Analysis

  • max time kernel
    133s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags
    arch:x64 arch:x86 image:win7-20231215-en locale:en-us os:windows7-x64 system
  • submitted
    28-01-2024 04:57

General

  • Target

    7c364a9cc46fabb61560e9bb9ef588ce.dll

  • Size

    1.6MB

  • MD5

    7c364a9cc46fabb61560e9bb9ef588ce

  • SHA1

    1a755f4b3d03b6bce41ebb26bd8d15e3e6dfe96f

  • SHA256

    ac5e42f699e4e1efc7f7cd1f1b6516c4ff8405ff1e82aba21ed18cc8cf26efd7

  • SHA512

    807cbefe2206e54c26929f9868c6f8a0340d324d18a63e0da216ab6e523109cf6012b41676cd5552f0ee8681875065d8ad021632e80129089070317737dda75f

  • SSDEEP

    12288:GVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:bfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing banking credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex payload shellcode injected into the Explorer process.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\7c364a9cc46fabb61560e9bb9ef588ce.dll,#1
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2536
  • C:\Windows\system32\AdapterTroubleshooter.exe
    C:\Windows\system32\AdapterTroubleshooter.exe
    PID:2608
    • C:\Users\Admin\AppData\Local\e3Fy0nv\AdapterTroubleshooter.exe
      C:\Users\Admin\AppData\Local\e3Fy0nv\AdapterTroubleshooter.exe
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2596
    • C:\Users\Admin\AppData\Local\DI2Rso\RDVGHelper.exe
      C:\Users\Admin\AppData\Local\DI2Rso\RDVGHelper.exe
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2340
    • C:\Windows\system32\RDVGHelper.exe
      C:\Windows\system32\RDVGHelper.exe
      PID:2648
      • C:\Users\Admin\AppData\Local\QCib\TpmInit.exe
        C:\Users\Admin\AppData\Local\QCib\TpmInit.exe
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2992
      • C:\Windows\system32\TpmInit.exe
        C:\Windows\system32\TpmInit.exe
        PID:3012

        Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\DI2Rso\RDVGHelper.exe

          Filesize

          20KB

          MD5

          ce6704500246ee13cd19ab108dbffce1

          SHA1

          10505da49da1d0453de1d0fe28a793cbf944ee71

          SHA256

          4c4288a0f07b5a796435982b550b2991ac02998b4c85506988e8d49e9ad44750

          SHA512

          b2890a01e9cc49a9204736d41e18f58e4df8de60b243fdb51ad5fbca536f898a4d187fcc7ac832efd64ab58af429ec633faf0f7020192c87c5414b9462350d97

        • C:\Users\Admin\AppData\Local\DI2Rso\dwmapi.dll

          Filesize

          39KB

          MD5

          d851cd63cc9121c8ba1adb5da5ea5ed7

          SHA1

          67aa7cc843a8409da2b7d10ee20d5321392f804b

          SHA256

          37b69fbc887e9eb3e25ef5df784b4e6113db3f6685ba7cfcbd20c585da0afffe

          SHA512

          464d9a56916d3cf62a3abdc5f1dde39862ef9b949dcfa14ba283adb0f3aa96b425cc0c372d1cb867cf4b56f20c71ed4caf48ebe5d77a08173a530e297539722b

        • C:\Users\Admin\AppData\Local\QCib\ACTIVEDS.dll

          Filesize

          119KB

          MD5

          e85a26f26e4d8d6eff6d87dec51c3962

          SHA1

          4ba946aa14482541fbf7f6b547f8d5a2ca5fbaf3

          SHA256

          472514a21cf69c1364fed1de700eb36f55f13d287907edcc53eae1398f0685e2

          SHA512

          715ad8cab54085efcd26a8c1202f70862228dce6c9957ff3e10e003221e780783e058f3f7aec89d43220862908bf05b60be34d818559a19d792c203be55ea053

        • C:\Users\Admin\AppData\Local\QCib\TpmInit.exe

          Filesize

          96KB

          MD5

          edad2981231c1a42b8c7a7d3206cfdc4

          SHA1

          21ca15ca3be5c4caa81c8358174313341accc251

          SHA256

          480e8550b072a767c2ac9d086ed6bce08078fec4f95e784f5fc6772c2a277ccf

          SHA512

          04be414cd7e0b4813e7495404a0144942e5743b7d5a259bd819572f768c40333ddc12663589b89a7a8df1d48503201da037915308aec107346ca1ef521760d62

        • C:\Users\Admin\AppData\Local\QCib\TpmInit.exe

          Filesize

          112KB

          MD5

          8b5eb38e08a678afa129e23129ca1e6d

          SHA1

          a27d30bb04f9fabdb5c92d5150661a75c5c7bc42

          SHA256

          4befa614e1b434b2f58c9e7ce947a946b1cf1834b219caeff42b3e36f22fd97c

          SHA512

          a7245cde299c68db85370ae1bdf32a26208e2cda1311afd06b0efd410664f36cafb62bf4b7ce058e203dcc515c45ebdef01543779ead864f3154175b7b36647d

        • C:\Users\Admin\AppData\Local\e3Fy0nv\AdapterTroubleshooter.exe

          Filesize

          39KB

          MD5

          d4170c9ff5b2f85b0ce0246033d26919

          SHA1

          a76118e8775e16237cf00f2fb79718be0dc84db1

          SHA256

          d05e010a2570cdd5a67f62c99483aeeecb6a8d5ecc523cd49b158a460c9be5da

          SHA512

          9c85a9ea4002bd55cf9c51e470dd1bec527ff04b5d0d6f83094a998c541416cd47c9f42c6ca7e35ffa2842877f79e3c2e989489b9bf81644c5c57bb406b89608

        • C:\Users\Admin\AppData\Local\e3Fy0nv\d3d9.dll

          Filesize

          258KB

          MD5

          462f4e1a0c67f968856be2f1e70362ac

          SHA1

          4f66d2291c6dd79a824128c92039d70731b1c0c5

          SHA256

          68a6b40c799157f4a51dc8583594537fbe20a0c142498166d309e34da761e5d1

          SHA512

          a6aed16b3efff87e8aefb16a224615d509af8c72bf6972d8ddc8030f37c892d1e5b80a94ef5be670a4be5e6a6f2ef5c7d59f14fa60e4e6085cb8903c88e07dc1

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Cuhrqknkppepky.lnk

          Filesize

          1KB

          MD5

          cb630a3f56283f7cdea0bca1f7315518

          SHA1

          e7d51fdcea9103bf9d7f6941122d036d394ae252

          SHA256

          5235c4581459a3ca3997d44fcac983a4a34bdbd88eaee202ae5dfe9203da379b

          SHA512

          e9d1c4b646230a61a9f2d0b7f8a67558c293953c6497c0bef15d99931f235ea9295bde0a58b76f3702757d18547679beb42e8ae46a5f6bf5602a64289ec3e6fe

        • C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\4gKF6E8\RDVGHelper.exe

          Filesize

          93KB

          MD5

          53fda4af81e7c4895357a50e848b7cfe

          SHA1

          01fb2d0210f1c47aaf684e31a9fb78f89bba9c0f

          SHA256

          62ab8c2c5b5bd84fd07e96b6a3b87a4ea56946107ed9b7f8076580ae1fefd038

          SHA512

          dbbda90a57d27160c5a3a5e4e94cfc43b1663fcbfe424fdec851e52356f61492bdcf677c46be8aa4e8ccc8be7c389b6aa7bbbce8447e1fae32f03e5e409f4051

        • C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\4gKF6E8\dwmapi.dll

          Filesize

          1.6MB

          MD5

          f4620ad1d3d15b04300fec0455048a45

          SHA1

          f64e57e0deb46d02d54972e13da92fc90b23b1a2

          SHA256

          a37bfdb4a09dd1032ba9ac6adcda671bd98076b4c19e4222492c09491532fc33

          SHA512

          c5124b385261cc26bcb2aff9f1e8282e3f77c3c5af905b11a6331d229983b52f7efbf86be1d887002c547855d209e8890d61a353aa53070a895c829dc84d8595

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\iGKdI8QN\ACTIVEDS.dll

          Filesize

          1.6MB

          MD5

          b1546da3664afbad197d1a238fb227f3

          SHA1

          ab9abd07069539aa63e99b87644e93b6ce099e41

          SHA256

          edfe97461c577176d3f616fc93614809cbbd59f0f536010967841bcb379a2e7f

          SHA512

          ba1608544f0b6934af377cfa9f7c6d77cd3e056c8c29ecf318ff9b3f408a1453b757f89f8138b222acd81014960e83980f25365f8dc3dbb8ead17fd69f0c2dc9

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\ijtFw\d3d9.dll

          Filesize

          1.6MB

          MD5

          04c597e5b87e69ded7a9cbc710371b55

          SHA1

          1fbf85f255835d0351cd46c40e138055f990c443

          SHA256

          820dbad229c9359844c097f215e59d86c4fd862311b2e0c64ba894ae353cc597

          SHA512

          fc8d2e30ccb8bf154826ffd1a3f28e8a304b66410716ba68774ffad56e1160fb73ed23f1b562dcb69c355301297ccb0fe30573dc6b0cbe7ce5b1abf7d2e89180

        • \Users\Admin\AppData\Local\DI2Rso\RDVGHelper.exe

          Filesize

          55KB

          MD5

          45172b5447822eedb94261d316f7cc88

          SHA1

          829a48efd232956df3bf7770da25cde7a5c8e3e8

          SHA256

          00bcec24c6e45f2f1f31560324c17da2b4fa01820687c6f7fe3d5081cd23dc0d

          SHA512

          38d455769ba7b58bcb4a8fd569fdf325fc54878c316246126a92470cf94c3e2264628d4a59c0c7eb63e7ad44e432e1e2af3508af1968a4b1ff0f9415bcf24360

        • \Users\Admin\AppData\Local\DI2Rso\dwmapi.dll

          Filesize

          23KB

          MD5

          a6de505eb6e21ea38fbdfe6ae7a7fed4

          SHA1

          6b6ef40579de2e5e15231f8963443183cff8c96c

          SHA256

          5d48102bf245b5dc33408957289f4f0871ebe6d4756ea479000857c75ebc37ed

          SHA512

          49dd647993e6b7ac0210f378f4074250d3afd253c27e0b9595f382e25f9746e080240721c81c3475213a084fbd57e38d35ed80a909bd834799e3ad5bacb94be5

        • \Users\Admin\AppData\Local\QCib\ACTIVEDS.dll

          Filesize

          156KB

          MD5

          4c82ea2b20e692ac2c3cc8c2822be2bd

          SHA1

          12ecd10fd529e18b51530ac852d4ba75e4f9c024

          SHA256

          61b4ae9258ef4f74dc687e8ec4235d56ee216c45dfc438d4a96200710d405d2b

          SHA512

          c3d6b64fc689ffd5ff2fb7bd825e1f4ce702172accbfe10e3992ff42a525ba9596638ce37ee6fed74933dc6547b452861e113455d1fd615f76c28be484548b08

        • \Users\Admin\AppData\Local\e3Fy0nv\d3d9.dll

          Filesize

          217KB

          MD5

          52744a14a7f693f81eb79cce4469b25a

          SHA1

          006fd6813efb32f2650049ffcbb60ecec7ec4a89

          SHA256

          fd762fe4352b5bf0c123081bc5a798033f8d927bfad982094c7987df5dba012a

          SHA512

          6bed8714dceca8e569155aa18f49c5772db9064bbcfb0ed8faf7894bfa5e9a203e85923bb71e5a7082f6339f926db212367e3b315eb8ae10c664b6b2702c28aa

        • memory/1196-18-0x0000000140000000-0x00000001401A3000-memory.dmp

          Filesize

          1.6MB

        • memory/1196-16-0x0000000140000000-0x00000001401A3000-memory.dmp

          Filesize

          1.6MB

        • memory/1196-13-0x0000000140000000-0x00000001401A3000-memory.dmp

          Filesize

          1.6MB

        • memory/1196-12-0x0000000140000000-0x00000001401A3000-memory.dmp

          Filesize

          1.6MB

        • memory/1196-11-0x0000000140000000-0x00000001401A3000-memory.dmp

          Filesize

          1.6MB

        • memory/1196-9-0x0000000140000000-0x00000001401A3000-memory.dmp

          Filesize

          1.6MB

        • memory/1196-4-0x0000000076EB6000-0x0000000076EB7000-memory.dmp

          Filesize

          4KB

        • memory/1196-28-0x0000000140000000-0x00000001401A3000-memory.dmp

          Filesize

          1.6MB

        • memory/1196-27-0x0000000002500000-0x0000000002507000-memory.dmp

          Filesize

          28KB

        • memory/1196-35-0x0000000140000000-0x00000001401A3000-memory.dmp

          Filesize

          1.6MB

        • memory/1196-37-0x0000000077220000-0x0000000077222000-memory.dmp

          Filesize

          8KB

        • memory/1196-36-0x00000000770C1000-0x00000000770C2000-memory.dmp

          Filesize

          4KB

        • memory/1196-7-0x0000000140000000-0x00000001401A3000-memory.dmp

          Filesize

          1.6MB

        • memory/1196-46-0x0000000140000000-0x00000001401A3000-memory.dmp

          Filesize

          1.6MB

        • memory/1196-52-0x0000000140000000-0x00000001401A3000-memory.dmp

          Filesize

          1.6MB

        • memory/1196-5-0x0000000002520000-0x0000000002521000-memory.dmp

          Filesize

          4KB

        • memory/1196-123-0x0000000076EB6000-0x0000000076EB7000-memory.dmp

          Filesize

          4KB

        • memory/1196-10-0x0000000140000000-0x00000001401A3000-memory.dmp

          Filesize

          1.6MB

        • memory/1196-15-0x0000000140000000-0x00000001401A3000-memory.dmp

          Filesize

          1.6MB

        • memory/1196-14-0x0000000140000000-0x00000001401A3000-memory.dmp

          Filesize

          1.6MB

        • memory/1196-17-0x0000000140000000-0x00000001401A3000-memory.dmp

          Filesize

          1.6MB

        • memory/1196-19-0x0000000140000000-0x00000001401A3000-memory.dmp

          Filesize

          1.6MB

        • memory/1196-20-0x0000000140000000-0x00000001401A3000-memory.dmp

          Filesize

          1.6MB

        • memory/1196-26-0x0000000140000000-0x00000001401A3000-memory.dmp

          Filesize

          1.6MB

        • memory/1196-21-0x0000000140000000-0x00000001401A3000-memory.dmp

          Filesize

          1.6MB

        • memory/1196-22-0x0000000140000000-0x00000001401A3000-memory.dmp

          Filesize

          1.6MB

        • memory/1196-23-0x0000000140000000-0x00000001401A3000-memory.dmp

          Filesize

          1.6MB

        • memory/1196-24-0x0000000140000000-0x00000001401A3000-memory.dmp

          Filesize

          1.6MB

        • memory/1196-25-0x0000000140000000-0x00000001401A3000-memory.dmp

          Filesize

          1.6MB

        • memory/2340-86-0x0000000140000000-0x00000001401A4000-memory.dmp

          Filesize

          1.6MB

        • memory/2536-0-0x0000000140000000-0x00000001401A3000-memory.dmp

          Filesize

          1.6MB

        • memory/2536-8-0x0000000140000000-0x00000001401A3000-memory.dmp

          Filesize

          1.6MB

        • memory/2536-1-0x0000000000290000-0x0000000000297000-memory.dmp

          Filesize

          28KB

        • memory/2596-67-0x0000000000100000-0x0000000000107000-memory.dmp

          Filesize

          28KB

        • memory/2596-70-0x0000000140000000-0x00000001401A4000-memory.dmp

          Filesize

          1.6MB

        • memory/2596-64-0x0000000140000000-0x00000001401A4000-memory.dmp

          Filesize

          1.6MB

        • memory/2992-103-0x0000000140000000-0x00000001401A4000-memory.dmp

          Filesize

          1.6MB

        • memory/2992-101-0x0000000000090000-0x0000000000097000-memory.dmp

          Filesize

          28KB