Analysis

  • max time kernel
    150s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    28-01-2024 20:58

General

  • Target

    7dfc5de3055bae2c2056b13cdd47a090.dll

  • Size

    1.7MB

  • MD5

    7dfc5de3055bae2c2056b13cdd47a090

  • SHA1

    51978d2febcabd2e969a15e71da3d4b572a2053d

  • SHA256

    d95cc0433afb03437c023c244ea84af4d4adb9e3f99de177b77f27dde047399e

  • SHA512

    d8810393576a5e82348cb00d700ad8a2731a2ef8029db264a2739dde9cd85f334a1508f53b604f4fe90d44ba88915bf48d94bd9a4466da4efd21ced49c64cde0

  • SSDEEP

    12288:vVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:GfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a banking trojan that specializes in stealing bank credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex payload shellcode injected into the Explorer process.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\7dfc5de3055bae2c2056b13cdd47a090.dll,#1
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2012
  • C:\Windows\system32\slui.exe
    C:\Windows\system32\slui.exe
    PID:2588
  • C:\Users\Admin\AppData\Local\56dWecyrk\slui.exe
    C:\Users\Admin\AppData\Local\56dWecyrk\slui.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:2652
  • C:\Windows\system32\isoburn.exe
    C:\Windows\system32\isoburn.exe
    PID:2676
  • C:\Users\Admin\AppData\Local\WO6eRUK4\isoburn.exe
    C:\Users\Admin\AppData\Local\WO6eRUK4\isoburn.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:2792
  • C:\Windows\system32\RDVGHelper.exe
    C:\Windows\system32\RDVGHelper.exe
    PID:3048
  • C:\Users\Admin\AppData\Local\Qwp\RDVGHelper.exe
    C:\Users\Admin\AppData\Local\Qwp\RDVGHelper.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:2168
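
The process tree and the file list show the pattern Dridex loaders are known for: a legitimate Windows executable (slui.exe, isoburn.exe, RDVGHelper.exe) is copied into a random directory under AppData\Local next to a DLL named like an OS DLL (WINBRAND.dll, UxTheme.dll, dwmapi.dll), the copy is started and loads the dropped DLL, and a shortcut (Hbeids.lnk) lands in the Startup folder. The Python below is an added example for hunting that pattern in endpoint telemetry; it is not part of this report or of any sandbox tooling. Its event schema (type, pid, path) is an assumption rather than a real telemetry format, the sample events are constructed from the paths listed in the report, and the set of "known OS binaries" is seeded from processes seen running out of system32 in the same trace instead of from a disk inventory. The Run key and scheduled task named in the signatures are not detailed on this page, so they are not modelled.

```python
"""Hunt for the DLL side-loading + Startup-shortcut pattern in this report.

Added example, not part of the sandbox report.  The event schema below
(type, pid, path) is an assumption, not a real telemetry format; the
SAMPLE_EVENTS are constructed from the paths the report lists.
"""
import ntpath
from collections import defaultdict

# Directories whose executables we treat as genuine OS binaries.
SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}
# Markers of user-writable locations where an OS binary has no business running.
USER_WRITABLE = ("\\appdata\\local\\", "\\appdata\\roaming\\",
                 "\\users\\public\\", "\\programdata\\")
# Matches the long Startup path and the 8.3 form (STARTM~1\Programs\Startup) in the report.
STARTUP_MARK = "\\programs\\startup"


def _split(path):
    """Normalise to lower-case backslash form and split into (dir, basename)."""
    return ntpath.split(path.replace("/", "\\").lower())


def _in_user_writable(directory):
    return any(marker in directory + "\\" for marker in USER_WRITABLE)


def find_findings(events):
    """Return [(kind, detail), ...] for a list of event dicts.

    'sideload': a basename that ran from a system directory in this trace also
    ran from a user-writable directory; detail lists the DLLs created in that
    directory (the side-loaded payload candidates).
    'startup_lnk': a .lnk created in a Startup folder.
    Seeding the known-OS-binary set from the trace itself is an assumption; a
    production rule would use an inventory of signed OS executables instead.
    """
    os_binaries = set()
    dll_by_dir = defaultdict(set)
    findings = []
    for ev in events:
        directory, name = _split(ev["path"])
        if ev["type"] == "process_create" and directory in SYSTEM_DIRS:
            os_binaries.add(name)
        elif ev["type"] == "file_create":
            if name.endswith(".dll") and _in_user_writable(directory):
                dll_by_dir[directory].add(name)
            if name.endswith(".lnk") and STARTUP_MARK in directory:
                findings.append(("startup_lnk", {"path": ev["path"]}))
    for ev in events:  # second pass so event ordering does not matter
        if ev["type"] != "process_create":
            continue
        directory, name = _split(ev["path"])
        if name in os_binaries and _in_user_writable(directory):
            findings.append(("sideload", {
                "pid": ev["pid"], "path": ev["path"],
                "dlls": sorted(dll_by_dir.get(directory, ())),
            }))
    return findings


# Constructed from the report's process tree and file list; the two trailing
# events are benign controls that must not fire.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 2012, "path": "C:\\Windows\\system32\\rundll32.exe"},
    {"type": "process_create", "pid": 2588, "path": "C:\\Windows\\system32\\slui.exe"},
    {"type": "file_create", "path": "C:\\Users\\Admin\\AppData\\Local\\56dWecyrk\\WINBRAND.dll"},
    {"type": "file_create", "path": "C:\\Users\\Admin\\AppData\\Local\\56dWecyrk\\slui.exe"},
    {"type": "process_create", "pid": 2652, "path": "C:\\Users\\Admin\\AppData\\Local\\56dWecyrk\\slui.exe"},
    {"type": "process_create", "pid": 2676, "path": "C:\\Windows\\system32\\isoburn.exe"},
    {"type": "file_create", "path": "C:\\Users\\Admin\\AppData\\Local\\WO6eRUK4\\UxTheme.dll"},
    {"type": "file_create", "path": "C:\\Users\\Admin\\AppData\\Local\\WO6eRUK4\\isoburn.exe"},
    {"type": "process_create", "pid": 2792, "path": "C:\\Users\\Admin\\AppData\\Local\\WO6eRUK4\\isoburn.exe"},
    {"type": "process_create", "pid": 3048, "path": "C:\\Windows\\system32\\RDVGHelper.exe"},
    {"type": "file_create", "path": "C:\\Users\\Admin\\AppData\\Local\\Qwp\\dwmapi.dll"},
    {"type": "file_create", "path": "C:\\Users\\Admin\\AppData\\Local\\Qwp\\RDVGHelper.exe"},
    {"type": "process_create", "pid": 2168, "path": "C:\\Users\\Admin\\AppData\\Local\\Qwp\\RDVGHelper.exe"},
    {"type": "file_create", "path": "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\Startup\\Hbeids.lnk"},
    {"type": "process_create", "pid": 4100, "path": "C:\\Windows\\system32\\notepad.exe"},
    {"type": "file_create", "path": "C:\\Users\\Admin\\AppData\\Local\\Temp\\notes.txt"},
]

if __name__ == "__main__":
    for kind, detail in find_findings(SAMPLE_EVENTS):
        print(kind, detail)
```

Run against the sample events it reports the Startup shortcut and three side-loads (PIDs 2652, 2792 and 2168, each with the DLL dropped beside it); notepad.exe running from system32 and a text file in Temp produce nothing. Matching on the directory rather than on exact DLL names is deliberate: the dropped DLL names here (WINBRAND, UxTheme, dwmapi) are whatever the copied EXE imports, and change with the host binary chosen.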

        Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\56dWecyrk\WINBRAND.dll

          Filesize

          117KB

          MD5

          19e451b1d34267f08486e0acc71a4c10

          SHA1

          9666f6b31937751a71e90bc5a4a31f6c6af3251d

          SHA256

          8b1c3f677ea1833664fa8fe555e2d3c29d9769af1772d4a3fd0fdb5c5d3f0332

          SHA512

          dcbe52aa4dbcfa885b93b3e51766ce2b121ffb1baaeff4a49e73d0a801b52928a711cdfc3e22332f4f61aae269df85efdb8a2f8849c3f4a37e9b9d88127de295

        • C:\Users\Admin\AppData\Local\56dWecyrk\slui.exe

          Filesize

          199KB

          MD5

          d94fe069c00712fa80114ee29519685d

          SHA1

          322ffcbab982fe3a3c423f6359fa8a8c255ddcb0

          SHA256

          dc697b2960c10325fb55e5246f75c538b4a61a62b1cdc461f1d02260dcef68ae

          SHA512

          be361fe0845b78c35088c9c29e6fabb3822ca4108db1612e314edb71500559998db8e931f0449c362765a8610b18cf36c5f9b14921b1c2de5f03eb215b5170d1

        • C:\Users\Admin\AppData\Local\56dWecyrk\slui.exe

          Filesize

          78KB

          MD5

          9c9ea25f8cbc3088927fc2e9700c5acb

          SHA1

          e11439586de20229774eff0a6c544fa900088396

          SHA256

          329e4d2edaaf8067096933292a05fea07592b27dc1e14a19685e9dd0b816be00

          SHA512

          9717570123bc731fc88d328caf93706a6c51122dd026cfc4faa06874eb1acbf9fc4e9c547ca72eca5133934e895855a8af81bf45e9673ee640cdee8391c9c214

        • C:\Users\Admin\AppData\Local\Qwp\dwmapi.dll

          Filesize

          1.7MB

          MD5

          30b5d555dfdb235ecf8c54816bd12b49

          SHA1

          e42c7226dd95080ce1f02f0dcc93d4f9448bbd9e

          SHA256

          977252eed40b67675977edf0931d72440bd7924e0d1cc086ce97aa05c5e1c89e

          SHA512

          1be552415d5d26fd25e7403b4b0d3c77506f8e4d593db4ba5968e8bd7e2613e7995f17a470f990c85f95e6d52dea83c955361357158d25b305a75c0cb5699104

        • C:\Users\Admin\AppData\Local\WO6eRUK4\UxTheme.dll

          Filesize

          267KB

          MD5

          5cc7999742ce93bcba0df5a602a38b02

          SHA1

          f941e025a50b764b9b7a332918fa021e7a5c92fc

          SHA256

          1c94e674a78895a0788db82c864ac2865ecd53b7b20e927a81fc91e2dd1a1bd8

          SHA512

          4625dd58f2b1a902ac700b311b93f7161cf5fb890cce387d0a2a1b3d9df1622884d515934939e0e2772a987a816076579c5531b3512400757ef0cd258be2b174

        • C:\Users\Admin\AppData\Local\WO6eRUK4\isoburn.exe

          Filesize

          89KB

          MD5

          f8051f06e1c4aa3f2efe4402af5919b1

          SHA1

          bbcf3711501dfb22b04b1a6f356d95a6d5998790

          SHA256

          50dcb4be409f50d26c0fc32dd9cdbf96bff4e19bf624221cb566ebeb3e09ce1a

          SHA512

          5f664d937abe4426ee7e0d8491a395f9ef4ffe7a51dba05b54b7ba27e80c9be37833400911c5878d3dec659f4fa1579ec8ba4cfc485fb2ce24dd37c321006daa

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Hbeids.lnk

          Filesize

          1KB

          MD5

          48a3aa339e7ebfee3dd597b34b681ff3

          SHA1

          775e10c37a6358c67fb6e3fccf8b69a75506b014

          SHA256

          dda6944e75dbdf8b85b39a6ef4ab9838919cb690807c0e20a9aa4e12053923da

          SHA512

          bb80d0b6254c3ed712e5cd6324644353ce04759043b6a869512eea3acd3aa33cabb8c7b03474c4c7727e4a48f0be1af1468cc813c1542731c06a26bdb045fda4

        • C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\Yk1mFKxt3i\UxTheme.dll

          Filesize

          1.7MB

          MD5

          ae8de4fc88369a8775e1a53b5b547a96

          SHA1

          bfc45855ba52cd5c1cc1be5bc67cb7d48cfe495d

          SHA256

          c76503842e4d472c561761d55b1bf7dc0f54f6151e399219cee7913e85c1988e

          SHA512

          b1183d936ecf9a1e1d1d70bc112c7bea56210eae3e3283208074b700c1ec53811f3258f02a23bf1a98f30b0d51a0bc0efb45d2de34b1de4e2e0cf4104e0ff56e

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PrivacIE\Low\ZTUjzGS\WINBRAND.dll

          Filesize

          1.7MB

          MD5

          082c5c6b143fe28534607c4d5ccd15d0

          SHA1

          de7715dd2ea48dbe1b39199ad1852dada35b6ccc

          SHA256

          01fe2292b4baa3454742f3d9a67af50081ad85eae985af1070b1e21c21aad977

          SHA512

          6ffcaaf18c3954d36707bb84cd4af3e94cbbd5190012a3035808d62807544732e8f53f6bf1bf4c584a4d795671ca2042d2842a98e5907b98b91a79c77f5809c4

        • \Users\Admin\AppData\Local\56dWecyrk\WINBRAND.dll

          Filesize

          71KB

          MD5

          774d310e1190f90ffed9ad7534d3eee1

          SHA1

          a0fc04635e4ac8e3c910f89306bf84d8372a056f

          SHA256

          802bb19f2963ed50a4b4833c222dd9237a1819ee8023741d480232e08a2358f9

          SHA512

          b5c6e7c1e76491679e16fc44264dbf3c8d265a2500c6a540b633fbc82ed6f54da21877b74fe67fc7119aae56405be2b5feeafd887387abfa90f9153414acef37

        • \Users\Admin\AppData\Local\56dWecyrk\slui.exe

          Filesize

          211KB

          MD5

          ec8098883cf0d1c83269fc0447d67c78

          SHA1

          5f661f61311403ea7c684b0e0658cc8d0e095091

          SHA256

          c8363a5f3db5724e4652d83440d028b9b7bdce89eeb3297bfd1567f1d680e293

          SHA512

          052417a887d4e137a6b1b6bdc5649b09013f1694ab776f87f2b59221c651e87318d418faaac8a72fd893dd17963c2c18ccf788c00444a0c4ff31f53409cc151a

        • \Users\Admin\AppData\Local\Qwp\RDVGHelper.exe

          Filesize

          93KB

          MD5

          53fda4af81e7c4895357a50e848b7cfe

          SHA1

          01fb2d0210f1c47aaf684e31a9fb78f89bba9c0f

          SHA256

          62ab8c2c5b5bd84fd07e96b6a3b87a4ea56946107ed9b7f8076580ae1fefd038

          SHA512

          dbbda90a57d27160c5a3a5e4e94cfc43b1663fcbfe424fdec851e52356f61492bdcf677c46be8aa4e8ccc8be7c389b6aa7bbbce8447e1fae32f03e5e409f4051

        • \Users\Admin\AppData\Local\WO6eRUK4\UxTheme.dll

          Filesize

          245KB

          MD5

          24127704d1a9a21c2161b3ae486f77e0

          SHA1

          f529147e03eed8a4476fa252c3a5b21e6f72dd16

          SHA256

          8998b8101fbf7c0c5548f6d488538fc90dd9e51d85d4fca1bffa9044918adc02

          SHA512

          e911fbb2a405c7730029195e31f04779a3bcc6635f292e51b2a467164ef3683565040551acef8576d3c24e3d915487869689791280ea94aee3cc56c121a28282

        • memory/1208-4-0x0000000077706000-0x0000000077707000-memory.dmp  Filesize 4KB
        • memory/1208-5-0x0000000002C90000-0x0000000002C91000-memory.dmp  Filesize 4KB
        • memory/1208-7-0x0000000140000000-0x00000001401B6000-memory.dmp  Filesize 1.7MB
        • memory/1208-9-0x0000000140000000-0x00000001401B6000-memory.dmp  Filesize 1.7MB
        • memory/1208-10-0x0000000140000000-0x00000001401B6000-memory.dmp  Filesize 1.7MB
        • memory/1208-11-0x0000000140000000-0x00000001401B6000-memory.dmp  Filesize 1.7MB
        • memory/1208-12-0x0000000140000000-0x00000001401B6000-memory.dmp  Filesize 1.7MB
        • memory/1208-13-0x0000000140000000-0x00000001401B6000-memory.dmp  Filesize 1.7MB
        • memory/1208-14-0x0000000140000000-0x00000001401B6000-memory.dmp  Filesize 1.7MB
        • memory/1208-15-0x0000000140000000-0x00000001401B6000-memory.dmp  Filesize 1.7MB
        • memory/1208-16-0x0000000140000000-0x00000001401B6000-memory.dmp  Filesize 1.7MB
        • memory/1208-17-0x0000000140000000-0x00000001401B6000-memory.dmp  Filesize 1.7MB
        • memory/1208-18-0x0000000140000000-0x00000001401B6000-memory.dmp  Filesize 1.7MB
        • memory/1208-19-0x0000000140000000-0x00000001401B6000-memory.dmp  Filesize 1.7MB
        • memory/1208-20-0x0000000140000000-0x00000001401B6000-memory.dmp  Filesize 1.7MB
        • memory/1208-21-0x0000000140000000-0x00000001401B6000-memory.dmp  Filesize 1.7MB
        • memory/1208-22-0x0000000140000000-0x00000001401B6000-memory.dmp  Filesize 1.7MB
        • memory/1208-23-0x0000000140000000-0x00000001401B6000-memory.dmp  Filesize 1.7MB
        • memory/1208-24-0x0000000140000000-0x00000001401B6000-memory.dmp  Filesize 1.7MB
        • memory/1208-25-0x0000000140000000-0x00000001401B6000-memory.dmp  Filesize 1.7MB
        • memory/1208-26-0x0000000140000000-0x00000001401B6000-memory.dmp  Filesize 1.7MB
        • memory/1208-27-0x0000000140000000-0x00000001401B6000-memory.dmp  Filesize 1.7MB
        • memory/1208-28-0x0000000140000000-0x00000001401B6000-memory.dmp  Filesize 1.7MB
        • memory/1208-29-0x0000000140000000-0x00000001401B6000-memory.dmp  Filesize 1.7MB
        • memory/1208-30-0x0000000140000000-0x00000001401B6000-memory.dmp  Filesize 1.7MB
        • memory/1208-31-0x0000000140000000-0x00000001401B6000-memory.dmp  Filesize 1.7MB
        • memory/1208-32-0x0000000140000000-0x00000001401B6000-memory.dmp  Filesize 1.7MB
        • memory/1208-33-0x0000000140000000-0x00000001401B6000-memory.dmp  Filesize 1.7MB
        • memory/1208-34-0x0000000140000000-0x00000001401B6000-memory.dmp  Filesize 1.7MB
        • memory/1208-35-0x0000000140000000-0x00000001401B6000-memory.dmp  Filesize 1.7MB
        • memory/1208-36-0x0000000140000000-0x00000001401B6000-memory.dmp  Filesize 1.7MB
        • memory/1208-37-0x0000000002C70000-0x0000000002C77000-memory.dmp  Filesize 28KB
        • memory/1208-44-0x0000000140000000-0x00000001401B6000-memory.dmp  Filesize 1.7MB
        • memory/1208-45-0x0000000077811000-0x0000000077812000-memory.dmp  Filesize 4KB
        • memory/1208-46-0x0000000077970000-0x0000000077972000-memory.dmp  Filesize 8KB
        • memory/1208-51-0x0000000140000000-0x00000001401B6000-memory.dmp  Filesize 1.7MB
        • memory/1208-54-0x0000000140000000-0x00000001401B6000-memory.dmp  Filesize 1.7MB
        • memory/1208-60-0x0000000140000000-0x00000001401B6000-memory.dmp  Filesize 1.7MB
        • memory/1208-127-0x0000000077706000-0x0000000077707000-memory.dmp  Filesize 4KB
        • memory/2012-0-0x00000000002A0000-0x00000000002A7000-memory.dmp  Filesize 28KB
        • memory/2012-1-0x0000000140000000-0x00000001401B6000-memory.dmp  Filesize 1.7MB
        • memory/2012-8-0x0000000140000000-0x00000001401B6000-memory.dmp  Filesize 1.7MB
        • memory/2168-106-0x00000000000F0000-0x00000000000F7000-memory.dmp  Filesize 28KB
        • memory/2652-69-0x0000000000120000-0x0000000000127000-memory.dmp  Filesize 28KB
        • memory/2652-70-0x0000000140000000-0x00000001401B7000-memory.dmp  Filesize 1.7MB
        • memory/2652-74-0x0000000140000000-0x00000001401B7000-memory.dmp  Filesize 1.7MB
        • memory/2792-87-0x0000000000370000-0x0000000000377000-memory.dmp  Filesize 28KB
        • memory/2792-93-0x0000000140000000-0x00000001401B7000-memory.dmp  Filesize 1.7MB