Analysis

  • max time kernel
    149s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    25-01-2024 10:36

General

  • Target

    74792d6438fe27a6b4efb9c1142f875c.dll

  • Size

    1.7MB

  • MD5

    74792d6438fe27a6b4efb9c1142f875c

  • SHA1

    df86d55db627c71dfda71d31b9120875b4763655

  • SHA256

    91f4e0d55b25c852d48512dcc4852c2aa7d950cfb08fbcc53c1f373202032dae

  • SHA512

    c273b6b6e722fed5ebc10f107cce93c97bb4d32fdd89547ce1bf1392f02e1647d4eedfccd9a92cbe7cb0e239897fdce905ec15fc833f0be604856963792aa2b4

  • SSDEEP

    12288:5VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1kt:4fP7fWsK5z9A+WGAW+V5SB6Ct4bnbkt

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex payload shellcode injected into the Explorer process.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\74792d6438fe27a6b4efb9c1142f875c.dll,#1
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2536
  • C:\Windows\system32\winlogon.exe
    C:\Windows\system32\winlogon.exe
      PID:2676
    • C:\Users\Admin\AppData\Local\pU9jsk\winlogon.exe
      C:\Users\Admin\AppData\Local\pU9jsk\winlogon.exe
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2820
    • C:\Users\Admin\AppData\Local\H0An\SystemPropertiesAdvanced.exe
      C:\Users\Admin\AppData\Local\H0An\SystemPropertiesAdvanced.exe
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2188
    • C:\Windows\system32\SystemPropertiesAdvanced.exe
      C:\Windows\system32\SystemPropertiesAdvanced.exe
        PID:2232
      • C:\Users\Admin\AppData\Local\kyp\BitLockerWizard.exe
        C:\Users\Admin\AppData\Local\kyp\BitLockerWizard.exe
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2368
      • C:\Windows\system32\BitLockerWizard.exe
        C:\Windows\system32\BitLockerWizard.exe
          PID:2200

        Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\H0An\SYSDM.CPL

          Filesize

          33KB

          MD5

          e6e3cb87f89a9ce2b6c94ce28143c2d7

          SHA1

          d4d94490d51cc91e44b730169619258448fba289

          SHA256

          a8969f110c5d9b347f869f979b20260a9f07f16fd083e8df3c6529dcb8c2518b

          SHA512

          6b0867a4605e154b5537ca147c5ab8d6b072e1c46da8f0d7e2f5efcbe71ecd1a8c813aeff10e6ca5c1e5f9e854c75b68ca718af0489c4aceee43e9ef5fc437ae

        • C:\Users\Admin\AppData\Local\H0An\SystemPropertiesAdvanced.exe

          Filesize

          78KB

          MD5

          3ecef6876be90cbec79fa0261ae52bee

          SHA1

          e90593c99da3dcbc59f7990772c44b69e0c98595

          SHA256

          cc68b431e946bce41da378f5a2bfbe5cc749a1df4930434f7c68b1b4c1c271fe

          SHA512

          9d43bed82d032beb9fc30f4e263ecfbaf0275e1abca7ab0fa7e8dc9a7016b645932e5b347505a49740a68e62795bd1424920e0e19c908191c4359f0bfdd6430d

        • C:\Users\Admin\AppData\Local\kyp\BitLockerWizard.exe

          Filesize

          98KB

          MD5

          08a761595ad21d152db2417d6fdb239a

          SHA1

          d84c1bc2e8c9afce9fb79916df9bca169f93a936

          SHA256

          ec0b9e5f29a43f9db44fa76b85701058f26776ab974044c1d4741591b74d0620

          SHA512

          8b07828e9c0edf09277f89294b8e1a54816f6f3d1fe132b3eb70370b81feb82d056ec31566793bd6f451725f79c3b4aeedb15a83216115e00943e0c19cab37c9

        • C:\Users\Admin\AppData\Local\kyp\FVEWIZ.dll

          Filesize

          47KB

          MD5

          261121504d8c23c8cdc10da9b92db42c

          SHA1

          ecce1f62ebc07de4d15009b1ece9558630a421f6

          SHA256

          6b3610e492f4bd44692470dbd4ed6b5d971592f532993e2cd7e6526f96cf4b83

          SHA512

          93d1dd06d4ba583174f09e184d43f69720f23f08e570a358a80a40e4deb26ebb69f6564a45d1e00a531d5d49cba264cafc8d823a7b3ea2dbed97ee124aaaadeb

        • C:\Users\Admin\AppData\Local\pU9jsk\WINSTA.dll

          Filesize

          212KB

          MD5

          3fb8b7f309a8f39ec3ee69b3766da8e9

          SHA1

          2005a7575f1a26fa410af1c931e19ccdf4f100e2

          SHA256

          1f434ff41e051bc7f17abceb8426a040aa36a98fca5a05bdbb829c89cd0d4984

          SHA512

          d83343ae730bda46024fdb430ef9b9437d383c7641220eb7938a08a2c9740540b187308bbc4c603feaca0a5ff14f57e3124f704c98cf36642596993169c96e70

        • C:\Users\Admin\AppData\Local\pU9jsk\winlogon.exe

          Filesize

          125KB

          MD5

          584838eb0a99ef98b7671deab8059862

          SHA1

          f4591ce1e60e4a5cfdedf5ec08369aafe270d81d

          SHA256

          b4f62c8203213e5b000ee55f07283c667409d8c32bea39a454e70c52140f38ca

          SHA512

          d6c6dcf7240e7c743404d44d9fce23c794f6faf51106e0fef0a8ec12420d3f9c76903bf8c30f60e88c4057031092cd590b00177a65585ca2ca1ce3f5c8b37aa5

        • C:\Users\Admin\AppData\Local\pU9jsk\winlogon.exe

          Filesize

          136KB

          MD5

          6dac19a27825c8d786c7f665ceab18a4

          SHA1

          df0f6c4ccdea6de5ce93346b34e9de3b5dae2ce4

          SHA256

          7e264b7ab05c3595d7bda1764bf3339ddf16ec4332b1452805de4a37028401ed

          SHA512

          e37d98481259fee73c2792764e3a3b77454433a1462aeaf80e1f0e8afffe468ea65533c9103c14314b1fbf8223ef8213b2e0cebb2427e8dd8979aeae48379e7a

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Tiizeasb.lnk

          Filesize

          1KB

          MD5

          9ee86ca8c1dc92d82444f206c40169d3

          SHA1

          084f60ea22f35d08f7df1c306fcb23cd07e458a5

          SHA256

          e9598f41eec8af63fcdf039457399fa653e98defd0c7a3694048fd298fe30e5f

          SHA512

          1d8896757799a322988fbc0abcaf5f64948003f5382ef0e82a9ba36e18c85d4f2e17aed99a6e5a865c793a604497432275b83e6f2a0e94bd2c98961ed666fc32

        • C:\Users\Admin\AppData\Roaming\Macromedia\zmknj\SYSDM.CPL

          Filesize

          1.7MB

          MD5

          2d93fdf5bc81c96bd3233db367cf6095

          SHA1

          acee813c6d17bcab555d809f57b3749ed9660919

          SHA256

          e4ab35215c45f0946dd2a47c06b9a2870708cf234eae4719c32b6e77915c5aa5

          SHA512

          c451b3bf40d01fa635e5d42d4a7abd252511e52be43e23769ab72391dec1f710b646ece91c04d99582e7f1f5699e4657a2647364f7cee791ea015869fa40444e

        • C:\Users\Admin\AppData\Roaming\Macromedia\zmknj\SystemPropertiesAdvanced.exe

          Filesize

          80KB

          MD5

          25dc1e599591871c074a68708206e734

          SHA1

          27a9dffa92d979d39c07d889fada536c062dac77

          SHA256

          a13b2ba5892c11c731869410b1e3dd2f250d70ff9efd513a9f260ab506dd42ef

          SHA512

          f7da9ce4c3e8aea9095fcc977084c042f85df48fca0b58fb136dfd835ce69b5b1e68f3c11eeb14c617ffcec7011ffc7e5d5a948f49dde653a2348b28e10adb72

        • C:\Users\Admin\AppData\Roaming\Microsoft\Protect\Ik\WINSTA.dll

          Filesize

          1.7MB

          MD5

          d2922ad17fa034c3d0f5a417ab07d03b

          SHA1

          c5584e37e05db791b370d6df13ea06a388479782

          SHA256

          cf3ebc731508687fcc257907b605b431e1381e731cc3723ece74fa70125d7382

          SHA512

          4f71b6490298d429d64dfd5429acbc2205450edc4e75dade67cbad19d7e02bc5a78ce6ad717eff9121f3869cdebe857776dd5daaf4a34ba8ed277baf95f0e9a5

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IECompatUACache\Low\3S5PXE1\BitLockerWizard.exe

          Filesize

          74KB

          MD5

          1cbbfd698f3a17006cca66179a5a2cea

          SHA1

          c21e677de216b0b99f974ec4618d8ed9347e4c8d

          SHA256

          fe249d4ae54975fae42a79ba57cb4af2e0bafb9f2a5f7ed7e77f35177ba1f749

          SHA512

          8b6b23598ef4ec2b47ee74ee564c71c29e6cdf95cec599b4771612c50f41a7770523cdfec13b9c0355197c63f06f99717ba34e0bff1c07b7a47a5b72f4d30205

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IECompatUACache\Low\3S5PXE1\FVEWIZ.dll

          Filesize

          1.7MB

          MD5

          9670179df2e800d87ae511da048e0d44

          SHA1

          71bf33f0e84bf78d7cb5b63d6dddbb9c62145b6c

          SHA256

          112cbd58fa53073423f387df4b9a94c2faf15df8240a30957c7e79a27a9962c0

          SHA512

          ca3ff38a942fa7ff4b354fa5bb59fe558def915b7376a9483a8d659ed0cf2390c7ec1787f0c72e9e7778f8cca037114daae2232798c11f28c703d7211f4cd4a2

        • \Users\Admin\AppData\Local\H0An\SYSDM.CPL

          Filesize

          34KB

          MD5

          d74bb68fdbb4402016ef8e9e713c6117

          SHA1

          399999eba7547122617eba5aac1062d9a009a18b

          SHA256

          03d0f89ff64affe19fe50ce92d84828b377e9d858622039167f32e4b2dbae82a

          SHA512

          dc3207968cd89f49c996dd8eb826d42e06c3e0bc9eb45ec9b692f59a1ebdd1df2c96dde55816559e58aa5461f3de1e152c14bb4f1bf3ac318e37a612203c37ab

        • \Users\Admin\AppData\Local\H0An\SystemPropertiesAdvanced.exe

          Filesize

          30KB

          MD5

          5df46b0258fd63b9f1f0b049341aaa93

          SHA1

          96685dc71fa5f64450d715d0d2a5fdc1dc960f5a

          SHA256

          581f806288cb2cb2ac07f24c6836f9fdb6192641b25bc4b33bbf57c7d064a269

          SHA512

          5d92fc7f9f07e801db35802bb359eeea95d98012a260dcdc19078a239cc2cf2f95a251e42840ad0bee68a5f99f592ff77ea39855d0a89686b4276cc8c6feec9d

        • \Users\Admin\AppData\Local\kyp\BitLockerWizard.exe

          Filesize

          38KB

          MD5

          757b9fdacb0c6ab6bc3668eae7a46a96

          SHA1

          870ec8800facbcdd26d16d592fba4aab8e7d2951

          SHA256

          9990a26084131ef374b9190adaa2465cdfe691c879d743ceeba15ebff7085b8a

          SHA512

          adf703f058177c124d370e53b31dd8281ff700b6a24cc1e91afc835e8e6225ecef3d00b2396310ae65311424c6924b2dadde2cbb62175b2c36ad947553be0a1e

        • \Users\Admin\AppData\Local\kyp\FVEWIZ.dll

          Filesize

          99KB

          MD5

          2a4f2b687e242e5c57824a3c0150121b

          SHA1

          d6c7dd46b77078d29f1d15937ac8505559b0c37a

          SHA256

          60ca1d09b5df029f13e0585e92b2ac3ebac599d0cbdbd89642a4e43c8a857a3d

          SHA512

          28512861fdd8d135018d185653b9a3c5712109cc7c8f7ffc834c27210fbc8d09ed9fb1c62eb9ac0be01139b398dc94d24b8051a438a4ba39820ab062aa2bd216

        • \Users\Admin\AppData\Local\pU9jsk\WINSTA.dll

          Filesize

          128KB

          MD5

          ad1508fca0cb4f714f13b4bb53e020da

          SHA1

          4fcac2b7801a1a38b88f645ade7921878f6290e0

          SHA256

          bd8d0fb70fd03c0e02a0f7fb47732ed91009ef211fea86cf103eb34839d7dfff

          SHA512

          69f5dc4940539480ea864a2197f5b4b08ce08f6b60ebd5eb2c86d86cc0dcf8651517c1ec9266d2d84a309e69e8af8399844d4937fa23fa80812fcf99d42c9162

        • \Users\Admin\AppData\Local\pU9jsk\winlogon.exe

          Filesize

          217KB

          MD5

          5209369b4aa1fe15361e93db06db32c9

          SHA1

          8f035cac4d29c6f8881ef356547ae695df915218

          SHA256

          2cd8b43074281119d01200819255c3a817c80d311d99ac97ce64d902657509eb

          SHA512

          55d8eb5b638027f38c372f3bc59c0d299e1577dbbd9cfb55273dda66fe3ba1d66153cf3d39e6d2d20f6ca06ff29ae8ab3aa1f8605f41f5cf453cb1e5ffa5c20a

        • memory/1208-52-0x0000000140000000-0x00000001401AC000-memory.dmp

          Filesize

          1.7MB

        • memory/1208-16-0x0000000140000000-0x00000001401AC000-memory.dmp

          Filesize

          1.7MB

        • memory/1208-25-0x0000000140000000-0x00000001401AC000-memory.dmp

          Filesize

          1.7MB

        • memory/1208-24-0x0000000140000000-0x00000001401AC000-memory.dmp

          Filesize

          1.7MB

        • memory/1208-34-0x0000000002550000-0x0000000002557000-memory.dmp

          Filesize

          28KB

        • memory/1208-33-0x0000000140000000-0x00000001401AC000-memory.dmp

          Filesize

          1.7MB

        • memory/1208-22-0x0000000140000000-0x00000001401AC000-memory.dmp

          Filesize

          1.7MB

        • memory/1208-21-0x0000000140000000-0x00000001401AC000-memory.dmp

          Filesize

          1.7MB

        • memory/1208-41-0x0000000140000000-0x00000001401AC000-memory.dmp

          Filesize

          1.7MB

        • memory/1208-20-0x0000000140000000-0x00000001401AC000-memory.dmp

          Filesize

          1.7MB

        • memory/1208-19-0x0000000140000000-0x00000001401AC000-memory.dmp

          Filesize

          1.7MB

        • memory/1208-43-0x00000000774E0000-0x00000000774E2000-memory.dmp

          Filesize

          8KB

        • memory/1208-42-0x0000000077381000-0x0000000077382000-memory.dmp

          Filesize

          4KB

        • memory/1208-4-0x0000000077276000-0x0000000077277000-memory.dmp

          Filesize

          4KB

        • memory/1208-59-0x0000000140000000-0x00000001401AC000-memory.dmp

          Filesize

          1.7MB

        • memory/1208-58-0x0000000140000000-0x00000001401AC000-memory.dmp

          Filesize

          1.7MB

        • memory/1208-27-0x0000000140000000-0x00000001401AC000-memory.dmp

          Filesize

          1.7MB

        • memory/1208-28-0x0000000140000000-0x00000001401AC000-memory.dmp

          Filesize

          1.7MB

        • memory/1208-5-0x0000000002570000-0x0000000002571000-memory.dmp

          Filesize

          4KB

        • memory/1208-14-0x0000000140000000-0x00000001401AC000-memory.dmp

          Filesize

          1.7MB

        • memory/1208-13-0x0000000140000000-0x00000001401AC000-memory.dmp

          Filesize

          1.7MB

        • memory/1208-12-0x0000000140000000-0x00000001401AC000-memory.dmp

          Filesize

          1.7MB

        • memory/1208-127-0x0000000077276000-0x0000000077277000-memory.dmp

          Filesize

          4KB

        • memory/1208-11-0x0000000140000000-0x00000001401AC000-memory.dmp

          Filesize

          1.7MB

        • memory/1208-30-0x0000000140000000-0x00000001401AC000-memory.dmp

          Filesize

          1.7MB

        • memory/1208-31-0x0000000140000000-0x00000001401AC000-memory.dmp

          Filesize

          1.7MB

        • memory/1208-32-0x0000000140000000-0x00000001401AC000-memory.dmp

          Filesize

          1.7MB

        • memory/1208-29-0x0000000140000000-0x00000001401AC000-memory.dmp

          Filesize

          1.7MB

        • memory/1208-10-0x0000000140000000-0x00000001401AC000-memory.dmp

          Filesize

          1.7MB

        • memory/1208-9-0x0000000140000000-0x00000001401AC000-memory.dmp

          Filesize

          1.7MB

        • memory/1208-18-0x0000000140000000-0x00000001401AC000-memory.dmp

          Filesize

          1.7MB

        • memory/1208-23-0x0000000140000000-0x00000001401AC000-memory.dmp

          Filesize

          1.7MB

        • memory/1208-7-0x0000000140000000-0x00000001401AC000-memory.dmp

          Filesize

          1.7MB

        • memory/1208-15-0x0000000140000000-0x00000001401AC000-memory.dmp

          Filesize

          1.7MB

        • memory/1208-26-0x0000000140000000-0x00000001401AC000-memory.dmp

          Filesize

          1.7MB

        • memory/1208-17-0x0000000140000000-0x00000001401AC000-memory.dmp

          Filesize

          1.7MB

        • memory/2188-90-0x0000000000180000-0x0000000000187000-memory.dmp

          Filesize

          28KB

        • memory/2188-91-0x0000000140000000-0x00000001401AD000-memory.dmp

          Filesize

          1.7MB

        • memory/2188-95-0x0000000140000000-0x00000001401AD000-memory.dmp

          Filesize

          1.7MB

        • memory/2368-111-0x0000000140000000-0x00000001401AD000-memory.dmp

          Filesize

          1.7MB

        • memory/2536-8-0x0000000140000000-0x00000001401AC000-memory.dmp

          Filesize

          1.7MB

        • memory/2536-0-0x0000000140000000-0x00000001401AC000-memory.dmp

          Filesize

          1.7MB

        • memory/2536-2-0x0000000000310000-0x0000000000317000-memory.dmp

          Filesize

          28KB

        • memory/2820-71-0x0000000140000000-0x00000001401AE000-memory.dmp

          Filesize

          1.7MB

        • memory/2820-70-0x00000000001B0000-0x00000000001B7000-memory.dmp

          Filesize

          28KB

        • memory/2820-75-0x0000000140000000-0x00000001401AE000-memory.dmp

          Filesize

          1.7MB