Analysis

  • max time kernel
    149s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    31-01-2024 12:09

General

  • Target

    8460ca6c008df062af50bb935cad86e0.dll

  • Size

    2.7MB

  • MD5

    8460ca6c008df062af50bb935cad86e0

  • SHA1

    c7d9a2b3fa86c6f68c1afda5ebcd80fbb52fc42b

  • SHA256

    b656eba38e60d3e5cf61d0f7ee76348ec9053509d5c3fe2c3256eee34993cccd

  • SHA512

    40ce6d2e128b77057347d484a3549c06441fb132a837956c412efe90e39e4314eaaaf8b7de092acb7d6ffc5ae2e5886016b956ca29c8607b6dbb8665adb92a38

  • SSDEEP

    12288:4VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:tfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a banking trojan that specializes in stealing banking credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex payload shellcode injected into the Explorer process.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run at boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\8460ca6c008df062af50bb935cad86e0.dll,#1
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2432
  • C:\Windows\system32\wisptis.exe
    C:\Windows\system32\wisptis.exe
    PID:2912
  • C:\Users\Admin\AppData\Local\00G\wisptis.exe
    C:\Users\Admin\AppData\Local\00G\wisptis.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:2892
  • C:\Windows\system32\SystemPropertiesComputerName.exe
    C:\Windows\system32\SystemPropertiesComputerName.exe
    PID:1004
  • C:\Users\Admin\AppData\Local\SEIo\SystemPropertiesComputerName.exe
    C:\Users\Admin\AppData\Local\SEIo\SystemPropertiesComputerName.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:320
  • C:\Windows\system32\SystemPropertiesProtection.exe
    C:\Windows\system32\SystemPropertiesProtection.exe
    PID:2796
  • C:\Users\Admin\AppData\Local\rnik5\SystemPropertiesProtection.exe
    C:\Users\Admin\AppData\Local\rnik5\SystemPropertiesProtection.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:2800
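
The process tree above shows the pattern a detection engineer would want to match: signed System32 binaries (wisptis.exe, SystemPropertiesComputerName.exe, SystemPropertiesProtection.exe) copied into random directories under AppData\Local and started from there, each with a same-named DLL (HID.DLL, SYSDM.CPL) dropped beside it so the loader search order picks the copy over the System32 original. The script below is an added example and is not part of the sandbox report; it runs four rules over Sysmon-style events (Event ID 1 process creation, 7 image load, 13 registry value set) that were constructed by hand from the report's process tree and dropped-file list. Which DLL each copied binary loads, and which process wrote the Run key the report flags, are not stated on the page and are assumed here.

```python
"""Flag the behaviours in this report over Sysmon-style events.

Added example, not part of the sandbox report. The event records are
constructed by hand from the report's process tree and dropped-file list,
with field names following Sysmon Event ID 1 (ProcessCreate), 7 (ImageLoad)
and 13 (RegistryEvent SetValue). No Sysmon log is actually read.
"""
import ntpath
import re

SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Binaries that legitimately live in System32. A real hunt would build this
# set from a clean host; this constructed subset covers the ones abused here.
SYSTEM32_EXES = {"wisptis.exe", "systempropertiescomputername.exe",
                 "systempropertiesprotection.exe"}
# DLL names those binaries resolve through the loader search order, so a copy
# in the binary's own directory wins over the System32 original.
SYSTEM32_DLLS = {"hid.dll", "sysdm.cpl"}

TEMP_DLL = re.compile(r"\\appdata\\local\\temp\\[^\\\s]+\.dll\b", re.I)
RUN_KEY = re.compile(r"\\currentversion\\run\\[^\\]+$", re.I)


def _split(path):
    """(directory, file name), both lower-cased, using Windows path rules."""
    return ntpath.split(path.lower())


def relocated_system_binary(image):
    """System32 file name running from a directory that is not System32/SysWOW64."""
    d, n = _split(image)
    return n in SYSTEM32_EXES and d not in SYSTEM_DIRS


def sideloaded_dll(image, loaded):
    """DLL with a System32 name loaded from the process's own non-system directory."""
    pd, _ = _split(image)
    ld, ln = _split(loaded)
    return ln in SYSTEM32_DLLS and ld == pd and ld not in SYSTEM_DIRS


def rundll32_temp_dll(image, cmdline):
    """rundll32 invoked on a DLL dropped under the user's AppData\\Local\\Temp."""
    return _split(image)[1] == "rundll32.exe" and TEMP_DLL.search(cmdline) is not None


def run_key_into_appdata(target, details):
    """Run-key value whose command points into the user profile's AppData."""
    return RUN_KEY.search(target) is not None and "\\appdata\\" in details.lower()


def detect(events):
    """Return (ProcessId, rule, evidence) for every event that trips a rule."""
    findings = []
    for e in events:
        pid, eid = e["ProcessId"], e["EventID"]
        if eid == 1:
            if rundll32_temp_dll(e["Image"], e["CommandLine"]):
                findings.append((pid, "rundll32-temp-dll", e["CommandLine"]))
            if relocated_system_binary(e["Image"]):
                findings.append((pid, "relocated-system-binary", e["Image"]))
        elif eid == 7 and sideloaded_dll(e["Image"], e["ImageLoaded"]):
            findings.append((pid, "sideloaded-dll", e["ImageLoaded"]))
        elif eid == 13 and run_key_into_appdata(e["TargetObject"], e["Details"]):
            findings.append((pid, "run-key-persistence", e["Details"]))
    return findings


def _proc(pid, image, cmdline=None):
    return {"EventID": 1, "ProcessId": pid, "Image": image, "CommandLine": cmdline or image}


def _load(pid, image, loaded):
    return {"EventID": 7, "ProcessId": pid, "Image": image, "ImageLoaded": loaded}


L = r"C:\Users\Admin\AppData\Local"
S32 = r"C:\Windows\system32"

# Constructed from the report's process tree; PIDs and paths are the report's.
EVENTS = [
    _proc(2432, S32 + r"\rundll32.exe",
          r"rundll32.exe " + L + r"\Temp\8460ca6c008df062af50bb935cad86e0.dll,#1"),
    _proc(2912, S32 + r"\wisptis.exe"),
    _load(2912, S32 + r"\wisptis.exe", S32 + r"\HID.DLL"),   # genuine binary, genuine DLL: must not fire
    _proc(2892, L + r"\00G\wisptis.exe"),
    _load(2892, L + r"\00G\wisptis.exe", L + r"\00G\HID.DLL"),
    _proc(320, L + r"\SEIo\SystemPropertiesComputerName.exe"),
    _load(320, L + r"\SEIo\SystemPropertiesComputerName.exe", L + r"\SEIo\SYSDM.CPL"),
    _proc(2800, L + r"\rnik5\SystemPropertiesProtection.exe"),
    _load(2800, L + r"\rnik5\SystemPropertiesProtection.exe", L + r"\rnik5\SYSDM.CPL"),
    # The report records a Run key being added but not which process wrote it
    # or what value it holds; writer PID, value name and SID are assumed here.
    {"EventID": 13, "ProcessId": 1140,
     "TargetObject": r"HKU\S-1-5-21-0-0-0-1000\Software\Microsoft\Windows\CurrentVersion\Run\wisptis",
     "Details": L + r"\00G\wisptis.exe"},
]

if __name__ == "__main__":
    for pid, rule, evidence in detect(EVENTS):
        print(f"{pid:>5}  {rule:<24} {evidence}")
```

The benign pair for PID 2912 (the real wisptis.exe loading the real HID.DLL from System32) is there to show that the rules key on where the binary and DLL live, not on their names alone; the same names in their proper directory produce no finding.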

Network

MITRE ATT&CK Enterprise v15

Downloads

        • C:\Users\Admin\AppData\Local\00G\HID.DLL

          Filesize

          71KB

          MD5

          1d1082f9e179e26536acd46f78daf515

          SHA1

          2d794d1781716c7f2a0f0d74ec22233fc3d21454

          SHA256

          2ad22fe2deca594a536fe4a10779123b7d237345aeddb8ccf707548e9320ae2a

          SHA512

          2f8f603381de007d1b3afdb33c09065d6e202534e65f49e6f7866c4baf6aa700adee89a9861dee6e207032c0afbe00cbcab4f97718488a568ef2a48eafb78a14

        • C:\Users\Admin\AppData\Local\00G\wisptis.exe

          Filesize

          206KB

          MD5

          a4a7499a782ed6585f6b8d88ef42f93a

          SHA1

          ed874b807a1567fdd84c8439a81f1df8498fa457

          SHA256

          a7761b3944193dfcbf9a27e4225087ff189ac6e2819fa701ce3dc0e279224b77

          SHA512

          c39444fa58e3fac433e5e1aea708a7ea44ff7488e9a2aff921a7734e32b711877ff6df414fecf26dc5abaa0cf83feaafed5c5bc7151dc09f8831454d6094fa66

        • C:\Users\Admin\AppData\Local\00G\wisptis.exe

          Filesize

          53KB

          MD5

          4f659d88e39bc08110095506488088d4

          SHA1

          5d2637ad1d2dde6eb374db3299cc3128600eba82

          SHA256

          ed2e0b51d4ab8a0de43b7fd2a8bca70fc739ad0bbadfb721493012d5b8ae0080

          SHA512

          73a091ce1ac346148962f0ab6abfe8963b2421ee6e48ae4fada4133427d12d9f0860ef9c71b1fd2403c456fac74fbc433d21b53d579608e52ca17f077de7c266

        • C:\Users\Admin\AppData\Local\SEIo\SYSDM.CPL

          Filesize

          95KB

          MD5

          970258414dc9dd3543aee1aba6d6ebbd

          SHA1

          d4cdef0bd8d5b41485dbdeb61248fb3d80959c22

          SHA256

          5e3dda87c45a978c961a489b5b6932864dbba50afe717676f2d1ed2c1133c00c

          SHA512

          29fa03815342f399d7c6b42fb3caac04870d52bbb67f15ac377355c1f9775aff5b70b328f3fa477dcce95ce6492df04ce8565b02b94f0a2a912ec7626c61e488

        • C:\Users\Admin\AppData\Local\SEIo\SystemPropertiesComputerName.exe

          Filesize

          80KB

          MD5

          bd889683916aa93e84e1a75802918acf

          SHA1

          5ee66571359178613a4256a7470c2c3e6dd93cfa

          SHA256

          0e22894595891a9ff9706e03b3db31a751541c4a773f82420fce57237d6c47cf

          SHA512

          9d76de848b319f44657fb7fbe5a3b927774ae999362ff811a199002ffa77ad9e1638a65a271388e605ab5e5a7cb6ce5aa7fcabc3ed583ade00eaa4c265552026

        • C:\Users\Admin\AppData\Local\rnik5\SYSDM.CPL

          Filesize

          42KB

          MD5

          fd811adff43f700f6c62ed939c72ed15

          SHA1

          8180b5e3bbdd98e7ce32d4bbeff3fb1f415841fa

          SHA256

          5bf649678686fe161f8159db7758309f1b9085e3d52304457b205cdee7ec0aba

          SHA512

          a2cdd64e32f70014e408810248544fba0273d2d769e859e9ae13c29c664d12135b7037debbd0a765448dbf28d3f69d45ec8c15d834447a4ec572e3c919c2ac3e

        • C:\Users\Admin\AppData\Local\rnik5\SystemPropertiesProtection.exe

          Filesize

          80KB

          MD5

          05138d8f952d3fff1362f7c50158bc38

          SHA1

          780bc59fcddf06a7494d09771b8340acffdcc720

          SHA256

          753a43d8aa74341d06582bd6b3784dc5f8c6f46174c2a306cf284de238a9c6bd

          SHA512

          27fa8c0af3d01f0816852d04693087f3c25d1307d8857a7ea75b0bb3e0ac927d262f5ac5a335afee150142fa3187354d33ebbcf6c3cd5cc33cb4e6cd00c50255

        • C:\Users\Admin\AppData\Roaming\Adobe\Flash Player\NativeCache\0IDhvPYU\SYSDM.CPL

          Filesize

          2.7MB

          MD5

          013d892b2972e197f166a8691af49d79

          SHA1

          c8174ce30cb793308893bfc099271dfdc95b730d

          SHA256

          28b52aee18388bacf4280054cca4d83d51f3fbd686f30394286932572c02909c

          SHA512

          97cf0b4db6cd31321c463de8bae9ca69f20c351f1d7224c2fd0d7c36870bb816a758501009b31b61cba99d7500cfac87b7dcf3f05be20668ab115a116343dac3

        • C:\Users\Admin\AppData\Roaming\Adobe\Flash Player\NativeCache\0IDhvPYU\SystemPropertiesComputerName.exe

          Filesize

          45KB

          MD5

          4805483cbda964b5055efb4537c1fd83

          SHA1

          1e022ef80d4c09ccf971a5968464942e5ad61783

          SHA256

          6fb20773446a91f1a767372edd428fdf6df1ee04be6fc81aa90b093bfa0e86a2

          SHA512

          ee03ece32fa0f26a2fbb010655ae46bda04087d65dfb853c1eb40912796ef746e1e029aaf0e851d1373883e0166e605ccfe10cec232b4c4fdcd9bd90facc79f3

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Tiizeasb.lnk

          Filesize

          1KB

          MD5

          bdbc3979dc1de247aa85858567f0f97f

          SHA1

          b9c578eb9239f1543cd61c87b0a1af0b3c795525

          SHA256

          e084fa9c1082bc1aea625a7f5e44d869ccff3e385d18b52fdf4ddcbab897dcf8

          SHA512

          971d5fdf442cdfe5f8bcd4e09285d6af9ba4f5790cc37c88a74bf6a14a0b1cf20a24e30ee065e8ce058ee630b664f4b300e9b0ea2b1a43dda610627733ba3705

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IECompatUACache\Low\jenIBBC2Gy\HID.DLL

          Filesize

          486KB

          MD5

          7db8b11e35aa3bd8ed0fd87bd63ab6da

          SHA1

          3b47ff073d8a33685e6a6a073636c7ff85e899a2

          SHA256

          42e3352a84cf2b3ce9890dd3aafd6419e9e74e4c9d30ffa56c6d066b0a333781

          SHA512

          bc10d28de92ba904b5e4cded3e6f889df108a6095ac521f82741bd75c96f31ec682f1ba5e7e6e65ed17199216e447115d0bee11544c412f2e68f09661c5c38e2

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\uC\SYSDM.CPL

          Filesize

          2.7MB

          MD5

          1b1be9c45a0ba03c80b2a26c57a3c410

          SHA1

          cf5695f5b59bfd887c99b59c770b3788f90abcf2

          SHA256

          8b11107701bb271586109bf2d62f076208adb6a21e6ce2846bec1b2223fcb542

          SHA512

          a383d51f25456d672e6bbfc1211a3405e292ab12a85e2699573714981ac8f2e56b1cfab1fa0e1b632cb4c634b5bc177be1d2b644a591ce596bcbc37b6b7b7baa

        • \Users\Admin\AppData\Local\00G\HID.DLL

          Filesize

          120KB

          MD5

          0a306a5bcedc17525347bd2a170d4f37

          SHA1

          647af58acab81025b36285d1f40f8df24f8ece40

          SHA256

          36d9c4371e952086d3872ce5817cb92e06a9bd5e5a2b75575c0da84f9d16ccc8

          SHA512

          f259063384c8af2d3c76f42428208356c4fae21867619e2add82f3154825f2557afee5f27d52daf70058f6c8a0c05c1140fe7ff2899700b3f4a25972057f4526

        • \Users\Admin\AppData\Local\00G\wisptis.exe

          Filesize

          126KB

          MD5

          d6fe05dda45418b5b681df7792b3d3ca

          SHA1

          4af7831b5b645bf823acfa8c2cfe77f7062c9d2a

          SHA256

          132de2b1e63cdae8a88e129fb3c6cd25f2dbb51ec7330980241fa501c10ba9be

          SHA512

          0ba8f2d0cfb737e2a2b40ec9b9f4bb0ef5c974e161e527001300b021d9d9c6dc1f4e318530066c0d086390c09fb3d5a8b625a8b19b1ab897c93de63fdee81c21

        • \Users\Admin\AppData\Local\SEIo\SYSDM.CPL

          Filesize

          304KB

          MD5

          4afa442a4eacae826d79d85a2a103eda

          SHA1

          df8ce952520743e13624d1759e3ca99522dabe0a

          SHA256

          d1d3395d55ca00943b75c913589697c7a1f4fd4cadcbe2664c10c9d1eaa9ea25

          SHA512

          c933a6142866a34d9706ca1947af5a598cbf99af1c58d3ef68cdcf79a45df885d547b9cd31e8284e16cc3cb3aaff17b2a5a13a2df343da2f9b92a044273c8d8c

        • \Users\Admin\AppData\Local\rnik5\SYSDM.CPL

          Filesize

          15KB

          MD5

          22d243a413e70a0fbd0bd4fd2d065dbd

          SHA1

          f1ef6a70f503cfc3415b1b241517727388ffb5f9

          SHA256

          115fa91ef2a73a845900503da4ee5a7b6dd90b0bacfe66d8d34e85c6645a1910

          SHA512

          ead88e96f838b128b1d18b9594fe96a857ba9bdfd640855ca3f956e183b72edae2e5e7782dbe35bdec913b469864ecc31d323254716c94ee5275905d8bdffc58

        • \Users\Admin\AppData\Local\rnik5\SystemPropertiesProtection.exe

          Filesize

          64KB

          MD5

          2759d5e8fb493711b86225cd139aaeaf

          SHA1

          6fd55f11b6b2520e240c99e7ba4c5b7ef855b36f

          SHA256

          cab43db2ab832822925b527ebd49e7e82111c677255d5df1e453494314725a23

          SHA512

          7861868eef60ebc026d1c7cf8025ea0b7b8572211aac78df8bd7baf3740d43ee20a51dcce28589851e629e8da107573b8b73b418e7b52d9326f00756bfaf1adc
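
The file hashes above identify this one sample, but the directory names in the paths (00G, SEIo, rnik5, 0IDhvPYU, jenIBBC2Gy, uC) and the user name are per-infection and will not recur on another host; the stable part is the combination of a copied System32 binary, a System32 DLL name beside it, and the profile locations used. The script below is an added example, not part of the report, that turns the dropped-file paths listed above into component-strict hunt patterns and runs them against a constructed file list from a hypothetical second host. The 8.3 short names MICROS~1 and STARTM~1 are expanded with an assumed mapping to the standard profile layout (on a live host, GetLongPathName gives the real expansion), and the drive-less `\Users\...` entries are assumed to be on C:.

```python
"""Turn the report's dropped-file paths into component-aware hunt patterns.

Added example, not part of the sandbox report. REPORT_PATHS is copied from the
report's Downloads list (duplicates collapsed, two drive-less variants kept to
show normalisation); CANDIDATES is a constructed file list for another host.
"""
import re

REPORT_PATHS = [
    r"C:\Users\Admin\AppData\Local\00G\HID.DLL",
    r"C:\Users\Admin\AppData\Local\00G\wisptis.exe",
    r"C:\Users\Admin\AppData\Local\SEIo\SYSDM.CPL",
    r"C:\Users\Admin\AppData\Local\SEIo\SystemPropertiesComputerName.exe",
    r"C:\Users\Admin\AppData\Local\rnik5\SYSDM.CPL",
    r"C:\Users\Admin\AppData\Local\rnik5\SystemPropertiesProtection.exe",
    r"C:\Users\Admin\AppData\Roaming\Adobe\Flash Player\NativeCache\0IDhvPYU\SYSDM.CPL",
    r"C:\Users\Admin\AppData\Roaming\Adobe\Flash Player\NativeCache\0IDhvPYU\SystemPropertiesComputerName.exe",
    r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Tiizeasb.lnk",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IECompatUACache\Low\jenIBBC2Gy\HID.DLL",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\uC\SYSDM.CPL",
    r"\Users\Admin\AppData\Local\00G\HID.DLL",
    r"\Users\Admin\AppData\Local\00G\wisptis.exe",
    r"\Users\Admin\AppData\Local\rnik5\SystemPropertiesProtection.exe",
]

# 8.3 short names as printed in the report. The expansion is assumed from the
# standard Windows profile layout; use GetLongPathName on a live host.
SHORT_NAMES = {"MICROS~1": "Microsoft", "STARTM~1": "Start Menu"}

# Directories that are part of the fixed profile layout and must stay literal
# when they directly hold a dropped file (everything else is treated as a
# per-infection random name).
KNOWN_DIRS = {"Startup", "Temp"}

WILDCARD = "*"


def normalize(path):
    """Split into components, adding the assumed drive and expanding 8.3 names."""
    if path.startswith("\\"):
        path = "C:" + path          # report lists some paths without a drive letter
    return [SHORT_NAMES.get(p, p) for p in path.split("\\")]


def generalize(path):
    """Replace the user name and the random directory holding the file with a wildcard."""
    parts = normalize(path)
    if len(parts) > 3 and parts[1].lower() == "users":
        parts[2] = WILDCARD         # C:\Users\<user>\...
    if parts[-2] not in KNOWN_DIRS:
        parts[-2] = WILDCARD        # ...\<random dir>\<dropped file>
    return "\\".join(parts)


def to_regex(pattern):
    """Compile a pattern so that each wildcard matches exactly one path component."""
    comps = [r"[^\\]+" if c == WILDCARD else re.escape(c) for c in pattern.split("\\")]
    return re.compile(r"\\".join(comps), re.IGNORECASE)


def build_patterns(paths):
    return sorted({generalize(p) for p in paths})


def hunt(patterns, candidates):
    """Return (candidate, pattern) for every candidate path matching a pattern."""
    compiled = [(p, to_regex(p)) for p in patterns]
    return [(c, p) for c in candidates for p, r in compiled if r.fullmatch(c)]


# Constructed file list from a hypothetical second host: different user,
# different random directory names, plus two paths that must not match.
CANDIDATES = [
    r"C:\Users\jdoe\AppData\Local\Q7x\wisptis.exe",
    r"C:\Users\jdoe\AppData\Local\Q7x\HID.DLL",
    r"C:\Users\jdoe\AppData\Roaming\Microsoft\Windows\SendTo\Ab\SYSDM.CPL",
    r"C:\Windows\System32\wisptis.exe",                       # the genuine binary
    r"C:\Users\jdoe\AppData\Local\Microsoft\Windows\HID.DLL",  # two components deep: no match
]

if __name__ == "__main__":
    patterns = build_patterns(REPORT_PATHS)
    print("\n".join(patterns))
    for candidate, pattern in hunt(patterns, CANDIDATES):
        print(f"HIT {candidate}  <-  {pattern}")
```

The wildcard is compiled to `[^\\]+` rather than a glob `*` on purpose: a glob would also match paths several directories deeper and turn every HID.DLL under AppData\Local into a hit, while the report shows the DLL sitting exactly one random directory below the profile location. The Startup .lnk is kept literal because its parent is a fixed folder; its file name is likely per-infection too, so treat that one pattern as low confidence.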

        • memory/320-125-0x0000000000100000-0x0000000000107000-memory.dmp

          Filesize

          28KB

        • memory/1140-63-0x0000000140000000-0x00000001402A8000-memory.dmp

          Filesize

          2.7MB

        • memory/1140-33-0x0000000140000000-0x00000001402A8000-memory.dmp

          Filesize

          2.7MB

        • memory/1140-62-0x0000000140000000-0x00000001402A8000-memory.dmp

          Filesize

          2.7MB

        • memory/1140-4-0x00000000775C6000-0x00000000775C7000-memory.dmp

          Filesize

          4KB

        • memory/1140-64-0x0000000140000000-0x00000001402A8000-memory.dmp

          Filesize

          2.7MB

        • memory/1140-65-0x0000000140000000-0x00000001402A8000-memory.dmp

          Filesize

          2.7MB

        • memory/1140-61-0x0000000140000000-0x00000001402A8000-memory.dmp

          Filesize

          2.7MB

        • memory/1140-68-0x0000000002590000-0x0000000002597000-memory.dmp

          Filesize

          28KB

        • memory/1140-60-0x0000000140000000-0x00000001402A8000-memory.dmp

          Filesize

          2.7MB

        • memory/1140-58-0x0000000140000000-0x00000001402A8000-memory.dmp

          Filesize

          2.7MB

        • memory/1140-57-0x0000000140000000-0x00000001402A8000-memory.dmp

          Filesize

          2.7MB

        • memory/1140-76-0x00000000776D1000-0x00000000776D2000-memory.dmp

          Filesize

          4KB

        • memory/1140-77-0x0000000077830000-0x0000000077832000-memory.dmp

          Filesize

          8KB

        • memory/1140-56-0x0000000140000000-0x00000001402A8000-memory.dmp

          Filesize

          2.7MB

        • memory/1140-54-0x0000000140000000-0x00000001402A8000-memory.dmp

          Filesize

          2.7MB

        • memory/1140-53-0x0000000140000000-0x00000001402A8000-memory.dmp

          Filesize

          2.7MB

        • memory/1140-52-0x0000000140000000-0x00000001402A8000-memory.dmp

          Filesize

          2.7MB

        • memory/1140-50-0x0000000140000000-0x00000001402A8000-memory.dmp

          Filesize

          2.7MB

        • memory/1140-49-0x0000000140000000-0x00000001402A8000-memory.dmp

          Filesize

          2.7MB

        • memory/1140-48-0x0000000140000000-0x00000001402A8000-memory.dmp

          Filesize

          2.7MB

        • memory/1140-46-0x0000000140000000-0x00000001402A8000-memory.dmp

          Filesize

          2.7MB

        • memory/1140-45-0x0000000140000000-0x00000001402A8000-memory.dmp

          Filesize

          2.7MB

        • memory/1140-44-0x0000000140000000-0x00000001402A8000-memory.dmp

          Filesize

          2.7MB

        • memory/1140-55-0x0000000140000000-0x00000001402A8000-memory.dmp

          Filesize

          2.7MB

        • memory/1140-51-0x0000000140000000-0x00000001402A8000-memory.dmp

          Filesize

          2.7MB

        • memory/1140-47-0x0000000140000000-0x00000001402A8000-memory.dmp

          Filesize

          2.7MB

        • memory/1140-5-0x00000000025B0000-0x00000000025B1000-memory.dmp

          Filesize

          4KB

        • memory/1140-42-0x0000000140000000-0x00000001402A8000-memory.dmp

          Filesize

          2.7MB

        • memory/1140-41-0x0000000140000000-0x00000001402A8000-memory.dmp

          Filesize

          2.7MB

        • memory/1140-43-0x0000000140000000-0x00000001402A8000-memory.dmp

          Filesize

          2.7MB

        • memory/1140-39-0x0000000140000000-0x00000001402A8000-memory.dmp

          Filesize

          2.7MB

        • memory/1140-38-0x0000000140000000-0x00000001402A8000-memory.dmp

          Filesize

          2.7MB

        • memory/1140-36-0x0000000140000000-0x00000001402A8000-memory.dmp

          Filesize

          2.7MB

        • memory/1140-35-0x0000000140000000-0x00000001402A8000-memory.dmp

          Filesize

          2.7MB

        • memory/1140-34-0x0000000140000000-0x00000001402A8000-memory.dmp

          Filesize

          2.7MB

        • memory/1140-59-0x0000000140000000-0x00000001402A8000-memory.dmp

          Filesize

          2.7MB

        • memory/1140-31-0x0000000140000000-0x00000001402A8000-memory.dmp

          Filesize

          2.7MB

        • memory/1140-30-0x0000000140000000-0x00000001402A8000-memory.dmp

          Filesize

          2.7MB

        • memory/1140-28-0x0000000140000000-0x00000001402A8000-memory.dmp

          Filesize

          2.7MB

        • memory/1140-26-0x0000000140000000-0x00000001402A8000-memory.dmp

          Filesize

          2.7MB

        • memory/1140-25-0x0000000140000000-0x00000001402A8000-memory.dmp

          Filesize

          2.7MB

        • memory/1140-24-0x0000000140000000-0x00000001402A8000-memory.dmp

          Filesize

          2.7MB

        • memory/1140-22-0x0000000140000000-0x00000001402A8000-memory.dmp

          Filesize

          2.7MB

        • memory/1140-21-0x0000000140000000-0x00000001402A8000-memory.dmp

          Filesize

          2.7MB

        • memory/1140-20-0x0000000140000000-0x00000001402A8000-memory.dmp

          Filesize

          2.7MB

        • memory/1140-18-0x0000000140000000-0x00000001402A8000-memory.dmp

          Filesize

          2.7MB

        • memory/1140-16-0x0000000140000000-0x00000001402A8000-memory.dmp

          Filesize

          2.7MB

        • memory/1140-15-0x0000000140000000-0x00000001402A8000-memory.dmp

          Filesize

          2.7MB

        • memory/1140-14-0x0000000140000000-0x00000001402A8000-memory.dmp

          Filesize

          2.7MB

        • memory/1140-13-0x0000000140000000-0x00000001402A8000-memory.dmp

          Filesize

          2.7MB

        • memory/1140-11-0x0000000140000000-0x00000001402A8000-memory.dmp

          Filesize

          2.7MB

        • memory/1140-10-0x0000000140000000-0x00000001402A8000-memory.dmp

          Filesize

          2.7MB

        • memory/1140-9-0x0000000140000000-0x00000001402A8000-memory.dmp

          Filesize

          2.7MB

        • memory/1140-7-0x0000000140000000-0x00000001402A8000-memory.dmp

          Filesize

          2.7MB

        • memory/1140-40-0x0000000140000000-0x00000001402A8000-memory.dmp

          Filesize

          2.7MB

        • memory/1140-37-0x0000000140000000-0x00000001402A8000-memory.dmp

          Filesize

          2.7MB

        • memory/1140-32-0x0000000140000000-0x00000001402A8000-memory.dmp

          Filesize

          2.7MB

        • memory/1140-29-0x0000000140000000-0x00000001402A8000-memory.dmp

          Filesize

          2.7MB

        • memory/1140-27-0x0000000140000000-0x00000001402A8000-memory.dmp

          Filesize

          2.7MB

        • memory/1140-23-0x0000000140000000-0x00000001402A8000-memory.dmp

          Filesize

          2.7MB

        • memory/1140-161-0x00000000775C6000-0x00000000775C7000-memory.dmp

          Filesize

          4KB

        • memory/1140-19-0x0000000140000000-0x00000001402A8000-memory.dmp

          Filesize

          2.7MB

        • memory/1140-17-0x0000000140000000-0x00000001402A8000-memory.dmp

          Filesize

          2.7MB

        • memory/1140-12-0x0000000140000000-0x00000001402A8000-memory.dmp

          Filesize

          2.7MB

        • memory/2432-8-0x0000000140000000-0x00000001402A8000-memory.dmp

          Filesize

          2.7MB

        • memory/2432-0-0x0000000140000000-0x00000001402A8000-memory.dmp

          Filesize

          2.7MB

        • memory/2432-1-0x0000000000110000-0x0000000000117000-memory.dmp

          Filesize

          28KB

        • memory/2800-143-0x0000000000290000-0x0000000000297000-memory.dmp

          Filesize

          28KB

        • memory/2892-105-0x0000000000390000-0x0000000000397000-memory.dmp

          Filesize

          28KB