Analysis

  • max time kernel: 150s
  • max time network: 122s
  • platform: windows7_x64
  • resource: win7-20231215-en
  • resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted: 24-01-2024 08:37

General

  • Target: 71c41494c927e33c33dadf1925c47cd5.dll
  • Size: 1.5MB
  • MD5: 71c41494c927e33c33dadf1925c47cd5
  • SHA1: d9522d823725eced87e847799aac6e00e0d9c985
  • SHA256: 6a19ea54058dfc1a9678abc823f1ed3697c8e77fba5279d998dadaef5e7ebf04
  • SHA512: 1e0f16a9f44cbe3f6a807a86b6d0a45fa8186463bb4fd17aa76792d532d7695017442642d488fd43ba725b8a5dece1bafae44ae512d897252d5dde90184a1ee4
  • SSDEEP: 12288:FVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:cfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode (1 IoC)

    Detects Dridex payload shellcode injected into the Explorer process.

  • Executes dropped EXE (3 IoCs)
  • Loads dropped DLL (7 IoCs)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Checks whether UAC is enabled (1 TTP, 4 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of WriteProcessMemory (18 IoCs)
  • Uses Task Scheduler COM API (1 TTP)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\71c41494c927e33c33dadf1925c47cd5.dll,#1
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2524
  • C:\Windows\system32\tcmsetup.exe
    C:\Windows\system32\tcmsetup.exe
    PID:2344
    • C:\Users\Admin\AppData\Local\8QBgwy\tcmsetup.exe
      C:\Users\Admin\AppData\Local\8QBgwy\tcmsetup.exe
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2272
    • C:\Windows\system32\WindowsAnytimeUpgradeResults.exe
      C:\Windows\system32\WindowsAnytimeUpgradeResults.exe
      PID:2924
      • C:\Users\Admin\AppData\Local\LTcJmDDfC\WindowsAnytimeUpgradeResults.exe
        C:\Users\Admin\AppData\Local\LTcJmDDfC\WindowsAnytimeUpgradeResults.exe
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2996
      • C:\Users\Admin\AppData\Local\Sh4si\iexpress.exe
        C:\Users\Admin\AppData\Local\Sh4si\iexpress.exe
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:1960
      • C:\Windows\system32\iexpress.exe
        C:\Windows\system32\iexpress.exe
        PID:1248

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\8QBgwy\tcmsetup.exe
    Filesize: 15KB
    MD5: 0b08315da0da7f9f472fbab510bfe7b8
    SHA1: 33ba48fd980216becc532466a5ff8476bec0b31c
    SHA256: e19556bb7aa39bbd5f0d568a95aec0b3af18dda438cc5737f945243b24d106e7
    SHA512: c30501546efe2b0c003ef87ac381e901c69ddfc6791c6a5102cff3a07f56555d94995a4413b93036821aa214fc31501fa87eb519e1890ef75b2ec497983ffd58

  • C:\Users\Admin\AppData\Local\LTcJmDDfC\WINBRAND.dll
    Filesize: 82KB
    MD5: 62e80ab94e81f2ba8314581ea90247af
    SHA1: 82ad70c55b862ce01224d523f692fed5c2b65f0d
    SHA256: a4d500538c235461fa99eb5ecb2b79ed2dff241bb0ef0a7457572d1fd892d0de
    SHA512: 5a59138394ab3f243991d963c912d5969f5d97e718c87d7d3b416b5338516ec79c78efe4f463cab3eb950fb259eef44c347739fcef8ba6e4eb44240d8816d141

  • C:\Users\Admin\AppData\Local\LTcJmDDfC\WindowsAnytimeUpgradeResults.exe
    Filesize: 100KB
    MD5: 4ce30803fe1b2f91a4c50a736dd8ea5e
    SHA1: f6cfd96b319162da2e3e0173e7ecb0d4cefd70ac
    SHA256: 04034e248d35c49ff3db4a8f1ea73a4c80ba295f91e4e5060fc97786a040740b
    SHA512: 00a1392b715ff0ff86c055e0fa010dea6829b92b6e5b163e8c5269277203ea2d2e16c02a461e07f34db8975aaf9694e69580423b4ecc823a7c4d074206c9d2be

  • C:\Users\Admin\AppData\Local\LTcJmDDfC\WindowsAnytimeUpgradeResults.exe
    Filesize: 100KB
    MD5: f5b608370ff97e655c584bc84e92b08b
    SHA1: 214597b0a6c4eef50ef68b5fd7e247ae234b132c
    SHA256: 5fdd03790ea41a631a0b9cbb5893a8bd6c793aa5e885bdf1c79b2e6e5bbecfcb
    SHA512: 930d7dfcdbb772845b0d742f11cbe9be0b2ac6f9a1a4220ad99326a2ba12fed1972a446281041f3697c6b12cbcc3588416d659af856fa06648c4b037333579a7

  • C:\Users\Admin\AppData\Local\Sh4si\VERSION.dll
    Filesize: 71KB
    MD5: 70355dafda1ad274740c6f8aa1a9bdc8
    SHA1: 4134311e39a83ab92cb7a41d10634c3d019f6766
    SHA256: 7ad16e800ca65642cfa8f708304c9f4b6069e87818b038818263704ad26ae923
    SHA512: 4d244aa7c8fc5146df63b1534013747be7a6f65aa93afd4302f27dd7b6842c0c43074e6c184e157dce9219abda34db9ec08918d1dace6021743b9ad6a6534244

  • C:\Users\Admin\AppData\Local\Sh4si\iexpress.exe
    Filesize: 62KB
    MD5: b477b89e38889a8d36afa6552d7566cd
    SHA1: bef192a09e78ae0c5bcf9de3b55edbd7f7c46971
    SHA256: 9a7dc98c3406fea6429b35f7d6edb8b06de74a7164498f7016756ef2d6672c11
    SHA512: 87f527eddeae665e5e8532fec04de0e96fa36aecdb2ac668996d69aeff96dd9e968c6e0f31010773e4be56f7aae7b32866425541545838274ac934089579b549

  • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ekhyqsv.lnk
    Filesize: 1KB
    MD5: 04b2a26562a12c8d17a9e1ccb05a3979
    SHA1: 03807408d3643b30cc27f0edf73504e4e1f6e3ce
    SHA256: 608cc1a569ab1174b426bcac88811c3103920b0dea546bde5369dcf942f74eb7
    SHA512: 0ad9c8866bfbe60639df0c779bf3ba32284b982a887ffbc64b0a211306f56ae4cc9f5e44b9799ac32af59e9c3ccda0201900f2df65faa42c6bfe2b6deec42565

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IECompatCache\Low\dQYhzbi1rd\WINBRAND.dll
    Filesize: 1.5MB
    MD5: 2980575998a8a21f7a1f3fecb4accbdc
    SHA1: b9f9060689ad9dcf4a3969de23818a72ea26dc47
    SHA256: 29d34e78b031d33b6fed294738a03fd74a15b0466c4c50a3a2b724267e9e94a4
    SHA512: 7df68c27efb99e2f72eb0ec709f209af41203df55db09aac634944ebf6b16354a1be0f6323e7c1005a0e00fc09a9f0aec331604fc5753d07e22f8fbf5389cf8b

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\IidO\VERSION.dll
    Filesize: 1.5MB
    MD5: 6fa2f6f34feeff9da50297744a175815
    SHA1: e9f936f7abc7a05ff93c8809e8d4e9f356abcc76
    SHA256: 3db7789c331823216fcc0b84dc839762877f5ef2f1e7d6302f156bc87655411d
    SHA512: 0124167f1411250a32aa71c09da05cfa2fcacb7307ccaf2d9b386f5cbbf8e9eab85581f4e544d243bbc432d50dae1bf302581b764106a22ae842a21014b78353

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\IidO\iexpress.exe
    Filesize: 49KB
    MD5: f58a4a422453cbde4a28416a42b6f8a4
    SHA1: a991911500174def40026385282f162c15879f80
    SHA256: 7267b1f60c0b24d7554c6edb1a600f36afed921ff1d46654aa1bd2f229d1dd49
    SHA512: 0c0cee49238c5cd47915e234140eef0d63b748ba76aa03692a2e1fc8ffd1607c35ed7f04c179f9cacedc60b4c06bde6167655dd9616f7e99b97421777189ffae

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\kAs\TAPI32.dll
    Filesize: 724KB
    MD5: 79b47f8b6428b181596c68b50d5d4190
    SHA1: 1f63e25da12c47289cc91c0c1f673c55911f800f
    SHA256: e277c110a0254cf5a0c367a58c10f06a61bcdd51e0adfbe696d6c2aa25fab8ca
    SHA512: ade9146ca5b89def6d38964c29e04d96598cce53a462ad02b0662e072a9b308873cf7a7f11d40b35d5f22b30ef4cf8c0439af1e5ec5d4a2c8fe8ff08b3a1eb6f

  • \Users\Admin\AppData\Local\8QBgwy\TAPI32.dll
    Filesize: 1KB
    MD5: 0e8580bb505f37f55a9ccc6410025006
    SHA1: c63e91ab81aa134484710977167d7a3b5c243601
    SHA256: d0524353ecaec64f35fe6d35a8c97fbc344ebece3c41245c4afb091229580cd5
    SHA512: 8ee29562c447b9bb90ab992cdfce22c6a30591c9f0464a663861da45d05ad71a6e3f4d15d3141b5340123ec9db00902a2f7381e8384819422deaf26c073f278e

  • \Users\Admin\AppData\Local\LTcJmDDfC\WINBRAND.dll
    Filesize: 83KB
    MD5: 150675ee71427332e1efa4ef3936b201
    SHA1: 99b97e3ec7a07b783a67be2a330f67fb8c4d3538
    SHA256: 9c0cbffcb730fcf4c5e22d6085eda94289735a31d3ec8711aaa8c3ab6731268c
    SHA512: d8494a7f9e507b061b1955e2c530dd17b3179e8cc769c95ac0dc4573428e524ce15a1d9dc330ee0d43b7faf9d8c344c3a2c090699880b0693a4816a6b50ae013

  • \Users\Admin\AppData\Local\LTcJmDDfC\WindowsAnytimeUpgradeResults.exe
    Filesize: 60KB
    MD5: 6e3cd2b208d684c37038107cb1193320
    SHA1: cd00bfab8a32c17ccf39b1e097369c894349e3ce
    SHA256: b9295b2141b35234a68e60b826af20677295435adc3eee5a36e3963e8a16693d
    SHA512: ba0429147fbf71c4a894c188ff097855790e7fc7d929c6b6e46b7a7d139cd060b9b699c8a3615e83266bca378905aa37516fca66b95bc88b67a22a49a249edc7

  • \Users\Admin\AppData\Local\Sh4si\VERSION.dll
    Filesize: 73KB
    MD5: e424e5b5f27e99dc7d70641d10633010
    SHA1: 83fc389674aac7d797d1926dbd9510cc66a26413
    SHA256: ecd8875e1034788c812e4747f9a64532aad5142e2173056fb69ba76b6f16cc70
    SHA512: e031594389b6971fa05111c8369062b036a661cc4313040ef4dd6bf30ce97933e190560fb282e2b19ff64cbf8b47387bb0931a06c34aab78cbd4a4016189856f

  • \Users\Admin\AppData\Local\Sh4si\iexpress.exe
    Filesize: 97KB
    MD5: 7e4922fba02f84e550aaba4932097b59
    SHA1: d84aed8d3faf480f7e41e7e5291854793311492c
    SHA256: ce49ac77a5536549ea398f53917457918b02857c207b424c23e4ff7e4035a238
    SHA512: f2bbf5dae69ee9a85bdd2258f0b39906e091e0669db6160d8b746eb441237bf32a72c9ffec51b8ad1aa6f337518ff2a6a0dba8f91bf8ef6fb7e1baf33178b254

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\IidO\iexpress.exe
    Filesize: 18KB
    MD5: c6ab788e4ffdbf72567f967a696d6de4
    SHA1: 174075b0bf4d2cb25139ad413af9a0b01fae8f80
    SHA256: 2abedddaf86b25562675c636c0abc5d6dd65ddde66b4533ba45927748c434947
    SHA512: dc2bbadd503d2d174c042404d774f26544450aeda58a90b574c30eadb981fba5a2d0015aed90d9085994e7a20299e0a48f4b5abd3a6c9e8749d740aac9870e72

  • memory/1212-38-0x0000000140000000-0x0000000140185000-memory.dmp (1.5MB)
  • memory/1212-23-0x0000000140000000-0x0000000140185000-memory.dmp (1.5MB)
  • memory/1212-4-0x0000000077996000-0x0000000077997000-memory.dmp (4KB)
  • memory/1212-40-0x0000000140000000-0x0000000140185000-memory.dmp (1.5MB)
  • memory/1212-43-0x0000000140000000-0x0000000140185000-memory.dmp (1.5MB)
  • memory/1212-44-0x0000000140000000-0x0000000140185000-memory.dmp (1.5MB)
  • memory/1212-42-0x0000000140000000-0x0000000140185000-memory.dmp (1.5MB)
  • memory/1212-41-0x0000000140000000-0x0000000140185000-memory.dmp (1.5MB)
  • memory/1212-39-0x0000000140000000-0x0000000140185000-memory.dmp (1.5MB)
  • memory/1212-37-0x0000000140000000-0x0000000140185000-memory.dmp (1.5MB)
  • memory/1212-36-0x0000000140000000-0x0000000140185000-memory.dmp (1.5MB)
  • memory/1212-35-0x0000000140000000-0x0000000140185000-memory.dmp (1.5MB)
  • memory/1212-34-0x0000000140000000-0x0000000140185000-memory.dmp (1.5MB)
  • memory/1212-33-0x0000000140000000-0x0000000140185000-memory.dmp (1.5MB)
  • memory/1212-32-0x0000000140000000-0x0000000140185000-memory.dmp (1.5MB)
  • memory/1212-31-0x0000000140000000-0x0000000140185000-memory.dmp (1.5MB)
  • memory/1212-30-0x0000000140000000-0x0000000140185000-memory.dmp (1.5MB)
  • memory/1212-29-0x0000000140000000-0x0000000140185000-memory.dmp (1.5MB)
  • memory/1212-45-0x0000000140000000-0x0000000140185000-memory.dmp (1.5MB)
  • memory/1212-47-0x0000000140000000-0x0000000140185000-memory.dmp (1.5MB)
  • memory/1212-48-0x0000000140000000-0x0000000140185000-memory.dmp (1.5MB)
  • memory/1212-46-0x0000000140000000-0x0000000140185000-memory.dmp (1.5MB)
  • memory/1212-49-0x00000000029C0000-0x00000000029C7000-memory.dmp (28KB)
  • memory/1212-28-0x0000000140000000-0x0000000140185000-memory.dmp (1.5MB)
  • memory/1212-27-0x0000000140000000-0x0000000140185000-memory.dmp (1.5MB)
  • memory/1212-26-0x0000000140000000-0x0000000140185000-memory.dmp (1.5MB)
  • memory/1212-24-0x0000000140000000-0x0000000140185000-memory.dmp (1.5MB)
  • memory/1212-25-0x0000000140000000-0x0000000140185000-memory.dmp (1.5MB)
  • memory/1212-22-0x0000000140000000-0x0000000140185000-memory.dmp (1.5MB)
  • memory/1212-21-0x0000000140000000-0x0000000140185000-memory.dmp (1.5MB)
  • memory/1212-57-0x0000000077AA1000-0x0000000077AA2000-memory.dmp (4KB)
  • memory/1212-58-0x0000000077C00000-0x0000000077C02000-memory.dmp (8KB)
  • memory/1212-56-0x0000000140000000-0x0000000140185000-memory.dmp (1.5MB)
  • memory/1212-67-0x0000000140000000-0x0000000140185000-memory.dmp (1.5MB)
  • memory/1212-73-0x0000000140000000-0x0000000140185000-memory.dmp (1.5MB)
  • memory/1212-5-0x00000000029E0000-0x00000000029E1000-memory.dmp (4KB)
  • memory/1212-8-0x0000000140000000-0x0000000140185000-memory.dmp (1.5MB)
  • memory/1212-19-0x0000000140000000-0x0000000140185000-memory.dmp (1.5MB)
  • memory/1212-9-0x0000000140000000-0x0000000140185000-memory.dmp (1.5MB)
  • memory/1212-10-0x0000000140000000-0x0000000140185000-memory.dmp (1.5MB)
  • memory/1212-11-0x0000000140000000-0x0000000140185000-memory.dmp (1.5MB)
  • memory/1212-12-0x0000000140000000-0x0000000140185000-memory.dmp (1.5MB)
  • memory/1212-145-0x0000000077996000-0x0000000077997000-memory.dmp (4KB)
  • memory/1212-13-0x0000000140000000-0x0000000140185000-memory.dmp (1.5MB)
  • memory/1212-14-0x0000000140000000-0x0000000140185000-memory.dmp (1.5MB)
  • memory/1212-15-0x0000000140000000-0x0000000140185000-memory.dmp (1.5MB)
  • memory/1212-16-0x0000000140000000-0x0000000140185000-memory.dmp (1.5MB)
  • memory/1212-17-0x0000000140000000-0x0000000140185000-memory.dmp (1.5MB)
  • memory/1212-20-0x0000000140000000-0x0000000140185000-memory.dmp (1.5MB)
  • memory/1212-18-0x0000000140000000-0x0000000140185000-memory.dmp (1.5MB)
  • memory/1960-124-0x0000000000380000-0x0000000000387000-memory.dmp (28KB)
  • memory/2272-85-0x00000000000F0000-0x00000000000F7000-memory.dmp (28KB)
  • memory/2524-7-0x0000000140000000-0x0000000140185000-memory.dmp (1.5MB)
  • memory/2524-1-0x0000000140000000-0x0000000140185000-memory.dmp (1.5MB)
  • memory/2524-0-0x0000000000110000-0x0000000000117000-memory.dmp (28KB)
  • memory/2996-104-0x0000000000090000-0x0000000000097000-memory.dmp (28KB)