Analysis

  • max time kernel
    150s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    26-01-2024 14:01

General

  • Target

    778d4730d5f23525661b573a83f5a65f.dll

  • Size

    1.7MB

  • MD5

    778d4730d5f23525661b573a83f5a65f

  • SHA1

    b4363f418266b63f4036546ab4a54e52fd530c2d

  • SHA256

    72ab82c1cb0c63ec0a02f3bd9061de964700d7490d0704cafc3eb3459b0e906d

  • SHA512

    0ae77c82fb95805277f52235354ae296455ffb7c33a863dff46b6245738fadec923dfe742c2554bdbb53cebc664c58630cbce935c5ddf714ca1bf55f9ae105cd

  • SSDEEP

    12288:CVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:ffP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex payload shellcode injected into the Explorer process.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\778d4730d5f23525661b573a83f5a65f.dll,#1
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2144
  • C:\Windows\system32\msdt.exe
    C:\Windows\system32\msdt.exe
    PID:2584
    • C:\Users\Admin\AppData\Local\PBI\msdt.exe
      C:\Users\Admin\AppData\Local\PBI\msdt.exe
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2640
    • C:\Windows\system32\rdpinit.exe
      C:\Windows\system32\rdpinit.exe
      PID:1156
      • C:\Users\Admin\AppData\Local\ysgckb4kP\rdpinit.exe
        C:\Users\Admin\AppData\Local\ysgckb4kP\rdpinit.exe
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:748
      • C:\Windows\system32\FXSCOVER.exe
        C:\Windows\system32\FXSCOVER.exe
        PID:2964
        • C:\Users\Admin\AppData\Local\riKqWacaW\FXSCOVER.exe
          C:\Users\Admin\AppData\Local\riKqWacaW\FXSCOVER.exe
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:3016

        Network

        MITRE ATT&CK Enterprise v15


        Downloads

        • C:\Users\Admin\AppData\Local\PBI\Secur32.dll

          Filesize

          15KB

          MD5

          7d68750f6a08025d0728ccda2a9d5fcb

          SHA1

          b2ed946722ef9d8d255ba2c787e6562863a3e84d

          SHA256

          8ea501d2d76b7ce1d48b8ca2c6105866307c55c95ceda248d87f6532b6171fe1

          SHA512

          81e1ea131fcafdaf8fefd910b9ebe80f5cf702747a440beab03f51f6b4caeb7e962dd60d282290b8a4ab2772441bf5aa2ab5ca334925fb8600b451dbe73f4908

        • C:\Users\Admin\AppData\Local\PBI\msdt.exe

          Filesize

          37KB

          MD5

          51f6e08c39f2f1c46e1f80c3550f6596

          SHA1

          fd59a0e6fa4c65c78ab45ee435c6db93c06281a3

          SHA256

          ffb68ab699d32900cdbf2b1d3c8a7a71dcc7e2ac0884c1d170e14458eea0d3d4

          SHA512

          3d502d0a0810f686f85047f80075f6eaf1515695fa21f5c582781ab7857a022eba22b39d97e895849848371191f5a4e58a017251afd8639759df0610b0694451

        • C:\Users\Admin\AppData\Local\PBI\msdt.exe

          Filesize

          179KB

          MD5

          194c73b7fadb1e79c1c84d092663177a

          SHA1

          8ee6a5a2b82dbacb7cef6c067b5fd86051a65344

          SHA256

          ffabd359a9f4de658a9f4bcf2b0cec251f5c73bec5936a2ef34536a4a550e209

          SHA512

          daa279fc2c5e597eaca287b0bf781756128d722ac8e9c49a9241bff3551f64706b357302d019eb57056fdfe55b0405ec7a5eb07a569740f43adeb60525a358ec

        • C:\Users\Admin\AppData\Local\riKqWacaW\FXSCOVER.exe

          Filesize

          31KB

          MD5

          698715487f6176f68d70ec6a90bd7455

          SHA1

          7877eb01ddd7e01b4f3dd5d5da5e974b66b6f789

          SHA256

          47d6ed10b22984428964d9749565cea365c9c3e9eca0903e0246ded4203687d3

          SHA512

          39b02c4f04e3a9dde4ecb03bec9a8935ddb0c305b90f5c9595a2244cbcbf2ed41063ced405f8b02d762e618c51d48f5dafc96b3b23e888b8b3625cf533ad29f5

        • C:\Users\Admin\AppData\Local\riKqWacaW\FXSCOVER.exe

          Filesize

          31KB

          MD5

          d93aaa73de5c563f11fb8dcc44dde566

          SHA1

          37020f3b5661d13a1b38740b44eda063a0c53285

          SHA256

          3a431d3d3b48e1ced4d6357b89e9663df5a809921d1a9cfc20af785c255d3a73

          SHA512

          8c753900ca7ece8b7bc719b9213b1059ec9ddf0d15b7806a70d3a43eea3d448ef3e4bbb28bceb43323acc4528f3e5711912ac284c70faae36a0717008813f7d9

        • C:\Users\Admin\AppData\Local\riKqWacaW\MFC42u.dll

          Filesize

          39KB

          MD5

          43e4456d9539163197a0ed76f2b4e30f

          SHA1

          437908db9834ee8b5934995e3f74442334af7560

          SHA256

          bba1d292dd66ca86230ec459bfc0d4eb64d9b33070282583fd4604a512495a42

          SHA512

          04c48b782b156a8b33d9acbf17ed8cc3ed80030fdc0522286476fe8ce8eb761bc975d8b24065a415c80550eb2a87c0ddf17b09e37cb215623337cc9bfda07dd3

        • C:\Users\Admin\AppData\Local\ysgckb4kP\WTSAPI32.dll

          Filesize

          102KB

          MD5

          26ad07a4770912eec58abd5644213b73

          SHA1

          7f715a1047daa2bcf046c93c07a8aead826749d7

          SHA256

          16962166f1713410aabd8cbbbb67c0e7c1bc68984fe17eb54a106e0bf2e58bcf

          SHA512

          8c9e68c729dda1129f007ca98e65052e07358168f7f03c66219fb0cd944248133d6fffb520c04e0f87c92d43ed539675e0fc213b871dc16d33ccd66652ad955e

        • C:\Users\Admin\AppData\Local\ysgckb4kP\rdpinit.exe

          Filesize

          60KB

          MD5

          c95c06ba102102a26de91a3947927ec6

          SHA1

          e4cf659a6c1931493c746e908a1b9d4b4536226b

          SHA256

          62874984595212117ac92983e9c1fe90f27373e8129855f211c38f4d80644bb3

          SHA512

          54568b4068b823f4b62122759dcf22e8f326d86618130456a8159c22598810790f4ed2afd7369ed5863ff552ae34cf011557dea9454e1d49ef6e2fb445245e50

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ekhyqsv.lnk

          Filesize

          1KB

          MD5

          16999e5b5f4784468e4872f5d1d6e6f9

          SHA1

          53a017ba930a5ec781a5ce6072ea1de98c080abc

          SHA256

          b456a24b6127ca4c6279c46dc0fd3bcc5392939fc2ec16f4e5ba627ca61a574d

          SHA512

          30789583fa7cd2c6ae4cd0939e9373c23080003386d18ef336685b7f4faee122e42bcd49336cb3b37061ec5329756d3b35af30052adcbd7dde0b24f587d4ca17

        • C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\awdcnB3Nw\MFC42u.dll

          Filesize

          1.7MB

          MD5

          dad0a9b61d0c4c1baa3963c6a70d00fb

          SHA1

          02d1144208bc83af3d0c82293d009618d4f74551

          SHA256

          819c7a31bd0d47cd797b7fa8589c1f8caeac47e60f034b40d5bfe2efe736b3de

          SHA512

          53a208130432f3b63d3dfb63251f210642ac20a60e459b0bfee03d7fc08f5a5ddf3656684cc635382a3221cca6349d4875eaba8708fcbf9bf275b093ac910099

        • C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\k4xPwzO\WTSAPI32.dll

          Filesize

          1.7MB

          MD5

          ac6d82aa633f8a0487594326a7718aac

          SHA1

          93904096e733057b12dafe4e4152fe2629ee6b8e

          SHA256

          c50fa5d5483856fb01a99b33466bc83046c4a7d422159bdeecbf39c3ca8c995b

          SHA512

          022c108aec640fe6fee5809abf075dcf47249802df309559961f548c348641988e89d1d423377d313fb8902904ecf73a11673e6a9d7d2e5a47e0581134e15b5e

        • C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\k4xPwzO\rdpinit.exe

          Filesize

          89KB

          MD5

          f8901aaa6a4f1114c6ca42bfd4955ae3

          SHA1

          9dac033f80a3fc94cf7751f5ed0da4b4021a1245

          SHA256

          6d4161e1ddc6507922433455ab620daf6bd66d44758fa307a5d6e136797890fd

          SHA512

          15ca01e6018fc4e8b01ee4285001a9c3f23789b395b6b2f4dad9ae0d1143165fa05f7e5835f34c231907a0466de8ff64de8ace4fe381aaae74bfe3d60daf53de

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IETldCache\Low\KJrtmDIX3HO\Secur32.dll

          Filesize

          1.7MB

          MD5

          84f9c9fbf14549881f72d7cf6c615974

          SHA1

          67706faf64b6715fc3da96da3fe946f2e77289a4

          SHA256

          c59d50c503c181c0af9fdf19a0e448aa98787aaf70ccb0b811d70ef81301770a

          SHA512

          60be5a635ef6eeb9234398ed2b48b3647844404437a9dd8c616a81d90fad2c3528241042823e297a11479ad0cb0ab6e140599721b180ff6248ed631c1ff75b11

        • \Users\Admin\AppData\Local\PBI\Secur32.dll

          Filesize

          5KB

          MD5

          c0878943b28d02d694d1ce5a86752c5f

          SHA1

          90d1f8ab98c5fa2e7bf12c63d90d4044e0bacafa

          SHA256

          9a77faf54407ae848e9ba95ff85fc2f40ca8cf65e2fefa0e9d9c9c963d3f409d

          SHA512

          1518d9f1eb279d116002a7f297abc6b157ca6fc130764b4450203be9327f24dc055a670e66a150070e1f22c03652c7dc2a8e62c5444c8f8171ad996c9546f41a

        • \Users\Admin\AppData\Local\PBI\msdt.exe

          Filesize

          34KB

          MD5

          ec4e80eebeb4d2726a8961bb67e0885f

          SHA1

          764a9cf67092dc1616b1a01b9fa96c4adb02b1df

          SHA256

          1f1f8a3e54be47828cd04304e4fff7e7e7b6d8d5a75d72911bc6efbddab2b4e6

          SHA512

          5edb21333062ede813d0b0a37013cb77e380ecf7c582966d41fb4496e51ef92d89eb80910e7015a46edffb8cf055e88670749e1bad9349540c4841d9071d98a5

        • \Users\Admin\AppData\Local\riKqWacaW\FXSCOVER.exe

          Filesize

          1KB

          MD5

          c594432d751279e1d640d8706d1ef786

          SHA1

          5f778437dd968356917a8e4e2bf48a8461833568

          SHA256

          babb74b5b305291e95a46b9261da770d5e9713d7ad4dfdc2a491ff8ee6e23c5c

          SHA512

          f31c88a4b00cb1e5372bca0ba3f407fdc9d6366328bbb988198244b27ffd70c6add2ef0c175e87270924ddeda8086fcabf6bfb3a92a6561ef05a302dbee075d8

        • \Users\Admin\AppData\Local\riKqWacaW\MFC42u.dll

          Filesize

          13KB

          MD5

          476cc01f8ea1b82107107322578d665e

          SHA1

          74763e32aa08e3683c663d60075c9c5c95472198

          SHA256

          a246164225437b43336c2bd39aaf26da68bb8f1022a28f9b2268e0521d0ec30f

          SHA512

          04b33a2500c370bcd5b48a7d1d77f8687aaf0a980fb057dc34a7ba267f8bad9fa96116df41b261a15201245a79bfac9100eaf5a9a4f0cceeb5549f144ecc374b

        • \Users\Admin\AppData\Local\ysgckb4kP\WTSAPI32.dll

          Filesize

          45KB

          MD5

          4b0315183eaa630e6e44532fdc09bac9

          SHA1

          78f77533a62ec802aeeb673aee709bc89efcb8d3

          SHA256

          931ad1a4fc76006966a9b8b2d80a1cd4447d5fccf08086343d561f94dede683f

          SHA512

          9163e88d4eb55618fc39b8cc34b87cba0cb60340e9c52d10585b842ecac6a81e7fa39610aae212036df1ffa68f920d315acb030c6e64a2bc5e29c29850c17421

        • \Users\Admin\AppData\Local\ysgckb4kP\rdpinit.exe

          Filesize

          114KB

          MD5

          a6a11c90b70811659e0750bd93902046

          SHA1

          c4fb3c93a3297ec80dccb0f349f0a177e75d5e1c

          SHA256

          6cb0ffbce52e31367d325e6a58b2d5454b824bf5a791f0a597e4421fd597f595

          SHA512

          546f6a6a57f35d0c3d3b691b0eb78c4c4f60124d723ef339bc4da1f88c384f7b604375b4c83dda6c2f244c38ade28357c5a220b271b5a96df2735e50935662cf

        • \Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\awdcnB3Nw\FXSCOVER.exe

          Filesize

          185KB

          MD5

          2f70b2d1e8ba87cc3d27c1b86d2bc550

          SHA1

          a9bb005d93fb9136824ec721ed385a6d1e6f7069

          SHA256

          2aa21e22cccff9419a2fa7a5eaa16319183e0be7633f0482aacae59ada5adf1c

          SHA512

          eae423d85c633a07415fc5dfdfcb333cddcb4fc22ad72cd39c556814c7cd1991aae09e1a697b58540441d3746be4b4b12cde481bfbce7dbce73d01d9dcc717ad
