Analysis

  • max time kernel
    150s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    28-01-2024 07:43

General

  • Target

    7c8beaa0420a5e1596bd7da96586b811.dll

  • Size

    2.1MB

  • MD5

    7c8beaa0420a5e1596bd7da96586b811

  • SHA1

    ba39edf8926c0666f12d85ae5cb2dbb4c507bd02

  • SHA256

    0f35ac401b512fd1dfd8434325a834942af1b28bd25d7b39dc76e457569cb08d

  • SHA512

    ad8ebf3f33240e18c5be247bfcc65d59ca2e46528a66dcd2e768d474c9c2eabe2932b7583c306c75e63cd3ed89aab2bcdd579f89bc5d21ca38b44fc9b94a9799

  • SSDEEP

    12288:OVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:TfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a banking trojan that specializes in stealing online banking credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex payload shellcode injected into the Explorer process.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\7c8beaa0420a5e1596bd7da96586b811.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:3028
  • C:\Windows\system32\StikyNot.exe
    C:\Windows\system32\StikyNot.exe
    1⤵
    PID:2964
  • C:\Users\Admin\AppData\Local\95PM4dzT\StikyNot.exe
    C:\Users\Admin\AppData\Local\95PM4dzT\StikyNot.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:1104
  • C:\Users\Admin\AppData\Local\Zt4HpEcKD\perfmon.exe
    C:\Users\Admin\AppData\Local\Zt4HpEcKD\perfmon.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:1980
  • C:\Windows\system32\perfmon.exe
    C:\Windows\system32\perfmon.exe
    1⤵
    PID:1608
  • C:\Users\Admin\AppData\Local\bHD5Y\perfmon.exe
    C:\Users\Admin\AppData\Local\bHD5Y\perfmon.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:1856
  • C:\Windows\system32\perfmon.exe
    C:\Windows\system32\perfmon.exe
    1⤵
    PID:2456
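
The process tree above shows copies of two Windows binaries (StikyNot.exe, perfmon.exe) executing from random-named directories under AppData\Local, and the Downloads section below lists a DLL carrying a Windows system DLL name (slc.dll, credui.dll) written beside each of them, plus Aqrvnhd.lnk in the per-user Startup folder. That layout is consistent with the DLL search-order hijacking (sideloading) Dridex loaders are known for: the legitimate EXE is launched from the staging directory and picks up the attacker's DLL before the one in System32. The following Python is an added example, not part of the sandbox output, that flags that layout, the report's own SHA-256 values and the Startup shortcut in a file listing. SAMPLE_LISTING is constructed from the report's paths and hashes; its last entry (a legitimate C:\Windows\system32\perfmon.exe with an all-zero placeholder hash) is invented so the System32 exclusion is exercised, and the Entry and find_* names are this example's own.

```python
"""Added example: flag the sideloading layout and IOCs seen in this report.

Not part of the sandbox output. The listing below is constructed from the
report's "Downloads" paths and SHA-256 values; the final entry (a legitimate
copy of perfmon.exe with an all-zero placeholder hash) is invented so that
the System32 exclusion is exercised.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# SHA-256 values copied from the report's dropped-file list.
KNOWN_BAD_SHA256 = {
    "0f35ac401b512fd1dfd8434325a834942af1b28bd25d7b39dc76e457569cb08d": "submitted DLL",
    "aa8246949f19fd9963461591183c8ebdbe40dcff7022a89125687aba4fdae79f": "Identities\\ej9EYyKTGU\\credui.dll",
    "ed642a3d9e889215b88712b6c4f90367c308228754bfb71019cb0ed546869ec8": "Cookies\\Low\\KH6H6\\slc.dll",
    "69b97168729a9376fe8abc0c6297ba893ce564ecbb5d5d9a4df946c90159d98a": "Templates\\CrIVl0TkTGm\\credui.dll",
    "3038cf9ab9fe6727f7bb82b37f0279c0cc04b76be6308c1ba4a1cf8de0c4bec9": "Startup\\Aqrvnhd.lnk",
}

# Windows binaries the report shows being copied out of System32, and the
# system DLL names the dropper places beside them for search-order hijacking.
SYSTEM_EXES = {"stikynot.exe", "perfmon.exe"}
SYSTEM_DLLS = {"slc.dll", "credui.dll"}
STARTUP_LNK_RE = re.compile(r"\\start menu\\programs\\startup\\[^\\]+\.lnk$")


@dataclass(frozen=True)
class Entry:
    path: str
    sha256: str


def normalize(path: str) -> str:
    """Expand the 8.3 short names the report prints, drop the drive letter
    (the report mixes 'C:\\...' and '\\...' forms) and lowercase."""
    p = path.replace("MICROS~1", "Microsoft").replace("STARTM~1", "Start Menu")
    p = re.sub(r"^[A-Za-z]:", "", p)
    return p.lower()


def find_sideload_sets(entries):
    """Directories outside \\Windows holding a system-named EXE next to a
    system-named DLL: [(dir, [exes], [dlls]), ...] sorted by directory."""
    by_dir = defaultdict(set)
    for e in entries:
        d, _, name = normalize(e.path).rpartition("\\")
        by_dir[d].add(name)
    hits = []
    for d, names in sorted(by_dir.items()):
        if d.startswith("\\windows\\"):
            continue
        exes, dlls = names & SYSTEM_EXES, names & SYSTEM_DLLS
        if exes and dlls:
            hits.append((d, sorted(exes), sorted(dlls)))
    return hits


def find_known_hashes(entries):
    """Entries whose SHA-256 matches one of the report's IOCs."""
    return [(e.path, KNOWN_BAD_SHA256[e.sha256]) for e in entries if e.sha256 in KNOWN_BAD_SHA256]


def find_startup_links(entries):
    """Shortcut files dropped into the per-user Startup folder."""
    return [e.path for e in entries if STARTUP_LNK_RE.search(normalize(e.path))]


# Constructed listing: paths and hashes from the report, last entry invented.
SAMPLE_LISTING = [
    Entry(r"C:\Users\Admin\AppData\Local\95PM4dzT\StikyNot.exe",
          "10dabaa8ad1741d72e97766672a22cd704fe197ce123f3ee7c510d3a85891b36"),
    Entry(r"C:\Users\Admin\AppData\Local\95PM4dzT\slc.dll",
          "22d5144d33a0d1bfc5cd8de08c6c54533ec0fdeb489ef2772c7089a421c847fc"),
    Entry(r"C:\Users\Admin\AppData\Local\Zt4HpEcKD\perfmon.exe",
          "23b55d4059f40b37b423ef4f24e5e5d50e82dc6944262832e5fc26bf173d2bfd"),
    Entry(r"C:\Users\Admin\AppData\Local\Zt4HpEcKD\credui.dll",
          "f44142c3c521e8d717b81a88b8c576567b7e0c5d14f2ae70ff7943c3b1011413"),
    Entry(r"C:\Users\Admin\AppData\Roaming\Identities\ej9EYyKTGU\credui.dll",
          "aa8246949f19fd9963461591183c8ebdbe40dcff7022a89125687aba4fdae79f"),
    Entry(r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Aqrvnhd.lnk",
          "3038cf9ab9fe6727f7bb82b37f0279c0cc04b76be6308c1ba4a1cf8de0c4bec9"),
    Entry(r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\CrIVl0TkTGm\credui.dll",
          "69b97168729a9376fe8abc0c6297ba893ce564ecbb5d5d9a4df946c90159d98a"),
    Entry(r"\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\CrIVl0TkTGm\perfmon.exe",
          "c44b9cd6994319172fcb562e51ff5f563b05c3e659f4518aca4eeaf0d1143425"),
    Entry(r"C:\Windows\system32\perfmon.exe", "0" * 64),  # invented: legitimate copy
]

if __name__ == "__main__":
    for d, exes, dlls in find_sideload_sets(SAMPLE_LISTING):
        print(f"sideload set in {d}: {exes} + {dlls}")
    for path, label in find_known_hashes(SAMPLE_LISTING):
        print(f"known IOC hash: {path} ({label})")
    for path in find_startup_links(SAMPLE_LISTING):
        print(f"startup persistence: {path}")
```

The pairing check is deliberately name-based rather than hash-based: the staged EXEs are unmodified Windows binaries and hash differently per Windows build, and the report itself lists the same slc.dll and credui.dll paths with several different sizes and hashes, so a hash list alone would miss the next staging directory. Feed it a real listing (for example the output of `Get-ChildItem -Recurse $env:LOCALAPPDATA,$env:APPDATA` hashed with `Get-FileHash`) and a hit on a directory holding both a system-named EXE and a system-named DLL is the thing to triage first.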

        Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\95PM4dzT\StikyNot.exe

          Filesize

          59KB

          MD5

          63dc867eaf0b0ef8c49fc781c205bbc7

          SHA1

          fac7d73191e53ffd200243bbd51f84b58ef1dd9f

          SHA256

          10dabaa8ad1741d72e97766672a22cd704fe197ce123f3ee7c510d3a85891b36

          SHA512

          2858160e0e5661d122f13e7f9c195cb4f22ddc4761a5a695bb96eab9b471e61f448c6b7591c4a80c227957179daf9555afd54f2cc07e2a66151f89f61d22e320

        • C:\Users\Admin\AppData\Local\95PM4dzT\StikyNot.exe

          Filesize

          16KB

          MD5

          0d6e241faa0e94ff5946cead6d4acd47

          SHA1

          39efe8274c2e67a30c67966d8ef86e664eac7796

          SHA256

          1390a3102208e1525dcb61191f448b65c4d9ea619b03706d4f4b924d8e402266

          SHA512

          13b84bbdc4cd8cbe448f5631094a659722dfbbbb3a4fe74bf5a5960a6ce85af744e17ba6ce693668cdde9de614a389082073027643e0580adf8fcbc604d7bd38

        • C:\Users\Admin\AppData\Local\95PM4dzT\slc.dll

          Filesize

          49KB

          MD5

          487e0f40f9665bcdef57b7b267f0814a

          SHA1

          0d4157a16a223eb1130324748d29d31f569e9a7a

          SHA256

          22d5144d33a0d1bfc5cd8de08c6c54533ec0fdeb489ef2772c7089a421c847fc

          SHA512

          ea0ff9795960e43a4bccd0ede351e6f2b1f68954f87912881f1928b538cc79759bb24e46b1cb2467f83ea874d693f586a790873def3771862af4a3e6cfeb6eb5

        • C:\Users\Admin\AppData\Local\Zt4HpEcKD\credui.dll

          Filesize

          185KB

          MD5

          cfcd924d256f6d4a72ffeace0ff83280

          SHA1

          5d10d6a3a28f0d34420d20ffd1940d802fecdb45

          SHA256

          f44142c3c521e8d717b81a88b8c576567b7e0c5d14f2ae70ff7943c3b1011413

          SHA512

          818d1ecbfc4a8591c09c9d23d78b86d573c6c3555a2bda4dfa5ad6af68868a62f6fa644fb0bf535032093245aab55b57dc8554f8d4e9edbe11b3e1117c26b92c

        • C:\Users\Admin\AppData\Local\Zt4HpEcKD\perfmon.exe

          Filesize

          108KB

          MD5

          94e27dd527c12c7cfc0b289ab70459ea

          SHA1

          5a86418962e010c4438ac90cecfa093ab6825e59

          SHA256

          23b55d4059f40b37b423ef4f24e5e5d50e82dc6944262832e5fc26bf173d2bfd

          SHA512

          2ba75649533d54b01720c96879c6406a9b9be91aba0b1a4cb962448bbe97b9c2eb40041d3811a07b5fd39fad21a1c0c82a2bc12b7413f7f198885550e1aa7efc

        • C:\Users\Admin\AppData\Local\Zt4HpEcKD\perfmon.exe

          Filesize

          68KB

          MD5

          d77e04e50acbf596ae610b4c784e0c97

          SHA1

          307d65723a1ef9e22beaae201e1b963ee5cbb724

          SHA256

          1c905c7ad5a34319e346573fd93455bb38bd9e5c5a1de4fb5c1dab9ed5d9243c

          SHA512

          e2eef564a3da32db872b5140b8dc24772bb584daec8cb3ecd342b92833afef40d4d5cbe7ad099976c31b388c8b9d9b671a4302c8954cc07b20cabe1e30280e37

        • C:\Users\Admin\AppData\Local\bHD5Y\credui.dll

          Filesize

          281KB

          MD5

          5af4954be1a7c9ce0bd5aa6dcab6afa4

          SHA1

          68f63842135a503796711958e1f3889b2af94272

          SHA256

          d6e1bdcde3ceaf8a440c2dbcc0b5d7518cf66c18dc0ba1a66dedfd7622828b90

          SHA512

          350e8837b012bd0fcbf21bbed90f17dfde14de648bbc213e92e8a831ccfcb8cf132c9bd7a3e23a0e1b21be27ffb3c404b0915b674718cd7dfc55f90a6c487ba9

        • C:\Users\Admin\AppData\Local\bHD5Y\perfmon.exe

          Filesize

          168KB

          MD5

          3eb98cff1c242167df5fdbc6441ce3c5

          SHA1

          730b27a1c92e8df1e60db5a6fc69ea1b24f68a69

          SHA256

          6d8d5a244bb5a23c95653853fec3d04d2bdd2df5cff8cffb9848bddeb6adb081

          SHA512

          f42be2a52d97fd1db2ed5a1a1a81a186a0aab41204980a103df33a4190632ba03f3cbb88fcea8da7ed9a5e15f60732d49a924b025fe6d3e623195ec1d37dfb35

        • C:\Users\Admin\AppData\Roaming\Identities\ej9EYyKTGU\credui.dll

          Filesize

          2.1MB

          MD5

          7d8a47faaa5b6fbf38c9b7bd1cbdb07f

          SHA1

          12c120e2f115041c53c60994b477507e7ebc559c

          SHA256

          aa8246949f19fd9963461591183c8ebdbe40dcff7022a89125687aba4fdae79f

          SHA512

          34c1f6af1ed237e9467e9d893c31bb8c82d90a92bfcf3bbd7349f2a95fa35337232d6b4bc2db04a0db490532103f6aedc1023a8e3116d453c6e1b1d0c4931ab3

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Aqrvnhd.lnk

          Filesize

          1KB

          MD5

          ed5fd88d8eff8cd05e5c57570392773f

          SHA1

          68401a26c4ced77d3b9918e4a236ea50cc44864b

          SHA256

          3038cf9ab9fe6727f7bb82b37f0279c0cc04b76be6308c1ba4a1cf8de0c4bec9

          SHA512

          23fa6fe92b0f117a428cdf54f75ca660fdc16286d224b07e7bf4a66461361f58094f9828079ce2b598d83ed84400f019ee95e05a3c2c0fc3d4945fe79effd732

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\KH6H6\slc.dll

          Filesize

          2.1MB

          MD5

          02a6bdbac857ef4aaca518458b162fb7

          SHA1

          2132a5c825f8c2a92806ef388538a991167693ff

          SHA256

          ed642a3d9e889215b88712b6c4f90367c308228754bfb71019cb0ed546869ec8

          SHA512

          02dddb41963f52d923913c69f4d544edb772cab0436768578663f0ced46abba94ed60d46c754b6bf1fd6b967bacb5de9fe9628eb0a0ee4584ccce925e4e2cbfc

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\CrIVl0TkTGm\credui.dll

          Filesize

          2.1MB

          MD5

          310fb471ad0c6e61a606184787d0953f

          SHA1

          01f14f72dcbbf57ead7e3ca140da5c4bceb7de83

          SHA256

          69b97168729a9376fe8abc0c6297ba893ce564ecbb5d5d9a4df946c90159d98a

          SHA512

          b13211c824d70f930360c75138a5c8197b89242f708919f03514ae172c4a508c2deacdb1f3372450b4882024a18feac86be51f855b7e41dc716eb449c30db90f

        • \Users\Admin\AppData\Local\95PM4dzT\StikyNot.exe

          Filesize

          34KB

          MD5

          522b113898a30aadc107c9a37e5b3ef0

          SHA1

          fa7d5f78dfebd992001f714a8a4a2d548749b9c4

          SHA256

          22ae5d362a8e118a7213edaa1166410c0a65bd90a75c5a5c59615edd86af38fb

          SHA512

          47c46f03f950c304a36886503f68dc92c508cda5be1d7bb667a24d7cf8cab81f61740ae8a1e70633923a5f928511f94c8732a87d39d340aec53a09b40063128e

        • \Users\Admin\AppData\Local\95PM4dzT\slc.dll

          Filesize

          92KB

          MD5

          314ad450645ef3de198374454c49ef74

          SHA1

          f059b014912ebb976d2acad4852d49269e36eade

          SHA256

          a076523b152d90c55ad077a1307f1e8f9b09cf698b876394f6efd46de233fd94

          SHA512

          9abde651aa4a03cc36f88e555a656abd07925c5a83b6d2cdd5ee00657f0687522357d82c9d00398326b2652053a03e2bf3fefb1ccd39ef4c7879cbb882cb0e6a

        • \Users\Admin\AppData\Local\Zt4HpEcKD\credui.dll

          Filesize

          169KB

          MD5

          f67ea19ce37e0fbda58dcc86bced08c5

          SHA1

          20a600bf6ea67418f6bbe7a7464f93925e59771e

          SHA256

          055dc40a98af18e5d9afd2dd93e852b2d89a8f39f6b84a3c6a2e71d3d04dc239

          SHA512

          9a32ef22400e6ac172f81d7b6fdbb3797b8b9f1e8e3ee5c83471b12fc1ac4d7570bffb59383b686382ec56aae0972226d3102c86c3764e68fac30a8e9a60ca37

        • \Users\Admin\AppData\Local\Zt4HpEcKD\perfmon.exe

          Filesize

          19KB

          MD5

          445af7bf9c74bd296eba29b1b00a8fe3

          SHA1

          12ffc8223f6b2ad089df5d16a8d921576073dccd

          SHA256

          a4778e3139a4cd550c35e93589bf56f36c60e831d2cb6570dc4fe337955421ec

          SHA512

          4bead441cd5decb0390678f4f04587930ae455d66ee8b856ec0b843ad611726a509f0e0d53ee0be1df197ed32926b115ae6733a05ab69e4288cd54f65a0d3740

        • \Users\Admin\AppData\Local\bHD5Y\credui.dll

          Filesize

          147KB

          MD5

          d90a2c5d6e684d7cf06aed24bb9650c8

          SHA1

          2fbfb5b1ed4255b72864e5364c56396a8e81030d

          SHA256

          82e68fc1bef22c81f194b6219852e215ea34268a9ac994f7c12d86b336f97ab9

          SHA512

          bc008a6d343389aa810af71e6095553ff787667c2bbc682be631b7e0324ea74a0ccebb582d52d4a2c67cac277d090dad78275bcaf907f4efe7e4af8f55bea7a1

        • \Users\Admin\AppData\Local\bHD5Y\perfmon.exe

          Filesize

          136KB

          MD5

          29956abd1568da47bfafcdd46d451051

          SHA1

          96c90ff0a56727f41a738fff7e13b1dc4fb806f3

          SHA256

          fadc82fd045e1c3896eb51098ba597592a785f790defd54ec28a6fe30004e858

          SHA512

          1e31d0cfd3ad66e2b04187a02f3355412eed7c8aabae33880d33b359dd4eedbb3575793223783ff8c363f6082913cd03aa5c3efbeb70af96823f138530516eb1

        • \Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\CrIVl0TkTGm\perfmon.exe

          Filesize

          94KB

          MD5

          69f3986e03dc8f2627e9480445ad441b

          SHA1

          60e294fd5a834435e114e49b84cbcc9ff9f68aaa

          SHA256

          c44b9cd6994319172fcb562e51ff5f563b05c3e659f4518aca4eeaf0d1143425

          SHA512

          54d613de236968f9ad681cf468b6660676ec7baed424abb15712fd72a9568fa72db606d0b15da197892110beae262dc705ff249542abfc27ea8eb23d8ff11b92

        • memory/1104-92-0x0000000000110000-0x0000000000117000-memory.dmp

          Filesize

          28KB

        • memory/1380-33-0x0000000140000000-0x000000014021D000-memory.dmp

          Filesize

          2.1MB

        • memory/1380-22-0x0000000140000000-0x000000014021D000-memory.dmp

          Filesize

          2.1MB

        • memory/1380-66-0x00000000775F1000-0x00000000775F2000-memory.dmp

          Filesize

          4KB

        • memory/1380-51-0x0000000140000000-0x000000014021D000-memory.dmp

          Filesize

          2.1MB

        • memory/1380-50-0x0000000140000000-0x000000014021D000-memory.dmp

          Filesize

          2.1MB

        • memory/1380-49-0x0000000140000000-0x000000014021D000-memory.dmp

          Filesize

          2.1MB

        • memory/1380-47-0x0000000140000000-0x000000014021D000-memory.dmp

          Filesize

          2.1MB

        • memory/1380-46-0x0000000140000000-0x000000014021D000-memory.dmp

          Filesize

          2.1MB

        • memory/1380-74-0x0000000140000000-0x000000014021D000-memory.dmp

          Filesize

          2.1MB

        • memory/1380-63-0x0000000140000000-0x000000014021D000-memory.dmp

          Filesize

          2.1MB

        • memory/1380-53-0x0000000140000000-0x000000014021D000-memory.dmp

          Filesize

          2.1MB

        • memory/1380-43-0x0000000140000000-0x000000014021D000-memory.dmp

          Filesize

          2.1MB

        • memory/1380-42-0x0000000140000000-0x000000014021D000-memory.dmp

          Filesize

          2.1MB

        • memory/1380-41-0x0000000140000000-0x000000014021D000-memory.dmp

          Filesize

          2.1MB

        • memory/1380-40-0x0000000140000000-0x000000014021D000-memory.dmp

          Filesize

          2.1MB

        • memory/1380-55-0x0000000140000000-0x000000014021D000-memory.dmp

          Filesize

          2.1MB

        • memory/1380-39-0x0000000140000000-0x000000014021D000-memory.dmp

          Filesize

          2.1MB

        • memory/1380-37-0x0000000140000000-0x000000014021D000-memory.dmp

          Filesize

          2.1MB

        • memory/1380-36-0x0000000140000000-0x000000014021D000-memory.dmp

          Filesize

          2.1MB

        • memory/1380-35-0x0000000140000000-0x000000014021D000-memory.dmp

          Filesize

          2.1MB

        • memory/1380-56-0x0000000002470000-0x0000000002477000-memory.dmp

          Filesize

          28KB

        • memory/1380-32-0x0000000140000000-0x000000014021D000-memory.dmp

          Filesize

          2.1MB

        • memory/1380-31-0x0000000140000000-0x000000014021D000-memory.dmp

          Filesize

          2.1MB

        • memory/1380-30-0x0000000140000000-0x000000014021D000-memory.dmp

          Filesize

          2.1MB

        • memory/1380-28-0x0000000140000000-0x000000014021D000-memory.dmp

          Filesize

          2.1MB

        • memory/1380-27-0x0000000140000000-0x000000014021D000-memory.dmp

          Filesize

          2.1MB

        • memory/1380-26-0x0000000140000000-0x000000014021D000-memory.dmp

          Filesize

          2.1MB

        • memory/1380-24-0x0000000140000000-0x000000014021D000-memory.dmp

          Filesize

          2.1MB

        • memory/1380-23-0x0000000140000000-0x000000014021D000-memory.dmp

          Filesize

          2.1MB

        • memory/1380-67-0x0000000077750000-0x0000000077752000-memory.dmp

          Filesize

          8KB

        • memory/1380-21-0x0000000140000000-0x000000014021D000-memory.dmp

          Filesize

          2.1MB

        • memory/1380-19-0x0000000140000000-0x000000014021D000-memory.dmp

          Filesize

          2.1MB

        • memory/1380-18-0x0000000140000000-0x000000014021D000-memory.dmp

          Filesize

          2.1MB

        • memory/1380-17-0x0000000140000000-0x000000014021D000-memory.dmp

          Filesize

          2.1MB

        • memory/1380-16-0x0000000140000000-0x000000014021D000-memory.dmp

          Filesize

          2.1MB

        • memory/1380-15-0x0000000140000000-0x000000014021D000-memory.dmp

          Filesize

          2.1MB

        • memory/1380-14-0x0000000140000000-0x000000014021D000-memory.dmp

          Filesize

          2.1MB

        • memory/1380-12-0x0000000140000000-0x000000014021D000-memory.dmp

          Filesize

          2.1MB

        • memory/1380-11-0x0000000140000000-0x000000014021D000-memory.dmp

          Filesize

          2.1MB

        • memory/1380-10-0x0000000140000000-0x000000014021D000-memory.dmp

          Filesize

          2.1MB

        • memory/1380-8-0x0000000140000000-0x000000014021D000-memory.dmp

          Filesize

          2.1MB

        • memory/1380-4-0x00000000773E6000-0x00000000773E7000-memory.dmp

          Filesize

          4KB

        • memory/1380-5-0x0000000002490000-0x0000000002491000-memory.dmp

          Filesize

          4KB

        • memory/1380-9-0x0000000140000000-0x000000014021D000-memory.dmp

          Filesize

          2.1MB

        • memory/1380-54-0x0000000140000000-0x000000014021D000-memory.dmp

          Filesize

          2.1MB

        • memory/1380-159-0x00000000773E6000-0x00000000773E7000-memory.dmp

          Filesize

          4KB

        • memory/1380-52-0x0000000140000000-0x000000014021D000-memory.dmp

          Filesize

          2.1MB

        • memory/1380-48-0x0000000140000000-0x000000014021D000-memory.dmp

          Filesize

          2.1MB

        • memory/1380-45-0x0000000140000000-0x000000014021D000-memory.dmp

          Filesize

          2.1MB

        • memory/1380-44-0x0000000140000000-0x000000014021D000-memory.dmp

          Filesize

          2.1MB

        • memory/1380-38-0x0000000140000000-0x000000014021D000-memory.dmp

          Filesize

          2.1MB

        • memory/1380-34-0x0000000140000000-0x000000014021D000-memory.dmp

          Filesize

          2.1MB

        • memory/1380-29-0x0000000140000000-0x000000014021D000-memory.dmp

          Filesize

          2.1MB

        • memory/1380-25-0x0000000140000000-0x000000014021D000-memory.dmp

          Filesize

          2.1MB

        • memory/1380-20-0x0000000140000000-0x000000014021D000-memory.dmp

          Filesize

          2.1MB

        • memory/1380-13-0x0000000140000000-0x000000014021D000-memory.dmp

          Filesize

          2.1MB

        • memory/1980-119-0x0000000000180000-0x0000000000187000-memory.dmp

          Filesize

          28KB

        • memory/3028-7-0x0000000140000000-0x000000014021D000-memory.dmp

          Filesize

          2.1MB

        • memory/3028-0-0x0000000140000000-0x000000014021D000-memory.dmp

          Filesize

          2.1MB

        • memory/3028-1-0x0000000000230000-0x0000000000237000-memory.dmp

          Filesize

          28KB
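
PID 1380 accounts for most of the memory dumps above yet has no entry in the Processes section, the same 0x140000000 to 0x14021D000 range (0x21D000 bytes, which is the report's 2.1MB) is dumped repeatedly from both 1380 and the rundll32.exe host 3028, and a 28KB region shows up in every listed PID. The following Python is an added example, not part of the sandbox output, that parses the dump names, collapses the repeated ranges per PID, lists which region sizes recur across processes and picks out the region that is the size of the submitted DLL sitting at the 64-bit default image base. SAMPLE_DUMPS is a constructed subset of the names above, SAMPLE_SIZE is the report's 2.1MB in bytes, and the function names are this example's own.

```python
"""Added example: reduce the memory/... dump names above to distinct regions.

Not part of the sandbox output. SAMPLE_DUMPS is a constructed subset of the
dump names listed in this report; SAMPLE_SIZE is the report's 2.1MB sample
size in bytes.
"""
import re
from collections import defaultdict

# Dump names follow memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

PE64_DEFAULT_IMAGE_BASE = 0x140000000   # linker default for 64-bit PE images


def parse_dump_name(name):
    """(pid, seq, start, end) from one dump name; raises on anything else."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a memory dump name: {name!r}")
    pid, seq, start, end = m.groups()
    return int(pid), int(seq), int(start, 16), int(end, 16)


def regions_by_pid(names):
    """Collapse repeated dumps of one range: {pid: {(start, end): dump_count}}."""
    out = defaultdict(lambda: defaultdict(int))
    for n in names:
        pid, _, s, e = parse_dump_name(n)
        out[pid][(s, e)] += 1
    return {pid: dict(r) for pid, r in out.items()}


def sizes_across_pids(names):
    """{region_size_in_bytes: sorted pids holding a region of that exact size}.
    A size that recurs in every process is worth a look: here 0x7000 (28KB) does."""
    seen = defaultdict(set)
    for n in names:
        pid, _, s, e = parse_dump_name(n)
        seen[e - s].add(pid)
    return {size: sorted(pids) for size, pids in seen.items()}


def image_sized_regions(names, sample_size, tolerance=0.05):
    """Regions at the 64-bit default image base whose length is within
    `tolerance` of the sample size: the full module mapped in that process,
    as opposed to the 4KB/28KB pages. Returns sorted (pid, start, end, count)."""
    hits = []
    for pid, regs in regions_by_pid(names).items():
        for (s, e), count in regs.items():
            if s == PE64_DEFAULT_IMAGE_BASE and abs((e - s) - sample_size) <= tolerance * sample_size:
                hits.append((pid, s, e, count))
    return sorted(hits)


SAMPLE_SIZE = int(2.1 * 1024 * 1024)   # report: "2.1MB"

# Constructed subset of the report's dump names (same format, same values).
SAMPLE_DUMPS = [
    "memory/3028-0-0x0000000140000000-0x000000014021D000-memory.dmp",
    "memory/3028-1-0x0000000000230000-0x0000000000237000-memory.dmp",
    "memory/3028-7-0x0000000140000000-0x000000014021D000-memory.dmp",
    "memory/1380-8-0x0000000140000000-0x000000014021D000-memory.dmp",
    "memory/1380-9-0x0000000140000000-0x000000014021D000-memory.dmp",
    "memory/1380-56-0x0000000002470000-0x0000000002477000-memory.dmp",
    "memory/1380-66-0x00000000775F1000-0x00000000775F2000-memory.dmp",
    "memory/1104-92-0x0000000000110000-0x0000000000117000-memory.dmp",
    "memory/1980-119-0x0000000000180000-0x0000000000187000-memory.dmp",
]

if __name__ == "__main__":
    for pid, regs in sorted(regions_by_pid(SAMPLE_DUMPS).items()):
        for (s, e), n in sorted(regs.items()):
            print(f"pid {pid}: 0x{s:X}-0x{e:X} ({e - s:#x} bytes, {n} dumps)")
    print("image-sized:", image_sized_regions(SAMPLE_DUMPS, SAMPLE_SIZE))
```

The point of collapsing by (start, end) is that the sequence number in each name is just the dump order, so the dozens of 1380 entries above describe one mapping dumped over and over, not dozens of regions. The image-base match is a heuristic: a 64-bit DLL that loads at its preferred base and is the same size as the submitted file is the unpacked module itself, while the 28KB and 4KB regions are the small allocations the signatures (WriteProcessMemory, injected shellcode) point at and are the ones to pull for disassembly.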