Analysis

  • max time kernel
    149s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    26-01-2024 05:13

General

  • Target

    76793acc5d4fbc8010e234153b47c147.dll

  • Size

    2.9MB

  • MD5

    76793acc5d4fbc8010e234153b47c147

  • SHA1

    4b78ec6bf864956998aba727320eb629d82e15d9

  • SHA256

    51148fdd8214cd04462c3c1e06dea7736dcbc85cacf0e7ed50a028df5812136c

  • SHA512

    b7e5911d471a4f1a8cb882c0d1fbd07c1cfdc0368716d0ddc25872012018bed4fe574bf65543ea4196fd68c4c205b896a11375c1a38cef784fd792541579d885

  • SSDEEP

    12288:SVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:PfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a banking trojan that specializes in stealing online-banking credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex payload shellcode injected into the Explorer process.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\76793acc5d4fbc8010e234153b47c147.dll,#1
    PID:2264
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
  • C:\Windows\system32\taskmgr.exe
    C:\Windows\system32\taskmgr.exe
    PID:2868
  • C:\Users\Admin\AppData\Local\Q2Nrip\taskmgr.exe
    C:\Users\Admin\AppData\Local\Q2Nrip\taskmgr.exe
    PID:2964
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
  • C:\Windows\system32\BitLockerWizardElev.exe
    C:\Windows\system32\BitLockerWizardElev.exe
    PID:332
  • C:\Users\Admin\AppData\Local\CTYBLcK\BitLockerWizardElev.exe
    C:\Users\Admin\AppData\Local\CTYBLcK\BitLockerWizardElev.exe
    PID:1888
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
  • C:\Windows\system32\sdclt.exe
    C:\Windows\system32\sdclt.exe
    PID:604
  • C:\Users\Admin\AppData\Local\V5ejf1w9\sdclt.exe
    C:\Users\Admin\AppData\Local\V5ejf1w9\sdclt.exe
    PID:692
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled

  Each System32 binary that runs (taskmgr.exe, BitLockerWizardElev.exe, sdclt.exe) is followed by a copy of the same binary running from a randomly named directory under %LOCALAPPDATA% that also receives a dropped DLL (Secur32.dll, FVEWIZ.dll and UxTheme.dll respectively; see Downloads), a layout consistent with DLL search-order hijacking. The process that owns most of the memory dumps below (PID 1196) does not appear in this tree.

Network

MITRE ATT&CK Enterprise v15

Downloads

  The same path appears several times with different sizes and digests because the sandbox records a dropped file each time its content changes; treat each entry as a capture of a write in progress rather than as a distinct file.

  • C:\Users\Admin\AppData\Local\CTYBLcK\BitLockerWizardElev.exe
    Filesize 26KB
    MD5 7cc5fbdcbc2e24e5fd00e6299ab35662
    SHA1 95929323da5d9d4e04c52b85418a7e2837914487
    SHA256 1b172aef62c55920399653a04c2fdccd617dd7d237cdec8a0cb9f51f2fe52233
    SHA512 8915eeb2251242523058d09695458ec285c4b06e96b088869476028cf26bb8f5e777fe0735080017d702b5a53f25c4c1aec371464f44f2eee5399e2b87ddf483

  • C:\Users\Admin\AppData\Local\CTYBLcK\BitLockerWizardElev.exe
    Filesize 98KB
    MD5 73f13d791e36d3486743244f16875239
    SHA1 ed5ec55dbc6b3bda505f0a4c699c257c90c02020
    SHA256 2483d2f0ad481005cca081a86a07be9060bc6d4769c4570f92ad96fa325be9b8
    SHA512 911a7b532312d50cc5e7f6a046d46ab5b322aa17ce59a40477173ea50f000a95db45f169f4ea3574e3e00ae4234b9f8363ac79329d683c14ebee1d423e6e43af

  • C:\Users\Admin\AppData\Local\CTYBLcK\FVEWIZ.dll
    Filesize (not reported)
    MD5 d41d8cd98f00b204e9800998ecf8427e
    SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
    SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
    SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
    (These are the well-known digests of a zero-byte file: the DLL was captured before any content was written to it. A later capture of the same path, 8KB, is listed below. Do not use these digests as IOCs.)

  • C:\Users\Admin\AppData\Local\Q2Nrip\Secur32.dll
    Filesize 55KB
    MD5 233f235b80700d2bd929b0a2484a4fb6
    SHA1 9d03bff64a7499a5303e150e194887928a0b077b
    SHA256 1981c7a5166a4d31605a7c7065895f26c38934edaa8f236b15c06a49b13458d8
    SHA512 3a5ab956f1d6a40fb639744628f0a55f9dca1a2bfd58ab1f40ae77f432c689677b5ff90cb0585cbdfc8ba5fee6b434ea1c6a348553618ea8ea87a1eafe86611d

  • C:\Users\Admin\AppData\Local\Q2Nrip\taskmgr.exe
    Filesize 76KB
    MD5 aca5f57f89df206f2ccd888e21bac6c2
    SHA1 009921d2fe93c5d0d1b9bf3ae7350d9271dc4133
    SHA256 3864e38685d127164dea7930c253976d8b4e7482b5d368494b12bb58c18b5a23
    SHA512 4edd6ab06c6fb1757ea67af6b2c5e8dfc99aecd39261e4b3234808574af3a12b3251ede5ae5c84d8bfe14612dce897f7141fcc3f5d309e5adf4efa2e1ff5438a

  • C:\Users\Admin\AppData\Local\Q2Nrip\taskmgr.exe
    Filesize 140KB
    MD5 4e80b245652d3b825212900e57f90041
    SHA1 1614ce8ff23582772eb1651b7a0d99addfe3ab1c
    SHA256 ee2fe20d00143737a22d9b880c0c40746d68bd5656d70415f577f23d10ddbab3
    SHA512 f903aeedc1a8874bb698bdee96e27a5548f096f121e36dbec694222f2c63d1133d0901321ce92d0d0e3d62e65be5e3686a5f30f563ac55c31b87b38aa4e2dfc1

  • C:\Users\Admin\AppData\Local\V5ejf1w9\UxTheme.dll
    Filesize 40KB
    MD5 63fe62055b78fd3f162302ae45c94d8d
    SHA1 047375f40bddc8bed0fc438e8ff1e102728da5e4
    SHA256 be1bbeaad849486fef163656683e69f6c3543036b8e2207c739d38e32baca475
    SHA512 cab5f684cf3bce66fbcd1885b0261a40a716eb70eb977319e4ffc13b77d6a056124fc3ff491fa6688647a32d30a8cffee4602dff1a547948d2cdd2babc7dc4cc

  • C:\Users\Admin\AppData\Local\V5ejf1w9\sdclt.exe
    Filesize 82KB
    MD5 b7af5465a895ef7f8ac9725de9030636
    SHA1 b9f0a3c283e67683b3f831a52ecd0290251f4f0c
    SHA256 afab6f135c32e11d975cabfd11f8de342191a517a6168c398dd9ba2ea8ac8eb0
    SHA512 4348c09f1c87fbb6019725658132442997a424bab43cb0c13bc8b301663f3bdf62cfb6341203f1321f1f0985c7716b08c5a12bc59c7c6f826dc996bc1d0ac9a2

  • C:\Users\Admin\AppData\Local\V5ejf1w9\sdclt.exe
    Filesize 81KB
    MD5 4d84dc6d234a808aa6fd593b542ee175
    SHA1 82a620f2b47dffd2a318e42ce6b335803d27f2a0
    SHA256 6caf0e899d2bda618d1ec37646e61efa03febcea4cc645e96a16a1bf2491ced9
    SHA512 d72830899ee62ef5fedb0c180e15a84199e01a60b969dedf880fde1d2da6bfb890ae5cb981189e1299e833090e0d6529e09a7405b53d305f58364872720e2093

  • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Cuhrqknkppepky.lnk
    Filesize 1KB
    MD5 8ef4b713ad991e73e619696b3caa6efe
    SHA1 7cec0e5c6e7bc398b66205790cdec3d3684bdee3
    SHA256 0160719188f0bfae5474ca172b05741c0f4791076e2aed97431a487ef5fa1352
    SHA512 540be16d08e5f2a0f203956ae962b737a7b82056a11c92c2bd5d6b464add7d486bca72ac48fbed6e8e754c0b665dec7b18197d072662cd3a866deff946c78e00

  • C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\dILYg\Secur32.dll
    Filesize 190KB
    MD5 f2b3658c010f1dc6174ad5d97b246d90
    SHA1 26665179e14121affaf47bd2fcfbf32b0878fc4e
    SHA256 b9a050dc6f1ea790da0f886c3792a3be11d3e84b9a1e1d31183003262b1f8ecf
    SHA512 4c8d5174e1f0c39d3549de038bb20ab7ce94cd9a93d588ce81e21b9d7aaeee98244e5b8391d2679de3ecc0c5b54f0cc1ed9cfa756cecc3de989c4c17a45e7acf

  • C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\WhXVuDHvLOZ\UxTheme.dll
    Filesize 2.9MB
    MD5 5251fbcd5ffd1069a917f087e292c4ad
    SHA1 9b469fb5b5ccfa4ba843707e4b64cd02d8ca9ec0
    SHA256 adf2a6b373c467d57e46b7bf692512f5fb7f93f17bc722c6f8327fade1f23cc8
    SHA512 47d05bbbcd1a73fa8ae81d5d071d224ac5d6b54636919ef9b1d5c7391b0a004124c364e98465ed912d0edc7ebd05d3ae6b9e5c84c8204efe13aa59f16666935c
    (Same size as the submitted DLL, different digests.)

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\XJJ1oLi\FVEWIZ.dll
    Filesize 126KB
    MD5 24a32d7eb7f49646d4aaf13d4eb4f8f8
    SHA1 db829b53a5cbbfb02299bc9e8d229f55d7539327
    SHA256 ac7c70388a8ee537bc0f529ea1b0bc22fa0a055a975e0eac8cfadab77ed4e138
    SHA512 6027af6ec78454bca83a63fa2ed04a30148efbcc7f1aacf8ce86353ff92259ad4d606b88dfd4858690c3f6a9aae4fbe2b530b00e151b1b1b44101bccf2cb202c

  • \Users\Admin\AppData\Local\CTYBLcK\BitLockerWizardElev.exe
    Filesize 96KB
    MD5 5681edda2d25714e353b7da317de6b87
    SHA1 a54852ddbb839abf76d3c9832da0fb8d567069b3
    SHA256 cf741ffe182985573454818fc9dbfa6ae364b1563e71d0c3ed3089bee842cd02
    SHA512 1d6498e5141ebeefcd86f8bf59beafe11f198d9d4afe5b2e01a34793a76573a3a811e4a6a65d8d14a0bc142a801667a6221b63d0a5c302f0e0c154fa3f229146

  • \Users\Admin\AppData\Local\CTYBLcK\FVEWIZ.dll
    Filesize 8KB
    MD5 4c1a7566df376a9c7936bfd7177cf049
    SHA1 78904cca7c2996e71ee818e3888b38b877a01773
    SHA256 fc9bfe4b00732458a07da5d8c893ee8a7b9f0c2d5004f8370e2f00aedd412bc8
    SHA512 de2c706de985ead3c91927c223e98666888da0fd0c3a26498a3583f5443385f01ca3cbd2d9ab5fe0325275d73a81a57e9f134b8a9489e7acd926c057c6d993ce

  • \Users\Admin\AppData\Local\Q2Nrip\Secur32.dll
    Filesize 113KB
    MD5 48dfaa88e45c4cc912dcad19abb88e0a
    SHA1 e0def63b9abd16cb95f9da2ec46ebdf8df2f2168
    SHA256 157d36a07fee917e780e9e5f60bb0c8bb8942e49082861af2535b413d4b5972e
    SHA512 84e4f88cddcff5148086d87d27e12085f54869e73c3bcc87927deb19c97c715dbf3afbc8f112683e0f5c03b2f66261973f487b73c21d0dfd081df40f311c92ae

  • \Users\Admin\AppData\Local\Q2Nrip\taskmgr.exe
    Filesize 59KB
    MD5 5ac97dff5cf3917ecca283d708c79116
    SHA1 5eaa44ebeb307dbffaa9a3a5565da6db4bfa0d2f
    SHA256 561d9140543144168bfdf06a4d814eb51e15cded7a062b065532dc1564899838
    SHA512 0646ff531fc69f869dc1f8723dc9e2c0de91b32061e358dde4c93d9546911cfcf5a3d506a5e0f58b69e817b7ee6b2bb3183d2d81227fdb38be596d1d3660e06d

  • \Users\Admin\AppData\Local\V5ejf1w9\UxTheme.dll
    Filesize 33KB
    MD5 857bf7c51161bab2109041c57ff944b8
    SHA1 d50f6ef92de75ff2aec355b41370da570d4fc9bb
    SHA256 b621ebbf90ab310eb78fed418058a0ad8a12c91f7f13fd8d94b1735a75f86637
    SHA512 3d7dbd62620e391a17d0e9c5f92c861f703b3a3e2405a312a18c46badf0622dc747c2427a2956f826b1497d5b6de7b6796fa13b49a77121454c025ededc02bb6

  • \Users\Admin\AppData\Local\V5ejf1w9\sdclt.exe
    Filesize 6KB
    MD5 d2a4f67f67de21a6963ec5acac1fc5c8
    SHA1 26bcddd7809b0c97b10719e48d23b780691ec8dd
    SHA256 a7bac1efa44b127b20302c5fadb6628d46f28f78a12662728cb266f0db5c38c9
    SHA512 728d9bb32ab621da44d8cbb9aab17068a1dd8b6bf9697476ef09d56de2d98c4210acc43a73a13162f2da865ac47c759371a392ba01377c08d1d1b01df707b26d

  • \Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\WhXVuDHvLOZ\sdclt.exe
    Filesize 58KB
    MD5 6e0cfb38ba7c9018ed7f6fab2b47565e
    SHA1 d663066ebc56eca1d32b73832097b72e22af8f6c
    SHA256 b38d93907fe33f06a87e80d5af9c5ecaccd1d39e33d265ecffe432a3500640c0
    SHA512 7fa231b89f7c912b51628f2faa93a2952a771bb2fc886de31a920d9048321689538d38540959de0de3b85c23afd367b1942e3709824f67b96b1a55dd2dad3898
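The pattern in the process tree and the dropped-file list (a System32-named executable copied into its own random directory next to a DLL, the same path captured at several sizes, a zero-byte capture, a Startup-folder .lnk) is easier to see when the list is processed rather than read. The following Python is an added example written for this page, not tria.ge output or code from the report: it takes the dropped-file records copied from the Downloads list above (path, reported size, SHA-256; the zero-byte FVEWIZ.dll has no reported size, so None) and derives side-loading candidates, zero-byte captures, paths written in several stages, Startup-folder persistence and a deduplicated SHA-256 list. The SYSTEM_BINARIES set and all function names are this example's own, and the side-loading reading of the exe/DLL pairs is the analyst's interpretation, not a sandbox verdict.

```python
"""Triage helper for a sandbox dropped-file list (added example; not tria.ge code)."""
import re
from collections import defaultdict

# SHA-256 of a zero-byte file. A dropped-file record carrying this digest was
# captured before any content had been written to the file.
EMPTY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"

# Windows binaries this sample copies out of System32. The set is this
# example's own; extend it with whatever a given sample copies.
SYSTEM_BINARIES = {"taskmgr.exe", "sdclt.exe", "bitlockerwizardelev.exe"}

# (path, size as reported, sha256), copied from the Downloads list above.
DROPPED = [
    (r"C:\Users\Admin\AppData\Local\CTYBLcK\BitLockerWizardElev.exe", "26KB", "1b172aef62c55920399653a04c2fdccd617dd7d237cdec8a0cb9f51f2fe52233"),
    (r"C:\Users\Admin\AppData\Local\CTYBLcK\BitLockerWizardElev.exe", "98KB", "2483d2f0ad481005cca081a86a07be9060bc6d4769c4570f92ad96fa325be9b8"),
    (r"C:\Users\Admin\AppData\Local\CTYBLcK\FVEWIZ.dll", None, "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"),
    (r"C:\Users\Admin\AppData\Local\Q2Nrip\Secur32.dll", "55KB", "1981c7a5166a4d31605a7c7065895f26c38934edaa8f236b15c06a49b13458d8"),
    (r"C:\Users\Admin\AppData\Local\Q2Nrip\taskmgr.exe", "76KB", "3864e38685d127164dea7930c253976d8b4e7482b5d368494b12bb58c18b5a23"),
    (r"C:\Users\Admin\AppData\Local\Q2Nrip\taskmgr.exe", "140KB", "ee2fe20d00143737a22d9b880c0c40746d68bd5656d70415f577f23d10ddbab3"),
    (r"C:\Users\Admin\AppData\Local\V5ejf1w9\UxTheme.dll", "40KB", "be1bbeaad849486fef163656683e69f6c3543036b8e2207c739d38e32baca475"),
    (r"C:\Users\Admin\AppData\Local\V5ejf1w9\sdclt.exe", "82KB", "afab6f135c32e11d975cabfd11f8de342191a517a6168c398dd9ba2ea8ac8eb0"),
    (r"C:\Users\Admin\AppData\Local\V5ejf1w9\sdclt.exe", "81KB", "6caf0e899d2bda618d1ec37646e61efa03febcea4cc645e96a16a1bf2491ced9"),
    (r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Cuhrqknkppepky.lnk", "1KB", "0160719188f0bfae5474ca172b05741c0f4791076e2aed97431a487ef5fa1352"),
    (r"C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\dILYg\Secur32.dll", "190KB", "b9a050dc6f1ea790da0f886c3792a3be11d3e84b9a1e1d31183003262b1f8ecf"),
    (r"C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\WhXVuDHvLOZ\UxTheme.dll", "2.9MB", "adf2a6b373c467d57e46b7bf692512f5fb7f93f17bc722c6f8327fade1f23cc8"),
    (r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\XJJ1oLi\FVEWIZ.dll", "126KB", "ac7c70388a8ee537bc0f529ea1b0bc22fa0a055a975e0eac8cfadab77ed4e138"),
    (r"\Users\Admin\AppData\Local\CTYBLcK\BitLockerWizardElev.exe", "96KB", "cf741ffe182985573454818fc9dbfa6ae364b1563e71d0c3ed3089bee842cd02"),
    (r"\Users\Admin\AppData\Local\CTYBLcK\FVEWIZ.dll", "8KB", "fc9bfe4b00732458a07da5d8c893ee8a7b9f0c2d5004f8370e2f00aedd412bc8"),
    (r"\Users\Admin\AppData\Local\Q2Nrip\Secur32.dll", "113KB", "157d36a07fee917e780e9e5f60bb0c8bb8942e49082861af2535b413d4b5972e"),
    (r"\Users\Admin\AppData\Local\Q2Nrip\taskmgr.exe", "59KB", "561d9140543144168bfdf06a4d814eb51e15cded7a062b065532dc1564899838"),
    (r"\Users\Admin\AppData\Local\V5ejf1w9\UxTheme.dll", "33KB", "b621ebbf90ab310eb78fed418058a0ad8a12c91f7f13fd8d94b1735a75f86637"),
    (r"\Users\Admin\AppData\Local\V5ejf1w9\sdclt.exe", "6KB", "a7bac1efa44b127b20302c5fadb6628d46f28f78a12662728cb266f0db5c38c9"),
    (r"\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\WhXVuDHvLOZ\sdclt.exe", "58KB", "b38d93907fe33f06a87e80d5af9c5ecaccd1d39e33d265ecffe432a3500640c0"),
]


def norm(path):
    """Lower-case and strip an optional drive letter so 'C:\\Users\\..' and '\\Users\\..' merge."""
    return re.sub(r"^[a-z]:", "", path.lower())


def split_path(path):
    """Return (directory, file name) of a normalised path."""
    d, _, name = norm(path).rpartition("\\")
    return d, name


def sideload_candidates(records):
    """Directories outside \\Windows holding a System32-named EXE next to at least one DLL.

    Returns sorted (directory, [exe names], [dll names]) tuples. A DLL alone, or an
    EXE alone, is not reported: the pair is what makes search-order hijacking work.
    """
    by_dir = defaultdict(lambda: {"exe": set(), "dll": set()})
    for path, _, _ in records:
        d, name = split_path(path)
        if d.startswith("\\windows"):
            continue
        if name in SYSTEM_BINARIES:
            by_dir[d]["exe"].add(name)
        elif name.endswith(".dll"):
            by_dir[d]["dll"].add(name)
    return sorted((d, sorted(v["exe"]), sorted(v["dll"]))
                  for d, v in by_dir.items() if v["exe"] and v["dll"])


def empty_captures(records):
    """Paths whose recorded digest is that of a zero-byte file (captured before any write)."""
    return sorted({norm(p) for p, _, h in records if h == EMPTY_SHA256})


def multi_stage(records):
    """path -> number of distinct contents captured; >1 means the file was still being written."""
    seen = defaultdict(set)
    for path, _, h in records:
        seen[norm(path)].add(h)
    return {p: len(hashes) for p, hashes in seen.items() if len(hashes) > 1}


def startup_artifacts(records):
    """Shortcuts dropped into a Startup folder (the persistence the report lists as a .lnk)."""
    return sorted(norm(p) for p, _, _ in records
                  if "\\startup\\" in norm(p) and norm(p).endswith(".lnk"))


def ioc_sha256(records):
    """Unique SHA-256 values worth sharing: everything except the zero-byte digest."""
    return sorted({h for _, _, h in records if h != EMPTY_SHA256})


if __name__ == "__main__":
    for d, exes, dlls in sideload_candidates(DROPPED):
        print(f"side-load candidate: {d}  exe={exes}  dll={dlls}")
    print("zero-byte captures:", empty_captures(DROPPED))
    print("multi-stage writes:", multi_stage(DROPPED))
    print("startup shortcuts:", startup_artifacts(DROPPED))
    print(f"{len(ioc_sha256(DROPPED))} SHA-256 IOCs")
```

Run as a script it prints four side-loading candidates (the three %LOCALAPPDATA% directories plus the WhXVuDHvLOZ copy under Roaming, where sdclt.exe again sits next to a UxTheme.dll), one zero-byte capture, six paths captured more than once, the Startup .lnk, and 19 usable SHA-256 values. Directories that hold only a DLL (dILYg, XJJ1oLi) are deliberately not flagged, since nothing in the list would load them.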

  Memory dumps (grouped by PID; 58 of the PID 1196 entries cover the same region and are listed once)

  • memory/692-147-0x00000000001B0000-0x00000000001B7000-memory.dmp
    Filesize 28KB

  • memory/1196-N-0x0000000140000000-0x00000001402DF000-memory.dmp, for N = 7 and N = 9 through 65 (58 snapshots of the same region)
    Filesize 2.9MB

  • memory/1196-69-0x00000000024C0000-0x00000000024C7000-memory.dmp
    Filesize 28KB

  • memory/1196-78-0x0000000077250000-0x0000000077252000-memory.dmp
    Filesize 8KB

  • memory/1196-77-0x00000000770F1000-0x00000000770F2000-memory.dmp
    Filesize 4KB

  • memory/1196-4-0x0000000076FE6000-0x0000000076FE7000-memory.dmp
    Filesize 4KB

  • memory/1196-173-0x0000000076FE6000-0x0000000076FE7000-memory.dmp
    Filesize 4KB

  • memory/1196-5-0x00000000024E0000-0x00000000024E1000-memory.dmp
    Filesize 4KB

  • memory/2264-0-0x0000000000110000-0x0000000000117000-memory.dmp
    Filesize 28KB

  • memory/2264-1-0x0000000140000000-0x00000001402DF000-memory.dmp
    Filesize 2.9MB

  • memory/2264-8-0x0000000140000000-0x00000001402DF000-memory.dmp
    Filesize 2.9MB

  • memory/2964-106-0x0000000000100000-0x0000000000107000-memory.dmp
    Filesize 28KB

  The region 0x140000000-0x1402DF000 (0x2DF000 = 3,010,560 bytes, the 2.9MB of the submitted DLL) is dumped from both PID 2264, the rundll32.exe host, and PID 1196, which is not in the process tree. A 0x7000-byte (28KB) region is dumped from each of PIDs 2264, 1196, 2964 and 692.
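The dump names above follow one scheme, memory/<pid>-<snapshot>-0x<start>-0x<end>-memory.dmp, so the cross-process correlation stated in the note can be computed rather than eyeballed. The following Python is an added example, not part of the report: it parses the dump names listed above (the 58 same-region entries for PID 1196 are regenerated from the snapshot indices 7 and 9 through 65 that the report lists, instead of being typed out) and reports regions shared by more than one process, regions whose size rounds to the sample's reported 2.9MB, and equal-sized regions across processes. The function names and the rounding rule in size_label are this example's assumptions about how the report labels sizes.

```python
"""Group and correlate the memory dumps of a tria.ge-style report (added example)."""
import re
from collections import defaultdict

DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

# Dump names from the report above. The 58 PID 1196 dumps of one region are
# regenerated from the snapshot indices the report lists (7 and 9 through 65).
DUMPS = [
    "memory/692-147-0x00000000001B0000-0x00000000001B7000-memory.dmp",
    *[f"memory/1196-{n}-0x0000000140000000-0x00000001402DF000-memory.dmp" for n in (7, *range(9, 66))],
    "memory/1196-69-0x00000000024C0000-0x00000000024C7000-memory.dmp",
    "memory/1196-78-0x0000000077250000-0x0000000077252000-memory.dmp",
    "memory/1196-77-0x00000000770F1000-0x00000000770F2000-memory.dmp",
    "memory/1196-4-0x0000000076FE6000-0x0000000076FE7000-memory.dmp",
    "memory/1196-5-0x00000000024E0000-0x00000000024E1000-memory.dmp",
    "memory/1196-173-0x0000000076FE6000-0x0000000076FE7000-memory.dmp",
    "memory/2264-8-0x0000000140000000-0x00000001402DF000-memory.dmp",
    "memory/2264-1-0x0000000140000000-0x00000001402DF000-memory.dmp",
    "memory/2264-0-0x0000000000110000-0x0000000000117000-memory.dmp",
    "memory/2964-106-0x0000000000100000-0x0000000000107000-memory.dmp",
]

SAMPLE_SIZE_LABEL = "2.9MB"  # "Size" of the submitted DLL in the General section


def parse_dump(name):
    """Return (pid, snapshot, start, end) for one dump name, or None if it does not match."""
    m = DUMP_RE.match(name)
    if not m:
        return None
    pid, snap, start, end = m.groups()
    return int(pid), int(snap), int(start, 16), int(end, 16)


def size_label(nbytes):
    """Assumed report rounding: one decimal in MiB at or above 1 MiB, else whole KiB."""
    if nbytes >= 2**20:
        return f"{nbytes / 2**20:.1f}MB"
    return f"{nbytes // 1024}KB"


def regions_by_pid(names):
    """pid -> {(start, end): sorted snapshot indices at which that region was dumped}."""
    out = defaultdict(lambda: defaultdict(list))
    for n in names:
        parsed = parse_dump(n)
        if parsed:
            pid, snap, start, end = parsed
            out[pid][(start, end)].append(snap)
    return {pid: {r: sorted(s) for r, s in regs.items()} for pid, regs in out.items()}


def shared_regions(names):
    """Regions dumped from more than one PID: the first place to look for an injected image."""
    holders = defaultdict(set)
    for pid, regs in regions_by_pid(names).items():
        for r in regs:
            holders[r].add(pid)
    return sorted((r, sorted(p)) for r, p in holders.items() if len(p) > 1)


def sample_sized_regions(names, label=SAMPLE_SIZE_LABEL):
    """(pid, start, end) of regions whose size rounds to the submitted sample's size."""
    return sorted((pid, start, end)
                  for pid, regs in regions_by_pid(names).items()
                  for (start, end) in regs
                  if size_label(end - start) == label)


def same_size_regions(names, nbytes):
    """pid -> regions of exactly nbytes, e.g. the 0x7000-byte blocks seen in four processes."""
    out = {}
    for pid, regs in regions_by_pid(names).items():
        same = sorted(r for r in regs if r[1] - r[0] == nbytes)
        if same:
            out[pid] = same
    return out


if __name__ == "__main__":
    for (start, end), pids in shared_regions(DUMPS):
        print(f"0x{start:X}-0x{end:X} ({size_label(end - start)}) dumped from PIDs {pids}")
    print("sample-sized regions:", [(p, hex(s)) for p, s, _ in sample_sized_regions(DUMPS)])
    print("0x7000-byte regions per PID:", {p: [hex(s) for s, _ in r] for p, r in same_size_regions(DUMPS, 0x7000).items()})
```

The script confirms the two observations in the note: the 0x140000000 region is the only one shared across processes (PIDs 1196 and 2264) and it is the only region whose size rounds to 2.9MB, while the 28KB regions appear once per process in PIDs 692, 1196, 2264 and 2964. The snapshot list for PID 1196 also shows the region present continuously from snapshot 9 to 65, i.e. for most of the run.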