Analysis

  • max time kernel
    149s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    30-01-2024 05:15

General

  • Target

    818f6364c18d61853f5e7875c46b41b7.dll

  • Size

    2.2MB

  • MD5

    818f6364c18d61853f5e7875c46b41b7

  • SHA1

    0996afc6bdf46c9714f85894e9501c31573d80d0

  • SHA256

    354581ef623c4841ef267fae935ea55b0aa622c1de1aec7c31d3fbfe05005e00

  • SHA512

    4d4c4029cc74ea98745a605b7e1bd0cf5cc5aa05c77bb9ec6ff71a01797a5347cc7be07ab2c414e4c23128655f4eb4f30e80d76520e189e359487e30380a5866

  • SSDEEP

    12288:DVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:SfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a banking trojan that specializes in stealing online banking credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex payload shellcode injected into the Explorer process.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\818f6364c18d61853f5e7875c46b41b7.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2380
  • C:\Windows\system32\PresentationSettings.exe
    C:\Windows\system32\PresentationSettings.exe
    1⤵
      PID:2524
    • C:\Users\Admin\AppData\Local\zEey2an\PresentationSettings.exe
      C:\Users\Admin\AppData\Local\zEey2an\PresentationSettings.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2416
    • C:\Users\Admin\AppData\Local\IDn\vmicsvc.exe
      C:\Users\Admin\AppData\Local\IDn\vmicsvc.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2720
    • C:\Windows\system32\vmicsvc.exe
      C:\Windows\system32\vmicsvc.exe
      1⤵
        PID:640
      • C:\Windows\system32\javaws.exe
        C:\Windows\system32\javaws.exe
        1⤵
          PID:1620
        • C:\Users\Admin\AppData\Local\bJLGHX8B\javaws.exe
          C:\Users\Admin\AppData\Local\bJLGHX8B\javaws.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1524
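The process tree above shows the loader's layout: binary names the report logs executing from System32 (PresentationSettings.exe, vmicsvc.exe, javaws.exe) reappear in random-named %LOCALAPPDATA% folders (zEey2an, IDn, bJLGHX8B), each flagged "Loads dropped DLL", with a DLL named after a system library (Secur32.dll, ACTIVEDS.dll, VERSION.dll) dropped into the same folder, and a .lnk written to the Startup folder. The Python below is an added example, not code from the report or the sandbox, that hunts for that layout over constructed Sysmon-style events. The event shape, the Run-key value name, and the binary-to-DLL pairing (inferred from which DLL sits beside each binary in the Downloads list) are assumptions; the SHA256 values are copied from the Downloads section.

```python
"""Hunt for the DLL side-loading and persistence layout seen in this report.

Added example, not code from the sandbox or the report. It runs over
constructed, Sysmon-style events (process starts, file writes, registry
writes) modelled on the Processes and Downloads sections; the event shape
is an assumption, the hashes are copied from the Downloads section.
"""
import ntpath
import re
from collections import Counter
from dataclasses import dataclass

SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Binary names the report shows running from System32 and again from a
# random-named %LOCALAPPDATA% folder, paired with the system-DLL name the
# Downloads section lists beside each copy (pairing inferred from co-location).
SIDELOAD_PAIRS = {
    "presentationsettings.exe": {"secur32.dll"},
    "vmicsvc.exe": {"activeds.dll"},
    "javaws.exe": {"version.dll"},
}

# SHA256 of dropped files, copied from the Downloads section of the report.
DROPPED_SHA256 = {
    "7e55b7699588257e3f4bc1d346f184c1257a643b113d2cf0b1447c8cc7730ec3": r"IDn\ACTIVEDS.dll",
    "392073a784de91d6c687706287b5f679764ec87440248160fe6b6413efaec4f0": r"IDn\vmicsvc.exe",
    "39fa28f3860b4c25c2d024b0610005dc14ff9b14c983fb6f9f873b2cca2bbf5a": r"zEey2an\Secur32.dll",
    "208b94fd66a6ce266c3195f87029a41a0622fff47f2a5112552cb087adbb1258": r"zEey2an\PresentationSettings.exe",
    "29c32072c11b2df0298332eff50cf141416a35d136cc0ab0a8598616f28def27": r"bJLGHX8B\VERSION.dll",
    "3e0aec56c449407530759b86c55a8ab9a73c87324909ed0d6a856f14dadc3393": r"bJLGHX8B\javaws.exe",
    "d329794f7cfd365772458b9e30e4d662d3008de03ace29fc1be5759dd7fe7c1f": r"Startup\Dbyxyty.lnk",
}

# Startup-folder .lnk; the report logs the path with 8.3 short names
# (MICROS~1, STARTM~1), so match both spellings or the check misses it.
STARTUP_LNK_RE = re.compile(r"\\(start menu|startm~1)\\programs\\startup\\[^\\]+\.lnk$", re.I)
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)


@dataclass
class Event:
    kind: str      # "process", "file" or "registry"
    path: str      # image path, written file path, or registry value path
    pid: int = 0
    sha256: str = ""


def _norm(path: str) -> str:
    return path.replace("/", "\\").lower()


def hunt(events):
    """Return (finding_kind, detail) tuples for the loader's tell-tale layout."""
    findings = []
    dropped_dlls = {}  # lowercase directory -> set of lowercase DLL names written there
    for e in events:
        p = _norm(e.path)
        if e.kind == "file":
            directory, name = ntpath.split(p)
            if name.endswith(".dll"):
                dropped_dlls.setdefault(directory, set()).add(name)
            if STARTUP_LNK_RE.search(p):
                findings.append(("startup_lnk", e.path))
            if e.sha256.lower() in DROPPED_SHA256:
                findings.append(("known_hash", DROPPED_SHA256[e.sha256.lower()]))
        elif e.kind == "registry" and RUN_KEY_RE.search(p):
            findings.append(("run_key", e.path))
    # Second pass: a System32 binary name executing outside System32, with one
    # of its side-load DLLs already written into the same folder.
    for e in events:
        if e.kind != "process":
            continue
        directory, name = ntpath.split(_norm(e.path))
        if name in SIDELOAD_PAIRS and directory not in SYSTEM_DIRS:
            findings.append(("system_binary_relocated", e.path))
            for dll in sorted(SIDELOAD_PAIRS[name] & dropped_dlls.get(directory, set())):
                findings.append(("sideload_dll_staged", ntpath.join(ntpath.dirname(e.path), dll)))
    return findings


def summarize(events):
    """Count findings by kind; an empty Counter means nothing matched."""
    return Counter(kind for kind, _ in hunt(events))


# Constructed events modelled on the report (the Run value name is invented).
SAMPLE_EVENTS = [
    Event("process", r"C:\Windows\system32\rundll32.exe", pid=2380),
    Event("file", r"C:\Users\Admin\AppData\Local\zEey2an\Secur32.dll",
          sha256="39fa28f3860b4c25c2d024b0610005dc14ff9b14c983fb6f9f873b2cca2bbf5a"),
    Event("file", r"C:\Users\Admin\AppData\Local\zEey2an\PresentationSettings.exe",
          sha256="208b94fd66a6ce266c3195f87029a41a0622fff47f2a5112552cb087adbb1258"),
    Event("process", r"C:\Windows\system32\PresentationSettings.exe", pid=2524),
    Event("process", r"C:\Users\Admin\AppData\Local\zEey2an\PresentationSettings.exe", pid=2416),
    Event("file", r"C:\Users\Admin\AppData\Local\IDn\ACTIVEDS.dll",
          sha256="7e55b7699588257e3f4bc1d346f184c1257a643b113d2cf0b1447c8cc7730ec3"),
    Event("process", r"C:\Users\Admin\AppData\Local\IDn\vmicsvc.exe", pid=2720),
    Event("file", r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dbyxyty.lnk",
          sha256="d329794f7cfd365772458b9e30e4d662d3008de03ace29fc1be5759dd7fe7c1f"),
    Event("registry", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Dbyxyty"),
    Event("file", r"C:\Users\Admin\AppData\Local\Temp\notes.txt", sha256="00" * 32),  # benign noise
]

if __name__ == "__main__":
    for kind, detail in hunt(SAMPLE_EVENTS):
        print(f"{kind:24} {detail}")
```

The two-pass design matters: the DLL write is recorded before the relocated binary starts, so the side-load check needs the set of dropped DLLs per folder before it looks at process starts. Matching on the System32 copy alone (PID 2524 and 640 above) produces no finding, which is the intended behaviour; the signal is the same binary name running from a user-writable folder with its side-load DLL beside it.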

        Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\IDn\ACTIVEDS.dll

          Filesize

          111KB

          MD5

          b70921fd96675c8628f7fa935ea4386e

          SHA1

          a6bec6a71137e5fb6b5164b2a16c43976e575520

          SHA256

          7e55b7699588257e3f4bc1d346f184c1257a643b113d2cf0b1447c8cc7730ec3

          SHA512

          80b57d911f1342fb730e614bdfc0dd9063c227209cbcf43a51881c194b5d8948409174559bc9c09e03fe569fdb03e54420c2d0154d1fe27c8c1854b3cae8bab8

        • C:\Users\Admin\AppData\Local\IDn\vmicsvc.exe

          Filesize

          124KB

          MD5

          ee32b0796020e4557c99e1f4cc5f67b4

          SHA1

          27d3058bfa19d7f367cb0ca4254d8fd32aefbf0f

          SHA256

          392073a784de91d6c687706287b5f679764ec87440248160fe6b6413efaec4f0

          SHA512

          624b14381fc919580744e74fe5c855c70033712d98f68f7b99fab9d1ca9e51698b947d19fe9bfb4e3d74766c9d0cc1b8f5cbbc2779d178fd3ce01b52b99077f4

        • C:\Users\Admin\AppData\Local\IDn\vmicsvc.exe

          Filesize

          77KB

          MD5

          69423b3d5c58c30fb49ccd2e58ce20eb

          SHA1

          bb990c90c87f67047888f74b3c86b5148450b79b

          SHA256

          6741607482ae7b057679b3f6eebd44ce9d06b72f78724c942c85a147abb88add

          SHA512

          38d775f7f9c67f88ab5fb9b85278e0f3e751e346567ad9ac9b71f443e1ae6843ec96f0f45896e1f2f30744fa40507c73b46c74a7cf8232b481dd5f5a91b410c3

        • C:\Users\Admin\AppData\Local\bJLGHX8B\VERSION.dll

          Filesize

          68KB

          MD5

          d60d2dbd2f9c5d505d0e1049d9dacf14

          SHA1

          fed505730558f9e3d0d023dcd098cfec3a775dc8

          SHA256

          29c32072c11b2df0298332eff50cf141416a35d136cc0ab0a8598616f28def27

          SHA512

          b90e1ab9aad3a07a970c4a637ca306ac426f44cd63e6565d44810e1577f7b8b380439c018784216a6f4ea7a0e4f86c95d16f544eebc95857d3f0cd8184f27e01

        • C:\Users\Admin\AppData\Local\bJLGHX8B\javaws.exe

          Filesize

          146KB

          MD5

          463ba46e391828dbcdbb542438f8b909

          SHA1

          5dd685e9c2b2c64db447a8cd2066368695609752

          SHA256

          3e0aec56c449407530759b86c55a8ab9a73c87324909ed0d6a856f14dadc3393

          SHA512

          6c1e956d6dc24eec6cbad8d2c524b133111bc0c20a49cd47737985a81a8d87d91e6eba684d975bdca91cc2eb424bdfc4858643f174413967e1246cb977af2f24

        • C:\Users\Admin\AppData\Local\bJLGHX8B\javaws.exe

          Filesize

          153KB

          MD5

          100835591a336be6a9d1728a71763821

          SHA1

          cc71d367fad4a351d2650e1ab0113b96857a7c03

          SHA256

          8870f5a0b2e4a4969874a17a36be07343373b7504fee306b43d967cd7da10414

          SHA512

          8a9e0da69bbcb15f76c4746dcfa339c89813114b5ef73e97521f3a915270b36ad7536458c3ffeea1efe5884504d6f3c72abc03b83d9d6c3189d3df376f2d1a6b

        • C:\Users\Admin\AppData\Local\zEey2an\PresentationSettings.exe

          Filesize

          172KB

          MD5

          a6f8d318f6041334889481b472000081

          SHA1

          b8cf08ec17b30c8811f2514246fcdff62731dd58

          SHA256

          208b94fd66a6ce266c3195f87029a41a0622fff47f2a5112552cb087adbb1258

          SHA512

          60f70fa8a19e6ea6f08f4907dd7fede3665ad3f2e013d49f6649442ea5871a967b9a53ec4d3328a06cb83b69be1b7af1bb14bf122b568bd1f8432ee1d0bfee69

        • C:\Users\Admin\AppData\Local\zEey2an\PresentationSettings.exe

          Filesize

          64KB

          MD5

          32f2035674b7d17ff1b7a7fcd6ab20d1

          SHA1

          5744604e4edb72c0070edf89c58eadfdd44db347

          SHA256

          a81c646b892cc845e5d9e7ecd9546513df8b3edd406481892121f712bc689f12

          SHA512

          164addc49fdb1a9046931d176535e12dd6ba3e60f98e8b0a182690f41f16aeb0f426bc8e067ec60b5f95c3138bf2a8e2bb6522d3c1d3446f948378eda6fb26e1

        • C:\Users\Admin\AppData\Local\zEey2an\Secur32.dll

          Filesize

          182KB

          MD5

          a4ff18c9c99cf7800ea520b8f80c2157

          SHA1

          eca83f3e80eb4d43bd524dc414b7b01f99501ac4

          SHA256

          39fa28f3860b4c25c2d024b0610005dc14ff9b14c983fb6f9f873b2cca2bbf5a

          SHA512

          4ccb1fe3889863eb2e251f7fb503beffe7cea148c745b1a1f3e9e7186ebb62722a9fde921d85d284df9b573c54990e230a621cf9ced0b4b2f03933d5a708cc98

        • C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\Collab\yNpVN\Secur32.dll

          Filesize

          2.2MB

          MD5

          6848563d823a5d6fb37067326d1bd7a3

          SHA1

          5edefd7ddc485cef1deec8851dbb43603831c95f

          SHA256

          222363cc04296e2e981ff247c9b55feb7df51a9dbcbb34df2cdd6026faf9ed9b

          SHA512

          7734e25d6982a69e713d0acc6522f5e9425060ad3ab27323067ed38b23289a5d45c09cb33d9e8aabe762f9de11ed8d8f97bae907bb9fda406666db74810c8afd

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dbyxyty.lnk

          Filesize

          1KB

          MD5

          e56c8071a970ce5cb6be1efe5e0b77ef

          SHA1

          06f0b93948447350a98539439c8eacfe868f783f

          SHA256

          d329794f7cfd365772458b9e30e4d662d3008de03ace29fc1be5759dd7fe7c1f

          SHA512

          823b62d8384f8401077897c785436793a6bd9ca1d064ff07772fe979ef6bc7904bd10cfc901322c4774ed2ec0cc58748de02469eb76c95eb7c2f37765b031533

        • C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\EYSJKQKJ\SbtN6Xl\ACTIVEDS.dll

          Filesize

          2.2MB

          MD5

          49fdd74456889c3ddda8b496524f3d46

          SHA1

          b64c2f75b263514bfe6797506baa435430cb2d27

          SHA256

          afa34d321e8a4126054f126d9ed439f929d3a290fe4a2c4c51f78710ace8eaa9

          SHA512

          a53afa28240b77f2f78bd5c71c3cbe37acf4539b7265d65dad36e641de9b69fda27c1729a6f2ff7800b10591f51e21d2d0a62e25a370822350a970bc5f3613e8

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\DNTException\Low\cIDjCf7\VERSION.dll

          Filesize

          2.2MB

          MD5

          27c326f08a78c8f97f48b1cab0e02cdd

          SHA1

          78558f3b9d5b34bcd42710604f1e7feb42525af3

          SHA256

          638208e5954cce59030067c9b922ab85fda5a39438d720f91a7c3e9f1e621cef

          SHA512

          69767378114edc427f686ca90c6a1dc1851f43dcffe67f9228fa49ac0621fc366e610f2a0f4b65b0764c468dd95fbbd53600322ec9c3f00f0defa94725828cc4

        • \Users\Admin\AppData\Local\IDn\ACTIVEDS.dll

          Filesize

          80KB

          MD5

          ec6f33dc086ada6f9a477f3988fa786b

          SHA1

          e0cd94a71f5b33c3342a532ce0e1ffcf576ed425

          SHA256

          7125df48c10669714a6ffc5da7a98cf31c000d0b41bd1b369f22ef9dd6fcccec

          SHA512

          ff25777a670b955fa14b24d4588956343e8a8dc3d22bfb2c00d0fddf6944e7870c36f9ad5b77ff5dc5ce3f007e23bc645c80b72d04f140f62e93820fa2d32800

        • \Users\Admin\AppData\Local\IDn\vmicsvc.exe

          Filesize

          66KB

          MD5

          5756cda0f93bc8f707745aaec32a1826

          SHA1

          bb7b507fe43bfb68b3e6306f44f0fbe47f68e341

          SHA256

          6fcf27fdb4aedb24553b55fec8f949d73969ba130e3223c9ce9c20a0e7a0ba64

          SHA512

          03a107b60812e5cc731180dfe07b4d119a796fed96ee85a072ca7cb14d29798ac70391b8d75da9ccac238682006acf39a73cdfeaa8bba4f9c28fd0c12868b3eb

        • \Users\Admin\AppData\Local\bJLGHX8B\VERSION.dll

          Filesize

          24KB

          MD5

          85aef3c0287d44f28406684d5a7d1271

          SHA1

          eafa51c5d2a5d549b792ea45d1059ee012756844

          SHA256

          315f9a39ff4651346a50ef4e5f82a2cbc73e130271f023139f17f6e01485699d

          SHA512

          38f51181b559c3f73e9ce9959d6372668a663003f914bd73f6e0232be8912f83707efa9843d433877d5bb058ae4c7e2440efaf8c50c78151d3b9fa52cb52d4a2

        • \Users\Admin\AppData\Local\bJLGHX8B\javaws.exe

          Filesize

          24KB

          MD5

          b38b4485e202acdb263e8ad7aa0760a9

          SHA1

          17255abbcc2cc4486a0499ee24b88855f4017116

          SHA256

          dcc7ba71d7d0bbd1785713c3bfac7291c4eadf063067475af3cb60ce51fbfb98

          SHA512

          daf9f0a85f9601fefea1450181d9a380fbb8be07a3d3f29a1658e81c6fab48cc716089d30c5d09f4b155d045e64c1f3864e9f8a6100da48c68817bfe196014c5

        • \Users\Admin\AppData\Local\zEey2an\Secur32.dll

          Filesize

          177KB

          MD5

          d3ff5172c1b1939c4c5b5f8afc9d5fa3

          SHA1

          9eff15e815a238d621aa3adcf7211f15a5536cda

          SHA256

          d0ef50d238627b66b7c47a51a3a673c5825a30c13f837de594cc64e5214507f5

          SHA512

          5d43856dadf30945cb46eb3c604123ab36aee547f2033c097c2a61bfa18083a16637d8002373dcb1727b58cef05e328d3f9b1f93aa646388d72a741038a711f9

        • \Users\Admin\AppData\Roaming\Microsoft\Windows\DNTException\Low\cIDjCf7\javaws.exe

          Filesize

          109KB

          MD5

          3934d42bd7446ac123a1bd9f615a7cf7

          SHA1

          1a22309b2e06d7ecb0a3c80f5d08e21a1b9d7cea

          SHA256

          7e928f5cd61a31f125f555c35a1953ce63e0acc91c45fc7f797c75b66837e071

          SHA512

          f7a460f5222f5f513c5976aa8cdd569bc5933ccd80e6b6cfce715cd3bdab63dfc085d4bb1034ffce88f0a9474245ffdf68b7bfec54164fa1e7182663048cad71

        • memory/1348-27-0x0000000140000000-0x0000000140237000-memory.dmp

          Filesize

          2.2MB

        • memory/1348-18-0x0000000140000000-0x0000000140237000-memory.dmp

          Filesize

          2.2MB

        • memory/1348-45-0x0000000140000000-0x0000000140237000-memory.dmp

          Filesize

          2.2MB

        • memory/1348-44-0x0000000140000000-0x0000000140237000-memory.dmp

          Filesize

          2.2MB

        • memory/1348-43-0x0000000140000000-0x0000000140237000-memory.dmp

          Filesize

          2.2MB

        • memory/1348-42-0x0000000140000000-0x0000000140237000-memory.dmp

          Filesize

          2.2MB

        • memory/1348-61-0x00000000776E0000-0x00000000776E2000-memory.dmp

          Filesize

          8KB

        • memory/1348-40-0x0000000140000000-0x0000000140237000-memory.dmp

          Filesize

          2.2MB

        • memory/1348-39-0x0000000140000000-0x0000000140237000-memory.dmp

          Filesize

          2.2MB

        • memory/1348-38-0x0000000140000000-0x0000000140237000-memory.dmp

          Filesize

          2.2MB

        • memory/1348-37-0x0000000140000000-0x0000000140237000-memory.dmp

          Filesize

          2.2MB

        • memory/1348-35-0x0000000140000000-0x0000000140237000-memory.dmp

          Filesize

          2.2MB

        • memory/1348-34-0x0000000140000000-0x0000000140237000-memory.dmp

          Filesize

          2.2MB

        • memory/1348-70-0x0000000140000000-0x0000000140237000-memory.dmp

          Filesize

          2.2MB

        • memory/1348-32-0x0000000140000000-0x0000000140237000-memory.dmp

          Filesize

          2.2MB

        • memory/1348-31-0x0000000140000000-0x0000000140237000-memory.dmp

          Filesize

          2.2MB

        • memory/1348-30-0x0000000140000000-0x0000000140237000-memory.dmp

          Filesize

          2.2MB

        • memory/1348-29-0x0000000140000000-0x0000000140237000-memory.dmp

          Filesize

          2.2MB

        • memory/1348-28-0x0000000140000000-0x0000000140237000-memory.dmp

          Filesize

          2.2MB

        • memory/1348-48-0x0000000140000000-0x0000000140237000-memory.dmp

          Filesize

          2.2MB

        • memory/1348-76-0x0000000140000000-0x0000000140237000-memory.dmp

          Filesize

          2.2MB

        • memory/1348-25-0x0000000140000000-0x0000000140237000-memory.dmp

          Filesize

          2.2MB

        • memory/1348-24-0x0000000140000000-0x0000000140237000-memory.dmp

          Filesize

          2.2MB

        • memory/1348-23-0x0000000140000000-0x0000000140237000-memory.dmp

          Filesize

          2.2MB

        • memory/1348-21-0x0000000140000000-0x0000000140237000-memory.dmp

          Filesize

          2.2MB

        • memory/1348-4-0x0000000077476000-0x0000000077477000-memory.dmp

          Filesize

          4KB

        • memory/1348-5-0x0000000002E40000-0x0000000002E41000-memory.dmp

          Filesize

          4KB

        • memory/1348-20-0x0000000140000000-0x0000000140237000-memory.dmp

          Filesize

          2.2MB

        • memory/1348-19-0x0000000140000000-0x0000000140237000-memory.dmp

          Filesize

          2.2MB

        • memory/1348-47-0x0000000140000000-0x0000000140237000-memory.dmp

          Filesize

          2.2MB

        • memory/1348-60-0x0000000077581000-0x0000000077582000-memory.dmp

          Filesize

          4KB

        • memory/1348-17-0x0000000140000000-0x0000000140237000-memory.dmp

          Filesize

          2.2MB

        • memory/1348-15-0x0000000140000000-0x0000000140237000-memory.dmp

          Filesize

          2.2MB

        • memory/1348-14-0x0000000140000000-0x0000000140237000-memory.dmp

          Filesize

          2.2MB

        • memory/1348-13-0x0000000140000000-0x0000000140237000-memory.dmp

          Filesize

          2.2MB

        • memory/1348-12-0x0000000140000000-0x0000000140237000-memory.dmp

          Filesize

          2.2MB

        • memory/1348-11-0x0000000140000000-0x0000000140237000-memory.dmp

          Filesize

          2.2MB

        • memory/1348-10-0x0000000140000000-0x0000000140237000-memory.dmp

          Filesize

          2.2MB

        • memory/1348-9-0x0000000140000000-0x0000000140237000-memory.dmp

          Filesize

          2.2MB

        • memory/1348-8-0x0000000140000000-0x0000000140237000-memory.dmp

          Filesize

          2.2MB

        • memory/1348-50-0x0000000140000000-0x0000000140237000-memory.dmp

          Filesize

          2.2MB

        • memory/1348-59-0x0000000140000000-0x0000000140237000-memory.dmp

          Filesize

          2.2MB

        • memory/1348-16-0x0000000140000000-0x0000000140237000-memory.dmp

          Filesize

          2.2MB

        • memory/1348-157-0x0000000077476000-0x0000000077477000-memory.dmp

          Filesize

          4KB

        • memory/1348-54-0x0000000002E20000-0x0000000002E27000-memory.dmp

          Filesize

          28KB

        • memory/1348-51-0x0000000140000000-0x0000000140237000-memory.dmp

          Filesize

          2.2MB

        • memory/1348-49-0x0000000140000000-0x0000000140237000-memory.dmp

          Filesize

          2.2MB

        • memory/1348-46-0x0000000140000000-0x0000000140237000-memory.dmp

          Filesize

          2.2MB

        • memory/1348-22-0x0000000140000000-0x0000000140237000-memory.dmp

          Filesize

          2.2MB

        • memory/1348-41-0x0000000140000000-0x0000000140237000-memory.dmp

          Filesize

          2.2MB

        • memory/1348-36-0x0000000140000000-0x0000000140237000-memory.dmp

          Filesize

          2.2MB

        • memory/1348-33-0x0000000140000000-0x0000000140237000-memory.dmp

          Filesize

          2.2MB

        • memory/1348-26-0x0000000140000000-0x0000000140237000-memory.dmp

          Filesize

          2.2MB

        • memory/1524-129-0x0000000000100000-0x0000000000107000-memory.dmp

          Filesize

          28KB

        • memory/2380-7-0x0000000140000000-0x0000000140237000-memory.dmp

          Filesize

          2.2MB

        • memory/2380-1-0x0000000000430000-0x0000000000437000-memory.dmp

          Filesize

          28KB

        • memory/2380-0-0x0000000140000000-0x0000000140237000-memory.dmp

          Filesize

          2.2MB

        • memory/2416-89-0x0000000000180000-0x0000000000187000-memory.dmp

          Filesize

          28KB

        • memory/2720-109-0x0000000000330000-0x0000000000337000-memory.dmp

          Filesize

          28KB