Analysis

  • max time kernel
    150s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    24-01-2024 02:55

General

  • Target

    7142569287a29d07ca328243db7a1f74.dll

  • Size

    1.7MB

  • MD5

    7142569287a29d07ca328243db7a1f74

  • SHA1

    0bb092d2cf5779d598f619d801bb1eda19a7f883

  • SHA256

    6d6b79a6bb6023fd10ffe393db35e78b77bc403f068b5ac7cfece64692b2edc1

  • SHA512

    9df2653a5f920d62b6d72d2f1e199d503e3328e63b7d0611fbcbcc1a084ac2b59a82739aedf665cdd64b6b08260e9b212e7d9ed20de363261dce6d2d2b4eb06f

  • SSDEEP

    12288:JVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:ofP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode (1 IoC)

    Detects Dridex payload shellcode injected into the Explorer process.

  • Executes dropped EXE (3 IoCs)
  • Loads dropped DLL (7 IoCs)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Checks whether UAC is enabled (1 TTP, 4 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of WriteProcessMemory (18 IoCs)
  • Uses Task Scheduler COM API (1 TTP)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\7142569287a29d07ca328243db7a1f74.dll,#1
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1268
  • C:\Windows\system32\dialer.exe
    C:\Windows\system32\dialer.exe
    PID:2776
    • C:\Users\Admin\AppData\Local\C6PQ\dialer.exe
      C:\Users\Admin\AppData\Local\C6PQ\dialer.exe
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2544
    • C:\Windows\system32\msdt.exe
      C:\Windows\system32\msdt.exe
      PID:1628
      • C:\Users\Admin\AppData\Local\nlcR62a8n\msdt.exe
        C:\Users\Admin\AppData\Local\nlcR62a8n\msdt.exe
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2920
      • C:\Users\Admin\AppData\Local\juqf81\DeviceDisplayObjectProvider.exe
        C:\Users\Admin\AppData\Local\juqf81\DeviceDisplayObjectProvider.exe
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2864
      • C:\Windows\system32\DeviceDisplayObjectProvider.exe
        C:\Windows\system32\DeviceDisplayObjectProvider.exe
        PID:2872

Network

MITRE ATT&CK Enterprise v15

Downloads
