Analysis

  • max time kernel
    150s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    24-01-2024 10:46

General

  • Target

    72069f253d65873ca37d22ed502e1911.dll

  • Size

    3.7MB

  • MD5

    72069f253d65873ca37d22ed502e1911

  • SHA1

    551a0c0ea3996301997e8f133c3ab4933456b7db

  • SHA256

    95675ed8705063e78d6feec16544b7d5bbe62b4bc34b13462280c0ec046f0d71

  • SHA512

    113a86c3fd39d5cb43ccfbee1a8ca8a0f2c08d76439eb39c228f1a56432ab121f61696087b21df958b15b16b16c3169d5109aac638ab60b91eb4ce76b9dc52a1

  • SSDEEP

    12288:bVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1K8yQy:6fP7fWsK5z9A+WGAW+V5SB6Ct4bnbKn

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\72069f253d65873ca37d22ed502e1911.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:3000
  • C:\Windows\system32\BdeUISrv.exe
    C:\Windows\system32\BdeUISrv.exe
    1⤵
      PID:2756
    • C:\Users\Admin\AppData\Local\vO6mC\BdeUISrv.exe
      C:\Users\Admin\AppData\Local\vO6mC\BdeUISrv.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2932
    • C:\Windows\system32\WFS.exe
      C:\Windows\system32\WFS.exe
      1⤵
        PID:1324
      • C:\Users\Admin\AppData\Local\3EzN\WFS.exe
        C:\Users\Admin\AppData\Local\3EzN\WFS.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:1624
      • C:\Windows\system32\xpsrchvw.exe
        C:\Windows\system32\xpsrchvw.exe
        1⤵
          PID:2740
        • C:\Users\Admin\AppData\Local\eSnT4YjY\xpsrchvw.exe
          C:\Users\Admin\AppData\Local\eSnT4YjY\xpsrchvw.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:660

Network

MITRE ATT&CK Enterprise v15

Downloads

        • C:\Users\Admin\AppData\Local\3EzN\WFS.exe

          Filesize

          89KB

          MD5

          8f20249758d6982a016560c01f3a26ab

          SHA1

          8044eb22f0c30289071c1bda3899694eb8f4520e

          SHA256

          ac2c57348bffd7f2e3bffd2d46fdc206ea8171cab049212da4177308ace73268

          SHA512

          a580f7725de17c59097fc8682ab6a746bf8db2938c6559111390f30b4eee199626b4b62855f8eb07af52cf9f6cfeca0b9ce3d3f3761d236123898ef9682d840b

        • C:\Users\Admin\AppData\Local\3EzN\WFS.exe

          Filesize

          194KB

          MD5

          2700cf7fad30f650eb8bae4ad14cd789

          SHA1

          7ae736913d0e5e653fb9ecf78db728cc02e8c7c5

          SHA256

          b0a605836be4d3363df0083660f6ce5e506ae67261b4767db8c2f57b0a33f3ce

          SHA512

          24a1ec8f70cfe69906a1429d059e1b7dce57eeef0d5076d205fed2be300d7e194e04cd09719fa6f12be1a8e50898f7bbc9c5a5ca282c0d07896c3a41c637a12c

        • C:\Users\Admin\AppData\Local\3EzN\WINMM.dll

          Filesize

          36KB

          MD5

          116b328d5248bdc6f56ea5688f35521d

          SHA1

          725b240e1320140154ee684f2ef3977ddbf6bc99

          SHA256

          d97f86c6d79d4bbe54a30b649a85a1e05f211e94cc3fdb285f3c80c6a35506cc

          SHA512

          685a7176014d8e94d7e101e7701dbfc402882d5609afe9d0838260ef6996e4ae95423a48ee4d50a247aaf439c6b121f305863170b605d1a63919982ee4d1af9d

        • C:\Users\Admin\AppData\Local\eSnT4YjY\WINMM.dll

          Filesize

          71KB

          MD5

          ff112775613be272d655da374e7b72c3

          SHA1

          3a270c68d61b9b14465b70619dc304bf2126d781

          SHA256

          6d3a99dd94ad5a62c0d654ab4c6b17df78babe3d447a8a47bcfef372671f1fba

          SHA512

          350594b9e647253d2e52ebc04115d7952c282b592537195fc753f8d747721ce9c3cb3012d887739b4a9b0358d9af0b4a0c8b55838e34a3348bbfc7abbb1007ca

        • C:\Users\Admin\AppData\Local\eSnT4YjY\xpsrchvw.exe

          Filesize

          11KB

          MD5

          a419b97ad08f24d52700575f506b202a

          SHA1

          54b87b9becf67ad9e3c03815f6d304bc6e363eb2

          SHA256

          acdc1947e48ff26eeed7f945795fd5293d66609449b22e75574db1c5218e7c99

          SHA512

          61a9afb5828e5e037d5a220a7bc573ea431ff222ccc59aa045bb4ca47591acf464bd77a898f26fe4edf1f479ea3a91391a84c05421e7ce439f97ebc9914c3914

        • C:\Users\Admin\AppData\Local\eSnT4YjY\xpsrchvw.exe

          Filesize

          237KB

          MD5

          0fbaab96ccc53e466d3adf7a39d45037

          SHA1

          480c2bb23feaef2d04fa77f6ffb48eacab1fa3b1

          SHA256

          072b253815d41b57f78ff31783eef94200233209ad30ee1d99ccb398f8dcff0e

          SHA512

          0fd2b4a3e57b02f9baa15b5a8fd76d726f6cce71452812562e821cb549731b3486863c69f29d994b1f89f9fdfe3fa2495b27cd62c65a87f537d51586cf72d08b

        • C:\Users\Admin\AppData\Local\vO6mC\BdeUISrv.exe

          Filesize

          21KB

          MD5

          d526dab478969eb6fab7a82d4be6cb59

          SHA1

          200f04e2a2fb2f04d12775cd9fe40b40f76db705

          SHA256

          bb5ff742ef3ac2a5f08e2cb8b3e5e62fcb0afa4ce9012ac720192de11e228bdf

          SHA512

          252803d5f46b721d3f0bb082dde3058f0414e71ec5ee9cc327c8b21981acd8c99e960c85d0e793d6dfefe67726e1483f87ca0897b4aac04c318f81967712f951

        • C:\Users\Admin\AppData\Local\vO6mC\WTSAPI32.dll

          Filesize

          62KB

          MD5

          441810deb20a0beeaca793e5dd68b04d

          SHA1

          f07bb853f68fc07b61f98aa462fb3495ee7faeed

          SHA256

          4997997f49f99e9150f448064918a848933a787d3956f6bfa7ec37bd9bbbf0a4

          SHA512

          8e732739e4e0e2aebcd65475230f6edaea2effa611e90c5fae2d7e6744d4874eb4ae60d5fb3c6897a92c68d55c0a4365af60456e14821d316e75315737fa54ec

        • C:\Users\Admin\AppData\Roaming\Identities\{EF0662BB-4AFF-4F56-815E-2ED0C139F855}\v8Pt7S7N\WTSAPI32.dll

          Filesize

          1.8MB

          MD5

          2bf2f71bab5cad10b47031fc14915362

          SHA1

          2fff2c6089aed41d9ca06d8956f7ddeaf3a449fd

          SHA256

          a104192f8299b6cf53f3595e3a0d7d7beb3a2521473b72feef84507b6513c249

          SHA512

          e38cfcc75b1a2ed1564dde7479824b6f5cc9a84d506468b46c7abaeb686e429a7f77b69b1bc68771e122b3b456949a3220fcd7933484d574ed42ac7e0eb2c56c

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Yiudzqwx.lnk

          Filesize

          1KB

          MD5

          708be9c3e850df602c1d752162510606

          SHA1

          3d48f749f90966c3cd64a1e13d4b6711e5724034

          SHA256

          dd367f316b6bf89cfccecc636a6cda7ee0502864472b6a19666757d6ee160893

          SHA512

          756274739b4032a04f755aa835ef06206a99a88b9d3d24125317323e130a4913bed0d10e3c2cf781de5d34df78882f83451e5a173feee288b4dbe661e7a95db3

        • C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\UserData\srvnYygizj\WINMM.dll

          Filesize

          3.8MB

          MD5

          92568ffe50d507281f62ab24bd01ee14

          SHA1

          4e4c552b664118b7e7726c013c3214315d0f6d9a

          SHA256

          a11f1e009014e9d75227f6d200d12b9ba0ae409287ac0b9a4832d53ac4ee3807

          SHA512

          4430fa89f22c62d2ab5718acb203674b2a76fb8873b256a7d22bc00d117d52bb54cc24786367ec1e65c8e78b42bbc8ed439c6b83460655927b71faa646ed87b8

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\j0cb\WINMM.dll

          Filesize

          614KB

          MD5

          ebde81d3a266a0ef0db55de7edc758f1

          SHA1

          a369b667a31b5eeb6f89e3266c8fa7e7f0f7cafc

          SHA256

          c3d7d968a01ac0a154091ee646dedc9f33979d9d1c9753ad75b3107e06804465

          SHA512

          818ef28b6be26847cfe5b86061ae4bfac4d9fb5979ad5aaad0574fbcca049033e6731fb3c71a5074cd14786275f1436f0aa696b47a02723686cd0829bc1faac0

        • \Users\Admin\AppData\Local\3EzN\WFS.exe

          Filesize

          163KB

          MD5

          6be99cac1629ad7ca4b8c9769d911bbf

          SHA1

          bb54c3ec95988430922f5458c7f99abd2dede7f8

          SHA256

          1897d88db026b4244cc123923ce052dbf03d9d633420b987e8b6de9674893672

          SHA512

          5bd152044d151459af4912f6556eed34236f754235c705bc81f6a62bef25adbb5177f21c6f59d53bdf1fb99c76670c8194e0d4efac695f530bd8d9b34575a736

        • \Users\Admin\AppData\Local\3EzN\WINMM.dll

          Filesize

          120KB

          MD5

          ef7f4cf6bb53de0de186f4ac52832f7b

          SHA1

          515772aad7d2a5dc0a12b5ae61b5aead5cd5781b

          SHA256

          46fba5763a98cb8116c953cf31ac7fcb8d461ad9ba091942025fe87412497875

          SHA512

          561ca1233e9fb2ed306af632feba40505963c2e76f716b0fadf1963b02aa6388b902d8c4f0386b94edb40c6923c0e209a596392ef20c8d9739bc95230a99a22a

        • \Users\Admin\AppData\Local\eSnT4YjY\WINMM.dll

          Filesize

          7KB

          MD5

          b404e8598944c13f6a6330bb1f7bfa92

          SHA1

          217f43354732856ac64382197f5fabf7ab75b48b

          SHA256

          d9bd9a5b86c21500ec39b3976468176d6a3455214917da8397e96e168703b9a8

          SHA512

          86f1995710c7cb6579a63b9646122e242672be81be63d426284bd564dfbe24d793f666370bb04934fedc7b6ee851d840d0ad8255829777edce08039665195834

        • \Users\Admin\AppData\Local\eSnT4YjY\xpsrchvw.exe

          Filesize

          292KB

          MD5

          022d3a08d08f0cc6508db0c2dcdcfeb8

          SHA1

          361df50887884b1f3b7b4d2f2b31b1d3dea6c14a

          SHA256

          2708846d8a4bf5e77722970c16431cc33e1d5548d85fd98e64a498e9c77a3325

          SHA512

          205e3f1a9ccda9fe7ad3ebe5a7e9e04bcbd7a4191c1818241364a3c3ef0ec524da242c36c1f5e7316358553e69970e4a64dbe63da3e360d9d1ba132ed7925100

        • \Users\Admin\AppData\Local\vO6mC\BdeUISrv.exe

          Filesize

          47KB

          MD5

          1da6b19be5d4949c868a264bc5e74206

          SHA1

          d5ee86ba03a03ef8c93d93accafe40461084c839

          SHA256

          00330a0e0eb1dbb6ee84997963f8e15c7c15c1df787f1c7f109609d7b31bd35c

          SHA512

          9cee858c55eb0852e5bad53a675a094ae591b46b07afe9fb4224cac32e0be577fe36c1ed3e9f6bda4d4eb0c924a773d00e3181cd97f07e24c6c68c70f2b002c6

        • \Users\Admin\AppData\Local\vO6mC\WTSAPI32.dll

          Filesize

          7KB

          MD5

          75de1f25a2b37fdc4646176b9aaa244a

          SHA1

          f92fbeef48bf85b229e1ebe52652bb9847aeb5be

          SHA256

          f50ff03137ad126614e76dc9b9faa367ff89e2a6ca62b3530ca1ab023aaa2608

          SHA512

          60d86e9eb4c35f4ac12f3cf9cbb6ae272c34b056b7b9be689ae3133a5fcbccbc94c8bc62b6f88e6623d47955a024ec6caf0e91f1b7c0f90ba00bbf2243503fa5

        • \Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\UserData\srvnYygizj\xpsrchvw.exe

          Filesize

          113KB

          MD5

          cba607de4b3afd201441ef1b57d86c9d

          SHA1

          540a2e7a476e21ea601304465a60022b57f9615c

          SHA256

          4135a4fba1fea5f603355105b3442592276928f60fae2a5c1fc1413ab3978ebd

          SHA512

          d7243eaec1b5e6fe88d601681b1e1cf50b7e507744ffbdacad83d1a55370ddf4c369f2a44839020225e8750e92c527fdb688b0730dca47864190688585d1b45b

        • memory/660-144-0x0000000000090000-0x0000000000097000-memory.dmp

          Filesize

          28KB

        • memory/1272-26-0x0000000140000000-0x00000001403BF000-memory.dmp

          Filesize

          3.7MB

        • memory/1272-61-0x0000000140000000-0x00000001403BF000-memory.dmp

          Filesize

          3.7MB

        • memory/1272-4-0x0000000076DA6000-0x0000000076DA7000-memory.dmp

          Filesize

          4KB

        • memory/1272-27-0x0000000140000000-0x00000001403BF000-memory.dmp

          Filesize

          3.7MB

        • memory/1272-28-0x0000000140000000-0x00000001403BF000-memory.dmp

          Filesize

          3.7MB

        • memory/1272-30-0x0000000140000000-0x00000001403BF000-memory.dmp

          Filesize

          3.7MB

        • memory/1272-29-0x0000000140000000-0x00000001403BF000-memory.dmp

          Filesize

          3.7MB

        • memory/1272-13-0x0000000140000000-0x00000001403BF000-memory.dmp

          Filesize

          3.7MB

        • memory/1272-31-0x0000000140000000-0x00000001403BF000-memory.dmp

          Filesize

          3.7MB

        • memory/1272-32-0x0000000140000000-0x00000001403BF000-memory.dmp

          Filesize

          3.7MB

        • memory/1272-33-0x0000000140000000-0x00000001403BF000-memory.dmp

          Filesize

          3.7MB

        • memory/1272-34-0x0000000140000000-0x00000001403BF000-memory.dmp

          Filesize

          3.7MB

        • memory/1272-35-0x0000000140000000-0x00000001403BF000-memory.dmp

          Filesize

          3.7MB

        • memory/1272-36-0x0000000140000000-0x00000001403BF000-memory.dmp

          Filesize

          3.7MB

        • memory/1272-37-0x0000000140000000-0x00000001403BF000-memory.dmp

          Filesize

          3.7MB

        • memory/1272-38-0x0000000140000000-0x00000001403BF000-memory.dmp

          Filesize

          3.7MB

        • memory/1272-40-0x0000000140000000-0x00000001403BF000-memory.dmp

          Filesize

          3.7MB

        • memory/1272-39-0x0000000140000000-0x00000001403BF000-memory.dmp

          Filesize

          3.7MB

        • memory/1272-41-0x0000000140000000-0x00000001403BF000-memory.dmp

          Filesize

          3.7MB

        • memory/1272-42-0x0000000140000000-0x00000001403BF000-memory.dmp

          Filesize

          3.7MB

        • memory/1272-44-0x0000000140000000-0x00000001403BF000-memory.dmp

          Filesize

          3.7MB

        • memory/1272-45-0x0000000140000000-0x00000001403BF000-memory.dmp

          Filesize

          3.7MB

        • memory/1272-47-0x0000000140000000-0x00000001403BF000-memory.dmp

          Filesize

          3.7MB

        • memory/1272-49-0x0000000140000000-0x00000001403BF000-memory.dmp

          Filesize

          3.7MB

        • memory/1272-50-0x0000000140000000-0x00000001403BF000-memory.dmp

          Filesize

          3.7MB

        • memory/1272-51-0x0000000140000000-0x00000001403BF000-memory.dmp

          Filesize

          3.7MB

        • memory/1272-53-0x0000000140000000-0x00000001403BF000-memory.dmp

          Filesize

          3.7MB

        • memory/1272-52-0x0000000140000000-0x00000001403BF000-memory.dmp

          Filesize

          3.7MB

        • memory/1272-48-0x0000000140000000-0x00000001403BF000-memory.dmp

          Filesize

          3.7MB

        • memory/1272-46-0x0000000140000000-0x00000001403BF000-memory.dmp

          Filesize

          3.7MB

        • memory/1272-54-0x0000000140000000-0x00000001403BF000-memory.dmp

          Filesize

          3.7MB

        • memory/1272-57-0x0000000140000000-0x00000001403BF000-memory.dmp

          Filesize

          3.7MB

        • memory/1272-58-0x0000000140000000-0x00000001403BF000-memory.dmp

          Filesize

          3.7MB

        • memory/1272-59-0x0000000140000000-0x00000001403BF000-memory.dmp

          Filesize

          3.7MB

        • memory/1272-60-0x0000000140000000-0x00000001403BF000-memory.dmp

          Filesize

          3.7MB

        • memory/1272-25-0x0000000140000000-0x00000001403BF000-memory.dmp

          Filesize

          3.7MB

        • memory/1272-56-0x0000000140000000-0x00000001403BF000-memory.dmp

          Filesize

          3.7MB

        • memory/1272-64-0x0000000140000000-0x00000001403BF000-memory.dmp

          Filesize

          3.7MB

        • memory/1272-65-0x0000000140000000-0x00000001403BF000-memory.dmp

          Filesize

          3.7MB

        • memory/1272-62-0x0000000140000000-0x00000001403BF000-memory.dmp

          Filesize

          3.7MB

        • memory/1272-63-0x0000000140000000-0x00000001403BF000-memory.dmp

          Filesize

          3.7MB

        • memory/1272-70-0x00000000026B0000-0x00000000026B7000-memory.dmp

          Filesize

          28KB

        • memory/1272-55-0x0000000140000000-0x00000001403BF000-memory.dmp

          Filesize

          3.7MB

        • memory/1272-43-0x0000000140000000-0x00000001403BF000-memory.dmp

          Filesize

          3.7MB

        • memory/1272-78-0x0000000076EB1000-0x0000000076EB2000-memory.dmp

          Filesize

          4KB

        • memory/1272-79-0x0000000077010000-0x0000000077012000-memory.dmp

          Filesize

          8KB

        • memory/1272-21-0x0000000140000000-0x00000001403BF000-memory.dmp

          Filesize

          3.7MB

        • memory/1272-24-0x0000000140000000-0x00000001403BF000-memory.dmp

          Filesize

          3.7MB

        • memory/1272-22-0x0000000140000000-0x00000001403BF000-memory.dmp

          Filesize

          3.7MB

        • memory/1272-23-0x0000000140000000-0x00000001403BF000-memory.dmp

          Filesize

          3.7MB

        • memory/1272-5-0x00000000026E0000-0x00000000026E1000-memory.dmp

          Filesize

          4KB

        • memory/1272-20-0x0000000140000000-0x00000001403BF000-memory.dmp

          Filesize

          3.7MB

        • memory/1272-12-0x0000000140000000-0x00000001403BF000-memory.dmp

          Filesize

          3.7MB

        • memory/1272-8-0x0000000140000000-0x00000001403BF000-memory.dmp

          Filesize

          3.7MB

        • memory/1272-17-0x0000000140000000-0x00000001403BF000-memory.dmp

          Filesize

          3.7MB

        • memory/1272-19-0x0000000140000000-0x00000001403BF000-memory.dmp

          Filesize

          3.7MB

        • memory/1272-18-0x0000000140000000-0x00000001403BF000-memory.dmp

          Filesize

          3.7MB

        • memory/1272-16-0x0000000140000000-0x00000001403BF000-memory.dmp

          Filesize

          3.7MB

        • memory/1272-15-0x0000000140000000-0x00000001403BF000-memory.dmp

          Filesize

          3.7MB

        • memory/1272-14-0x0000000140000000-0x00000001403BF000-memory.dmp

          Filesize

          3.7MB

        • memory/1272-11-0x0000000140000000-0x00000001403BF000-memory.dmp

          Filesize

          3.7MB

        • memory/1272-10-0x0000000140000000-0x00000001403BF000-memory.dmp

          Filesize

          3.7MB

        • memory/1272-9-0x0000000140000000-0x00000001403BF000-memory.dmp

          Filesize

          3.7MB

        • memory/1272-170-0x0000000076DA6000-0x0000000076DA7000-memory.dmp

          Filesize

          4KB

        • memory/1624-120-0x0000000000120000-0x0000000000127000-memory.dmp

          Filesize

          28KB

        • memory/2932-102-0x00000000000F0000-0x00000000000F7000-memory.dmp

          Filesize

          28KB

        • memory/3000-7-0x0000000140000000-0x00000001403BF000-memory.dmp

          Filesize

          3.7MB

        • memory/3000-0-0x0000000000110000-0x0000000000117000-memory.dmp

          Filesize

          28KB

        • memory/3000-1-0x0000000140000000-0x00000001403BF000-memory.dmp

          Filesize

          3.7MB