Analysis

  • max time kernel
    150s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    23-01-2024 23:33

General

  • Target

    70d941d4f0bc1d1f47611a7b8ce5c05d.dll

  • Size

    2.6MB

  • MD5

    70d941d4f0bc1d1f47611a7b8ce5c05d

  • SHA1

    b66d763099541372aa30d4ccd5922b29c991ef3a

  • SHA256

    6f1a36b2dc535c3a9a2e9611c3261d7d5970599318c0811e556b9ee731865de2

  • SHA512

    5aaf75580bec3c99f034e60e8eac36b5a0f9d0921b206b17d93fd6920d0f6a3add25254e51c0605f4e8ca36e5b1573a2c7a89ae7b7c21c74b67c35b1d91a260f

  • SSDEEP

    12288:LVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:KfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing banking credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex payload shellcode injected into the Explorer process.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 8 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\70d941d4f0bc1d1f47611a7b8ce5c05d.dll,#1
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2052
  • C:\Windows\system32\consent.exe
    C:\Windows\system32\consent.exe
    PID:2780
  • C:\Users\Admin\AppData\Local\nmF\consent.exe
    C:\Users\Admin\AppData\Local\nmF\consent.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:2456
  • C:\Windows\system32\rekeywiz.exe
    C:\Windows\system32\rekeywiz.exe
    PID:1436
  • C:\Users\Admin\AppData\Local\n7jmwIl\rekeywiz.exe
    C:\Users\Admin\AppData\Local\n7jmwIl\rekeywiz.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:1200
  • C:\Windows\system32\wscript.exe
    C:\Windows\system32\wscript.exe
    PID:2504
  • C:\Users\Admin\AppData\Local\S7ob6AW\wscript.exe
    C:\Users\Admin\AppData\Local\S7ob6AW\wscript.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:2660

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\S7ob6AW\VERSION.dll
    Filesize: 2.6MB
    MD5: 2f50edab6ea1c65fa3881fd28a3c0b85
    SHA1: d5cf691f8de06d7c4eb67031293436560f162d4e
    SHA256: b17f7bc8962e1d9b71f6de690f42f5b0f38c33dfbb0b5b6bf1e84cef97f2350b
    SHA512: 2882cd79d6b86d0851eed2132c77b938bb5180468b653a5375d5a12b6f144aa50c577a820aa06ffb95b049cb871a0a04b8a12986edbbf6b517b987aa80d08d5f

  • C:\Users\Admin\AppData\Local\S7ob6AW\wscript.exe
    Filesize: 7KB
    MD5: b464c81bbf5206b7eafe6c6d0a466e31
    SHA1: 2e38283f8d7e3cce25571aee0c7c047bb9e590d9
    SHA256: 8912cca64645c1b1b4339b6eb7824ff2b312fcc865d4e580252e45381a8e5719
    SHA512: 73e9b46174240bcdadcf6e410c0856179a9fae5d3ec8d875b08f190e357778675ccf801cc0b47f95ccc72f7069e2fe86f0edb6e27c3fe5789d228bcaa516e3cf

  • C:\Users\Admin\AppData\Local\n7jmwIl\slc.dll
    Filesize: 759KB
    MD5: 96e2f0de131df664ea78ffbf61bd91f4
    SHA1: dcc279d24bb93f6a8f36a8592a76bcdb6bc8ab3b
    SHA256: 80b640a5c7c622b0c20fe6ba7d73d61a197d07684b2e0b791707373b02e1f682
    SHA512: 08042bc5ed96f605d676d0bf7501dd6c0c27eadaa450673d89efcfa650c67e46e2a64a76d83d778c4723db21066ef0bc923a22ea11c1d40e2d3740a9d45f5755

  • C:\Users\Admin\AppData\Local\nmF\WINSTA.dll
    Filesize: 2.6MB
    MD5: 20498b24731d8a6cf17865361ea8a819
    SHA1: 7799b23b9823af56cba2f20ec82ef76eff1ec73b
    SHA256: 0d36a6f3fa72984da71fcd0b69ba260ce3fbcba07c05fe41d067679c0c771587
    SHA512: 51acaa2a7599f9be226adf3db65938d3998125b8ba6c076a3e3ff83f158b199d4e8170090e41d0a93fd087dd07dd07d1e7f69e451010e75e74dfd0ca8fd46fff

  • C:\Users\Admin\AppData\Local\nmF\consent.exe
    Filesize: 109KB
    MD5: 0b5511674394666e9d221f8681b2c2e6
    SHA1: 6e4e720dfc424a12383f0b8194e4477e3bc346dc
    SHA256: ccad775decb5aec98118b381eeccc6d540928035cfb955abcb4ad3ded390b79b
    SHA512: 00d28a00fd3ceaeae42ba6882ffb42aa4cc8b92b07a10f28df8e1931df4b806aebdcfab1976bf8d5ce0b98c64da19d4ee06a6315734fa5f885ecd1f6e1ff16a7

  • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ercyejwqgvsruoy.lnk
    Filesize: 1KB
    MD5: d254be37fc481cc40a9a1f27e10cf209
    SHA1: 7e7a6c9f28cf2a37e8b6c2298fdc4a2328cec7bb
    SHA256: 60fedac7b79c2e06f181609c24ff63ba91322b60472b37e479affd2e575b5343
    SHA512: 22b2694617ef1419b3a051b46ac1e3d54b957b4c48d1e606b3e85ba7191b27a8efa5e14ae20f246dc287b8e4c51b0975863b08fbe0bad94f96bb799993c47fe8

  • C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\fhhwBy8kM\slc.dll
    Filesize: 2.6MB
    MD5: 7d1ac477b19a81051d544b25fb83d3fb
    SHA1: 5e56b6a80f7d5d1b16adc0ff0999b3b6ae77c0ff
    SHA256: 04308e59f1b707bfba38e7d20424ffb219d3690674b63cda08505e7dbedba7d7
    SHA512: 41bd9fef9cc332fdaf4703a41dfed605823a301db861f6eb03761ad499c107dba504f7fcc98e45d4bccc06df9a8e590911d75b4c5c2c86e6b2759788c5f61145

  • \Users\Admin\AppData\Local\S7ob6AW\wscript.exe
    Filesize: 165KB
    MD5: 8886e0697b0a93c521f99099ef643450
    SHA1: 851bd390bf559e702b8323062dbeb251d9f2f6f7
    SHA256: d73f7ee4e6e992a618d02580bdbf4fd6ba7c683d110928001092f4073341e95f
    SHA512: fc4a176f49a69c5600c427af72d3d274cfeacef48612b18cda966c3b4dda0b9d59c0fe8114d5ed8e0fec780744346e2cd503d1fd15c0c908908d067214b9d837

  • \Users\Admin\AppData\Local\n7jmwIl\rekeywiz.exe
    Filesize: 67KB
    MD5: 767c75767b00ccfd41a547bb7b2adfff
    SHA1: 91890853a5476def402910e6507417d400c0d3cb
    SHA256: bd70e504871a2ac1c883d19b87970c8d1b8b251c784bf777ba77ed764f5f2395
    SHA512: f096043452a1aa213a5e4d62638de3ee4b0b3ad3d12b7ee0372d8c79e00e2e13b4fd0ebc4206bbdb5124bed292dd5b30ef1641288046ef835f89c332985154f9

  • \Users\Admin\AppData\Local\n7jmwIl\slc.dll
    Filesize: 45KB
    MD5: d1bdc2dc25fc70bc0196c0ff185cca28
    SHA1: b3ab5ba55f6d9ef1f9c8e096ba5d066db6f0a90b
    SHA256: 408b8079536e714715966e950b60a24781f7ba2bfdf8c9992204d912b8710342
    SHA512: ce6e78df07dda6e15f2dc97a991d4ef04ab85bfd2fa1786f4956932ee5059355e7d34f67384671de27a9777ffcb9a080103d5873d67039eb8eaa1ec3ce766fad
