    SHA1: 64b0d34c9af83edbe143ec190fe7f5582055b87d
    SHA256: 458035737261cfb51044c12dbc5806146f99a2be94936097782026423a5dddec
    SHA512: 6f7b894a8a8eec21d12d120a2bc38596f8c617d25bb6a5e212e281f00fecd47a4d9c1dfc5501fec1c71edefe0c7c3619ca04578c6650d58e744632a091788892

  • C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\qq\UxTheme.dll
    Filesize: 1.6MB
    MD5: 772fb215aabbe4e188ee8ab76f4dcb7c
    SHA1: faf90ccaf93b95e166371e509d4549a44a67fc2f
    SHA256: 2948b756f13042294114378cb6bf1600728c93489b33703b87d636e74cbea516
    SHA512: 57ae1952d42ca74bebca4550ceeec29ca07b895083e74fdd878441484deaa0676846f5903a47dd46fb8d9e463df90b2b316f08ed9d8d3e05479d22f3b951dcc8

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\SXtSm77\OLEACC.dll
    Filesize: 1.6MB
    MD5: 7e7d055d97ce50462c911ba380bde4ba
    SHA1: a41e20cbdbde6b4aee6f9da95d5be6ad469d2c23
    SHA256: 3f2a5f31ffa7bd2ae37dc9f31f79fbbab7810544fad6fd1afd2167bad01ac7fa
    SHA512: 3bd788451db22b6d9beecf84c310dc975b743ae420985b2543a5c20c7fb632496135162754e416b531c154a15cd0636dcc30762957937c4170147bd1f510f568

  • \Users\Admin\AppData\Local\5tU0cUbmK\UxTheme.dll
    Filesize: 100KB
    MD5: c9f4655e2e65c349ea4d21556b7097af
    SHA1: 37bafdbc9109b9ec8a9017443960e9cc0edf4cac
    SHA256: 7b06676b80dbb6ac703c158914ec912b41f782fafd9fdfdff4206ee22c050232
    SHA512: daf3de69239017a76af00842ff1c86f65bf6d4b04bb058d75ebd6ba8a0c90b4248229dc618749797f0959047d2043f8153bb227fe458ce7673d07f6090490828

  • \Users\Admin\AppData\Local\5tU0cUbmK\msra.exe
    Filesize: 357KB
    MD5: acf25c1de82564b6517868ff6835d541
    SHA1: d4e326eba523e7e7b47408d8aae1292a483d662d
    SHA256: d06a5fc49b5e66e88bc685d83c271eb7019a6f17703034b37d3a4338aef639eb
    SHA512: c71d575fb8eb80bc67279d8f5c067fceffeff5b13823cd0359ce73afbe37f00642de9f3e622054bc1299e6a6e7d022ebf2e7f37bd8bef67d269facb0c5bd411a

  • \Users\Admin\AppData\Local\Q9P\UxTheme.dll
    Filesize: 146KB
    MD5: a25cf12a1f79cdc9676aca0a0ad6ddb6
    SHA1: a2c409091408a83b3b9e516ba3e68c7990185480
    SHA256: fbce1218619839b4565b7a25d201dea01b74ecb7525fe3043b15a4582527e8d5
    SHA512: 8cb770e0d50cde26e386c6460b6cd8946ff47de23af91ebc03a6d665b5e1fa4aadebfd91726c05bf11d218799ff89c735a69666e5744150da349c6658391606d

  • \Users\Admin\AppData\Local\Q9P\cttune.exe
    Filesize: 59KB
    MD5: aa31ed5c61cfa7d5e5c2f635372ba429
    SHA1: 4424e6e7b36353e3b16903f8f438bd2dcdf89ebe
    SHA256: 7ee79d8602a1905d3ba50c84374490952be8c7bde744bf1915e5b02503df1a6d
    SHA512: 1b371e0e69e26e04dfcd881f5e142406c09f2a36e3534721d6a359b5c69c2e7ef2c24d2e618de4b39a29e39256a12b1cceb59fa83a3afaa47d1db7eb6fca061d

  • \Users\Admin\AppData\Local\ve93MSX\OLEACC.dll
    Filesize: 210KB
    MD5: d29b3f13c7c69551767b77abcad4125e
    SHA1: a9b279b870b45a58c1eac409147fd33a4646dcae
    SHA256: d9c6ca875da779818afd6b2dbb205d5fd0e8490f22b5775a4708d4f991e1071d
    SHA512: b60bf43b8520d5bd8298f142db75b8ad1d1da405c5c1153a142bbbab0252c264d3a2a79c7d5fc8db4deadb2e2980bfd1c51c482dca2844600ae53762b8df4669

  • \Users\Admin\AppData\Local\ve93MSX\cttune.exe
    Filesize: 127KB
    MD5: 2d601a6850c3ea535280c828ce7fb76b
    SHA1: f9bb659886a6f3e35b377c4e197694f72edd1968
    SHA256: 0e2ccbf8f819dffea21ed3f0413cf85dd315ff497203818e94a6e229a5aade9a
    SHA512: 9f5fd75406597951dad4486afe5e48270ed9ba97279cc775124978ba306660d343f3169f76825af53842c6d6762104cb8c90171ce309d14dd37e2fde5f85bff8

  • \Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\qq\msra.exe
    Filesize: 92KB
    MD5: 794a278db74270984297b38c7d03e4d1
    SHA1: adbc0ac6b6f1f3d2eaa081895e43e9873cf594d5
    SHA256: 3d229681ccdd324aea62113153e43c09ffe593bcd332e4fe165ddeaca286d619
    SHA512: b24e4ae5f5103cdf84ed8714a46a45e6f48dd0eb33b7f1eb73904814cff79db861ac6ae8520be37248e438b100f670032d77ff56a2e37ed65dab65c7dce4eb47
  • memory/1352-29-0x0000000140000000-0x000000014018C000-memory.dmp
    Filesize: 1.5MB
  • memory/1352-18-0x0000000140000000-0x000000014018C000-memory.dmp
    Filesize: 1.5MB
  • memory/1352-55-0x0000000077A80000-0x0000000077A82000-memory.dmp
    Filesize: 8KB
  • memory/1352-37-0x0000000140000000-0x000000014018C000-memory.dmp
    Filesize: 1.5MB
  • memory/1352-64-0x0000000140000000-0x000000014018C000-memory.dmp
    Filesize: 1.5MB
  • memory/1352-70-0x0000000140000000-0x000000014018C000-memory.dmp
    Filesize: 1.5MB
  • memory/1352-72-0x0000000140000000-0x000000014018C000-memory.dmp
    Filesize: 1.5MB
  • memory/1352-35-0x0000000140000000-0x000000014018C000-memory.dmp
    Filesize: 1.5MB
  • memory/1352-4-0x0000000077716000-0x0000000077717000-memory.dmp
    Filesize: 4KB
  • memory/1352-5-0x0000000002DE0000-0x0000000002DE1000-memory.dmp
    Filesize: 4KB
  • memory/1352-10-0x0000000140000000-0x000000014018C000-memory.dmp
    Filesize: 1.5MB
  • memory/1352-38-0x0000000140000000-0x000000014018C000-memory.dmp
    Filesize: 1.5MB
  • memory/1352-34-0x0000000140000000-0x000000014018C000-memory.dmp
    Filesize: 1.5MB
  • memory/1352-39-0x0000000140000000-0x000000014018C000-memory.dmp
    Filesize: 1.5MB
  • memory/1352-33-0x0000000140000000-0x000000014018C000-memory.dmp
    Filesize: 1.5MB
  • memory/1352-32-0x0000000140000000-0x000000014018C000-memory.dmp
    Filesize: 1.5MB
  • memory/1352-31-0x0000000140000000-0x000000014018C000-memory.dmp
    Filesize: 1.5MB
  • memory/1352-40-0x0000000140000000-0x000000014018C000-memory.dmp
    Filesize: 1.5MB
  • memory/1352-28-0x0000000140000000-0x000000014018C000-memory.dmp
    Filesize: 1.5MB
  • memory/1352-27-0x0000000140000000-0x000000014018C000-memory.dmp
    Filesize: 1.5MB
  • memory/1352-26-0x0000000140000000-0x000000014018C000-memory.dmp
    Filesize: 1.5MB
  • memory/1352-25-0x0000000140000000-0x000000014018C000-memory.dmp
    Filesize: 1.5MB
  • memory/1352-24-0x0000000140000000-0x000000014018C000-memory.dmp
    Filesize: 1.5MB
  • memory/1352-22-0x0000000140000000-0x000000014018C000-memory.dmp
    Filesize: 1.5MB
  • memory/1352-21-0x0000000140000000-0x000000014018C000-memory.dmp
    Filesize: 1.5MB
  • memory/1352-20-0x0000000140000000-0x000000014018C000-memory.dmp
    Filesize: 1.5MB
  • memory/1352-19-0x0000000140000000-0x000000014018C000-memory.dmp
    Filesize: 1.5MB
  • memory/1352-54-0x0000000077921000-0x0000000077922000-memory.dmp
    Filesize: 4KB
  • memory/1352-16-0x0000000140000000-0x000000014018C000-memory.dmp
    Filesize: 1.5MB
  • memory/1352-15-0x0000000140000000-0x000000014018C000-memory.dmp
    Filesize: 1.5MB
  • memory/1352-14-0x0000000140000000-0x000000014018C000-memory.dmp
    Filesize: 1.5MB
  • memory/1352-13-0x0000000140000000-0x000000014018C000-memory.dmp
    Filesize: 1.5MB
  • memory/1352-12-0x0000000140000000-0x000000014018C000-memory.dmp
    Filesize: 1.5MB
  • memory/1352-11-0x0000000140000000-0x000000014018C000-memory.dmp
    Filesize: 1.5MB
  • memory/1352-9-0x0000000140000000-0x000000014018C000-memory.dmp
    Filesize: 1.5MB
  • memory/1352-17-0x0000000140000000-0x000000014018C000-memory.dmp
    Filesize: 1.5MB
  • memory/1352-7-0x0000000140000000-0x000000014018C000-memory.dmp
    Filesize: 1.5MB
  • memory/1352-53-0x0000000140000000-0x000000014018C000-memory.dmp
    Filesize: 1.5MB
  • memory/1352-140-0x0000000077716000-0x0000000077717000-memory.dmp
    Filesize: 4KB
  • memory/1352-41-0x0000000140000000-0x000000014018C000-memory.dmp
    Filesize: 1.5MB
  • memory/1352-45-0x0000000140000000-0x000000014018C000-memory.dmp
    Filesize: 1.5MB
  • memory/1352-46-0x0000000002D40000-0x0000000002D47000-memory.dmp
    Filesize: 28KB
  • memory/1352-42-0x0000000140000000-0x000000014018C000-memory.dmp
    Filesize: 1.5MB
  • memory/1352-43-0x0000000140000000-0x000000014018C000-memory.dmp
    Filesize: 1.5MB
  • memory/1352-23-0x0000000140000000-0x000000014018C000-memory.dmp
    Filesize: 1.5MB
  • memory/1352-30-0x0000000140000000-0x000000014018C000-memory.dmp
    Filesize: 1.5MB
  • memory/1352-44-0x0000000140000000-0x000000014018C000-memory.dmp
    Filesize: 1.5MB
  • memory/1352-36-0x0000000140000000-0x000000014018C000-memory.dmp
    Filesize: 1.5MB
  • memory/2324-8-0x0000000140000000-0x000000014018C000-memory.dmp
    Filesize: 1.5MB
  • memory/2324-0-0x0000000140000000-0x000000014018C000-memory.dmp
    Filesize: 1.5MB
  • memory/2324-1-0x00000000001A0000-0x00000000001A7000-memory.dmp
    Filesize: 28KB
  • memory/2424-103-0x0000000000220000-0x0000000000227000-memory.dmp
    Filesize: 28KB
  • memory/2492-82-0x0000000140000000-0x000000014018D000-memory.dmp
    Filesize: 1.6MB
  • memory/2492-84-0x0000000000330000-0x0000000000337000-memory.dmp
    Filesize: 28KB
  • memory/2712-120-0x0000000000290000-0x0000000000297000-memory.dmp
    Filesize: 28KB