Analysis

  • max time kernel
    150s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    26-01-2024 00:55

General

  • Target

    75f65720fe58821d96cea7f4f1f6f530.dll

  • Size

    3.5MB

  • MD5

    75f65720fe58821d96cea7f4f1f6f530

  • SHA1

    2a9ff7f107e3feda0a0dfece7a475e0950b023b8

  • SHA256

    dc652ba2912e47491ce16ba0da31998a4f7f8e30dc968203b5ed070fcebbf887

  • SHA512

    cf57fd4f1285344ee520906509c946f0416ac4e85b4fff18f308b8cfbb65fc7fb4dac573a9c65a90ef1c95f131592b11011a53117225a19c1e88114ad830b2f3

  • SSDEEP

    12288:PVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:mfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Malware Config

Signatures

  • Dridex

    Dridex (known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 8 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\75f65720fe58821d96cea7f4f1f6f530.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2772
  • C:\Windows\system32\rdpclip.exe
    C:\Windows\system32\rdpclip.exe
    1⤵
      PID:1248
    • C:\Users\Admin\AppData\Local\jvzgmK\rdpclip.exe
      C:\Users\Admin\AppData\Local\jvzgmK\rdpclip.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2224
    • C:\Windows\system32\ComputerDefaults.exe
      C:\Windows\system32\ComputerDefaults.exe
      1⤵
        PID:1732
      • C:\Users\Admin\AppData\Local\Zac\ComputerDefaults.exe
        C:\Users\Admin\AppData\Local\Zac\ComputerDefaults.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:1548
      • C:\Windows\system32\VaultSysUi.exe
        C:\Windows\system32\VaultSysUi.exe
        1⤵
          PID:2492
        • C:\Users\Admin\AppData\Local\9CUd\VaultSysUi.exe
          C:\Users\Admin\AppData\Local\9CUd\VaultSysUi.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2400

        Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\9CUd\credui.dll

          Filesize

          2.3MB

          MD5

          a12a864b1ab1be297ae245b45ca77d85

          SHA1

          efd7cae5e91f53cab259325219169a50fe793655

          SHA256

          5277bbf58b3208380062673c81249431d4d7628abfa35caa140560c3d80d0394

          SHA512

          32b1f95285175f58b5f86e0dcddaffc7b03385fc9319267792b7a9e370fa4ef727c4e8564938fb39f664e6ce66dd595308306e2280013354f54d7d22857258f7

        • C:\Users\Admin\AppData\Local\Zac\ComputerDefaults.exe

          Filesize

          36KB

          MD5

          86bd981f55341273753ac42ea200a81e

          SHA1

          14fe410efc9aeb0a905b984ac27719ff0dd10ea7

          SHA256

          40b194be2bad2d3d4d1b69f9aec2853c8b663130810a11607ff72a9e3a06d5b3

          SHA512

          49bb6d4bf7a9356fadde7f6165af6973630827d28b69db10ad477a84d98b08fb82e4daae777166e1ddddb5b5efcdf634e4e9bd34b255dae87462ba32e8bba143

        • C:\Users\Admin\AppData\Local\Zac\appwiz.cpl

          Filesize

          512KB

          MD5

          1fb78a3cc71c83bcc85ab36f87be4321

          SHA1

          2ad7623204c0e1ae6c25382948e4b29f1c15ff5e

          SHA256

          8433f5deaa2536f5ba9c33b57b9ca50eaea03a3ea4aa1d02d302ee3daf6c8056

          SHA512

          f4d276f1809b2961177a374a0b6385a476ce6da41a661122ce1499f2ff19ca05d913d522578f7a01e1399432ef506a7b589db360b3e42a1f2203df47995c92d0

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ercyejwqgvsruoy.lnk

          Filesize

          921B

          MD5

          26101af389c944fa1e85d75b5130c27a

          SHA1

          a03a6a1b9716ac6e689f7a0de4121d3dc97f17df

          SHA256

          90293f5a19e07971705e0b57c9a5a21fdb3590ebf1e7132f31eabce379054d56

          SHA512

          5d3793a47422baeba9c0d09ef7dc6801ca2a724b1c0ca8d8d00163ae3828f053e7d8478665fc5e86a20624a798ed9dd41a3932293e7c4016d3d41c45c8e927a6

        • C:\Users\Admin\AppData\Roaming\Macromedia\WREL\credui.dll

          Filesize

          3.5MB

          MD5

          6935049e89968874c453d1fe02bfcaee

          SHA1

          4bf50fc86e81851059eac8d4bd6898f4414dbce8

          SHA256

          978a20f4f06419ee58f4b2f8184dcfcff2a5f4d0dd2596f3af44d0ac698c3660

          SHA512

          8732788356a95666983b94900706b7fa43ead42cf8172ae5360935f8ec85afbbcf0e091ce34b8acbd405a9a7e5ea7d95cd66394017e0c42c149dbd91cb55cc30

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\z3cd\appwiz.cpl

          Filesize

          3.5MB

          MD5

          69bbd5b7143ab36334d117e538563464

          SHA1

          7487251acc0fa4ad4643d96d5cc13457b458b1e1

          SHA256

          de568870f52c78e34d35db8ff98bbe744d85801aca9be937862a5294c4b35f36

          SHA512

          3311107f1b86a6a4403d6629108c60da7bf3ef50bb8b6e08b5705a8c15d52bc63d2ac32a52cacbe3cd9f9953aa8b0732806e1f4f0a14a0d72301d6fec3544842

        • \Users\Admin\AppData\Local\9CUd\VaultSysUi.exe

          Filesize

          39KB

          MD5

          f40ef105d94350d36c799ee23f7fec0f

          SHA1

          ee3a5cfe8b807e1c1718a27eb97fa134360816e3

          SHA256

          eeb3f79be414b81f4eb8167390641787f14a033414533fb8de651c2247d054b2

          SHA512

          f16bcca6f6cecbdae117d5a41de7e86a6d9dfdfa2ce8c75ebff10d097083c106e7f9d030debed8cb20fdd71815a8aa7723a1d3c68b38ec382e55370331c594a1

        • \Users\Admin\AppData\Local\9CUd\credui.dll

          Filesize

          2.0MB

          MD5

          a1a2918303b7006e00c031f4f69705ac

          SHA1

          9fd8b0d4d49620da1664aab5d32fc477328f2bf4

          SHA256

          62ba3222c310edf52ee23d59424ba5c036fe8fec115df844c65726f5d07b6ae2

          SHA512

          794ba8edbb8499984c7a2243ff0abc053f36df5564733a20ee6a3462621975a2f3afc685236cc5d5f1fcdbef29362d4d1b8efc5476aff0931060ff3e27508518

        • \Users\Admin\AppData\Local\Zac\appwiz.cpl

          Filesize

          64KB

          MD5

          71f17a85abbc72bc87f3ef680c51eb3d

          SHA1

          b554444db3c1d8953579d1871c340b10a667ce9d

          SHA256

          be815dfa3d230f883d35207048d7f2623700c2df270a64543626fc1b64f263da

          SHA512

          19971a4fac2538c5bec3ae60699c9cb744863893085ef75339db207396459b676096eb20ae8742b861aad2e7d77f56d998687158e0f32ef66d2c089b8d106762

        • \Users\Admin\AppData\Local\jvzgmK\WTSAPI32.dll

          Filesize

          3.5MB

          MD5

          8cb554e8036652806cc12d92e38bcf19

          SHA1

          c2dc370b87232ab731e9447441db5901f23f9bbc

          SHA256

          ac5c9fc33a4bee4f9a4e2d241024ca7284765c80ddac41530d325a72d926aa25

          SHA512

          4eae8de092a6f0f01192c09ca9284b53cfbbc84c3b1c31bc61226bb6f97ced510e18df938040e280761ca39ce1f70b6084917c213a85f571adc7b45fea176401

        • \Users\Admin\AppData\Local\jvzgmK\rdpclip.exe

          Filesize

          206KB

          MD5

          25d284eb2f12254c001afe9a82575a81

          SHA1

          cf131801fdd5ec92278f9e0ae62050e31c6670a5

          SHA256

          837e0d864c474956c0d9d4e7ae5f884007f19b7f420db9afcf0d266aefa6608b

          SHA512

          7b4f208fa1681a0a139577ebc974e7acfc85e3c906a674e111223783460585eb989cb6b38f215d79f89e747a0e9224d90e1aa43e091d2042edb8bac7b27b968b

        • memory/1228-37-0x0000000140000000-0x000000014037E000-memory.dmp

          Filesize

          3.5MB

        • memory/1228-61-0x0000000140000000-0x000000014037E000-memory.dmp

          Filesize

          3.5MB

        • memory/1228-19-0x0000000140000000-0x000000014037E000-memory.dmp

          Filesize

          3.5MB

        • memory/1228-20-0x0000000140000000-0x000000014037E000-memory.dmp

          Filesize

          3.5MB

        • memory/1228-21-0x0000000140000000-0x000000014037E000-memory.dmp

          Filesize

          3.5MB

        • memory/1228-22-0x0000000140000000-0x000000014037E000-memory.dmp

          Filesize

          3.5MB

        • memory/1228-23-0x0000000140000000-0x000000014037E000-memory.dmp

          Filesize

          3.5MB

        • memory/1228-24-0x0000000140000000-0x000000014037E000-memory.dmp

          Filesize

          3.5MB

        • memory/1228-25-0x0000000140000000-0x000000014037E000-memory.dmp

          Filesize

          3.5MB

        • memory/1228-26-0x0000000140000000-0x000000014037E000-memory.dmp

          Filesize

          3.5MB

        • memory/1228-27-0x0000000140000000-0x000000014037E000-memory.dmp

          Filesize

          3.5MB

        • memory/1228-30-0x0000000140000000-0x000000014037E000-memory.dmp

          Filesize

          3.5MB

        • memory/1228-29-0x0000000140000000-0x000000014037E000-memory.dmp

          Filesize

          3.5MB

        • memory/1228-28-0x0000000140000000-0x000000014037E000-memory.dmp

          Filesize

          3.5MB

        • memory/1228-32-0x0000000140000000-0x000000014037E000-memory.dmp

          Filesize

          3.5MB

        • memory/1228-31-0x0000000140000000-0x000000014037E000-memory.dmp

          Filesize

          3.5MB

        • memory/1228-35-0x0000000140000000-0x000000014037E000-memory.dmp

          Filesize

          3.5MB

        • memory/1228-34-0x0000000140000000-0x000000014037E000-memory.dmp

          Filesize

          3.5MB

        • memory/1228-33-0x0000000140000000-0x000000014037E000-memory.dmp

          Filesize

          3.5MB

        • memory/1228-47-0x0000000140000000-0x000000014037E000-memory.dmp

          Filesize

          3.5MB

        • memory/1228-46-0x0000000140000000-0x000000014037E000-memory.dmp

          Filesize

          3.5MB

        • memory/1228-45-0x0000000140000000-0x000000014037E000-memory.dmp

          Filesize

          3.5MB

        • memory/1228-44-0x0000000140000000-0x000000014037E000-memory.dmp

          Filesize

          3.5MB

        • memory/1228-43-0x0000000140000000-0x000000014037E000-memory.dmp

          Filesize

          3.5MB

        • memory/1228-42-0x0000000140000000-0x000000014037E000-memory.dmp

          Filesize

          3.5MB

        • memory/1228-41-0x0000000140000000-0x000000014037E000-memory.dmp

          Filesize

          3.5MB

        • memory/1228-40-0x0000000140000000-0x000000014037E000-memory.dmp

          Filesize

          3.5MB

        • memory/1228-39-0x0000000140000000-0x000000014037E000-memory.dmp

          Filesize

          3.5MB

        • memory/1228-38-0x0000000140000000-0x000000014037E000-memory.dmp

          Filesize

          3.5MB

        • memory/1228-4-0x0000000077176000-0x0000000077177000-memory.dmp

          Filesize

          4KB

        • memory/1228-36-0x0000000140000000-0x000000014037E000-memory.dmp

          Filesize

          3.5MB

        • memory/1228-65-0x0000000140000000-0x000000014037E000-memory.dmp

          Filesize

          3.5MB

        • memory/1228-64-0x0000000140000000-0x000000014037E000-memory.dmp

          Filesize

          3.5MB

        • memory/1228-63-0x0000000140000000-0x000000014037E000-memory.dmp

          Filesize

          3.5MB

        • memory/1228-62-0x0000000140000000-0x000000014037E000-memory.dmp

          Filesize

          3.5MB

        • memory/1228-18-0x0000000140000000-0x000000014037E000-memory.dmp

          Filesize

          3.5MB

        • memory/1228-60-0x0000000140000000-0x000000014037E000-memory.dmp

          Filesize

          3.5MB

        • memory/1228-59-0x0000000140000000-0x000000014037E000-memory.dmp

          Filesize

          3.5MB

        • memory/1228-58-0x0000000140000000-0x000000014037E000-memory.dmp

          Filesize

          3.5MB

        • memory/1228-57-0x0000000140000000-0x000000014037E000-memory.dmp

          Filesize

          3.5MB

        • memory/1228-56-0x0000000140000000-0x000000014037E000-memory.dmp

          Filesize

          3.5MB

        • memory/1228-55-0x0000000140000000-0x000000014037E000-memory.dmp

          Filesize

          3.5MB

        • memory/1228-54-0x0000000140000000-0x000000014037E000-memory.dmp

          Filesize

          3.5MB

        • memory/1228-53-0x0000000140000000-0x000000014037E000-memory.dmp

          Filesize

          3.5MB

        • memory/1228-52-0x0000000140000000-0x000000014037E000-memory.dmp

          Filesize

          3.5MB

        • memory/1228-51-0x0000000140000000-0x000000014037E000-memory.dmp

          Filesize

          3.5MB

        • memory/1228-50-0x0000000140000000-0x000000014037E000-memory.dmp

          Filesize

          3.5MB

        • memory/1228-49-0x0000000140000000-0x000000014037E000-memory.dmp

          Filesize

          3.5MB

        • memory/1228-48-0x0000000140000000-0x000000014037E000-memory.dmp

          Filesize

          3.5MB

        • memory/1228-80-0x0000000002730000-0x0000000002737000-memory.dmp

          Filesize

          28KB

        • memory/1228-17-0x0000000140000000-0x000000014037E000-memory.dmp

          Filesize

          3.5MB

        • memory/1228-16-0x0000000140000000-0x000000014037E000-memory.dmp

          Filesize

          3.5MB

        • memory/1228-193-0x0000000077176000-0x0000000077177000-memory.dmp

          Filesize

          4KB

        • memory/1228-15-0x0000000140000000-0x000000014037E000-memory.dmp

          Filesize

          3.5MB

        • memory/1228-14-0x0000000140000000-0x000000014037E000-memory.dmp

          Filesize

          3.5MB

        • memory/1228-13-0x0000000140000000-0x000000014037E000-memory.dmp

          Filesize

          3.5MB

        • memory/1228-5-0x0000000002AA0000-0x0000000002AA1000-memory.dmp

          Filesize

          4KB

        • memory/1228-12-0x0000000140000000-0x000000014037E000-memory.dmp

          Filesize

          3.5MB

        • memory/1228-11-0x0000000140000000-0x000000014037E000-memory.dmp

          Filesize

          3.5MB

        • memory/1228-10-0x0000000140000000-0x000000014037E000-memory.dmp

          Filesize

          3.5MB

        • memory/1228-7-0x0000000140000000-0x000000014037E000-memory.dmp

          Filesize

          3.5MB

        • memory/1228-9-0x0000000140000000-0x000000014037E000-memory.dmp

          Filesize

          3.5MB

        • memory/1228-175-0x00000000774E0000-0x00000000774E2000-memory.dmp

          Filesize

          8KB

        • memory/1228-176-0x0000000077381000-0x0000000077382000-memory.dmp

          Filesize

          4KB

        • memory/1548-131-0x0000000000370000-0x0000000000377000-memory.dmp

          Filesize

          28KB

        • memory/2224-113-0x0000000000180000-0x0000000000187000-memory.dmp

          Filesize

          28KB

        • memory/2400-154-0x00000000000E0000-0x00000000000E7000-memory.dmp

          Filesize

          28KB

        • memory/2772-0-0x0000000000290000-0x0000000000297000-memory.dmp

          Filesize

          28KB

        • memory/2772-1-0x0000000140000000-0x000000014037E000-memory.dmp

          Filesize

          3.5MB

        • memory/2772-8-0x0000000140000000-0x000000014037E000-memory.dmp

          Filesize

          3.5MB