Analysis

  • max time kernel
    150s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    26-01-2024 21:07

General

  • Target

    7862e1e052ba3eff8d397f0c28d8fea7.dll

  • Size

    3.2MB

  • MD5

    7862e1e052ba3eff8d397f0c28d8fea7

  • SHA1

    9573a33a7a67bda2f5d4a1177397e544efb6d829

  • SHA256

    eeebc052be55ded532fd74517fae12e73ab5054eb3c0d61f000ec87ccb16f526

  • SHA512

    4a37ff3116311eefa256610e65ecff791334baa682cd4a50691be10be630ba095df4beac5ee351f4efddf9c1d850ad0250050fbdab48d7b58fed8e1630b64a3b

  • SSDEEP

    12288:zVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:ifP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Malware Config

Signatures

  • Dridex

    Dridex (known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\7862e1e052ba3eff8d397f0c28d8fea7.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2148
  • C:\Windows\system32\BitLockerWizard.exe
    C:\Windows\system32\BitLockerWizard.exe
    1⤵
      PID:2592
    • C:\Users\Admin\AppData\Local\5oO6A\BitLockerWizard.exe
      C:\Users\Admin\AppData\Local\5oO6A\BitLockerWizard.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2836
    • C:\Windows\system32\Dxpserver.exe
      C:\Windows\system32\Dxpserver.exe
      1⤵
        PID:2124
      • C:\Users\Admin\AppData\Local\1Won\Dxpserver.exe
        C:\Users\Admin\AppData\Local\1Won\Dxpserver.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:1592
      • C:\Windows\system32\BdeUISrv.exe
        C:\Windows\system32\BdeUISrv.exe
        1⤵
          PID:352
        • C:\Users\Admin\AppData\Local\7BlOZIKZQ\BdeUISrv.exe
          C:\Users\Admin\AppData\Local\7BlOZIKZQ\BdeUISrv.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:852

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\1Won\Dxpserver.exe
    Filesize: 102KB
    MD5: e4165935223eb9f9c5b397907c1e0595
    SHA1: 50d56bbf260b02712e8e92cd25ef709fd3da081e
    SHA256: 1edd8f3c7a91a7680d0cf62df6131fa884859c6fd2a54247c70901f6d4d17590
    SHA512: aba97ad66cae4db486d9cce01125abcb5429c028292fa50b9b5392b5a41d3338dd53a14cdb66cca9d1a6e827deddcdaa9e758d1aa104bf0ab9966139c6a04cc9

  • C:\Users\Admin\AppData\Local\1Won\Dxpserver.exe
    Filesize: 77KB
    MD5: 2b1edaf8107605d7415fa0f5f06d9f66
    SHA1: 8f21ec27ff39c1657b47c9106a4c3c210933f2fa
    SHA256: b53a27841f80c0c1e95458b85c4e8d7c92b220fe4d7f176deb91df047afabe61
    SHA512: 4b6a2bec4c747bef6d834b3cffde34b268919bc99de12fb3d1f049d8accafee89728492de73b958be4f2a319df09cb10f0097f8f72aed5c16d115922ee23d4b8

  • C:\Users\Admin\AppData\Local\1Won\XmlLite.dll
    Filesize: 1KB
    MD5: 9b28a659213092756cc1f2198f8e6a26
    SHA1: 0068cdab5b2ebad9d4daaf131d35d9037b39fad2
    SHA256: cad8394684ba0eddf853f259df25229e3a126d1c5b39cd201fa4580861287e41
    SHA512: 178472fb768114a582bcf907373c77c427fe8da05d743de8815b94573f5c43adc71f5c5ebbf51d10db2858f55d4dc67279d0510fefc65b56a17b7cc350dd9902

  • C:\Users\Admin\AppData\Local\5oO6A\BitLockerWizard.exe
    Filesize: 82KB
    MD5: 073db153bae5b2b3a7050f78f5e7d471
    SHA1: f6c99095c0d45c78f06bb1beb0748c92ae71c96c
    SHA256: 2a36e1806831e7aa271fe4bd2db70e05514e8fd7ade367b0bb6b39f82f0541fa
    SHA512: d636148ddc2ad11a718d21b45d2cb272b4ed02bdc75c73f66de36a5cbb4396419c2bee843427d961cb529f4a144083c1bcd40ac3560912b8e9826e0416ac4ba3

  • C:\Users\Admin\AppData\Local\5oO6A\FVEWIZ.dll
    Filesize: 107KB
    MD5: 8049ad0673ced4b79ef37fafeadd62b9
    SHA1: b6d5a7bc0ff3a86f09595920772a708adedf500e
    SHA256: 196e7d8c200f2ee30822206c6d4ee1e7dcefe35ed71e475285a959410a6c93f4
    SHA512: 47875e78b297250c7c317d9c5457320d725887f9659ee71262ecc444abcdd52d91f982f72ea8fb64d9e7aedd83d6aaf194bd7576c94db8d5677f715420bb84d2

  • C:\Users\Admin\AppData\Local\7BlOZIKZQ\BdeUISrv.exe
    Filesize: 47KB
    MD5: 1da6b19be5d4949c868a264bc5e74206
    SHA1: d5ee86ba03a03ef8c93d93accafe40461084c839
    SHA256: 00330a0e0eb1dbb6ee84997963f8e15c7c15c1df787f1c7f109609d7b31bd35c
    SHA512: 9cee858c55eb0852e5bad53a675a094ae591b46b07afe9fb4224cac32e0be577fe36c1ed3e9f6bda4d4eb0c924a773d00e3181cd97f07e24c6c68c70f2b002c6

  • C:\Users\Admin\AppData\Local\7BlOZIKZQ\WTSAPI32.dll
    Filesize: 8KB
    MD5: 2499bf64d14e18319ef4749b09580944
    SHA1: 767f4f9ea1f35a4fac92a6b3ebe223cd43d0c744
    SHA256: ed4ab74ab2e849db654fa5d6352660ef47b0c0eda65359d4c21d92f811a0534b
    SHA512: 7b9bc313471a90af84830498d84b0099d8efdf261a2600d93b51a2845aabb1c9b40de064d6272aa3684c791eca9a5a21cd7cec0bd12cc547624e17091324486d

  • C:\Users\Admin\AppData\Roaming\Adobe\uwQbZHtAXrL\BdeUISrv.exe
    Filesize: 12KB
    MD5: c77a92b7d55eee4ae5655151c89df3cb
    SHA1: 8e5dda6e253dd439aa87074084c55765e88c59ad
    SHA256: e1af3310c6d80ff1727533e68efd376561383da97b3a25b36778eef0682b3926
    SHA512: 87248d69e67e8969ad9b03ec0896008282b6f728e5fdc62cd915cd76b49503073ca259374378b8b853fd43ad339f5045ec7912bb77d97c607d37428685d7cfea

  • C:\Users\Admin\AppData\Roaming\Adobe\uwQbZHtAXrL\WTSAPI32.dll
    Filesize: 85KB
    MD5: 1ed890b1b59a34b2f7b0d1def632f0f2
    SHA1: 57643de0db54d246704e2454d53857b4e1d67c8b
    SHA256: 8301cf6dbc0a70a61574840634138a5e2f315fa2aeb1cc9daabde804ac554867
    SHA512: a8ca9440727b75300f3c044112de9c0563c3fdba3581bf1542364503bef0ed30327eedc1950b0289ab3f24ab2157e6624c2f58a12062ff0c333b96a1db393993

  • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Tiizeasb.lnk
    Filesize: 921B
    MD5: 891d0a656623fec5cbd314f8ec60205c
    SHA1: 43fe8401efc44e8d5a81b225b779da7f2096d229
    SHA256: d0efe1ed3c666fa2003cd8317152a1b1dc0d27ea94f55500416436d836dc91c4
    SHA512: 72d6d56e7d60d19c84b381a53cb71cacf32d2d97ec75aa308bba0dbaf5af038a10b99ad588b7c3ebf0cf76622bd812bf27b876bb87d8ae50974bee18a8f0dd9b

  • C:\Users\Admin\AppData\Roaming\Media Center Programs\2U3XxLT8Ppv\BitLockerWizard.exe
    Filesize: 22KB
    MD5: 7ba362ee62f16d95647f31bd24024ee9
    SHA1: 11ba01a5ded8785f799a40405427ca75e61bd915
    SHA256: 9c94f6ad83b434f6044de4170b489615a3f3d0f948d07d253eb3ef29a2b82089
    SHA512: df0121d8401bca0cd9d14946b65fb8bc997fc6fb921946880bafc6499d2a854e12d7d81bbfd1900739244836c1f55956f9f91ebfc5b82e0439ccc7e943de744e

  • C:\Users\Admin\AppData\Roaming\Media Center Programs\2U3XxLT8Ppv\FVEWIZ.dll
    Filesize: 122KB
    MD5: 1c2c412fd4ad1fbda29353c7ef18d5d3
    SHA1: 08bbee40eb64aa30f44ed226dc6693e8cadb8b75
    SHA256: 9c608e33a49fbe159339db77ed18478bc8149292cd85ceb3758dc179e24a0bf2
    SHA512: cb2b34930d61db10f0b0770b87fe5172619be674ecd6cacea2ae0f5b6a7a474f1d683fe3bb407228d5d9d7774f0956f47664f8717368acf194c2aa8b271ae724

  • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3601492379-692465709-652514833-1000\At\XmlLite.dll
    Filesize: 82KB
    MD5: baecfd9987810c756559d3bc30d83561
    SHA1: 691849987d60ace40fb6fc8dc73797a2058484c3
    SHA256: 1ef5358a14e6185b2b1544fd14bea834c2a61a5dea52c02c9c0c402f303f0ffd
    SHA512: caf7a0329f28e1064bdbafc3ce0c8d06f96f8922fb74f1c0d47473b8fbb4b54a2674041ec011a6e59aec536946824cfa9c432366bc8d73a6f420b2ea74fa64ac

  • \Users\Admin\AppData\Local\1Won\Dxpserver.exe
    Filesize: 27KB
    MD5: 7a3edfc7845e3a6c7c53918d23a95ce5
    SHA1: 52136ab9e16760edb8eac4cb87e421f3b99e7898
    SHA256: d6113c195770228d9a918bf75b4c7879be57bfc0fbc126c486c3bbb459ac894b
    SHA512: bdc606cd4d5310162371a6c6a9e2cb8f8b1df98edb4f8e20f90fa697f6fdfb24e56d343083e2570ed450a469fa78d3744cfaad2ad180ecee484daa8eaa6c7c88

  • \Users\Admin\AppData\Local\1Won\XmlLite.dll
    MD5: d41d8cd98f00b204e9800998ecf8427e
    SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
    SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
    SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

  • \Users\Admin\AppData\Local\5oO6A\BitLockerWizard.exe
    Filesize: 98KB
    MD5: 08a761595ad21d152db2417d6fdb239a
    SHA1: d84c1bc2e8c9afce9fb79916df9bca169f93a936
    SHA256: ec0b9e5f29a43f9db44fa76b85701058f26776ab974044c1d4741591b74d0620
    SHA512: 8b07828e9c0edf09277f89294b8e1a54816f6f3d1fe132b3eb70370b81feb82d056ec31566793bd6f451725f79c3b4aeedb15a83216115e00943e0c19cab37c9

  • \Users\Admin\AppData\Local\5oO6A\FVEWIZ.dll
    Filesize: 130KB
    MD5: f247e96a8024d1bc14b5248da46619a0
    SHA1: 721b7bf7fd4585bbdb115f2e873e2d7b14416739
    SHA256: d6ae40fa5e9ebf5589830719cffbf79a63b7ee80c5173e183548ada25c76bde5
    SHA512: 2cccb211d1e619ea8fd91c9fdc97e594b34281aa4f9431e99c2f14027195413fc122016fd490ee2b63c97540e579c904ab4172049367b16b7cd3ca109ab93be4

  • memory/852-142-0x0000000000200000-0x0000000000207000-memory.dmp (Filesize: 28KB)
  • memory/1180-42-0x0000000140000000-0x0000000140333000-memory.dmp (Filesize: 3.2MB)
  • memory/1180-27-0x0000000140000000-0x0000000140333000-memory.dmp (Filesize: 3.2MB)
  • memory/1180-68-0x0000000002630000-0x0000000002637000-memory.dmp (Filesize: 28KB)
  • memory/1180-63-0x0000000140000000-0x0000000140333000-memory.dmp (Filesize: 3.2MB)
  • memory/1180-62-0x0000000140000000-0x0000000140333000-memory.dmp (Filesize: 3.2MB)
  • memory/1180-60-0x0000000140000000-0x0000000140333000-memory.dmp (Filesize: 3.2MB)
  • memory/1180-77-0x00000000770E0000-0x00000000770E2000-memory.dmp (Filesize: 8KB)
  • memory/1180-76-0x0000000076F81000-0x0000000076F82000-memory.dmp (Filesize: 4KB)
  • memory/1180-58-0x0000000140000000-0x0000000140333000-memory.dmp (Filesize: 3.2MB)
  • memory/1180-57-0x0000000140000000-0x0000000140333000-memory.dmp (Filesize: 3.2MB)
  • memory/1180-55-0x0000000140000000-0x0000000140333000-memory.dmp (Filesize: 3.2MB)
  • memory/1180-54-0x0000000140000000-0x0000000140333000-memory.dmp (Filesize: 3.2MB)
  • memory/1180-52-0x0000000140000000-0x0000000140333000-memory.dmp (Filesize: 3.2MB)
  • memory/1180-50-0x0000000140000000-0x0000000140333000-memory.dmp (Filesize: 3.2MB)
  • memory/1180-49-0x0000000140000000-0x0000000140333000-memory.dmp (Filesize: 3.2MB)
  • memory/1180-47-0x0000000140000000-0x0000000140333000-memory.dmp (Filesize: 3.2MB)
  • memory/1180-46-0x0000000140000000-0x0000000140333000-memory.dmp (Filesize: 3.2MB)
  • memory/1180-45-0x0000000140000000-0x0000000140333000-memory.dmp (Filesize: 3.2MB)
  • memory/1180-44-0x0000000140000000-0x0000000140333000-memory.dmp (Filesize: 3.2MB)
  • memory/1180-4-0x0000000076D76000-0x0000000076D77000-memory.dmp (Filesize: 4KB)
  • memory/1180-64-0x0000000140000000-0x0000000140333000-memory.dmp (Filesize: 3.2MB)
  • memory/1180-61-0x0000000140000000-0x0000000140333000-memory.dmp (Filesize: 3.2MB)
  • memory/1180-59-0x0000000140000000-0x0000000140333000-memory.dmp (Filesize: 3.2MB)
  • memory/1180-56-0x0000000140000000-0x0000000140333000-memory.dmp (Filesize: 3.2MB)
  • memory/1180-11-0x0000000140000000-0x0000000140333000-memory.dmp (Filesize: 3.2MB)
  • memory/1180-40-0x0000000140000000-0x0000000140333000-memory.dmp (Filesize: 3.2MB)
  • memory/1180-39-0x0000000140000000-0x0000000140333000-memory.dmp (Filesize: 3.2MB)
  • memory/1180-38-0x0000000140000000-0x0000000140333000-memory.dmp (Filesize: 3.2MB)
  • memory/1180-36-0x0000000140000000-0x0000000140333000-memory.dmp (Filesize: 3.2MB)
  • memory/1180-34-0x0000000140000000-0x0000000140333000-memory.dmp (Filesize: 3.2MB)
  • memory/1180-33-0x0000000140000000-0x0000000140333000-memory.dmp (Filesize: 3.2MB)
  • memory/1180-32-0x0000000140000000-0x0000000140333000-memory.dmp (Filesize: 3.2MB)
  • memory/1180-31-0x0000000140000000-0x0000000140333000-memory.dmp (Filesize: 3.2MB)
  • memory/1180-30-0x0000000140000000-0x0000000140333000-memory.dmp (Filesize: 3.2MB)
  • memory/1180-29-0x0000000140000000-0x0000000140333000-memory.dmp (Filesize: 3.2MB)
  • memory/1180-65-0x0000000140000000-0x0000000140333000-memory.dmp (Filesize: 3.2MB)
  • memory/1180-26-0x0000000140000000-0x0000000140333000-memory.dmp (Filesize: 3.2MB)
  • memory/1180-25-0x0000000140000000-0x0000000140333000-memory.dmp (Filesize: 3.2MB)
  • memory/1180-23-0x0000000140000000-0x0000000140333000-memory.dmp (Filesize: 3.2MB)
  • memory/1180-22-0x0000000140000000-0x0000000140333000-memory.dmp (Filesize: 3.2MB)
  • memory/1180-20-0x0000000140000000-0x0000000140333000-memory.dmp (Filesize: 3.2MB)
  • memory/1180-19-0x0000000140000000-0x0000000140333000-memory.dmp (Filesize: 3.2MB)
  • memory/1180-18-0x0000000140000000-0x0000000140333000-memory.dmp (Filesize: 3.2MB)
  • memory/1180-16-0x0000000140000000-0x0000000140333000-memory.dmp (Filesize: 3.2MB)
  • memory/1180-15-0x0000000140000000-0x0000000140333000-memory.dmp (Filesize: 3.2MB)
  • memory/1180-14-0x0000000140000000-0x0000000140333000-memory.dmp (Filesize: 3.2MB)
  • memory/1180-53-0x0000000140000000-0x0000000140333000-memory.dmp (Filesize: 3.2MB)
  • memory/1180-13-0x0000000140000000-0x0000000140333000-memory.dmp (Filesize: 3.2MB)
  • memory/1180-51-0x0000000140000000-0x0000000140333000-memory.dmp (Filesize: 3.2MB)
  • memory/1180-48-0x0000000140000000-0x0000000140333000-memory.dmp (Filesize: 3.2MB)
  • memory/1180-17-0x0000000140000000-0x0000000140333000-memory.dmp (Filesize: 3.2MB)
  • memory/1180-43-0x0000000140000000-0x0000000140333000-memory.dmp (Filesize: 3.2MB)
  • memory/1180-41-0x0000000140000000-0x0000000140333000-memory.dmp (Filesize: 3.2MB)
  • memory/1180-12-0x0000000140000000-0x0000000140333000-memory.dmp (Filesize: 3.2MB)
  • memory/1180-37-0x0000000140000000-0x0000000140333000-memory.dmp (Filesize: 3.2MB)
  • memory/1180-10-0x0000000140000000-0x0000000140333000-memory.dmp (Filesize: 3.2MB)
  • memory/1180-9-0x0000000140000000-0x0000000140333000-memory.dmp (Filesize: 3.2MB)
  • memory/1180-161-0x0000000076D76000-0x0000000076D77000-memory.dmp (Filesize: 4KB)
  • memory/1180-7-0x0000000140000000-0x0000000140333000-memory.dmp (Filesize: 3.2MB)
  • memory/1180-5-0x0000000002650000-0x0000000002651000-memory.dmp (Filesize: 4KB)
  • memory/1180-35-0x0000000140000000-0x0000000140333000-memory.dmp (Filesize: 3.2MB)
  • memory/1180-28-0x0000000140000000-0x0000000140333000-memory.dmp (Filesize: 3.2MB)
  • memory/1180-24-0x0000000140000000-0x0000000140333000-memory.dmp (Filesize: 3.2MB)
  • memory/1180-21-0x0000000140000000-0x0000000140333000-memory.dmp (Filesize: 3.2MB)
  • memory/1592-123-0x0000000000330000-0x0000000000337000-memory.dmp (Filesize: 28KB)
  • memory/2148-8-0x0000000140000000-0x0000000140333000-memory.dmp (Filesize: 3.2MB)
  • memory/2148-2-0x00000000002A0000-0x00000000002A7000-memory.dmp (Filesize: 28KB)
  • memory/2148-0-0x0000000140000000-0x0000000140333000-memory.dmp (Filesize: 3.2MB)
  • memory/2836-104-0x0000000000280000-0x0000000000287000-memory.dmp (Filesize: 28KB)