Analysis

  • max time kernel
    150s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64
    arch:x86
    image:win7-20231215-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    23-01-2024 22:19

General

  • Target

    70b4e740a07d198ec5ac903eaed6ff43.dll

  • Size

    2.0MB

  • MD5

    70b4e740a07d198ec5ac903eaed6ff43

  • SHA1

    7f30bccf96428c20875a437c2995388987fa2e84

  • SHA256

    718a533c6fd5cccfb5c4afd72ad1d850327a0b4e6a37aed68679e7bb4afce5ce

  • SHA512

    c0e2e1771108c56358814da4618a4d6c5fdfcb3e8ad536e6ecbb1c12afb47819f7a3c5770b4033e73011dd117249474fb6ac44bb017c041b2f5c289ebd74834e

  • SSDEEP

    12288:uVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1+o6:zfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Malware Config

Signatures

  • Dridex

    Dridex (known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex payload shellcode injected into the Explorer process.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\70b4e740a07d198ec5ac903eaed6ff43.dll,#1
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1940
  • C:\Windows\system32\sdclt.exe
    C:\Windows\system32\sdclt.exe
    PID:2680
    • C:\Users\Admin\AppData\Local\2gBC6gHGV\sdclt.exe
      C:\Users\Admin\AppData\Local\2gBC6gHGV\sdclt.exe
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:1664
    • C:\Users\Admin\AppData\Local\1mE5tc\rekeywiz.exe
      C:\Users\Admin\AppData\Local\1mE5tc\rekeywiz.exe
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2844
    • C:\Windows\system32\rekeywiz.exe
      C:\Windows\system32\rekeywiz.exe
      PID:1688
      • C:\Windows\system32\WFS.exe
        C:\Windows\system32\WFS.exe
        PID:280
        • C:\Users\Admin\AppData\Local\Pse2t\WFS.exe
          C:\Users\Admin\AppData\Local\Pse2t\WFS.exe
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1712

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\1mE5tc\rekeywiz.exe
    Filesize: 67KB
    MD5: 767c75767b00ccfd41a547bb7b2adfff
    SHA1: 91890853a5476def402910e6507417d400c0d3cb
    SHA256: bd70e504871a2ac1c883d19b87970c8d1b8b251c784bf777ba77ed764f5f2395
    SHA512: f096043452a1aa213a5e4d62638de3ee4b0b3ad3d12b7ee0372d8c79e00e2e13b4fd0ebc4206bbdb5124bed292dd5b30ef1641288046ef835f89c332985154f9

  • C:\Users\Admin\AppData\Local\1mE5tc\slc.dll
    Filesize: 267KB
    MD5: e07858204845210b6f67b04fd69d5dfd
    SHA1: 0d79a6e50dc5c579b26825a171189c36f48e67ef
    SHA256: e77160f9a8af23cd09f9535184fec47078f7a76c049e152c395b858fabd1ad0d
    SHA512: ea7192d3886e01b4a9ff7feff866ed3d62c164c03a27b2a0ac5fc575ec273dd69b8128a3eef2fe3cb661dd2d7f785af922134c345eba136c8514c9334dcfacdf

  • C:\Users\Admin\AppData\Local\2gBC6gHGV\ReAgent.dll
    Filesize: 62KB
    MD5: dd4aff5307fbbf2b0cff9363ec608f02
    SHA1: 63a267b1c6acdedfd7dfcc526e3493909538e614
    SHA256: d17543c8a22146f1e9a520bf173f667520a566ad1e81e9bf4c361e3816b0413a
    SHA512: a1d5a51d804abc8f10b3de04799cedc2676f6385d8bac0e1b1d869a654f972881f32ca292706d37ce213336b6e292249023e3c1f9206afd8f3c5df5c20b5a37d

  • C:\Users\Admin\AppData\Local\2gBC6gHGV\sdclt.exe
    Filesize: 107KB
    MD5: f2f2c9236757972919d937cec1ecd98d
    SHA1: 93b815ce93a8b2cdccb8b29ef447ea61bb51ce81
    SHA256: 57f9b6a01bb88737e9314f6ea4b3871269cf9dcd34dee51867549a2ced0f8507
    SHA512: 6800c345efe3054a10b7f105eac83e8c23c11d46ba65a5e8858a17914a1540bcf513c40a70f2aa62479e05f22ee13ead640e394e8548092aed073a7618893f61

  • C:\Users\Admin\AppData\Local\2gBC6gHGV\sdclt.exe
    Filesize: 212KB
    MD5: 5e337a70c60cf4e0227bed0587e394bb
    SHA1: fa0635b9b68beefc33b1c9914ce01465c3479bf1
    SHA256: 85d2156a9c549a7e8130b9d95bc7ac29e7731edab93d9d9b03572da69ae3af61
    SHA512: 1e6a220dfe0e4490d1f945b9ebc645fcadc5cb5abf7f08dd7136f5d549241e3523cfa009712028909cbfb7de8b9eac05a3abc90fd2ad4ffe7c52280a9ba28bc3

  • C:\Users\Admin\AppData\Local\Pse2t\WFS.exe
    Filesize: 299KB
    MD5: ed17bfb811bbd973eb8e68f2ce1a3577
    SHA1: 12612dc723d00c7a63afc39df60b5f977cd142a3
    SHA256: 7ab208b039eb4c594b5e2388d528107410b7077336129dc4b930bf2f15f8dd15
    SHA512: 191a792479a97b4f3b1d12fabfa5a41fbf5c2050bfaf48b62aaa74ea5eec2d73da1c6994024ed953fd7a6272cfceead939fdc89d0fd7664bf806ac70c3db87b4

  • C:\Users\Admin\AppData\Local\Pse2t\WFS.exe
    Filesize: 192KB
    MD5: 99c81cf4a496f3f7c15675cfaa1084f2
    SHA1: edbf4ec02cc5d1a351c0e375939ac7260b2875b1
    SHA256: b85a848ff829930b536938563100fb26eefc38aa09efef3b7a9cee0bea94a2a3
    SHA512: 7f3fef3b41d5b4dceb54c8aeb10d8e0099547043d2f8a38a325c41dbeb581fe0d488bdf766ce0026bf98a9e76ce520a38740a3622c2a931fad427f202fdbc523

  • C:\Users\Admin\AppData\Local\Pse2t\WINMM.dll
    Filesize: 26KB
    MD5: ed7b90e5848238dab736e50693bc7861
    SHA1: 9aaf8a80dcefbb1bf7021526cf1591394f36dc39
    SHA256: 007c48b87e41be8cbc9697c10abc111716c8e87ed65583edb6a92e050a783eee
    SHA512: 8911fa5308ac82687b26023bfb458b3233a67adda9eea17fb8e472e591936fe539e860d952b304b2a92e774c239fc5247d0fd381039b1f4552a1d57b5cd712d4

  • C:\Users\Admin\AppData\Roaming\Adobe\Flash Player\AssetCache\44URQ43K\31\rekeywiz.exe
    Filesize: 9KB
    MD5: 391b327bc982d40baf2f1e125f230c1f
    SHA1: f1e508f3d14f44a5fd2e692c31988c7b416a58b2
    SHA256: ed55034a0ea2b67f1948905a0f79adcb8368dc8539f7d5f9008466e5fb9f29fd
    SHA512: 4d3e71cd6c340ecbaf95f4433554ab41bb0d0aad8dfc8c910c299c67dc038ae50dcb03c1b3554f5495f587917010e25e3f163f1b2be093fd623bce3fbf645e4b

  • C:\Users\Admin\AppData\Roaming\Adobe\Flash Player\AssetCache\44URQ43K\31\slc.dll
    Filesize: 2.0MB
    MD5: 1901dbef283abf9de000cc1fb8ff6858
    SHA1: 23af6d74c3fdea5396fb9abb0c73a699b44d1832
    SHA256: 9bee9d7bd8bac17443340a7a4beb3f29ee81ecf7d52eb69ae02d14cbe97d1b0f
    SHA512: 4aa4df2e371ed81bef3d76446af25806c737ede95b6ccc205d2a64172072d83b5350bfcd09a69177723ffdb9ac88bd151580fe6718c22c7488da7b337b2632fc

  • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Tiizeasb.lnk
    Filesize: 1KB
    MD5: 8a60736349bdcfdcc152136d6aed71bd
    SHA1: 5cc6c138836ace26a6bba30c80f03ab07fd71ac4
    SHA256: ef49f17f0ccf2dfb4cd04d508ecb2ef63e9a1181f83d640560e1b9646210fcbe
    SHA512: 2b956b42aa79dd7b15b5ae26bf76e617108c28e51873c8cfeed61cec1ffe125c8166e2a0d108ceaacd3ef0c2378d7024b10235f1d71cc9b2b79def01d592062f

  • C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\r0W0sH\ReAgent.dll
    Filesize: 2.0MB
    MD5: 99eb6ccd39d5985c94ef90d6eac3d4e9
    SHA1: 8d6e7227c55fac5c604a06a337d671cbf168906a
    SHA256: aa02869970cdee8a0744c9da2f45d87acb868929241f7f3c245ea1a53a3bc575
    SHA512: 2377e15136b5c52dd394433b036123e68c6c21b661762f2b20edced0d5491e9928168a5615e28d350ef1388534b7be41f172e63852f13528be1e947a76a339a9

  • C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\ukCnzcZs\WINMM.dll
    Filesize: 2.0MB
    MD5: bff0ec3d31c16c6146034b25d0bbd48a
    SHA1: 79ff181c2ae88a3708334b426105dd59f446cb46
    SHA256: f104fdf6052e4e0bef6adc14dc7c9f32e8077598419afdbed7c21551c87a61fb
    SHA512: 84f3694ed92e2a8e2fb1cb03379f057b2d40bccb5d32ff9a79d2dd86046c9f8ee8eaca990fcad4611dfe32daa7461560bfc9f80652bc710e1304f7dae4514ca3

  • \Users\Admin\AppData\Local\1mE5tc\slc.dll
    Filesize: 268KB
    MD5: e2d71330c89a6614be16a986455e4e14
    SHA1: 467b72da16532707892cc3fb0db29d790b997156
    SHA256: 2e366232cfc006093bce3e9a9df813779aa49ccca9a55621c07768f10446fa7c
    SHA512: 508e48f75a06c34b0699e6f4117b09dffdd68482058fbe460f0c2330b59d13160998c015d9491d90f74d383aaf302257b57fcc1ffd770ef85db54db49831fb29

  • \Users\Admin\AppData\Local\2gBC6gHGV\ReAgent.dll
    Filesize: 668KB
    MD5: 3d074088395502aebb8fcae47a0e51b7
    SHA1: fc7272b5e7d609e909f58010774ea507768f5499
    SHA256: 9bdb22866fa2a398c21fdba7c3e68ee2ff7006ded224f68948618558122f77da
    SHA512: b45202ffc0c22fe471e3455fe642a038d8016ffba1d266e6212670322914a7f3e3de8e136288c08e1075e34904ed48e2c291c07f15ee60ac1ac79e0173b4eed2

  • \Users\Admin\AppData\Local\2gBC6gHGV\sdclt.exe
    Filesize: 162KB
    MD5: edcb85cac2d68fb9d1f1e7d11d609767
    SHA1: 01d5fd64707fb339c7443bc46db576b084a157cf
    SHA256: e8cc0e80627458de060ffcab82b81371c931c697fbcc38a6f5cf37e4d4e43e69
    SHA512: d6f6071399fb9729f2f51c75e08b341af3a2906264a7b7c3c7164b9283474e158ba09d7ccf2f018d42fe87bff023589f942f9ded73e4be6bdfd00a2c985a93dc

  • \Users\Admin\AppData\Local\Pse2t\WFS.exe
    Filesize: 304KB
    MD5: c6891385852a00edce28a47f02ade7ba
    SHA1: 865c266e0742d206eebd9fb5cdb38d6b2a425c00
    SHA256: b05fad7dd31d3a7621c9941698ccf186f2195401eef1683c9eefc1fe6ffb3598
    SHA512: 9dbb59ae37b041be482523939659acf32301a40c42c814c2b3960bf8e195ce9cc68c2612c667d05729a29aaef1a341d015311df94f24049637f926de91045ce2

  • \Users\Admin\AppData\Local\Pse2t\WINMM.dll
    Filesize: 1KB
    MD5: ca9c7773818844fad518af7cb09a79d8
    SHA1: 65d2f9a254f4ea74c123c5ae6e358b099165aef9
    SHA256: 6fc660a671b0537486209e029e8220c470c318dde976dbe98905df44b19eaebf
    SHA512: b614f76435fe50cd6af2839416b361ffae7ad4fd123507a1d92cb7dbab36736bdd8e9b8dfd77f656958caa6a5d2901dc747867ea11a8d33570102e7a307c1759

  • \Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\ukCnzcZs\WFS.exe
    Filesize: 53KB
    MD5: 8b983c4a7034807392eb6d6750e51e77
    SHA1: a6878f8c8b3677dbe76ba4e96e59de3eb107a28b
    SHA256: 6915ad8ea73b50da494129a9fc9ddc9723ce0d04139cf72c4c359224696fc5f9
    SHA512: 865e7a25a6c878a8dfc0ddfb1a206e6be99952f45f45d44665bc2e2979d012ed727efecfdec9ef49f3eae3d934a06425cca68bd5cc69582d1c435fac207d5f98

  • memory/1144-22-0x0000000140000000-0x00000001401F8000-memory.dmp  Filesize: 2.0MB
  • memory/1144-67-0x0000000140000000-0x00000001401F8000-memory.dmp  Filesize: 2.0MB
  • memory/1144-30-0x0000000140000000-0x00000001401F8000-memory.dmp  Filesize: 2.0MB
  • memory/1144-29-0x0000000140000000-0x00000001401F8000-memory.dmp  Filesize: 2.0MB
  • memory/1144-38-0x0000000140000000-0x00000001401F8000-memory.dmp  Filesize: 2.0MB
  • memory/1144-37-0x0000000140000000-0x00000001401F8000-memory.dmp  Filesize: 2.0MB
  • memory/1144-36-0x0000000140000000-0x00000001401F8000-memory.dmp  Filesize: 2.0MB
  • memory/1144-35-0x0000000140000000-0x00000001401F8000-memory.dmp  Filesize: 2.0MB
  • memory/1144-34-0x0000000140000000-0x00000001401F8000-memory.dmp  Filesize: 2.0MB
  • memory/1144-33-0x0000000140000000-0x00000001401F8000-memory.dmp  Filesize: 2.0MB
  • memory/1144-28-0x0000000140000000-0x00000001401F8000-memory.dmp  Filesize: 2.0MB
  • memory/1144-27-0x0000000140000000-0x00000001401F8000-memory.dmp  Filesize: 2.0MB
  • memory/1144-25-0x0000000140000000-0x00000001401F8000-memory.dmp  Filesize: 2.0MB
  • memory/1144-24-0x0000000140000000-0x00000001401F8000-memory.dmp  Filesize: 2.0MB
  • memory/1144-23-0x0000000140000000-0x00000001401F8000-memory.dmp  Filesize: 2.0MB
  • memory/1144-19-0x0000000140000000-0x00000001401F8000-memory.dmp  Filesize: 2.0MB
  • memory/1144-18-0x0000000140000000-0x00000001401F8000-memory.dmp  Filesize: 2.0MB
  • memory/1144-40-0x0000000140000000-0x00000001401F8000-memory.dmp  Filesize: 2.0MB
  • memory/1144-39-0x0000000002DF0000-0x0000000002DF7000-memory.dmp  Filesize: 28KB
  • memory/1144-48-0x00000000776C1000-0x00000000776C2000-memory.dmp  Filesize: 4KB
  • memory/1144-49-0x0000000077820000-0x0000000077822000-memory.dmp  Filesize: 8KB
  • memory/1144-47-0x0000000140000000-0x00000001401F8000-memory.dmp  Filesize: 2.0MB
  • memory/1144-58-0x0000000140000000-0x00000001401F8000-memory.dmp  Filesize: 2.0MB
  • memory/1144-63-0x0000000140000000-0x00000001401F8000-memory.dmp  Filesize: 2.0MB
  • memory/1144-64-0x0000000140000000-0x00000001401F8000-memory.dmp  Filesize: 2.0MB
  • memory/1144-31-0x0000000140000000-0x00000001401F8000-memory.dmp  Filesize: 2.0MB
  • memory/1144-32-0x0000000140000000-0x00000001401F8000-memory.dmp  Filesize: 2.0MB
  • memory/1144-26-0x0000000140000000-0x00000001401F8000-memory.dmp  Filesize: 2.0MB
  • memory/1144-4-0x00000000775B6000-0x00000000775B7000-memory.dmp  Filesize: 4KB
  • memory/1144-5-0x0000000002E10000-0x0000000002E11000-memory.dmp  Filesize: 4KB
  • memory/1144-15-0x0000000140000000-0x00000001401F8000-memory.dmp  Filesize: 2.0MB
  • memory/1144-21-0x0000000140000000-0x00000001401F8000-memory.dmp  Filesize: 2.0MB
  • memory/1144-143-0x00000000775B6000-0x00000000775B7000-memory.dmp  Filesize: 4KB
  • memory/1144-20-0x0000000140000000-0x00000001401F8000-memory.dmp  Filesize: 2.0MB
  • memory/1144-17-0x0000000140000000-0x00000001401F8000-memory.dmp  Filesize: 2.0MB
  • memory/1144-14-0x0000000140000000-0x00000001401F8000-memory.dmp  Filesize: 2.0MB
  • memory/1144-13-0x0000000140000000-0x00000001401F8000-memory.dmp  Filesize: 2.0MB
  • memory/1144-16-0x0000000140000000-0x00000001401F8000-memory.dmp  Filesize: 2.0MB
  • memory/1144-7-0x0000000140000000-0x00000001401F8000-memory.dmp  Filesize: 2.0MB
  • memory/1144-12-0x0000000140000000-0x00000001401F8000-memory.dmp  Filesize: 2.0MB
  • memory/1144-9-0x0000000140000000-0x00000001401F8000-memory.dmp  Filesize: 2.0MB
  • memory/1144-10-0x0000000140000000-0x00000001401F8000-memory.dmp  Filesize: 2.0MB
  • memory/1144-11-0x0000000140000000-0x00000001401F8000-memory.dmp  Filesize: 2.0MB
  • memory/1664-81-0x0000000140000000-0x00000001401F9000-memory.dmp  Filesize: 2.0MB
  • memory/1664-78-0x0000000000110000-0x0000000000117000-memory.dmp  Filesize: 28KB
  • memory/1664-76-0x0000000140000000-0x00000001401F9000-memory.dmp  Filesize: 2.0MB
  • memory/1712-118-0x0000000000220000-0x0000000000227000-memory.dmp  Filesize: 28KB
  • memory/1940-8-0x0000000140000000-0x00000001401F8000-memory.dmp  Filesize: 2.0MB
  • memory/1940-1-0x0000000140000000-0x00000001401F8000-memory.dmp  Filesize: 2.0MB
  • memory/1940-0-0x0000000000190000-0x0000000000197000-memory.dmp  Filesize: 28KB
  • memory/2844-103-0x0000000140000000-0x00000001401F9000-memory.dmp  Filesize: 2.0MB
  • memory/2844-100-0x0000000000170000-0x0000000000177000-memory.dmp  Filesize: 28KB