Analysis

  • max time kernel
    149s
  • max time network
    117s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags
    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    30-01-2024 23:29

General

  • Target
    82db4107f6e131cd91a70e918dc4bfb2.dll
  • Size
    3.1MB
  • MD5
    82db4107f6e131cd91a70e918dc4bfb2
  • SHA1
    113d6fe86befdae836743292ba115bbfd63edbd7
  • SHA256
    297b30d04329d60ca335b82dd1d813b21d884fe642e602b61a9314501ad69782
  • SHA512
    92c92584210b0c0bf9b6d1798a0db0b21901763ef07f93bf176a607ae6448be6e2e82ecc909df5aa65f3a02899cf80c75357d08e544e85438e11a1430c14c6a7
  • SSDEEP
    12288:FVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1I1:cfP7fWsK5z9A+WGAW+V5SB6Ct4bnbI1

Malware Config

Signatures

  • Dridex
    Dridex (known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
  • Dridex Shellcode (1 IoC)
    Detects Dridex payload shellcode injected into the Explorer process.
  • Executes dropped EXE (3 IoCs)
  • Loads dropped DLL (7 IoCs)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Checks whether UAC is enabled (1 TTP, 4 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of WriteProcessMemory (18 IoCs)
  • Uses Task Scheduler COM API (1 TTP)
    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe (PID 2948)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\82db4107f6e131cd91a70e918dc4bfb2.dll,#1
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
  • C:\Windows\system32\ComputerDefaults.exe (PID 2940)
    Command line: C:\Windows\system32\ComputerDefaults.exe
    • C:\Users\Admin\AppData\Local\m2cq\ComputerDefaults.exe (PID 1764)
      Command line: C:\Users\Admin\AppData\Local\m2cq\ComputerDefaults.exe
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
    • C:\Windows\system32\DeviceDisplayObjectProvider.exe (PID 1792)
      Command line: C:\Windows\system32\DeviceDisplayObjectProvider.exe
      • C:\Users\Admin\AppData\Local\rMqp\DeviceDisplayObjectProvider.exe (PID 876)
        Command line: C:\Users\Admin\AppData\Local\rMqp\DeviceDisplayObjectProvider.exe
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
      • C:\Windows\system32\BitLockerWizardElev.exe (PID 1496)
        Command line: C:\Windows\system32\BitLockerWizardElev.exe
        • C:\Users\Admin\AppData\Local\AMsGPi\BitLockerWizardElev.exe (PID 2344)
          Command line: C:\Users\Admin\AppData\Local\AMsGPi\BitLockerWizardElev.exe
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\AMsGPi\BitLockerWizardElev.exe
    Filesize: 98KB
    MD5: 73f13d791e36d3486743244f16875239
    SHA1: ed5ec55dbc6b3bda505f0a4c699c257c90c02020
    SHA256: 2483d2f0ad481005cca081a86a07be9060bc6d4769c4570f92ad96fa325be9b8
    SHA512: 911a7b532312d50cc5e7f6a046d46ab5b322aa17ce59a40477173ea50f000a95db45f169f4ea3574e3e00ae4234b9f8363ac79329d683c14ebee1d423e6e43af
  • C:\Users\Admin\AppData\Local\AMsGPi\FVEWIZ.dll
    Filesize: 112KB
    MD5: 2be30f81b80bb026c2ad98a21fcfc7e8
    SHA1: b9f42f38573d1b1da8b6a3ef954010b87daab7d8
    SHA256: 75e841b8d111057de153bdffff1cc0f3770c33aec4aa8b4f1de59ab5dab0cb00
    SHA512: 7de186b7f58cb2ce92db4a2838d32d16d1a4bf4ded4fdd5fbea085a7bf43214cebbbac954c3d3a93758b9ddcd1a6881667424b529d1b8daa023352094405d7a3
  • C:\Users\Admin\AppData\Local\m2cq\ComputerDefaults.exe
    Filesize: 36KB
    MD5: 86bd981f55341273753ac42ea200a81e
    SHA1: 14fe410efc9aeb0a905b984ac27719ff0dd10ea7
    SHA256: 40b194be2bad2d3d4d1b69f9aec2853c8b663130810a11607ff72a9e3a06d5b3
    SHA512: 49bb6d4bf7a9356fadde7f6165af6973630827d28b69db10ad477a84d98b08fb82e4daae777166e1ddddb5b5efcdf634e4e9bd34b255dae87462ba32e8bba143
  • C:\Users\Admin\AppData\Local\m2cq\appwiz.cpl
    Filesize: 144KB
    MD5: 4a460c513cb5b5d541745ebdb7c24a89
    SHA1: b7229290b0330bda1d2d36bb38a53eea385dee08
    SHA256: ef1048eef6d240573e6cfc0790e4b64b57f6d0c89417af361d705ae011ab7d9b
    SHA512: c2e46b421b0c71c95cba66043fc5fc92a058354ffc514b448b00b3374273c141dcaae6b0931b6cc103a1042d54ec8e61ca39bbcc8d9702c9a2bac39fcec11b2b
  • C:\Users\Admin\AppData\Local\rMqp\DeviceDisplayObjectProvider.exe
    Filesize: 48KB
    MD5: 1fffd5db902c6bdaa7c56ee780fe9fd3
    SHA1: 3ad853969142f78835904de5aba74fa0ce1411b1
    SHA256: 2d5b4f609429806763f48b5fab64181f00e3fb60d30eeb3fd859c0598dbbee8c
    SHA512: c215ccdf98d9ac47986062528d159554e68265688534d8bccd4484e6e99d1e8ba5e471a9c68a1fd8cd1fcac19ff03cd3e04a2215a8cd8e62a4a8b2a2bc8146a2
  • C:\Users\Admin\AppData\Local\rMqp\XmlLite.dll
    Filesize: 43KB
    MD5: f9a79479fd303e74edca6b9079e9c839
    SHA1: 858b42b3f50fd24c7ce0754938e9d11dd53cbb20
    SHA256: 6ce3304366db0370ef22360320caa549360b429fb765088be6e6b7327df6f037
    SHA512: a1e5229bdb3f08206c0c040d8f23b9ea87924d6eeff36fdc2f2ef86453f68e2fa3445ba043046ce6a46342aa3d30a82e44cffb230e621f1c8648ab48b28a5b9b
  • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dbyxyty.lnk
    Filesize: 1KB
    MD5: a1c097ca2d2e8f14e3856435a0d23a89
    SHA1: 6fb9a5afba99bb0590ccdc841a07d624c2112362
    SHA256: 93bcd20ad967694bdbc0bc1eb89f232fc251a51b8ec30abc2b24c458df2f8ed9
    SHA512: 31a20150a14a28ae4560a1e7fa2affc9bb71338023878034c52a7a85ff7dc2d2cb93ea387770c0ea6073870e7d4f600dbc2f0c65f94d7b26cd06daa0f15daa44
  • C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\EYSJKQKJ\IkhM45LsJ8\FVEWIZ.dll
    Filesize: 3.1MB
    MD5: 1387b1b0e64d26e71f7feae51b049b0d
    SHA1: da653da74e8a9da940864017659bd92c3c540532
    SHA256: 962396dddb441d5b43a19e038722091806f945a8cce79a082971f24656a829ff
    SHA512: 31f116a9d034651f5b1d89aa7dd7fae44184f0c63ac9e433316b07ca873fdb726ebab96939fbd2f57c34d70a7e5e48a1c5124d85ad2372fdb974b9c8ce0e595f
  • C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\cf0VXOVMXTd\DeviceDisplayObjectProvider.exe
    Filesize: 109KB
    MD5: 7e2eb3a4ae11190ef4c8a9b9a9123234
    SHA1: 72e98687a8d28614e2131c300403c2822856e865
    SHA256: 8481a8ec19cb656ce328c877d5817d317203ba34424a2e9d169ddce5bf2cd2b0
    SHA512: 18b1a0637f48929972a463d441182307725ebf1410dd461a1966bd040ac5dcced138155b7c713bfc924ea2f7b39527a084a08b44fa24c3eb9c654871f99caabf
  • C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\cf0VXOVMXTd\XmlLite.dll
    Filesize: 592KB
    MD5: 7e0da16b846a6f71d494e4548f610a6a
    SHA1: 0987f9ae66ea08d766933d82e7c1371b8336d0d9
    SHA256: 6f00969e209f70c997c1440b13be99dd2a17cda19c0d9a36a437d3edba061cbb
    SHA512: 36771851af2245c96b304139f3235e4df453c75a5031dbe2a7ac054a8207b46fd03cac8ddef1799418864bd04ca254f5ad6e2814b8b9ac5876b004d374cf7542
  • C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\iLNrb5lZyS\appwiz.cpl
    Filesize: 97KB
    MD5: 015c38842e81e36f68ccea31cc835480
    SHA1: c29a109d93b15cb1361af74fa32b54825ade7c54
    SHA256: 160e230daf82dc4f482307c504d47e5aaa3a1d1083e033dfbf241bf9fd584d4a
    SHA512: 0feb506770be4bce18e967800cb6d531a37aeb6600310fcd187533c425db0af8d1cf0775641b96bf084c29d6b5887fcb1f87fe4bb14343bf084608196889d301
  • \Users\Admin\AppData\Local\AMsGPi\FVEWIZ.dll
    Filesize: 108KB
    MD5: 3367dd81b65c54db5d91bd476cb519bd
    SHA1: e23863b6e28a3f0969ba7f04ab0e871bac73b9fa
    SHA256: bc5036db87108d2e6259b3fe00e034b3d64ae837e8849a05aa64cc7babda1349
    SHA512: 6e77ea682275b87c6b59678aa1997df6ffa935cd0a21fb30af9ccc7bad4043500333515c0df10cec8db17b7320ac74a81a70c769ca2d406763c0d50ba60e864d
  • \Users\Admin\AppData\Local\m2cq\appwiz.cpl
    Filesize: 152KB
    MD5: bf730a89e3f78d94db9935ddfdf84bc1
    SHA1: 3d24069067f920801ab4beb378f9369ff2d2d0ca
    SHA256: 36e98fd33a1412f8b9428805a672d45d6a6bcc90799d8d5f15f42f5076287f1d
    SHA512: 6e27a68c10093610cbb002386f80a139a1d81b753cf9b7711a21407f3ab50a1b0e1e22a3424e203e453fe2a3ca1d1a2c30e7946d218ab94295b88a3f7b11e0b1
  • \Users\Admin\AppData\Local\rMqp\DeviceDisplayObjectProvider.exe
    Filesize: 37KB
    MD5: c96c8854766f7b5d314e5e5cb9dd37cd
    SHA1: 6a280be3746f052e01797d4b7b1aa12237421b50
    SHA256: 5b387569e33d1c5f6c100410bfa8346152fdc726fb894fb73315e5f17c6925d1
    SHA512: aca48cd23524efde0c3975a394388fc12e578db974e1580737cda90d0c8d78edc1137d76fe82b2988f68bdc13a46f9c8c2c96bb3315a151ca63003e7175d70d6
  • \Users\Admin\AppData\Local\rMqp\XmlLite.dll
    Filesize: 60KB
    MD5: 9086b275455f1233c77e2cb7c4077a7b
    SHA1: 016732a992c478559c7a92ae94b4f3cf7dee3bdd
    SHA256: 394cfeb66285fc5e967dc3d05b60040c779bcc0d9f6e0556e18d1db4b1a4f637
    SHA512: d8d4fe290bd1eed81b04176bb2ced296880f85e9de7a2411773f27902f80a5b94c49d86193531b52fcd5ef6a725995181f217c1a4d7eca2f9c1be2b44652aaa2
  • \Users\Admin\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\EYSJKQKJ\IkhM45LsJ8\BitLockerWizardElev.exe
    Filesize: 1KB
    MD5: 0bf47230134131e29b6882da88f46ba8
    SHA1: 7f8e57a2e713016a133fe5d753af670042677515
    SHA256: f39bb73e7eb0c9152883471835f4c8053b85ade257b7e05b6d79ec55cf0b021f
    SHA512: a285de5b15adcf66b522dc31c98d09de8f2ea9097c4f0e82bb2df42f17b17186d7bd13c5c524428ec50ccd3b720956edb71dc06ba04bdbcbc2cedde9a82ed980

  • memory/1384-38-0x0000000140000000-0x0000000140325000-memory.dmp (Filesize: 3.1MB)
  • memory/1384-26-0x0000000140000000-0x0000000140325000-memory.dmp (Filesize: 3.1MB)
  • memory/1384-73-0x00000000029E0000-0x00000000029E7000-memory.dmp (Filesize: 28KB)
  • memory/1384-79-0x0000000077680000-0x0000000077682000-memory.dmp (Filesize: 8KB)
  • memory/1384-78-0x0000000077521000-0x0000000077522000-memory.dmp (Filesize: 4KB)
  • memory/1384-61-0x0000000140000000-0x0000000140325000-memory.dmp (Filesize: 3.1MB)
  • memory/1384-59-0x0000000140000000-0x0000000140325000-memory.dmp (Filesize: 3.1MB)
  • memory/1384-58-0x0000000140000000-0x0000000140325000-memory.dmp (Filesize: 3.1MB)
  • memory/1384-56-0x0000000140000000-0x0000000140325000-memory.dmp (Filesize: 3.1MB)
  • memory/1384-55-0x0000000140000000-0x0000000140325000-memory.dmp (Filesize: 3.1MB)
  • memory/1384-53-0x0000000140000000-0x0000000140325000-memory.dmp (Filesize: 3.1MB)
  • memory/1384-52-0x0000000140000000-0x0000000140325000-memory.dmp (Filesize: 3.1MB)
  • memory/1384-51-0x0000000140000000-0x0000000140325000-memory.dmp (Filesize: 3.1MB)
  • memory/1384-49-0x0000000140000000-0x0000000140325000-memory.dmp (Filesize: 3.1MB)
  • memory/1384-48-0x0000000140000000-0x0000000140325000-memory.dmp (Filesize: 3.1MB)
  • memory/1384-47-0x0000000140000000-0x0000000140325000-memory.dmp (Filesize: 3.1MB)
  • memory/1384-45-0x0000000140000000-0x0000000140325000-memory.dmp (Filesize: 3.1MB)
  • memory/1384-44-0x0000000140000000-0x0000000140325000-memory.dmp (Filesize: 3.1MB)
  • memory/1384-43-0x0000000140000000-0x0000000140325000-memory.dmp (Filesize: 3.1MB)
  • memory/1384-65-0x0000000140000000-0x0000000140325000-memory.dmp (Filesize: 3.1MB)
  • memory/1384-5-0x0000000002A00000-0x0000000002A01000-memory.dmp (Filesize: 4KB)
  • memory/1384-64-0x0000000140000000-0x0000000140325000-memory.dmp (Filesize: 3.1MB)
  • memory/1384-62-0x0000000140000000-0x0000000140325000-memory.dmp (Filesize: 3.1MB)
  • memory/1384-42-0x0000000140000000-0x0000000140325000-memory.dmp (Filesize: 3.1MB)
  • memory/1384-41-0x0000000140000000-0x0000000140325000-memory.dmp (Filesize: 3.1MB)
  • memory/1384-39-0x0000000140000000-0x0000000140325000-memory.dmp (Filesize: 3.1MB)
  • memory/1384-4-0x0000000077316000-0x0000000077317000-memory.dmp (Filesize: 4KB)
  • memory/1384-37-0x0000000140000000-0x0000000140325000-memory.dmp (Filesize: 3.1MB)
  • memory/1384-35-0x0000000140000000-0x0000000140325000-memory.dmp (Filesize: 3.1MB)
  • memory/1384-34-0x0000000140000000-0x0000000140325000-memory.dmp (Filesize: 3.1MB)
  • memory/1384-32-0x0000000140000000-0x0000000140325000-memory.dmp (Filesize: 3.1MB)
  • memory/1384-31-0x0000000140000000-0x0000000140325000-memory.dmp (Filesize: 3.1MB)
  • memory/1384-29-0x0000000140000000-0x0000000140325000-memory.dmp (Filesize: 3.1MB)
  • memory/1384-30-0x0000000140000000-0x0000000140325000-memory.dmp (Filesize: 3.1MB)
  • memory/1384-27-0x0000000140000000-0x0000000140325000-memory.dmp (Filesize: 3.1MB)
  • memory/1384-63-0x0000000140000000-0x0000000140325000-memory.dmp (Filesize: 3.1MB)
  • memory/1384-25-0x0000000140000000-0x0000000140325000-memory.dmp (Filesize: 3.1MB)
  • memory/1384-24-0x0000000140000000-0x0000000140325000-memory.dmp (Filesize: 3.1MB)
  • memory/1384-23-0x0000000140000000-0x0000000140325000-memory.dmp (Filesize: 3.1MB)
  • memory/1384-22-0x0000000140000000-0x0000000140325000-memory.dmp (Filesize: 3.1MB)
  • memory/1384-20-0x0000000140000000-0x0000000140325000-memory.dmp (Filesize: 3.1MB)
  • memory/1384-19-0x0000000140000000-0x0000000140325000-memory.dmp (Filesize: 3.1MB)
  • memory/1384-18-0x0000000140000000-0x0000000140325000-memory.dmp (Filesize: 3.1MB)
  • memory/1384-17-0x0000000140000000-0x0000000140325000-memory.dmp (Filesize: 3.1MB)
  • memory/1384-16-0x0000000140000000-0x0000000140325000-memory.dmp (Filesize: 3.1MB)
  • memory/1384-15-0x0000000140000000-0x0000000140325000-memory.dmp (Filesize: 3.1MB)
  • memory/1384-14-0x0000000140000000-0x0000000140325000-memory.dmp (Filesize: 3.1MB)
  • memory/1384-12-0x0000000140000000-0x0000000140325000-memory.dmp (Filesize: 3.1MB)
  • memory/1384-11-0x0000000140000000-0x0000000140325000-memory.dmp (Filesize: 3.1MB)
  • memory/1384-10-0x0000000140000000-0x0000000140325000-memory.dmp (Filesize: 3.1MB)
  • memory/1384-9-0x0000000140000000-0x0000000140325000-memory.dmp (Filesize: 3.1MB)
  • memory/1384-60-0x0000000140000000-0x0000000140325000-memory.dmp (Filesize: 3.1MB)
  • memory/1384-57-0x0000000140000000-0x0000000140325000-memory.dmp (Filesize: 3.1MB)
  • memory/1384-54-0x0000000140000000-0x0000000140325000-memory.dmp (Filesize: 3.1MB)
  • memory/1384-50-0x0000000140000000-0x0000000140325000-memory.dmp (Filesize: 3.1MB)
  • memory/1384-46-0x0000000140000000-0x0000000140325000-memory.dmp (Filesize: 3.1MB)
  • memory/1384-40-0x0000000140000000-0x0000000140325000-memory.dmp (Filesize: 3.1MB)
  • memory/1384-7-0x0000000140000000-0x0000000140325000-memory.dmp (Filesize: 3.1MB)
  • memory/1384-36-0x0000000140000000-0x0000000140325000-memory.dmp (Filesize: 3.1MB)
  • memory/1384-33-0x0000000140000000-0x0000000140325000-memory.dmp (Filesize: 3.1MB)
  • memory/1384-28-0x0000000140000000-0x0000000140325000-memory.dmp (Filesize: 3.1MB)
  • memory/1384-161-0x0000000077316000-0x0000000077317000-memory.dmp (Filesize: 4KB)
  • memory/1384-21-0x0000000140000000-0x0000000140325000-memory.dmp (Filesize: 3.1MB)
  • memory/1384-13-0x0000000140000000-0x0000000140325000-memory.dmp (Filesize: 3.1MB)
  • memory/1764-108-0x0000000000100000-0x0000000000107000-memory.dmp (Filesize: 28KB)
  • memory/2344-140-0x0000000001F20000-0x0000000001F27000-memory.dmp (Filesize: 28KB)
  • memory/2948-0-0x00000000001C0000-0x00000000001C7000-memory.dmp (Filesize: 28KB)
  • memory/2948-1-0x0000000140000000-0x0000000140325000-memory.dmp (Filesize: 3.1MB)
  • memory/2948-8-0x0000000140000000-0x0000000140325000-memory.dmp (Filesize: 3.1MB)