Analysis

  • max time kernel
    150s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    31-01-2024 12:18

General

  • Target

    846540a9573e476e30b92db75daf0040.dll

  • Size

    1.7MB

  • MD5

    846540a9573e476e30b92db75daf0040

  • SHA1

    855922518de0270d786c73a8fff57122dcd0c91b

  • SHA256

    5e53ece48ca9fe32af72a2718f10fe2dd25db88a393f7011a3805115f6b6bd46

  • SHA512

    697f7c5a25e285d8d308d94e7172851083ea0e51a791ff9838c5999c560667a2850d3912593e3c94ec4eef256577487b008a5aef5448d56d1c437d4cd4e4646c

  • SSDEEP

    12288:zVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1a1:ifP7fWsK5z9A+WGAW+V5SB6Ct4bnba1

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\846540a9573e476e30b92db75daf0040.dll,#1
    PID: 2276
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
  • C:\Windows\system32\OptionalFeatures.exe
    C:\Windows\system32\OptionalFeatures.exe
    PID: 2632
  • C:\Users\Admin\AppData\Local\SnNx\OptionalFeatures.exe
    C:\Users\Admin\AppData\Local\SnNx\OptionalFeatures.exe
    PID: 2284
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
  • C:\Windows\system32\dpapimig.exe
    C:\Windows\system32\dpapimig.exe
    PID: 2896
  • C:\Users\Admin\AppData\Local\j4pH\dpapimig.exe
    C:\Users\Admin\AppData\Local\j4pH\dpapimig.exe
    PID: 2928
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
  • C:\Windows\system32\ComputerDefaults.exe
    C:\Windows\system32\ComputerDefaults.exe
    PID: 1632
  • C:\Users\Admin\AppData\Local\Q3TKK\ComputerDefaults.exe
    C:\Users\Admin\AppData\Local\Q3TKK\ComputerDefaults.exe
    PID: 1892
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
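The process tree above shows one pattern three times: a legitimate System32 binary (OptionalFeatures.exe, dpapimig.exe, ComputerDefaults.exe) is first run from System32, then from a copy in a random-named folder under %LOCALAPPDATA% (SnNx, j4pH, Q3TKK) where a dropped appwiz.cpl or DUI70.dll sits beside it, while the signatures report persistence through a Startup-folder .lnk and a Run key. The Python below is an added detection example, not part of the sandbox report or of the Triage platform: it runs a few rules over constructed process, file and registry event records built from the paths in the report. The event field names, the lack of a writing PID on the file events, and the Run-key value name Efrsxj are assumptions, not data from the report.

```python
"""Flag the Dridex DLL side-loading chain from the report in process/file/registry events.

Added example. SAMPLE_EVENTS is constructed from the report's process tree and Downloads
list; the event schema and the Run-key value name are assumptions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional

# System binaries the sample copied out of System32 and ran from %LOCALAPPDATA% (from the report).
KNOWN_SIDELOAD_HOSTS = {"optionalfeatures.exe", "dpapimig.exe", "computerdefaults.exe"}
SYSTEM_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\")
LOADABLE_EXT = (".dll", ".cpl", ".ocx")
STARTUP_RE = re.compile(r"\\(start menu|startm~1)\\programs\\startup\\[^\\]+\.lnk$", re.I)
RUNKEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)
RUNDLL_RE = re.compile(r"rundll32(?:\.exe)?\s+(?P<dll>\S+\.dll),#\d+", re.I)


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: Optional[int]
    detail: str


def norm(path: str) -> str:
    """Lower-cased, backslash-only path with any drive letter removed, so that
    'C:\\Users\\...' and '\\Users\\...' (both spellings occur in the report) compare equal."""
    p = path.replace("/", "\\").lower()
    return re.sub(r"^[a-z]:", "", p)


def split_dir(path: str):
    d, _, name = norm(path).rpartition("\\")
    return d, name


def in_system_dir(path: str) -> bool:
    return norm(path).startswith(SYSTEM_DIRS)


def analyze(events) -> List[Finding]:
    findings: List[Finding] = []
    # Index dropped DLL/CPL files by directory so they can be paired with the host EXE run there.
    dropped = defaultdict(set)
    for ev in events:
        if ev["type"] == "file":
            d, name = split_dir(ev["path"])
            if name.endswith(LOADABLE_EXT):
                dropped[d].add(name)
            if STARTUP_RE.search(norm(ev["path"])):
                findings.append(Finding("startup_lnk_persistence", ev.get("pid"), ev["path"]))
        elif ev["type"] == "registry" and RUNKEY_RE.search(ev["key"]):
            findings.append(Finding("run_key_persistence", ev.get("pid"), ev["key"]))
    for ev in events:
        if ev["type"] != "process":
            continue
        d, name = split_dir(ev["image"])
        m = RUNDLL_RE.search(ev.get("cmdline", ""))
        if m and "\\appdata\\local\\temp\\" in norm(m.group("dll")):
            findings.append(Finding("rundll32_ordinal_temp_dll", ev["pid"], m.group("dll")))
        # A known host name running from anywhere but System32/SysWOW64 is the side-load tell;
        # a loadable file dropped into the same folder is the payload candidate.
        if name in KNOWN_SIDELOAD_HOSTS and not in_system_dir(ev["image"]):
            findings.append(Finding("sideload_host_outside_system32", ev["pid"], ev["image"]))
            if dropped.get(d):
                findings.append(Finding("sideload_pair", ev["pid"], f"{name} + {sorted(dropped[d])}"))
    return findings


SAMPLE_EVENTS = [
    # Process creations copied from the report's process tree.
    {"type": "process", "pid": 2276, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\846540a9573e476e30b92db75daf0040.dll,#1"},
    {"type": "process", "pid": 2632, "image": r"C:\Windows\system32\OptionalFeatures.exe"},
    {"type": "process", "pid": 2284, "image": r"C:\Users\Admin\AppData\Local\SnNx\OptionalFeatures.exe"},
    {"type": "process", "pid": 2896, "image": r"C:\Windows\system32\dpapimig.exe"},
    {"type": "process", "pid": 2928, "image": r"C:\Users\Admin\AppData\Local\j4pH\dpapimig.exe"},
    {"type": "process", "pid": 1632, "image": r"C:\Windows\system32\ComputerDefaults.exe"},
    {"type": "process", "pid": 1892, "image": r"C:\Users\Admin\AppData\Local\Q3TKK\ComputerDefaults.exe"},
    # File writes copied from the Downloads list (the report does not say which PID wrote them).
    {"type": "file", "path": r"\Users\Admin\AppData\Local\SnNx\appwiz.cpl"},
    {"type": "file", "path": r"C:\Users\Admin\AppData\Local\j4pH\DUI70.dll"},
    {"type": "file", "path": r"C:\Users\Admin\AppData\Local\Q3TKK\appwiz.cpl"},
    {"type": "file", "path": r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Efrsxj.lnk"},
    # Constructed: the report only says a Run key was added, the value name is assumed.
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Efrsxj"},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f.rule:32} pid={f.pid} {f.detail}")
```

The System32 launches (PIDs 2632, 2896, 1632) deliberately produce no finding: they are the legitimate binaries, and alerting on them would only flag what every Windows host does. The rule fires on the copies under AppData and, through the directory index, names the DLL that was planted next to each one.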

Network

MITRE ATT&CK Enterprise v15
Downloads

  • C:\Users\Admin\AppData\Local\Q3TKK\appwiz.cpl
    Filesize: 1.7MB
    MD5: 66c4f866c690b0d8e7bf1f390b944c59
    SHA1: ef3de43bf564848284cb41c82792a84e6d699a3a
    SHA256: 28a7170a5d0713a6dbbdb57a7a227fa088ed0b340c1a7280985abb5cf9761e70
    SHA512: a1c5837f674f433200d3a3efeafa6cbe4d0904806d9c490dc001269a68bcc510b4136e4542db8d3e1969d6d306c3cff1b01bef266f50346c836d1ccad8d55ad0

  • C:\Users\Admin\AppData\Local\j4pH\DUI70.dll
    Filesize: 1.9MB
    MD5: abe5488c01911486ad2c880deb2b66dd
    SHA1: 7af9bf3dcf64ee9bc2075e9d6d4d48ac0c9b7a81
    SHA256: c340749fcd47303b505182242ed19ab75cf88b78be0e31f6b7a56a3cab96f2ac
    SHA512: 627387a9139bccd5d3c331304a76d6f34c7e4a7610ea00b735d279ecd0a0d202e8ef7db3bb24c7dc617dab59a26dc0663f0ccde831f3170cd2b0bc46ee6a346d

  • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Efrsxj.lnk
    Filesize: 1KB
    MD5: dfc9477ea536c88ea49ed88b0bee20b3
    SHA1: ad9f1048221127e3ccbc97cfdf5b7fbf9127242b
    SHA256: 83004035e192db7c9cb430b85b0a792b910c5ff6c46ca2777d5cf47d4f7a1020
    SHA512: 09a04cad5f140c7533bfcb94145c9fc4ae539bb4909a215fd8c6b9a97a6fd1dcbd5ebac18457463fe5698fd90777f5c6aed2bf6678df11e007e96c3a4b4473ee

  • \Users\Admin\AppData\Local\Q3TKK\ComputerDefaults.exe
    Filesize: 36KB
    MD5: 86bd981f55341273753ac42ea200a81e
    SHA1: 14fe410efc9aeb0a905b984ac27719ff0dd10ea7
    SHA256: 40b194be2bad2d3d4d1b69f9aec2853c8b663130810a11607ff72a9e3a06d5b3
    SHA512: 49bb6d4bf7a9356fadde7f6165af6973630827d28b69db10ad477a84d98b08fb82e4daae777166e1ddddb5b5efcdf634e4e9bd34b255dae87462ba32e8bba143

  • \Users\Admin\AppData\Local\SnNx\OptionalFeatures.exe
    Filesize: 95KB
    MD5: eae7af6084667c8f05412ddf096167fc
    SHA1: 0dbe8aba001447030e48e8ad5466fd23481e6140
    SHA256: 01feebd3aca961f31ba4eac45347b105d1c5772627b08f5538047721b61ff9bc
    SHA512: 172a8accaa35a6c9f86713a330c5899dfeeffe3b43413a3d276fc16d45cd62ed9237aa6bff29cc60a2022fba8dcc156959723c041df4b7463436a3bdabef2a9d

  • \Users\Admin\AppData\Local\SnNx\appwiz.cpl
    Filesize: 1.7MB
    MD5: 07f53023b27901d3a18416a0ad6b6e72
    SHA1: 27d4754466dbe35db844cafd282fe0b6e31d8d28
    SHA256: 62b6299bfd292b82da10ff0687417c15de0bd3bc2b3ba8bb084f9fefec565a52
    SHA512: 9dffc20ba2744596022f21773f7b2bfef695c9c2201a18c0cdff51fcb2e45664a8b54904ff0bb88e37750977cf3608dd4c310f17e776c0ed4713e27ee7779053

  • \Users\Admin\AppData\Local\j4pH\dpapimig.exe
    Filesize: 73KB
    MD5: 0e8b8abea4e23ddc9a70614f3f651303
    SHA1: 6d332ba4e7a78039f75b211845514ab35ab467b2
    SHA256: 66fc6b68e54b8840a38b4de980cc22aed21009afc1494a9cc68e892329f076a1
    SHA512: 4feded78f9b953472266693e0943030d00f82a5cc8559df60ae0479de281164155e19687afc67cba74d04bb9ad092f5c7732f2d2f9b06274ca2ae87dc2d4a6dc
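Once the dropped files are on disk, the triage question is which of them is the payload: the .exe copies in SnNx, j4pH and Q3TKK carry System32 binary names and small sizes (36KB, 73KB, 95KB), while the 1.7MB and 1.9MB appwiz.cpl and DUI70.dll beside them are what those executables load (the two appwiz.cpl copies even share the sample's 1.7MB size with different hashes). The Python below is an added example, not code from the report or from Triage, that answers that question on a host by comparing every AppData copy against the same-named file in a reference System32 directory and against the SHA256 values listed above. It builds its own throwaway fixture tree from constructed placeholder bytes, so the fixture files cannot hash to the report's IoCs; on a real host the `known_ioc` verdict is the one to expect for the dropped appwiz.cpl and DUI70.dll. The directory layout under `build_fixture()` and the `REPORT_SHA256` name are assumptions of this example.

```python
"""Classify dropped files in a suspected DLL side-loading folder.

Added example. build_fixture() writes constructed placeholder bytes, not real binaries;
REPORT_SHA256 holds the SHA256 values of the loadable files from the Downloads list.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, Set, Tuple

LOADABLE_EXT = {".dll", ".cpl", ".ocx"}

# SHA256 of the dropped loadable files from the report's Downloads section.
REPORT_SHA256 = {
    "28a7170a5d0713a6dbbdb57a7a227fa088ed0b340c1a7280985abb5cf9761e70",  # Q3TKK\appwiz.cpl
    "62b6299bfd292b82da10ff0687417c15de0bd3bc2b3ba8bb084f9fefec565a52",  # SnNx\appwiz.cpl
    "c340749fcd47303b505182242ed19ab75cf88b78be0e31f6b7a56a3cab96f2ac",  # j4pH\DUI70.dll
}


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def index_reference_dir(system_dir: Path) -> Dict[str, str]:
    """Map lower-cased file name -> SHA256 for the trusted copies in System32."""
    return {p.name.lower(): sha256_file(p) for p in system_dir.iterdir() if p.is_file()}


def classify_sideload_dirs(appdata_local: Path, system_dir: Path, known_bad: Set[str]) -> List[dict]:
    ref = index_reference_dir(system_dir)
    results = []
    for exe in sorted(appdata_local.rglob("*.exe")):
        name = exe.name.lower()
        if name not in ref:
            continue  # not named after a System32 binary: outside this pattern
        companions: List[Tuple[str, str]] = []
        for f in sorted(exe.parent.iterdir()):
            if f.suffix.lower() not in LOADABLE_EXT:
                continue
            digest = sha256_file(f)
            if digest in known_bad:
                verdict = "known_ioc"
            elif ref.get(f.name.lower()) == digest:
                verdict = "matches_system_copy"      # benign copy, not the payload
            elif f.name.lower() in ref:
                verdict = "differs_from_system_copy"  # system DLL name, different bytes: payload candidate
            else:
                verdict = "unknown_dll"
            companions.append((f.name, verdict))
        results.append({
            "exe": str(exe),
            "exe_name": exe.name,
            # A byte-identical copy of the System32 binary is the clean host, not the malware.
            "exe_is_clean_copy": ref[name] == sha256_file(exe),
            "companions": companions,
        })
    return results


def build_fixture() -> Path:
    """Constructed throwaway tree mirroring the report's layout (placeholder bytes, not real PEs)."""
    root = Path(tempfile.mkdtemp(prefix="sideload_"))
    sys32 = root / "Windows" / "System32"
    sys32.mkdir(parents=True)
    legit = {
        "OptionalFeatures.exe": b"MZ placeholder: legit OptionalFeatures.exe",
        "dpapimig.exe": b"MZ placeholder: legit dpapimig.exe",
        "appwiz.cpl": b"MZ placeholder: legit appwiz.cpl",
        "DUI70.dll": b"MZ placeholder: legit DUI70.dll",
    }
    for fname, data in legit.items():
        (sys32 / fname).write_bytes(data)
    local = root / "Users" / "Admin" / "AppData" / "Local"
    (local / "SnNx").mkdir(parents=True)
    (local / "j4pH").mkdir(parents=True)
    # Byte-identical copies of the host EXEs, with modified loadable files beside them.
    (local / "SnNx" / "OptionalFeatures.exe").write_bytes(legit["OptionalFeatures.exe"])
    (local / "SnNx" / "appwiz.cpl").write_bytes(b"MZ placeholder: dropped appwiz.cpl (1.7MB in the report)")
    (local / "j4pH" / "dpapimig.exe").write_bytes(legit["dpapimig.exe"])
    (local / "j4pH" / "DUI70.dll").write_bytes(b"MZ placeholder: dropped DUI70.dll (1.9MB in the report)")
    return root


if __name__ == "__main__":
    root = build_fixture()
    for r in classify_sideload_dirs(root / "Users" / "Admin" / "AppData" / "Local",
                                    root / "Windows" / "System32", REPORT_SHA256):
        print(r)
```

On a live host, point the function at `C:\Users\<user>\AppData\Local` and `C:\Windows\System32` of the same machine (or a known-clean image of the same build), and treat every `differs_from_system_copy` or `known_ioc` companion as the file to pull for analysis; the clean host EXE is only evidence of the technique, not the thing to detonate.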

Memory dumps (one line per dump; PID 1264 does not appear in the process tree above, and given the Dridex Shellcode signature it is most likely the explorer.exe instance the payload was injected into, which is an inference, not something the report states). The 0x0000000140000000-0x00000001401AF000 region is 0x1AF000 bytes, the same 1.7MB as the submitted DLL.

  • memory/1264-43-0x0000000140000000-0x00000001401AF000-memory.dmp (1.7MB)
  • memory/1264-34-0x0000000140000000-0x00000001401AF000-memory.dmp (1.7MB)
  • memory/1264-14-0x0000000140000000-0x00000001401AF000-memory.dmp (1.7MB)
  • memory/1264-16-0x0000000140000000-0x00000001401AF000-memory.dmp (1.7MB)
  • memory/1264-18-0x0000000140000000-0x00000001401AF000-memory.dmp (1.7MB)
  • memory/1264-19-0x0000000140000000-0x00000001401AF000-memory.dmp (1.7MB)
  • memory/1264-20-0x0000000140000000-0x00000001401AF000-memory.dmp (1.7MB)
  • memory/1264-21-0x0000000140000000-0x00000001401AF000-memory.dmp (1.7MB)
  • memory/1264-17-0x0000000140000000-0x00000001401AF000-memory.dmp (1.7MB)
  • memory/1264-24-0x0000000140000000-0x00000001401AF000-memory.dmp (1.7MB)
  • memory/1264-25-0x0000000140000000-0x00000001401AF000-memory.dmp (1.7MB)
  • memory/1264-26-0x0000000140000000-0x00000001401AF000-memory.dmp (1.7MB)
  • memory/1264-28-0x0000000140000000-0x00000001401AF000-memory.dmp (1.7MB)
  • memory/1264-29-0x0000000140000000-0x00000001401AF000-memory.dmp (1.7MB)
  • memory/1264-30-0x0000000140000000-0x00000001401AF000-memory.dmp (1.7MB)
  • memory/1264-33-0x0000000140000000-0x00000001401AF000-memory.dmp (1.7MB)
  • memory/1264-31-0x0000000140000000-0x00000001401AF000-memory.dmp (1.7MB)
  • memory/1264-32-0x0000000140000000-0x00000001401AF000-memory.dmp (1.7MB)
  • memory/1264-27-0x0000000140000000-0x00000001401AF000-memory.dmp (1.7MB)
  • memory/1264-36-0x0000000002B00000-0x0000000002B07000-memory.dmp (28KB)
  • memory/1264-35-0x0000000140000000-0x00000001401AF000-memory.dmp (1.7MB)
  • memory/1264-13-0x0000000140000000-0x00000001401AF000-memory.dmp (1.7MB)
  • memory/1264-50-0x0000000076F60000-0x0000000076F62000-memory.dmp (8KB)
  • memory/1264-49-0x0000000140000000-0x00000001401AF000-memory.dmp (1.7MB)
  • memory/1264-44-0x0000000076E01000-0x0000000076E02000-memory.dmp (4KB)
  • memory/1264-15-0x0000000140000000-0x00000001401AF000-memory.dmp (1.7MB)
  • memory/1264-23-0x0000000140000000-0x00000001401AF000-memory.dmp (1.7MB)
  • memory/1264-22-0x0000000140000000-0x00000001401AF000-memory.dmp (1.7MB)
  • memory/1264-11-0x0000000140000000-0x00000001401AF000-memory.dmp (1.7MB)
  • memory/1264-10-0x0000000140000000-0x00000001401AF000-memory.dmp (1.7MB)
  • memory/1264-55-0x0000000140000000-0x00000001401AF000-memory.dmp (1.7MB)
  • memory/1264-4-0x0000000076CF6000-0x0000000076CF7000-memory.dmp (4KB)
  • memory/1264-128-0x0000000076CF6000-0x0000000076CF7000-memory.dmp (4KB)
  • memory/1264-5-0x0000000002B30000-0x0000000002B31000-memory.dmp (4KB)
  • memory/1264-7-0x0000000140000000-0x00000001401AF000-memory.dmp (1.7MB)
  • memory/1264-9-0x0000000140000000-0x00000001401AF000-memory.dmp (1.7MB)
  • memory/1264-12-0x0000000140000000-0x00000001401AF000-memory.dmp (1.7MB)
  • memory/1264-59-0x0000000140000000-0x00000001401AF000-memory.dmp (1.7MB)
  • memory/1892-106-0x0000000000310000-0x0000000000317000-memory.dmp (28KB)
  • memory/1892-112-0x0000000140000000-0x00000001401B0000-memory.dmp (1.7MB)
  • memory/2276-8-0x0000000140000000-0x00000001401AF000-memory.dmp (1.7MB)
  • memory/2276-1-0x0000000001B60000-0x0000000001B67000-memory.dmp (28KB)
  • memory/2276-0-0x0000000140000000-0x00000001401AF000-memory.dmp (1.7MB)
  • memory/2284-68-0x0000000000270000-0x0000000000277000-memory.dmp (28KB)
  • memory/2284-74-0x0000000140000000-0x00000001401B0000-memory.dmp (1.7MB)
  • memory/2284-69-0x0000000140000000-0x00000001401B0000-memory.dmp (1.7MB)
  • memory/2928-88-0x0000000000280000-0x0000000000287000-memory.dmp (28KB)
  • memory/2928-89-0x0000000140000000-0x00000001401E3000-memory.dmp (1.9MB)
  • memory/2928-94-0x0000000140000000-0x00000001401E3000-memory.dmp (1.9MB)