Analysis

  • max time kernel
    149s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    26-01-2024 11:50

General

  • Target

    7747f0093a61bd648a9356cf2797bc88.dll

  • Size

    1.7MB

  • MD5

    7747f0093a61bd648a9356cf2797bc88

  • SHA1

    2d2ad0030c4569e867ceb32bdc0f23a30a1dbcb3

  • SHA256

    2a93a9d8dcfa728e06e4cde541d13154ee6a07f1439f177e54d31dea176dc681

  • SHA512

    6e131a6cfa2f256b7d757ba2e52f4fa89f8f3fd80529fe1fdb3324e4ab277d9d3041ce802ee78163e72081ffd1118b7f9a66d8dcda0028743251ddd677f622d5

  • SSDEEP

    12288:NVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:UfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode (1 IoC)

    Detects Dridex payload shellcode injected into the Explorer process.

  • Executes dropped EXE (3 IoCs)
  • Loads dropped DLL (7 IoCs)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Checks whether UAC is enabled (1 TTP, 4 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of WriteProcessMemory (18 IoCs)
  • Uses Task Scheduler COM API (1 TTP)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\7747f0093a61bd648a9356cf2797bc88.dll,#1
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID: 2076
  • C:\Users\Admin\AppData\Local\HxQ5f\fvenotify.exe
    C:\Users\Admin\AppData\Local\HxQ5f\fvenotify.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID: 1272
  • C:\Windows\system32\fvenotify.exe
    C:\Windows\system32\fvenotify.exe
    PID: 2708
    • C:\Users\Admin\AppData\Local\E7vDW6Ff\OptionalFeatures.exe
      C:\Users\Admin\AppData\Local\E7vDW6Ff\OptionalFeatures.exe
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID: 1676
    • C:\Windows\system32\OptionalFeatures.exe
      C:\Windows\system32\OptionalFeatures.exe
      PID: 2200
      • C:\Users\Admin\AppData\Local\0bPa\wisptis.exe
        C:\Users\Admin\AppData\Local\0bPa\wisptis.exe
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID: 1052
      • C:\Windows\system32\wisptis.exe
        C:\Windows\system32\wisptis.exe
        PID: 1812

Network

MITRE ATT&CK Enterprise v15

Downloads
