Analysis

  • max time kernel
    149s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    26-01-2024 06:47

General

  • Target

    76ab58fddc3a0bfc0befb9c1840e58c0.dll

  • Size

    2.0MB

  • MD5

    76ab58fddc3a0bfc0befb9c1840e58c0

  • SHA1

    af815a39e30a201a65f0669e7b957072e57939de

  • SHA256

    1476d58e91f48e2f1a549b08316ea6a465b85edd954d01b4d33a8c86ac56898e

  • SHA512

    c14eec86c7ac0a9a869b559e7078326cf11961d9252f2075acc55263494e2ae1c0263f491fc018f8c8482023904a9656806f3bb71aeb682faffb09321f0e971c

  • SSDEEP

    12288:2VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:rfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode (1 IoCs)

    Detects Dridex payload shellcode injected into the Explorer process.

  • Executes dropped EXE (3 IoCs)
  • Loads dropped DLL (7 IoCs)
  • Adds Run key to start application (2 TTPs, 1 IoCs)
  • Checks whether UAC is enabled (1 TTPs, 4 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of WriteProcessMemory (18 IoCs)
  • Uses Task Scheduler COM API (1 TTPs)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\76ab58fddc3a0bfc0befb9c1840e58c0.dll,#1
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:3012
  • C:\Windows\system32\cttune.exe
    C:\Windows\system32\cttune.exe
    PID:2616
    • C:\Users\Admin\AppData\Local\TiX\cttune.exe
      C:\Users\Admin\AppData\Local\TiX\cttune.exe
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2644
    • C:\Users\Admin\AppData\Local\jA2dBf8\winlogon.exe
      C:\Users\Admin\AppData\Local\jA2dBf8\winlogon.exe
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2544
    • C:\Windows\system32\winlogon.exe
      C:\Windows\system32\winlogon.exe
      PID:844
      • C:\Users\Admin\AppData\Local\bfo9Gpgv\mblctr.exe
        C:\Users\Admin\AppData\Local\bfo9Gpgv\mblctr.exe
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2096
      • C:\Windows\system32\mblctr.exe
        C:\Windows\system32\mblctr.exe
        PID:2128

Network

MITRE ATT&CK Enterprise v15

Downloads

        • C:\Users\Admin\AppData\Local\TiX\UxTheme.dll

          Filesize

          188KB

          MD5

          1b6ec3f2058d3415c516de33c94b513d

          SHA1

          6ec0de533519894ae575ece478927c252615153d

          SHA256

          aefbb5edcb48fef2ec95b024efddd15900aca347f84359640708edfb7eafc280

          SHA512

          ea69938041d65cfdd5d3aded737fffe4a7e749c4309b6922a4d5c84c225ce8faadf530366bb27d0c9e714abfbd700f62ac1295ccfc6b480c72d1205e8c80f4f3

        • C:\Users\Admin\AppData\Local\TiX\cttune.exe

          Filesize

          262KB

          MD5

          44befea0f5aaa8cd40f2de96b23e9267

          SHA1

          7b34d5d3b663a09cac8121a1e92b5774bc46f585

          SHA256

          5692265cc46b170529c3a3ceefa20ab51fcba4f0796783f7d0c17ef30a856bae

          SHA512

          816dead7477c04ebafff367705ef93364dab1f09bd9b003492abf4dceb830dda06e498be2ad4598af3b9e378f8e600ddad4c72f50fa53bfdf9fdf3ae5acb21b1

        • C:\Users\Admin\AppData\Local\bfo9Gpgv\UxTheme.dll

          Filesize

          127KB

          MD5

          072d5235099a241a32aba0bb0b0a21a3

          SHA1

          1d6a4196032f6c1f8832acf87e876f64c936849e

          SHA256

          e019e4274f035e14d2b65eeeed7f8ebe57bcf40a8f94d3e860d743c28dbf0d9f

          SHA512

          64d0ec0a84747ce13b0d8370c7e828ee3f77acf3bf29f862029e6d1a3264fc8efa260e731ce9c67aa0bfff75459228871aada016215c171c8b643aa28b812dfe

        • C:\Users\Admin\AppData\Local\bfo9Gpgv\mblctr.exe

          Filesize

          69KB

          MD5

          844d6807a09af61035e815d74b735fe7

          SHA1

          a31a2deca0621e931e8cdb124f521449de40de47

          SHA256

          d1ddda41776efbe954dd50a0533c7f5b0757065395c7829bdfe04fa7f026ace9

          SHA512

          4c6a8e6d7b376fb0d315606cec83e087799c093e6e9bf331dd89ce15d5c79c3407b8d52cc5e08b29cb671c2a47c8bbd3cb34f71aeada0789fb01e550ff702818

        • C:\Users\Admin\AppData\Local\bfo9Gpgv\mblctr.exe

          Filesize

          109KB

          MD5

          b7345aa83f5d30dc4f26945b08051a63

          SHA1

          1e61be248a98505b2007a91afcfa69aa856487df

          SHA256

          c6e27232e43bab71261f3bb36c8a4a51dfbb33ab068c2defc8e1e23bc6d19735

          SHA512

          76e6205f3a97e7a9981a42256bbd7596ce16018d7ce701b01ba29f46467de5105536cf96711a5b7a7918271bf29773a627016fcc803db12ed1b44c1c69ce3fcd

        • C:\Users\Admin\AppData\Local\jA2dBf8\WINSTA.dll

          Filesize

          26KB

          MD5

          c96360e6e05f05eeadbb8eae0266f609

          SHA1

          9341b1a0fb611b385ea81bf37d8b05f8f7862c6c

          SHA256

          eb334135b0505b07318554972d74c7ea53be69538ffb2d129cadd4d1abd61b9a

          SHA512

          339b9c56d96353992c93b359923bea5503cb3a5da30f835b4abefb98f0be3bd9a3e7e0911defda0fac3902ff6d7b7a3e7f44311f3f8bc7c468c0361b98766e66

        • C:\Users\Admin\AppData\Local\jA2dBf8\winlogon.exe

          Filesize

          13KB

          MD5

          9323900374eaa65fbcee7eab34cadea7

          SHA1

          b8b32d0fc17a987c867b85dce1b668f25685d2f8

          SHA256

          4dc21d12954e9d5277078bf283f6070b875ed58ac67ab3dc2a9e2ee4733389c8

          SHA512

          a504c0443ef6cd80cf54dbecb2dff416bf4c5c5d036bb4484dc9ede0682fc6e71ccaf6b2aa2079f6e48d642f3fa37fd5cdb01533210c68f33005e3300449c37d

        • C:\Users\Admin\AppData\Local\jA2dBf8\winlogon.exe

          Filesize

          224KB

          MD5

          57191c528425ddd52233a5d6d6786fcb

          SHA1

          ba77b08547b2ea187d558adfc4c90c39e7088277

          SHA256

          637e3fa140dd87926ab0f71269160d2e7b41d094ae276666330b102a250ab3a3

          SHA512

          9947f8173188d2159667773ca1def6ee548dbcda030e26cf9f24b70bfed5bd716c98c356cde94a03bb00f94c6edf000bb34caa20234073a93d5fb8b7bc7273bd

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Tiizeasb.lnk

          Filesize

          1KB

          MD5

          bf98aa7d4839e56d3ccf3f2fad838d5e

          SHA1

          414e271e52a71c35fcd22c04c4f4d47be4fbb2c2

          SHA256

          65e78437569d637b61aab4b9ae1bea0c4f1333627dca3331afaecb199e45c33f

          SHA512

          2e7f8f31d7ac4734174efb79caa5faf1e91e924894cc64d5815c288df5f72fd0fb67f03298868e199929743d5a17cbc4cf6f3cc73dfe0563535260d3a0d23394

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IECompatUACache\2r9LtEnVR\UxTheme.dll

          Filesize

          1.9MB

          MD5

          df29c4eb083b47bb14333c66ec7defa1

          SHA1

          290aebc4d055c0f205f8d005ecbe1cb9b009c991

          SHA256

          f4447b5a498232610195dd5b4624ab522b6b9ae9b6e8b9d90ec6e504f013b0b3

          SHA512

          ef9da61e10174b9e4d95fbcf1d2c4850c04f51d278f41c9d3a1c8d0990402b3dfaf64428bd0101e4f90b257c10cd3268a970def51adc398c46a8a491f66b3c05

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IEDownloadHistory\lO47FAabQ\WINSTA.dll

          Filesize

          2.0MB

          MD5

          d320497321e8f24ba027347416da2f88

          SHA1

          700b0bb714da82d373443862d3fdb33da91222ee

          SHA256

          f77bc99f2ca480d561eeb621c6df89fa06dc199199135d38042f2b36052d564a

          SHA512

          1fc289fd7b55230b4773563f2837dda825a8bb3d39a1043b0658a4dd9109c6b2b5549228a55b533281595ca2bf12fa9453ef150ce92b324f1e4f696d58ceeea8

        • C:\Users\Admin\AppData\Roaming\Mozilla\H4wcV14ff\UxTheme.dll

          Filesize

          2.0MB

          MD5

          3270731020a6bf5f7e857d317b7011ac

          SHA1

          219798b9f3f7bf3ac792f26206a96a7e711d41db

          SHA256

          f87f1fa30faaff0c45828c2ee08cfdb712f1053b15942bbb8aa6734fb3f881de

          SHA512

          e3de5b86d293b8fb068738795eec07a742bf52f79b24c6f6c08cc132fd3325827c32fe19357c405ffd8fa2dadc14ffa8ea65f86dc38663ea6c04c1dbd6ebb693

        • C:\Users\Admin\AppData\Roaming\Mozilla\H4wcV14ff\cttune.exe

          Filesize

          13KB

          MD5

          bb1fd1e5f83fd78003860ec0eb221082

          SHA1

          d59363615c899085f7cdfab86265816ebc2d0795

          SHA256

          baaf6c28b879064918c1af4b8e9e8ed247d56dd9d7c75f18341b72aa1a2436f2

          SHA512

          daa488ccd8312b47a288513b8857867f94e0ad99ed099284c66334914617293f2a4dfbeb8d014f795819137679bd0558bfb6d7edfe357cf6b158fa20f7c74b3c

        • \Users\Admin\AppData\Local\TiX\UxTheme.dll

          Filesize

          234KB

          MD5

          0d409848b9584d57c06be49afd8180db

          SHA1

          0bf53f74cd8b68afa3decfddea6900e85e906115

          SHA256

          f1ab500955c1cc1c4d6b47eeb06ecfc26484bd163909bbb43c9df486255e52fb

          SHA512

          5e510fbeec88c2cf40a9d6d4d7d7b4fefee416c7671d9e92d024f23984cdaefbe906bc6173f861ce2940872e6d8b62d50d432040abad3323fe41ab015d9f7302

        • \Users\Admin\AppData\Local\TiX\cttune.exe

          Filesize

          314KB

          MD5

          7116848fd23e6195fcbbccdf83ce9af4

          SHA1

          35fb16a0b68f8a84d5dfac8c110ef5972f1bee93

          SHA256

          39937665f72725bdb3b82389a5dbd906c63f4c14208312d7f7a59d6067e1cfa6

          SHA512

          e38bf57eee5836b8598dd88dc3d266f497d911419a8426f73df6dcaa503611a965aabbd746181cb19bc38eebdb48db778a17f781a8f9e706cbd7a6ebec38f894

        • \Users\Admin\AppData\Local\bfo9Gpgv\UxTheme.dll

          Filesize

          150KB

          MD5

          a79a56d0be7a15528e71c6e5e1a04211

          SHA1

          feb9cb7bbd168183d0ed928e2eea4fe8a19e4662

          SHA256

          f180e706211d2b755a94cfea322d6692bd6ca05dfae5b547a9d9cd6f4f75cc2b

          SHA512

          cea0d44f145298de0f5a7400b4741ce6507434f78d508c48e0a5522c1811148c7d04ae59ddbd75c0b67f4c43a98119547c0e8d473e2d56d26ec46778fb0c2004

        • \Users\Admin\AppData\Local\bfo9Gpgv\mblctr.exe

          Filesize

          99KB

          MD5

          99d79c3e9be254c678f92b5eb96fda5b

          SHA1

          a4cf8c2615b7a5cba2113b51c2579a4ed876fa63

          SHA256

          5dad20631948b1028e782361dc9373d280ce393b562960b9efd120b400b8e4bb

          SHA512

          a26d34ad6ece2d6abc92721c422595fe31def90f3ea576748549f54206e0824db0a3c8547f495125ca438afd0f50eddb4a2dfabafd78b10eedbc6e8a9b2797b2

        • \Users\Admin\AppData\Local\jA2dBf8\WINSTA.dll

          Filesize

          4KB

          MD5

          3dba63b890aa64c43a045b2dafb1dd4b

          SHA1

          124816b8d125a648c629c59f04e86e4bed5b920b

          SHA256

          c73cd0b9832eccd67e41a57431ad17a06118ebe4757e843554bb1073b653eeae

          SHA512

          9e60c15fe919b1ca3748a7481622eea44caa37c46b25f70fff1fa8a2c4a34457568b9fec87edc10e84267508b629bba3d2d5b15ba896234916112a4df4fb7f6e

        • \Users\Admin\AppData\Local\jA2dBf8\winlogon.exe

          Filesize

          28KB

          MD5

          d31d5a29863c6c2db208360ba1ebf98f

          SHA1

          47176cd3ccfd2da11d96e4b1cd9f8d1d1c1c52ee

          SHA256

          3a8c5658c4e775702f2aa285cf91434eae26ba7d697625400edb3c36cafd732b

          SHA512

          b08d4659ed78d8f2eed9db58801fbcf64c8417c443fe349f481aca3ee2c51ea6660f807516d351d0ca1f5c7472ae503396c98a426e0029b68de3a5d5e01ab221

        • \Users\Admin\AppData\Roaming\Microsoft\Windows\IECompatUACache\2r9LtEnVR\mblctr.exe

          Filesize

          152KB

          MD5

          fcdeff5e3f432c5b2eb3f6e5963c8c9f

          SHA1

          5fcd8a390143b12ccb97ed49513c231bbb097b07

          SHA256

          d79ef8c29f7412343f44551b2d4b17d9209b52a4732aab27957b64f4c2ebc07d

          SHA512

          2dc0c27b1e57566ba611b45596eb4edaea8a45d54de5863f69ef23f7f6e402196cd50bc61e222e2aee8e8d62236a7e55e2cde8f10c3c75ef10c9223f1cd9f3cc
