Analysis

  • max time kernel: 150s
  • max time network: 125s
  • platform: windows7_x64
  • resource: win7-20231215-en
  • resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted: 28-01-2024 06:42

General

  • Target: 7c6984424b8af070581e59a97ed874d6.dll
  • Size: 1.7MB
  • MD5: 7c6984424b8af070581e59a97ed874d6
  • SHA1: 2a8e3182c1dbd840a4b040d12f0cddb218ea055c
  • SHA256: abe02436407d423ba7d2ee6fb54b60261b85fb70c076afc60d906b1b4a5f569a
  • SHA512: 1362191bdc99468b21ee2b9060835afe60d345062d0806028ef5959535f4e03d29c0fae11a893ab0307afa7f5708005dd4fc61784ab4b31f4ec89e069bfe21ff
  • SSDEEP: 12288:UVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:RfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode (1 IoC)

    Detects Dridex payload shellcode injected into the Explorer process.

  • Executes dropped EXE (3 IoCs)
  • Loads dropped DLL (7 IoCs)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Checks whether UAC is enabled (1 TTP, 3 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of WriteProcessMemory (18 IoCs)
  • Uses Task Scheduler COM API (1 TTP)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\7c6984424b8af070581e59a97ed874d6.dll
    PID: 1980
    • Suspicious behavior: EnumeratesProcesses
  • C:\Windows\system32\SystemPropertiesPerformance.exe
    C:\Windows\system32\SystemPropertiesPerformance.exe
    PID: 2284
    • C:\Users\Admin\AppData\Local\P2F0hAd1\SystemPropertiesPerformance.exe
      C:\Users\Admin\AppData\Local\P2F0hAd1\SystemPropertiesPerformance.exe
      PID: 2172
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
    • C:\Windows\system32\rekeywiz.exe
      C:\Windows\system32\rekeywiz.exe
      PID: 2844
      • C:\Users\Admin\AppData\Local\LsMZ\rekeywiz.exe
        C:\Users\Admin\AppData\Local\LsMZ\rekeywiz.exe
        PID: 2960
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
      • C:\Windows\system32\WFS.exe
        C:\Windows\system32\WFS.exe
        PID: 2160
        • C:\Users\Admin\AppData\Local\xi3\WFS.exe
          C:\Users\Admin\AppData\Local\xi3\WFS.exe
          PID: 1964
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled

Downloads

  • C:\Users\Admin\AppData\Local\LsMZ\rekeywiz.exe (67KB)
    MD5: 767c75767b00ccfd41a547bb7b2adfff
    SHA1: 91890853a5476def402910e6507417d400c0d3cb
    SHA256: bd70e504871a2ac1c883d19b87970c8d1b8b251c784bf777ba77ed764f5f2395
    SHA512: f096043452a1aa213a5e4d62638de3ee4b0b3ad3d12b7ee0372d8c79e00e2e13b4fd0ebc4206bbdb5124bed292dd5b30ef1641288046ef835f89c332985154f9

  • C:\Users\Admin\AppData\Local\LsMZ\slc.dll (290KB)
    MD5: 41c52b5ca619c4ced49806ce7ad5ef2d
    SHA1: 233f7af949c44c60fad542e8c53c7a784d6599d6
    SHA256: 69123a4c864aaf0c34223b31da3d88d3f5585b825b3c5062e4c213cfc637cc26
    SHA512: e96dacc3ba76e22a1725209acc6f79cc4cc899aa5683910beed907f0b7d27a58905169afc0e7b67614c62a579c679c021081f40d0cd772014a4df6ecf84eb0af

  • C:\Users\Admin\AppData\Local\P2F0hAd1\SYSDM.CPL (132KB)
    MD5: 6d92e7f1e7422bd578e15b4f34758a22
    SHA1: 560317cfd786d0f8b85892ce015c0dfb630fd534
    SHA256: 807f89bac60869749033a836fa1daab765fd2856402f49ad2f8843ff5a946b9d
    SHA512: de490d24d05c6969bf526fd77d8d203d4384db417146c18a8efc8f9e3a51f6a279a8994264bca58e48a58905311e64d250870549951a7a8a08783f4f572ed324

  • C:\Users\Admin\AppData\Local\xi3\WFS.exe (884KB)
    MD5: 8cfd4d317a8af7b13bd9c3897a67869e
    SHA1: 7ea9223a7a97f102846a92c639387595e90fea16
    SHA256: 0e076e054e76859f009bedaf865be526dc537dbccedd8661d514b949ff0d5a25
    SHA512: 99fcacbc843b4b674d3b762f5a30872ecffe759971aacdb9a734b0dd28aae886e5d3933cbb5eec9b715a433fb7f97307430fdc7de443d3bc135c26a668617617

  • C:\Users\Admin\AppData\Local\xi3\credui.dll (1.2MB)
    MD5: 2b965e5f24e2fc2be8d4227f265f4fec
    SHA1: 1a5ee0bdf52c7c4c224985d1b6835fb66711d455
    SHA256: 1ffffed27e437acfc7a6bfd4e9330fff94ad1c00d3ce0efcce57eb2c1b05a911
    SHA512: 962819ae2594431256d62690a7fb01272b1bb1e7d85b8e7004df820ae591762be584b1964ed600e361da662d6836f45e485e04b0e47476ea19a9e93bdd527056

  • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ekhyqsv.lnk (1KB)
    MD5: 98307f2c6dff9dcad14d67e824a0556f
    SHA1: 0adce53fa06183257146836c836c5a04a7272fe1
    SHA256: 9464e15d9a256e7ca23034a0d4b3739c13c0fec42ae3c29aef90d61778668d5c
    SHA512: 7d13d56659608c7979857a4342754a184a73e7f2a22120c4108268a34be0167de41ff4208086f986dd3839e273a7983327f35549e7853aac2d669c6b9190eb6d

  • C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\x9N\SYSDM.CPL (1.7MB)
    MD5: 0ff469de21a414915f480faad5f9060f
    SHA1: 228abc590d764546dc152f593f8639328a92d3ae
    SHA256: 00f71c1d3c4fe28384ba0e8ba140259503a939e3b79dac4bea91212c3a167f96
    SHA512: 62570014a2381196f42bc289edb6b886d53b1e50b1a812718144b573f375e947f72843a3fb3b2ff033dd2de2773f6b98573d7d41cfd1304244be8b86e366778a

  • C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\YSQ67Sam\slc.dll (595KB)
    MD5: 9701b5ab9601ef44a14345cf05b17a49
    SHA1: c094542aa6f3b35b2c40edf0eef77881232766e0
    SHA256: ee8a7d755de7e99110ab3c9d4e9ffb97eaed658f5bfbdb677411d54927742ad9
    SHA512: 361b9859408a6ac7ea02e92fbef3e6322e3fe799d2b3f781649ef746443a34dd691aafce7a3e7eabd7d95e071f64bd305b95a0d54b05e869c77b61d0a55852c9

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Sf1tAtG\WFS.exe (363KB)
    MD5: 2da433572d3974158a530ef148e5edb1
    SHA1: c94e62b0e62d3c5a9a142dd4244b1283bf2d5936
    SHA256: aaaa3fb247b21d8fabeadea5a6bb9f734c25893f60b5be45375985d7a31b6ed0
    SHA512: 9cb493012b12a9892c225d07b24a81efa8acad5252f574d39af6095f8b5e409033ef086891c806c9e90b0640cea6afd4daee08747e48a306ee949d678f2c5b12

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Sf1tAtG\credui.dll (1.7MB)
    MD5: d8674c78f2e0cf7d9e79cd3770950f6b
    SHA1: d68cfc620c78ae98f3095b4f6d1cd744e618a0f6
    SHA256: 9c3b85aaf0196c7b8aead0cf7a5973286e1f11be91c0209cd0c4d860d3041203
    SHA512: da0f94081ac0e2672d41da65a7316efb9b14480dbc85edbbab1d4f60edb6f151f2925e1aa0e9b9a45bf83878b45b094f8e146c211276f90b26035cc04bfe3ed0

  • \Users\Admin\AppData\Local\LsMZ\slc.dll (206KB)
    MD5: eb4e139975897eb7d432f96a4c087168
    SHA1: 2f54b8ae4ee0ddf3baec3abcc0e608a82b13ac06
    SHA256: b1198346dc21a6950316b810d0926be1f46f5fcc11ef4bac1cd8a960cf4a8d72
    SHA512: 95a5e336509a5cbeb235dc3a56200ff6e5ceb2527813534ba88a3fdca44320cb86910e8279d92283f2f77ac8d5e13e1da0ec02d0096d0c3450e41a81c15eebf5

  • \Users\Admin\AppData\Local\P2F0hAd1\SYSDM.CPL (92KB)
    MD5: 86de1c98430c88f8b7e38a72d0a2818f
    SHA1: 486daefa7f5c76e89081ae9e5b18f789c7672bf1
    SHA256: d3fd0394725fba04f44d2e617669ff3e2dda112a7f8260cb73abcc676a30952d
    SHA512: eaca93a8df66599f030a5fac4ee781030c3ef65c2400d5ba3e6c1c2ab13016cb8d2d42a7375cb7839c3c4d9d5db534921935b23d292614acab9166d0df344401

  • \Users\Admin\AppData\Local\P2F0hAd1\SystemPropertiesPerformance.exe (80KB)
    MD5: 870726cdcc241a92785572628b89cc07
    SHA1: 63d47cc4fe9beb75862add1abca1d8ae8235710a
    SHA256: 1ab77fa1ee0cbe59ca185c228c3c11abeba2b2008a162c91a06d3c40542e7fc6
    SHA512: 89b961c2a2716fe0800e54e0206c8b349a26f1bc2a463ec9bd12f3ab22bfcb13e6402b4c20ddcf284d838a3c66e73335af8f6dc4554d76646382e387242c6f72

  • \Users\Admin\AppData\Local\xi3\WFS.exe (951KB)
    MD5: a943d670747778c7597987a4b5b9a679
    SHA1: c48b760ff9762205386563b93e8884352645ef40
    SHA256: 1a582ebe780abc1143baccaf4910714d3e9f4195edd86939499d03ed6e756610
    SHA512: 3d926ddead8afcb32b52b3eb3c416d197c15e5fff6ba9fa03a31a07522bdb9088b32500fc8b98d82af657071571d09cd336a65cf45c485ebcc145dea70b3a934

  • \Users\Admin\AppData\Local\xi3\credui.dll (1011KB)
    MD5: 3e1990217003de6f69c40882381d3f3a
    SHA1: e9920dd1f570b27e683431a24482ee6fd795d274
    SHA256: 0da6de24e30a457974a2438d702285b54aa61a920141435329d9f944dd6617af
    SHA512: 0f5b4afb1c9525513791c951b19d4b81c641f80b5a47882fe2b1a62255be71f8b77d469cfd78f7c1dba37d81f43ffebf0736e93bd0c1d06b3570ded451d9565b

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Sf1tAtG\WFS.exe (304KB)
    MD5: b26702799e644a19d52204db014aa11b
    SHA1: dd3159037ef59fc6a2f67e900d60f934f654e7dd
    SHA256: b345d4ffe79d4cd8d87ee0a579a9a58174ee570ca6ff5dd32f0a65ff032ed3c7
    SHA512: 02d9e98b21985b81772aafcf38eb0b355ceab42c27faa2712498c22911ca21c9b3f5cc558163426dd333bd7cc026b9e1e57985d9b029dc957007a02280f7c699
