Analysis

  • max time kernel
    150s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64 arch:x86 image:win7-20231215-en locale:en-us os:windows7-x64 system
  • submitted
    25-01-2024 01:58

General

  • Target

    736f4c09867897af390e3e0bf50a0b23.dll

  • Size

    3.5MB

  • MD5

    736f4c09867897af390e3e0bf50a0b23

  • SHA1

    3194159767a1ca1c25f18e33b5f790394c9f5cd9

  • SHA256

    fee679a74d93c6adee409515fdf168e955e056dae2949cbf848a48e03a8ac97d

  • SHA512

    3c33731da1c256f43480f8b6e9480209a9f65dcefd9ea45f3bfa754e8f21fa022dca160f227fd223da04027d692e7001ed19882e0c3ba60962d79c119b76d497

  • SSDEEP

    12288:SVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:PfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Malware Config

Signatures

  • Dridex

    Dridex (known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 9 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\736f4c09867897af390e3e0bf50a0b23.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2208
  • C:\Windows\system32\spinstall.exe
    C:\Windows\system32\spinstall.exe
    1⤵
      PID:1384
    • C:\Users\Admin\AppData\Local\k16Ck\spinstall.exe
      C:\Users\Admin\AppData\Local\k16Ck\spinstall.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:1484
    • C:\Windows\system32\SnippingTool.exe
      C:\Windows\system32\SnippingTool.exe
      1⤵
        PID:2956
      • C:\Users\Admin\AppData\Local\QvEm\SnippingTool.exe
        C:\Users\Admin\AppData\Local\QvEm\SnippingTool.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:1568
      • C:\Windows\system32\Dxpserver.exe
        C:\Windows\system32\Dxpserver.exe
        1⤵
          PID:1968
        • C:\Users\Admin\AppData\Local\6Jn\Dxpserver.exe
          C:\Users\Admin\AppData\Local\6Jn\Dxpserver.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1736
        • C:\Windows\system32\DisplaySwitch.exe
          C:\Windows\system32\DisplaySwitch.exe
          1⤵
            PID:2032
          • C:\Users\Admin\AppData\Local\qLT6b\DisplaySwitch.exe
            C:\Users\Admin\AppData\Local\qLT6b\DisplaySwitch.exe
            1⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Checks whether UAC is enabled
            PID:1620

          Network

          MITRE ATT&CK Enterprise v15

          Downloads

          • C:\Users\Admin\AppData\Local\6Jn\XmlLite.dll

            Filesize

            3.5MB

            MD5

            d13998e695b9a489ec9c72a26b77359d

            SHA1

            d4ada77aeda6845e5a8323244549e2f0dc30e9d6

            SHA256

            d4499394031f6e3cd4de47266131e071246a4db2f58877dc98bf1b85726f45e4

            SHA512

            3872e97f9f12de1af0bbaf53a912a3ab9acc57de1fdb804f4433c6a9b0f4daaf1e43bc3287b80bb1ab2d390a9e34e887be05321abcba534803fc07c15993cbaf

          • C:\Users\Admin\AppData\Local\k16Ck\VERSION.dll

            Filesize

            3.5MB

            MD5

            959843c47eaa9bf47c245f7a7c54cc2d

            SHA1

            2dcdd7573d2610e191c93dd9258bd34b4ff9db84

            SHA256

            43aa786c45ea377bc4a94866a73c928a1c837847886d2beac226fb0bd4545a47

            SHA512

            c4a708ad81d4b74199789314fa6b9271b3dac8bd5d860468fd5e20f4170ea0385e031925e895f9bb218e1d050008686725aacc1672ef18ec7222590066d1fcc0

          • C:\Users\Admin\AppData\Local\qLT6b\slc.dll

            Filesize

            3.5MB

            MD5

            dddf0650057a9829b318e04ca649712b

            SHA1

            2a7536c1a41714a4a414c59cddf3dadceb051069

            SHA256

            6bf59a4cf6b430b08be2e0d8040d021479a24f5a54ca7ab4452694bb3e1625ca

            SHA512

            2cfe9b1cc4721dd359a24494b70d9bc25cb6ba3460e70dc957942ef99c5aa4d79c440ca92c509f7f0c1b0d1951b99d57fb975c19c3607f74cf298092e3f15df8

          • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ercyejwqgvsruoy.lnk

            Filesize

            1KB

            MD5

            446aee12d83216e14a6be88e30f14504

            SHA1

            89cfac8fd71c730139b0ee4442532b1a97d20278

            SHA256

            5188e885664b6a89a8316d23e0b2adf0b7fa6b483fafb850ceb424bad7167428

            SHA512

            244cbe4a354281cae1c50544b08e2b657c38393cf3b5979150a64ff9887d8da43fbb70ac528b677a7b5aca0853634532add97d537bd793e56cd93925a2e2a8b2

          • \Users\Admin\AppData\Local\6Jn\Dxpserver.exe

            Filesize

            259KB

            MD5

            4d38389fb92e43c77a524fd96dbafd21

            SHA1

            08014e52f6894cad4f1d1e6fc1a703732e9acd19

            SHA256

            070bc95c486c15d2edc3548ba416dc9565ead401cb03a0472f719fb55ac94e73

            SHA512

            02d8d130cff2b8de15139d309e1cd74a2148bb786fd749e5f22775d45e193b0f75adf40274375cabce33576480ff20456f25172d29a034cd134b8084d40a67ba

          • \Users\Admin\AppData\Local\QvEm\SnippingTool.exe

            Filesize

            421KB

            MD5

            7633f554eeafde7f144b41c2fcaf5f63

            SHA1

            44497c3d6fada0066598a6170b90c53e28ddf96c

            SHA256

            890884c7fe7d037e6debd21d1877e9c9c5e7790cdba007ddb219ae6a55667f78

            SHA512

            7b61b6736c2c4f49d80f53c839914ad845f86a7d921fee1557e49aa7b4e9713e3483417d6c717eca155229bb6a90fc2253e1543cf05192aaf08262dc761fa203

          • \Users\Admin\AppData\Local\QvEm\slc.dll

            Filesize

            3.5MB

            MD5

            58787c8a3f1b7b4b511aa735b79d2cd5

            SHA1

            96bcbd2c9cf87ede17a25e95eda96ba1171a09bf

            SHA256

            1ff2979a16cb202124f72d196d276453a5234e52f1d157f638df0a5c40fae66e

            SHA512

            e4c07af389b06ec61367efd8a8149b8ad8b13161a55baa042a0a56b9fe1f9cf97b53b408f67c0dc482643f220e81385e0d29dbeed3811234ef3c6637d1614c10

          • \Users\Admin\AppData\Local\k16Ck\spinstall.exe

            Filesize

            584KB

            MD5

            29c1d5b330b802efa1a8357373bc97fe

            SHA1

            90797aaa2c56fc2a667c74475996ea1841bc368f

            SHA256

            048bd22abf158346ab991a377cc6e9d2b20b4d73ccee7656c96a41f657e7be7f

            SHA512

            66f4f75a04340a1dd55dfdcc3ff1103ea34a55295f56c12e88d38d1a41e5be46b67c98bd66ac9f878ce79311773e374ed2bce4dd70e8bb5543e4ec1dd56625ee

          • \Users\Admin\AppData\Local\qLT6b\DisplaySwitch.exe

            Filesize

            517KB

            MD5

            b795e6138e29a37508285fc31e92bd78

            SHA1

            d0fe0c38c7c61adbb77e58d48b96cd4bf98ecd4a

            SHA256

            01a9733871baa8518092bade3fce62dcca14cdf6fc55b98218253580b38d7659

            SHA512

            8312174a77bab5fef7c4e9efff66c43d3515b02f5766ed1d3b9bd0abb3d7344a9a22cbac228132098428c122293d2b1898b3a2d75f5e4247b1dcb9aa9c7913b1

          • memory/1208-43-0x0000000140000000-0x000000014037A000-memory.dmp

            Filesize

            3.5MB

          • memory/1208-19-0x0000000140000000-0x000000014037A000-memory.dmp

            Filesize

            3.5MB

          • memory/1208-17-0x0000000140000000-0x000000014037A000-memory.dmp

            Filesize

            3.5MB

          • memory/1208-49-0x0000000140000000-0x000000014037A000-memory.dmp

            Filesize

            3.5MB

          • memory/1208-20-0x0000000140000000-0x000000014037A000-memory.dmp

            Filesize

            3.5MB

          • memory/1208-48-0x0000000140000000-0x000000014037A000-memory.dmp

            Filesize

            3.5MB

          • memory/1208-22-0x0000000140000000-0x000000014037A000-memory.dmp

            Filesize

            3.5MB

          • memory/1208-21-0x0000000140000000-0x000000014037A000-memory.dmp

            Filesize

            3.5MB

          • memory/1208-23-0x0000000140000000-0x000000014037A000-memory.dmp

            Filesize

            3.5MB

          • memory/1208-25-0x0000000140000000-0x000000014037A000-memory.dmp

            Filesize

            3.5MB

          • memory/1208-24-0x0000000140000000-0x000000014037A000-memory.dmp

            Filesize

            3.5MB

          • memory/1208-26-0x0000000140000000-0x000000014037A000-memory.dmp

            Filesize

            3.5MB

          • memory/1208-28-0x0000000140000000-0x000000014037A000-memory.dmp

            Filesize

            3.5MB

          • memory/1208-27-0x0000000140000000-0x000000014037A000-memory.dmp

            Filesize

            3.5MB

          • memory/1208-29-0x0000000140000000-0x000000014037A000-memory.dmp

            Filesize

            3.5MB

          • memory/1208-31-0x0000000140000000-0x000000014037A000-memory.dmp

            Filesize

            3.5MB

          • memory/1208-32-0x0000000140000000-0x000000014037A000-memory.dmp

            Filesize

            3.5MB

          • memory/1208-30-0x0000000140000000-0x000000014037A000-memory.dmp

            Filesize

            3.5MB

          • memory/1208-35-0x0000000140000000-0x000000014037A000-memory.dmp

            Filesize

            3.5MB

          • memory/1208-34-0x0000000140000000-0x000000014037A000-memory.dmp

            Filesize

            3.5MB

          • memory/1208-33-0x0000000140000000-0x000000014037A000-memory.dmp

            Filesize

            3.5MB

          • memory/1208-40-0x0000000140000000-0x000000014037A000-memory.dmp

            Filesize

            3.5MB

          • memory/1208-41-0x0000000140000000-0x000000014037A000-memory.dmp

            Filesize

            3.5MB

          • memory/1208-39-0x0000000140000000-0x000000014037A000-memory.dmp

            Filesize

            3.5MB

          • memory/1208-38-0x0000000140000000-0x000000014037A000-memory.dmp

            Filesize

            3.5MB

          • memory/1208-37-0x0000000140000000-0x000000014037A000-memory.dmp

            Filesize

            3.5MB

          • memory/1208-36-0x0000000140000000-0x000000014037A000-memory.dmp

            Filesize

            3.5MB

          • memory/1208-47-0x0000000140000000-0x000000014037A000-memory.dmp

            Filesize

            3.5MB

          • memory/1208-46-0x0000000140000000-0x000000014037A000-memory.dmp

            Filesize

            3.5MB

          • memory/1208-45-0x0000000140000000-0x000000014037A000-memory.dmp

            Filesize

            3.5MB

          • memory/1208-44-0x0000000140000000-0x000000014037A000-memory.dmp

            Filesize

            3.5MB

          • memory/1208-4-0x0000000077996000-0x0000000077997000-memory.dmp

            Filesize

            4KB

          • memory/1208-42-0x0000000140000000-0x000000014037A000-memory.dmp

            Filesize

            3.5MB

          • memory/1208-50-0x0000000140000000-0x000000014037A000-memory.dmp

            Filesize

            3.5MB

          • memory/1208-18-0x0000000140000000-0x000000014037A000-memory.dmp

            Filesize

            3.5MB

          • memory/1208-54-0x0000000140000000-0x000000014037A000-memory.dmp

            Filesize

            3.5MB

          • memory/1208-16-0x0000000140000000-0x000000014037A000-memory.dmp

            Filesize

            3.5MB

          • memory/1208-53-0x0000000140000000-0x000000014037A000-memory.dmp

            Filesize

            3.5MB

          • memory/1208-52-0x0000000140000000-0x000000014037A000-memory.dmp

            Filesize

            3.5MB

          • memory/1208-51-0x0000000140000000-0x000000014037A000-memory.dmp

            Filesize

            3.5MB

          • memory/1208-56-0x0000000140000000-0x000000014037A000-memory.dmp

            Filesize

            3.5MB

          • memory/1208-55-0x0000000140000000-0x000000014037A000-memory.dmp

            Filesize

            3.5MB

          • memory/1208-61-0x0000000140000000-0x000000014037A000-memory.dmp

            Filesize

            3.5MB

          • memory/1208-62-0x0000000140000000-0x000000014037A000-memory.dmp

            Filesize

            3.5MB

          • memory/1208-60-0x0000000140000000-0x000000014037A000-memory.dmp

            Filesize

            3.5MB

          • memory/1208-59-0x0000000140000000-0x000000014037A000-memory.dmp

            Filesize

            3.5MB

          • memory/1208-58-0x0000000140000000-0x000000014037A000-memory.dmp

            Filesize

            3.5MB

          • memory/1208-57-0x0000000140000000-0x000000014037A000-memory.dmp

            Filesize

            3.5MB

          • memory/1208-63-0x0000000140000000-0x000000014037A000-memory.dmp

            Filesize

            3.5MB

          • memory/1208-64-0x0000000140000000-0x000000014037A000-memory.dmp

            Filesize

            3.5MB

          • memory/1208-65-0x0000000140000000-0x000000014037A000-memory.dmp

            Filesize

            3.5MB

          • memory/1208-69-0x0000000002140000-0x0000000002147000-memory.dmp

            Filesize

            28KB

          • memory/1208-77-0x0000000077AA1000-0x0000000077AA2000-memory.dmp

            Filesize

            4KB

          • memory/1208-78-0x0000000077C00000-0x0000000077C02000-memory.dmp

            Filesize

            8KB

          • memory/1208-15-0x0000000140000000-0x000000014037A000-memory.dmp

            Filesize

            3.5MB

          • memory/1208-7-0x0000000140000000-0x000000014037A000-memory.dmp

            Filesize

            3.5MB

          • memory/1208-5-0x0000000002170000-0x0000000002171000-memory.dmp

            Filesize

            4KB

          • memory/1208-13-0x0000000140000000-0x000000014037A000-memory.dmp

            Filesize

            3.5MB

          • memory/1208-14-0x0000000140000000-0x000000014037A000-memory.dmp

            Filesize

            3.5MB

          • memory/1208-123-0x0000000077996000-0x0000000077997000-memory.dmp

            Filesize

            4KB

          • memory/1208-12-0x0000000140000000-0x000000014037A000-memory.dmp

            Filesize

            3.5MB

          • memory/1208-9-0x0000000140000000-0x000000014037A000-memory.dmp

            Filesize

            3.5MB

          • memory/1208-10-0x0000000140000000-0x000000014037A000-memory.dmp

            Filesize

            3.5MB

          • memory/1208-11-0x0000000140000000-0x000000014037A000-memory.dmp

            Filesize

            3.5MB

          • memory/1484-105-0x00000000000F0000-0x00000000000F7000-memory.dmp

            Filesize

            28KB

          • memory/1568-125-0x0000000000120000-0x0000000000127000-memory.dmp

            Filesize

            28KB

          • memory/1620-157-0x0000000000180000-0x0000000000187000-memory.dmp

            Filesize

            28KB

          • memory/1736-138-0x00000000001F0000-0x00000000001F7000-memory.dmp

            Filesize

            28KB

          • memory/2208-0-0x0000000001BE0000-0x0000000001BE7000-memory.dmp

            Filesize

            28KB

          • memory/2208-1-0x0000000140000000-0x000000014037A000-memory.dmp

            Filesize

            3.5MB

          • memory/2208-8-0x0000000140000000-0x000000014037A000-memory.dmp

            Filesize

            3.5MB