Analysis

  • max time kernel
    150s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    01-02-2024 16:32

General

  • Target

    875d030c5fc6c9897bd817f84ca43711.dll

  • Size

    2.9MB

  • MD5

    875d030c5fc6c9897bd817f84ca43711

  • SHA1

    865b73891c48646127255bfdc6104552b7aa90a4

  • SHA256

    2303cd17c0c377a2c2446c1267c7ff5a772e4cc30c721eddf332fae15489d256

  • SHA512

    d67ae0e3134a96e7c3948813206839eb330f411104751450cd600b4b7aea549aa2c140b9b45c9c7d36c21b4c09c3ed83c89eac384816dd5942c4d07490cca48b

  • SSDEEP

    12288:tVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:0fP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Malware Config

Signatures

  • Dridex

    Dridex (known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\875d030c5fc6c9897bd817f84ca43711.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1956
  • C:\Windows\system32\SystemPropertiesRemote.exe
    C:\Windows\system32\SystemPropertiesRemote.exe
    1⤵
      PID:2800
    • C:\Users\Admin\AppData\Local\iOtt4B7I\SystemPropertiesRemote.exe
      C:\Users\Admin\AppData\Local\iOtt4B7I\SystemPropertiesRemote.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2860
    • C:\Windows\system32\taskmgr.exe
      C:\Windows\system32\taskmgr.exe
      1⤵
        PID:1112
      • C:\Users\Admin\AppData\Local\OfNqYkjn\taskmgr.exe
        C:\Users\Admin\AppData\Local\OfNqYkjn\taskmgr.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:1324
      • C:\Windows\system32\DWWIN.EXE
        C:\Windows\system32\DWWIN.EXE
        1⤵
          PID:1284
        • C:\Users\Admin\AppData\Local\8ipY5EaU\DWWIN.EXE
          C:\Users\Admin\AppData\Local\8ipY5EaU\DWWIN.EXE
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2464

Network

MITRE ATT&CK Enterprise v15


Downloads
