Analysis

  • max time kernel
    150s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    24-01-2024 08:16

General

  • Target

    71bb36f4bcc6b93c90c000f353db7173.dll

  • Size

    1.6MB

  • MD5

    71bb36f4bcc6b93c90c000f353db7173

  • SHA1

    4089e571bfda56a10036636485e1113cfb5fe669

  • SHA256

    bad6364c6a3a60c2e7982bb223a06f05ec95abf264dc500f75d2454642d84034

  • SHA512

    7845c3f5a2e5c78251e2accc1a0be49c9e0d6b3c85231bd417b2e806048e62389bb2d6088a6909f39e1573daf455f9cec629d98d9c0f02ab41099c5f96317615

  • SSDEEP

    12288:QVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:VfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex payload shellcode injected into the Explorer process.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\71bb36f4bcc6b93c90c000f353db7173.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1648
  • C:\Windows\system32\psr.exe
    C:\Windows\system32\psr.exe
    1⤵
      PID:2808
    • C:\Users\Admin\AppData\Local\9os\psr.exe
      C:\Users\Admin\AppData\Local\9os\psr.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2492
    • C:\Windows\system32\wextract.exe
      C:\Windows\system32\wextract.exe
      1⤵
        PID:2900
      • C:\Users\Admin\AppData\Local\mlkMx4Vdt\wextract.exe
        C:\Users\Admin\AppData\Local\mlkMx4Vdt\wextract.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2932
      • C:\Windows\system32\OptionalFeatures.exe
        C:\Windows\system32\OptionalFeatures.exe
        1⤵
          PID:2164
        • C:\Users\Admin\AppData\Local\o3T\OptionalFeatures.exe
          C:\Users\Admin\AppData\Local\o3T\OptionalFeatures.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1596

        Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\9os\XmlLite.dll

          Filesize

          175KB

          MD5

          ae4d9a51ab197f4deb6233644b38371d

          SHA1

          7e9a6267db2f7d30431c7cd1628b77b9337f462f

          SHA256

          9621a190c389556bcfe9f41a9571ebcb9ebb63b0eca5608a1caa0ff42ffe05eb

          SHA512

          ad7045298330ebe18ba566b0f270e559d8c981ce1b67c1d77c2ea42e84149b0b9816a3b7feb8efa5f440ed8534da157f5f7d7786b0df173369c2823bda5a84e4

        • C:\Users\Admin\AppData\Local\9os\psr.exe

          Filesize

          206KB

          MD5

          5c99e4193dd3aa88141ca929f6a3c4e8

          SHA1

          783fa2e62d23337686e3947e0ccadc21e96d0f13

          SHA256

          05da904e47cb862e42d242756c1aa93ae8a2b8bebed97f750c3337d3e2015d4f

          SHA512

          fb2f92b8536c1773272d33752150d62f9e3b78138bf3eae48bb9375b8e3e734ecb830190002eec55d3adcefc7a08be12080a871235cb76bb1071a13007cb30cd

        • C:\Users\Admin\AppData\Local\9os\psr.exe

          Filesize

          120KB

          MD5

          086a6fc0ea8b87ef2ef5fb9c70669e2e

          SHA1

          4e3cb3173428dea8e8801e0c3cb9511396907b86

          SHA256

          c4d36fbadf57642b750fce90bf9cad4de4d4c13bb6ec60292b9f8e5dc74b2dfd

          SHA512

          08e77eef5c32f39e4b7d4b428fd7c7504ef6a6282307f775eec3a6a53859db48fa48de5250126fd6036d2f14e2a22446ca59f37bc459f466b2d6f14eb197b4a2

        • C:\Users\Admin\AppData\Local\mlkMx4Vdt\VERSION.dll

          Filesize

          1KB

          MD5

          dd08b4fb2af05ec48bad2034e79ad1dc

          SHA1

          48d2438243a56c00c18393e2b1b2abc6fd46b2e2

          SHA256

          1c7bff58abf981c1fb1aa20adcabeb252e3dec3910b5011df76ad45e5a2b66db

          SHA512

          4633b70ce095aff6c791068534d11935c04b9a48770ba063baa09263e8cff99ec8eceeac6bf9e8100f0c700d058acdad0d7978cfd8fcd3b1b661e6e8b3cf95c0

        • C:\Users\Admin\AppData\Local\mlkMx4Vdt\wextract.exe

          Filesize

          140KB

          MD5

          1ea6500c25a80e8bdb65099c509af993

          SHA1

          6a090ef561feb4ae1c6794de5b19c5e893c4aafc

          SHA256

          99123d4e7bf93aa7f3315a432307c8b0cbaf24ad2cfb46edc149edbe24de4ca2

          SHA512

          b8f9f1ab48671e382d1385c34f0f19fc52fc0061e00db53bbbc2cdaee6d8a3f245707329f98e9167c53721aeaddcebfe66632729b6bcc98892031fd9914fb1fb

        • C:\Users\Admin\AppData\Local\o3T\OptionalFeatures.exe

          Filesize

          95KB

          MD5

          eae7af6084667c8f05412ddf096167fc

          SHA1

          0dbe8aba001447030e48e8ad5466fd23481e6140

          SHA256

          01feebd3aca961f31ba4eac45347b105d1c5772627b08f5538047721b61ff9bc

          SHA512

          172a8accaa35a6c9f86713a330c5899dfeeffe3b43413a3d276fc16d45cd62ed9237aa6bff29cc60a2022fba8dcc156959723c041df4b7463436a3bdabef2a9d

        • C:\Users\Admin\AppData\Local\o3T\appwiz.cpl

          Filesize

          150KB

          MD5

          0c33b412526e9097ad60baa514d39eb5

          SHA1

          41e92cab83764eec5c799dc4b2570616b66f4ef2

          SHA256

          1b01efcdd9147da56a932ae32ff3857094bc12e80a8f730f06c4723865943e45

          SHA512

          8465d6f6ea5acbbbff85d1692c0020d3dbb37e91ec241ffaad20d80e1822e7be895cc8a0b915be8c01fb98f703a51d8088bcffd7c3dd1d05a684cb2a74d02df6

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Gmfoo.lnk

          Filesize

          1KB

          MD5

          58b98de503c5a8fa03e6c683eccb8c3e

          SHA1

          cc203352d8f9d6510a1f481f6c045bd54a9e8e1f

          SHA256

          62fcb79a114671eb9ce17dc74d248c56d2625534cd2b3dae899e052cb8c33650

          SHA512

          40300b2579b3147f24d2e177f944e664ae03a0f59103341ba6118d940a5e6326e9ceb4102e0ec642c0acbdca6b15b86de9d864748e5dd30880dddfd3ff7752f9

        • C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\FEi\VERSION.dll

          Filesize

          367KB

          MD5

          bd635950f3935de24fafba42ce9cde15

          SHA1

          9281963e4c06c3573f08bfa478a5785340828e23

          SHA256

          b45e22f67760ef733c16aeedc06db7a7cd6818b45c1baf3a456381c0d4cf11c0

          SHA512

          728de018277c67786cdd65f65a7920367f6d467c360013bff5ce79c1aefa19803eec0b0901d3c909dd78a8c24d1da655935cf472b6a9c31e254763aede1a47db

        • C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\FEi\wextract.exe

          Filesize

          100KB

          MD5

          386bedd3e9297b6698694935315a3a75

          SHA1

          d21656301f3c8c9dc7eef447c585566dcf1d5a5d

          SHA256

          83901776daf724e0801e8ee46d4e7e539f3b147d9dd7c05cfd0375b94b099f6c

          SHA512

          89f56acb215ba8345eb06901457b35d61ceb9ac82cd70795cb6c2c1e2a381edc673a8c348910eac39ef02f3efe0866372545a7fb5debad86f099b7128edefe40

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IETldCache\rj\XmlLite.dll

          Filesize

          279KB

          MD5

          24f103741537dc80c61eeb162dab5b9e

          SHA1

          aa63c903a6494e96c0c540a20ca0f8cd04761988

          SHA256

          0fd80968bc3438dc82905920983fa4d8dd312854bb31134d86214ea0f67460b0

          SHA512

          4e06ed0cc0406a2cac12861024f651902258ce84f33acafdc580a44e390a840c79feaff64ceb8a3297681c29f9650a67558fb8a81233cc502e47cba7b94ef984

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PrivacIE\Low\K0vm\appwiz.cpl

          Filesize

          324KB

          MD5

          efa5c77ac313c6d2b5972342e1315f33

          SHA1

          163445d2b7dbd824d5713815634f165794cc2328

          SHA256

          674591a92da6840ca90eb6702d6ef62145f6c8a310e777466fcd9d30f7ee214d

          SHA512

          05a21da39db8170556a46b0ce562dfec53bd850f84fefcfb1579992783352d4aea1e87461ee3555c339ffc1144c53b2032cd0ef6eb0911e161289a09f0bba4c0

        • \Users\Admin\AppData\Local\9os\XmlLite.dll

          Filesize

          371KB

          MD5

          d113579ab4c7113df0e1eb2de68aacbc

          SHA1

          dc9a63635878427b0c6f46bd7a4560e041824df6

          SHA256

          004331c8cb4532b1b29ad0a92ed23a9836714306bec423f56bdac176ae5a1169

          SHA512

          4ecd774375e0e5fb67e2e28cb5d6f2dec56b603e4fe358bdcce1a7786f53513bee9085dbb598ddd7fb2200ce8f9e4172ecf5e0c4d77774216b1e3e730ad60e70

        • \Users\Admin\AppData\Local\9os\psr.exe

          Filesize

          444KB

          MD5

          f2bee034b9ca681c49d46af20aa88b22

          SHA1

          944ea645b56ebc232b43c7756c70f095539a234a

          SHA256

          3608d15002a3ba1fef18e8e66e87031a6635957af8eead65aa886e9d79134c8e

          SHA512

          ec9f22341ad141355c69b01830d8ca596e2623fb2aff799070d5abee77b09eef5cdbf01bfb6e96ec1c42f76ba385a3c4d0064f63e4c290a55ffde66bcf6da509

        • \Users\Admin\AppData\Local\mlkMx4Vdt\VERSION.dll

          Filesize

          77KB

          MD5

          4858be73da7e2d68290ecf8e90f4b178

          SHA1

          fdd1ff52b606a9a935f08f2ddf0680c6eb748af5

          SHA256

          9a6dc28d9471ade2f5723f0cf30d255d2b13e503ac705edabca2a0162af9bd25

          SHA512

          9bf47afcf824e1e204b69439bbcebc79d39e86a498b7a6dd51730b1c5106b300760b5f0e8c49554941e2861c3752cfc14537e1d32bdcb1c55d8211462c5a656d

        • \Users\Admin\AppData\Local\mlkMx4Vdt\wextract.exe

          Filesize

          132KB

          MD5

          4141b588a2ea8c13de997f22fe2332fa

          SHA1

          5647b2782b44a90974509e7ebd9fbcdc26c19e36

          SHA256

          05996ee65769b30ddf8d7d2b2bed21fceccb568a83ec579624ffdb59290a6257

          SHA512

          3ee31b8a439df37a96358ecc5919804e23af90e26ee6815406ea1b5818410457a838cf7b97259a6b370874be93c010b08e67b10908b4046e8f162a5ffea80a5d

        • \Users\Admin\AppData\Local\o3T\OptionalFeatures.exe

          Filesize

          72KB

          MD5

          82bde8cccd8456883ea3227de6b2772b

          SHA1

          6e92ecddf9ba3a8ccda6a15b4e37c3d4d1b5753a

          SHA256

          13acda1155b61c8cd642f4c2112145d4e8fa91f7845eaec362e348cb66d50990

          SHA512

          8daf96db9b05246798e6ebcacf0a9b0d3c274f6fd665ed08b30628743803fa3111cfe1ee81c12cdfebf50edf73b0b4ec02a9619e1467dcf663337a1640c51fae

        • \Users\Admin\AppData\Local\o3T\appwiz.cpl

          Filesize

          203KB

          MD5

          859d83a8236cd5af5bf206cec8ef21c2

          SHA1

          934ac7c8013010d5e6618cfaf37381a69ff5cd62

          SHA256

          fa1ae4993775b1e2d04c48fd0a7bb45be02931739cfc6eeb2e36a1cc4df7ab19

          SHA512

          a319c6468b75019a197b36f5c13c6a167cd222ae9610bec46b13f327c5b04bc3cb5817caa609b401160f2868fe61552ffa0a6a9c48c140faca0dffe23c49af67

        • memory/1264-150-0x0000000076FF6000-0x0000000076FF7000-memory.dmp

          Filesize

          4KB

        • memory/1264-33-0x0000000140000000-0x0000000140193000-memory.dmp

          Filesize

          1.6MB

        • memory/1264-38-0x0000000140000000-0x0000000140193000-memory.dmp

          Filesize

          1.6MB

        • memory/1264-39-0x0000000140000000-0x0000000140193000-memory.dmp

          Filesize

          1.6MB

        • memory/1264-41-0x0000000140000000-0x0000000140193000-memory.dmp

          Filesize

          1.6MB

        • memory/1264-42-0x0000000140000000-0x0000000140193000-memory.dmp

          Filesize

          1.6MB

        • memory/1264-44-0x0000000140000000-0x0000000140193000-memory.dmp

          Filesize

          1.6MB

        • memory/1264-46-0x0000000140000000-0x0000000140193000-memory.dmp

          Filesize

          1.6MB

        • memory/1264-50-0x0000000140000000-0x0000000140193000-memory.dmp

          Filesize

          1.6MB

        • memory/1264-52-0x0000000002960000-0x0000000002967000-memory.dmp

          Filesize

          28KB

        • memory/1264-58-0x0000000140000000-0x0000000140193000-memory.dmp

          Filesize

          1.6MB

        • memory/1264-64-0x0000000140000000-0x0000000140193000-memory.dmp

          Filesize

          1.6MB

        • memory/1264-65-0x0000000077260000-0x0000000077262000-memory.dmp

          Filesize

          8KB

        • memory/1264-61-0x0000000077101000-0x0000000077102000-memory.dmp

          Filesize

          4KB

        • memory/1264-49-0x0000000140000000-0x0000000140193000-memory.dmp

          Filesize

          1.6MB

        • memory/1264-68-0x0000000140000000-0x0000000140193000-memory.dmp

          Filesize

          1.6MB

        • memory/1264-48-0x0000000140000000-0x0000000140193000-memory.dmp

          Filesize

          1.6MB

        • memory/1264-47-0x0000000140000000-0x0000000140193000-memory.dmp

          Filesize

          1.6MB

        • memory/1264-45-0x0000000140000000-0x0000000140193000-memory.dmp

          Filesize

          1.6MB

        • memory/1264-34-0x0000000140000000-0x0000000140193000-memory.dmp

          Filesize

          1.6MB

        • memory/1264-8-0x0000000140000000-0x0000000140193000-memory.dmp

          Filesize

          1.6MB

        • memory/1264-30-0x0000000140000000-0x0000000140193000-memory.dmp

          Filesize

          1.6MB

        • memory/1264-37-0x0000000140000000-0x0000000140193000-memory.dmp

          Filesize

          1.6MB

        • memory/1264-36-0x0000000140000000-0x0000000140193000-memory.dmp

          Filesize

          1.6MB

        • memory/1264-11-0x0000000140000000-0x0000000140193000-memory.dmp

          Filesize

          1.6MB

        • memory/1264-15-0x0000000140000000-0x0000000140193000-memory.dmp

          Filesize

          1.6MB

        • memory/1264-13-0x0000000140000000-0x0000000140193000-memory.dmp

          Filesize

          1.6MB

        • memory/1264-4-0x0000000076FF6000-0x0000000076FF7000-memory.dmp

          Filesize

          4KB

        • memory/1264-40-0x0000000140000000-0x0000000140193000-memory.dmp

          Filesize

          1.6MB

        • memory/1264-35-0x0000000140000000-0x0000000140193000-memory.dmp

          Filesize

          1.6MB

        • memory/1264-32-0x0000000140000000-0x0000000140193000-memory.dmp

          Filesize

          1.6MB

        • memory/1264-43-0x0000000140000000-0x0000000140193000-memory.dmp

          Filesize

          1.6MB

        • memory/1264-5-0x0000000002990000-0x0000000002991000-memory.dmp

          Filesize

          4KB

        • memory/1264-26-0x0000000140000000-0x0000000140193000-memory.dmp

          Filesize

          1.6MB

        • memory/1264-23-0x0000000140000000-0x0000000140193000-memory.dmp

          Filesize

          1.6MB

        • memory/1264-21-0x0000000140000000-0x0000000140193000-memory.dmp

          Filesize

          1.6MB

        • memory/1264-19-0x0000000140000000-0x0000000140193000-memory.dmp

          Filesize

          1.6MB

        • memory/1264-17-0x0000000140000000-0x0000000140193000-memory.dmp

          Filesize

          1.6MB

        • memory/1264-14-0x0000000140000000-0x0000000140193000-memory.dmp

          Filesize

          1.6MB

        • memory/1264-12-0x0000000140000000-0x0000000140193000-memory.dmp

          Filesize

          1.6MB

        • memory/1264-10-0x0000000140000000-0x0000000140193000-memory.dmp

          Filesize

          1.6MB

        • memory/1264-9-0x0000000140000000-0x0000000140193000-memory.dmp

          Filesize

          1.6MB

        • memory/1264-31-0x0000000140000000-0x0000000140193000-memory.dmp

          Filesize

          1.6MB

        • memory/1264-29-0x0000000140000000-0x0000000140193000-memory.dmp

          Filesize

          1.6MB

        • memory/1264-16-0x0000000140000000-0x0000000140193000-memory.dmp

          Filesize

          1.6MB

        • memory/1264-25-0x0000000140000000-0x0000000140193000-memory.dmp

          Filesize

          1.6MB

        • memory/1264-28-0x0000000140000000-0x0000000140193000-memory.dmp

          Filesize

          1.6MB

        • memory/1264-27-0x0000000140000000-0x0000000140193000-memory.dmp

          Filesize

          1.6MB

        • memory/1264-24-0x0000000140000000-0x0000000140193000-memory.dmp

          Filesize

          1.6MB

        • memory/1264-22-0x0000000140000000-0x0000000140193000-memory.dmp

          Filesize

          1.6MB

        • memory/1264-20-0x0000000140000000-0x0000000140193000-memory.dmp

          Filesize

          1.6MB

        • memory/1264-18-0x0000000140000000-0x0000000140193000-memory.dmp

          Filesize

          1.6MB

        • memory/1596-122-0x00000000000F0000-0x00000000000F7000-memory.dmp

          Filesize

          28KB

        • memory/1648-7-0x0000000140000000-0x0000000140193000-memory.dmp

          Filesize

          1.6MB

        • memory/1648-1-0x0000000000330000-0x0000000000337000-memory.dmp

          Filesize

          28KB

        • memory/1648-0-0x0000000140000000-0x0000000140193000-memory.dmp

          Filesize

          1.6MB

        • memory/2492-83-0x0000000000110000-0x0000000000117000-memory.dmp

          Filesize

          28KB

        • memory/2932-105-0x0000000000220000-0x0000000000227000-memory.dmp

          Filesize

          28KB