Analysis

  • max time kernel
    150s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    22-01-2024 05:38

General

  • Target

    6edcb3e9a95b87f3dd31d12871219ad1.dll

  • Size

    1.4MB

  • MD5

    6edcb3e9a95b87f3dd31d12871219ad1

  • SHA1

    0f9808dbdb07056ce6154ff9ec192a829382527e

  • SHA256

    fcec9ee59606ca5763dd3f779b2fb2e60ec8a2382cf095b0b00634a4c5ff6bee

  • SHA512

    eae92f278b0b7d945a43c8eed204f8bc86e62713fc1700b6f04962361d1c76400b43e955ec168f20aeb4895984e9789654ad7c4cdc4b40bc741f623e617aa802

  • SSDEEP

    12288:jVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:yfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Malware Config

Signatures

  • Dridex

    Dridex (known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\6edcb3e9a95b87f3dd31d12871219ad1.dll
    • Suspicious behavior: EnumeratesProcesses
    PID:2524
  • C:\Windows\system32\DisplaySwitch.exe
    C:\Windows\system32\DisplaySwitch.exe
    PID:1796
    • C:\Users\Admin\AppData\Local\wzL\DisplaySwitch.exe
      C:\Users\Admin\AppData\Local\wzL\DisplaySwitch.exe
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2624
    • C:\Windows\system32\DevicePairingWizard.exe
      C:\Windows\system32\DevicePairingWizard.exe
      PID:1664
      • C:\Users\Admin\AppData\Local\ychYVY\DevicePairingWizard.exe
        C:\Users\Admin\AppData\Local\ychYVY\DevicePairingWizard.exe
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2484
      • C:\Windows\system32\TpmInit.exe
        C:\Windows\system32\TpmInit.exe
        PID:3032
        • C:\Users\Admin\AppData\Local\4Ne\TpmInit.exe
          C:\Users\Admin\AppData\Local\4Ne\TpmInit.exe
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:3036

Network

MITRE ATT&CK Enterprise v15

Downloads

        • C:\Users\Admin\AppData\Local\4Ne\ACTIVEDS.dll

          Filesize

          1.4MB

          MD5

          132f99eecf5e54ab873fcfeaadec55b4

          SHA1

          b40978bf6c2e1962ed09c65cacf134e936e04fc7

          SHA256

          26fd23d965e04b30c85dd36046b343aaa85dce9704c02668d85446b810eaf08e

          SHA512

          bb3a77a1d454e77db1e5891f7a2203777f02a34a04e4025a8dcc015aef3696df85ae4d689640d427f621538d55b372e34125b144b4f8586c04709eb8a1a03cf4

        • C:\Users\Admin\AppData\Local\wzL\DisplaySwitch.exe

          Filesize

          517KB

          MD5

          b795e6138e29a37508285fc31e92bd78

          SHA1

          d0fe0c38c7c61adbb77e58d48b96cd4bf98ecd4a

          SHA256

          01a9733871baa8518092bade3fce62dcca14cdf6fc55b98218253580b38d7659

          SHA512

          8312174a77bab5fef7c4e9efff66c43d3515b02f5766ed1d3b9bd0abb3d7344a9a22cbac228132098428c122293d2b1898b3a2d75f5e4247b1dcb9aa9c7913b1

        • C:\Users\Admin\AppData\Local\wzL\slc.dll

          Filesize

          1.3MB

          MD5

          5ddca64654e7e37fd357ef3c2876116e

          SHA1

          954a35290383c3900c30e79593e8883f0e991eb3

          SHA256

          f65626d967fe0f91986e667db87d4d79f80a413e3d1a1da698b43052a17cdd7b

          SHA512

          dca4a6810bcd1b8fb3dc49b3c482c90b1cf5a544fb8880ae92dc2f3660d54b3c0e44f6c29fbcec621949d0c70983b60c15dd7aa832206312f0b61aa7a68a5311

        • C:\Users\Admin\AppData\Local\ychYVY\DevicePairingWizard.exe

          Filesize

          45KB

          MD5

          35e5c945b96057c572620a4bbe0500d9

          SHA1

          4dc483b7dd19323e47b8830d9130c21bf8ee317a

          SHA256

          0e0810be544e957f73fecb0f2cb1b8ff5b81ea8d2bc5871c6273c0708ad1a33e

          SHA512

          5222d97b56e5ac9d8f13eb5d1e532340e5b50b87dda0491516db15a7be10c876f308ca45532bbc3fd46d68479a29c6a83c6a98e1a5a22a9086379e834a094af7

        • C:\Users\Admin\AppData\Local\ychYVY\MFC42u.dll

          Filesize

          45KB

          MD5

          bd8d60f9767810b4d8231ec8ad0e7341

          SHA1

          9fe98631cd201bfd2b8216394714d01c0e609a22

          SHA256

          2b961fc86097b9a919e90e343592f13d0efa14acbab2f81c71f43eb6801353b0

          SHA512

          e8fd254a61cd986d307ce5337312073afe805bfaa343b8fef52d2be8ddbfc216d9f9d88a134d22321e5c4f0af962092506fd1771f8e4e5f0c8d51260ac9ed71e

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Hbeids.lnk

          Filesize

          1KB

          MD5

          a8155de67e25a43b4a6db05ed3f50740

          SHA1

          6130434ef041453b33859afab24bf8da3be1397f

          SHA256

          78d1ea12d159280d2f6964fd0d6ca95edae92a4ead2aa8b498a98b50d2ca098e

          SHA512

          a589eccf75cc56222a858210780801c4156a59a633e616449ef139e000e5c381c7a3318c65a72f62bce93a0cc4cc9d2df986ebd498479b09ecafcf5022463c95

        • C:\Users\Admin\AppData\Roaming\Macromedia\UPVinfCysLm\MFC42u.dll

          Filesize

          1.4MB

          MD5

          93d73c749b402259eefee7541382b8fd

          SHA1

          f5d21c00580f48d7ada754063e0ad03435a0ec67

          SHA256

          2410496537f6a650c5d3738ed47f1cf98cc915b491ca91bb4176d1ee174de6f0

          SHA512

          07bf980ab63e0fa9abfc33fc29131482af6f6b5d654e5b931348237d25ceef4e3de8156b3c331281a77e5405c09fa46116f88a3f8c5ad752038b7cab9f83847d

        • C:\Users\Admin\AppData\Roaming\Microsoft\Credentials\d9SM\slc.dll

          Filesize

          1.4MB

          MD5

          e3811f428799ef0e1549ef6544b5f2ce

          SHA1

          fa25624a97af0deceb0cf5b2b275a4621ee5fae8

          SHA256

          5077e7211019b4da96d980f0e8ee82ce546853a7a43d9e4d93c298baa0678ad7

          SHA512

          36c0bdef26197d76616da79b1c3406e00be632978e6331b2a8e45e6ec84330d5333e4f75b2f03d0e4f7fbf009491ece8df2b9378e25205f6a9a96822e19ae952

        • \Users\Admin\AppData\Local\4Ne\TpmInit.exe

          Filesize

          112KB

          MD5

          8b5eb38e08a678afa129e23129ca1e6d

          SHA1

          a27d30bb04f9fabdb5c92d5150661a75c5c7bc42

          SHA256

          4befa614e1b434b2f58c9e7ce947a946b1cf1834b219caeff42b3e36f22fd97c

          SHA512

          a7245cde299c68db85370ae1bdf32a26208e2cda1311afd06b0efd410664f36cafb62bf4b7ce058e203dcc515c45ebdef01543779ead864f3154175b7b36647d

        • \Users\Admin\AppData\Local\wzL\slc.dll

          Filesize

          1.3MB

          MD5

          4e894969f989fb8e7bc98273ed64ce24

          SHA1

          eb3bd1c1217dd622d485fcefabb34c00de435fb6

          SHA256

          1cf85f751986445565ada0424f4530549e2ec940d75372c646d80aa05021d10f

          SHA512

          91c3cd7b3f421cc28c3259d25bdad3be5e2cd1342934e23eb505efd3a166c9c0cb641a7c806d1bf8acc51c9fd4c7b90b393e6eb28ee409aa71915168156390e3

        • \Users\Admin\AppData\Local\ychYVY\DevicePairingWizard.exe

          Filesize

          73KB

          MD5

          9728725678f32e84575e0cd2d2c58e9b

          SHA1

          dd9505d3548f08e5198a8d6ba6bcd60b1da86d5c

          SHA256

          d95d3aa065a657c354244e3d9d4dc62673dc36c1bed60650fade7d128ddab544

          SHA512

          a5d22240450e7b659cba507f9abe7e6d861e9712ca2335ea5ceb69e3557362b00f5d02bf84c3a6fed82a09eda555866dcab43741ad9c6db96e1e302ef2363377

        • \Users\Admin\AppData\Local\ychYVY\MFC42u.dll

          Filesize

          7KB

          MD5

          2aa868b9a1d668c0101dbb992e5182e7

          SHA1

          c471c1ff6e721290d03c8af9ff273b03404874ce

          SHA256

          c34e7714e9a733cd7caf32808abadf5f6d6783b3e0cdb219d7da21e407fed650

          SHA512

          9bd9f0a42a3478b5c4311f06cd5d06d17ee3d9f0c76fa327fe96e9261a4eed467b843ebb3b1810f05cacd134436cb12d963dbb09913872919574ae518ca4715d

        • memory/1228-16-0x0000000140000000-0x0000000140162000-memory.dmp

          Filesize

          1.4MB

        • memory/1228-7-0x0000000140000000-0x0000000140162000-memory.dmp

          Filesize

          1.4MB

        • memory/1228-17-0x0000000140000000-0x0000000140162000-memory.dmp

          Filesize

          1.4MB

        • memory/1228-18-0x0000000140000000-0x0000000140162000-memory.dmp

          Filesize

          1.4MB

        • memory/1228-20-0x0000000140000000-0x0000000140162000-memory.dmp

          Filesize

          1.4MB

        • memory/1228-21-0x0000000140000000-0x0000000140162000-memory.dmp

          Filesize

          1.4MB

        • memory/1228-19-0x0000000140000000-0x0000000140162000-memory.dmp

          Filesize

          1.4MB

        • memory/1228-22-0x0000000140000000-0x0000000140162000-memory.dmp

          Filesize

          1.4MB

        • memory/1228-23-0x0000000140000000-0x0000000140162000-memory.dmp

          Filesize

          1.4MB

        • memory/1228-27-0x0000000140000000-0x0000000140162000-memory.dmp

          Filesize

          1.4MB

        • memory/1228-26-0x0000000140000000-0x0000000140162000-memory.dmp

          Filesize

          1.4MB

        • memory/1228-25-0x0000000140000000-0x0000000140162000-memory.dmp

          Filesize

          1.4MB

        • memory/1228-24-0x0000000140000000-0x0000000140162000-memory.dmp

          Filesize

          1.4MB

        • memory/1228-28-0x0000000140000000-0x0000000140162000-memory.dmp

          Filesize

          1.4MB

        • memory/1228-29-0x00000000029D0000-0x00000000029D7000-memory.dmp

          Filesize

          28KB

        • memory/1228-36-0x0000000140000000-0x0000000140162000-memory.dmp

          Filesize

          1.4MB

        • memory/1228-37-0x0000000077291000-0x0000000077292000-memory.dmp

          Filesize

          4KB

        • memory/1228-38-0x00000000773F0000-0x00000000773F2000-memory.dmp

          Filesize

          8KB

        • memory/1228-47-0x0000000140000000-0x0000000140162000-memory.dmp

          Filesize

          1.4MB

        • memory/1228-53-0x0000000140000000-0x0000000140162000-memory.dmp

          Filesize

          1.4MB

        • memory/1228-15-0x0000000140000000-0x0000000140162000-memory.dmp

          Filesize

          1.4MB

        • memory/1228-4-0x0000000077086000-0x0000000077087000-memory.dmp

          Filesize

          4KB

        • memory/1228-126-0x0000000077086000-0x0000000077087000-memory.dmp

          Filesize

          4KB

        • memory/1228-5-0x00000000029F0000-0x00000000029F1000-memory.dmp

          Filesize

          4KB

        • memory/1228-14-0x0000000140000000-0x0000000140162000-memory.dmp

          Filesize

          1.4MB

        • memory/1228-13-0x0000000140000000-0x0000000140162000-memory.dmp

          Filesize

          1.4MB

        • memory/1228-56-0x0000000140000000-0x0000000140162000-memory.dmp

          Filesize

          1.4MB

        • memory/1228-9-0x0000000140000000-0x0000000140162000-memory.dmp

          Filesize

          1.4MB

        • memory/1228-10-0x0000000140000000-0x0000000140162000-memory.dmp

          Filesize

          1.4MB

        • memory/1228-11-0x0000000140000000-0x0000000140162000-memory.dmp

          Filesize

          1.4MB

        • memory/1228-12-0x0000000140000000-0x0000000140162000-memory.dmp

          Filesize

          1.4MB

        • memory/2484-84-0x00000000000F0000-0x00000000000F7000-memory.dmp

          Filesize

          28KB

        • memory/2484-83-0x0000000140000000-0x0000000140169000-memory.dmp

          Filesize

          1.4MB

        • memory/2484-89-0x0000000140000000-0x0000000140169000-memory.dmp

          Filesize

          1.4MB

        • memory/2524-8-0x0000000140000000-0x0000000140162000-memory.dmp

          Filesize

          1.4MB

        • memory/2524-1-0x0000000140000000-0x0000000140162000-memory.dmp

          Filesize

          1.4MB

        • memory/2524-0-0x00000000001A0000-0x00000000001A7000-memory.dmp

          Filesize

          28KB

        • memory/2624-70-0x0000000140000000-0x0000000140163000-memory.dmp

          Filesize

          1.4MB

        • memory/2624-65-0x0000000000100000-0x0000000000107000-memory.dmp

          Filesize

          28KB

        • memory/2624-66-0x0000000140000000-0x0000000140163000-memory.dmp

          Filesize

          1.4MB

        • memory/3036-103-0x0000000000090000-0x0000000000097000-memory.dmp

          Filesize

          28KB

        • memory/3036-107-0x0000000140000000-0x0000000140163000-memory.dmp

          Filesize

          1.4MB