Analysis

  • max time kernel
    150s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64  arch:x86  image:win7-20231215-en  locale:en-us  os:windows7-x64  system
  • submitted
    25-01-2024 12:10

General

  • Target

    74aa7a7b1a55a686da6fb64c99496b53.dll

  • Size

    3.2MB

  • MD5

    74aa7a7b1a55a686da6fb64c99496b53

  • SHA1

    baf7fcf0fe7a57031c1285f02cb4a0814e54fa31

  • SHA256

    e12d72cce77128cc87490c508bb9e32003d1141cf5ccc962117961d65c2d71ab

  • SHA512

    6e7d2349024ceb235cb85ddc9c88695796197d9dd84f19518e0639f93f5cd0cd713c216d04f85e961be6115b93e34e4fc39912b8b9262b2f8b69ed7d68ef05b1

  • SSDEEP

    12288:4VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:tfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a banking trojan that specializes in stealing online-banking credentials.

  • Dridex Shellcode (1 IoC)

    Detects Dridex payload shellcode injected into the Explorer process.

  • Executes dropped EXE (3 IoCs)
  • Loads dropped DLL (7 IoCs)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Checks whether UAC is enabled (1 TTP, 4 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of WriteProcessMemory (18 IoCs)
  • Uses Task Scheduler COM API (1 TTP)

    The Task Scheduler COM API can be used to schedule applications to run at boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\74aa7a7b1a55a686da6fb64c99496b53.dll,#1
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1968
  • C:\Windows\system32\dialer.exe
    C:\Windows\system32\dialer.exe
    PID:2408
  • C:\Users\Admin\AppData\Local\FzFtepNFE\dialer.exe
    C:\Users\Admin\AppData\Local\FzFtepNFE\dialer.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:1748
  • C:\Windows\system32\icardagt.exe
    C:\Windows\system32\icardagt.exe
    PID:2860
  • C:\Users\Admin\AppData\Local\HF74NVWB\icardagt.exe
    C:\Users\Admin\AppData\Local\HF74NVWB\icardagt.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:1696
  • C:\Windows\system32\BdeUISrv.exe
    C:\Windows\system32\BdeUISrv.exe
    PID:572
  • C:\Users\Admin\AppData\Local\I12\BdeUISrv.exe
    C:\Users\Admin\AppData\Local\I12\BdeUISrv.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:2896

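The process list above shows the loader layout this sample uses: a copy of a legitimate Windows binary (dialer.exe, icardagt.exe, BdeUISrv.exe) is dropped into a randomly named folder under the user profile next to a DLL that carries the name of one of that binary's imports (TAPI32.dll, VERSION.dll, WTSAPI32.dll), and the copy is then executed so that it loads the planted DLL ("Executes dropped EXE", "Loads dropped DLL"). The following Python script is an added example for this page, not sandbox or vendor code. It runs that layout check over a constructed file inventory built from the dropped-file paths and MD5s listed in this report; which DLL each host resolves is taken from the pairings that appear together in the report and is an assumption, and the two benign rows and their hashes are made up.

```python
"""Triage check for the DLL side-loading layout seen in this report: a copy of a
signed Windows host binary dropped into a random user-profile folder next to a
DLL named after one of the host's imports. Added example; not sandbox code."""
from collections import defaultdict
from pathlib import PureWindowsPath

# Host -> DLL names planted beside it. These are the pairs that appear together
# in the report's dropped-file list; that the DLL is loaded through the host's
# import table is an assumption, not something the report states.
SIDELOAD_HOSTS = {
    "dialer.exe": {"tapi32.dll"},
    "icardagt.exe": {"version.dll"},
    "bdeuisrv.exe": {"wtsapi32.dll"},
}
PLANTED_DLLS = set().union(*SIDELOAD_HOSTS.values())
# Directories where these binaries and DLLs legitimately live.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")

# MD5s of the planted DLLs from this report, usable as exact-match IoCs.
KNOWN_BAD_MD5 = {
    "5622f39e4960cfd322f1db1fc8e3ff32", "61fa9b176faa456ae210521ce2e50fae",
    "4962828dbcbba0781e87932d853f1ac3", "63224b144cb1bfc690c666cf5dc72309",
    "b406385583f9347ac7b402df5e35c28d", "4e71519e160975cb6363f49148ae252e",
}

# Constructed inventory of (path, md5). Dropped-file rows are copied from the
# report; the last two rows and their hashes are made up as benign noise.
INVENTORY = [
    (r"C:\Users\Admin\AppData\Local\FzFtepNFE\dialer.exe", "46523e17ee0f6837746924eda7e9bac9"),
    (r"C:\Users\Admin\AppData\Local\FzFtepNFE\TAPI32.dll", "5622f39e4960cfd322f1db1fc8e3ff32"),
    (r"C:\Users\Admin\AppData\Local\HF74NVWB\icardagt.exe", "ebd853ae26e9d29184b5de8ed4236d64"),
    (r"C:\Users\Admin\AppData\Local\HF74NVWB\VERSION.dll", "61fa9b176faa456ae210521ce2e50fae"),
    (r"C:\Users\Admin\AppData\Local\I12\BdeUISrv.exe", "1da6b19be5d4949c868a264bc5e74206"),
    (r"C:\Users\Admin\AppData\Local\I12\WTSAPI32.dll", "4962828dbcbba0781e87932d853f1ac3"),
    (r"C:\Users\Admin\AppData\Roaming\Microsoft\Protect\smpwSrZPA\BdeUISrv.exe", "22128497245eebd711a8902ca1391814"),
    (r"C:\Users\Admin\AppData\Roaming\Microsoft\Protect\smpwSrZPA\WTSAPI32.dll", "63224b144cb1bfc690c666cf5dc72309"),
    (r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\rZIGC5s8\VERSION.dll", "b406385583f9347ac7b402df5e35c28d"),
    (r"C:\Users\Admin\AppData\Roaming\Mozilla\Extensions\TMYkDBNP8J2\TAPI32.dll", "4e71519e160975cb6363f49148ae252e"),
    (r"C:\Windows\System32\dialer.exe", "00000000000000000000000000000001"),   # legitimate copy, constructed hash
    (r"C:\Users\Admin\Documents\notes.txt", "00000000000000000000000000000002"),  # benign, constructed
]


def find_sideload_candidates(inventory):
    """Group files by directory and return suspicious layouts.

    "high": a host binary and a matching planted DLL in the same non-system
    directory. "medium": a planted-name DLL outside the system directories with
    no host beside it (the host copy may have been missed or not yet written).
    known_hash is True when a flagged DLL's MD5 matches this report.
    """
    by_dir = defaultdict(dict)
    for path, md5 in inventory:
        p = PureWindowsPath(path)
        by_dir[str(p.parent).lower()][p.name.lower()] = md5.lower()

    findings = []
    for directory, files in sorted(by_dir.items()):
        if directory.startswith(SYSTEM_DIRS):
            continue  # these names belong here; not a side-loading signal
        paired = set()
        for host, candidate_dlls in SIDELOAD_HOSTS.items():
            if host not in files:
                continue
            dlls = sorted(d for d in candidate_dlls if d in files)
            if dlls:
                paired.update(dlls)
                findings.append({
                    "directory": directory, "confidence": "high", "host": host,
                    "dlls": dlls,
                    "known_hash": any(files[d] in KNOWN_BAD_MD5 for d in dlls),
                })
        for dll in sorted(PLANTED_DLLS & (set(files) - paired)):
            findings.append({
                "directory": directory, "confidence": "medium", "host": None,
                "dlls": [dll], "known_hash": files[dll] in KNOWN_BAD_MD5,
            })
    return findings


if __name__ == "__main__":
    for f in find_sideload_candidates(INVENTORY):
        print(f"[{f['confidence']:6}] {f['directory']}  host={f['host']}  "
              f"dlls={f['dlls']}  known_hash={f['known_hash']}")
```

On a live host the inventory would come from a directory walk of the user profile with hashes computed on the fly; the layout check is what matters, since the host binaries are clean copies of signed Windows files and hash-matching them is pointless. The orphan DLLs in the Cookies and Mozilla\Extensions folders are exactly the medium-confidence case: the report lists them without a host copy beside them.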
Network

MITRE ATT&CK Enterprise v15

Downloads

        • C:\Users\Admin\AppData\Local\FzFtepNFE\TAPI32.dll

          Filesize

          147KB

          MD5

          5622f39e4960cfd322f1db1fc8e3ff32

          SHA1

          2293249f3049e67e7524cb48ef5ee700f91d73e5

          SHA256

          722e128961be7028de08500b837c166a6dfdd2b76c11e4b7ce80ea3bb706c37c

          SHA512

          c9088091c00b762c688e796eddbb19e0c806b1f1624d1d561bae7289731054c59d407ea6793c541fb578a8373d6b39703c6490b619e3962c725d7757452b7e73

        • C:\Users\Admin\AppData\Local\FzFtepNFE\dialer.exe

          Filesize

          34KB

          MD5

          46523e17ee0f6837746924eda7e9bac9

          SHA1

          d6b2a9cc6bd3588fa9804ada5197afda6a9e034b

          SHA256

          23d8a6a1d847a324c556c30e10c8f63c2004aeb42ac3f5a5ca362077f1517382

          SHA512

          c7117c3778650864e685bd89df599d7cdd9319d757344ddc7cfd9403d6673964127f6ff0c5ac48455fd3097af31a6ff09173f85dfa7be2d25f395cdf3692bb9a

        • C:\Users\Admin\AppData\Local\HF74NVWB\VERSION.dll

          Filesize

          157KB

          MD5

          61fa9b176faa456ae210521ce2e50fae

          SHA1

          526d59e9e5f1c95c4af603fbff74fc1f9fd1c52e

          SHA256

          d5b52ceef582983341fd72e66d8d83cfd9d9f6bf1c17780916cb60ee94db6441

          SHA512

          3d200c68f16ee6b7fea615e6b952ac819fdfaac98f1bd8c90e62b772a6c7868805d36a0bdcd7e1f007522176c63945b3d05673ff8465e9e55bce58d4dd51b51f

        • C:\Users\Admin\AppData\Local\HF74NVWB\icardagt.exe

          Filesize

          90KB

          MD5

          ebd853ae26e9d29184b5de8ed4236d64

          SHA1

          0852cf6e980991a04ba1f69dfc84c44777a32d32

          SHA256

          7f89f1e4b24dbc16fe8a87125d9ec2beea3eda8d12d759589163e29323bbf1a2

          SHA512

          79cdfac83a3a5bc150f9e4c4afd6dad55e859c0f69b355b16891b29727c8b52e5e458cea80df4b7d1aeab3e336cd6b21d8e862ee9e1f3df02ebccdc19b3d5249

        • C:\Users\Admin\AppData\Local\HF74NVWB\icardagt.exe

          Filesize

          102KB

          MD5

          03157c9dba02bfce4f263d88b2d9bb3a

          SHA1

          f7576353b6bfe36f7d92b5501a7eeb950a722bd7

          SHA256

          36560d970185c3e20e201e834ef2eef950b32b40b377366970e2fe6949ee9ecd

          SHA512

          c6a763c6d124cf119be643335d05b3b3351a9d5543508afccd2ab6497d51e151778587f9eb3bc852b13ac753bb32d85b06d7367051e66175603366b2b552b344

        • C:\Users\Admin\AppData\Local\I12\BdeUISrv.exe

          Filesize

          47KB

          MD5

          1da6b19be5d4949c868a264bc5e74206

          SHA1

          d5ee86ba03a03ef8c93d93accafe40461084c839

          SHA256

          00330a0e0eb1dbb6ee84997963f8e15c7c15c1df787f1c7f109609d7b31bd35c

          SHA512

          9cee858c55eb0852e5bad53a675a094ae591b46b07afe9fb4224cac32e0be577fe36c1ed3e9f6bda4d4eb0c924a773d00e3181cd97f07e24c6c68c70f2b002c6

        • C:\Users\Admin\AppData\Local\I12\WTSAPI32.dll

          Filesize

          173KB

          MD5

          4962828dbcbba0781e87932d853f1ac3

          SHA1

          9684b11ce11d99aaff0f39988195044fef3fb1de

          SHA256

          22d6d7a934a87017208afab0fce5e41ca97303281d8f9f9e2a3e7fcef8addc7d

          SHA512

          9981f996268f122ce7ae8af96df94ffd42ef0c6d3ff9f844e7a2493ab53ba8c0cb4568b8238d547231bf4ac480453972b8e5362d3556b49df70619efe9ee8885

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ekhyqsv.lnk

          Filesize

          1KB

          MD5

          00fc1eec0ab09f1f230689ac12b8de8d

          SHA1

          aa2eb969bc3afd198986097a5e1a282602e016ad

          SHA256

          18cef11707b90141b11c73614ace3d687a34e3d36c7b6b3a85d977877ae71183

          SHA512

          74e790d763905de75fa9893495b111e83d5eb74db85e7d607b19680eef1897c399cf2aab8dbac9fc794c53d21f09329135125d496e85d042c48190396b362626

        • C:\Users\Admin\AppData\Roaming\Microsoft\Protect\smpwSrZPA\WTSAPI32.dll

          Filesize

          691KB

          MD5

          63224b144cb1bfc690c666cf5dc72309

          SHA1

          09ce6affe35f4e8938bc9c8bc51981b5786698fb

          SHA256

          87fb6382d9d4746783a4a10bcd3b29b895e7bd8743194364a96406727832d912

          SHA512

          cb36d4d36d280ff3fb058effeaf8545ab2cb779de56d3de7210e0c2baa6f9a5ce2043a30a39519d2dedf9e70395c8d3647b3371d85326f58977616adda455ea7

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\rZIGC5s8\VERSION.dll

          Filesize

          342KB

          MD5

          b406385583f9347ac7b402df5e35c28d

          SHA1

          d4d51a0b4c2dad4fc1e8fcf642eab0ee6fe1929d

          SHA256

          fd2cf877b7a2b9a321d183c254398542b5f66e916969aeeaba7e1b703e86c2e3

          SHA512

          ca1622585be55766b86de7d58b6f269262ee8de82c4e67e57066b9e156c359f14065b7a18db59108d99bc01d31f46b2c58656bfaa309d00ef53224b8d60b0a30

        • C:\Users\Admin\AppData\Roaming\Mozilla\Extensions\TMYkDBNP8J2\TAPI32.dll

          Filesize

          131KB

          MD5

          4e71519e160975cb6363f49148ae252e

          SHA1

          374174971c12e1e7209ef4242ab17e9eabc6df6a

          SHA256

          ea50cedc1cf31105534104a68029eb20e24789233be6ab19098bca73423a12a7

          SHA512

          52960643fe3f11ee0c52e137e3765ca9952b0deeb00499c6ca1407579a3b96172888bd4c51e300413eb627f536b482a10fd65690a01e0318d79b54f65d19ef20

        • \Users\Admin\AppData\Local\FzFtepNFE\TAPI32.dll

          Filesize

          64KB

          MD5

          55ffeb9abdfa40569c9e0741e2d31e36

          SHA1

          2e82c7f16c6a5d031854f153c0eeaad64371322d

          SHA256

          63adc73067fc01298e7d07bb2b6d426ba257737dcb17dbfe6afd015182ee0a36

          SHA512

          648a69b4dbcbec93ce4cac5890efe9e1dabf139c14886ebb32b8a687737cb678844e7fe6f81c84b26bbb7555bfc5bbca2ac05ea296c4392b6d1877f17ff90e17

        • \Users\Admin\AppData\Local\HF74NVWB\VERSION.dll

          Filesize

          136KB

          MD5

          33e283f4d56a71618ace2c17b99d03cc

          SHA1

          287306d4177968d996a9ef92c82e5432771e4a48

          SHA256

          24bc320b3c4e75d919af24c6c19d86526ab3a68d42a263181eb273fc553cce7d

          SHA512

          e9219c271d7297e550214aed2556d4a00dcf1dff086b678757c557cf9d146b72f108d830f92f1499737d8119b5fe09151060140be47d29d13e67c9b2742a0ba2

        • \Users\Admin\AppData\Local\HF74NVWB\icardagt.exe

          Filesize

          74KB

          MD5

          a4d190d2541640ed09ece5930ceb8b5d

          SHA1

          a7856071120df5752b8de9709e180db0f7c653a9

          SHA256

          dea2d025bb9ba57903467c7d91210f911463379ce971d0d8ca867c4ab494c6b4

          SHA512

          94fed021fc7eb348c7ce516be76ce37a639c40d63387b6f7ecad24064c74b1f1a8763358cb18f63073a1595e3b663f9fb8c592b4e8fe5b7d09bf0f525f7668b1

        • \Users\Admin\AppData\Local\I12\WTSAPI32.dll

          Filesize

          158KB

          MD5

          02dd54cf2bc29a3bf40648c9bc01a6cc

          SHA1

          06ef037fe3f982c2d34708b2bddcd9ae665d4287

          SHA256

          f60905a55996f5c5140766f18ab7fae2daaa6ba339651ef02f0d30d73413be05

          SHA512

          30b6a90798d21434145e7c86121d228d323b27371c5487ba572394eca2dd552f1025bc888bc8fcae1ff8a890afaa15989e468c33d1a4cafc798e6c89b0d66a87

        • \Users\Admin\AppData\Roaming\Microsoft\Protect\smpwSrZPA\BdeUISrv.exe

          Filesize

          45KB

          MD5

          22128497245eebd711a8902ca1391814

          SHA1

          6a1212e03206e6f7f48078c982311be4e59cb427

          SHA256

          e185b210eef21c8a0cca2c1a66515c44f892a1b1d0c59900236391fd6e986b56

          SHA512

          b935fa6c4bce155c4ecd3ef5fc107248046116f7d276132a964317b51b5a28d382bb59612e2783fd0ec0995dbe9493df3c52dbe89b886953d7748bf412f31184

        • memory/1280-57-0x0000000140000000-0x000000014033E000-memory.dmp

          Filesize

          3.2MB

        • memory/1280-54-0x0000000140000000-0x000000014033E000-memory.dmp

          Filesize

          3.2MB

        • memory/1280-26-0x0000000140000000-0x000000014033E000-memory.dmp

          Filesize

          3.2MB

        • memory/1280-27-0x0000000140000000-0x000000014033E000-memory.dmp

          Filesize

          3.2MB

        • memory/1280-25-0x0000000140000000-0x000000014033E000-memory.dmp

          Filesize

          3.2MB

        • memory/1280-28-0x0000000140000000-0x000000014033E000-memory.dmp

          Filesize

          3.2MB

        • memory/1280-29-0x0000000140000000-0x000000014033E000-memory.dmp

          Filesize

          3.2MB

        • memory/1280-33-0x0000000140000000-0x000000014033E000-memory.dmp

          Filesize

          3.2MB

        • memory/1280-35-0x0000000140000000-0x000000014033E000-memory.dmp

          Filesize

          3.2MB

        • memory/1280-36-0x0000000140000000-0x000000014033E000-memory.dmp

          Filesize

          3.2MB

        • memory/1280-37-0x0000000140000000-0x000000014033E000-memory.dmp

          Filesize

          3.2MB

        • memory/1280-38-0x0000000140000000-0x000000014033E000-memory.dmp

          Filesize

          3.2MB

        • memory/1280-40-0x0000000140000000-0x000000014033E000-memory.dmp

          Filesize

          3.2MB

        • memory/1280-39-0x0000000140000000-0x000000014033E000-memory.dmp

          Filesize

          3.2MB

        • memory/1280-41-0x0000000140000000-0x000000014033E000-memory.dmp

          Filesize

          3.2MB

        • memory/1280-43-0x0000000140000000-0x000000014033E000-memory.dmp

          Filesize

          3.2MB

        • memory/1280-44-0x0000000140000000-0x000000014033E000-memory.dmp

          Filesize

          3.2MB

        • memory/1280-46-0x0000000140000000-0x000000014033E000-memory.dmp

          Filesize

          3.2MB

        • memory/1280-47-0x0000000140000000-0x000000014033E000-memory.dmp

          Filesize

          3.2MB

        • memory/1280-50-0x0000000140000000-0x000000014033E000-memory.dmp

          Filesize

          3.2MB

        • memory/1280-51-0x0000000140000000-0x000000014033E000-memory.dmp

          Filesize

          3.2MB

        • memory/1280-52-0x0000000140000000-0x000000014033E000-memory.dmp

          Filesize

          3.2MB

        • memory/1280-53-0x0000000140000000-0x000000014033E000-memory.dmp

          Filesize

          3.2MB

        • memory/1280-55-0x0000000140000000-0x000000014033E000-memory.dmp

          Filesize

          3.2MB

        • memory/1280-56-0x0000000140000000-0x000000014033E000-memory.dmp

          Filesize

          3.2MB

        • memory/1280-58-0x0000000140000000-0x000000014033E000-memory.dmp

          Filesize

          3.2MB

        • memory/1280-9-0x0000000140000000-0x000000014033E000-memory.dmp

          Filesize

          3.2MB

        • memory/1280-59-0x0000000140000000-0x000000014033E000-memory.dmp

          Filesize

          3.2MB

        • memory/1280-60-0x0000000140000000-0x000000014033E000-memory.dmp

          Filesize

          3.2MB

        • memory/1280-61-0x0000000140000000-0x000000014033E000-memory.dmp

          Filesize

          3.2MB

        • memory/1280-62-0x0000000140000000-0x000000014033E000-memory.dmp

          Filesize

          3.2MB

        • memory/1280-65-0x0000000140000000-0x000000014033E000-memory.dmp

          Filesize

          3.2MB

        • memory/1280-63-0x0000000140000000-0x000000014033E000-memory.dmp

          Filesize

          3.2MB

        • memory/1280-64-0x0000000140000000-0x000000014033E000-memory.dmp

          Filesize

          3.2MB

        • memory/1280-71-0x0000000002910000-0x0000000002917000-memory.dmp

          Filesize

          28KB

        • memory/1280-10-0x0000000140000000-0x000000014033E000-memory.dmp

          Filesize

          3.2MB

        • memory/1280-48-0x0000000140000000-0x000000014033E000-memory.dmp

          Filesize

          3.2MB

        • memory/1280-49-0x0000000140000000-0x000000014033E000-memory.dmp

          Filesize

          3.2MB

        • memory/1280-45-0x0000000140000000-0x000000014033E000-memory.dmp

          Filesize

          3.2MB

        • memory/1280-42-0x0000000140000000-0x000000014033E000-memory.dmp

          Filesize

          3.2MB

        • memory/1280-34-0x0000000140000000-0x000000014033E000-memory.dmp

          Filesize

          3.2MB

        • memory/1280-79-0x00000000773C1000-0x00000000773C2000-memory.dmp

          Filesize

          4KB

        • memory/1280-32-0x0000000140000000-0x000000014033E000-memory.dmp

          Filesize

          3.2MB

        • memory/1280-80-0x0000000077520000-0x0000000077522000-memory.dmp

          Filesize

          8KB

        • memory/1280-31-0x0000000140000000-0x000000014033E000-memory.dmp

          Filesize

          3.2MB

        • memory/1280-30-0x0000000140000000-0x000000014033E000-memory.dmp

          Filesize

          3.2MB

        • memory/1280-23-0x0000000140000000-0x000000014033E000-memory.dmp

          Filesize

          3.2MB

        • memory/1280-24-0x0000000140000000-0x000000014033E000-memory.dmp

          Filesize

          3.2MB

        • memory/1280-5-0x0000000002940000-0x0000000002941000-memory.dmp

          Filesize

          4KB

        • memory/1280-22-0x0000000140000000-0x000000014033E000-memory.dmp

          Filesize

          3.2MB

        • memory/1280-4-0x00000000772B6000-0x00000000772B7000-memory.dmp

          Filesize

          4KB

        • memory/1280-21-0x0000000140000000-0x000000014033E000-memory.dmp

          Filesize

          3.2MB

        • memory/1280-12-0x0000000140000000-0x000000014033E000-memory.dmp

          Filesize

          3.2MB

        • memory/1280-20-0x0000000140000000-0x000000014033E000-memory.dmp

          Filesize

          3.2MB

        • memory/1280-7-0x0000000140000000-0x000000014033E000-memory.dmp

          Filesize

          3.2MB

        • memory/1280-19-0x0000000140000000-0x000000014033E000-memory.dmp

          Filesize

          3.2MB

        • memory/1280-18-0x0000000140000000-0x000000014033E000-memory.dmp

          Filesize

          3.2MB

        • memory/1280-17-0x0000000140000000-0x000000014033E000-memory.dmp

          Filesize

          3.2MB

        • memory/1280-16-0x0000000140000000-0x000000014033E000-memory.dmp

          Filesize

          3.2MB

        • memory/1280-14-0x0000000140000000-0x000000014033E000-memory.dmp

          Filesize

          3.2MB

        • memory/1280-11-0x0000000140000000-0x000000014033E000-memory.dmp

          Filesize

          3.2MB

        • memory/1280-13-0x0000000140000000-0x000000014033E000-memory.dmp

          Filesize

          3.2MB

        • memory/1280-171-0x00000000772B6000-0x00000000772B7000-memory.dmp

          Filesize

          4KB

        • memory/1280-15-0x0000000140000000-0x000000014033E000-memory.dmp

          Filesize

          3.2MB

        • memory/1696-125-0x0000000000210000-0x0000000000217000-memory.dmp

          Filesize

          28KB

        • memory/1748-107-0x0000000000310000-0x0000000000317000-memory.dmp

          Filesize

          28KB

        • memory/1968-8-0x0000000140000000-0x000000014033E000-memory.dmp

          Filesize

          3.2MB

        • memory/1968-0-0x00000000001B0000-0x00000000001B7000-memory.dmp

          Filesize

          28KB

        • memory/1968-1-0x0000000140000000-0x000000014033E000-memory.dmp

          Filesize

          3.2MB

        • memory/2896-149-0x00000000000F0000-0x00000000000F7000-memory.dmp

          Filesize

          28KB
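The memory dumps above show the 0x140000000-0x14033E000 region (0x33E000 bytes, the target DLL's 3.2MB) captured both from the rundll32.exe launcher (PID 1968) and from PID 1280, a process that does not appear in the process list, plus a 28KB region in every one of the dropped host processes. The following Python script is an added example for this page, not sandbox tooling: it parses dump names in the report's own naming format, lists regions that appear in more than one process, and groups regions by size. The DUMPS list is a subset of the names copied from this report. Reading the cross-process 3.2MB region as the DLL image mapped into a second process (the injection the Dridex Shellcode signature refers to) is an inference, and the report does not name the image of PID 1280.

```python
"""Group the sandbox memory dumps by process and region to spot an image that
was mapped into more than one process. Added example; not sandbox tooling."""
import re
from collections import defaultdict

# Dump names as they appear in the report's file list:
#   memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9a-fA-F]+)-0x(?P<end>[0-9a-fA-F]+)-memory\.dmp$"
)

# Subset of the dump names from this report (copied, not the full list).
DUMPS = [
    "memory/1968-0-0x00000000001B0000-0x00000000001B7000-memory.dmp",
    "memory/1968-1-0x0000000140000000-0x000000014033E000-memory.dmp",
    "memory/1968-8-0x0000000140000000-0x000000014033E000-memory.dmp",
    "memory/1280-4-0x00000000772B6000-0x00000000772B7000-memory.dmp",
    "memory/1280-5-0x0000000002940000-0x0000000002941000-memory.dmp",
    "memory/1280-7-0x0000000140000000-0x000000014033E000-memory.dmp",
    "memory/1280-57-0x0000000140000000-0x000000014033E000-memory.dmp",
    "memory/1280-71-0x0000000002910000-0x0000000002917000-memory.dmp",
    "memory/1280-79-0x00000000773C1000-0x00000000773C2000-memory.dmp",
    "memory/1280-80-0x0000000077520000-0x0000000077522000-memory.dmp",
    "memory/1280-171-0x00000000772B6000-0x00000000772B7000-memory.dmp",
    "memory/1748-107-0x0000000000310000-0x0000000000317000-memory.dmp",
    "memory/1696-125-0x0000000000210000-0x0000000000217000-memory.dmp",
    "memory/2896-149-0x00000000000F0000-0x00000000000F7000-memory.dmp",
]


def parse_dump(name):
    """Return pid, dump index, start, end and size for one dump name, or None."""
    m = DUMP_RE.match(name)
    if not m:
        return None
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"pid": int(m["pid"]), "idx": int(m["idx"]),
            "start": start, "end": end, "size": end - start}


def cross_process_regions(names):
    """Regions with identical start and end dumped from two or more PIDs.

    A module loaded at its preferred base lands at the same address in every
    process, so an image-sized region shared between the launcher and another
    PID is the cheapest sign in this listing that the image was mapped there.
    """
    pids_by_region = defaultdict(set)
    for name in names:
        d = parse_dump(name)
        if d:
            pids_by_region[(d["start"], d["end"])].add(d["pid"])
    return [
        {"start": start, "end": end, "size": end - start, "pids": sorted(pids)}
        for (start, end), pids in sorted(pids_by_region.items())
        if len(pids) > 1
    ]


def regions_of_size(names, size):
    """PID -> sorted distinct region starts whose length is exactly `size`.

    Used here for the 0x7000 (28KB) regions that every process in the report
    carries at a different, low address.
    """
    hits = defaultdict(set)
    for name in names:
        d = parse_dump(name)
        if d and d["size"] == size:
            hits[d["pid"]].add(d["start"])
    return {pid: sorted(starts) for pid, starts in hits.items()}


if __name__ == "__main__":
    for r in cross_process_regions(DUMPS):
        print(f"0x{r['start']:X}-0x{r['end']:X} ({r['size'] / 2**20:.2f} MiB) in PIDs {r['pids']}")
    for pid, starts in sorted(regions_of_size(DUMPS, 0x7000).items()):
        print(f"PID {pid}: 28KB region(s) at {[hex(s) for s in starts]}")
```

Run against the full list on the page, the result is the same: only the 0x33E000-byte region at 0x140000000 is shared, and it is shared between the launcher and PID 1280 only; the dropped host processes (1748, 1696, 2896) each contribute just a 28KB region in this report. What that 28KB region contains is not something the listing can tell you; it has to be pulled from the dump itself.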