Analysis

  • max time kernel
    150s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags
    arch:x64
    arch:x86
    image:win7-20231129-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    01-02-2024 09:36

General

  • Target

    868df0fad643001bb45bb8b38cfd7ec2.dll

  • Size

    2.2MB

  • MD5

    868df0fad643001bb45bb8b38cfd7ec2

  • SHA1

    3d4d21cfb078c2c8eed5adcef1a16b919f2e3b5b

  • SHA256

    35a57a2f4ae0a954f51d0b5da7bbebd60fbd047b7d9dc92da62bc442eb26429e

  • SHA512

    58e116d1627baf816257f2eaddcb01617b2d540b310bd3b9f0a34798bf78dd5631b873ad783bb50fb7f76f573c272445f938aeb9ba171f540c69c92cdb4c3f1d

  • SSDEEP

    12288:7VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:afP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Malware Config

Signatures

  • Dridex

    Dridex (known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex payload shellcode injected into the Explorer process.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\868df0fad643001bb45bb8b38cfd7ec2.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2372
  • C:\Users\Admin\AppData\Local\DnWGgH\WindowsAnytimeUpgradeResults.exe
    C:\Users\Admin\AppData\Local\DnWGgH\WindowsAnytimeUpgradeResults.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:2752
  • C:\Windows\system32\WindowsAnytimeUpgradeResults.exe
    C:\Windows\system32\WindowsAnytimeUpgradeResults.exe
    1⤵
      PID:2540
    • C:\Users\Admin\AppData\Local\3clGYl7X\DisplaySwitch.exe
      C:\Users\Admin\AppData\Local\3clGYl7X\DisplaySwitch.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2440
    • C:\Windows\system32\DisplaySwitch.exe
      C:\Windows\system32\DisplaySwitch.exe
      1⤵
        PID:2804
      • C:\Users\Admin\AppData\Local\4Jv\ComputerDefaults.exe
        C:\Users\Admin\AppData\Local\4Jv\ComputerDefaults.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:1532
      • C:\Windows\system32\ComputerDefaults.exe
        C:\Windows\system32\ComputerDefaults.exe
        1⤵
          PID:1640

Network

MITRE ATT&CK Enterprise v15

Downloads

        • C:\Users\Admin\AppData\Local\3clGYl7X\DisplaySwitch.exe

          Filesize

          68KB

          MD5

          11d86d4d7425ce220c022e156507c25b

          SHA1

          7296aa31ca9beaece281167122f9b82de8fcb1e1

          SHA256

          2d8eb9cf23785f90a89aadefa0eb480131dad0ff1eebf0ea0dc7072394bfda86

          SHA512

          77657cab66ea5c2bf798106937b3827fe8335793e35f85cb2249747cbc5c3a29f33ac798c9c34f0e25695b0110a81b11cdbf52b618c40c8ffb06f678330e8642

        • C:\Users\Admin\AppData\Local\3clGYl7X\DisplaySwitch.exe

          Filesize

          49KB

          MD5

          5ed2103185309b94fc0c2b8692fb3997

          SHA1

          e9c026891eafb9b0a54cf761be52204e19b38e1e

          SHA256

          7d83d1c9b2092945fd7308eb921a14bfb796b827e937a7035ad674ff5728f81d

          SHA512

          74421cf4afd8f84516d8045765b04638831b7a5759da5d500fc6d8927962eb323c5f929fb74ef1ab01e439398b4af84a7c8da77b75679f33d1276e45fd4899ca

        • C:\Users\Admin\AppData\Local\3clGYl7X\slc.dll

          Filesize

          65KB

          MD5

          8e62a307c83a9543e0de744ffc9d6cbb

          SHA1

          8f40e09cc77aa1f315d564d28d7de94726c1ac6b

          SHA256

          89e90fe75ec609307e90cf5fe46ee639debaa63eb7c7d87ff020e4cbd4f13cd8

          SHA512

          6be59f59bb7c4987127f00273c253d8bf28ecd1833a726ba8b67112692e922a1c8824005bc278b858b912320f71eef97368dcc2627986184de5206303ffd7ecb

        • C:\Users\Admin\AppData\Local\4Jv\ComputerDefaults.exe

          Filesize

          13KB

          MD5

          0551023b51f71ddc980c910e15fa3dd4

          SHA1

          cbe88079c8f42d18104c5f3d312211a77548ea89

          SHA256

          d86fb375b7ba52974d9f2eb5f09e97736b21ee1ad9b451b03fecff10192e60ae

          SHA512

          8ff4725b169ed6691f2411d5a4727e2e9d1c8d6e53a2dcd0378080a846440c174075af8e0db55a1857e461a014b2a38e2734468ba0479feb19132552b9400882

        • C:\Users\Admin\AppData\Local\4Jv\ComputerDefaults.exe

          Filesize

          36KB

          MD5

          86bd981f55341273753ac42ea200a81e

          SHA1

          14fe410efc9aeb0a905b984ac27719ff0dd10ea7

          SHA256

          40b194be2bad2d3d4d1b69f9aec2853c8b663130810a11607ff72a9e3a06d5b3

          SHA512

          49bb6d4bf7a9356fadde7f6165af6973630827d28b69db10ad477a84d98b08fb82e4daae777166e1ddddb5b5efcdf634e4e9bd34b255dae87462ba32e8bba143

        • C:\Users\Admin\AppData\Local\4Jv\appwiz.cpl

          Filesize

          78KB

          MD5

          060ac1669a10ea750aa266ca5e8ef86d

          SHA1

          da5c83b212cadecf28c9c7125038a60ad933f477

          SHA256

          64a292109bfad018e355c5ada730843949d4bb0f6f579506cf0565bf57a33159

          SHA512

          18a2d2a1bf0800a8be8116466052d9d1985dda9db4d98c1a1ec7640485961a1b5ac11a1ecba6df660b60a9d5647898558b80a523d79da1b73cff68fc09036a69

        • C:\Users\Admin\AppData\Local\DnWGgH\WINBRAND.dll

          Filesize

          69KB

          MD5

          d031fb5ee9e6951cf6fb11c4a6ebc4cd

          SHA1

          be7f43f92221007444aad5f894f96557d7a6b12f

          SHA256

          fbf80714def3f7a4c667a096130dc3b67be07467b64c6defae6bf259d3faa6ed

          SHA512

          0c9b394b00d37ec535fdcd4571d3cf495ef480b9e8497a0d904aef44033fe0f80d18b19a551dc436cf8b742c84028c5f48dd6b92a3be35aa8db499d4f3557e0d

        • C:\Users\Admin\AppData\Local\DnWGgH\WindowsAnytimeUpgradeResults.exe

          Filesize

          32KB

          MD5

          20e60cf11b90f4eddeaa366bc24c5bb2

          SHA1

          37da21e9a1869a702f9d236ec0050891b5ce4607

          SHA256

          1a62a3ada4bf83fd8ecfab574f6682ef772188e58f48dbedcffd339deb3cf1b6

          SHA512

          977cf46bf206da5ec0e5907e20f9a676579b6d60c1ea78599b261a64eb34d7ce5f85c21e1de730fe878b144b4b69ba951e24a65b302bb950bb1807ae35880156

        • C:\Users\Admin\AppData\Local\DnWGgH\WindowsAnytimeUpgradeResults.exe

          Filesize

          111KB

          MD5

          8cd690b45937427b6b5e21e3061d28d4

          SHA1

          c12c6d1bbac7cb6e4cef50b7168c4d8dccaa47d6

          SHA256

          2cb91010998e51e0b3ca08e0a5d1af6c2ad89063d5ac801f6bdca7d899af13f2

          SHA512

          e2290f7c1627db80547b9f125e676e8210d4853af854dff7cdf3dd2dec494cdba9ebad0c57e46ce07a21db6dccec13d4ce26ca666171365521d56edbfbca2d64

        • C:\Users\Admin\AppData\Roaming\Adobe\Flash Player\nBfA\appwiz.cpl

          Filesize

          2.2MB

          MD5

          682e1fea84d3fc6e0090791254ecb398

          SHA1

          02364698c4255b98bc75645f9c02d377fb9b967d

          SHA256

          30ac1676610e66e167b2b8e41397a20945c974c075869c790989b8e218fc7a76

          SHA512

          3d292073f35070622d24d346fffbb6d8753495369c5a080c40853e5642ba60da65e247bb47c4306313e698eb550a22de72fb6c43f2c25a07f68c68f3b10ba04c

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Aqrvnhd.lnk

          Filesize

          1KB

          MD5

          4848138dc93e8a65814b698ca8322627

          SHA1

          ba9b30bc23971429c41aca93746c7d315ec1336e

          SHA256

          933b6805327a91455086f0ef4d51782e0aef403bddae3a51b80da245f6684101

          SHA512

          0ee3e0d9bcb14c19068312f1c2d41eda2545b2c04e48b81cc0810fe2585185decc0bb18d0d78538c7f4eb753a95523c9ac6f3ad8a6d196aa6b0efd1e6c8637d7

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IECompatUACache\Low\HOK47D\slc.dll

          Filesize

          398KB

          MD5

          bb3a50cca8d525bf8a7420b7240669c5

          SHA1

          f44e505e03dfc014a62bb97cd5d9cf2d61856c3b

          SHA256

          a6244fae4fecbc7532efdf4037d839cc624b04ff4768215cc6077c09bb97587c

          SHA512

          7a88d00b17a40a246ea2266653e9b948065696fd07cd199712480847f4175007b0b32b0aceca671c2ad706103a6228c1655361ae239f8e52a967e73213933bb5

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IECompatUACache\Low\JY0lT\WINBRAND.dll

          Filesize

          64KB

          MD5

          da15cc19cd66cdbc39614d0294bd6c4c

          SHA1

          bce06039a7e8ea875f9e09a30d12b5baa295dc1a

          SHA256

          34002f55b3d769f153aba81be2584823e9fac91c3692fc6bfe64db7bc347e9ed

          SHA512

          900313e7fb8a6d2650e1f4f0e07ea4a61b7d784ca7835f2b13a92295bae96422c09333861c69f8f74301fb25c41911ee1120a688309f43c3bffc026db0c53d6e

        • \Users\Admin\AppData\Local\3clGYl7X\DisplaySwitch.exe

          Filesize

          188KB

          MD5

          045640cfa4317b88c65a3cea3e99f6fd

          SHA1

          f547e40c04f14c2dc8ca88ddfda28cc4c8c311a3

          SHA256

          b7f132285b26f6df1909087002eaef7bceab5cb9ed7f15c71d1e7e7138d1f195

          SHA512

          943bf7a1544f5a353cf34cc59981f85aa43f83ab4a378d7cebd563f873a0224fbf83619bd871ceb21dd0cb71f12972c22fb84186ad8a9c313b8d3d5d3b57fd00

        • \Users\Admin\AppData\Local\3clGYl7X\slc.dll

          Filesize

          236KB

          MD5

          cbf66a15bf1039503d092dab1abe0436

          SHA1

          2135fce96d3457c3f5ccd8a8c751a495a8a0812e

          SHA256

          55a462acb269a02eb025be05554f45eb3786fb2d472d1eba48ecbd457f22fa23

          SHA512

          c5d720e96146da21f2f9aebab16270cbe6bf91106b1397fbe099f69d195d5308d505d43372cde538a533734934670b2ec4dfa521ce765bace211852e764b889b

        • \Users\Admin\AppData\Local\4Jv\appwiz.cpl

          Filesize

          57KB

          MD5

          ce267730c6482a667bb3f97d425ff622

          SHA1

          710a5896e652ed9d30e443a82213effc5af076cf

          SHA256

          5afe4d86a3f60b4055de742ce5181f060ed59f531c66c68e3bbcddf19d2dfe39

          SHA512

          0104d59fce5c525c9af9e71bd23b430850113f5278cf50abec955e180cd93e87784107f5caf5cadf90a2c562c06334620234f769de655541e21d925dba4bc98f

        • \Users\Admin\AppData\Local\DnWGgH\WINBRAND.dll

          Filesize

          76KB

          MD5

          75a1ff996cd67c62aa82e7819f163764

          SHA1

          a07c0a8f60fb1c622e0a1c37afd0cd2bbaa20744

          SHA256

          00431b028d95739d1d3a870caed364954a3c2e9510e5f970c238ca0c5435fbc0

          SHA512

          a0ee062da0ad521d331043b5576ab9c934f41af778c5e5e56df0380f8904a480c11517fcfc16883c7022a32e61229187caa844af50e90350114506b6bbb30492

        • \Users\Admin\AppData\Local\DnWGgH\WindowsAnytimeUpgradeResults.exe

          Filesize

          208KB

          MD5

          bf51290cf3b61042e2a96f7b7d1eb155

          SHA1

          ee6101dbe9e0c85bb93cb33bbdcdadfef1fcf0d7

          SHA256

          96c3e3ecf3e7486401b24d94d4a17bcf0176edf0d4e218feebb8d9f02e3e93b2

          SHA512

          1d963b9e9d5caf39f9521d85f6f698dcb2bcb05987e1047b565d0208070aed898386747d2e97d6d17579fdf01167c94268974e44f073ad869a0693519227cfed

        • memory/1340-36-0x0000000140000000-0x0000000140235000-memory.dmp

          Filesize

          2.2MB

        • memory/1340-23-0x0000000140000000-0x0000000140235000-memory.dmp

          Filesize

          2.2MB

        • memory/1340-57-0x0000000140000000-0x0000000140235000-memory.dmp

          Filesize

          2.2MB

        • memory/1340-44-0x0000000140000000-0x0000000140235000-memory.dmp

          Filesize

          2.2MB

        • memory/1340-43-0x0000000140000000-0x0000000140235000-memory.dmp

          Filesize

          2.2MB

        • memory/1340-68-0x0000000140000000-0x0000000140235000-memory.dmp

          Filesize

          2.2MB

        • memory/1340-74-0x0000000140000000-0x0000000140235000-memory.dmp

          Filesize

          2.2MB

        • memory/1340-73-0x0000000140000000-0x0000000140235000-memory.dmp

          Filesize

          2.2MB

        • memory/1340-41-0x0000000140000000-0x0000000140235000-memory.dmp

          Filesize

          2.2MB

        • memory/1340-39-0x0000000140000000-0x0000000140235000-memory.dmp

          Filesize

          2.2MB

        • memory/1340-58-0x0000000076FA1000-0x0000000076FA2000-memory.dmp

          Filesize

          4KB

        • memory/1340-5-0x0000000002D20000-0x0000000002D21000-memory.dmp

          Filesize

          4KB

        • memory/1340-7-0x0000000140000000-0x0000000140235000-memory.dmp

          Filesize

          2.2MB

        • memory/1340-12-0x0000000140000000-0x0000000140235000-memory.dmp

          Filesize

          2.2MB

        • memory/1340-16-0x0000000140000000-0x0000000140235000-memory.dmp

          Filesize

          2.2MB

        • memory/1340-46-0x0000000140000000-0x0000000140235000-memory.dmp

          Filesize

          2.2MB

        • memory/1340-47-0x0000000140000000-0x0000000140235000-memory.dmp

          Filesize

          2.2MB

        • memory/1340-48-0x0000000140000000-0x0000000140235000-memory.dmp

          Filesize

          2.2MB

        • memory/1340-38-0x0000000140000000-0x0000000140235000-memory.dmp

          Filesize

          2.2MB

        • memory/1340-51-0x0000000002D00000-0x0000000002D07000-memory.dmp

          Filesize

          28KB

        • memory/1340-4-0x0000000076D96000-0x0000000076D97000-memory.dmp

          Filesize

          4KB

        • memory/1340-35-0x0000000140000000-0x0000000140235000-memory.dmp

          Filesize

          2.2MB

        • memory/1340-34-0x0000000140000000-0x0000000140235000-memory.dmp

          Filesize

          2.2MB

        • memory/1340-33-0x0000000140000000-0x0000000140235000-memory.dmp

          Filesize

          2.2MB

        • memory/1340-32-0x0000000140000000-0x0000000140235000-memory.dmp

          Filesize

          2.2MB

        • memory/1340-31-0x0000000140000000-0x0000000140235000-memory.dmp

          Filesize

          2.2MB

        • memory/1340-29-0x0000000140000000-0x0000000140235000-memory.dmp

          Filesize

          2.2MB

        • memory/1340-27-0x0000000140000000-0x0000000140235000-memory.dmp

          Filesize

          2.2MB

        • memory/1340-25-0x0000000140000000-0x0000000140235000-memory.dmp

          Filesize

          2.2MB

        • memory/1340-59-0x0000000077100000-0x0000000077102000-memory.dmp

          Filesize

          8KB

        • memory/1340-22-0x0000000140000000-0x0000000140235000-memory.dmp

          Filesize

          2.2MB

        • memory/1340-21-0x0000000140000000-0x0000000140235000-memory.dmp

          Filesize

          2.2MB

        • memory/1340-20-0x0000000140000000-0x0000000140235000-memory.dmp

          Filesize

          2.2MB

        • memory/1340-19-0x0000000140000000-0x0000000140235000-memory.dmp

          Filesize

          2.2MB

        • memory/1340-18-0x0000000140000000-0x0000000140235000-memory.dmp

          Filesize

          2.2MB

        • memory/1340-17-0x0000000140000000-0x0000000140235000-memory.dmp

          Filesize

          2.2MB

        • memory/1340-15-0x0000000140000000-0x0000000140235000-memory.dmp

          Filesize

          2.2MB

        • memory/1340-14-0x0000000140000000-0x0000000140235000-memory.dmp

          Filesize

          2.2MB

        • memory/1340-13-0x0000000140000000-0x0000000140235000-memory.dmp

          Filesize

          2.2MB

        • memory/1340-11-0x0000000140000000-0x0000000140235000-memory.dmp

          Filesize

          2.2MB

        • memory/1340-10-0x0000000140000000-0x0000000140235000-memory.dmp

          Filesize

          2.2MB

        • memory/1340-9-0x0000000140000000-0x0000000140235000-memory.dmp

          Filesize

          2.2MB

        • memory/1340-49-0x0000000140000000-0x0000000140235000-memory.dmp

          Filesize

          2.2MB

        • memory/1340-45-0x0000000140000000-0x0000000140235000-memory.dmp

          Filesize

          2.2MB

        • memory/1340-151-0x0000000076D96000-0x0000000076D97000-memory.dmp

          Filesize

          4KB

        • memory/1340-42-0x0000000140000000-0x0000000140235000-memory.dmp

          Filesize

          2.2MB

        • memory/1340-40-0x0000000140000000-0x0000000140235000-memory.dmp

          Filesize

          2.2MB

        • memory/1340-37-0x0000000140000000-0x0000000140235000-memory.dmp

          Filesize

          2.2MB

        • memory/1340-30-0x0000000140000000-0x0000000140235000-memory.dmp

          Filesize

          2.2MB

        • memory/1340-24-0x0000000140000000-0x0000000140235000-memory.dmp

          Filesize

          2.2MB

        • memory/1340-28-0x0000000140000000-0x0000000140235000-memory.dmp

          Filesize

          2.2MB

        • memory/1340-26-0x0000000140000000-0x0000000140235000-memory.dmp

          Filesize

          2.2MB

        • memory/1532-132-0x0000000001F20000-0x0000000001F27000-memory.dmp

          Filesize

          28KB

        • memory/1532-164-0x0000000001F20000-0x0000000001F27000-memory.dmp

          Filesize

          28KB

        • memory/2372-8-0x0000000140000000-0x0000000140235000-memory.dmp

          Filesize

          2.2MB

        • memory/2372-1-0x0000000001D90000-0x0000000001D97000-memory.dmp

          Filesize

          28KB

        • memory/2372-0-0x0000000140000000-0x0000000140235000-memory.dmp

          Filesize

          2.2MB

        • memory/2440-108-0x0000000000280000-0x0000000000287000-memory.dmp

          Filesize

          28KB

        • memory/2752-86-0x0000000000110000-0x0000000000117000-memory.dmp

          Filesize

          28KB