Analysis

  • max time kernel
    150s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    30-01-2024 21:46

General

  • Target

    82a4bc5335713f3201927604dc1c17fa.dll

  • Size

    1.7MB

  • MD5

    82a4bc5335713f3201927604dc1c17fa

  • SHA1

    0760fdf10d7b767e7b1c6c75b5a6df7fa582f2de

  • SHA256

    b24b5a97da7b45c297575085b7e6a6812e70391a8460609e4ab225c8b8c421b8

  • SHA512

    fdc555fae69369b3e61dae10b2e01607d5c853ed93bc403d08678447454e550ed598a3c46e4c7489e9e9626ffca57c317a92b64a3e48c6d44717667be684fe2e

  • SSDEEP

    12288:hVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:QfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex payload shellcode injected into the Explorer process.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\82a4bc5335713f3201927604dc1c17fa.dll,#1
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2480
  • C:\Windows\system32\raserver.exe
    C:\Windows\system32\raserver.exe
    PID:2560
    • C:\Users\Admin\AppData\Local\BwjLVSh\raserver.exe
      C:\Users\Admin\AppData\Local\BwjLVSh\raserver.exe
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:1924
    • C:\Windows\system32\Utilman.exe
      C:\Windows\system32\Utilman.exe
      PID:616
      • C:\Users\Admin\AppData\Local\HpCcfb\Utilman.exe
        C:\Users\Admin\AppData\Local\HpCcfb\Utilman.exe
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2792
      • C:\Windows\system32\BitLockerWizard.exe
        C:\Windows\system32\BitLockerWizard.exe
        PID:1208
        • C:\Users\Admin\AppData\Local\fUkKHw\BitLockerWizard.exe
          C:\Users\Admin\AppData\Local\fUkKHw\BitLockerWizard.exe
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:800

Network

MITRE ATT&CK Enterprise v15

Downloads

        • C:\Users\Admin\AppData\Local\BwjLVSh\WTSAPI32.dll

          Filesize

          475KB

          MD5

          40e79bcdfceb9abc774cd4ce1913f167

          SHA1

          7c7f99c9ba975704ecc63c64045f595f8fddaf10

          SHA256

          70849c9108b9049ae1b1e152ba10227a55d4050608f27e0f07fe8376f189d3fa

          SHA512

          681eebf8044eb7dd21fe72396c399541bf38f18529e1f4684536fe26bdd3fef3fb45066b951b6221aaf1ef08f07dbb9cefd63e4f932ee319dadcf1d7fb449db3

        • C:\Users\Admin\AppData\Local\BwjLVSh\raserver.exe

          Filesize

          123KB

          MD5

          cd0bc0b6b8d219808aea3ecd4e889b19

          SHA1

          9f8f4071ce2484008e36fdfd963378f4ebad703f

          SHA256

          16abc530c0367df1ad631f09e14c565cf99561949aa14acc533cd54bf8a5e22c

          SHA512

          84291ea3fafb38ef96817d5fe4a972475ef8ea24a4353568029e892fa8e15cf8e8f6ef4ff567813cd3b38092f0db4577d9dccb22be755eebdd4f77e623dc80ac

        • C:\Users\Admin\AppData\Local\HpCcfb\DUI70.dll

          Filesize

          1.2MB

          MD5

          94b82b06ef00aac47ddbc60a782d9d92

          SHA1

          3bad39eab79fcdaa86d9b5ad693d944595d320e1

          SHA256

          0379dca29ac143aa5d91125106f46ea9f49c84b7b87ecf08c207324c4935a097

          SHA512

          4f3c07b5127c6445a5053ef7404c4ea08dc27320efb55a99b58ddcc1eb7767e79ae2f329d1f4101514eaa5f4fcbaea4baa235d16351244d1d299c81fdbf47494

        • C:\Users\Admin\AppData\Local\HpCcfb\Utilman.exe

          Filesize

          1.3MB

          MD5

          32c5ee55eadfc071e57851e26ac98477

          SHA1

          8f8d0aee344e152424143da49ce2c7badabb8f9d

          SHA256

          7ca90616e68bc851f14658a366d80f21ddb7a7dd8a866049e54651158784a9ea

          SHA512

          e0943efa81f3087c84a5909c72a436671ee8cc3cc80154901430e83ec7966aac800ad4b26f4a174a0071da617c0982ceda584686c6e2056e1a83e864aca6c975

        • C:\Users\Admin\AppData\Local\fUkKHw\BitLockerWizard.exe

          Filesize

          98KB

          MD5

          08a761595ad21d152db2417d6fdb239a

          SHA1

          d84c1bc2e8c9afce9fb79916df9bca169f93a936

          SHA256

          ec0b9e5f29a43f9db44fa76b85701058f26776ab974044c1d4741591b74d0620

          SHA512

          8b07828e9c0edf09277f89294b8e1a54816f6f3d1fe132b3eb70370b81feb82d056ec31566793bd6f451725f79c3b4aeedb15a83216115e00943e0c19cab37c9

        • C:\Users\Admin\AppData\Local\fUkKHw\FVEWIZ.dll

          Filesize

          1.7MB

          MD5

          c6e7d0ebbf7ebc4a01f50207d50d2442

          SHA1

          560a7587255e027f37d7f44cda8ac5eccaa9fad0

          SHA256

          13a64706754cb79f8c42b4595a1afd24e50bee4e905f02559ab486146b5752d3

          SHA512

          7b7020372974da34c1ebe047e0aed6b71e0ca2712a4dc382f44c7e6a0871109559f1e9e9ba2c921dffab02bdae5c79931027004af5c855fda535740907cae00a

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Zrkibbhbsqvuoso.lnk

          Filesize

          1KB

          MD5

          2709b8e6adb741768c5304b14638a600

          SHA1

          6402622a4ac56907a89c57f3a1c91700d695e8ff

          SHA256

          e18cc7b8de30041765d5df88a6f3950341890524d17164a86b00c5f7430ce70c

          SHA512

          82287263e903a17f75ec704a95441a0d424850df6209b84fa4c56f9bfc239d0876694b47f20566f28385b8638dca7fb23dcaba874a4e0eaf07b707804448d758

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IEDownloadHistory\o6T6Cp0b67\DUI70.dll

          Filesize

          1.9MB

          MD5

          714f3bc478bfe98ecd4a9ccc595720ce

          SHA1

          7c3587b9a1f2cc1eefe71c1afd2989e7dfb9e021

          SHA256

          81e62aab7ec80d454eed0f2b39e1769338a7cbee884433659487b2fe1ec95269

          SHA512

          cc72e1f110aeee89fa2f117dd263b10396a5fe83160a6c2986e3f5705decbf8769150c0d0025c815cb2eadb31a8c6ea70c8c025129ba4b5602dcecd807a0cf51

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\4xmVg\WTSAPI32.dll

          Filesize

          1.7MB

          MD5

          3be5ef623e8882cf49366c54c260663e

          SHA1

          fe90098027f39a097ecb7413b192bfef6c297664

          SHA256

          ba9c20af25a4d4245a761ecd9de367e18d0fdb720759f390cdd561587676fac0

          SHA512

          e103fef057e923bfd14818f983efb8670e9227c616105e51c6754b77cd243431460d154c176792663bbf09e9a003091dc1b8c7afba56210193cc8db311535d3d

        • \Users\Admin\AppData\Local\BwjLVSh\WTSAPI32.dll

          Filesize

          259KB

          MD5

          2056825fde299eab944562db6d64c66c

          SHA1

          9709850fb65fe760f92e0ad5c90c6e6de7e45b76

          SHA256

          d59ce7a7ff891e279e52ad379147b9678c91042c0046d33b0a132aef82cab7f6

          SHA512

          e780a6572a28a5d5d6c754eb4023ad10b44bc8badebf10da8388b1ce6188955158c56fbfa55c616d5d00e61ac219bdecb80bf482222da08d6645df172649d2e9

        • \Users\Admin\AppData\Local\HpCcfb\DUI70.dll

          Filesize

          983KB

          MD5

          515f26508b41412a0d07895b7981b421

          SHA1

          ea1bdb5e336803c5a0ead032e52beb2fce37765a

          SHA256

          2d0fda983f9c9d8365401e98f2b6c2b3386745bf6f3235be8027e9ce3eb7ee60

          SHA512

          809f8c4bc72ee53a3886f3c34e246163d216be695abc43e6e90796ce745f3a7f0e62081dee37e8f7cdc4d18f95e61b40a611d7891496cdf01b9ed26a7674cfe6
