Analysis

  • max time kernel
    150s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    27-01-2024 05:36

General

  • Target

    7968f591e01c7a4a04d2d9c53d667082.dll

  • Size

    1.9MB

  • MD5

    7968f591e01c7a4a04d2d9c53d667082

  • SHA1

    d360ace519351b3109e26800067532b2d26ee952

  • SHA256

    00a23ef486863b29a272d8b4405e375fefa0a629927a9bccd0434886b02c5cdd

  • SHA512

    261007611f113167d1e3a8c9fc1d7e6867fcb82ec8c1bf0c82f5ae6d17de7abf8807834c4d6d68720ed83c6fca428d0400ca4e86119cfe80fe1315b3cb1f29cc

  • SSDEEP

    12288:3VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1V:+fP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\7968f591e01c7a4a04d2d9c53d667082.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2912
  • C:\Users\Admin\AppData\Local\SYi\taskmgr.exe
    C:\Users\Admin\AppData\Local\SYi\taskmgr.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:1312
  • C:\Windows\system32\taskmgr.exe
    C:\Windows\system32\taskmgr.exe
    1⤵
      PID:3008
    • C:\Windows\system32\iexpress.exe
      C:\Windows\system32\iexpress.exe
      1⤵
        PID:1912
      • C:\Users\Admin\AppData\Local\pQ6\iexpress.exe
        C:\Users\Admin\AppData\Local\pQ6\iexpress.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:1016
      • C:\Windows\system32\msra.exe
        C:\Windows\system32\msra.exe
        1⤵
          PID:2824
        • C:\Users\Admin\AppData\Local\3KDM3e\msra.exe
          C:\Users\Admin\AppData\Local\3KDM3e\msra.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2872

        Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\3KDM3e\msra.exe

          Filesize

          636KB

          MD5

          e79df53bad587e24b3cf965a5746c7b6

          SHA1

          87a97ec159a3fc1db211f3c2c62e4d60810e7a70

          SHA256

          4e7c22648acf664ab13dfeb2dc062ae90af1e6c621186981f395fb279bbc9b9d

          SHA512

          9a329c39ce0bc5aede01e96c4190cc7ccd17729fbc3a2b6df73057be8efaa3fa92cfef6e26a25bde6f7f94f64f6d6d0e4c5459aef2aead367e43178dd275acfb

        • C:\Users\Admin\AppData\Local\SYi\Secur32.dll

          Filesize

          1.9MB

          MD5

          dba2f56fdeaa3e8ce90ee1d3649276e9

          SHA1

          fdd7e1b898f24809bae38cac86cad107e3315cd2

          SHA256

          45c35b6aab5ff252316fd9d80612b10b1dd78f53e21391425f4f5648ffc69b1e

          SHA512

          b9274a460706582660b3eceaef75e8a0751709fceef16671bcdd4156566bba3fd8cd335ba1c83e40ee884baf1a92cca29acf48f74177bbcf58c57c5b866e1ca5

        • C:\Users\Admin\AppData\Local\pQ6\VERSION.dll

          Filesize

          1.9MB

          MD5

          fda59afd0c6e113db719a9c4bc13a6ec

          SHA1

          b69a6f1dcf4782c6dda468fde6773732f77e8581

          SHA256

          ea26732655b9ed19b15a521cf7055d0d40a8d9035352a5a8976bcbee02d822bd

          SHA512

          bc9e6d088e0f56ca5b901f30b6dba01baba675b4f9211c5a3bc4f9c58a9f2ea87acd6707b547e1cd150bbddf5a2a5052f93428b9692a57c3926ac612669b3d3f

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ercyejwqgvsruoy.lnk

          Filesize

          1KB

          MD5

          65f1b19c148965d66854fb7ec54500ed

          SHA1

          1a90aa720cb26b3eca6e19b91d695d8aec649bf0

          SHA256

          5c2f71c06ed379a1260b5bb651b03f8273edde631bc7c8883843a00740016219

          SHA512

          8e6208e7565fb824c43790d251f6d1755886ba052d30c53c24a0ca55fe694f20248d13e431210ec9c6d2dc40dc73fe2e03bd030607f4a4b617c56a194704e74b

        • \Users\Admin\AppData\Local\3KDM3e\UxTheme.dll

          Filesize

          1.9MB

          MD5

          2275127c227c413afe1b173506c828b9

          SHA1

          978e60d9cd6c4a890f9a77f9227f25858698d439

          SHA256

          a59e45b77d467938dc20568fa55398c245322253d29e85b798fc572814a2ed7b

          SHA512

          01ba3a5bbdee791f496514fe23a294bcea3efc1b4e27dd7beba44568f199aec7f18b0e5a619d05a86305f5395b7b98d93e1778af1f43c562cafa13f288cb00cb

        • \Users\Admin\AppData\Local\SYi\taskmgr.exe

          Filesize

          251KB

          MD5

          09f7401d56f2393c6ca534ff0241a590

          SHA1

          e8b4d84a28e5ea17272416ec45726964fdf25883

          SHA256

          6766717b8afafe46b5fd66c7082ccce6b382cbea982c73cb651e35dc8187ace1

          SHA512

          7187a27cd32c1b295c74e36e1b6148a31d602962448b18395a44a721d17daa7271d0cd198edb2ed05ace439746517ffb1bcc11c7f682e09b025c950ea7b83192

        • \Users\Admin\AppData\Local\pQ6\iexpress.exe

          Filesize

          163KB

          MD5

          46fd16f9b1924a2ea8cd5c6716cc654f

          SHA1

          99284bc91cf829e9602b4b95811c1d72977700b6

          SHA256

          9f993a1f6a133fa8375eab99bf1710471dd13ef177ef713acf8921fb4ff565a3

          SHA512

          52c91043f514f3f8ce07f8e60357786eb7236fcf6cdcccca0dd76000b9a23d6b138cebcdec53b01823cb2313ec850fc7bece326ec01d44ed33f4052b789b7629

        • memory/1016-93-0x0000000140000000-0x00000001401F2000-memory.dmp

          Filesize

          1.9MB

        • memory/1016-88-0x0000000000180000-0x0000000000187000-memory.dmp

          Filesize

          28KB

        • memory/1260-33-0x0000000001D40000-0x0000000001D47000-memory.dmp

          Filesize

          28KB

        • memory/1260-41-0x00000000777B1000-0x00000000777B2000-memory.dmp

          Filesize

          4KB

        • memory/1260-13-0x0000000140000000-0x00000001401F1000-memory.dmp

          Filesize

          1.9MB

        • memory/1260-23-0x0000000140000000-0x00000001401F1000-memory.dmp

          Filesize

          1.9MB

        • memory/1260-24-0x0000000140000000-0x00000001401F1000-memory.dmp

          Filesize

          1.9MB

        • memory/1260-22-0x0000000140000000-0x00000001401F1000-memory.dmp

          Filesize

          1.9MB

        • memory/1260-21-0x0000000140000000-0x00000001401F1000-memory.dmp

          Filesize

          1.9MB

        • memory/1260-20-0x0000000140000000-0x00000001401F1000-memory.dmp

          Filesize

          1.9MB

        • memory/1260-19-0x0000000140000000-0x00000001401F1000-memory.dmp

          Filesize

          1.9MB

        • memory/1260-18-0x0000000140000000-0x00000001401F1000-memory.dmp

          Filesize

          1.9MB

        • memory/1260-25-0x0000000140000000-0x00000001401F1000-memory.dmp

          Filesize

          1.9MB

        • memory/1260-26-0x0000000140000000-0x00000001401F1000-memory.dmp

          Filesize

          1.9MB

        • memory/1260-28-0x0000000140000000-0x00000001401F1000-memory.dmp

          Filesize

          1.9MB

        • memory/1260-30-0x0000000140000000-0x00000001401F1000-memory.dmp

          Filesize

          1.9MB

        • memory/1260-27-0x0000000140000000-0x00000001401F1000-memory.dmp

          Filesize

          1.9MB

        • memory/1260-29-0x0000000140000000-0x00000001401F1000-memory.dmp

          Filesize

          1.9MB

        • memory/1260-31-0x0000000140000000-0x00000001401F1000-memory.dmp

          Filesize

          1.9MB

        • memory/1260-4-0x00000000775A6000-0x00000000775A7000-memory.dmp

          Filesize

          4KB

        • memory/1260-32-0x0000000140000000-0x00000001401F1000-memory.dmp

          Filesize

          1.9MB

        • memory/1260-40-0x0000000140000000-0x00000001401F1000-memory.dmp

          Filesize

          1.9MB

        • memory/1260-42-0x0000000077910000-0x0000000077912000-memory.dmp

          Filesize

          8KB

        • memory/1260-14-0x0000000140000000-0x00000001401F1000-memory.dmp

          Filesize

          1.9MB

        • memory/1260-51-0x0000000140000000-0x00000001401F1000-memory.dmp

          Filesize

          1.9MB

        • memory/1260-57-0x0000000140000000-0x00000001401F1000-memory.dmp

          Filesize

          1.9MB

        • memory/1260-15-0x0000000140000000-0x00000001401F1000-memory.dmp

          Filesize

          1.9MB

        • memory/1260-61-0x0000000140000000-0x00000001401F1000-memory.dmp

          Filesize

          1.9MB

        • memory/1260-16-0x0000000140000000-0x00000001401F1000-memory.dmp

          Filesize

          1.9MB

        • memory/1260-5-0x0000000002C20000-0x0000000002C21000-memory.dmp

          Filesize

          4KB

        • memory/1260-127-0x00000000775A6000-0x00000000775A7000-memory.dmp

          Filesize

          4KB

        • memory/1260-9-0x0000000140000000-0x00000001401F1000-memory.dmp

          Filesize

          1.9MB

        • memory/1260-17-0x0000000140000000-0x00000001401F1000-memory.dmp

          Filesize

          1.9MB

        • memory/1260-10-0x0000000140000000-0x00000001401F1000-memory.dmp

          Filesize

          1.9MB

        • memory/1260-11-0x0000000140000000-0x00000001401F1000-memory.dmp

          Filesize

          1.9MB

        • memory/1260-12-0x0000000140000000-0x00000001401F1000-memory.dmp

          Filesize

          1.9MB

        • memory/1260-7-0x0000000140000000-0x00000001401F1000-memory.dmp

          Filesize

          1.9MB

        • memory/1312-75-0x0000000140000000-0x00000001401F2000-memory.dmp

          Filesize

          1.9MB

        • memory/1312-69-0x0000000140000000-0x00000001401F2000-memory.dmp

          Filesize

          1.9MB

        • memory/1312-70-0x0000000000220000-0x0000000000227000-memory.dmp

          Filesize

          28KB

        • memory/2872-105-0x00000000000A0000-0x00000000000A7000-memory.dmp

          Filesize

          28KB

        • memory/2872-111-0x0000000140000000-0x00000001401F2000-memory.dmp

          Filesize

          1.9MB

        • memory/2912-0-0x0000000140000000-0x00000001401F1000-memory.dmp

          Filesize

          1.9MB

        • memory/2912-2-0x00000000001B0000-0x00000000001B7000-memory.dmp

          Filesize

          28KB

        • memory/2912-8-0x0000000140000000-0x00000001401F1000-memory.dmp

          Filesize

          1.9MB