Analysis

  • max time kernel
    150s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    26-01-2024 05:17

General

  • Target

    767b661339f842a24584de1cfd7ff58a.dll

  • Size

    2.0MB

  • MD5

    767b661339f842a24584de1cfd7ff58a

  • SHA1

    e01e2af3f556dab1835683abc02c7e6f4886568e

  • SHA256

    12f891dd73ef13029a6cb2422c35d390835c149c627ec7f52a985633b4ec14d4

  • SHA512

    ac3f08cd8a55c437a73d79529ff0e3133a7c30d666dc11ef200a5096435ffa15a6c3030f41b1de623e7cb080508d2e89b25539230e886abbd6c2c7ed58861b9c

  • SSDEEP

    12288:bVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:6fP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\767b661339f842a24584de1cfd7ff58a.dll,#1
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:3048
  • C:\Windows\system32\SoundRecorder.exe
    C:\Windows\system32\SoundRecorder.exe
    PID:2612
    • C:\Users\Admin\AppData\Local\oFMo\SoundRecorder.exe
      C:\Users\Admin\AppData\Local\oFMo\SoundRecorder.exe
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2564
    • C:\Windows\system32\msconfig.exe
      C:\Windows\system32\msconfig.exe
      PID:732
      • C:\Users\Admin\AppData\Local\fYk\msconfig.exe
        C:\Users\Admin\AppData\Local\fYk\msconfig.exe
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:1084
      • C:\Windows\system32\SystemPropertiesComputerName.exe
        C:\Windows\system32\SystemPropertiesComputerName.exe
        PID:1452
        • C:\Users\Admin\AppData\Local\1EiEYL1K\SystemPropertiesComputerName.exe
          C:\Users\Admin\AppData\Local\1EiEYL1K\SystemPropertiesComputerName.exe
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2144

        Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\1EiEYL1K\SYSDM.CPL

          Filesize

          226KB

          MD5

          0c8d9b455aa11e7dc816e8d38a4d02a3

          SHA1

          9bb035f745e8b8b5c2fed292732bbdedf484c791

          SHA256

          f63046aca45b95b373350d49615056838b1427677595015f30b85946f73e4d48

          SHA512

          6e722e304f2bc95db22a4351049d7656770754d1b44f03c7d2e42c4090fbcafa678354e75a6f986a1e4681c352308990c9fc2f42fc0a575e4926a8966f9228cc

        • C:\Users\Admin\AppData\Local\1EiEYL1K\SystemPropertiesComputerName.exe

          Filesize

          80KB

          MD5

          bd889683916aa93e84e1a75802918acf

          SHA1

          5ee66571359178613a4256a7470c2c3e6dd93cfa

          SHA256

          0e22894595891a9ff9706e03b3db31a751541c4a773f82420fce57237d6c47cf

          SHA512

          9d76de848b319f44657fb7fbe5a3b927774ae999362ff811a199002ffa77ad9e1638a65a271388e605ab5e5a7cb6ce5aa7fcabc3ed583ade00eaa4c265552026

        • C:\Users\Admin\AppData\Local\fYk\VERSION.dll

          Filesize

          169KB

          MD5

          d077a7c8a72a4c38242d9f9006f3ec64

          SHA1

          75b51aedb3bba8b777193252412204d9ea9bfd57

          SHA256

          0e10cdef30f77054f779e0f30b8d5211811348dd9dc9c2740ab71897c69e3180

          SHA512

          dab8f8aca4394394cdeee0914a8d00b849d6fc5b25d665a724d7d7e201fe2940a3f0aabf79de4c65479e454086a1523437b80238fc3d4d78fa7ca509ec4aad32

        • C:\Users\Admin\AppData\Local\fYk\msconfig.exe

          Filesize

          136KB

          MD5

          5634ebcf7905c20817331419031fa5a4

          SHA1

          9f9a1f83cc2dc5b511ceee2fb4917fe89601b145

          SHA256

          5927128afdd8cd9a1d1a23075ed20cbe1ca41ed70e64053622aedceb622e56a5

          SHA512

          e5fc82f26e7009bdfb0f511870b731f6f3453fd139b8686ce47feed128449ba6f94ca0b6359c82778b5d21528e1a7d95d9c72ec84d820eac32e5f8ce4b46816f

        • C:\Users\Admin\AppData\Local\oFMo\SoundRecorder.exe

          Filesize

          139KB

          MD5

          47f0f526ad4982806c54b845b3289de1

          SHA1

          8420ea488a2e187fe1b7fcfb53040d10d5497236

          SHA256

          e81b11fe30b16fa4e3f08810513c245248adce8566355a8f2a19c63b1143ff5b

          SHA512

          4c9a1aa5ed55087538c91a77d7420932263b69e59dc57b1db738e59624265b734bf29e2b6ed8d0adb2e0dec5763bfbf86876fd7d1139c21e829001c7868d515d

        • C:\Users\Admin\AppData\Local\oFMo\UxTheme.dll

          Filesize

          388KB

          MD5

          2d1d00ffe9fd6ae701c8568e0c20fc1d

          SHA1

          b5f81ba738dbcb294db4f888ae2d28c7df1d2bd0

          SHA256

          f1c98ec49cb9fa17e39923bc56208e02735cfdf225cd813452cd43e4de53afac

          SHA512

          f61bde3b44c56d08beeb0b7b7cce5f2d25f64fd9908f5487b34da23fc909b86e761e414a6b378325203a56bef50a7d12f93cc4be2390f0db79979ea6ea23bfd2

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Zrkibbhbsqvuoso.lnk

          Filesize

          1KB

          MD5

          387f9ef34fe7e26fb9d4e968c43f78c9

          SHA1

          3b02dbc7afb972985cc847061bcd242b216e8ef8

          SHA256

          0bf196619616bf11a8692ffd64836fee6aae505bbc185869e7862d421b2d9027

          SHA512

          56221d2b89129b908833da5fd7dd3341797cdf85f379496200e6f957d8d98fffe09a440bdd67698659db4b9a20406fb272606aa7bb3d84def09cf843aebfa609

        • C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\UxkMfgDlgWS\VERSION.dll

          Filesize

          2.0MB

          MD5

          b0f443613e2ed42b8e03a875ea5f3ec4

          SHA1

          8991ac75af6d4b3a7945cb4eb3bb9a29aa46b10c

          SHA256

          23874b39912c1f8fce8a4341bf6000120f1775ef0399258804d43123a83a16bf

          SHA512

          154b8c624bcd9e622fb8b979ecf512b5f0542a4a4f9b5077f0f4306288b33c9d1238c15ef9939eb3532700904c5ba9649b3a9d6488ce2367319498ecda399d29

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IETldCache\Low\M0\UxTheme.dll

          Filesize

          2.0MB

          MD5

          f7a68cfdd1ae28a7cc4ad3f3a625ad67

          SHA1

          08ecded9f291b9e23bc8fd7567c41fd008cec7c1

          SHA256

          def08bf29a1119052d06d367a93f77843b0924bbea639f332741bd2d012a1ca5

          SHA512

          5f257662b397fa320981292e0e5466e04f11a9c4b36dc1a2b75b2c6874f83e2056c563a62b46b26b6cddc7deb0d38ffaba53a5d3a40bfc46c79acdebbb1fb22b

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\7WZg\SYSDM.CPL

          Filesize

          2.0MB

          MD5

          abb0d2475979dc8ebafdb514b56a2e86

          SHA1

          827a6e7608e0f968dc4ffc8bb5c0e8dac2345d41

          SHA256

          e06ea96c87d9c8c0d68fe144e3d3f01cf11f56eeeee8cac86707f9296387492d

          SHA512

          091b77204b64510658ac205bb61dbb018798c6d01582299027a0749b652e156b86b3e8de51430379f817dcae6aa2aa5dfc921d5f81e93d958c0836db5373dee1

        • \Users\Admin\AppData\Local\1EiEYL1K\SYSDM.CPL

          Filesize

          564KB

          MD5

          35f6cc30a6071d65903d099e339e313c

          SHA1

          a6484f372904c0e6781f61086169d91070a40dff

          SHA256

          87c4a990c1b6bfa1391c38e7a91b3f51322e705c84a7f177ae587f4f23e61ad5

          SHA512

          150f59c19bcb5fbc5ce062c3ca8a94fda7514ee066948ccb09ebd3821652799fcf1679d69d362ea7398b2ff648cea35c9c603fd82ce33ba3c874318f0a235ed1

        • \Users\Admin\AppData\Local\fYk\VERSION.dll

          Filesize

          216KB

          MD5

          c8a3860e5f9f8c7f08111b604a28bf3c

          SHA1

          b2954e3ead5007d14d747919c7619fd13067937c

          SHA256

          ffc046f77a7066f30ba558a6b16c03bd58a211a26d7111e76ca6ac2a22208578

          SHA512

          ac481f2e4c4cf1115ec92dea334bb2e88e1879a31e881792bde49a300f5a7722a806b364c40eeb9f4493d05a3aae637ec484ff7d8ccc3f86dafb157d58abcb1e

        • \Users\Admin\AppData\Local\fYk\msconfig.exe

          Filesize

          293KB

          MD5

          e19d102baf266f34592f7c742fbfa886

          SHA1

          c9c9c45b7e97bb7a180064d0a1962429f015686d

          SHA256

          f3c8bb430f9c33e6caf06aaebde17b7fddcc55e8bb36cec2b9379038f1fca0b1

          SHA512

          1b9f1880dd3c26ae790b8eead641e73264f90dc7aa2645acc530aad20ad9d247db613e1725282c85bca98c4428ac255752a4f5c9b2a97f90908b7fe4167bb283

        • \Users\Admin\AppData\Local\oFMo\UxTheme.dll

          Filesize

          511KB

          MD5

          1958d2b610a44686c13e715c40cbdb85

          SHA1

          7635419f9bb2f4a4362e3809c3a380fb98a8d330

          SHA256

          da22a6cbae9508dff317f228b0901312fab925225050b1a16533bb1748716035

          SHA512

          8690b29f974a9cb9c41ea0b3772bc1e032535cf063f27eed9ab3ce7e820e1b63da5012b31e94d6642fda968adec955cf6f7dca38b98ee138af7af55f24dedf21