Analysis

  • max time kernel
    150s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    25-01-2024 10:34

General

  • Target

    7477fc39b45ddb88b4ff0de5a954889a.dll

  • Size

    1.8MB

  • MD5

    7477fc39b45ddb88b4ff0de5a954889a

  • SHA1

    b89770175d0845d1aa7615fc346bcf6d9dd755ea

  • SHA256

    1bed54ab01a098e8eefee909a56a0ce2b4ffc50208869d313501680c11e05798

  • SHA512

    f4369eb6c97714d9409f67598022fab36555405a4b4a2fcac31b8b8a631a19280c0204e32bd9c46a33d44a77c31134f129e3b7295dfc0c6470c612e62b352296

  • SSDEEP

    12288:zVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1Kt:ifP7fWsK5z9A+WGAW+V5SB6Ct4bnbKt

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a banking trojan that specializes in stealing online-banking credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\7477fc39b45ddb88b4ff0de5a954889a.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2436
  • C:\Windows\system32\eudcedit.exe
    C:\Windows\system32\eudcedit.exe
    1⤵
    PID:1680
  • C:\Users\Admin\AppData\Local\RecUTez\eudcedit.exe
    C:\Users\Admin\AppData\Local\RecUTez\eudcedit.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:328
  • C:\Windows\system32\StikyNot.exe
    C:\Windows\system32\StikyNot.exe
    1⤵
    PID:1180
  • C:\Users\Admin\AppData\Local\ZH6j2qFR\StikyNot.exe
    C:\Users\Admin\AppData\Local\ZH6j2qFR\StikyNot.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:2644
  • C:\Windows\system32\msinfo32.exe
    C:\Windows\system32\msinfo32.exe
    1⤵
    PID:1492
  • C:\Users\Admin\AppData\Local\96P\msinfo32.exe
    C:\Users\Admin\AppData\Local\96P\msinfo32.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:1560

        Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\96P\MFC42u.dll

          Filesize

          1.8MB

          MD5

          8c42d96a06f0c138f7be68b461ba1aca

          SHA1

          f781f66e2bb2b67077869213ee3303626dfbbf96

          SHA256

          55d0470e4494590cd6dea28d3f9f8160913ad252620bc0a960f922fe3198dc1f

          SHA512

          e23dd29de6aceddc9c30332f9678219edd0a25b7d087ae3760673ffa0cde6ff97e6cfdc9d8deb9757f92385db1d38a169a6e843766cca6e53f31bf08283da4da

        • C:\Users\Admin\AppData\Local\RecUTez\MFC42u.dll

          Filesize

          1.8MB

          MD5

          e879ed7a139445e4ddd2bbc06e196004

          SHA1

          5b4e528b6079276ba220ce7d7da367b910d4d716

          SHA256

          812b84acb47eedf17886b47d6a7edd4521d7d9310d583a1def224083d9c7f80b

          SHA512

          de0507314d4d1e73c29d08fe2ab7b22b35e223ea5c26decd916bdfd52fea777d891afeb83ea168a060bf14970709d3f40fa29c7fdcdeb421d254fbd9fccef5c3

        • C:\Users\Admin\AppData\Local\ZH6j2qFR\slc.dll

          Filesize

          1.8MB

          MD5

          77711413fad9a5293ba0c7c1cf74c219

          SHA1

          27d9bb757f661239c3e242cd63031170b59e5a50

          SHA256

          ba1d3b43aa2684d13adc444ef3440e42c5e420093bf5894bf655f21238b0e075

          SHA512

          f42bccf6ac1082ec3e183b62e82a894d111d3c728ebb09e5e7ddddb9e8f60f31011643c263ffe50072c7e6501900854f48b9ab84ecca904ebf855241a238ab69

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ercyejwqgvsruoy.lnk

          Filesize

          1KB

          MD5

          acf4abd5ce068a487b64473c8565c58b

          SHA1

          a1e5a670a6c61c4ecea68fc12d272c468595e09c

          SHA256

          d4abd97813bac609272772b6c495791bb7b758407e1e873d84229461326301c6

          SHA512

          63bef9fdae91564df23190bd8dcaf08d35ef0b14ad30a45c0429ea6fb717f65ae996c42f21eba6a670b3bd5c739becf94217f9618c274cade2b6447efc2c8aee

        • \Users\Admin\AppData\Local\96P\msinfo32.exe

          Filesize

          370KB

          MD5

          d291620d4c51c5f5ffa62ccdc52c5c13

          SHA1

          2081c97f15b1c2a2eadce366baf3c510da553cc7

          SHA256

          76e959dd7db31726c040d46cfa86b681479967aea36db5f625e80bd36422e8ae

          SHA512

          75f9bcce4c596dae1f4d78e13d9d53b0c31988d2170c3d9f5db352b8c8a1c8ca58f4a002b30a4b328b8f4769008b750b8a1c9fda44a582e11c3adc38345c334b

        • \Users\Admin\AppData\Local\RecUTez\eudcedit.exe

          Filesize

          351KB

          MD5

          35e397d6ca8407b86d8a7972f0c90711

          SHA1

          6b39830003906ef82442522d22b80460c03f6082

          SHA256

          1f64118bdc3515e8e9fce6ad182f6d0c8a6528d638fedb4901a6152cde4c7cde

          SHA512

          71b0c4ac120e5841308b0c19718bdc28366b0d79c8177091328ef5421392b9ee5e4758816ffb8c0977f178e1b33ed064f64781eaf7d6952878dc8aea402f035e

        • \Users\Admin\AppData\Local\ZH6j2qFR\StikyNot.exe

          Filesize

          417KB

          MD5

          b22cb67919ebad88b0e8bb9cda446010

          SHA1

          423a794d26d96d9f812d76d75fa89bffdc07d468

          SHA256

          2f744feac48ede7d6b6d2727f7ddfa80b26d9e3b0009741b00992b19ad85e128

          SHA512

          f40aad2a381b766aae0a353fae3ab759d5c536b2d00d135527bba37b601d2f24323f079bd09600355d79404d574ac59201d415ef64c1568877ad0ce0da2dd1d5

        • memory/328-91-0x0000000000180000-0x0000000000187000-memory.dmp

          Filesize

          28KB

        • memory/1384-39-0x0000000140000000-0x00000001401C6000-memory.dmp

          Filesize

          1.8MB

        • memory/1384-42-0x0000000140000000-0x00000001401C6000-memory.dmp

          Filesize

          1.8MB

        • memory/1384-14-0x0000000140000000-0x00000001401C6000-memory.dmp

          Filesize

          1.8MB

        • memory/1384-13-0x0000000140000000-0x00000001401C6000-memory.dmp

          Filesize

          1.8MB

        • memory/1384-12-0x0000000140000000-0x00000001401C6000-memory.dmp

          Filesize

          1.8MB

        • memory/1384-19-0x0000000140000000-0x00000001401C6000-memory.dmp

          Filesize

          1.8MB

        • memory/1384-20-0x0000000140000000-0x00000001401C6000-memory.dmp

          Filesize

          1.8MB

        • memory/1384-22-0x0000000140000000-0x00000001401C6000-memory.dmp

          Filesize

          1.8MB

        • memory/1384-21-0x0000000140000000-0x00000001401C6000-memory.dmp

          Filesize

          1.8MB

        • memory/1384-24-0x0000000140000000-0x00000001401C6000-memory.dmp

          Filesize

          1.8MB

        • memory/1384-23-0x0000000140000000-0x00000001401C6000-memory.dmp

          Filesize

          1.8MB

        • memory/1384-26-0x0000000140000000-0x00000001401C6000-memory.dmp

          Filesize

          1.8MB

        • memory/1384-25-0x0000000140000000-0x00000001401C6000-memory.dmp

          Filesize

          1.8MB

        • memory/1384-27-0x0000000140000000-0x00000001401C6000-memory.dmp

          Filesize

          1.8MB

        • memory/1384-29-0x0000000140000000-0x00000001401C6000-memory.dmp

          Filesize

          1.8MB

        • memory/1384-28-0x0000000140000000-0x00000001401C6000-memory.dmp

          Filesize

          1.8MB

        • memory/1384-32-0x0000000140000000-0x00000001401C6000-memory.dmp

          Filesize

          1.8MB

        • memory/1384-31-0x0000000140000000-0x00000001401C6000-memory.dmp

          Filesize

          1.8MB

        • memory/1384-30-0x0000000140000000-0x00000001401C6000-memory.dmp

          Filesize

          1.8MB

        • memory/1384-34-0x0000000140000000-0x00000001401C6000-memory.dmp

          Filesize

          1.8MB

        • memory/1384-33-0x0000000140000000-0x00000001401C6000-memory.dmp

          Filesize

          1.8MB

        • memory/1384-35-0x0000000140000000-0x00000001401C6000-memory.dmp

          Filesize

          1.8MB

        • memory/1384-36-0x0000000140000000-0x00000001401C6000-memory.dmp

          Filesize

          1.8MB

        • memory/1384-40-0x0000000140000000-0x00000001401C6000-memory.dmp

          Filesize

          1.8MB

        • memory/1384-4-0x0000000076FE6000-0x0000000076FE7000-memory.dmp

          Filesize

          4KB

        • memory/1384-37-0x0000000140000000-0x00000001401C6000-memory.dmp

          Filesize

          1.8MB

        • memory/1384-38-0x0000000140000000-0x00000001401C6000-memory.dmp

          Filesize

          1.8MB

        • memory/1384-41-0x0000000140000000-0x00000001401C6000-memory.dmp

          Filesize

          1.8MB

        • memory/1384-43-0x0000000140000000-0x00000001401C6000-memory.dmp

          Filesize

          1.8MB

        • memory/1384-16-0x0000000140000000-0x00000001401C6000-memory.dmp

          Filesize

          1.8MB

        • memory/1384-45-0x0000000140000000-0x00000001401C6000-memory.dmp

          Filesize

          1.8MB

        • memory/1384-44-0x0000000140000000-0x00000001401C6000-memory.dmp

          Filesize

          1.8MB

        • memory/1384-46-0x0000000140000000-0x00000001401C6000-memory.dmp

          Filesize

          1.8MB

        • memory/1384-51-0x0000000140000000-0x00000001401C6000-memory.dmp

          Filesize

          1.8MB

        • memory/1384-50-0x0000000140000000-0x00000001401C6000-memory.dmp

          Filesize

          1.8MB

        • memory/1384-52-0x0000000140000000-0x00000001401C6000-memory.dmp

          Filesize

          1.8MB

        • memory/1384-49-0x0000000140000000-0x00000001401C6000-memory.dmp

          Filesize

          1.8MB

        • memory/1384-48-0x0000000140000000-0x00000001401C6000-memory.dmp

          Filesize

          1.8MB

        • memory/1384-47-0x0000000140000000-0x00000001401C6000-memory.dmp

          Filesize

          1.8MB

        • memory/1384-54-0x0000000002AE0000-0x0000000002AE7000-memory.dmp

          Filesize

          28KB

        • memory/1384-61-0x00000000771F1000-0x00000000771F2000-memory.dmp

          Filesize

          4KB

        • memory/1384-60-0x0000000140000000-0x00000001401C6000-memory.dmp

          Filesize

          1.8MB

        • memory/1384-62-0x0000000077350000-0x0000000077352000-memory.dmp

          Filesize

          8KB

        • memory/1384-71-0x0000000140000000-0x00000001401C6000-memory.dmp

          Filesize

          1.8MB

        • memory/1384-15-0x0000000140000000-0x00000001401C6000-memory.dmp

          Filesize

          1.8MB

        • memory/1384-18-0x0000000140000000-0x00000001401C6000-memory.dmp

          Filesize

          1.8MB

        • memory/1384-17-0x0000000140000000-0x00000001401C6000-memory.dmp

          Filesize

          1.8MB

        • memory/1384-7-0x0000000140000000-0x00000001401C6000-memory.dmp

          Filesize

          1.8MB

        • memory/1384-9-0x0000000140000000-0x00000001401C6000-memory.dmp

          Filesize

          1.8MB

        • memory/1384-5-0x0000000002B10000-0x0000000002B11000-memory.dmp

          Filesize

          4KB

        • memory/1384-146-0x0000000076FE6000-0x0000000076FE7000-memory.dmp

          Filesize

          4KB

        • memory/1384-11-0x0000000140000000-0x00000001401C6000-memory.dmp

          Filesize

          1.8MB

        • memory/1384-10-0x0000000140000000-0x00000001401C6000-memory.dmp

          Filesize

          1.8MB

        • memory/1560-125-0x0000000000170000-0x0000000000177000-memory.dmp

          Filesize

          28KB

        • memory/2436-8-0x0000000140000000-0x00000001401C6000-memory.dmp

          Filesize

          1.8MB

        • memory/2436-2-0x00000000001A0000-0x00000000001A7000-memory.dmp

          Filesize

          28KB

        • memory/2436-0-0x0000000140000000-0x00000001401C6000-memory.dmp

          Filesize

          1.8MB

        • memory/2644-107-0x0000000000430000-0x0000000000437000-memory.dmp

          Filesize

          28KB
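The dropped-file and memory-dump entries above carry more information than the flat list suggests: each random AppData\Local directory holds a copied system EXE (351 to 417KB) next to a DLL of exactly the submitted sample's size (1.8MB), a .lnk was written to the Startup folder, and PID 1384, which never appears in the process tree, holds the same 1.8MB region at 0x140000000 as rundll32 (PID 2436), consistent with the "Dridex Shellcode" signature's injection into Explorer. The script below is an added example, not part of this report or of the sandbox's tooling; the records are transcribed from this page (the repeated 1384 dumps of the same region are collapsed to one), the dump-name layout memory/<pid>-<n>-<start>-<end>-memory.dmp is read off the entries themselves, and the 0x140000000 base and 0x1C6000 size come from those entries too.

```python
"""
Added triage helper for the Downloads section of this report: side-loading
pairs, Startup persistence, and the PID that holds the injected image.
All records below are transcribed from the page; nothing is fetched.
"""
import re
from collections import defaultdict

# Dropped files as listed above (path, size as shown). The EXE entries on
# the page carry no drive letter, so directories are normalised before use.
DROPPED = [
    (r"C:\Users\Admin\AppData\Local\96P\MFC42u.dll", "1.8MB"),
    (r"C:\Users\Admin\AppData\Local\RecUTez\MFC42u.dll", "1.8MB"),
    (r"C:\Users\Admin\AppData\Local\ZH6j2qFR\slc.dll", "1.8MB"),
    (r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ercyejwqgvsruoy.lnk", "1KB"),
    (r"\Users\Admin\AppData\Local\96P\msinfo32.exe", "370KB"),
    (r"\Users\Admin\AppData\Local\RecUTez\eudcedit.exe", "351KB"),
    (r"\Users\Admin\AppData\Local\ZH6j2qFR\StikyNot.exe", "417KB"),
]

# One dump per distinct (pid, region) from the list above; the 1384 entries
# repeat the same 0x140000000 region many times and are collapsed here.
DUMPS = [
    "memory/2436-0-0x0000000140000000-0x00000001401C6000-memory.dmp",
    "memory/2436-2-0x00000000001A0000-0x00000000001A7000-memory.dmp",
    "memory/1384-7-0x0000000140000000-0x00000001401C6000-memory.dmp",
    "memory/1384-54-0x0000000002AE0000-0x0000000002AE7000-memory.dmp",
    "memory/328-91-0x0000000000180000-0x0000000000187000-memory.dmp",
    "memory/2644-107-0x0000000000430000-0x0000000000437000-memory.dmp",
    "memory/1560-125-0x0000000000170000-0x0000000000177000-memory.dmp",
]

TREE_PIDS = {2436, 1680, 328, 1180, 2644, 1492, 1560}  # PIDs in the Processes section
SAMPLE_SIZE = "1.8MB"                                   # size of the submitted DLL
IMAGE = (0x140000000, 0x1C6000)   # base and size of the 1.8MB region in the dumps

DUMP_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")


def norm_dir(path):
    """Lower-case directory part with any drive letter stripped."""
    return re.sub(r"^[a-z]:", "", path.rpartition("\\")[0].lower())


def parse_dump(name):
    """memory/<pid>-<seq>-<start>-<end>-memory.dmp -> (pid, seq, start, end)."""
    pid, seq, start, end = DUMP_RE.fullmatch(name).groups()
    return int(pid), int(seq), int(start, 16), int(end, 16)


def side_load_pairs(dropped):
    """Directories holding an .exe next to a .dll as large as the submitted sample."""
    by_dir = defaultdict(list)
    for path, size in dropped:
        by_dir[norm_dir(path)].append((path.rpartition("\\")[2].lower(), size))
    pairs = {}
    for d, files in by_dir.items():
        exes = [f for f, _ in files if f.endswith(".exe")]
        dlls = [f for f, s in files if f.endswith(".dll") and s == SAMPLE_SIZE]
        if exes and dlls:
            pairs[d] = (exes[0], dlls[0])
    return pairs


def startup_links(dropped):
    """.lnk files written to a Startup folder (executed at logon)."""
    return [p for p, _ in dropped
            if "\\startup\\" in p.lower() and p.lower().endswith(".lnk")]


def image_holders(dumps):
    """PIDs whose dumps contain the full image region, sorted."""
    regions = defaultdict(set)
    for name in dumps:
        pid, _, start, end = parse_dump(name)
        regions[pid].add((start, end - start))
    return sorted(pid for pid, r in regions.items() if IMAGE in r)


def injected_pids(dumps, tree_pids):
    """Image present in a process that never appears in the process tree."""
    return [pid for pid in image_holders(dumps) if pid not in tree_pids]


if __name__ == "__main__":
    for d, (exe, dll) in side_load_pairs(DROPPED).items():
        print(f"side-load pair in {d}: {exe} + {dll}")
    print("startup persistence:", startup_links(DROPPED))
    print("image in PIDs:", image_holders(DUMPS), "injected:", injected_pids(DUMPS, TREE_PIDS))
```

The size comparison uses the report's own rounded "1.8MB" strings because that is all the page gives for the DLLs; on a live host compare the sibling DLL's SHA256 against the submitted sample instead, and treat the three 28KB (0x7000) private regions in PIDs 328, 2644 and 1560 as the next thing to dump, since they are the only non-image memory the sandbox captured from the side-loaded hosts.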