Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    28-01-2024 06:42

General

  • Target

    7c6984424b8af070581e59a97ed874d6.dll

  • Size

    1.7MB

  • MD5

    7c6984424b8af070581e59a97ed874d6

  • SHA1

    2a8e3182c1dbd840a4b040d12f0cddb218ea055c

  • SHA256

    abe02436407d423ba7d2ee6fb54b60261b85fb70c076afc60d906b1b4a5f569a

  • SHA512

    1362191bdc99468b21ee2b9060835afe60d345062d0806028ef5959535f4e03d29c0fae11a893ab0307afa7f5708005dd4fc61784ab4b31f4ec89e069bfe21ff

  • SSDEEP

    12288:UVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:RfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a banking trojan that specializes in stealing online banking credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\7c6984424b8af070581e59a97ed874d6.dll
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:368
  • C:\Windows\system32\wbengine.exe
    C:\Windows\system32\wbengine.exe
    1⤵
    PID:1440
  • C:\Windows\system32\osk.exe
    C:\Windows\system32\osk.exe
    1⤵
    PID:4380
  • C:\Users\Admin\AppData\Local\RRz9CFGsq\wermgr.exe
    C:\Users\Admin\AppData\Local\RRz9CFGsq\wermgr.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:4796
  • C:\Windows\system32\wermgr.exe
    C:\Windows\system32\wermgr.exe
    1⤵
    PID:1968
  • C:\Users\Admin\AppData\Local\OfkVjzV3u\osk.exe
    C:\Users\Admin\AppData\Local\OfkVjzV3u\osk.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:2072
  • C:\Users\Admin\AppData\Local\RAlrZ3Bl\wbengine.exe
    C:\Users\Admin\AppData\Local\RAlrZ3Bl\wbengine.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:484
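The process list above shows three copies of legitimate Windows binaries (osk.exe, wbengine.exe, wermgr.exe) executed from randomly named folders under %LOCALAPPDATA%, and the Downloads list below shows each copy sitting beside a DLL that carries a Windows library name (WINMM.dll, SPP.dll, wer.dll), with a shortcut written to the Startup folder for persistence. That is the classic DLL search-order hijacking layout: the loader looks in the application's own directory before System32, so the planted DLL is loaded instead of the real one. The Python below is an added example, not part of this sandbox report or of any Dridex tooling, that turns those observations into a hunt over a file inventory. The inventory is constructed from the report's dropped paths (one entry per path, plus one real System32 binary as a negative control); SYSTEM_BINARIES and SYSTEM_DLLS are assumed short allow-lists standing in for a real System32 listing.

```python
"""Hunt for the DLL side-loading staging and Startup persistence seen in this
report. Added example, not part of the sandbox report or of any Dridex tooling.
"""
import ntpath
from collections import defaultdict

# Assumed allow-list of legitimate Windows binaries that get copied out of
# System32 and side-loaded against. On a real host, build this from a
# directory listing of System32 instead of hard-coding it.
SYSTEM_BINARIES = {"osk.exe", "wbengine.exe", "wermgr.exe"}

# Assumed allow-list of system library names seen planted in this report.
SYSTEM_DLLS = {"winmm.dll", "spp.dll", "wer.dll"}

# Directories where a system binary or DLL is expected and must not fire.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Constructed inventory: one entry per dropped path from the report's
# Downloads list, plus one legitimate System32 binary as a negative control.
INVENTORY = [
    r"C:\Users\Admin\AppData\Local\OfkVjzV3u\WINMM.dll",
    r"C:\Users\Admin\AppData\Local\OfkVjzV3u\osk.exe",
    r"C:\Users\Admin\AppData\Local\RAlrZ3Bl\SPP.dll",
    r"C:\Users\Admin\AppData\Local\RAlrZ3Bl\wbengine.exe",
    r"C:\Users\Admin\AppData\Local\RRz9CFGsq\wer.dll",
    r"C:\Users\Admin\AppData\Local\RRz9CFGsq\wermgr.exe",
    r"C:\Users\Admin\AppData\Roaming\Adobe\Flash Player\Ilw7N0jCkF\wer.dll",
    r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Wdush.lnk",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\R6Od\WINMM.dll",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\acSe\SPP.dll",
    r"C:\Windows\system32\wermgr.exe",  # negative control: the real binary
]


def _split(path):
    """Normalise to lower-case backslash form and split into (dir, name)."""
    return ntpath.split(path.replace("/", "\\").lower())


def find_sideload_candidates(inventory):
    """Map directory -> (system binary name, [co-located DLL names]).

    Flags any directory outside System32/SysWOW64 that holds a copy of a
    known system binary next to at least one DLL. Because the loader searches
    the application's own directory before System32 for DLLs that are not
    KnownDLLs, a DLL planted beside a copied binary is loaded in place of the
    real one: the search-order hijack layout visible in this report.
    """
    by_dir = defaultdict(list)
    for path in inventory:
        directory, name = _split(path)
        by_dir[directory].append(name)

    findings = {}
    for directory, names in by_dir.items():
        if directory in SYSTEM_DIRS:
            continue
        exes = sorted(n for n in names if n in SYSTEM_BINARIES)
        dlls = sorted(n for n in names if n.endswith(".dll"))
        if exes and dlls:
            findings[directory] = (exes[0], dlls)
    return findings


def find_startup_shortcuts(inventory):
    """Return .lnk files written into a Start Menu Startup folder.

    Matches on the '\\programs\\startup\\' tail so that both the long form and
    the 8.3 short form of the path (STARTM~1, as in the report) are caught.
    """
    return sorted(
        path for path in inventory
        if _split(path)[1].endswith(".lnk")
        and "\\programs\\startup\\" in _split(path)[0] + "\\"
    )


def find_misplaced_system_dlls(inventory):
    """Return every DLL carrying a system library name that sits outside
    System32/SysWOW64, whether or not an executable is beside it. This also
    catches the 1.7MB copies under Roaming, which have no binary next to them
    and so are missed by the side-loading check."""
    return sorted(
        path for path in inventory
        if _split(path)[1] in SYSTEM_DLLS and _split(path)[0] not in SYSTEM_DIRS
    )


if __name__ == "__main__":
    for directory, (exe, dlls) in find_sideload_candidates(INVENTORY).items():
        print(f"side-load staging: {directory}  {exe} + {', '.join(dlls)}")
    for path in find_startup_shortcuts(INVENTORY):
        print(f"startup persistence: {path}")
    for path in find_misplaced_system_dlls(INVENTORY):
        print(f"system-named DLL outside System32: {path}")
```

On a live host the inventory would come from a filesystem walk of the user profile; the three checks stay the same, and the side-loading check is the one to extend with the real import table of each copied binary if you want to cut false positives from unrelated DLLs.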

        Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\OfkVjzV3u\WINMM.dll

          Filesize

          215KB

          MD5

          21c28197eed28d2f1eb788109c306112

          SHA1

          78d8d650adb474c5527a181d000aaffa553fddba

          SHA256

          b20e33b2c70b4947769f28ddcbbf8208c76e8857bb8a5bf0c994aebb2f64c80f

          SHA512

          0514dde9136d9d6b8b00db1d369c5a1b2e3193f5a0bf44c7d3a0a09289e9c834c57419f622900d5e7ce4be9799d5f25d574d912e0945ba4c941c78eeab0c1583

        • C:\Users\Admin\AppData\Local\OfkVjzV3u\WINMM.dll

          Filesize

          145KB

          MD5

          6c321a34180bced0b4beda5c742602e4

          SHA1

          7cd1145a69fc18f1ac2b2230b099d087c80adf45

          SHA256

          49f82fd23e80d31719ead0389cc51a3ce31c5ce6299436684bf7dc22921c3d0c

          SHA512

          4ae976085f0ff2fcc8997b653678bef1b73f84fb1428c98128a63c0e3e4ba585fd0d85d8d94ec939117671aaddcf4e3f2cd2b0544241764a24e7f8561cac5f3c

        • C:\Users\Admin\AppData\Local\OfkVjzV3u\osk.exe

          Filesize

          207KB

          MD5

          c7b4b9944cebdbf3ebcd11cbe31988cb

          SHA1

          09c510dea634ee68f6d946b8b6b8089cf589bcaa

          SHA256

          ba2244077761c0d6aa1c32c6b1ccf773e95d600f167a51d73ada55c07460a52e

          SHA512

          50a1b3a399386680202faa95ae409cb5e6fadb504112a79753ee635c14d6c8e82300328a97ea785b17d436e93490efdc9d4629aa6ae229c6e4b06ae71c704e0d

        • C:\Users\Admin\AppData\Local\OfkVjzV3u\osk.exe

          Filesize

          153KB

          MD5

          900c1367db60154c3bbbb07342118ab5

          SHA1

          83e3113daff8086098b5e042788621879a555687

          SHA256

          2c1965f48c3f0b662a96866fe660ae48f83df8c360f4c070bc527fe5e6513ad6

          SHA512

          ecc1c3323ce42428a355628441a7f0d8ee652d4395e8005980574b22aba41d1fa1a0a010955af199c54c37a110275a24040ec10ad756c6c308f9a34bfad51979

        • C:\Users\Admin\AppData\Local\RAlrZ3Bl\SPP.dll

          Filesize

          35KB

          MD5

          a729fef85b60ffdef20fd592a09096f3

          SHA1

          535ebc8438bff63f4fe22cdb29605934ee1bf6df

          SHA256

          836d40ccc39949118d58c9c7eacac249c047ef484cd510a6e01f731cd2b57e65

          SHA512

          cf45b9a29c84028f66ba69f6cdc7702888e5b7b74281edd4b0c3e30a4f7e1e42aeb8411b89623f56810b24c430c6e8e5fbf16e4487d12973dac82423bc6962c4

        • C:\Users\Admin\AppData\Local\RAlrZ3Bl\SPP.dll

          Filesize

          139KB

          MD5

          cf73c4d270dfe003038a1780e482725d

          SHA1

          811d03ec6ae8cfa3b46368ca3e09e683ec65ec78

          SHA256

          44e8ec7a2f39873d0a37c390a6be17805f9e5ad05f961c2ab10f530404b6f167

          SHA512

          7340adff2409d12fc94b0d7c7073141d76886f6dc10759d49968a0657c2f5436df4bcf9f9bc17650822f3427c69cf690ad3f8bd59295dca86fc736ff8ef93a2d

        • C:\Users\Admin\AppData\Local\RAlrZ3Bl\wbengine.exe

          Filesize

          219KB

          MD5

          8b2479c9554a6abb7193fc2c105f01a2

          SHA1

          b3cb8c6809e6489a4cb4078c0167b21142d47b7f

          SHA256

          3c4276408edc02892b009ecd9471802bb83641d20193db1a4858ce818914bffb

          SHA512

          9537626a01e3058331deb1008b218c32da1e9c8aa6da7cef0cbf5e3b9d92922572b74052c783f60d33088ab72a205d9679e469c48269f9d49d82ae737d7a0a57

        • C:\Users\Admin\AppData\Local\RAlrZ3Bl\wbengine.exe

          Filesize

          311KB

          MD5

          395af89ad7ef78c034a3c32f1db8e609

          SHA1

          2b9577cecbbd6ccc34822fff8dd5924e74793c5b

          SHA256

          bf4d0d80ca13fd03ba1fed089a688f391399c8452d1ea9aa9e91dbb3eb986d56

          SHA512

          b39fa47021e50d0467fa6f4544609bac0108cbc86ab71ed9cf580b21554c50955e5f03bbb24c16e5c7293ced5a31df38ab9b4cf1638f1190ea229964d9b80382

        • C:\Users\Admin\AppData\Local\RRz9CFGsq\wer.dll

          Filesize

          173KB

          MD5

          e64fb2ee507ba8ee8990022464e2f0c4

          SHA1

          09b009ede447aea0ada55ff24acbabe6afd26143

          SHA256

          136b0279adb053f8418e25a1eaf63023d85645e1edcdf9b50a016d00a8c15845

          SHA512

          591b9a9a0466bf5163007a75b79683de15a71c0fcbcad308a64f28029b0c71fa8491b844d34461dd499bfe757cfdd07334c8c0d125c97452c64609450c3704a5

        • C:\Users\Admin\AppData\Local\RRz9CFGsq\wer.dll

          Filesize

          182KB

          MD5

          81f89616aebce00d18d4c1f47356b888

          SHA1

          4d39f1e251aabd805d0e8945d908517390eab859

          SHA256

          21ba026219c7142f909184f2d73e777f597e85424c4599f91e118cdb828da8fa

          SHA512

          542ebe34e345c44c76471f1eda330d507d9a735a3f143950b652cb62015b96376833366baba2c8fa3136a0ce92d2f18d6fb16fc6e852f8c0f5265e774eb79f51

        • C:\Users\Admin\AppData\Local\RRz9CFGsq\wermgr.exe

          Filesize

          88KB

          MD5

          ca02e312be7aaedfc0fa0b818098f7c7

          SHA1

          a5b2554b7d7fa017af7a3df88d4f351f2ce9589b

          SHA256

          f7f78ab6499e6c873bc1328defb8d9e4aa5bc79c893bfff4d78fccbbad813b2d

          SHA512

          fb0bc469014c20c3bef8191a5938483d335e7036e22c29627243cd70f3275d407046bba0d33b5f3e0dd103b525e6b8a44d77d28d354bc6de7c5b26bd714d85e1

        • C:\Users\Admin\AppData\Local\RRz9CFGsq\wermgr.exe

          Filesize

          223KB

          MD5

          f7991343cf02ed92cb59f394e8b89f1f

          SHA1

          573ad9af63a6a0ab9b209ece518fd582b54cfef5

          SHA256

          1c09759dcd31fdc81bcd6685438d7efb34e0229f1096bfd57d41ecfe614d07dc

          SHA512

          fa3cf314100f5340c7d0f6a70632a308fcadb4b48785753310a053a510169979a89637b8b4fedf4d3690db6b8b55146e323cad70d704c4e2ede4edff5284237d

        • C:\Users\Admin\AppData\Roaming\Adobe\Flash Player\Ilw7N0jCkF\wer.dll

          Filesize

          1.7MB

          MD5

          109c9392cc6c3aaa2aaa0b13ff32f4f3

          SHA1

          732696b9d12d0b491c1f6d4f9bf8e5738212c7c9

          SHA256

          6f7b8abea170e0180a80fa3bea1f42f91b22b9a820fc66558bf64d27d35e358e

          SHA512

          173ca3346f77c775e66d93fb4b78923d9547b8fc82c0e0ac854b18b53b85472199e67e4102838dde15f8eba879b702baebc44aecce8a7b867a20d0d6425c5c21

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Wdush.lnk

          Filesize

          1KB

          MD5

          0c5ff9fb2c7b0191974f47218bd4265e

          SHA1

          89d46132f7264bf509fbe6f089764ef8ddd6703b

          SHA256

          1086f843ce9b1b3b3c08d4bace531d1b3694153d44dc3e2191c5aa582e37e095

          SHA512

          7378bea77ab32d63408ea62730f1608fa765c60039df4d56cf642110083dde885e34ffeffaa1043b9dc0934648cc6022bd64d4c14e9bcee6faea2a0499084022

        • C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\R6Od\WINMM.dll

          Filesize

          1.7MB

          MD5

          620b881007161068583a2699acf62320

          SHA1

          44eb1fbd44bcedad9fb8c2e54f26d54b7af8d1ec

          SHA256

          13c3a514f14d138548009784696a1f64761550e5282bfa90df42c17e075a2153

          SHA512

          33617be43680fe15a594fca7e40d81bc5ac7d2ad99a7c334db96dec583f04ce5eb48ad4d13e803ff330f76eaace9ed16872286a50a1bed4d8aedb549bc3854f6

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\acSe\SPP.dll

          Filesize

          1.7MB

          MD5

          da5939c641d372eb07d0322b038782e5

          SHA1

          2c4d063ec73c1f85ce1e3e2409227478e66251d1

          SHA256

          711ea12c6200dd07c33646ffe13dc7f4d79a6a9e2f65d7cd43752b5a3f518674

          SHA512

          d854c934b426c85710823489a845256e296f84b626d6a2c6cef4d5c370af65f46d281d6e93ea4f4267319d903487450f09613b89b1eddd50d806ecfc7c742bf9

        • memory/368-8-0x0000000140000000-0x00000001401B6000-memory.dmp

          Filesize

          1.7MB

        • memory/368-2-0x0000000000B20000-0x0000000000B27000-memory.dmp

          Filesize

          28KB

        • memory/368-0-0x0000000140000000-0x00000001401B6000-memory.dmp

          Filesize

          1.7MB

        • memory/484-67-0x0000022A79140000-0x0000022A79147000-memory.dmp

          Filesize

          28KB

        • memory/484-72-0x0000000140000000-0x00000001401B7000-memory.dmp

          Filesize

          1.7MB

        • memory/484-66-0x0000000140000000-0x00000001401B7000-memory.dmp

          Filesize

          1.7MB

        • memory/2072-83-0x0000000140000000-0x00000001401B8000-memory.dmp

          Filesize

          1.7MB

        • memory/2072-84-0x000001F199340000-0x000001F199347000-memory.dmp

          Filesize

          28KB

        • memory/2072-89-0x0000000140000000-0x00000001401B8000-memory.dmp

          Filesize

          1.7MB

        • memory/3504-31-0x0000000140000000-0x00000001401B6000-memory.dmp

          Filesize

          1.7MB

        • memory/3504-26-0x0000000140000000-0x00000001401B6000-memory.dmp

          Filesize

          1.7MB

        • memory/3504-45-0x0000000140000000-0x00000001401B6000-memory.dmp

          Filesize

          1.7MB

        • memory/3504-33-0x0000000140000000-0x00000001401B6000-memory.dmp

          Filesize

          1.7MB

        • memory/3504-46-0x00007FFAD1660000-0x00007FFAD1670000-memory.dmp

          Filesize

          64KB

        • memory/3504-57-0x0000000140000000-0x00000001401B6000-memory.dmp

          Filesize

          1.7MB

        • memory/3504-10-0x0000000140000000-0x00000001401B6000-memory.dmp

          Filesize

          1.7MB

        • memory/3504-11-0x0000000140000000-0x00000001401B6000-memory.dmp

          Filesize

          1.7MB

        • memory/3504-37-0x0000000140000000-0x00000001401B6000-memory.dmp

          Filesize

          1.7MB

        • memory/3504-19-0x0000000140000000-0x00000001401B6000-memory.dmp

          Filesize

          1.7MB

        • memory/3504-21-0x0000000140000000-0x00000001401B6000-memory.dmp

          Filesize

          1.7MB

        • memory/3504-24-0x0000000140000000-0x00000001401B6000-memory.dmp

          Filesize

          1.7MB

        • memory/3504-38-0x0000000002D90000-0x0000000002D97000-memory.dmp

          Filesize

          28KB

        • memory/3504-36-0x0000000140000000-0x00000001401B6000-memory.dmp

          Filesize

          1.7MB

        • memory/3504-25-0x0000000140000000-0x00000001401B6000-memory.dmp

          Filesize

          1.7MB

        • memory/3504-23-0x0000000140000000-0x00000001401B6000-memory.dmp

          Filesize

          1.7MB

        • memory/3504-22-0x0000000140000000-0x00000001401B6000-memory.dmp

          Filesize

          1.7MB

        • memory/3504-7-0x0000000140000000-0x00000001401B6000-memory.dmp

          Filesize

          1.7MB

        • memory/3504-20-0x0000000140000000-0x00000001401B6000-memory.dmp

          Filesize

          1.7MB

        • memory/3504-9-0x0000000140000000-0x00000001401B6000-memory.dmp

          Filesize

          1.7MB

        • memory/3504-12-0x0000000140000000-0x00000001401B6000-memory.dmp

          Filesize

          1.7MB

        • memory/3504-35-0x0000000140000000-0x00000001401B6000-memory.dmp

          Filesize

          1.7MB

        • memory/3504-13-0x0000000140000000-0x00000001401B6000-memory.dmp

          Filesize

          1.7MB

        • memory/3504-28-0x0000000140000000-0x00000001401B6000-memory.dmp

          Filesize

          1.7MB

        • memory/3504-18-0x0000000140000000-0x00000001401B6000-memory.dmp

          Filesize

          1.7MB

        • memory/3504-17-0x0000000140000000-0x00000001401B6000-memory.dmp

          Filesize

          1.7MB

        • memory/3504-55-0x0000000140000000-0x00000001401B6000-memory.dmp

          Filesize

          1.7MB

        • memory/3504-32-0x0000000140000000-0x00000001401B6000-memory.dmp

          Filesize

          1.7MB

        • memory/3504-34-0x0000000140000000-0x00000001401B6000-memory.dmp

          Filesize

          1.7MB

        • memory/3504-30-0x0000000140000000-0x00000001401B6000-memory.dmp

          Filesize

          1.7MB

        • memory/3504-29-0x0000000140000000-0x00000001401B6000-memory.dmp

          Filesize

          1.7MB

        • memory/3504-27-0x0000000140000000-0x00000001401B6000-memory.dmp

          Filesize

          1.7MB

        • memory/3504-16-0x0000000140000000-0x00000001401B6000-memory.dmp

          Filesize

          1.7MB

        • memory/3504-5-0x00007FFAD15CA000-0x00007FFAD15CB000-memory.dmp

          Filesize

          4KB

        • memory/3504-4-0x0000000007FE0000-0x0000000007FE1000-memory.dmp

          Filesize

          4KB

        • memory/3504-14-0x0000000140000000-0x00000001401B6000-memory.dmp

          Filesize

          1.7MB

        • memory/3504-15-0x0000000140000000-0x00000001401B6000-memory.dmp

          Filesize

          1.7MB

        • memory/4796-103-0x0000025E2F920000-0x0000025E2F927000-memory.dmp

          Filesize

          28KB

        • memory/4796-106-0x0000000140000000-0x00000001401B8000-memory.dmp

          Filesize

          1.7MB