Analysis

  • max time kernel
    150s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    26-01-2024 13:37

General

  • Target

    77810543496dc906d195460796a0219f.dll

  • Size

    1.7MB

  • MD5

    77810543496dc906d195460796a0219f

  • SHA1

    715be388b02b3699ec35b93d4ad823e6b0127c91

  • SHA256

    3df740c27f3febda3ee2de2dfb8825fec9efdf4017ef648ff61b91d77f76f8ba

  • SHA512

    21fc370d2143019708e8980c089ec7ab3c930b3c5040c8a05b579312ddd16295d4efeb191a7c4b3cfd6ee570b7a351052268633880bd79aa68330f1bca1c033d

  • SSDEEP

    12288:sVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:ZfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a banking trojan that specializes in stealing banking credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex payload shellcode injected into the Explorer process.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\77810543496dc906d195460796a0219f.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2140
  • C:\Windows\system32\sdclt.exe
    C:\Windows\system32\sdclt.exe
    1⤵
    PID:2588
  • C:\Users\Admin\AppData\Local\rPIrD\sdclt.exe
    C:\Users\Admin\AppData\Local\rPIrD\sdclt.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:1792
  • C:\Users\Admin\AppData\Local\2ipIWk\rekeywiz.exe
    C:\Users\Admin\AppData\Local\2ipIWk\rekeywiz.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:2660
  • C:\Windows\system32\rekeywiz.exe
    C:\Windows\system32\rekeywiz.exe
    1⤵
    PID:2628
  • C:\Users\Admin\AppData\Local\Ovzd\rstrui.exe
    C:\Users\Admin\AppData\Local\Ovzd\rstrui.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:2492
  • C:\Windows\system32\rstrui.exe
    C:\Windows\system32\rstrui.exe
    1⤵
    PID:2912
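The process tree above shows the loader pattern a responder should recognise: rundll32.exe invokes the sample from %TEMP% by ordinal (,#1), and three Windows binaries (sdclt.exe, rekeywiz.exe, rstrui.exe) are relaunched as dropped copies from random-named directories under AppData\Local, each with a DLL beside it (Secur32.dll, slc.dll, SPP.dll in the Downloads section), which is DLL search-order sideloading. The script below is an added example, not part of the sandbox report or of any tool the report uses: it runs three detection rules over Sysmon-style process-create and image-load records. The Event record, the rule names, the binary/DLL watchlists and the sample events are all assumptions constructed here from the report's paths (they are not real Sysmon output), and the System32 sdclt.exe loading secur32.dll from System32 is a constructed benign baseline.

```python
"""Triage Sysmon-style events for the DLL-sideloading pattern in the tree above.
Added example, not part of the sandbox report; events are constructed."""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

# Windows binaries the report shows copied out of System32 and run from
# AppData (assumed watchlist; extend it for your environment).
SYSTEM_BINARIES = {"sdclt.exe", "rekeywiz.exe", "rstrui.exe"}
# DLL names that appear next to those copies in the Downloads section.
SIDELOAD_DLL_NAMES = {"secur32.dll", "slc.dll", "spp.dll"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\")


@dataclass(frozen=True)
class Event:
    event_id: int            # Sysmon numbering: 1 = process create, 7 = image load
    pid: int
    image: str               # image path of the process
    command_line: str = ""   # event 1 only
    image_loaded: str = ""   # event 7 only


def norm(path: str) -> str:
    """Normalise a Windows path for comparison (case-insensitive, no '..')."""
    return ntpath.normpath(path).lower()


def parse_rundll32(command_line: str) -> tuple[str, str]:
    """Split 'rundll32.exe <dll>,<export>' into (dll path, export).
    Accepts a quoted DLL path; returns ('', '') if the shape is unexpected."""
    parts = command_line.split(None, 1)
    if len(parts) < 2:
        return "", ""
    arg = parts[1].strip()
    if arg.startswith('"'):                      # "C:\p a\x.dll",Export
        end = arg.find('"', 1)
        if end < 0:
            return "", ""
        dll, rest = arg[1:end], arg[end + 1:]
    else:                                        # C:\p\x.dll,Export
        dll, sep, rest = arg.partition(",")
        rest = sep + rest
    export = rest[1:].split()[0] if rest.startswith(",") and rest[1:].split() else ""
    return dll, export


def check_event(ev: Event) -> list[tuple[int, str, str]]:
    """Return (pid, rule, detail) findings for one event."""
    findings: list[tuple[int, str, str]] = []
    img = norm(ev.image)
    name, img_dir = ntpath.basename(img), ntpath.dirname(img)
    if ev.event_id == 1:
        # Rule 1: a System32 binary name executing from outside a system dir.
        if name in SYSTEM_BINARIES and not img_dir.startswith(SYSTEM_DIRS):
            findings.append((ev.pid, "masquerade", f"{name} run from {img_dir}"))
        # Rule 2: rundll32 loading a DLL from a user-writable path (ordinal noted).
        if name == "rundll32.exe":
            dll, export = parse_rundll32(ev.command_line)
            if dll and norm(dll).startswith(USER_WRITABLE):
                how = f"ordinal {export}" if export.startswith("#") else f"export {export or '?'}"
                findings.append((ev.pid, "rundll32_user_dll", f"{norm(dll)} via {how}"))
    elif ev.event_id == 7 and ev.image_loaded:
        # Rule 3: a well-known Windows DLL name loaded from the host's own
        # non-system directory (search-order sideload).
        dll = norm(ev.image_loaded)
        if (ntpath.basename(dll) in SIDELOAD_DLL_NAMES
                and ntpath.dirname(dll) == img_dir
                and not img_dir.startswith(SYSTEM_DIRS)):
            findings.append((ev.pid, "sideload", f"{name} loaded {dll}"))
    return findings


def triage(events) -> list[tuple[int, str, str]]:
    return [f for ev in events for f in check_event(ev)]


# Constructed from the report's process tree and Downloads section.
SAMPLE_EVENTS = [
    Event(1, 2140, r"C:\Windows\system32\rundll32.exe",
          r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\77810543496dc906d195460796a0219f.dll,#1"),
    Event(1, 2588, r"C:\Windows\system32\sdclt.exe", r"C:\Windows\system32\sdclt.exe"),
    Event(7, 2588, r"C:\Windows\system32\sdclt.exe", image_loaded=r"C:\Windows\System32\secur32.dll"),
    Event(1, 1792, r"C:\Users\Admin\AppData\Local\rPIrD\sdclt.exe", r"C:\Users\Admin\AppData\Local\rPIrD\sdclt.exe"),
    Event(7, 1792, r"C:\Users\Admin\AppData\Local\rPIrD\sdclt.exe", image_loaded=r"C:\Users\Admin\AppData\Local\rPIrD\Secur32.dll"),
    Event(1, 2660, r"C:\Users\Admin\AppData\Local\2ipIWk\rekeywiz.exe", r"C:\Users\Admin\AppData\Local\2ipIWk\rekeywiz.exe"),
    Event(7, 2660, r"C:\Users\Admin\AppData\Local\2ipIWk\rekeywiz.exe", image_loaded=r"C:\Users\Admin\AppData\Local\2ipIWk\slc.dll"),
    Event(1, 2628, r"C:\Windows\system32\rekeywiz.exe", r"C:\Windows\system32\rekeywiz.exe"),
    Event(1, 2492, r"C:\Users\Admin\AppData\Local\Ovzd\rstrui.exe", r"C:\Users\Admin\AppData\Local\Ovzd\rstrui.exe"),
    Event(7, 2492, r"C:\Users\Admin\AppData\Local\Ovzd\rstrui.exe", image_loaded=r"C:\Users\Admin\AppData\Local\Ovzd\SPP.dll"),
    Event(1, 2912, r"C:\Windows\system32\rstrui.exe", r"C:\Windows\system32\rstrui.exe"),
]

if __name__ == "__main__":
    for pid, rule, detail in triage(SAMPLE_EVENTS):
        print(f"{pid}\t{rule}\t{detail}")
```

Rule 3 deliberately requires the DLL to sit in the host's own directory: that is the search-order position a dropped copy of a system DLL exploits, and it keeps the genuine System32 pairs (sdclt.exe with System32\secur32.dll) silent. The three system-path launches in the tree (PIDs 2588, 2628, 2912) produce no findings; the three AppData copies each trigger both the masquerade and the sideload rule.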

        Network

        MITRE ATT&CK Enterprise v15


        Downloads

        • C:\Users\Admin\AppData\Local\2ipIWk\rekeywiz.exe

          Filesize

          67KB

          MD5

          767c75767b00ccfd41a547bb7b2adfff

          SHA1

          91890853a5476def402910e6507417d400c0d3cb

          SHA256

          bd70e504871a2ac1c883d19b87970c8d1b8b251c784bf777ba77ed764f5f2395

          SHA512

          f096043452a1aa213a5e4d62638de3ee4b0b3ad3d12b7ee0372d8c79e00e2e13b4fd0ebc4206bbdb5124bed292dd5b30ef1641288046ef835f89c332985154f9

        • C:\Users\Admin\AppData\Local\2ipIWk\slc.dll

          Filesize

          189KB

          MD5

          58cfa68b97770a7f969a96920676a45c

          SHA1

          cbfd60488271d82d90dfe3b1935da8c454bf2301

          SHA256

          3f35599fc2b9aa9f9aeb1309f633627ceca29665f0259028e93529fa7056d740

          SHA512

          d3a440af4d12840e553b515392010ac5ce6a794b3fa9d7267f4dd5ed16947b4781777db2f7336f45aea6c48bad72548637ba4f29f017ec6435600172957079de

        • C:\Users\Admin\AppData\Local\Ovzd\SPP.dll

          Filesize

          71KB

          MD5

          1d237d48070457444927a19193eae76a

          SHA1

          466e61a51f2dabff2ffec7742efa5c5f71b29b01

          SHA256

          7828b6b5a7990736572563aab8f04d0113da5cad2a3ddfaa460ce283997a517f

          SHA512

          ad312519d3d917ae2c5b11b09444f8483b55dfab755feea48a652e4244b179e6658bc0d891782546a8f06ab51d79fcb521d5666c16ba61b88120cdea0b16c5b0

        • C:\Users\Admin\AppData\Local\Ovzd\rstrui.exe

          Filesize

          83KB

          MD5

          f1684e6c16e233879f90830ac7965abb

          SHA1

          c8ec3f7838497b54793bc515d5d5798c90018bfb

          SHA256

          d16e9d1bbf007fce0b1f5b7d0fe9dd05546a39dddc35b3c7b0f93e441464e3ab

          SHA512

          d406ed5db6c265e2e846d9550abaa7bc5c687f98ae42306192a38f29eebe5b1094e78ddbfd2f3930bd5b774851631107f3770b58a3e163fdc15db59ef18402ce

        • C:\Users\Admin\AppData\Local\Ovzd\rstrui.exe

          Filesize

          112KB

          MD5

          4dc3ec61408834916a3dcdf6b91b134b

          SHA1

          08b84f218e16036584931acd9cd010ac687c3a0a

          SHA256

          cc067ccea02f18d87d9337d3c5fdc1a839a6bceb35b2404f6828ab4f21dfb911

          SHA512

          c8a87a3acc4f8170ad18539523c2d9581fd25a1feceaf6e5e3c190fb3d9ed8152b242bdb9425cd11821137123c3bcdd8506f9913ac357c53b986ab3c8a40dd1e

        • C:\Users\Admin\AppData\Local\rPIrD\Secur32.dll

          Filesize

          144KB

          MD5

          759a1552bb11b444aac50ee3337fea97

          SHA1

          b3b97e1da25d3f0803e4add64de210ed187e0ba5

          SHA256

          3cab7025db18a6c2a86a097fd77b58bedd5dacded30afbfe2877d3f68dfe5299

          SHA512

          8f5d69838e02fe3e52a2d8e9898b6e46b4b4dccd65e5be399ae085e6f4aa1f935db5b98301f433d414b1c250de2cc92f65da76838d353773b5d02fd43dd1701e

        • C:\Users\Admin\AppData\Local\rPIrD\sdclt.exe

          Filesize

          139KB

          MD5

          1163292404c87d6eded602fb8ed3befb

          SHA1

          2523b6862ec4d2b2bfe662a4f84ac2ef105f5d88

          SHA256

          8b4354eb21b2f47a4a4004ef2dd74d91a23520d9bce362c5a400d9895b8703a0

          SHA512

          7988623abe98261e2e739e6821068edff25b61eb35aa4c8c85e70c53463e72e1b529df4e2e355ead0089cd4d1d9cd2451d64258a66438eae1d99a6bed2956c17

        • C:\Users\Admin\AppData\Local\rPIrD\sdclt.exe

          Filesize

          118KB

          MD5

          7c61a9afc3eb453bac76d740b04c557a

          SHA1

          db8e5696cc5f13fdf71fa9a8e8cebeee4d7e6abd

          SHA256

          f5cbcc8e781ebe299c11082017933ca60eb77cc25493f95cce9b8f5faf5b2cb7

          SHA512

          1d68b2c8dfbd144285b2898ed33f386233b9991b35b469cefb221485ab5d2778fb4fc9edd389de063d0eaf7b621fcee62ae00849034afc8ec4b56b2ccde6087b

        • C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\AQu\Secur32.dll

          Filesize

          1.7MB

          MD5

          228fcd0e9b8225bab7d1ef1733561cd2

          SHA1

          3c38cf65a9e6a05f391ba75a0d715787cbdb9d2b

          SHA256

          d07ef0d722ed82aeca0f8d9584a322e5978cc82c0f8a5c90f4a72f0cce495f3e

          SHA512

          08f4ce8059bae12eb52eb7b2c7396448a436fd82cd61489aa645b7d3ad23d2468dbd86ec94fdc2edd09ec7f694c325bd8b711ebb3223660f6b3f03faf7153936

        • C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\ebxK\slc.dll

          Filesize

          1.7MB

          MD5

          4094b514a056fa26b348cd2300aafcc6

          SHA1

          b8e1529fb4282d72d9a00f27bc3c8e76ed228a7d

          SHA256

          95f926cb5d8f3ac7bf5e472461778d6524b2c9b6701ede37c8f353a8464f59e7

          SHA512

          77929d203929e4191980731f2b0a3f4ba56854fe765438090dd219dc1edfe256ff38c517a8ec1bade42e612b2cce70e01b7a8b9831aa40d81a93c21f7baff526

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Cuhrqknkppepky.lnk

          Filesize

          1KB

          MD5

          358b160f1242223920b2e5ea27048228

          SHA1

          a6b9f46aab3c4ac4318d27d3fdf944feb88be05a

          SHA256

          fb79ba6be2306c2b04cb214111a4000284517e4f4a6bb50832b8c6c609156edd

          SHA512

          4aa8f4d75783361646f206ec2ac31cad745d9efd3fe880fbd6d8fe5d0cc562675269a094711df85317342c58a308a1d5003203f743f1f16dbc605127f2c1c7e7

        • C:\Users\Admin\AppData\Roaming\Microsoft\Protect\PWJ2lwcTmcq\SPP.dll

          Filesize

          1.7MB

          MD5

          8cd243505f4ad2a151e49a47065ef8db

          SHA1

          338055b18dc059b4082f79226f8761b5404e84cf

          SHA256

          12fe0d872ed7b61a07700c7bf2d6b09b43465a971e38d1404b5462532b8b6a41

          SHA512

          cb49b8d614a82f4b972bfc1cb5e1b37ad6af0584b66f1731fb95bb563214fd3aa9911e5a3cf5d3d539826f748ec0821b980e182bb99f563dcb6e8875d97137e8

        • \Users\Admin\AppData\Local\2ipIWk\slc.dll

          Filesize

          206KB

          MD5

          5fecaff146cb69f5892cce74c6f86636

          SHA1

          fd5fea48bbf1c2f721c105af6445ec119b4f73d0

          SHA256

          0f2ebd5097c11f190c6e4133c374d308950674f22a6c8e21732181e865bf9fa7

          SHA512

          4cbccc36ddd3694485a49e654b54e96b4a6c37d30bd09044cd783a39f86dd6816204e597cce70a850b90b19a343142b5aff6d385c03052b5500ae995a061113a

        • \Users\Admin\AppData\Local\Ovzd\SPP.dll

          Filesize

          84KB

          MD5

          8bd0c05a23dd20469a17ff1818ff689e

          SHA1

          a726a1ee88399c62da3c4b28c6920d00b16b1b88

          SHA256

          545c8ecd3f238f3a44545dca4f51e01351b253269077036aa83899f1d8e8b94f

          SHA512

          092a74ce31b44ebaa703b4d6711c204c276f33523b1f5dbf48f4de6248ef17e2c0e81511fab578af367fae1c7d141013f4af20120287a11658ada3ab160a3001

        • \Users\Admin\AppData\Local\Ovzd\rstrui.exe

          Filesize

          47KB

          MD5

          88dd12cc6797b17c61e2abbacf17dd4c

          SHA1

          cd87e6f720f1a8e0df61366aa2a70dc5c640cbb6

          SHA256

          e139a84bf991bd3ccf1dd849365259547f2fdac80f6abc9f98309bb0eff955e5

          SHA512

          1645ea75875793031215d1fe0186d1b346eb11398e2107a6ac2125aaa3947d9afeaa74f7ccda3ed6eba067c07998e2660c0652c4ef0282fd51dd6ecf292caa28

        • \Users\Admin\AppData\Local\rPIrD\Secur32.dll

          Filesize

          133KB

          MD5

          c3b6459c89b91aa9ff4fdc20045d0a6e

          SHA1

          8be63136ffb4d30742a4584e7eadab4a70ffd80c

          SHA256

          d682ec0f0f8d50adce18c6a87e38c1093fceaa1e157cb3e4d66e9692880d1158

          SHA512

          6a237dc057c2a8f366f2ca0449f6a355869ba172c90c821fddd3fc50962216c85ae406ba9902c738f59206cee0ddec54d955a35952c0be199402998e5844dea0

        • \Users\Admin\AppData\Local\rPIrD\sdclt.exe

          Filesize

          170KB

          MD5

          2c2c1b7ab248604574360de489e8d06b

          SHA1

          819535e0636457fb5f5f2b3716d55c9ece064243

          SHA256

          dcd432ecefcf65a64e78582b28d9e1d8b85e8c86b3177f8f22722ceaaef06e81

          SHA512

          d0b021028c445c14d567bcd4902837a7ac7c2b0e32343f6281d7d6daaa3d061d966072ee0ae7e2b062e5976e67c7f39c4d7cc104c060cf79b164291b285625ea

        • \Users\Admin\AppData\Roaming\Microsoft\Protect\PWJ2lwcTmcq\rstrui.exe

          Filesize

          58KB

          MD5

          b69136323ea51425c31bf6fcfd64b637

          SHA1

          1c0272f77499ebeb684a96e30c3f3148cb4b4aab

          SHA256

          06168bac05ad12c59d824d67f41ef647712cf7bcf71ca6e788d7f6e9b2a2d8b2

          SHA512

          d01adc1ee80428ca57b24cc9b6cdb5bec74d9fc5aebbf2f18ea6106b5b3b0f6fb0a831920b7c8cc3b15be89108061576a907c36ab88b289d86eedbb3f4e5adc3

        • memory/1200-28-0x0000000140000000-0x00000001401B7000-memory.dmp

          Filesize

          1.7MB

        • memory/1200-18-0x0000000140000000-0x00000001401B7000-memory.dmp

          Filesize

          1.7MB

        • memory/1200-32-0x0000000140000000-0x00000001401B7000-memory.dmp

          Filesize

          1.7MB

        • memory/1200-30-0x0000000140000000-0x00000001401B7000-memory.dmp

          Filesize

          1.7MB

        • memory/1200-59-0x0000000140000000-0x00000001401B7000-memory.dmp

          Filesize

          1.7MB

        • memory/1200-66-0x0000000140000000-0x00000001401B7000-memory.dmp

          Filesize

          1.7MB

        • memory/1200-64-0x0000000140000000-0x00000001401B7000-memory.dmp

          Filesize

          1.7MB

        • memory/1200-35-0x0000000140000000-0x00000001401B7000-memory.dmp

          Filesize

          1.7MB

        • memory/1200-37-0x0000000140000000-0x00000001401B7000-memory.dmp

          Filesize

          1.7MB

        • memory/1200-4-0x0000000077706000-0x0000000077707000-memory.dmp

          Filesize

          4KB

        • memory/1200-5-0x0000000002210000-0x0000000002211000-memory.dmp

          Filesize

          4KB

        • memory/1200-146-0x0000000077706000-0x0000000077707000-memory.dmp

          Filesize

          4KB

        • memory/1200-38-0x0000000140000000-0x00000001401B7000-memory.dmp

          Filesize

          1.7MB

        • memory/1200-48-0x0000000140000000-0x00000001401B7000-memory.dmp

          Filesize

          1.7MB

        • memory/1200-50-0x0000000077A70000-0x0000000077A72000-memory.dmp

          Filesize

          8KB

        • memory/1200-29-0x0000000140000000-0x00000001401B7000-memory.dmp

          Filesize

          1.7MB

        • memory/1200-10-0x0000000140000000-0x00000001401B7000-memory.dmp

          Filesize

          1.7MB

        • memory/1200-27-0x0000000140000000-0x00000001401B7000-memory.dmp

          Filesize

          1.7MB

        • memory/1200-26-0x0000000140000000-0x00000001401B7000-memory.dmp

          Filesize

          1.7MB

        • memory/1200-25-0x0000000140000000-0x00000001401B7000-memory.dmp

          Filesize

          1.7MB

        • memory/1200-24-0x0000000140000000-0x00000001401B7000-memory.dmp

          Filesize

          1.7MB

        • memory/1200-22-0x0000000140000000-0x00000001401B7000-memory.dmp

          Filesize

          1.7MB

        • memory/1200-21-0x0000000140000000-0x00000001401B7000-memory.dmp

          Filesize

          1.7MB

        • memory/1200-20-0x0000000140000000-0x00000001401B7000-memory.dmp

          Filesize

          1.7MB

        • memory/1200-19-0x0000000140000000-0x00000001401B7000-memory.dmp

          Filesize

          1.7MB

        • memory/1200-33-0x0000000140000000-0x00000001401B7000-memory.dmp

          Filesize

          1.7MB

        • memory/1200-17-0x0000000140000000-0x00000001401B7000-memory.dmp

          Filesize

          1.7MB

        • memory/1200-15-0x0000000140000000-0x00000001401B7000-memory.dmp

          Filesize

          1.7MB

        • memory/1200-14-0x0000000140000000-0x00000001401B7000-memory.dmp

          Filesize

          1.7MB

        • memory/1200-13-0x0000000140000000-0x00000001401B7000-memory.dmp

          Filesize

          1.7MB

        • memory/1200-12-0x0000000140000000-0x00000001401B7000-memory.dmp

          Filesize

          1.7MB

        • memory/1200-11-0x0000000140000000-0x00000001401B7000-memory.dmp

          Filesize

          1.7MB

        • memory/1200-9-0x0000000140000000-0x00000001401B7000-memory.dmp

          Filesize

          1.7MB

        • memory/1200-16-0x0000000140000000-0x00000001401B7000-memory.dmp

          Filesize

          1.7MB

        • memory/1200-7-0x0000000140000000-0x00000001401B7000-memory.dmp

          Filesize

          1.7MB

        • memory/1200-49-0x0000000077911000-0x0000000077912000-memory.dmp

          Filesize

          4KB

        • memory/1200-23-0x0000000140000000-0x00000001401B7000-memory.dmp

          Filesize

          1.7MB

        • memory/1200-39-0x0000000140000000-0x00000001401B7000-memory.dmp

          Filesize

          1.7MB

        • memory/1200-44-0x00000000021F0000-0x00000000021F7000-memory.dmp

          Filesize

          28KB

        • memory/1200-40-0x0000000140000000-0x00000001401B7000-memory.dmp

          Filesize

          1.7MB

        • memory/1200-36-0x0000000140000000-0x00000001401B7000-memory.dmp

          Filesize

          1.7MB

        • memory/1200-31-0x0000000140000000-0x00000001401B7000-memory.dmp

          Filesize

          1.7MB

        • memory/1200-34-0x0000000140000000-0x00000001401B7000-memory.dmp

          Filesize

          1.7MB

        • memory/1792-78-0x0000000140000000-0x00000001401B8000-memory.dmp

          Filesize

          1.7MB

        • memory/1792-82-0x0000000140000000-0x00000001401B8000-memory.dmp

          Filesize

          1.7MB

        • memory/1792-77-0x0000000000110000-0x0000000000117000-memory.dmp

          Filesize

          28KB

        • memory/2140-8-0x0000000140000000-0x00000001401B7000-memory.dmp

          Filesize

          1.7MB

        • memory/2140-1-0x0000000000190000-0x0000000000197000-memory.dmp

          Filesize

          28KB

        • memory/2140-0-0x0000000140000000-0x00000001401B7000-memory.dmp

          Filesize

          1.7MB

        • memory/2492-118-0x0000000000380000-0x0000000000387000-memory.dmp

          Filesize

          28KB

        • memory/2660-104-0x00000000001F0000-0x00000000001F7000-memory.dmp

          Filesize

          28KB