Analysis

  • max time kernel
    150s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    01-02-2024 23:34

General

  • Target

    87f4ff988b3efc9a3e0d996f68db1be0.dll

  • Size

    2.0MB

  • MD5

    87f4ff988b3efc9a3e0d996f68db1be0

  • SHA1

    89c3b7a72d3dab1fbf000ec432f9e4bdf8169c67

  • SHA256

    a7f598f265286347b55802674110210e08986dad0a49bdd83caf30ee6d6085f0

  • SHA512

    7487d405c81a5a1fb200ffd92223569f782168a092fb09d318e55ba76faece7a8edfbaf97f727f9bff7c92f695a69f33b78d77e66a989e51071d9641669292c0

  • SSDEEP

    12288:kVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1dP4bL:BfP7fWsK5z9A+WGAW+V5SB6Ct4bnbc

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a banking trojan that specializes in stealing online-banking credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex payload shellcode injected into the Explorer process.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule an application to run at boot or at set times, a common persistence mechanism.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\87f4ff988b3efc9a3e0d996f68db1be0.dll,#1
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2532
  • C:\Windows\system32\shrpubw.exe
    C:\Windows\system32\shrpubw.exe
    PID:2276
  • C:\Users\Admin\AppData\Local\9uWbol3Cc\shrpubw.exe
    C:\Users\Admin\AppData\Local\9uWbol3Cc\shrpubw.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:832
  • C:\Windows\system32\ddodiag.exe
    C:\Windows\system32\ddodiag.exe
    PID:2964
  • C:\Users\Admin\AppData\Local\wjfo\ddodiag.exe
    C:\Users\Admin\AppData\Local\wjfo\ddodiag.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:3020
  • C:\Windows\system32\unregmp2.exe
    C:\Windows\system32\unregmp2.exe
    PID:2252
  • C:\Users\Admin\AppData\Local\oVUV0nDe\unregmp2.exe
    C:\Users\Admin\AppData\Local\oVUV0nDe\unregmp2.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:292
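
The process tree shows one pattern three times: a Windows binary runs from System32, then a copy of it with the same file name runs from a random directory under AppData\Local, and the file list shows a DLL carrying a System32 DLL name (ACLUI.dll, XmlLite.dll, slc.dll) written beside that copy. That is DLL search-order hijacking (side-loading): for a DLL that is not on the KnownDLLs list, the copied binary resolves the import from its own directory before System32, so the dropped DLL is what actually gets loaded ("Loads dropped DLL"). The script below is an added example, not code from the report or from the sandbox vendor. Its PROCESSES and DROPPED lists are copied from this page (PIDs, image paths, dropped-file paths); the only assumption is in canon(), which treats the drive-less \Users\... paths in the file list as living on C:.

```python
"""Spot DLL search-order hijacking in a sandbox artifact list.

Added example, not code from the sandbox report or its vendor. PROCESSES and
DROPPED are copied from the report above; the helpers assume Windows paths.
"""
import ntpath
from collections import defaultdict

SYSTEM32 = r"C:\Windows\system32"
WINDOWS = r"C:\Windows"

# (pid, image path) for every process in the report's process tree.
PROCESSES = [
    (2532, r"C:\Windows\system32\rundll32.exe"),
    (2276, r"C:\Windows\system32\shrpubw.exe"),
    (832,  r"C:\Users\Admin\AppData\Local\9uWbol3Cc\shrpubw.exe"),
    (2964, r"C:\Windows\system32\ddodiag.exe"),
    (3020, r"C:\Users\Admin\AppData\Local\wjfo\ddodiag.exe"),
    (2252, r"C:\Windows\system32\unregmp2.exe"),
    (292,  r"C:\Users\Admin\AppData\Local\oVUV0nDe\unregmp2.exe"),
]

# Dropped-file paths from the report's file list. The report repeats some
# files (written in stages, different hashes) and lists some without a
# drive letter; both forms are kept here on purpose.
DROPPED = [
    r"C:\Users\Admin\AppData\Local\9uWbol3Cc\ACLUI.dll",
    r"C:\Users\Admin\AppData\Local\9uWbol3Cc\shrpubw.exe",
    r"C:\Users\Admin\AppData\Local\oVUV0nDe\slc.dll",
    r"C:\Users\Admin\AppData\Local\oVUV0nDe\unregmp2.exe",
    r"C:\Users\Admin\AppData\Local\wjfo\XmlLite.dll",
    r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Gmfoo.lnk",
    r"C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\6EPRn84PObd\ACLUI.dll",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\uWefXBYPLRC\XmlLite.dll",
    r"C:\Users\Admin\AppData\Roaming\Mozilla\Extensions\NpA\slc.dll",
    r"\Users\Admin\AppData\Local\9uWbol3Cc\ACLUI.dll",
    r"\Users\Admin\AppData\Local\wjfo\ddodiag.exe",
    r"\Users\Admin\AppData\Roaming\Mozilla\Extensions\NpA\unregmp2.exe",
]


def canon(path):
    """Case-fold the path and add the drive letter the report omits.
    Assumption: drive-less \\Users\\... paths are on the C: volume."""
    if path.startswith("\\") and not path.startswith("\\\\"):
        path = "C:" + path
    return path.casefold()


def copied_system_binaries(processes):
    """Executable names seen running both from System32 and from elsewhere.

    A signed Windows binary copied, name intact, into a user-writable
    directory is the side-loading precondition: it resolves DLL imports
    from its own directory before System32."""
    in_system32, elsewhere = set(), set()
    for _pid, image in processes:
        c = canon(image)
        target = in_system32 if ntpath.dirname(c) == canon(SYSTEM32) else elsewhere
        target.add(ntpath.basename(c))
    return in_system32 & elsewhere


def classify_drop_dirs(processes, dropped):
    """Group dropped files by directory and rate each directory holding a DLL.

    executed : an .exe sits beside the DLL and ran from that directory
    staged   : .exe and DLL present, but the .exe did not run in this trace
    dll-only : DLL written without a companion .exe (in this trace)
    Keys are case-folded directories; file names keep their original case."""
    exec_dirs = {ntpath.dirname(canon(img)) for _pid, img in processes}
    by_dir = defaultdict(lambda: {"exe": set(), "dll": set()})
    for path in dropped:
        c = canon(path)
        if c.startswith(canon(WINDOWS) + "\\"):
            continue  # writes into the OS tree would be a different finding
        ext = ntpath.splitext(c)[1]
        if ext in (".exe", ".dll"):
            by_dir[ntpath.dirname(c)][ext[1:]].add(ntpath.basename(path))
    out = {}
    for d, files in by_dir.items():
        if not files["dll"]:
            continue
        if files["exe"] and d in exec_dirs:
            status = "executed"
        elif files["exe"]:
            status = "staged"
        else:
            status = "dll-only"
        out[d] = {"status": status, "exe": sorted(files["exe"]), "dll": sorted(files["dll"])}
    return out


def startup_artifacts(dropped):
    """Files written to a Startup folder, i.e. run at every logon. The report
    shows the folder with 8.3 short names (MICROS~1, STARTM~1), so match on
    the trailing Programs\\Startup component rather than the full path."""
    return [p for p in dropped if ntpath.dirname(canon(p)).endswith("\\programs\\startup")]


if __name__ == "__main__":
    print("copied system binaries:", sorted(copied_system_binaries(PROCESSES)))
    for d, info in sorted(classify_drop_dirs(PROCESSES, DROPPED).items()):
        print(f"{info['status']:9} {d}  exe={info['exe']} dll={info['dll']}")
    print("startup persistence:", startup_artifacts(DROPPED))
```

Run against this page's data it reports three "executed" pairs (the AppData\Local directories), one "staged" pair under Roaming\Mozilla\Extensions\NpA (unregmp2.exe and slc.dll written but not run within the 150 s window), two "dll-only" directories under Roaming, and the Gmfoo.lnk in the Startup folder. The Roaming copies and the Startup shortcut are the parts to hunt for on a live host, since they survive the reboot the sandbox never reached.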

        Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\9uWbol3Cc\ACLUI.dll

          Filesize

          95KB

          MD5

          539ddddf6797759e820854ec54adf82e

          SHA1

          fec486d6e9a38a54963e01ac18b370c5173aaeee

          SHA256

          b59c25b7f8fa161e2ab78507dbe258e6b2c281d028790ebd1d321ce285186afc

          SHA512

          633d9b735144bbc79016e211a248830d6ef57bc232cd7de7c4d62934e0345b45218c233120ba5a61e9dfbbed572b4cafbfecc102ff35edcedf6aebbb2cefacb2

        • C:\Users\Admin\AppData\Local\9uWbol3Cc\shrpubw.exe

          Filesize

          118KB

          MD5

          2d73937b3735925ebcacd04151459500

          SHA1

          115aaaccd01d1c8beaba6fd84fe30dbd84210597

          SHA256

          d05cf222f7fb9b6dd72b0ce7f13b0ce273a4a603ac390134273cca4664e746cd

          SHA512

          a34c7286f49c79b0e5ab63e5735c9f886641b7bf09138186f15145ef7e3e7ae5a32f21243d473d546ee4e5a3e80dc78de60460b61acf7d313553a1d24534a6d9

        • C:\Users\Admin\AppData\Local\9uWbol3Cc\shrpubw.exe

          Filesize

          33KB

          MD5

          d19b9de6ac49b9604059136f3957d5b9

          SHA1

          28d8cd6ec45b553f529189989f2c85a78b615e3f

          SHA256

          b6100cbdd7bbf827653bcc69019cf33ad8c23ed1aa5fdd0a86c62a85f0bee760

          SHA512

          d3395863c6cf348b47583b606756f3fbc13cbff3151cce936cbb785f3e5283c16db4e17db99e61c33e05a89f86e18f8682f900304ebc52ddf0fde40ab8fb3b40

        • C:\Users\Admin\AppData\Local\oVUV0nDe\slc.dll

          Filesize

          88KB

          MD5

          15d41c9aa88d3a13c880b4d7a6772477

          SHA1

          40597f28624a1976da21dfccb3ef4d3801e176e7

          SHA256

          a45125550d80a397a6472fefed0c3bca25daa7cd7951b840405723e7a85f6128

          SHA512

          46f287574c0aff8dd94156132a575332836eb04b201da5b3a8b14ab0a49613136c411b3e2a168d3fe1f16582872be268bb8309d46dfdf264a2d3081df3862ddf

        • C:\Users\Admin\AppData\Local\oVUV0nDe\unregmp2.exe

          Filesize

          132KB

          MD5

          9121740ff1acfa9ac5f33b9dfdc1a8f5

          SHA1

          db47b4adc72371cd0978c0892fe3aeefc07de047

          SHA256

          9e29665d3b2d6c1b7f374875b79b304f89da162b41741c80db1eb4f25be1a6da

          SHA512

          b3df5c42edaa2f86ac0415f97979bebda7ae70d4e7c971e423dd85040f79d6e199324c4588367994f7a5a7584be83565c08bf1153a699b34be41fd4a4e5efb81

        • C:\Users\Admin\AppData\Local\oVUV0nDe\unregmp2.exe

          Filesize

          134KB

          MD5

          32b97eb34f4b8fa296839cc4f4c48377

          SHA1

          24ef8a039ecd35ea1780e17197ae37583869226b

          SHA256

          688c823234f46b7a264c8c2252a2b303239d42d751480f67bdc67e0d7c8bcd04

          SHA512

          3eef44c1ea009ba89a3351d0865028ef7e75e43679568585eda8161d76798f774a9e51816c0099f92907d40db906f2e187a40512bef20ec36803d56bf2273068

        • C:\Users\Admin\AppData\Local\wjfo\XmlLite.dll

          Filesize

          68KB

          MD5

          1ac402c5cb88c684287132abae86623c

          SHA1

          4d0c6cfb802c2aeb03b4ae5772eb0f88e5d510d3

          SHA256

          00beee083fc2f58969734d7ae1a9a9bcf14e331c489a0a65107b66b02b14dec7

          SHA512

          5d7e84b1ee1c9d1ede22795dd2c251c667f8969945fe66a3af165b2b97cb2aeb28e9e66fdf1efdb28afa9d881fef78fe6234c491b735c96f12f2de799247c8f6

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Gmfoo.lnk

          Filesize

          1010B

          MD5

          82fba99901a34346a60d2876f5b7a1a1

          SHA1

          66ab939671763a5b745686b15ab109fe5c058d05

          SHA256

          6a2727bd99e05e6077da6f64c32d714892528edfccc1f8e8af9295359eefb083

          SHA512

          3df32f426ab3664c9b9ba1a3b2662f9ba987def014d6976976bb860d289a257b8b3d23180ae84442be60e94937d9326a33ba676588dea40482be5319a3eecb9d

        • C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\6EPRn84PObd\ACLUI.dll

          Filesize

          158KB

          MD5

          989e7e42fbd0fb346e45ac17b0f81a2d

          SHA1

          97b4f4d3aae15b65f3d4500e83ed8eb06caeece2

          SHA256

          4c27c652dd1fff3259ed15a82827ad7744a4a67dc4cf7318cc02c09e255e23bb

          SHA512

          bb4873fabcf501d77ac61882f5d43188ddb447bba7fc4e84febe0502978e12f1562765bf75ada90f9fb457a4018102ff2a9cc9d171ff35fab33c47bf7c058a06

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\uWefXBYPLRC\XmlLite.dll

          Filesize

          495KB

          MD5

          791ea65fad082e86db609282b5472023

          SHA1

          937ab541f9b4cfb1b25e07fa0ca617c9dec417c8

          SHA256

          e61ed85b57d053eaf57d06274a08ab0de01d506ffe07ca1e94b9841bd539e5d2

          SHA512

          22f20a61d91d7b57e2c5d2e61690082e1aab4e83bb5b9c59003892d7a53e31e5a17fe99299b84c4527f24f8e67d13dea7eac024820cc626af6682cf46b11afec

        • C:\Users\Admin\AppData\Roaming\Mozilla\Extensions\NpA\slc.dll

          Filesize

          375KB

          MD5

          06b9dabd4677f9cbbf4c2b939c3f02f5

          SHA1

          adf61f5258063be5b97c2db0e4b6110db837ba2b

          SHA256

          d7c4e74c36629172139c9f1538287c2ffae6b04037955bd7a971df4376290d26

          SHA512

          07958b61765c885efdc13b3681a120b9960d2656064b4593572e1a77e9b03ec301a33af653ae5ad32e9254f8ae19c23adb365bf0d4cda00af1d825a00ee927b5

        • \Users\Admin\AppData\Local\9uWbol3Cc\ACLUI.dll

          Filesize

          128KB

          MD5

          217e248ccbce89e478d531cf3bd89ae3

          SHA1

          332e074da0c9e44153bad6988c85e59987ea3a42

          SHA256

          70d14772f74b1868c75578c94f8ca43d091c14661ac1309c9b347a2baa1239ac

          SHA512

          7d27c4e15d13b0181a9f645d845234e4a164078c56e7603c5a7a9079760024dd26e05b09618338ec17d33d62648bb7ef90faf1b24164c81221657170248b0f0f

        • \Users\Admin\AppData\Local\9uWbol3Cc\shrpubw.exe

          Filesize

          38KB

          MD5

          088a1f2fbdcaf68235232d1ae12cdf77

          SHA1

          51a2569da0d9d567347b4a3e7dcbf07bc67a29fd

          SHA256

          08311273a69d5617aa35e6673f20aabcc8522acfdb300621ba3960157d827d15

          SHA512

          137f09863e717be1f997aa5c61752186beb1be858912745fc88df62bee35c497c924ab2367fb17865e0020efff49e8740cee0203dc57e4a38e422c2aa5e676cb

        • \Users\Admin\AppData\Local\oVUV0nDe\slc.dll

          Filesize

          216KB

          MD5

          dbf594cb79d5fe4dcbfc41626a471e96

          SHA1

          d19b0f5606c9341235d74a324a2ba7480197cdf7

          SHA256

          6989166e3283c2d2053edafd2e5f441568a5a6135efe0294597aed5931a82b43

          SHA512

          bd8e0ed21d5620e1c649cabdb22beaa82bd0e2f331c9997b8b807fbc343497ef5f3491f7d30e217c6006a659e0c607fca8d5d821ca0db4d82334f41c922c42a5

        • \Users\Admin\AppData\Local\oVUV0nDe\unregmp2.exe

          Filesize

          110KB

          MD5

          4de9c366740815e266defc61b23092a3

          SHA1

          76a790f158e3f10a3ba1ec7ef33f70c1b118386e

          SHA256

          160b65c63f2947e074d69224d66ab0d599c6a87df6a8dd03267fb77d23bf9639

          SHA512

          6374c50e9c0a1620604cfc8643ac5917bc22e4dccfb0797f89301c70b961d806659a740829ccda79a78b02fdd305cb2a3d9ca52bc18d93e6343b5ffbfb33740c

        • \Users\Admin\AppData\Local\wjfo\XmlLite.dll

          Filesize

          79KB

          MD5

          0a18d673623d33e7746048d8f39a530d

          SHA1

          eab8bae2e4b0ef310de0e71b9321af1bee7b0dea

          SHA256

          d8772a41cc5d00bd518c1b88d8f9a278f586c4b8d6634a71d65f52653eac364b

          SHA512

          aeecb3b26e74fa4cadac3c36fda5b6588554b86a531944cd216fc82b1a78c99d32630be928e257b539bfc0a5be636bc159b6aa8fbd8230a6c729f6d405ac53ed

        • \Users\Admin\AppData\Local\wjfo\ddodiag.exe

          Filesize

          42KB

          MD5

          509f9513ca16ba2f2047f5227a05d1a8

          SHA1

          fe8d63259cb9afa17da7b7b8ede4e75081071b1a

          SHA256

          ddf48c333e45c56c9e3f16e492c023bf138629f4c093b8aaab8ea60310c8c96e

          SHA512

          ad3168767e5eba575ae766e1e2923b1db4571bbeb302d7c58e8023612e33913dcd9e5f4a4c1bc7b1556442a0807117066f17c62b38fe2ae0dfaa3817b7318862

        • \Users\Admin\AppData\Roaming\Mozilla\Extensions\NpA\unregmp2.exe

          Filesize

          147KB

          MD5

          5e2143090655d160d69119f6e2d39ff1

          SHA1

          fb804416a0809c27c137bbf51b14ff47bbb19ff5

          SHA256

          321bb5328e335b783df753413d2c26d18f4d057c7223d702d25606fdf44a1df0

          SHA512

          930543cb84e9060616238995bb8803ad3319030f648c74feba8effe5571c3a10c51c0f3b3835a564086eb768cb2b576851b32cc16a691b0a3420df5c351d86d8

        • memory/292-120-0x0000000000180000-0x0000000000187000-memory.dmp

          Filesize

          28KB

        • memory/832-84-0x0000000140000000-0x0000000140205000-memory.dmp

          Filesize

          2.0MB

        • memory/832-83-0x0000000000120000-0x0000000000127000-memory.dmp

          Filesize

          28KB

        • memory/1204-23-0x0000000140000000-0x0000000140204000-memory.dmp

          Filesize

          2.0MB

        • memory/1204-65-0x0000000140000000-0x0000000140204000-memory.dmp

          Filesize

          2.0MB

        • memory/1204-28-0x0000000140000000-0x0000000140204000-memory.dmp

          Filesize

          2.0MB

        • memory/1204-27-0x0000000140000000-0x0000000140204000-memory.dmp

          Filesize

          2.0MB

        • memory/1204-33-0x0000000140000000-0x0000000140204000-memory.dmp

          Filesize

          2.0MB

        • memory/1204-32-0x0000000140000000-0x0000000140204000-memory.dmp

          Filesize

          2.0MB

        • memory/1204-26-0x0000000140000000-0x0000000140204000-memory.dmp

          Filesize

          2.0MB

        • memory/1204-21-0x0000000140000000-0x0000000140204000-memory.dmp

          Filesize

          2.0MB

        • memory/1204-20-0x0000000140000000-0x0000000140204000-memory.dmp

          Filesize

          2.0MB

        • memory/1204-19-0x0000000140000000-0x0000000140204000-memory.dmp

          Filesize

          2.0MB

        • memory/1204-34-0x0000000140000000-0x0000000140204000-memory.dmp

          Filesize

          2.0MB

        • memory/1204-36-0x0000000140000000-0x0000000140204000-memory.dmp

          Filesize

          2.0MB

        • memory/1204-37-0x0000000140000000-0x0000000140204000-memory.dmp

          Filesize

          2.0MB

        • memory/1204-38-0x0000000140000000-0x0000000140204000-memory.dmp

          Filesize

          2.0MB

        • memory/1204-39-0x0000000140000000-0x0000000140204000-memory.dmp

          Filesize

          2.0MB

        • memory/1204-41-0x0000000140000000-0x0000000140204000-memory.dmp

          Filesize

          2.0MB

        • memory/1204-45-0x0000000140000000-0x0000000140204000-memory.dmp

          Filesize

          2.0MB

        • memory/1204-44-0x0000000140000000-0x0000000140204000-memory.dmp

          Filesize

          2.0MB

        • memory/1204-43-0x0000000140000000-0x0000000140204000-memory.dmp

          Filesize

          2.0MB

        • memory/1204-42-0x0000000140000000-0x0000000140204000-memory.dmp

          Filesize

          2.0MB

        • memory/1204-40-0x0000000140000000-0x0000000140204000-memory.dmp

          Filesize

          2.0MB

        • memory/1204-35-0x0000000140000000-0x0000000140204000-memory.dmp

          Filesize

          2.0MB

        • memory/1204-46-0x0000000140000000-0x0000000140204000-memory.dmp

          Filesize

          2.0MB

        • memory/1204-47-0x0000000002990000-0x0000000002997000-memory.dmp

          Filesize

          28KB

        • memory/1204-54-0x0000000140000000-0x0000000140204000-memory.dmp

          Filesize

          2.0MB

        • memory/1204-55-0x00000000771C1000-0x00000000771C2000-memory.dmp

          Filesize

          4KB

        • memory/1204-56-0x0000000077320000-0x0000000077322000-memory.dmp

          Filesize

          8KB

        • memory/1204-29-0x0000000140000000-0x0000000140204000-memory.dmp

          Filesize

          2.0MB

        • memory/1204-69-0x0000000140000000-0x0000000140204000-memory.dmp

          Filesize

          2.0MB

        • memory/1204-74-0x0000000140000000-0x0000000140204000-memory.dmp

          Filesize

          2.0MB

        • memory/1204-31-0x0000000140000000-0x0000000140204000-memory.dmp

          Filesize

          2.0MB

        • memory/1204-30-0x0000000140000000-0x0000000140204000-memory.dmp

          Filesize

          2.0MB

        • memory/1204-22-0x0000000140000000-0x0000000140204000-memory.dmp

          Filesize

          2.0MB

        • memory/1204-4-0x0000000076FB6000-0x0000000076FB7000-memory.dmp

          Filesize

          4KB

        • memory/1204-25-0x0000000140000000-0x0000000140204000-memory.dmp

          Filesize

          2.0MB

        • memory/1204-24-0x0000000140000000-0x0000000140204000-memory.dmp

          Filesize

          2.0MB

        • memory/1204-17-0x0000000140000000-0x0000000140204000-memory.dmp

          Filesize

          2.0MB

        • memory/1204-18-0x0000000140000000-0x0000000140204000-memory.dmp

          Filesize

          2.0MB

        • memory/1204-15-0x0000000140000000-0x0000000140204000-memory.dmp

          Filesize

          2.0MB

        • memory/1204-16-0x0000000140000000-0x0000000140204000-memory.dmp

          Filesize

          2.0MB

        • memory/1204-5-0x00000000029C0000-0x00000000029C1000-memory.dmp

          Filesize

          4KB

        • memory/1204-14-0x0000000140000000-0x0000000140204000-memory.dmp

          Filesize

          2.0MB

        • memory/1204-13-0x0000000140000000-0x0000000140204000-memory.dmp

          Filesize

          2.0MB

        • memory/1204-12-0x0000000140000000-0x0000000140204000-memory.dmp

          Filesize

          2.0MB

        • memory/1204-11-0x0000000140000000-0x0000000140204000-memory.dmp

          Filesize

          2.0MB

        • memory/1204-10-0x0000000140000000-0x0000000140204000-memory.dmp

          Filesize

          2.0MB

        • memory/1204-9-0x0000000140000000-0x0000000140204000-memory.dmp

          Filesize

          2.0MB

        • memory/1204-8-0x0000000140000000-0x0000000140204000-memory.dmp

          Filesize

          2.0MB

        • memory/1204-143-0x0000000076FB6000-0x0000000076FB7000-memory.dmp

          Filesize

          4KB

        • memory/2532-7-0x0000000140000000-0x0000000140204000-memory.dmp

          Filesize

          2.0MB

        • memory/2532-1-0x0000000000110000-0x0000000000117000-memory.dmp

          Filesize

          28KB

        • memory/2532-0-0x0000000140000000-0x0000000140204000-memory.dmp

          Filesize

          2.0MB

        • memory/3020-102-0x0000000000080000-0x0000000000087000-memory.dmp

          Filesize

          28KB
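
The memory dumps above are named by PID, dump index and address range, and reading them together says more than any single entry. The 2.0MB region at 0x140000000 (the default x64 image base) is dumped from rundll32 (2532), from 1204, and one page larger from the dropped shrpubw.exe (832); PID 1204 never appears in the process tree, which matches the "Dridex Shellcode" signature describing injection into Explorer, although the page itself does not name that process, so treat the Explorer identification as an inference. Every process also carries a 28KB (0x7000) region. The script below is an added example, not code from the report or the sandbox vendor: it parses dump names of this exact form and does that correlation. DUMPS is a subset of the entries above (the repeated 1204 dumps of the same range are reduced to two), and TREE_PIDS are the PIDs from the process tree.

```python
"""Correlate sandbox memory-dump names across processes.

Added example, not from the report or its vendor. DUMPS is a subset of the
memory/... entries listed above; TREE_PIDS are the PIDs in the process tree.
"""
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp"
)

TREE_PIDS = {2532, 2276, 832, 2964, 3020, 2252, 292}

DUMPS = [
    "memory/292-120-0x0000000000180000-0x0000000000187000-memory.dmp",
    "memory/832-84-0x0000000140000000-0x0000000140205000-memory.dmp",
    "memory/832-83-0x0000000000120000-0x0000000000127000-memory.dmp",
    "memory/1204-23-0x0000000140000000-0x0000000140204000-memory.dmp",
    "memory/1204-65-0x0000000140000000-0x0000000140204000-memory.dmp",
    "memory/1204-47-0x0000000002990000-0x0000000002997000-memory.dmp",
    "memory/1204-55-0x00000000771C1000-0x00000000771C2000-memory.dmp",
    "memory/1204-56-0x0000000077320000-0x0000000077322000-memory.dmp",
    "memory/1204-4-0x0000000076FB6000-0x0000000076FB7000-memory.dmp",
    "memory/1204-5-0x00000000029C0000-0x00000000029C1000-memory.dmp",
    "memory/1204-143-0x0000000076FB6000-0x0000000076FB7000-memory.dmp",
    "memory/2532-7-0x0000000140000000-0x0000000140204000-memory.dmp",
    "memory/2532-1-0x0000000000110000-0x0000000000117000-memory.dmp",
    "memory/2532-0-0x0000000140000000-0x0000000140204000-memory.dmp",
    "memory/3020-102-0x0000000000080000-0x0000000000087000-memory.dmp",
]


def parse_dump(name):
    """Split one dump file name into pid, dump index and address span."""
    m = DUMP_RE.fullmatch(name)
    if m is None:
        raise ValueError(f"not a dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"pid": int(m["pid"]), "index": int(m["idx"]),
            "start": start, "end": end, "size": end - start}


def shared_bases(dumps):
    """Base address -> sorted PIDs, for bases dumped from more than one process.
    One base recurring in unrelated processes is the footprint of a single
    image being mapped or injected into each of them."""
    pids = defaultdict(set)
    for d in map(parse_dump, dumps):
        pids[d["start"]].add(d["pid"])
    return {base: sorted(p) for base, p in pids.items() if len(p) > 1}


def regions_of_size(dumps, size):
    """PID -> sorted bases of regions that are exactly `size` bytes
    (repeated dumps of one region collapse to one entry)."""
    out = defaultdict(set)
    for d in map(parse_dump, dumps):
        if d["size"] == size:
            out[d["pid"]].add(d["start"])
    return {pid: sorted(bases) for pid, bases in out.items()}


def undeclared_pids(dumps, tree_pids):
    """PIDs that were dumped but never appear in the process tree: memory the
    sandbox captured from a pre-existing process, i.e. an injection target."""
    return sorted({parse_dump(n)["pid"] for n in dumps} - set(tree_pids))


if __name__ == "__main__":
    for base, pids in shared_bases(DUMPS).items():
        print(f"base 0x{base:X} seen in PIDs {pids}")
    for pid, bases in sorted(regions_of_size(DUMPS, 0x7000).items()):
        print(f"PID {pid}: 28KB region(s) at", [hex(b) for b in bases])
    print("dumped but not in process tree:", undeclared_pids(DUMPS, TREE_PIDS))
```

The 0x7000 regions at low, per-process addresses are the dumps the report labels 28KB; the same size in every process, including the injection target, is what you would carve and compare first, since one small stub copied into each process is exactly what the "Suspicious use of WriteProcessMemory" signature would produce.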