Analysis

  • max time kernel
    150s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags
    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    25-01-2024 05:15

General

  • Target

    73d3e10fa82e2301bd8fb5cabf77c864.dll

  • Size

    1.8MB

  • MD5

    73d3e10fa82e2301bd8fb5cabf77c864

  • SHA1

    d2b3b357137270b8fd1a4d7e2cb60a8b6ff1dc05

  • SHA256

    bdec67160c740cc4f649a1688c8cdc2467729c086df711606600d9967c967641

  • SHA512

    8b3af541942e69cb96783ed8ea2ac18bda4e9e91d1ea57e1ab8d6b66ca07ec51c699bccf3b612e98b98ab37f929a30cb3547a7d97210289a8928e90b6fc46c81

  • SSDEEP

    12288:5VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:4fP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex payload shellcode injected into the Explorer process.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\73d3e10fa82e2301bd8fb5cabf77c864.dll,#1
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2188
  • C:\Windows\system32\PresentationSettings.exe
    C:\Windows\system32\PresentationSettings.exe
      PID:2624
    • C:\Users\Admin\AppData\Local\oVAOIMn3u\PresentationSettings.exe
      C:\Users\Admin\AppData\Local\oVAOIMn3u\PresentationSettings.exe
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2764
    • C:\Windows\system32\iexpress.exe
      C:\Windows\system32\iexpress.exe
        PID:1700
      • C:\Users\Admin\AppData\Local\nUt4bjZ\iexpress.exe
        C:\Users\Admin\AppData\Local\nUt4bjZ\iexpress.exe
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:948
      • C:\Users\Admin\AppData\Local\bhrUSAnk\tcmsetup.exe
        C:\Users\Admin\AppData\Local\bhrUSAnk\tcmsetup.exe
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:1824
      • C:\Windows\system32\tcmsetup.exe
        C:\Windows\system32\tcmsetup.exe
          PID:1068

Network

MITRE ATT&CK Enterprise v15

Downloads

        • C:\Users\Admin\AppData\Local\bhrUSAnk\TAPI32.dll

          Filesize

          9KB

          MD5

          8cdff0acbc15aab78b5c6cd664f60f2f

          SHA1

          1f28b10bcab530438e49d7db8e929863fdbc0648

          SHA256

          40ec756adca9f18693267782a5e7f7e7e7dd758ec0138b9c4a84d4cbd0278c57

          SHA512

          5e12b9649569f4977b9318f25b6ed727e2e30a04ee54ac02f114902c3f753b1b43c996f8843039704fda0c5c63b06f5ecd197cf518d3bc60331d088608879a3b

        • C:\Users\Admin\AppData\Local\bhrUSAnk\tcmsetup.exe

          Filesize

          15KB

          MD5

          0b08315da0da7f9f472fbab510bfe7b8

          SHA1

          33ba48fd980216becc532466a5ff8476bec0b31c

          SHA256

          e19556bb7aa39bbd5f0d568a95aec0b3af18dda438cc5737f945243b24d106e7

          SHA512

          c30501546efe2b0c003ef87ac381e901c69ddfc6791c6a5102cff3a07f56555d94995a4413b93036821aa214fc31501fa87eb519e1890ef75b2ec497983ffd58

        • C:\Users\Admin\AppData\Local\bhrUSAnk\tcmsetup.exe

          Filesize

          11KB

          MD5

          c47df0f0fafc67840e5308ca47fb34eb

          SHA1

          67e7ba565c6661c863304f329151866843fee13c

          SHA256

          f820ba259fe1e0f6e8ece35b938a14ca7544c175c15db1f9b128fed2513feb35

          SHA512

          0f34eb0bca098344d1ed79bab42757c05152158bee84b63a5a51b570fcd36443c3d5b4bb06b6129ca8d9f32e3ab870c3eeafc216ee5d0e8d0d59cdb5917e78a3

        • C:\Users\Admin\AppData\Local\nUt4bjZ\VERSION.dll

          Filesize

          73KB

          MD5

          3f1f0bfab2bd73c1dd3a185a12834754

          SHA1

          db114d9e8b98dd8697d764f500dbc129dd1e2e89

          SHA256

          ffd3d764f0e922321d933e311e928374f3ee58e81b3a58ee5302be0a5ad0a620

          SHA512

          3006bc25d445aed9b058bbd779a3665b790398951f593900499ff13e6bef33329ed44ae6c0b3e34dad9c79faadeac407ebd1670f4c85955105965211bb04db83

        • C:\Users\Admin\AppData\Local\nUt4bjZ\iexpress.exe

          Filesize

          64KB

          MD5

          e9810113a0227ee3c2e866f74230faab

          SHA1

          7b37f03123dab70357e6a23904d5a0fa32211a13

          SHA256

          fe460ac2fe97c4fb8a5bc3e61fb6b1c3b05cdb78dbf745e2764cf4dfec3ea9b7

          SHA512

          4be92515750fa5f592a19b2b83ee6fd5dd3dcd272cf97b9eba5e57e2f2c7139b3b8b3ee4b94976dc8fd3df62e2c9938056ae3ad387a5747c56caf35af210fec2

        • C:\Users\Admin\AppData\Local\nUt4bjZ\iexpress.exe

          Filesize

          30KB

          MD5

          62758063351e1779b2f43c8a3d4afcce

          SHA1

          764dd1da15e99aa1e5e73eff440af0a0c8f49fb3

          SHA256

          03c7a11e071ea7d4f938de4584f8e0a235b64efb4864b3e65ba4816173338a48

          SHA512

          f875099a3953e8147c219d45da39488cf53ed3a0117c805e15c5cf4922dcdb52e513d751c034fcb5e6ac54cbd151f3d791388f4388864b7d391bf9c60598e9c6

        • C:\Users\Admin\AppData\Local\oVAOIMn3u\PresentationSettings.exe

          Filesize

          58KB

          MD5

          2dc2336d9661bd0c0a3410b30feedc5c

          SHA1

          56d3f8b24f3c8d8cd626ad1b654a5d48e6dae211

          SHA256

          b91d1f53d6171beedd044d0e5e8148112efa41274be644d890d959501ee7811e

          SHA512

          0ae2adfa3937bbe6ac098b4fcc345ce32df2da5437ef384c958e4c3e4b4eb5f83147f07b50f7882d6453df2c1ede5baac3d929c11fb35cc7d4c5ab10cffbe971

        • C:\Users\Admin\AppData\Local\oVAOIMn3u\WINMM.dll

          Filesize

          76KB

          MD5

          ac055faf85f34a7a4fa9cc285ed443ad

          SHA1

          222815a74c9af8748ff116455536560f0f71cb14

          SHA256

          cb30ab88fe515ad47a63b9f4e2b3895b42434bbe7c67c1bd102eb05f065c6513

          SHA512

          5095963469beaea86993ff59a21e2784b7f7366b8af5110be2b43a1a6826a6ee91d32e25b06792e070afe49ef450ce3831d8b476a580ddab00af4826a06e4ab4

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Aqrvnhd.lnk

          Filesize

          1KB

          MD5

          277c50e4065b2485579acc0f2bcbe2d8

          SHA1

          52fc91536b88dfe89427bfac32584f4d41d5a109

          SHA256

          94182697fb108b76b17c23ca1aedd2ff60887fc66e9860d1426553720cc06b13

          SHA512

          52ddafafd4ae96cb477328127b8b8536da2c88e659150e8d429a030ad01f5a6306fd1b62f63710f85f51c974245bb69f0877d56df68eee38f409c2b3f0d9fd96

        • C:\Users\Admin\AppData\Roaming\Macromedia\iCqj\PresentationSettings.exe

          Filesize

          5KB

          MD5

          eabe8bd7d7c4cda27cfafdcad83df71a

          SHA1

          070320c8622024b87d64c2d34b1903e3c8f19535

          SHA256

          3e7769f937369a90fa467945f097cddd37f89210cb3b2f24aa04c1b168d7f850

          SHA512

          f83589f10d03b639fdf12220309e7a32c3eabdcf2fbcaa924ce6dabaa4028a04620b580184c34af0b7f8d7a84749bc85dc5028dc34567253d439f6fe1319e01a

        • C:\Users\Admin\AppData\Roaming\Macromedia\iCqj\WINMM.dll

          Filesize

          9KB

          MD5

          e9a403fa5e80c89ca13994fef2f18fe8

          SHA1

          e1b1ad7431204a105c4f2d6807fcb6be1a5fad9b

          SHA256

          2693d7de76f7dbae7c7fb558157036eec23a995a3d6f72dd23e61e9553b4845e

          SHA512

          f65fef13b38b6ef707c02633b0915b7cd529e5e0f58a35438f6896ec25b8024ea444bcb1cd63192e890ebd9c6fd97e9487841e59f7667c3f3ef9df740bddaefc

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\DNTException\Low\joiiHQ43\TAPI32.dll

          Filesize

          1.8MB

          MD5

          fa2df8248f211ddb2edb3ffe0b474dc4

          SHA1

          61cfe95357423020ca3abcacae00af9c0395f336

          SHA256

          040bf7a4a6ad1e7a93d881a23d1c932ea4a8acf7ff5d97681046f7c9783e6d9f

          SHA512

          b3c70abd63849bf3aa70bbe21566329af9bfdfd040cfd4619f8424f259b6c1e3558d4e628d0f95632b258ca9140fa17f758e30dc2ebccee265a1d50ac5e7b7d2

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\O60FA2\VERSION.dll

          Filesize

          1.2MB

          MD5

          050f35d3e6f7f7b56465e52c9b13d6ed

          SHA1

          eca1c7f71981a4b78980b9dd03ee6d984ae39a32

          SHA256

          2aeaab8a6ebb6313aaeb67c77f61fbd25e943e55e13c0dda93d65d6199334b5d

          SHA512

          5e575cb18b6cd4a764672ef074eab513779dafa72d3b8f069df7f65879ed7168291fef3cc792f8167e3377fe3d094ad927d9a0b860a42a92cdb2d836bde10105

        • \Users\Admin\AppData\Local\bhrUSAnk\TAPI32.dll

          Filesize

          50KB

          MD5

          0d8ac2a3dee9404410435ddef9782222

          SHA1

          5fbbe3d5ff1eab1a079ea59f8f8e7ce533a81686

          SHA256

          de2314ceb3d6dc3a3ec2b825585994f2116aaa0e7fb6c76e0d8e4c3696881a0f

          SHA512

          14ead813bad4efddc8cbe3c9b8611740475835d288026c8aec2f26ba92211ef177c302cddd9cba56e10f6a1bc87856d1219d69ebfac05124d119705a57ad0904

        • \Users\Admin\AppData\Local\nUt4bjZ\VERSION.dll

          Filesize

          120KB

          MD5

          7d56de3c545e8a1527f2d62cb19fe762

          SHA1

          7b51bba11a2f6c64ea3af6e6700183e340c30778

          SHA256

          c703687dff0fbb84b4580f9d24db35903ccd24b9553f232bfbd9ca6666977cc9

          SHA512

          6a38541e300d7cf60793025cb6aab47ec2a7da9913fdfcb8cf8359f2d266131f1a085ebb2da4ac34f301dc5b40a2465931c3562a9718876c76e6ba3120f7bdd0

        • \Users\Admin\AppData\Local\nUt4bjZ\iexpress.exe

          Filesize

          81KB

          MD5

          47cf6057d543a387014ea38243c130dd

          SHA1

          887f31468257a688bee14dae50d333e5ba6e7bac

          SHA256

          6012cac0c9a5e30012d9d8d8ca027938e63158edda0fee2d76c29e295b49319d

          SHA512

          52ad14826480d366d52d52ac44d6929b4a719e173e5bc5405aa65fc1c536b05cf1d82db7b16500a83fc7705302ef55b5b6cf25902aceb875fcdafcce5637a95c

        • \Users\Admin\AppData\Local\oVAOIMn3u\PresentationSettings.exe

          Filesize

          96KB

          MD5

          67458fce22e3ac3e6a13662fc914af5b

          SHA1

          83ba7b4ae0a2e97c95abef3af1d73a619aa5ac80

          SHA256

          43a31a2842ba1f414bd64bd7baf119fbd301ec9a81fbad5dc92b191a3c6453ff

          SHA512

          7a9f7322c04a2f121fea7cbb865d6084d43fc8bfeac8a461a4795a3739ca0ebedc69aa6654d33564e33ccd7756e169c6b50959cd974ca408f30fab790831bdd9

        • \Users\Admin\AppData\Local\oVAOIMn3u\WINMM.dll

          Filesize

          141KB

          MD5

          5c31f8b21a416a2781bf7fefb9aebf5e

          SHA1

          c789a6a96fc743b7c7ab1c1f06f1f61f424e34f4

          SHA256

          12eb45a3b5ec71dbb2ff430016eda3124e3383fc3a1af9ed3c204d02011c0be5

          SHA512

          cda5d113ebc2d259a5106e49a26e484aaeeb5aab5d98b759eb87d85a09d3bddd861993d1b0e8892fda0370f0d605c52d18a8a141e93dc08c3858253510688318

        • memory/948-107-0x0000000000180000-0x0000000000187000-memory.dmp

          Filesize

          28KB

        • memory/1256-33-0x0000000140000000-0x00000001401C7000-memory.dmp

          Filesize

          1.8MB

        • memory/1256-22-0x0000000140000000-0x00000001401C7000-memory.dmp

          Filesize

          1.8MB

        • memory/1256-48-0x0000000140000000-0x00000001401C7000-memory.dmp

          Filesize

          1.8MB

        • memory/1256-47-0x0000000140000000-0x00000001401C7000-memory.dmp

          Filesize

          1.8MB

        • memory/1256-46-0x0000000140000000-0x00000001401C7000-memory.dmp

          Filesize

          1.8MB

        • memory/1256-45-0x0000000140000000-0x00000001401C7000-memory.dmp

          Filesize

          1.8MB

        • memory/1256-44-0x0000000140000000-0x00000001401C7000-memory.dmp

          Filesize

          1.8MB

        • memory/1256-43-0x0000000140000000-0x00000001401C7000-memory.dmp

          Filesize

          1.8MB

        • memory/1256-41-0x0000000140000000-0x00000001401C7000-memory.dmp

          Filesize

          1.8MB

        • memory/1256-40-0x0000000140000000-0x00000001401C7000-memory.dmp

          Filesize

          1.8MB

        • memory/1256-39-0x0000000140000000-0x00000001401C7000-memory.dmp

          Filesize

          1.8MB

        • memory/1256-38-0x0000000140000000-0x00000001401C7000-memory.dmp

          Filesize

          1.8MB

        • memory/1256-76-0x0000000140000000-0x00000001401C7000-memory.dmp

          Filesize

          1.8MB

        • memory/1256-36-0x0000000140000000-0x00000001401C7000-memory.dmp

          Filesize

          1.8MB

        • memory/1256-51-0x0000000140000000-0x00000001401C7000-memory.dmp

          Filesize

          1.8MB

        • memory/1256-72-0x0000000140000000-0x00000001401C7000-memory.dmp

          Filesize

          1.8MB

        • memory/1256-62-0x00000000774E1000-0x00000000774E2000-memory.dmp

          Filesize

          4KB

        • memory/1256-35-0x0000000140000000-0x00000001401C7000-memory.dmp

          Filesize

          1.8MB

        • memory/1256-4-0x00000000772D6000-0x00000000772D7000-memory.dmp

          Filesize

          4KB

        • memory/1256-34-0x0000000140000000-0x00000001401C7000-memory.dmp

          Filesize

          1.8MB

        • memory/1256-5-0x0000000002DA0000-0x0000000002DA1000-memory.dmp

          Filesize

          4KB

        • memory/1256-31-0x0000000140000000-0x00000001401C7000-memory.dmp

          Filesize

          1.8MB

        • memory/1256-30-0x0000000140000000-0x00000001401C7000-memory.dmp

          Filesize

          1.8MB

        • memory/1256-28-0x0000000140000000-0x00000001401C7000-memory.dmp

          Filesize

          1.8MB

        • memory/1256-27-0x0000000140000000-0x00000001401C7000-memory.dmp

          Filesize

          1.8MB

        • memory/1256-26-0x0000000140000000-0x00000001401C7000-memory.dmp

          Filesize

          1.8MB

        • memory/1256-25-0x0000000140000000-0x00000001401C7000-memory.dmp

          Filesize

          1.8MB

        • memory/1256-24-0x0000000140000000-0x00000001401C7000-memory.dmp

          Filesize

          1.8MB

        • memory/1256-23-0x0000000140000000-0x00000001401C7000-memory.dmp

          Filesize

          1.8MB

        • memory/1256-50-0x0000000140000000-0x00000001401C7000-memory.dmp

          Filesize

          1.8MB

        • memory/1256-21-0x0000000140000000-0x00000001401C7000-memory.dmp

          Filesize

          1.8MB

        • memory/1256-20-0x0000000140000000-0x00000001401C7000-memory.dmp

          Filesize

          1.8MB

        • memory/1256-18-0x0000000140000000-0x00000001401C7000-memory.dmp

          Filesize

          1.8MB

        • memory/1256-17-0x0000000140000000-0x00000001401C7000-memory.dmp

          Filesize

          1.8MB

        • memory/1256-16-0x0000000140000000-0x00000001401C7000-memory.dmp

          Filesize

          1.8MB

        • memory/1256-15-0x0000000140000000-0x00000001401C7000-memory.dmp

          Filesize

          1.8MB

        • memory/1256-14-0x0000000140000000-0x00000001401C7000-memory.dmp

          Filesize

          1.8MB

        • memory/1256-13-0x0000000140000000-0x00000001401C7000-memory.dmp

          Filesize

          1.8MB

        • memory/1256-12-0x0000000140000000-0x00000001401C7000-memory.dmp

          Filesize

          1.8MB

        • memory/1256-11-0x0000000140000000-0x00000001401C7000-memory.dmp

          Filesize

          1.8MB

        • memory/1256-9-0x0000000140000000-0x00000001401C7000-memory.dmp

          Filesize

          1.8MB

        • memory/1256-8-0x0000000140000000-0x00000001401C7000-memory.dmp

          Filesize

          1.8MB

        • memory/1256-151-0x00000000772D6000-0x00000000772D7000-memory.dmp

          Filesize

          4KB

        • memory/1256-63-0x0000000077640000-0x0000000077642000-memory.dmp

          Filesize

          8KB

        • memory/1256-61-0x0000000140000000-0x00000001401C7000-memory.dmp

          Filesize

          1.8MB

        • memory/1256-52-0x0000000140000000-0x00000001401C7000-memory.dmp

          Filesize

          1.8MB

        • memory/1256-60-0x0000000002DB0000-0x0000000002DB7000-memory.dmp

          Filesize

          28KB

        • memory/1256-53-0x0000000140000000-0x00000001401C7000-memory.dmp

          Filesize

          1.8MB

        • memory/1256-49-0x0000000140000000-0x00000001401C7000-memory.dmp

          Filesize

          1.8MB

        • memory/1256-42-0x0000000140000000-0x00000001401C7000-memory.dmp

          Filesize

          1.8MB

        • memory/1256-37-0x0000000140000000-0x00000001401C7000-memory.dmp

          Filesize

          1.8MB

        • memory/1256-10-0x0000000140000000-0x00000001401C7000-memory.dmp

          Filesize

          1.8MB

        • memory/1256-32-0x0000000140000000-0x00000001401C7000-memory.dmp

          Filesize

          1.8MB

        • memory/1256-29-0x0000000140000000-0x00000001401C7000-memory.dmp

          Filesize

          1.8MB

        • memory/1256-19-0x0000000140000000-0x00000001401C7000-memory.dmp

          Filesize

          1.8MB

        • memory/1824-128-0x0000000000110000-0x0000000000117000-memory.dmp

          Filesize

          28KB

        • memory/2188-7-0x0000000140000000-0x00000001401C7000-memory.dmp

          Filesize

          1.8MB

        • memory/2188-1-0x0000000000390000-0x0000000000397000-memory.dmp

          Filesize

          28KB

        • memory/2188-0-0x0000000140000000-0x00000001401C7000-memory.dmp

          Filesize

          1.8MB

        • memory/2764-90-0x0000000000100000-0x0000000000107000-memory.dmp

          Filesize

          28KB