Analysis

  • max time kernel
    150s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    22-01-2024 15:12

General

  • Target

    6fc1300c924c848e73451dec1a26af99.dll

  • Size

    1.5MB

  • MD5

    6fc1300c924c848e73451dec1a26af99

  • SHA1

    356d8a25843e120f2e5974fbd4c2cb992dc4b881

  • SHA256

    b18bf10683e2178f9b1f99b4ced10b08880b29eac55ba5d252c34e3b0d70833b

  • SHA512

    e5ae18253c6d93810db46d694d798097c1d5706df51889f03faeaa8a12d9de9691c71914f4fc6589c863e4269ad69ec2b041d77a37ea5efe5aaf196f5914b3b2

  • SSDEEP

    12288:LVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:KfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode (1 IoC)

    Detects Dridex payload shellcode injected into the Explorer process.

  • Executes dropped EXE (3 IoCs)
  • Loads dropped DLL (7 IoCs)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Checks whether UAC is enabled (1 TTP, 4 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of WriteProcessMemory (18 IoCs)
  • Uses Task Scheduler COM API (1 TTP)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\6fc1300c924c848e73451dec1a26af99.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2108
  • C:\Users\Admin\AppData\Local\mQJ6BDuo1\MpSigStub.exe
    C:\Users\Admin\AppData\Local\mQJ6BDuo1\MpSigStub.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:2640
  • C:\Windows\system32\MpSigStub.exe
    C:\Windows\system32\MpSigStub.exe
    1⤵
    PID:2596
  • C:\Windows\system32\Magnify.exe
    C:\Windows\system32\Magnify.exe
    1⤵
    PID:1508
  • C:\Users\Admin\AppData\Local\V61vQ\Magnify.exe
    C:\Users\Admin\AppData\Local\V61vQ\Magnify.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:2836
  • C:\Users\Admin\AppData\Local\1NMR1\rekeywiz.exe
    C:\Users\Admin\AppData\Local\1NMR1\rekeywiz.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:2156
  • C:\Windows\system32\rekeywiz.exe
    C:\Windows\system32\rekeywiz.exe
    1⤵
    PID:2128
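The process tree pairs each Windows system binary the sample copies out of System32 (MpSigStub.exe, Magnify.exe, rekeywiz.exe) with a dropped DLL in the same user-writable directory (VERSION.dll, MAGNIFICATION.dll, slc.dll, listed under Downloads below), and the sandbox flags each copy with "Loads dropped DLL". That is the DLL side-loading layout: a signed binary placed next to a DLL it imports resolves the import from its own directory ahead of the real DLL in System32, so the dropped DLL runs under the signed binary's name. Further 1.5MB copies of the same DLL names sit in unrelated Roaming directories with no host executable beside them. The following check, added here as an example and not part of the sandbox report, applies both observations to a file listing; the listing is constructed from the paths in this report, and the C:\Windows\system32\VERSION.dll entry is an assumption included to show that the legitimate DLL in a system directory is not flagged.

```python
r"""Triage check for the DLL side-loading layout seen in this report: a copy
of a system-directory executable written outside System32 together with a
DLL, plus further copies of that DLL staged in directories with no host
executable.

Added example, not sandbox tooling. SAMPLE_LISTING is constructed from the
paths this report shows; the C:\Windows\system32\VERSION.dll entry is an
assumption, included so the legitimate DLL is seen not to be flagged.
"""
import ntpath
from collections import defaultdict

# Constructed from the Processes and Downloads sections of the report.
SAMPLE_LISTING = [
    r"C:\Windows\system32\rundll32.exe",
    r"C:\Windows\system32\MpSigStub.exe",
    r"C:\Windows\system32\Magnify.exe",
    r"C:\Windows\system32\rekeywiz.exe",
    r"C:\Windows\system32\VERSION.dll",  # assumption: the legitimate DLL
    r"C:\Users\Admin\AppData\Local\mQJ6BDuo1\MpSigStub.exe",
    r"C:\Users\Admin\AppData\Local\mQJ6BDuo1\VERSION.dll",
    r"C:\Users\Admin\AppData\Local\V61vQ\Magnify.exe",
    r"C:\Users\Admin\AppData\Local\V61vQ\MAGNIFICATION.dll",
    r"C:\Users\Admin\AppData\Local\1NMR1\rekeywiz.exe",
    r"C:\Users\Admin\AppData\Local\1NMR1\slc.dll",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\6Mk\VERSION.dll",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IECompatCache\xUyXBowgs\MAGNIFICATION.dll",
    r"C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\GtBW\slc.dll",
    r"C:\Users\Admin\AppData\Local\Temp\6fc1300c924c848e73451dec1a26af99.dll",
]

SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def is_system_dir(directory):
    """True for the Windows system directories (case-insensitive)."""
    return directory.lower().rstrip("\\") in SYSTEM_DIRS


def group_by_dir(listing):
    """directory -> [file names] for a flat list of full paths."""
    by_dir = defaultdict(list)
    for path in listing:
        directory, name = ntpath.split(path)
        by_dir[directory].append(name)
    return by_dir


def find_sideload_hosts(listing):
    """[(exe_path, [dll_path, ...])] for every executable whose name also exists
    in a system directory but which sits outside one next to at least one DLL."""
    by_dir = group_by_dir(listing)
    system_exes = {
        name.lower()
        for directory, names in by_dir.items() if is_system_dir(directory)
        for name in names if name.lower().endswith(".exe")
    }
    hits = []
    for directory, names in by_dir.items():
        if is_system_dir(directory):
            continue
        dlls = [n for n in names if n.lower().endswith(".dll")]
        for name in names:
            if name.lower() in system_exes and dlls:
                hits.append((ntpath.join(directory, name),
                             [ntpath.join(directory, d) for d in dlls]))
    return sorted(hits)


def find_staged_copies(listing, hits):
    """Other non-system copies of the side-loaded DLL names that have no host
    executable beside them: payload copies staged for later use."""
    sideload_names = {ntpath.basename(d).lower() for _, dlls in hits for d in dlls}
    host_dirs = {ntpath.dirname(exe) for exe, _ in hits}
    staged = []
    for directory, names in group_by_dir(listing).items():
        if is_system_dir(directory) or directory in host_dirs:
            continue
        staged.extend(ntpath.join(directory, n) for n in names
                      if n.lower() in sideload_names)
    return sorted(staged)


if __name__ == "__main__":
    hosts = find_sideload_hosts(SAMPLE_LISTING)
    for exe, dlls in hosts:
        print(f"side-load host: {exe}")
        for d in dlls:
            print(f"    loads: {d}")
    for path in find_staged_copies(SAMPLE_LISTING, hosts):
        print(f"staged copy: {path}")
```

On a live host the listing would come from a recursive walk of the user profile; the check is a heuristic, so a hit should be confirmed by hashing the executable against the System32 original and inspecting the DLL's exports.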

Network

MITRE ATT&CK Enterprise v15

Downloads

        • C:\Users\Admin\AppData\Local\1NMR1\slc.dll

          Filesize

          168KB

          MD5

          013d457ae3111ab1dfa0a8e8853bf61d

          SHA1

          92ed82292a6df64fa7a63ebcbbdd24b9bf1b030d

          SHA256

          00884b26164d293f7c72f4cc8fc596613c1950e7cd326abcbde23fd9d1f42792

          SHA512

          6f2a10c133f97c81b1b8c5bc8aebc1cbaccd154ea15ec8d18fe995ae94fe0e4451f67358699cc959fd41c3cb6249d40b37c9fcdb3cc4e9460d228423e403b189

        • C:\Users\Admin\AppData\Local\V61vQ\MAGNIFICATION.dll

          Filesize

          64KB

          MD5

          443afb161b51a0fc7f7919da764ed1f0

          SHA1

          65c39c309d626bec5ffb582e22dc1502e3c308f7

          SHA256

          102e79a1d1ebfe82d25476205a859238b321311be58d2800b5931c6d71774865

          SHA512

          f7d6a3b49f40e05b8b02f3368edd1e89708aa0cbbcb376766ba6ec80cec5b45ca43bca0780e6422ebf730aceb7f754d1b5da3bacff220666de178291ab0607af

        • C:\Users\Admin\AppData\Local\V61vQ\Magnify.exe

          Filesize

          2KB

          MD5

          0d8aeeefe9d95e647498859530c70bf9

          SHA1

          0ebcdb64d8e142e4a63e23f6c56e395f8025ede4

          SHA256

          c777a047cd8e99b1a07827657d18ad5d5a4f412fe88b2f4a1c5e1f6b8f77503a

          SHA512

          e2cf387896c5d71e499e2514287de3855e0a0035ecc38c5607f4ba54af52d5f71e55073eecc193d3c6d4e8ed0d4acca1a9c677c5da3a512d0bb43f54c6a35b25

        • C:\Users\Admin\AppData\Local\V61vQ\Magnify.exe

          Filesize

          153KB

          MD5

          bb189e398e1f7baf7c5ea75a69f7e06a

          SHA1

          45f769e84b3290ae8b0a3029a082740f29eb8b8d

          SHA256

          ee545400ad3c0c32bc8503647a72aebc893df4587f6cc96d6048d2cc07cb3116

          SHA512

          3a39d344f9cb72571969e6b24fc979f64b04e595fdba768220b02e2e122c84d2ca35d2371f9415a4e44e26b1d6fa960ef68c472036a835e276cd19b0be90bff7

        • C:\Users\Admin\AppData\Local\mQJ6BDuo1\MpSigStub.exe

          Filesize

          264KB

          MD5

          2e6bd16aa62e5e95c7b256b10d637f8f

          SHA1

          350be084477b1fe581af83ca79eb58d4defe260f

          SHA256

          d795968b8067bb610033fa4a5b21eb2f96cef61513aba62912b8eb5c6a5ff7b3

          SHA512

          1f37150f6bcbe0df54bb85a5ad585824cea9332baa9be1649a95c1dfb41723de85c09d98fb2ca8261a49c2184d3bda638b84b2b7b60b97fe42a15ab1620a2542

        • C:\Users\Admin\AppData\Local\mQJ6BDuo1\VERSION.dll

          Filesize

          155KB

          MD5

          13838a89f2e53c4899765056e774385a

          SHA1

          a718e55cd18b7af7af86c3caea7ee6d26deb8c26

          SHA256

          44a5d21e293e0fcc0bfc9e69716dc69af528ea531fb1f7fe56102211480bca40

          SHA512

          900ee8af6d2fe4dfd79ef5862e8a02f00d5850e165d679544dc2ee644c5bab2a6e8ea74b9e692f1877e576ca7d4a28a261834943001bf688192f8817ae19f44d

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Tiizeasb.lnk

          Filesize

          1KB

          MD5

          08f45fedbdc3f3d5d8c8d6cfbbe7daa2

          SHA1

          f51620dcbd69238e055700750e0edd5a8c1da381

          SHA256

          a51955435f82f26327208d4a42710bacd57e375b193bbec36aef68cbb9c09792

          SHA512

          1ab517e4ae233de5a3ea3f070487dabb0654730d53c76b48adfeb41ec1fffe99b3a0d2dc3e5ba5b7fef56ca86dc434ad083264cf149a5f2be9aaf09cc6281ff1

        • C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\GtBW\slc.dll

          Filesize

          1.5MB

          MD5

          d3db31435367004bc910a39391724041

          SHA1

          3138ffe7fad70b6c9f39c6e942378b644448ac67

          SHA256

          450b1f12f1b9d80d1c297751c8db6a9912c0ae34c6575a6d8362d5fe581f9769

          SHA512

          5f96decca98e79578201359042f3397fde42b78a7bb1e7085f80e49db62b83655b5a34c214b0db547039a36044ea82cb2b1f83db6bd1c8caff49c960bcdc70b8

        • C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\6Mk\VERSION.dll

          Filesize

          1.5MB

          MD5

          c956ca66000ff6455f1f646fefc764d1

          SHA1

          05796b3d3389b0212f21aeffd360485df47d3e7a

          SHA256

          7e715eba02bbb8d7bc36186a47aecd6979d363ef702a0b4894c4ebc3e802dc05

          SHA512

          cc7078b027a511e80427ec85dd48b906f516a724ef2353275972883ea1832c58630a85931530afa70aa1eeda9c1288caa6098b2eec28b48b2980b28a07e4fbde

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IECompatCache\xUyXBowgs\MAGNIFICATION.dll

          Filesize

          1.5MB

          MD5

          ea71c1fd5e7b0edddf97c9ca7d3661f9

          SHA1

          f305830c79470b9b32b07051c10e2c27a66f060e

          SHA256

          9434c21c2a06d2cf773e779495f339f27f0d2001eecad26367ada2381ffd1162

          SHA512

          45bbb6a8c8d68164b72a820fa132229b32590dc23d20d393d274891e58f368f59b29068bcae9f1f2aeffc4f2d32e94e365924d60a09882ee3380810b36f41265

        • \Users\Admin\AppData\Local\1NMR1\rekeywiz.exe

          Filesize

          67KB

          MD5

          767c75767b00ccfd41a547bb7b2adfff

          SHA1

          91890853a5476def402910e6507417d400c0d3cb

          SHA256

          bd70e504871a2ac1c883d19b87970c8d1b8b251c784bf777ba77ed764f5f2395

          SHA512

          f096043452a1aa213a5e4d62638de3ee4b0b3ad3d12b7ee0372d8c79e00e2e13b4fd0ebc4206bbdb5124bed292dd5b30ef1641288046ef835f89c332985154f9

        • \Users\Admin\AppData\Local\1NMR1\slc.dll

          Filesize

          250KB

          MD5

          df31e22d3438239f7649d433f0c1fc30

          SHA1

          f8289fc1b582d458fb600dc6c6bbb5975450fdc0

          SHA256

          4775fa5304da47c2f91bcf98ac29d12a85bf665d3ea34e3400b034a9a16510a7

          SHA512

          e269def62bc6bce94e774b657591479a50f6e8cfe28360ea8b05e88b582abf6fc810d2f8c04bc5d6e7b1a003f1f2290cfb2d1e450ff6e155bb0ac702435e44b1

        • \Users\Admin\AppData\Local\V61vQ\MAGNIFICATION.dll

          Filesize

          45KB

          MD5

          fe208b3c74a20468811be570c4f8c60c

          SHA1

          eeda6ea0c3dd012bc590f11102b0b54776922be9

          SHA256

          2d29b01562283bd5b7dc7533e9288af1e47f1e13d84d0246616c7db516b60ed6

          SHA512

          14c71d937adeb968b9736b242e70d4d3b3021e2a7b7692b2e48d4134ad13cc2a076c7e223bcda941949f68eafba56bcc92ee664e7228da3a8018e0fb977fae3c

        • \Users\Admin\AppData\Local\V61vQ\Magnify.exe

          Filesize

          42KB

          MD5

          62ed47d318d148c700f88a1b843181ed

          SHA1

          f9c1012ec40f9dc3ce2c7d981072a1c14475914d

          SHA256

          06a3411810af492deedf81406a4fe84f48eb1c239ef01d3aac6ffc4723a07ccc

          SHA512

          4bb5dff25a3e7baa1e6545772b923b233342734f14ae86011139c6bf43924199c1e9c9fe36a333bdb87f516eda9055f9d5ab67e4674d3d09ea55d6978aab7e35

        • \Users\Admin\AppData\Local\mQJ6BDuo1\VERSION.dll

          Filesize

          118KB

          MD5

          910c48d6c2ce35d9b8ad175b8a25e2e4

          SHA1

          98a3cb09d09f7b99912b80a4142990146fa84198

          SHA256

          17e9437f4b86f48ea3d8853fe9df5a20edd62496492fe3746fb865a214c002a1

          SHA512

          70cd1c864ce43d00b19cf1a59145cddf081100686fc0f7b043336d204256b30cf27afbc0abc8f9e52bd166d340527db71562bf579d3f97dfc955544d5fc07dcd

        • memory/1200-29-0x0000000140000000-0x000000014017F000-memory.dmp

          Filesize

          1.5MB

        • memory/1200-20-0x0000000140000000-0x000000014017F000-memory.dmp

          Filesize

          1.5MB

        • memory/1200-43-0x0000000140000000-0x000000014017F000-memory.dmp

          Filesize

          1.5MB

        • memory/1200-63-0x0000000140000000-0x000000014017F000-memory.dmp

          Filesize

          1.5MB

        • memory/1200-42-0x0000000140000000-0x000000014017F000-memory.dmp

          Filesize

          1.5MB

        • memory/1200-69-0x0000000140000000-0x000000014017F000-memory.dmp

          Filesize

          1.5MB

        • memory/1200-53-0x0000000077961000-0x0000000077962000-memory.dmp

          Filesize

          4KB

        • memory/1200-4-0x0000000077756000-0x0000000077757000-memory.dmp

          Filesize

          4KB

        • memory/1200-5-0x0000000003A20000-0x0000000003A21000-memory.dmp

          Filesize

          4KB

        • memory/1200-54-0x0000000077AC0000-0x0000000077AC2000-memory.dmp

          Filesize

          8KB

        • memory/1200-46-0x0000000003050000-0x0000000003057000-memory.dmp

          Filesize

          28KB

        • memory/1200-41-0x0000000140000000-0x000000014017F000-memory.dmp

          Filesize

          1.5MB

        • memory/1200-39-0x0000000140000000-0x000000014017F000-memory.dmp

          Filesize

          1.5MB

        • memory/1200-38-0x0000000140000000-0x000000014017F000-memory.dmp

          Filesize

          1.5MB

        • memory/1200-37-0x0000000140000000-0x000000014017F000-memory.dmp

          Filesize

          1.5MB

        • memory/1200-35-0x0000000140000000-0x000000014017F000-memory.dmp

          Filesize

          1.5MB

        • memory/1200-34-0x0000000140000000-0x000000014017F000-memory.dmp

          Filesize

          1.5MB

        • memory/1200-32-0x0000000140000000-0x000000014017F000-memory.dmp

          Filesize

          1.5MB

        • memory/1200-31-0x0000000140000000-0x000000014017F000-memory.dmp

          Filesize

          1.5MB

        • memory/1200-147-0x0000000077756000-0x0000000077757000-memory.dmp

          Filesize

          4KB

        • memory/1200-28-0x0000000140000000-0x000000014017F000-memory.dmp

          Filesize

          1.5MB

        • memory/1200-27-0x0000000140000000-0x000000014017F000-memory.dmp

          Filesize

          1.5MB

        • memory/1200-26-0x0000000140000000-0x000000014017F000-memory.dmp

          Filesize

          1.5MB

        • memory/1200-24-0x0000000140000000-0x000000014017F000-memory.dmp

          Filesize

          1.5MB

        • memory/1200-25-0x0000000140000000-0x000000014017F000-memory.dmp

          Filesize

          1.5MB

        • memory/1200-22-0x0000000140000000-0x000000014017F000-memory.dmp

          Filesize

          1.5MB

        • memory/1200-21-0x0000000140000000-0x000000014017F000-memory.dmp

          Filesize

          1.5MB

        • memory/1200-52-0x0000000140000000-0x000000014017F000-memory.dmp

          Filesize

          1.5MB

        • memory/1200-19-0x0000000140000000-0x000000014017F000-memory.dmp

          Filesize

          1.5MB

        • memory/1200-18-0x0000000140000000-0x000000014017F000-memory.dmp

          Filesize

          1.5MB

        • memory/1200-17-0x0000000140000000-0x000000014017F000-memory.dmp

          Filesize

          1.5MB

        • memory/1200-15-0x0000000140000000-0x000000014017F000-memory.dmp

          Filesize

          1.5MB

        • memory/1200-14-0x0000000140000000-0x000000014017F000-memory.dmp

          Filesize

          1.5MB

        • memory/1200-12-0x0000000140000000-0x000000014017F000-memory.dmp

          Filesize

          1.5MB

        • memory/1200-11-0x0000000140000000-0x000000014017F000-memory.dmp

          Filesize

          1.5MB

        • memory/1200-10-0x0000000140000000-0x000000014017F000-memory.dmp

          Filesize

          1.5MB

        • memory/1200-9-0x0000000140000000-0x000000014017F000-memory.dmp

          Filesize

          1.5MB

        • memory/1200-44-0x0000000140000000-0x000000014017F000-memory.dmp

          Filesize

          1.5MB

        • memory/1200-13-0x0000000140000000-0x000000014017F000-memory.dmp

          Filesize

          1.5MB

        • memory/1200-40-0x0000000140000000-0x000000014017F000-memory.dmp

          Filesize

          1.5MB

        • memory/1200-36-0x0000000140000000-0x000000014017F000-memory.dmp

          Filesize

          1.5MB

        • memory/1200-33-0x0000000140000000-0x000000014017F000-memory.dmp

          Filesize

          1.5MB

        • memory/1200-30-0x0000000140000000-0x000000014017F000-memory.dmp

          Filesize

          1.5MB

        • memory/1200-7-0x0000000140000000-0x000000014017F000-memory.dmp

          Filesize

          1.5MB

        • memory/1200-23-0x0000000140000000-0x000000014017F000-memory.dmp

          Filesize

          1.5MB

        • memory/1200-16-0x0000000140000000-0x000000014017F000-memory.dmp

          Filesize

          1.5MB

        • memory/2108-8-0x0000000140000000-0x000000014017F000-memory.dmp

          Filesize

          1.5MB

        • memory/2108-1-0x0000000000110000-0x0000000000117000-memory.dmp

          Filesize

          28KB

        • memory/2108-0-0x0000000140000000-0x000000014017F000-memory.dmp

          Filesize

          1.5MB

        • memory/2156-125-0x0000000001C20000-0x0000000001C27000-memory.dmp

          Filesize

          28KB

        • memory/2640-152-0x0000000000180000-0x0000000000187000-memory.dmp

          Filesize

          28KB

        • memory/2640-84-0x0000000000180000-0x0000000000187000-memory.dmp

          Filesize

          28KB

        • memory/2640-81-0x0000000140000000-0x0000000140180000-memory.dmp

          Filesize

          1.5MB

        • memory/2836-102-0x0000000000130000-0x0000000000137000-memory.dmp

          Filesize

          28KB
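The memory-dump entry names above encode the PID, a sequence number and the dumped address range. Read against the process tree they show two things: a 1.5MB region at 0x140000000-0x14017F000 dumped repeatedly from PID 1200, a process the tree never lists (consistent with the Dridex Shellcode signature, which points at the Explorer process), and the same range in the rundll32 process (PID 2108) that loaded the sample; and a 28KB region in every process the sample touched. The script below, added here as an example and not part of the sandbox output, parses the entry names and derives those observations. Its inputs are a subset of the entries copied from this report and the PIDs of the Processes section.

```python
"""Summarise a sandbox report's memory-dump entries by process and region.
Entry names look like memory/1200-29-0x0000000140000000-0x000000014017F000-memory.dmp
(PID, sequence number, start, end).

Added example, not sandbox tooling. SAMPLE_DUMPS is a subset of the entries
copied from this report; REPORTED_PIDS are the PIDs of its process tree.
"""
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9a-fA-F]+)-0x(?P<end>[0-9a-fA-F]+)-memory\.dmp$"
)

# PIDs that appear in the report's Processes section.
REPORTED_PIDS = {2108, 2640, 2596, 1508, 2836, 2156, 2128}

# Copied from the report's memory-dump list (subset).
SAMPLE_DUMPS = [
    "memory/2108-0-0x0000000140000000-0x000000014017F000-memory.dmp",
    "memory/2108-1-0x0000000000110000-0x0000000000117000-memory.dmp",
    "memory/2108-8-0x0000000140000000-0x000000014017F000-memory.dmp",
    "memory/1200-4-0x0000000077756000-0x0000000077757000-memory.dmp",
    "memory/1200-5-0x0000000003A20000-0x0000000003A21000-memory.dmp",
    "memory/1200-7-0x0000000140000000-0x000000014017F000-memory.dmp",
    "memory/1200-29-0x0000000140000000-0x000000014017F000-memory.dmp",
    "memory/1200-46-0x0000000003050000-0x0000000003057000-memory.dmp",
    "memory/1200-54-0x0000000077AC0000-0x0000000077AC2000-memory.dmp",
    "memory/2640-81-0x0000000140000000-0x0000000140180000-memory.dmp",
    "memory/2640-84-0x0000000000180000-0x0000000000187000-memory.dmp",
    "memory/2156-125-0x0000000001C20000-0x0000000001C27000-memory.dmp",
    "memory/2836-102-0x0000000000130000-0x0000000000137000-memory.dmp",
]


def parse_dump_name(name):
    """(pid, seq, start, end) for a dump entry, or None if the name does not match."""
    m = DUMP_RE.match(name)
    if not m:
        return None
    return (int(m["pid"]), int(m["seq"]), int(m["start"], 16), int(m["end"], 16))


def regions_by_pid(names):
    """pid -> set of (start, end); repeated dumps of one range collapse to one entry."""
    out = defaultdict(set)
    for name in names:
        parsed = parse_dump_name(name)
        if parsed:
            pid, _, start, end = parsed
            out[pid].add((start, end))
    return out


def unlisted_pids(names, reported):
    """PIDs that have dumps but never appear in the process tree, i.e. memory was
    written into a process the sample did not start (an injection target)."""
    return sorted(pid for pid in regions_by_pid(names) if pid not in reported)


def shared_regions(names):
    """(start, end) -> sorted PIDs, for ranges dumped from more than one process."""
    owners = defaultdict(set)
    for pid, regions in regions_by_pid(names).items():
        for region in regions:
            owners[region].add(pid)
    return {region: sorted(pids) for region, pids in owners.items() if len(pids) > 1}


def regions_of_size(names, size):
    """Sorted (pid, start) pairs whose dumped range is exactly `size` bytes."""
    return sorted(
        (pid, start)
        for pid, regions in regions_by_pid(names).items()
        for start, end in regions
        if end - start == size
    )


if __name__ == "__main__":
    for pid in unlisted_pids(SAMPLE_DUMPS, REPORTED_PIDS):
        print(f"PID {pid} has dumps but is not in the process tree")
    for (start, end), pids in shared_regions(SAMPLE_DUMPS).items():
        print(f"0x{start:X}-0x{end:X} ({end - start} bytes) dumped from PIDs {pids}")
    for pid, start in regions_of_size(SAMPLE_DUMPS, 0x7000):
        print(f"PID {pid}: 28 KB region at 0x{start:X}")
```

The same-range match is the useful signal: an image-sized region at an identical base in the loader process and in a process outside the tree is what to pull first from the dump set, since it is the injected payload rather than the rundll32 host.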