Analysis

  • max time kernel
    150s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    27-01-2024 15:21

General

  • Target

    7a96d67a18be2760a733a25afcbe0987.dll

  • Size

    1.5MB

  • MD5

    7a96d67a18be2760a733a25afcbe0987

  • SHA1

    2f8a7ab45bfa0fc5af4ebd3a32788c4d2b70d39c

  • SHA256

    322fdc6d77dfe2aaf96c4075f9798da0709dc4418400f9c15171be24360fed1c

  • SHA512

    52af3bdb3f5c190049950843159200d683f396f366f74428b9cfde0ce524c4b29a6307b1d70842abaebc2b3b37b4236631743e106bc4da1633a020cec0180007

  • SSDEEP

    12288:IVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1rUQ:dfP7fWsK5z9A+WGAW+V5SB6Ct4bnbr

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex payload shellcode injected into the Explorer process.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\7a96d67a18be2760a733a25afcbe0987.dll
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:1060
  • C:\Windows\system32\spreview.exe
    C:\Windows\system32\spreview.exe
    1⤵
      PID:2696
    • C:\Users\Admin\AppData\Local\6y7qG\spreview.exe
      C:\Users\Admin\AppData\Local\6y7qG\spreview.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2072
    • C:\Windows\system32\FXSCOVER.exe
      C:\Windows\system32\FXSCOVER.exe
      1⤵
        PID:2872
      • C:\Users\Admin\AppData\Local\wM37uuni\FXSCOVER.exe
        C:\Users\Admin\AppData\Local\wM37uuni\FXSCOVER.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2884
      • C:\Windows\system32\dpnsvr.exe
        C:\Windows\system32\dpnsvr.exe
        1⤵
          PID:268
        • C:\Users\Admin\AppData\Local\JHrxz\dpnsvr.exe
          C:\Users\Admin\AppData\Local\JHrxz\dpnsvr.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1548

Network

MITRE ATT&CK Enterprise v15

Downloads

        • C:\Users\Admin\AppData\Local\6y7qG\spreview.exe

          Filesize

          79KB

          MD5

          49a328dc3123e068a04a0409bb8e4944

          SHA1

          fcb54507db46a4249d5606e45ef42d3d612b6a6e

          SHA256

          74359e58c5d3adac5db8c2e2cc283d63486a6306fa65588b1860db8221f7b20e

          SHA512

          a53316fb040b79cf206b81ab9bff933f6e3c5921f4ae9ec71e4e49822e2ebe816bfed9cf5da5c55f739d0cfa39efde0a5d1afdaf3629b3d1d67c0cd9509f8635

        • C:\Users\Admin\AppData\Local\6y7qG\sqmapi.dll

          Filesize

          131KB

          MD5

          bfeeb0db1b0fe23ed4059337a60f1c32

          SHA1

          ec56f2351f69f17465773c503b4af0b84a7aefb5

          SHA256

          53c11a22fe7c4a94cba22940b6dfa514cb95a512a3e632c83d974ad545e6c93d

          SHA512

          bed36b54f837c73fa190efe96ba1bdcc4fb6cd3850be4c11386be523d2c06b9c821f914d6aa2dbfbc71634ed4246557e2e2c2f4c7d72f1323be40bf18ed20f59

        • C:\Users\Admin\AppData\Local\JHrxz\WINMM.dll

          Filesize

          1.5MB

          MD5

          849efd7563364efddadafa3a9e1538c2

          SHA1

          9f8c0501adf67c7a256664a404411d2b12c076d2

          SHA256

          ccb3606cb74614b5a727cf568b99960dcce3e4ca48691a369c36b27b59d18314

          SHA512

          d3db0a15149bba57b7d7ac4189ee7d97a511921cf5da61393564fed4817d08a8ba448f6fd69b4a822de1e56a2aef0165434cd6b0a5e65712ee9662b87e1173ff

        • C:\Users\Admin\AppData\Local\JHrxz\dpnsvr.exe

          Filesize

          33KB

          MD5

          6806b72978f6bd27aef57899be68b93b

          SHA1

          713c246d0b0b8dcc298afaed4f62aed82789951c

          SHA256

          3485ee4159c5f9e4ed9dd06e668d1e04148154ff40327a9ccb591e8c5a79958c

          SHA512

          43c942358b2e949751149ecc4be5ff6cb0634957ff1128ad5e6051e83379fb5643100cae2f6ef3eaf36aff016063c150e93297aa866e780d0e4d51656a251c7b

        • C:\Users\Admin\AppData\Local\wM37uuni\FXSCOVER.exe

          Filesize

          126KB

          MD5

          d7624dabe53e1a21fcc3f82156c19ee7

          SHA1

          1f84605ca0a8025976cafcd25938acf9b57306f3

          SHA256

          76818bc0327d32ccc4f7faf6ff10159ed8f9b0424c8b507f9db2c00cf2b76054

          SHA512

          9b81a9b7ad1b4b989ca36442ddd7ab26ad7d1401271b013432fb82c47a6629bd51288ded4c84ae647f83896069e08874170dccb0333deb9f7ec5d5223eaf6001

        • C:\Users\Admin\AppData\Local\wM37uuni\FXSCOVER.exe

          Filesize

          169KB

          MD5

          fb6efbd62bf00ae811ff799c0ce11e18

          SHA1

          d801058da595318c2f7dd43404669684007d4403

          SHA256

          910607f6fb0d1a9f61cdf85f29f05ec0851b59ccd0619501b8fec8f2beda3785

          SHA512

          3b11f0692c567a584ef49870dbad1a0baa0cbee18948a431991aebce32b1f64d55a9a2c289a2c55e996ce5c4c07233c5f28cff2e2119ad0a9ea261351deb00b9

        • C:\Users\Admin\AppData\Local\wM37uuni\MFC42u.dll

          Filesize

          311KB

          MD5

          3484e717f73a0ff2dcc808b55d5d06be

          SHA1

          e0e543987e7b378f0bc227536b7163d96208d315

          SHA256

          d77d4a6284361be90359a3030a8fe989c6ba2d30f413eb0b8968960a3b39ea86

          SHA512

          899d8ef6e5511512b4af62215f233df3a473e6daaf9490d301d1c813e53266e7db4a8d891dd80daa1b0fec3184a614dd323b121f404238314685527dd628b618

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Zrkibbhbsqvuoso.lnk

          Filesize

          1KB

          MD5

          216fcee358ceddef053562ddd7350424

          SHA1

          25a994be261838f92c53da6ff786ea5dfd4f910f

          SHA256

          de6ce2dd54900f613555a34592f5404b9399e26a2aee9ef519a47a82a33aee91

          SHA512

          670afc5e93f78c29a408925c3d585473053ff2f96ff21b496336b3d86dd4271e6b07e6e7c9143ffcda113095c7684df1a92e1afc3833e5af48c9f025ed0be023

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IECompatCache\EJUTOJ\spreview.exe

          Filesize

          294KB

          MD5

          704cd4cac010e8e6d8de9b778ed17773

          SHA1

          81856abf70640f102b8b3defe2cf65669fe8e165

          SHA256

          4307f21d3ec3b51cba6a905a80045314ffccb4c60c11d99a3d77cc8103014208

          SHA512

          b380264276bad01d619a5f1f112791d6bf73dc52cdd5cca0cc1f726a6f66eefc5a78a37646792987c508f9cb5049f0eb86c71fb4c7a2d3e670c0c8623f0522ee

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IECompatCache\EJUTOJ\sqmapi.dll

          Filesize

          1.5MB

          MD5

          e5883fabc54918b25cd3c6beb79c4de6

          SHA1

          242ddbed4134c6a81c8b0ddf7fe07aa4ad60d17e

          SHA256

          fea00faa4a606b618f40ae483ece9528e0de0c7013e2b89840e1c3c664c82391

          SHA512

          48fc8970a72a5b4eaa99502a69f3b64d17cc3deaf48c8f23edf2a674dc4963b8a34c35cabca45253dadbeca3607fa2d44abc9d3b6112c62f71879649415f5e6d

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\M9RwH\MFC42u.dll

          Filesize

          1.5MB

          MD5

          3b0247483656d6add4df27e3e81a5458

          SHA1

          fddc67bf6063706e517c28f302c00a917a8255eb

          SHA256

          82e2dd2f098c07ad0760cba9cc420be9ac0f10c48e44f29fc1575e7100bcba72

          SHA512

          0ff854a5ba9109c4c65cc1c063ef84b0f1c1fa09a4eb0dc258b915b50b2aee2c02c238e19b07223bc1b36f2e52c87a92d03bf89d579179627dba9fda7b75e395

        • \Users\Admin\AppData\Local\6y7qG\spreview.exe

          Filesize

          45KB

          MD5

          f2d8450375ada664ce46267b9452a845

          SHA1

          fb5bb7f2288791a9fa80f2257701bf8f5f6a48e4

          SHA256

          33978bfcf4bb7d9ada1460c0e9a494837d0f1a600aa94ff9770d05934e9f1a38

          SHA512

          1922c0258aab4abc905181e3a7e3d58444e171a226c1a8180a2ef6d75441e212c0f4448ce0760322d8f18b0c9863943a41d80402237444156b9fcf3b2de0c094

        • \Users\Admin\AppData\Local\6y7qG\sqmapi.dll

          Filesize

          214KB

          MD5

          3e4480e8e630c18db403ade20f829483

          SHA1

          da40ee9fae2c120fd7b3026176d743239a8bbd14

          SHA256

          7c8a52298084de967bbf5f88f9709b1e860a47d7d683a2eabb88dd1ebc7422dc

          SHA512

          61df1ea806167965d152590c6f9ab9f9df53886262f915be44c8760e946373c14e5cba5f7b5daa378e977861277b2572238231d6c2c8a29e36a4aeccf8f0c8f0

        • \Users\Admin\AppData\Local\wM37uuni\FXSCOVER.exe

          Filesize

          261KB

          MD5

          5e2c61be8e093dbfe7fc37585be42869

          SHA1

          ed46cda4ece3ef187b0cf29ca843a6c6735af6c0

          SHA256

          3d1719c1caa5d6b0358830a30713c43a9710fbf7bcedca20815be54d24aa9121

          SHA512

          90bf180c8f6e3d0286a19fcd4727f23925a39c90113db979e1b4bbf8f0491471ad26c877a6e2cf49638b14050d952a9ee02a3c1293129843ec6bba01bc325d0b

        • \Users\Admin\AppData\Local\wM37uuni\MFC42u.dll

          Filesize

          273KB

          MD5

          b4683a76616990432f8d7e0d544b7037

          SHA1

          91c1d57c0019d31e0a68216f68cdc0232c78abdc

          SHA256

          7d83d03a8c28f81f1cdb05dbefdbbdedead416cd566f70996f46b9eaf7136a24

          SHA512

          3ce14b0a19489653af7dc3629e7db09028f06d011b852b88f149e4dd28fbe39508fc92171754627d0d5e66d2d835bd4b500142960c42fc5c0c63b0d8a18c0f6e

        • memory/1060-8-0x0000000140000000-0x0000000140175000-memory.dmp

          Filesize

          1.5MB

        • memory/1060-1-0x0000000140000000-0x0000000140175000-memory.dmp

          Filesize

          1.5MB

        • memory/1060-0-0x00000000000B0000-0x00000000000B7000-memory.dmp

          Filesize

          28KB

        • memory/1264-41-0x00000000026C0000-0x00000000026C7000-memory.dmp

          Filesize

          28KB

        • memory/1264-29-0x0000000140000000-0x0000000140175000-memory.dmp

          Filesize

          1.5MB

        • memory/1264-24-0x0000000140000000-0x0000000140175000-memory.dmp

          Filesize

          1.5MB

        • memory/1264-26-0x0000000140000000-0x0000000140175000-memory.dmp

          Filesize

          1.5MB

        • memory/1264-25-0x0000000140000000-0x0000000140175000-memory.dmp

          Filesize

          1.5MB

        • memory/1264-27-0x0000000140000000-0x0000000140175000-memory.dmp

          Filesize

          1.5MB

        • memory/1264-23-0x0000000140000000-0x0000000140175000-memory.dmp

          Filesize

          1.5MB

        • memory/1264-28-0x0000000140000000-0x0000000140175000-memory.dmp

          Filesize

          1.5MB

        • memory/1264-30-0x0000000140000000-0x0000000140175000-memory.dmp

          Filesize

          1.5MB

        • memory/1264-32-0x0000000140000000-0x0000000140175000-memory.dmp

          Filesize

          1.5MB

        • memory/1264-31-0x0000000140000000-0x0000000140175000-memory.dmp

          Filesize

          1.5MB

        • memory/1264-36-0x0000000140000000-0x0000000140175000-memory.dmp

          Filesize

          1.5MB

        • memory/1264-40-0x0000000140000000-0x0000000140175000-memory.dmp

          Filesize

          1.5MB

        • memory/1264-39-0x0000000140000000-0x0000000140175000-memory.dmp

          Filesize

          1.5MB

        • memory/1264-22-0x0000000140000000-0x0000000140175000-memory.dmp

          Filesize

          1.5MB

        • memory/1264-37-0x0000000140000000-0x0000000140175000-memory.dmp

          Filesize

          1.5MB

        • memory/1264-38-0x0000000140000000-0x0000000140175000-memory.dmp

          Filesize

          1.5MB

        • memory/1264-48-0x0000000140000000-0x0000000140175000-memory.dmp

          Filesize

          1.5MB

        • memory/1264-35-0x0000000140000000-0x0000000140175000-memory.dmp

          Filesize

          1.5MB

        • memory/1264-34-0x0000000140000000-0x0000000140175000-memory.dmp

          Filesize

          1.5MB

        • memory/1264-33-0x0000000140000000-0x0000000140175000-memory.dmp

          Filesize

          1.5MB

        • memory/1264-49-0x0000000076D61000-0x0000000076D62000-memory.dmp

          Filesize

          4KB

        • memory/1264-50-0x0000000076EC0000-0x0000000076EC2000-memory.dmp

          Filesize

          8KB

        • memory/1264-19-0x0000000140000000-0x0000000140175000-memory.dmp

          Filesize

          1.5MB

        • memory/1264-20-0x0000000140000000-0x0000000140175000-memory.dmp

          Filesize

          1.5MB

        • memory/1264-11-0x0000000140000000-0x0000000140175000-memory.dmp

          Filesize

          1.5MB

        • memory/1264-12-0x0000000140000000-0x0000000140175000-memory.dmp

          Filesize

          1.5MB

        • memory/1264-7-0x0000000140000000-0x0000000140175000-memory.dmp

          Filesize

          1.5MB

        • memory/1264-59-0x0000000140000000-0x0000000140175000-memory.dmp

          Filesize

          1.5MB

        • memory/1264-66-0x0000000140000000-0x0000000140175000-memory.dmp

          Filesize

          1.5MB

        • memory/1264-65-0x0000000140000000-0x0000000140175000-memory.dmp

          Filesize

          1.5MB

        • memory/1264-4-0x0000000076C56000-0x0000000076C57000-memory.dmp

          Filesize

          4KB

        • memory/1264-5-0x00000000026E0000-0x00000000026E1000-memory.dmp

          Filesize

          4KB

        • memory/1264-136-0x0000000076C56000-0x0000000076C57000-memory.dmp

          Filesize

          4KB

        • memory/1264-21-0x0000000140000000-0x0000000140175000-memory.dmp

          Filesize

          1.5MB

        • memory/1264-18-0x0000000140000000-0x0000000140175000-memory.dmp

          Filesize

          1.5MB

        • memory/1264-16-0x0000000140000000-0x0000000140175000-memory.dmp

          Filesize

          1.5MB

        • memory/1264-17-0x0000000140000000-0x0000000140175000-memory.dmp

          Filesize

          1.5MB

        • memory/1264-9-0x0000000140000000-0x0000000140175000-memory.dmp

          Filesize

          1.5MB

        • memory/1264-15-0x0000000140000000-0x0000000140175000-memory.dmp

          Filesize

          1.5MB

        • memory/1264-10-0x0000000140000000-0x0000000140175000-memory.dmp

          Filesize

          1.5MB

        • memory/1264-14-0x0000000140000000-0x0000000140175000-memory.dmp

          Filesize

          1.5MB

        • memory/1264-13-0x0000000140000000-0x0000000140175000-memory.dmp

          Filesize

          1.5MB

        • memory/2072-82-0x0000000140000000-0x0000000140176000-memory.dmp

          Filesize

          1.5MB

        • memory/2072-77-0x0000000000100000-0x0000000000107000-memory.dmp

          Filesize

          28KB

        • memory/2072-78-0x0000000140000000-0x0000000140176000-memory.dmp

          Filesize

          1.5MB

        • memory/2884-95-0x0000000140000000-0x000000014017C000-memory.dmp

          Filesize

          1.5MB

        • memory/2884-94-0x0000000000170000-0x0000000000177000-memory.dmp

          Filesize

          28KB