Analysis

  • max time kernel
    150s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    26-01-2024 21:17

General

  • Target

    786915fd97a5568543a2c219b4116abf.dll

  • Size

    1.4MB

  • MD5

    786915fd97a5568543a2c219b4116abf

  • SHA1

    4c76633b4440df5c58a8e835001c8921a5171cd0

  • SHA256

    a4c35298a6852c3e1ebec89e8d2c739c9dafe977cd2931af02f46f8d640dabe0

  • SHA512

    4c78d00677052e2cc189862f72ef6a8acc490fadba92e157292b0af022a437f685794617a3b462d59feb18178f1234019e503b23087cba4d3f3d2e1fa61b47ea

  • SSDEEP

    12288:yVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:vfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Malware Config

Signatures

  • Dridex

    Dridex (known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\786915fd97a5568543a2c219b4116abf.dll
    • Suspicious behavior: EnumeratesProcesses
    PID:3016
  • C:\Windows\system32\mstsc.exe
    C:\Windows\system32\mstsc.exe
    PID:2584
    • C:\Users\Admin\AppData\Local\DV2\mstsc.exe
      C:\Users\Admin\AppData\Local\DV2\mstsc.exe
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2640
    • C:\Windows\system32\OptionalFeatures.exe
      C:\Windows\system32\OptionalFeatures.exe
      PID:2880
      • C:\Users\Admin\AppData\Local\92WiHl\OptionalFeatures.exe
        C:\Users\Admin\AppData\Local\92WiHl\OptionalFeatures.exe
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2848
      • C:\Windows\system32\msinfo32.exe
        C:\Windows\system32\msinfo32.exe
        PID:3020
        • C:\Users\Admin\AppData\Local\5DT4\msinfo32.exe
          C:\Users\Admin\AppData\Local\5DT4\msinfo32.exe
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:544

Network

MITRE ATT&CK Enterprise v15

Downloads

        • C:\Users\Admin\AppData\Local\5DT4\MFC42u.dll

          Filesize

          1.4MB

          MD5

          355362be283e498f71083411070a1fb0

          SHA1

          296ee323103fc25e2d15e5f250bd63837f081be9

          SHA256

          18c12b151413fad471e730cf0078d1d8750105461c4504e7f19e73ad39a7390f

          SHA512

          271120bbb2e2f517e41af676c01551779740c39a013c70e5723bf2fd0f9785a83c29946b51dfc29e9e9391dec9b8cc1d38d32be75eb11f605adc5194a9d6f78a

        • C:\Users\Admin\AppData\Local\92WiHl\appwiz.cpl

          Filesize

          732KB

          MD5

          b2ae57d46c51e5ec79907bd2ad1b6536

          SHA1

          54f93a5aa0fe922d3f52280c49ca4edd5a443895

          SHA256

          571108b440b6b1da394fcdad94ea78759e932240c754d7dd8ffb0168b0ee3209

          SHA512

          c4c45b1cc91704dad8cefa9ce22a0a4343d8e911b3e1de1cc6841365767f2ef9f51601ea9913036ad62ce790e133561a92e1b269282250e176d1a2bda16bac6c

        • C:\Users\Admin\AppData\Local\DV2\credui.dll

          Filesize

          256KB

          MD5

          ea5698226420f430a006eb5b952c8c20

          SHA1

          1154f1a1db16d0c747d628b1fd9de82176fdb76b

          SHA256

          62654eb11d50b303da9977bb7cf78328a9266f37e282aaefc523d7be94b0642d

          SHA512

          97c00d276bd1dc6d6b9b541d18510d55c02ddb21d122c159feee061bd0da3b779d76264f23de9a7f7e59e2d51f2ce560c3ad3f161d9091e98cc38b6485302361

        • C:\Users\Admin\AppData\Local\DV2\mstsc.exe

          Filesize

          325KB

          MD5

          be4f3322feaed27ae5a582697e4d33e5

          SHA1

          5ef95ffba3e9803327cf49366cd5cb5d850ba7c7

          SHA256

          e454baa0a9682dec8a8ac84ca86b2c0c4aa65efbb0b5bd6dd27e0aa694743fca

          SHA512

          ef079c4fe6f0061ee00f4a69ea25e304edfbfae0a74b6761e9690abcd2bbfb2df66e12fe74cc16f972841d077c1932260986be26c7cf73c6ff9c3bffddefc35a

        • C:\Users\Admin\AppData\Local\DV2\mstsc.exe

          Filesize

          331KB

          MD5

          e66090e446fd6b7bc5bee16ccc7f367a

          SHA1

          9c2a10f5e6b1ca9575aa0574a76bc8b1c18c49dd

          SHA256

          15c893034cb79fff6e920bfd15b4ace43cb05b031d326355dbaffec17c271da2

          SHA512

          0b84b727b7219bf2d5bd58bcce56a7867043181174a7de03e66367f1a6aa8f94cf3582a537d5ad195f9b59b23f14305d56134eff35849989e5c26bcc7418cc9a

        • C:\Users\Admin\AppData\Roaming\Adobe\Flash Player\NativeCache\MZ6UDikstQN\credui.dll

          Filesize

          1.4MB

          MD5

          8e18160955028aa6e2ffb55e6e463e02

          SHA1

          5691dedeea2968a153e67e327e2eeae59a003ef3

          SHA256

          cf9b4080a333825697bdd52895789baddae7ec3ebc170716a10995c6bae52c02

          SHA512

          74725d9c956a5f69fbc7d1c7076cc085ce5a16163e832fe04e28e6347234c2240743d783749395840a94216bada625ec3007ff9efc023ec35acffd1cd4c23424

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Efrsxj.lnk

          Filesize

          1KB

          MD5

          5340f66ebb69ebd062f232123ad92055

          SHA1

          61ff1612bd7f01b64f7c775a64b02002039ff139

          SHA256

          e80537ac58e440c7658d23661dc55076baf42ab8adf17712621439ded9257194

          SHA512

          4d41564bb7a5c2df2946911fb30fe48d74613d24980f12a0a0bf0c94d8f765b7d732805e5e2832da321e550f410bf20658942c24556ecd8aa93eda937678c55c

        • C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\RBpPDAEJq\appwiz.cpl

          Filesize

          1.4MB

          MD5

          8f8719e64180283621870ffb7334b5b7

          SHA1

          d21df765cfcfd41c64a2e605bc158669c60caae2

          SHA256

          1671ef6833cc12c0eea3e45beb7ed411e57886770f8e1a92ed8109f5b9825742

          SHA512

          10e2f3d309e2824ba4022f11213a602daa4e565af24d5b496d2783fcb26533d884b6751e047da368f08223b19a7b832271fcf93843909ca042d8163cfb8be826

        • \Users\Admin\AppData\Local\5DT4\msinfo32.exe

          Filesize

          370KB

          MD5

          d291620d4c51c5f5ffa62ccdc52c5c13

          SHA1

          2081c97f15b1c2a2eadce366baf3c510da553cc7

          SHA256

          76e959dd7db31726c040d46cfa86b681479967aea36db5f625e80bd36422e8ae

          SHA512

          75f9bcce4c596dae1f4d78e13d9d53b0c31988d2170c3d9f5db352b8c8a1c8ca58f4a002b30a4b328b8f4769008b750b8a1c9fda44a582e11c3adc38345c334b

        • \Users\Admin\AppData\Local\92WiHl\OptionalFeatures.exe

          Filesize

          95KB

          MD5

          eae7af6084667c8f05412ddf096167fc

          SHA1

          0dbe8aba001447030e48e8ad5466fd23481e6140

          SHA256

          01feebd3aca961f31ba4eac45347b105d1c5772627b08f5538047721b61ff9bc

          SHA512

          172a8accaa35a6c9f86713a330c5899dfeeffe3b43413a3d276fc16d45cd62ed9237aa6bff29cc60a2022fba8dcc156959723c041df4b7463436a3bdabef2a9d

        • \Users\Admin\AppData\Local\92WiHl\appwiz.cpl

          Filesize

          814KB

          MD5

          839b013c01c825d2666a31a40b399798

          SHA1

          30961b25377ba427b511e3bac5ee60f0d23fb35c

          SHA256

          1fe3840d6d15a2655f5f7d85e0d265b0933c22553fbe813794feb0633b9580ee

          SHA512

          15c67bd569aa1c596c897f0b6fa951ab4e659317cbd07ce986f138c5d298f3929ccdda7bd2069bbf5766f6ae02e37a3c2677f1da42f54e0d7e3d5d543ca112c2

        • \Users\Admin\AppData\Local\DV2\credui.dll

          Filesize

          227KB

          MD5

          23a1d2165ccab4e449a37ccae26261df

          SHA1

          866ef28cc5d19d832a771944b89cbf515d0f4dc5

          SHA256

          7c5b4878ede5a2f895e8d1fe240f8eaba79d7126c3b5ef15ff8423512ad7aafd

          SHA512

          f93743bf84e13be09589283fd18de9761735322261234b3b87ad1919c2b1e1ade65adcde034637c3a04c6189b14496f033949e26e3fb4a8bc78f7a92397dc177

        • \Users\Admin\AppData\Local\DV2\mstsc.exe

          Filesize

          410KB

          MD5

          fbbbb1d192fdadb3c4016f55ecba6a7c

          SHA1

          0bf9174fec44c3887543edb46f0213aea56709cc

          SHA256

          f83e8a61cbc1be22a281e8b8e2222b3fd1f48969f4918f1533ef780b42d2accf

          SHA512

          1ae072fbd7d291e78658ffead31839ce9bb95709925208403058a00994ebb598f36447642e7c2f768657b0d6410810c1d78df582ceb1af0291a6c70e4bff596a

        • memory/544-105-0x0000000001B40000-0x0000000001B47000-memory.dmp

          Filesize

          28KB

        • memory/544-111-0x0000000140000000-0x000000014016E000-memory.dmp

          Filesize

          1.4MB

        • memory/544-106-0x0000000140000000-0x000000014016E000-memory.dmp

          Filesize

          1.4MB

        • memory/1284-30-0x0000000140000000-0x0000000140167000-memory.dmp

          Filesize

          1.4MB

        • memory/1284-61-0x0000000140000000-0x0000000140167000-memory.dmp

          Filesize

          1.4MB

        • memory/1284-33-0x0000000140000000-0x0000000140167000-memory.dmp

          Filesize

          1.4MB

        • memory/1284-32-0x0000000140000000-0x0000000140167000-memory.dmp

          Filesize

          1.4MB

        • memory/1284-29-0x0000000140000000-0x0000000140167000-memory.dmp

          Filesize

          1.4MB

        • memory/1284-24-0x0000000140000000-0x0000000140167000-memory.dmp

          Filesize

          1.4MB

        • memory/1284-41-0x0000000140000000-0x0000000140167000-memory.dmp

          Filesize

          1.4MB

        • memory/1284-42-0x00000000778B1000-0x00000000778B2000-memory.dmp

          Filesize

          4KB

        • memory/1284-43-0x0000000077A10000-0x0000000077A12000-memory.dmp

          Filesize

          8KB

        • memory/1284-22-0x0000000140000000-0x0000000140167000-memory.dmp

          Filesize

          1.4MB

        • memory/1284-20-0x0000000140000000-0x0000000140167000-memory.dmp

          Filesize

          1.4MB

        • memory/1284-21-0x0000000140000000-0x0000000140167000-memory.dmp

          Filesize

          1.4MB

        • memory/1284-18-0x0000000140000000-0x0000000140167000-memory.dmp

          Filesize

          1.4MB

        • memory/1284-15-0x0000000140000000-0x0000000140167000-memory.dmp

          Filesize

          1.4MB

        • memory/1284-14-0x0000000140000000-0x0000000140167000-memory.dmp

          Filesize

          1.4MB

        • memory/1284-11-0x0000000140000000-0x0000000140167000-memory.dmp

          Filesize

          1.4MB

        • memory/1284-9-0x0000000140000000-0x0000000140167000-memory.dmp

          Filesize

          1.4MB

        • memory/1284-10-0x0000000140000000-0x0000000140167000-memory.dmp

          Filesize

          1.4MB

        • memory/1284-52-0x0000000140000000-0x0000000140167000-memory.dmp

          Filesize

          1.4MB

        • memory/1284-4-0x00000000777A6000-0x00000000777A7000-memory.dmp

          Filesize

          4KB

        • memory/1284-56-0x0000000140000000-0x0000000140167000-memory.dmp

          Filesize

          1.4MB

        • memory/1284-34-0x0000000002970000-0x0000000002977000-memory.dmp

          Filesize

          28KB

        • memory/1284-31-0x0000000140000000-0x0000000140167000-memory.dmp

          Filesize

          1.4MB

        • memory/1284-130-0x00000000777A6000-0x00000000777A7000-memory.dmp

          Filesize

          4KB

        • memory/1284-28-0x0000000140000000-0x0000000140167000-memory.dmp

          Filesize

          1.4MB

        • memory/1284-5-0x0000000002990000-0x0000000002991000-memory.dmp

          Filesize

          4KB

        • memory/1284-25-0x0000000140000000-0x0000000140167000-memory.dmp

          Filesize

          1.4MB

        • memory/1284-7-0x0000000140000000-0x0000000140167000-memory.dmp

          Filesize

          1.4MB

        • memory/1284-12-0x0000000140000000-0x0000000140167000-memory.dmp

          Filesize

          1.4MB

        • memory/1284-26-0x0000000140000000-0x0000000140167000-memory.dmp

          Filesize

          1.4MB

        • memory/1284-27-0x0000000140000000-0x0000000140167000-memory.dmp

          Filesize

          1.4MB

        • memory/1284-23-0x0000000140000000-0x0000000140167000-memory.dmp

          Filesize

          1.4MB

        • memory/1284-13-0x0000000140000000-0x0000000140167000-memory.dmp

          Filesize

          1.4MB

        • memory/1284-16-0x0000000140000000-0x0000000140167000-memory.dmp

          Filesize

          1.4MB

        • memory/1284-17-0x0000000140000000-0x0000000140167000-memory.dmp

          Filesize

          1.4MB

        • memory/1284-19-0x0000000140000000-0x0000000140167000-memory.dmp

          Filesize

          1.4MB

        • memory/2640-75-0x0000000140000000-0x0000000140168000-memory.dmp

          Filesize

          1.4MB

        • memory/2640-72-0x00000000001B0000-0x00000000001B7000-memory.dmp

          Filesize

          28KB

        • memory/2640-70-0x0000000140000000-0x0000000140168000-memory.dmp

          Filesize

          1.4MB

        • memory/2848-93-0x0000000140000000-0x0000000140168000-memory.dmp

          Filesize

          1.4MB

        • memory/2848-88-0x00000000000F0000-0x00000000000F7000-memory.dmp

          Filesize

          28KB

        • memory/3016-0-0x00000000001A0000-0x00000000001A7000-memory.dmp

          Filesize

          28KB

        • memory/3016-8-0x0000000140000000-0x0000000140167000-memory.dmp

          Filesize

          1.4MB

        • memory/3016-1-0x0000000140000000-0x0000000140167000-memory.dmp

          Filesize

          1.4MB