Analysis

  • max time kernel
    149s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    30-01-2024 08:33

General

  • Target

    81f8648768d984dad73854085026281b.dll

  • Size

    1.7MB

  • MD5

    81f8648768d984dad73854085026281b

  • SHA1

    46693723c9775aa609b2a4fdb53bb7d383c9adf3

  • SHA256

    f5a2a17ec58c0e535e888c046a88eb1703fd65111fff76073fa8b540702f5efa

  • SHA512

    0372bb40acb5549ddc542b2899358c10bc50d77acea5cc8de2cc808e859f87bcf5979843ede11723e6aee0b227ee6191e2186f4e5ed70e174723a0242f52f914

  • SSDEEP

    12288:MVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:5fP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing banking credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex payload shellcode injected into the Explorer process.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\81f8648768d984dad73854085026281b.dll,#1
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2356
  • C:\Users\Admin\AppData\Local\649t\unregmp2.exe
    C:\Users\Admin\AppData\Local\649t\unregmp2.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:2664
  • C:\Windows\system32\unregmp2.exe
    C:\Windows\system32\unregmp2.exe
    PID:2632
    • C:\Users\Admin\AppData\Local\qdv2Wme\Netplwiz.exe
      C:\Users\Admin\AppData\Local\qdv2Wme\Netplwiz.exe
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2136
    • C:\Windows\system32\Netplwiz.exe
      C:\Windows\system32\Netplwiz.exe
      PID:1692
      • C:\Windows\system32\notepad.exe
        C:\Windows\system32\notepad.exe
        PID:2128
        • C:\Users\Admin\AppData\Local\pfpb\notepad.exe
          C:\Users\Admin\AppData\Local\pfpb\notepad.exe
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:768

Downloads
