Analysis

  • max time kernel: 150s
  • max time network: 124s
  • platform: windows7_x64
  • resource: win7-20231215-en
  • resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted: 22-01-2024 02:52

General

  • Target: 6e878d3bec87e1562cd7b8f267d6511c.dll
  • Size: 1.4MB
  • MD5: 6e878d3bec87e1562cd7b8f267d6511c
  • SHA1: 5babe29f33e7fb0f4d7327d937e71373645490e8
  • SHA256: 9e34e48ce49ec56aa42b037c0bb4dee15418333d5374dbb3084a0787d254f2a5
  • SHA512: 6358e14c1008bc891540650adfaf3afe328ce4306e30f5b4e9363f5609c090c13caa106322e0b64e17158d881aacd545e8d03b0e1f9a3652d0e7968539df67cd
  • SSDEEP: 12288:lVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:8fP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex payload shellcode injected into the Explorer process.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\6e878d3bec87e1562cd7b8f267d6511c.dll,#1
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID: 2644
  • C:\Windows\system32\rdpclip.exe
    C:\Windows\system32\rdpclip.exe
    PID: 2808
  • C:\Users\Admin\AppData\Local\gXwt2no\rdpclip.exe
    C:\Users\Admin\AppData\Local\gXwt2no\rdpclip.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID: 2476
  • C:\Windows\system32\MpSigStub.exe
    C:\Windows\system32\MpSigStub.exe
    PID: 2440
  • C:\Users\Admin\AppData\Local\M1lXF8\MpSigStub.exe
    C:\Users\Admin\AppData\Local\M1lXF8\MpSigStub.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID: 2540
  • C:\Windows\system32\AdapterTroubleshooter.exe
    C:\Windows\system32\AdapterTroubleshooter.exe
    PID: 1616
  • C:\Users\Admin\AppData\Local\lWDq\AdapterTroubleshooter.exe
    C:\Users\Admin\AppData\Local\lWDq\AdapterTroubleshooter.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID: 1196

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\M1lXF8\MpSigStub.exe
    Filesize: 264KB
    MD5: 2e6bd16aa62e5e95c7b256b10d637f8f
    SHA1: 350be084477b1fe581af83ca79eb58d4defe260f
    SHA256: d795968b8067bb610033fa4a5b21eb2f96cef61513aba62912b8eb5c6a5ff7b3
    SHA512: 1f37150f6bcbe0df54bb85a5ad585824cea9332baa9be1649a95c1dfb41723de85c09d98fb2ca8261a49c2184d3bda638b84b2b7b60b97fe42a15ab1620a2542

  • C:\Users\Admin\AppData\Local\M1lXF8\VERSION.dll
    Filesize: 1.4MB
    MD5: 1aee649895241074597762d92442dc77
    SHA1: 4b84bfa9b8f32bfce9b27892141661bc3b1724c7
    SHA256: c08bea5cb8262370b757a44cf7e20b9b6c4ec98f4441987ae23676ec3181df77
    SHA512: 663927e22bad28e5c54aca3454dea2a4c4a4b49a4df23c3af9be632904035be5ee0083d86d5dee76053fa44b51347fe34b943ce582979670f36159f5bda7a4cb

  • C:\Users\Admin\AppData\Local\gXwt2no\WINSTA.dll
    Filesize: 1.4MB
    MD5: b51bd94a3a909f8bdd18578a9833fb66
    SHA1: f05a9ccbde744b57e338e6bf516f97622485429c
    SHA256: ab84fac1ee6a084951cc6d93bc1f302b5adbedcf67b628d0127ae83997e2484f
    SHA512: de16a60fbd986683d53a98ed0ce60be3df90fa879688f4aa800a8e58ae46e12681f9e00b9e1439cd72bcbe00a885419f85c6ddf173657036bde3ba22fbb12cfb

  • C:\Users\Admin\AppData\Local\lWDq\d3d9.dll
    Filesize: 1.4MB
    MD5: b659a4ea82d7457a70888141f644faac
    SHA1: 5e92c75b6137867c09c8981fad8da9a66d25a34d
    SHA256: 7343e0047308277739264437c11625ed096013a2427b8f6c04b7d0b473b548a8
    SHA512: 546c9031f4238ab19517bb105393996f9691d42298f3a7e0cb7782ed65e2ff7e2829c12356a6396d08f02d9913599e7d76b0901bc872195676629534225f7f6f

  • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ercyejwqgvsruoy.lnk
    Filesize: 993B
    MD5: 428ff21e5606907e66d0122e9990901c
    SHA1: b916139008a7b57a85b103638bed87b3205caf66
    SHA256: 6fabbe7ad769b7d99c698d7535b0a78ec8e35692c9bbf5f2ca0c8cb815765b94
    SHA512: 013f448e8695256dbfbbb25e8023442370c373c134ad9b1867bb5158b90996ac99d0bd133c34b676adaf7d75dd4ee57db322478069f14e51b0cb1ba5f5d594ec

  • \Users\Admin\AppData\Local\gXwt2no\rdpclip.exe
    Filesize: 206KB
    MD5: 25d284eb2f12254c001afe9a82575a81
    SHA1: cf131801fdd5ec92278f9e0ae62050e31c6670a5
    SHA256: 837e0d864c474956c0d9d4e7ae5f884007f19b7f420db9afcf0d266aefa6608b
    SHA512: 7b4f208fa1681a0a139577ebc974e7acfc85e3c906a674e111223783460585eb989cb6b38f215d79f89e747a0e9224d90e1aa43e091d2042edb8bac7b27b968b

  • \Users\Admin\AppData\Local\lWDq\AdapterTroubleshooter.exe
    Filesize: 39KB
    MD5: d4170c9ff5b2f85b0ce0246033d26919
    SHA1: a76118e8775e16237cf00f2fb79718be0dc84db1
    SHA256: d05e010a2570cdd5a67f62c99483aeeecb6a8d5ecc523cd49b158a460c9be5da
    SHA512: 9c85a9ea4002bd55cf9c51e470dd1bec527ff04b5d0d6f83094a998c541416cd47c9f42c6ca7e35ffa2842877f79e3c2e989489b9bf81644c5c57bb406b89608

  • memory/1196-108-0x0000000140000000-0x0000000140165000-memory.dmp (Filesize: 1.4MB)
  • memory/1196-103-0x00000000000F0000-0x00000000000F7000-memory.dmp (Filesize: 28KB)
  • memory/1348-30-0x0000000002590000-0x0000000002597000-memory.dmp (Filesize: 28KB)
  • memory/1348-57-0x0000000140000000-0x0000000140164000-memory.dmp (Filesize: 1.4MB)
  • memory/1348-17-0x0000000140000000-0x0000000140164000-memory.dmp (Filesize: 1.4MB)
  • memory/1348-18-0x0000000140000000-0x0000000140164000-memory.dmp (Filesize: 1.4MB)
  • memory/1348-19-0x0000000140000000-0x0000000140164000-memory.dmp (Filesize: 1.4MB)
  • memory/1348-20-0x0000000140000000-0x0000000140164000-memory.dmp (Filesize: 1.4MB)
  • memory/1348-21-0x0000000140000000-0x0000000140164000-memory.dmp (Filesize: 1.4MB)
  • memory/1348-22-0x0000000140000000-0x0000000140164000-memory.dmp (Filesize: 1.4MB)
  • memory/1348-23-0x0000000140000000-0x0000000140164000-memory.dmp (Filesize: 1.4MB)
  • memory/1348-24-0x0000000140000000-0x0000000140164000-memory.dmp (Filesize: 1.4MB)
  • memory/1348-26-0x0000000140000000-0x0000000140164000-memory.dmp (Filesize: 1.4MB)
  • memory/1348-25-0x0000000140000000-0x0000000140164000-memory.dmp (Filesize: 1.4MB)
  • memory/1348-27-0x0000000140000000-0x0000000140164000-memory.dmp (Filesize: 1.4MB)
  • memory/1348-28-0x0000000140000000-0x0000000140164000-memory.dmp (Filesize: 1.4MB)
  • memory/1348-29-0x0000000140000000-0x0000000140164000-memory.dmp (Filesize: 1.4MB)
  • memory/1348-4-0x0000000076C26000-0x0000000076C27000-memory.dmp (Filesize: 4KB)
  • memory/1348-37-0x0000000140000000-0x0000000140164000-memory.dmp (Filesize: 1.4MB)
  • memory/1348-38-0x0000000076E31000-0x0000000076E32000-memory.dmp (Filesize: 4KB)
  • memory/1348-39-0x0000000076F90000-0x0000000076F92000-memory.dmp (Filesize: 8KB)
  • memory/1348-48-0x0000000140000000-0x0000000140164000-memory.dmp (Filesize: 1.4MB)
  • memory/1348-54-0x0000000140000000-0x0000000140164000-memory.dmp (Filesize: 1.4MB)
  • memory/1348-16-0x0000000140000000-0x0000000140164000-memory.dmp (Filesize: 1.4MB)
  • memory/1348-15-0x0000000140000000-0x0000000140164000-memory.dmp (Filesize: 1.4MB)
  • memory/1348-10-0x0000000140000000-0x0000000140164000-memory.dmp (Filesize: 1.4MB)
  • memory/1348-127-0x0000000076C26000-0x0000000076C27000-memory.dmp (Filesize: 4KB)
  • memory/1348-5-0x00000000025C0000-0x00000000025C1000-memory.dmp (Filesize: 4KB)
  • memory/1348-7-0x0000000140000000-0x0000000140164000-memory.dmp (Filesize: 1.4MB)
  • memory/1348-14-0x0000000140000000-0x0000000140164000-memory.dmp (Filesize: 1.4MB)
  • memory/1348-13-0x0000000140000000-0x0000000140164000-memory.dmp (Filesize: 1.4MB)
  • memory/1348-9-0x0000000140000000-0x0000000140164000-memory.dmp (Filesize: 1.4MB)
  • memory/1348-12-0x0000000140000000-0x0000000140164000-memory.dmp (Filesize: 1.4MB)
  • memory/1348-11-0x0000000140000000-0x0000000140164000-memory.dmp (Filesize: 1.4MB)
  • memory/2476-72-0x0000000140000000-0x0000000140166000-memory.dmp (Filesize: 1.4MB)
  • memory/2476-66-0x0000000000080000-0x0000000000087000-memory.dmp (Filesize: 28KB)
  • memory/2476-67-0x0000000140000000-0x0000000140166000-memory.dmp (Filesize: 1.4MB)
  • memory/2540-90-0x0000000140000000-0x0000000140165000-memory.dmp (Filesize: 1.4MB)
  • memory/2540-85-0x0000000140000000-0x0000000140165000-memory.dmp (Filesize: 1.4MB)
  • memory/2540-84-0x0000000001B40000-0x0000000001B47000-memory.dmp (Filesize: 28KB)
  • memory/2644-0-0x0000000000290000-0x0000000000297000-memory.dmp (Filesize: 28KB)
  • memory/2644-1-0x0000000140000000-0x0000000140164000-memory.dmp (Filesize: 1.4MB)
  • memory/2644-8-0x0000000140000000-0x0000000140164000-memory.dmp (Filesize: 1.4MB)