Analysis

  • max time kernel
    150s
  • max time network
    117s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    31-01-2024 04:39

General

  • Target

    837792f925aca842eba981ebc7aff9a1.dll

  • Size

    2.2MB

  • MD5

    837792f925aca842eba981ebc7aff9a1

  • SHA1

    527e5a2d67f6422ae44a5276ae6cf67f7e597823

  • SHA256

    3806ec3c6ae591fb47c6b48f5dbfaf45d7500d6efb12c07311ecdc5e9c9d514d

  • SHA512

    a4b0865d290225b514fd4b711ae83d5f659b19edf1fd2409920054ef706eb580e2d2a816ba34ceaa5778d1c43bce7149575b736e8828de9c942906800512c90f

  • SSDEEP

    12288:eVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:DfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode (1 IoC)

    Detects Dridex payload shellcode injected into the Explorer process.

  • Executes dropped EXE (3 IoCs)
  • Loads dropped DLL (7 IoCs)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Checks whether UAC is enabled (1 TTP, 3 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of WriteProcessMemory (18 IoCs)
  • Uses Task Scheduler COM API (1 TTP)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\837792f925aca842eba981ebc7aff9a1.dll
    • Suspicious behavior: EnumeratesProcesses
    PID:2356
  • C:\Users\Admin\AppData\Local\yPjURgvo6\rdrleakdiag.exe
    C:\Users\Admin\AppData\Local\yPjURgvo6\rdrleakdiag.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:2016
  • C:\Windows\system32\rdrleakdiag.exe
    C:\Windows\system32\rdrleakdiag.exe
    PID:2672
  • C:\Windows\system32\rstrui.exe
    C:\Windows\system32\rstrui.exe
    PID:3068
  • C:\Users\Admin\AppData\Local\8a8gkC\rstrui.exe
    C:\Users\Admin\AppData\Local\8a8gkC\rstrui.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:3064
  • C:\Windows\system32\RDVGHelper.exe
    C:\Windows\system32\RDVGHelper.exe
    PID:1324
  • C:\Users\Admin\AppData\Local\dfCDb\RDVGHelper.exe
    C:\Users\Admin\AppData\Local\dfCDb\RDVGHelper.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:1964

Network

MITRE ATT&CK Enterprise v15


Downloads
