Analysis

  • max time kernel
    150s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    25-01-2024 20:50

General

  • Target

    757e0a2c79443f7d9de1d2fa72898839.dll

  • Size

    668KB

  • MD5

    757e0a2c79443f7d9de1d2fa72898839

  • SHA1

    60098803bc798f80bf40d9f4621651f344c6dc23

  • SHA256

    18d9182f2a3793c2c3eae6bb486603ed056d9bd1d3303da091ceaa8fbed7228b

  • SHA512

    018eb061037a6f67b58978399855a60802d4cb3b3822d23c2747de1d5d83258dabb10d1423510cf8cff05f5c25828685f3cf190b8d68bee3484595b71f4edda0

  • SSDEEP

    6144:o34xznfAp4x+NWMqW/KZ1vCDTEpc2bysCZR6iwAtUnWKT5WK8Rpv1llfFfCRAuTF:oIKp/UWCZdCDh2IZDwAFRpR6Au

Malware Config

Signatures

  • Dridex

    Dridex (known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

  • Dridex payload 11 IoCs

    Detects Dridex x64 core DLL in memory.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\757e0a2c79443f7d9de1d2fa72898839.dll,#1
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1768
  • C:\Windows\system32\spreview.exe
    C:\Windows\system32\spreview.exe
    PID:2572
    • C:\Users\Admin\AppData\Local\tvVMyL8fZ\spreview.exe
      C:\Users\Admin\AppData\Local\tvVMyL8fZ\spreview.exe
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2612
    • C:\Windows\system32\slui.exe
      C:\Windows\system32\slui.exe
      PID:2924
      • C:\Users\Admin\AppData\Local\W6AJD6p55\slui.exe
        C:\Users\Admin\AppData\Local\W6AJD6p55\slui.exe
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2904
      • C:\Windows\system32\cttune.exe
        C:\Windows\system32\cttune.exe
        PID:1932
        • C:\Users\Admin\AppData\Local\T90p\cttune.exe
          C:\Users\Admin\AppData\Local\T90p\cttune.exe
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:288

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\T90p\OLEACC.dll
    Filesize: 672KB
    MD5: e117eaf81777895c668a81e2ea6ee047
    SHA1: f87fb5901001d9e6290188292dcfacaf088fb762
    SHA256: 39acf884289c55948161fbfe5f1cb17ad7ffc4de4badc806b33d2cf14309abf4
    SHA512: 7d840aadde23982285e8addf3e5dd946e8304265af53786272c41648807564baf777d0005fd90d6e1e8cf91a42a8e51edae85a86c5972f1406f57b7757eb1ecb

  • C:\Users\Admin\AppData\Local\W6AJD6p55\WINBRAND.dll
    Filesize: 672KB
    MD5: 0f232baba4d39571b154b880710c9ab7
    SHA1: 9259e6bca876bfcb56aa7d6f276272e18f532e3f
    SHA256: 06001b493c35d4c28c0c0acd3ad5bf098811d942e1147813db765fba213617e5
    SHA512: f681db5a3dec52416646958df5b6291e27f150264651b9b5779104263b4767e18601dca41204a4fa0994d7976c608fded4726368a219499bf8460956df270f80

  • C:\Users\Admin\AppData\Local\tvVMyL8fZ\VERSION.dll
    Filesize: 672KB
    MD5: 3a5efc53cd7f1604c088bb2e5f308520
    SHA1: b966121f1290011ab3f097b5042c09ca32e3fabe
    SHA256: 7bb631134bb0e14080f0eed540407f456ee5e5a83b9dd97363cb4d44782e7cf9
    SHA512: f1840a304008c49c96970ddd1c21ac322575e375e67092dce37b75e6ed1bb96e5207612f0db4fbb6e6ac88e43e47231b69be37f3ae6de7098afd3e4a462515f7

  • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Yiudzqwx.lnk
    Filesize: 1KB
    MD5: d40cf5df27feadd09a00e7f8ff162cc9
    SHA1: 83fa0469d96d6a0655838dbf14dbf38551ff3f91
    SHA256: c4f5ebdf9fe838f8a0b636605a70d7ef4cb985b27af7aa373249569316508709
    SHA512: bdd92686c16616b82011a6a8f3fd9987cb53d6bfc53caf29b646e9e170d3d39b31016ceefecd01a99ffa6b3f38ce7aa3ccb67039d4427a9c5f7ce1ba90a57ec6

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\1u\OLEACC.dll
    Filesize: 64KB
    MD5: 85f77645b0445c630413fa925e54c1ca
    SHA1: ee42131d6fa64ae0daacdad0c87bcf449e9b84cf
    SHA256: aacdf4b4f7aeadaf05b5bd1fdbcd9d7b9460476eb4da7af03087231a1b7fd562
    SHA512: c54423af3d5827a3604c23197022375fd25b312afeb41b11798b8ea8993c979c8d142d9282c944f9172a2d81f59184fe4fe25fd8a4089d921017af29dc602d76

  • \Users\Admin\AppData\Local\T90p\cttune.exe
    Filesize: 314KB
    MD5: 7116848fd23e6195fcbbccdf83ce9af4
    SHA1: 35fb16a0b68f8a84d5dfac8c110ef5972f1bee93
    SHA256: 39937665f72725bdb3b82389a5dbd906c63f4c14208312d7f7a59d6067e1cfa6
    SHA512: e38bf57eee5836b8598dd88dc3d266f497d911419a8426f73df6dcaa503611a965aabbd746181cb19bc38eebdb48db778a17f781a8f9e706cbd7a6ebec38f894

  • \Users\Admin\AppData\Local\W6AJD6p55\slui.exe
    Filesize: 341KB
    MD5: c5ce5ce799387e82b7698a0ee5544a6d
    SHA1: ed37fdb169bb539271c117d3e8a5f14fd8df1c0d
    SHA256: 34aa7ca0ea833263a6883827e161a5c218576c5ad97e0ce386fad4250676b42c
    SHA512: 79453b45e1f38d164ee3dbc232f774ff121d4394c22783140f5c8c722f184a69f499f2fb9621bdb28f565065b791883526e1a1d4abef9df82289613c2ce97a5c

  • \Users\Admin\AppData\Local\tvVMyL8fZ\spreview.exe
    Filesize: 294KB
    MD5: 704cd4cac010e8e6d8de9b778ed17773
    SHA1: 81856abf70640f102b8b3defe2cf65669fe8e165
    SHA256: 4307f21d3ec3b51cba6a905a80045314ffccb4c60c11d99a3d77cc8103014208
    SHA512: b380264276bad01d619a5f1f112791d6bf73dc52cdd5cca0cc1f726a6f66eefc5a78a37646792987c508f9cb5049f0eb86c71fb4c7a2d3e670c0c8623f0522ee

  • memory/288-92-0x000007FEF6960000-0x000007FEF6A08000-memory.dmp (Filesize: 672KB)
  • memory/288-88-0x0000000000370000-0x0000000000377000-memory.dmp (Filesize: 28KB)
  • memory/1272-25-0x0000000077A70000-0x0000000077A72000-memory.dmp (Filesize: 8KB)
  • memory/1272-3-0x0000000077806000-0x0000000077807000-memory.dmp (Filesize: 4KB)
  • memory/1272-13-0x0000000140000000-0x00000001400A7000-memory.dmp (Filesize: 668KB)
  • memory/1272-11-0x0000000140000000-0x00000001400A7000-memory.dmp (Filesize: 668KB)
  • memory/1272-8-0x0000000140000000-0x00000001400A7000-memory.dmp (Filesize: 668KB)
  • memory/1272-6-0x0000000140000000-0x00000001400A7000-memory.dmp (Filesize: 668KB)
  • memory/1272-24-0x0000000140000000-0x00000001400A7000-memory.dmp (Filesize: 668KB)
  • memory/1272-26-0x0000000077AA0000-0x0000000077AA2000-memory.dmp (Filesize: 8KB)
  • memory/1272-9-0x0000000140000000-0x00000001400A7000-memory.dmp (Filesize: 668KB)
  • memory/1272-37-0x0000000140000000-0x00000001400A7000-memory.dmp (Filesize: 668KB)
  • memory/1272-35-0x0000000140000000-0x00000001400A7000-memory.dmp (Filesize: 668KB)
  • memory/1272-7-0x0000000140000000-0x00000001400A7000-memory.dmp (Filesize: 668KB)
  • memory/1272-16-0x0000000002210000-0x0000000002217000-memory.dmp (Filesize: 28KB)
  • memory/1272-17-0x0000000140000000-0x00000001400A7000-memory.dmp (Filesize: 668KB)
  • memory/1272-4-0x0000000002D60000-0x0000000002D61000-memory.dmp (Filesize: 4KB)
  • memory/1272-15-0x0000000140000000-0x00000001400A7000-memory.dmp (Filesize: 668KB)
  • memory/1272-10-0x0000000140000000-0x00000001400A7000-memory.dmp (Filesize: 668KB)
  • memory/1272-62-0x0000000077806000-0x0000000077807000-memory.dmp (Filesize: 4KB)
  • memory/1272-14-0x0000000140000000-0x00000001400A7000-memory.dmp (Filesize: 668KB)
  • memory/1272-12-0x0000000140000000-0x00000001400A7000-memory.dmp (Filesize: 668KB)
  • memory/1768-1-0x000007FEF6F70000-0x000007FEF7017000-memory.dmp (Filesize: 668KB)
  • memory/1768-38-0x000007FEF6F70000-0x000007FEF7017000-memory.dmp (Filesize: 668KB)
  • memory/1768-0-0x0000000000120000-0x0000000000127000-memory.dmp (Filesize: 28KB)
  • memory/2612-53-0x0000000000410000-0x0000000000417000-memory.dmp (Filesize: 28KB)
  • memory/2612-57-0x000007FEF7020000-0x000007FEF70C8000-memory.dmp (Filesize: 672KB)
  • memory/2612-52-0x000007FEF7020000-0x000007FEF70C8000-memory.dmp (Filesize: 672KB)
  • memory/2904-75-0x000007FEF6960000-0x000007FEF6A08000-memory.dmp (Filesize: 672KB)
  • memory/2904-72-0x0000000000190000-0x0000000000197000-memory.dmp (Filesize: 28KB)
  • memory/2904-70-0x000007FEF6960000-0x000007FEF6A08000-memory.dmp (Filesize: 672KB)