Analysis

  • max time kernel
    149s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags
    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    30-01-2024 22:26

General

  • Target

    82b98a019126a5f30050d77d82814f93.dll

  • Size

    3.5MB

  • MD5

    82b98a019126a5f30050d77d82814f93

  • SHA1

    903191e96053b8e6ac7ba8cbea36462ca8cf27c0

  • SHA256

    9463a439b0c76f66e03535405b713b906c9bce1453dfdc13a0ce3579c7059e41

  • SHA512

    aa8c585df62b333496bae2c05db6dbb026df46f2dc0a535a6a743479c8f7b6d2c7c4146e21430d955f9d60f4742e5c808267e535059d9470ba921c758b88d90e

  • SSDEEP

    12288:ZVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:YfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode (1 IoC)

    Detects Dridex payload shellcode injected into the Explorer process.

  • Executes dropped EXE (3 IoCs)
  • Loads dropped DLL (7 IoCs)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Checks whether UAC is enabled (1 TTP, 4 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of WriteProcessMemory (18 IoCs)
  • Uses Task Scheduler COM API (1 TTP)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\82b98a019126a5f30050d77d82814f93.dll,#1
    PID: 2880
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
  • C:\Windows\system32\mspaint.exe
    Command line: C:\Windows\system32\mspaint.exe
    PID: 2036
    • C:\Users\Admin\AppData\Local\Y4vs1\mspaint.exe
      Command line: C:\Users\Admin\AppData\Local\Y4vs1\mspaint.exe
      PID: 1848
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
    • C:\Windows\system32\msra.exe
      Command line: C:\Windows\system32\msra.exe
      PID: 896
      • C:\Users\Admin\AppData\Local\19bz\msra.exe
        Command line: C:\Users\Admin\AppData\Local\19bz\msra.exe
        PID: 1796
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
      • C:\Windows\system32\p2phost.exe
        Command line: C:\Windows\system32\p2phost.exe
        PID: 1140
        • C:\Users\Admin\AppData\Local\q1JNgLbp\p2phost.exe
          Command line: C:\Users\Admin\AppData\Local\q1JNgLbp\p2phost.exe
          PID: 1696
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\19bz\Secur32.dll (53KB)
    MD5: f2beb3380818a1d3b3a31ca35492c4ed
    SHA1: 556375c96734fbd6953351e772a3a82497650be4
    SHA256: 50d3076b45014be7e32f866eabcab14d7454f94b85976b0c0aad1fdd561f56bb
    SHA512: 4e0401ab134bf5ccae8b04ff36fa2079fdef713e8e4bc0aa093d714aa3cbcfa72fd0072ef4e4ffa83d00327b8e0a67d9a4e5aa3fa75412446d4bafffad08a45f

  • C:\Users\Admin\AppData\Local\19bz\msra.exe (1KB)
    MD5: fee1881479374568a8d8a05b700a4fe4
    SHA1: ab329330117487091aa041ed83c1d05aba5ebcda
    SHA256: c47c38fad79a01a25a98de4dc01bc0f3562f8c57db802b8ec127af998f590e64
    SHA512: 2266c464ed4df06a201d0364901df76804bfaf93e8dde393188575f5e63fc9db239ea9c8236f434729aa699d97f1a41e003686ce467b97548f5a2d43897fe53a

  • C:\Users\Admin\AppData\Local\19bz\msra.exe (45KB)
    MD5: 1c68e664bba559daf7293872b77d5d10
    SHA1: 1426e7fce119c04ef433622ae77ec5f3428a2e4e
    SHA256: 347fc4edd8903071d1acd42c93ac0c3695cb850b49e1946d97e3b7f9390cb24d
    SHA512: 3b5fe8ae2c4d31cdadbe35546e1997c3c15a54fdd83ece6dc0c42d5f5685dd50a9c96efaa565d16fd5dc70f98633d01bcba2547f99ed73ecea47ecabdf6249fa

  • C:\Users\Admin\AppData\Local\Y4vs1\MFC42u.dll (169KB)
    MD5: 11039144381d4b3ab64daf1457487d37
    SHA1: 99a10e763e6ebfca3f5452209dba337c425c1890
    SHA256: 87d8579015490581352ec2d8126322123ff24eb48629040f3fc8cb4bedf04178
    SHA512: 3e5a6882db7823fb6289747a0617e1806185f628fa6b8ece534e9d55ab18dc66a93e5834cd298234026aacee43b5c05e886fbee062383e5ce3b817865ebccae9

  • C:\Users\Admin\AppData\Local\Y4vs1\mspaint.exe (130KB)
    MD5: 8d395e79a524374d99ea4fc7b5fde9b4
    SHA1: 1dfc956ef9150014c905c4a1abca7b852236560c
    SHA256: 1348c2ecd998de6424a7acac12eec05f5833386c65a998e9040477275093bfca
    SHA512: d56d9abfbc049f225248c79415ce3d154fc55de6218af4e45f2667c3d4abcc1b1e1e83e333e40ed07772fdf68ad59f186c57fc96fbb6c7f2d624814f52154a97

  • C:\Users\Admin\AppData\Local\Y4vs1\mspaint.exe (45KB)
    MD5: 310568515c600e08c5b5743618c5f7d2
    SHA1: d0aae6ef59b33a2a06a5d72c45d8ef99cb6d465b
    SHA256: 1ce773c7695b0c07b1f756833d2c01019f2809aaea7ca802d5902713dceb25f7
    SHA512: d429e741ab35b563030f67e192c4ac7cadd1b3620fc67dcef5e7154600f49f680465284d341f8446abd7747f8f415c51c7f941b55a9e3f2bc237dd219e52af18

  • C:\Users\Admin\AppData\Local\q1JNgLbp\P2PCOLLAB.dll (42KB)
    MD5: 0f26e9a3559fcd9ef0632508aca2de3c
    SHA1: 8308d90a758b0a7803b00c3a60c5006390827906
    SHA256: 803a5a153f07e2270e896115087fda58831841c0f8ee06862507a420f5e8e408
    SHA512: 6b826657c27f8118c2bd20fbc1c9d996c25c8c03d89cf049c4908620d96810e271d33bedc67c1e1c903caafbe6fbaeff919d66c06a42493080966d51d3d3a80c

  • C:\Users\Admin\AppData\Local\q1JNgLbp\p2phost.exe (92KB)
    MD5: c1ce469d418497208efda563edc69927
    SHA1: b0cfdec97b89ca14af36c2a32859c4fedb3a53b5
    SHA256: 1aff2edbe45ad6f5900e9fea376bb4d0029cbe51304c300a882445184aa73681
    SHA512: 81a6a492258f1afa8f234ba85abd343dc34d95f9961f0bb3a19244acd83e2fce870de640be5548604f82abb8e44743bd48a11837dfb3947f59471dd27e530402

  • C:\Users\Admin\AppData\Local\q1JNgLbp\p2phost.exe (172KB)
    MD5: 0dbd420477352b278dfdc24f4672b79c
    SHA1: df446f25be33ac60371557717073249a64e04bb2
    SHA256: 1baba169de6c8f3b3c33cea96314c67b709a171bdc8ea9c250a0d016db767345
    SHA512: 84014b2dcc00f9fa1a337089ad4d4abcaa9e3155171978ec07bc155ddaebebfabb529d8de3578e564b3aae59545f52d71af173ebb50d2af252f219ac60b453d1

  • C:\Users\Admin\AppData\Roaming\Adobe\gpqP\Secur32.dll (279KB)
    MD5: 93ca81cd11837c3f5236756f1c505eb5
    SHA1: a52ea5074e80b200e19560d32985bbcbb73d71a3
    SHA256: f416f38e78e77e6d2198dc365b6c982ae2d43192f67154e991b9dbfe7fbf8af8
    SHA512: 0b45a0e11840a3a26a41d1890d623439936afea559788f37aca0a86141493b2c1581f713f1eb530e6585af7fdef1338387afe50981830103a912f80eac93c9ea

  • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Aqrvnhd.lnk (1KB)
    MD5: 8096fedb7eaca1a65e1773d2994b5ca7
    SHA1: ef5b195e4fc6b3949d00b5fb3c0608d1c09b250a
    SHA256: 62f147580774d8ce951d53137f633ed9a56ae912343d8be73e98d897e85b8fb8
    SHA512: b07cd95889e1d0c2629937e1702a9f02d8726e6e16bcb8e5efb762a89d0a69455f7ea792a6cf6102fab5ea6294f3cc542b12cc58a7c964a979e57fa74876e61c

  • C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\k8Uw6p75\MFC42u.dll (38KB)
    MD5: 6c1c8b64a709a6d44370a0c99aa87ae4
    SHA1: 836a32bfd1964a52dd3db6a35f3500924c530795
    SHA256: 0ed285382b8a30deb67bcfa23784f2be087e34c9de15ce96de4c592fa26cc61b
    SHA512: e5af17ea02ebeabd9bf093bd3ee6eeef142ab1bb08851916844a5729706e44df6e72807df4991abed26a99e98fad107dfff912212655d04a224cffa07b9e29eb

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\AI5aLZ\P2PCOLLAB.dll (206KB)
    MD5: f85a7fd91ce1966dcfa2835c3dbfa7a5
    SHA1: 9ca7ffeb7b11da2d727e92d9537db7426dddeadc
    SHA256: e8fd8a5ea7fc17be6296631f0a6a4b3cfb887942d461a4ce32784bb3b8e672b1
    SHA512: a44fc3321b8792643d25ee2beacc7d6425650767e08047eb76891a5f8d86a51b0b02bafae9f7117930f3d114e07496e271a4b3baf3ba1359da75ed822d7ae116

  • \Users\Admin\AppData\Local\19bz\Secur32.dll (38KB)
    MD5: f66504741905cbe1d742c133c03722e8
    SHA1: 60687c77d276b413bb1284f7d5e510ac5876e9e3
    SHA256: 1c0933aa32529ed48f64b0890a28094def995f687cb4e466443d1748e5c12f23
    SHA512: 37facc480def234784f0cd30f6784f10ecab0de42e0fa381956026745c0478f17c3c476d3bbd31aae3f2a02f7968e6aaec3faba5b6d54217d1f23d89fa1631d9

  • \Users\Admin\AppData\Local\19bz\msra.exe (16KB)
    MD5: d0af3305e149b1bc2722b241b75b3eef
    SHA1: 358c5ec22d123f92a161a5cdddc25aba5d128535
    SHA256: ea0091ed06961a5db990461d2bba4d605e85e2098d2e34e41bd3a56c6489bd6a
    SHA512: ad43aa7be846fa479692a9bd8e383b5c660397ea7ec0ab59164e2508ffe511db2854cd70e8a30b47112345e601cb5a7d31d669ceac78ef667473963aefb4a5ae

  • \Users\Admin\AppData\Local\Y4vs1\MFC42u.dll (164KB)
    MD5: 378a843b86d13f4f2a26a61694ead31e
    SHA1: a2dc28c9501daa3c69dc20df41b506e908f09761
    SHA256: 770ce5f5fb4fcc47f5852d2aef8bf26c93daa6ed334b0bddeb2e9a9143068e2b
    SHA512: ab831b622c8795b58ebdb719d0dde7f5fcde12d1e379cb0b29c486ed5bc0dcefcd6541d24789d4edbd3042d268d1865a93b90ac4d1e3bab843e412f695e53fa3

  • \Users\Admin\AppData\Local\Y4vs1\mspaint.exe (36KB)
    MD5: da543e3f949e4b36f6a2fd2f4c8479d0
    SHA1: 8de73c7295668ec28a94a39b90446f828911cf41
    SHA256: a2d55f5a8c47002bc003af7737b93ec15d7ffe6339649f5f5af8481925b5ca3f
    SHA512: 4329322debfbe2b26eb519f00cebd07e210286e216df02efdafadf0736dbeb77d8dca4d5140fbbd6fe816ddacc96b0a8479061bf499c990c277655f3f41a473e

  • \Users\Admin\AppData\Local\q1JNgLbp\P2PCOLLAB.dll (63KB)
    MD5: c9e0d8bfa4dc8d13e7eb9f202d023449
    SHA1: abd901708efa756927b1e6a12756873f02d9b388
    SHA256: 62458c61b55e7e01d308b7a1de1a6bc48a8fbf56b844c3a9f9aacee995a807bb
    SHA512: bac5d0d58a1d5327e250115b8d60b212d83855ca95960f630f76efccd9fa1a38ce232993ae244e6cea5b7b4c0281d30b5c72db968bcf14e89ec62f62f55a20e3

  • \Users\Admin\AppData\Local\q1JNgLbp\p2phost.exe (69KB)
    MD5: 870f3386e0a3ffe93616886faa092a46
    SHA1: 01e764d5b00787ccc8249e81c17406245a3b20f5
    SHA256: 81cb47631f1fca3e1a97a5186b0b1b9570bae5c7011cfb8d3e50339de886b0be
    SHA512: 1e944890bbdc6a2a06d94d457728079354be5fc791e59c5b1fda2dd75ac7e048833d29c88b978a8e849100a6106cea79e27fac4a57af6bb20567ba6acb2dcf96

  • memory/1380-23-0x0000000140000000-0x000000014037F000-memory.dmp (3.5MB)
  • memory/1380-42-0x0000000140000000-0x000000014037F000-memory.dmp (3.5MB)
  • memory/1380-26-0x0000000140000000-0x000000014037F000-memory.dmp (3.5MB)
  • memory/1380-4-0x0000000077866000-0x0000000077867000-memory.dmp (4KB)
  • memory/1380-17-0x0000000140000000-0x000000014037F000-memory.dmp (3.5MB)
  • memory/1380-31-0x0000000140000000-0x000000014037F000-memory.dmp (3.5MB)
  • memory/1380-35-0x0000000140000000-0x000000014037F000-memory.dmp (3.5MB)
  • memory/1380-37-0x0000000140000000-0x000000014037F000-memory.dmp (3.5MB)
  • memory/1380-41-0x0000000140000000-0x000000014037F000-memory.dmp (3.5MB)
  • memory/1380-45-0x0000000140000000-0x000000014037F000-memory.dmp (3.5MB)
  • memory/1380-50-0x0000000140000000-0x000000014037F000-memory.dmp (3.5MB)
  • memory/1380-52-0x0000000140000000-0x000000014037F000-memory.dmp (3.5MB)
  • memory/1380-56-0x0000000140000000-0x000000014037F000-memory.dmp (3.5MB)
  • memory/1380-58-0x0000000140000000-0x000000014037F000-memory.dmp (3.5MB)
  • memory/1380-59-0x0000000140000000-0x000000014037F000-memory.dmp (3.5MB)
  • memory/1380-62-0x0000000140000000-0x000000014037F000-memory.dmp (3.5MB)
  • memory/1380-64-0x0000000140000000-0x000000014037F000-memory.dmp (3.5MB)
  • memory/1380-65-0x0000000140000000-0x000000014037F000-memory.dmp (3.5MB)
  • memory/1380-63-0x0000000140000000-0x000000014037F000-memory.dmp (3.5MB)
  • memory/1380-73-0x0000000002B00000-0x0000000002B07000-memory.dmp (28KB)
  • memory/1380-61-0x0000000140000000-0x000000014037F000-memory.dmp (3.5MB)
  • memory/1380-60-0x0000000140000000-0x000000014037F000-memory.dmp (3.5MB)
  • memory/1380-84-0x0000000077AD0000-0x0000000077AD2000-memory.dmp (8KB)
  • memory/1380-83-0x0000000077971000-0x0000000077972000-memory.dmp (4KB)
  • memory/1380-57-0x0000000140000000-0x000000014037F000-memory.dmp (3.5MB)
  • memory/1380-55-0x0000000140000000-0x000000014037F000-memory.dmp (3.5MB)
  • memory/1380-54-0x0000000140000000-0x000000014037F000-memory.dmp (3.5MB)
  • memory/1380-53-0x0000000140000000-0x000000014037F000-memory.dmp (3.5MB)
  • memory/1380-51-0x0000000140000000-0x000000014037F000-memory.dmp (3.5MB)
  • memory/1380-49-0x0000000140000000-0x000000014037F000-memory.dmp (3.5MB)
  • memory/1380-48-0x0000000140000000-0x000000014037F000-memory.dmp (3.5MB)
  • memory/1380-47-0x0000000140000000-0x000000014037F000-memory.dmp (3.5MB)
  • memory/1380-46-0x0000000140000000-0x000000014037F000-memory.dmp (3.5MB)
  • memory/1380-44-0x0000000140000000-0x000000014037F000-memory.dmp (3.5MB)
  • memory/1380-43-0x0000000140000000-0x000000014037F000-memory.dmp (3.5MB)
  • memory/1380-25-0x0000000140000000-0x000000014037F000-memory.dmp (3.5MB)
  • memory/1380-40-0x0000000140000000-0x000000014037F000-memory.dmp (3.5MB)
  • memory/1380-39-0x0000000140000000-0x000000014037F000-memory.dmp (3.5MB)
  • memory/1380-38-0x0000000140000000-0x000000014037F000-memory.dmp (3.5MB)
  • memory/1380-36-0x0000000140000000-0x000000014037F000-memory.dmp (3.5MB)
  • memory/1380-34-0x0000000140000000-0x000000014037F000-memory.dmp (3.5MB)
  • memory/1380-33-0x0000000140000000-0x000000014037F000-memory.dmp (3.5MB)
  • memory/1380-32-0x0000000140000000-0x000000014037F000-memory.dmp (3.5MB)
  • memory/1380-30-0x0000000140000000-0x000000014037F000-memory.dmp (3.5MB)
  • memory/1380-29-0x0000000140000000-0x000000014037F000-memory.dmp (3.5MB)
  • memory/1380-27-0x0000000140000000-0x000000014037F000-memory.dmp (3.5MB)
  • memory/1380-24-0x0000000140000000-0x000000014037F000-memory.dmp (3.5MB)
  • memory/1380-5-0x0000000002B20000-0x0000000002B21000-memory.dmp (4KB)
  • memory/1380-22-0x0000000140000000-0x000000014037F000-memory.dmp (3.5MB)
  • memory/1380-21-0x0000000140000000-0x000000014037F000-memory.dmp (3.5MB)
  • memory/1380-20-0x0000000140000000-0x000000014037F000-memory.dmp (3.5MB)
  • memory/1380-28-0x0000000140000000-0x000000014037F000-memory.dmp (3.5MB)
  • memory/1380-19-0x0000000140000000-0x000000014037F000-memory.dmp (3.5MB)
  • memory/1380-18-0x0000000140000000-0x000000014037F000-memory.dmp (3.5MB)
  • memory/1380-187-0x0000000077866000-0x0000000077867000-memory.dmp (4KB)
  • memory/1380-16-0x0000000140000000-0x000000014037F000-memory.dmp (3.5MB)
  • memory/1380-14-0x0000000140000000-0x000000014037F000-memory.dmp (3.5MB)
  • memory/1380-15-0x0000000140000000-0x000000014037F000-memory.dmp (3.5MB)
  • memory/1380-13-0x0000000140000000-0x000000014037F000-memory.dmp (3.5MB)
  • memory/1380-12-0x0000000140000000-0x000000014037F000-memory.dmp (3.5MB)
  • memory/1380-8-0x0000000140000000-0x000000014037F000-memory.dmp (3.5MB)
  • memory/1380-11-0x0000000140000000-0x000000014037F000-memory.dmp (3.5MB)
  • memory/1380-10-0x0000000140000000-0x000000014037F000-memory.dmp (3.5MB)
  • memory/1380-9-0x0000000140000000-0x000000014037F000-memory.dmp (3.5MB)
  • memory/1796-135-0x0000000000110000-0x0000000000117000-memory.dmp (28KB)
  • memory/1848-109-0x0000000000100000-0x0000000000107000-memory.dmp (28KB)
  • memory/2880-7-0x0000000140000000-0x000000014037F000-memory.dmp (3.5MB)
  • memory/2880-0-0x0000000000120000-0x0000000000127000-memory.dmp (28KB)
  • memory/2880-1-0x0000000140000000-0x000000014037F000-memory.dmp (3.5MB)