Analysis

  • max time kernel
    150s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    24-01-2024 23:02

General

  • Target

    7315a7e24b903536485987c77dc91956.dll

  • Size

    2.9MB

  • MD5

    7315a7e24b903536485987c77dc91956

  • SHA1

    526cd2d7389cda304cc3c81c002c1114073f1c92

  • SHA256

    17b5bae1fc1b7efdbcd4dc107c246ffe24201cdb7e3bafe80e23b7e5f3c1169b

  • SHA512

    b3399a9415848cb351726ff2bebf8124086f61d5cb5823a7789dab291da8780f5ef313b662a1a925054e8ffde76f5f5b960b774f51b9b894d02733bd4ef33489

  • SSDEEP

    12288:RVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:gfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex payload shellcode injected into the Explorer process.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 8 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  All seven entries carry the same tree-depth marker (1) in the original report, i.e. none is shown as a child of another; the parent that launched the copies under AppData\Local is not listed. Each copied binary runs from a directory that also received a VERSION.dll (see Downloads); the copies, not the System32 originals, are the processes flagged "Loads dropped DLL".

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\7315a7e24b903536485987c77dc91956.dll,#1
    PID: 2288
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses

  • C:\Windows\system32\wscript.exe
    C:\Windows\system32\wscript.exe
    PID: 1036

  • C:\Users\Admin\AppData\Local\gMz\wscript.exe
    C:\Users\Admin\AppData\Local\gMz\wscript.exe
    PID: 860
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled

  • C:\Windows\system32\msdtc.exe
    C:\Windows\system32\msdtc.exe
    PID: 1564

  • C:\Users\Admin\AppData\Local\Hjs7J\msdtc.exe
    C:\Users\Admin\AppData\Local\Hjs7J\msdtc.exe
    PID: 940
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled

  • C:\Windows\system32\icardagt.exe
    C:\Windows\system32\icardagt.exe
    PID: 1552

  • C:\Users\Admin\AppData\Local\AUG\icardagt.exe
    C:\Users\Admin\AppData\Local\AUG\icardagt.exe
    PID: 1612
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled

Network

MITRE ATT&CK Enterprise v15


Downloads

  Several paths appear twice, once with the drive letter and once without, with different sizes and hashes, so the sandbox captured the same file at different points in the run. Treat the per-file hashes below as capture-specific rather than as stable indicators; the directory pattern (a Windows binary copied next to a VERSION.dll) is the durable signal.

  • C:\Users\Admin\AppData\Local\AUG\VERSION.dll
    Filesize: 2.9MB
    MD5: 1feced945acdba9cffa5857aaf4cf3b1
    SHA1: f2e6379208a8805cffdc5697d81039fe7c1acd5e
    SHA256: 0a57215cfc9614a7a1e91fd0c2c783558e2c90f8074d2508a683346905715e70
    SHA512: 7f875feef529cba7895a82507fc97645da754d61531d8efbaf3609efa412ff2a0c40d6d735cecce2493ac51528ad7e845c8650b9182509a893b4b9d7ef179e86

  • C:\Users\Admin\AppData\Local\Hjs7J\VERSION.dll
    Filesize: 1.3MB
    MD5: 6cb5da01b3c308053acc932a666da9b4
    SHA1: 24ae405cd4f9e64ef4ee71cc0060ca1376c0bf3f
    SHA256: 513e685cb234c597bfc0b1fd5943a134ad43347a7cd052fb61651df1e3d2b7c6
    SHA512: c684358c469b2b9c3379fb3cfe500f02ccd4e191e4c7ed87600fae8f6f130b3d4893eff876c7045e6f84221e31d13cb58f00fcf79ec4f86a7322935903aa8a80

  • C:\Users\Admin\AppData\Local\gMz\VERSION.dll
    Filesize: 2.2MB
    MD5: f301ce161f4e5901bebc84edd901b633
    SHA1: 5f83391c8e688a7e44ee5fb6502db12bf59c7490
    SHA256: 0ca37c01232d26c506161be201a8a5685a970f6c3745410b26dc6ae16ace56c8
    SHA512: 55a6a833c688aefe89fe6d68d30f8ee95578d97f148a737bd009f8c086d7a789d945b390a9cacbab68f811bfd3e1976f8e1deb3d34e8f5403f22d4e4f1387bed

  • C:\Users\Admin\AppData\Local\gMz\wscript.exe
    Filesize: not recorded
    MD5: d41d8cd98f00b204e9800998ecf8427e
    SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
    SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
    SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
    Note: these four values are the MD5/SHA1/SHA256/SHA512 of zero bytes, so the file was hashed before the dropper had written it. Do not use them as indicators; the 165KB capture of the same path further down carries the real hashes.

  • C:\Users\Admin\AppData\Roaming\Identities\ZJw\VERSION.dll
    Filesize: 2.9MB
    MD5: 86730aa899ad6b76e3af31a5aeb6ea0e
    SHA1: e76113e2615dfb8eceac823c439d2f2be3dd5763
    SHA256: 9541a2e6b0ea8e86a5c25687e67a2b00d494cfad903f717cce643822ac961c1c
    SHA512: 8461a7b9dc262db561143c34b704ac599e147d7e5358d4aebfc0c0f8b3bfa7b288d4a36dec1c8cd496ffd2dfa41c1a2bb220e7141eee70fdc1b583bba1f0ba77

  • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ercyejwqgvsruoy.lnk
    Filesize: 1KB
    MD5: d7560a198e835b762d7f29ad7948b4f0
    SHA1: de190517f4235553696fe11da3c35df232cb31a6
    SHA256: e8b1f13dad3831f33dd01fff3956d8f3bffc67fa705bd93090464d625234210c
    SHA512: acfc3b4c9d70618a54444883c04c31e200048e2c364f0ce9257bedb13f8ad1c3f5848ce9a270670bf12280c8c9bc9fd62359f71f5b2250fe006820c8049f341f

  • C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\S0\VERSION.dll
    Filesize: 2.9MB
    MD5: 91f2f20b0cec218466f6022cb7092aec
    SHA1: f115a3a5367492dcd7f75c45a9cc9860f6ae0ba5
    SHA256: 50cca8d5eb9493a36055935c91f0dfd73bde6f61d1eb1fc6458eedbc1a6130ef
    SHA512: 094a50e80ca34fd62303fa912e501d05fb8d743897c542d53872ed41d53dd3f93c796abe5b978377ff5201d1ef4f10d817fc64d5a9b00441861b609574aa72aa

  • \Users\Admin\AppData\Local\AUG\icardagt.exe
    Filesize: 1.3MB
    MD5: 2fe97a3052e847190a9775431292a3a3
    SHA1: 43edc451ac97365600391fa4af15476a30423ff6
    SHA256: 473d17e571d6947ce93103454f1e9fe27136403125152b97acb6cad5cc2a9ac7
    SHA512: 93ed1f9ef6fb256b53df9c6f2ce03301c0d3a0ef49c3f0604872653e4ba3fce369256f50604dd8386f543e1ea9231f5700213e683d3ea9af9e4d6c427a19117a

  • \Users\Admin\AppData\Local\Hjs7J\VERSION.dll
    Filesize: 2.2MB
    MD5: 647d63dd709fea183e7ff4abd4beeddd
    SHA1: 781aba8a06fe07f331a8142d7b9057292d571d20
    SHA256: 175503d866f535352d45f9b657f7e503cb71fa605683963876c08a975a52282e
    SHA512: 12f90397896c7877c74e1a641042b2d2c5a4547d520638368eb312a9cfa67032c968a78f476b9c5fbe30cfe1b253a6d964429aac3135485decdc6d5324328e12

  • \Users\Admin\AppData\Local\Hjs7J\msdtc.exe
    Filesize: 138KB
    MD5: de0ece52236cfa3ed2dbfc03f28253a8
    SHA1: 84bbd2495c1809fcd19b535d41114e4fb101466c
    SHA256: 2fbbec4cacb5161f68d7c2935852a5888945ca0f107cf8a1c01f4528ce407de3
    SHA512: 69386134667626c60c99d941c8ab52f8e5235e3897b5af76965572287afd5dcd42b8207a520587844a57a268e4decb3f3c550e5b7a06230ee677dc5e40c50bb3

  • \Users\Admin\AppData\Local\gMz\VERSION.dll
    Filesize: 2.9MB
    MD5: 9bf0a0010974f2e6c7e2ab90066b57aa
    SHA1: 4710d39a533d994acefea96074bb2a45985a36b5
    SHA256: ded74e8affe0ca3f41904cb0c98b233d3eab76d85644c31e154c99babf4289a7
    SHA512: 6947f0fb7c011f7e6e76d90bde2cebb0e192a8666f008b4eae0d1a08542175836ef85ac727661294fe7073ff814aaded71f3f52c33a70463cbdeac126af618e8

  • \Users\Admin\AppData\Local\gMz\wscript.exe
    Filesize: 165KB
    MD5: 8886e0697b0a93c521f99099ef643450
    SHA1: 851bd390bf559e702b8323062dbeb251d9f2f6f7
    SHA256: d73f7ee4e6e992a618d02580bdbf4fd6ba7c683d110928001092f4073341e95f
    SHA512: fc4a176f49a69c5600c427af72d3d274cfeacef48612b18cda966c3b4dda0b9d59c0fe8114d5ed8e0fec780744346e2cd503d1fd15c0c908908d067214b9d837

  Memory dumps are named memory/<pid>-<dump>-<start>-<end>-memory.dmp; the original report lists one entry per dump, and they are grouped here by process and region. PID 1336 is absent from the process tree above; it holds the same 2.9MB mapping at 0x140000000 as rundll32.exe (PID 2288), which is consistent with the Dridex Shellcode signature reporting injection into Explorer.

  • memory/860 (gMz\wscript.exe)
    0x00000000001E0000-0x00000000001E7000, 28KB: dump 110

  • memory/940 (Hjs7J\msdtc.exe)
    0x0000000000170000-0x0000000000177000, 28KB: dump 132

  • memory/1336 (not in the process tree)
    0x0000000140000000-0x00000001402E3000, 2.9MB: dumps 7, 9-65
    0x0000000002700000-0x0000000002707000, 28KB: dump 71
    0x0000000002730000-0x0000000002731000, 4KB: dump 5
    0x0000000077786000-0x0000000077787000, 4KB: dumps 4, 130
    0x0000000077891000-0x0000000077892000, 4KB: dump 79
    0x00000000779F0000-0x00000000779F2000, 8KB: dump 82

  • memory/1612 (AUG\icardagt.exe)
    0x0000000000210000-0x0000000000217000, 28KB: dump 149

  • memory/2288 (rundll32.exe)
    0x0000000000430000-0x0000000000437000, 28KB: dump 0
    0x0000000140000000-0x00000001402E3000, 2.9MB: dumps 1, 8
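The Python script below is an added example, not part of the sandbox report or of any tooling the report was produced with. It re-reads the Processes and Downloads sections above: three Windows binaries (wscript.exe, msdtc.exe, icardagt.exe) run from fresh directories under AppData\Local, each with a VERSION.dll beside it, and several captured files carry hashes that identify nothing. The helper flags the copied-binary directories, any VERSION.dll dropped without a captured host binary, the entry hashed at zero length, the paths captured twice with different hashes, and the Startup shortcut. The dropped-file tuples are transcribed from the report; HIJACK_DLLS and SYSTEM_DIRS are assumptions of the example.

```python
"""Triage of a sandbox dropped-file list for the copied-binary + VERSION.dll
pattern. Example code for this page, not part of the report. The DROPPED
tuples are transcribed from the report's Downloads list; HIJACK_DLLS and
SYSTEM_DIRS are assumptions of this example."""
import hashlib
import ntpath
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# (path, size as printed, MD5) transcribed from the report's Downloads list.
DROPPED: List[Tuple[str, Optional[str], str]] = [
    (r"C:\Users\Admin\AppData\Local\AUG\VERSION.dll", "2.9MB", "1feced945acdba9cffa5857aaf4cf3b1"),
    (r"C:\Users\Admin\AppData\Local\Hjs7J\VERSION.dll", "1.3MB", "6cb5da01b3c308053acc932a666da9b4"),
    (r"C:\Users\Admin\AppData\Local\gMz\VERSION.dll", "2.2MB", "f301ce161f4e5901bebc84edd901b633"),
    (r"C:\Users\Admin\AppData\Local\gMz\wscript.exe", None, "d41d8cd98f00b204e9800998ecf8427e"),
    (r"C:\Users\Admin\AppData\Roaming\Identities\ZJw\VERSION.dll", "2.9MB", "86730aa899ad6b76e3af31a5aeb6ea0e"),
    (r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ercyejwqgvsruoy.lnk", "1KB", "d7560a198e835b762d7f29ad7948b4f0"),
    (r"C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\S0\VERSION.dll", "2.9MB", "91f2f20b0cec218466f6022cb7092aec"),
    (r"\Users\Admin\AppData\Local\AUG\icardagt.exe", "1.3MB", "2fe97a3052e847190a9775431292a3a3"),
    (r"\Users\Admin\AppData\Local\Hjs7J\VERSION.dll", "2.2MB", "647d63dd709fea183e7ff4abd4beeddd"),
    (r"\Users\Admin\AppData\Local\Hjs7J\msdtc.exe", "138KB", "de0ece52236cfa3ed2dbfc03f28253a8"),
    (r"\Users\Admin\AppData\Local\gMz\VERSION.dll", "2.9MB", "9bf0a0010974f2e6c7e2ab90066b57aa"),
    (r"\Users\Admin\AppData\Local\gMz\wscript.exe", "165KB", "8886e0697b0a93c521f99099ef643450"),
]

# MD5 of zero bytes. A sandbox that records it hashed the file before the
# dropper had finished writing it, so the value identifies nothing.
EMPTY_MD5 = hashlib.md5(b"").hexdigest()  # d41d8cd98f00b204e9800998ecf8427e

# Assumption: DLL names an executable resolves from its own directory ahead
# of System32 under the default search order. Only the name in this report.
HIJACK_DLLS = {"version.dll"}
# Assumption: directories where a Windows binary legitimately lives.
SYSTEM_DIRS = (r"\windows\system32", r"\windows\syswow64")


def norm(path: str) -> str:
    """Lower-case, backslash-only, drive letter dropped, so the report's
    'C:\\Users\\...' and '\\Users\\...' spellings of one file compare equal."""
    p = path.replace("/", "\\").lower()
    if len(p) > 1 and p[1] == ":":
        p = p[2:]
    return p


def index_by_dir(dropped) -> Dict[str, Dict[str, List[str]]]:
    """directory -> file name -> every MD5 recorded for that path."""
    by_dir: Dict[str, Dict[str, List[str]]] = defaultdict(lambda: defaultdict(list))
    for path, _size, md5 in dropped:
        directory, name = ntpath.split(norm(path))
        by_dir[directory][name].append(md5.lower())
    return by_dir


def sideload_dirs(dropped) -> Dict[str, Tuple[str, str]]:
    """Directories outside the system directories holding an .exe beside a
    hijackable DLL: the copied-binary pattern the process tree executes."""
    hits = {}
    for directory, files in index_by_dir(dropped).items():
        if directory.startswith(SYSTEM_DIRS):
            continue
        exes = sorted(n for n in files if n.endswith(".exe"))
        dlls = sorted(n for n in files if n in HIJACK_DLLS)
        if exes and dlls:
            hits[directory] = (exes[0], dlls[0])
    return hits


def orphan_hijack_dlls(dropped) -> List[str]:
    """Hijackable DLLs dropped with no host .exe captured beside them; worth
    collecting, but the host binary has to be found another way."""
    return sorted(d for d, files in index_by_dir(dropped).items()
                  if any(n in HIJACK_DLLS for n in files)
                  and not any(n.endswith(".exe") for n in files))


def unstable_hashes(dropped) -> Tuple[List[str], List[str]]:
    """(empty_captures, rewritten): paths hashed at zero length, and paths
    recorded with two or more different non-empty hashes."""
    empty, rewritten = [], []
    for directory, files in index_by_dir(dropped).items():
        for name, md5s in files.items():
            full = ntpath.join(directory, name)
            if EMPTY_MD5 in md5s:
                empty.append(full)
            if len(set(md5s) - {EMPTY_MD5}) > 1:
                rewritten.append(full)
    return sorted(empty), sorted(rewritten)


def startup_shortcuts(dropped) -> List[str]:
    """Shortcuts written to a Startup folder (run at logon)."""
    return sorted(norm(p) for p, _size, _md5 in dropped
                  if "\\startup\\" in norm(p) and norm(p).endswith(".lnk"))


if __name__ == "__main__":
    for directory, (exe, dll) in sideload_dirs(DROPPED).items():
        print(f"side-load: {exe} + {dll} in {directory}")
    print("DLL without captured host:", orphan_hijack_dlls(DROPPED))
    empty, rewritten = unstable_hashes(DROPPED)
    print("hashed while empty:", empty)
    print("same path, different hashes:", rewritten)
    print("startup shortcuts:", startup_shortcuts(DROPPED))
```

Run as-is it reports the three AUG, Hjs7J and gMz directories as side-load pairs, the two Roaming VERSION.dll drops as DLLs without a captured host, the gMz\wscript.exe entry as hashed while empty, the Hjs7J and gMz VERSION.dll paths as rewritten between captures, and the Ercyejwqgvsruoy.lnk Startup shortcut. Feeding it a different sandbox's file list only requires replacing DROPPED; the path normalisation is what lets the drive-letter and drive-less spellings of one file be compared.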