Analysis

  • max time kernel
    150s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags
    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    02-02-2024 03:10

General

  • Target

    88668b1d3f06f675f928f23dd79da143.dll

  • Size

    2.0MB

  • MD5

    88668b1d3f06f675f928f23dd79da143

  • SHA1

    c032664de6dc7c1c3380fba695c51cb453ade557

  • SHA256

    b211dfe06a94fe21d84592e03c8f26bc8529eccb6b4ee1bcc7784ffa27f1851a

  • SHA512

    e7a8d2f5d1ba3ffc35ae4da94c25b7b74b80bad5ade5a749b625e3740e246189f482504a04482cd7a35c7d1ca8f30d4f31b989a95a06562dccea6b38f7e018d6

  • SSDEEP

    24576:qfP7fWsK5z9A+WGAW+V5SB6Ct4bnb+sJS:+DW/e+WG0Vo6CtSn

Malware Config

Signatures

  • Dridex

    Dridex (known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\88668b1d3f06f675f928f23dd79da143.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2988
  • C:\Windows\system32\rstrui.exe
    C:\Windows\system32\rstrui.exe
    1⤵
      PID:2704
    • C:\Users\Admin\AppData\Local\BWL\rstrui.exe
      C:\Users\Admin\AppData\Local\BWL\rstrui.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2468
    • C:\Users\Admin\AppData\Local\FQceQPXTt\dpnsvr.exe
      C:\Users\Admin\AppData\Local\FQceQPXTt\dpnsvr.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:592
    • C:\Windows\system32\dpnsvr.exe
      C:\Windows\system32\dpnsvr.exe
      1⤵
        PID:536
      • C:\Users\Admin\AppData\Local\VBKrWt\mspaint.exe
        C:\Users\Admin\AppData\Local\VBKrWt\mspaint.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:1112
      • C:\Windows\system32\mspaint.exe
        C:\Windows\system32\mspaint.exe
        1⤵
          PID:1684

Network

MITRE ATT&CK Enterprise v15


Downloads

        • C:\Users\Admin\AppData\Local\BWL\SRCORE.dll

          Filesize

          220KB

          MD5

          1e09c0c799dd0a321fe979ca408430e2

          SHA1

          f5708194750554e1e7d5ab7ab1b490ff8a4783c2

          SHA256

          43880b322735c3da6b9b5af60e7d975f6c50017103c3a4159d94eb53496dd673

          SHA512

          b4b8e35d2c47cae12d7ea4bdad654ce2743ff0916f2da18fe1f8e129e62c2dda9d98a326db779588a00185ffc56f097e07ffef382f4d6ef5e76c379e0cff2046

        • C:\Users\Admin\AppData\Local\BWL\rstrui.exe

          Filesize

          135KB

          MD5

          557efd19c2e8be32e690bf20fb8ac63a

          SHA1

          37bd206bc904d6b5d6477ad24a008c92a02f83b1

          SHA256

          011ca24aada7252886b8ffd61d772f7dbd2895f04a0474533755d8559d4046bc

          SHA512

          abfd7cf689502994c90f08a51ddf8b496d1c041e2a6d701d69137685222b7efcee4e99252bcaf8975d1cbbdbc43e3188f670ec03d3ecaff3b1fd756df3a984c6

        • C:\Users\Admin\AppData\Local\BWL\rstrui.exe

          Filesize

          290KB

          MD5

          3db5a1eace7f3049ecc49fa64461e254

          SHA1

          7dc64e4f75741b93804cbae365e10dc70592c6a9

          SHA256

          ba8387d4543b8b11e2202919b9608ee614753fe77f967aad9906702841658b49

          SHA512

          ea81e3233e382f1cf2938785c9ded7c8fbbf11a6a6f5cf4323e3211ae66dad4a2c597cb589ff11f9eae79516043aba77d4b24bfa6eb0aa045d405aabdea4a025

        • C:\Users\Admin\AppData\Local\FQceQPXTt\WINMM.dll

          Filesize

          104KB

          MD5

          7d1977b04f9df052a2125625ad126bfe

          SHA1

          9ad54cb94586d6704ea5197948acdbc4959a6c3c

          SHA256

          63f7132615149f5a1f3a0f03897c1d657018b5207f445b7f60b474911cfbd044

          SHA512

          5987741f50173c1a6abd538fd6167890ec5f44e9da9f52e43891ae1982960390747caa9e29245b2d18ca1a4f5ca22ea30e3fea3d81b0ac615276ae9a4f72a5ae

        • C:\Users\Admin\AppData\Local\FQceQPXTt\dpnsvr.exe

          Filesize

          33KB

          MD5

          6806b72978f6bd27aef57899be68b93b

          SHA1

          713c246d0b0b8dcc298afaed4f62aed82789951c

          SHA256

          3485ee4159c5f9e4ed9dd06e668d1e04148154ff40327a9ccb591e8c5a79958c

          SHA512

          43c942358b2e949751149ecc4be5ff6cb0634957ff1128ad5e6051e83379fb5643100cae2f6ef3eaf36aff016063c150e93297aa866e780d0e4d51656a251c7b

        • C:\Users\Admin\AppData\Local\VBKrWt\VERSION.dll

          Filesize

          152KB

          MD5

          fb112038a8d25a8897f1927d919afcd1

          SHA1

          0901c07d17f313cfff6d3465750b64caf4133188

          SHA256

          17a0285d35685c69943df42a8a2f7a0379639f348e4daa6f5aa2a37271b97d29

          SHA512

          9dac478336678468e9c4b62be0edbcedee03971b644f90046e962344bbc577289af0f53532fd6e5d32dd91fe094e4e7e2bd8e640b1c01e8d5759c9ff3453e272

        • C:\Users\Admin\AppData\Local\VBKrWt\mspaint.exe

          Filesize

          69KB

          MD5

          d113b2f0567c4a2d8ebe710d58972b93

          SHA1

          9d37bd4533d36cab5eb5cb415bffa4680496bfe4

          SHA256

          4c369609cd0ae2823444194adb977a5047a168117a73ddf9c3e06e2b32b21163

          SHA512

          c36d3475826875eae9cc19f559f158696507bf113dce78ccd052a334c2c9847397be641d5e9e169dea0aa84c557733c8b9f5fddc3504bc94da986163707ecc08

        • C:\Users\Admin\AppData\Local\VBKrWt\mspaint.exe

          Filesize

          46KB

          MD5

          f02cc80df38e9c2bd2a807e747c3aeae

          SHA1

          8ea4f3ace23eabc113fa060a0f7b94b5b9557205

          SHA256

          407894e7425a49d084a8fa65bdbde66d20e649fd7f663353dd489768aa4d1eff

          SHA512

          1561c8e1bf1c2e0e7d749d226862803a7c1f11ecac0318b3953126e71bf90576e11d9af31e436ca6e4c652716d134d21e456408ee8b59912d476b4b14e3182ad

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Aqrvnhd.lnk

          Filesize

          1KB

          MD5

          ca8b8c433c5982d9e98f97508d64bd88

          SHA1

          6f179c170cdd083677e9424086f1a455850e0d0b

          SHA256

          9383a7210fd53d47f475dcd69d9daa7883447e3ee42c0b855406fc3beaec9272

          SHA512

          a5df6cd9463b2f4000c7aa5b2b63bed02ceb27b8ee9f05d1a79eb6013616e1159cefaff0c4daa4a875fa3297050bbe45186f68f6932d4255b33d5ea63fb4422e

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PrivacIE\QPW\SRCORE.dll

          Filesize

          78KB

          MD5

          ac56b0b6c26615b97b5ac05daf6a6a61

          SHA1

          0a21621d0ae5a74613988eb977fcb708b8a6690f

          SHA256

          b1bb424ce28b4b58b17987d8081acda618d3ac795797531eb94b01a16a014b32

          SHA512

          2b4635a29a722d9c678dfd4007a5176c2b49a06e86365045a6d21fa56bfc75d6320daf82463471edee97d9d88a779005f8d85770ccf375aca6033fc3b0298de9

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\zlGTFd2GI\VERSION.dll

          Filesize

          76KB

          MD5

          7737d321af612b966c7e05739caf731b

          SHA1

          1e219379bc349180b8e0d218dd36337efb4b4f78

          SHA256

          282a94dc47bfa2bfdb5e2e42ec1df4bf641f5dd140e73b15a8ea60e9991fd0b1

          SHA512

          735747520be333646ad7e3aa4e69eb91d353ec6f1aadeba2b870cc443e39176a8d4c43e673f27ce3f0002791804922b6bdd301021e0f1bdf9318081cb8629452

        • C:\Users\Admin\AppData\Roaming\Microsoft\xyL5TzoK\WINMM.dll

          Filesize

          45KB

          MD5

          dc00b61505503068e952bda32127ba1e

          SHA1

          dc60475b6e45582ad1ec4a2d3d8bd05c30cc990f

          SHA256

          9b1bbeb53dd6ba04494dcb830c5b472a96561520c99e6c1fcb689b1ae4dc55a6

          SHA512

          563a841d9d8e0be85e585dfb720b53ee10601ea6566b68e16d9349c305abede92651634012c2ccee38a97658be460d9b81c11db476186d5f929fa1725f0d586b

        • \Users\Admin\AppData\Local\BWL\SRCORE.dll

          Filesize

          136KB

          MD5

          0cb5abfe22938b30efce6e1021c298b2

          SHA1

          7a7a83c6e13ac8109162afa071f7db57bf039a5e

          SHA256

          4081ffb25eef89f3f675792a20c87ab73498fe6c977ba0e70aad087267cf2b15

          SHA512

          cbaf9e73fcbc943c66754e4ae706428ece9b21e311b9670589cdbce42d7b90d08fc6964fd728eed6cbf7bd3dd049d872269840ca174dd6c11a930373d268d3c0

        • \Users\Admin\AppData\Local\BWL\rstrui.exe

          Filesize

          151KB

          MD5

          5023586af7318292809ce967a47861b3

          SHA1

          4a8ec9911cf4bec9323e23f6ad144f57b2f0391c

          SHA256

          ca03e0c72a2ca327e23c12d8c58d20c165c22e1f62808e9e94d0f35fb289177a

          SHA512

          3daed622a5de661acef914095ebebf0f78a01315a87684df5e5cce448081bf1bdf39aabfe8f94ed31ca17d46752df337201a5f2cb93b683ac9848d9683e283f4

        • \Users\Admin\AppData\Local\FQceQPXTt\WINMM.dll

          Filesize

          194KB

          MD5

          d79212067f1f707c91212a364ce1c40d

          SHA1

          55d969321d6d38fe380e7b682651987a7c1c3e1a

          SHA256

          dc99f15f982b6b032d51deca30e3e98d34772c861a1ab86db1256934871365dc

          SHA512

          f14cabbe92ab463ccbd7b6d948b5538970f26b6fd05b3a980de72910e0b3c57dc36d8a22aef54f37402105ae250369f12adaf8688d2db30b208af14c522b5ccd

        • \Users\Admin\AppData\Local\VBKrWt\VERSION.dll

          Filesize

          92KB

          MD5

          215dc18ac4c009911c7a1c0a9b41b961

          SHA1

          aa679328d89d9849f60cfc212a382d2f420b4247

          SHA256

          6b0efa350f85eb71bf47736fd3676a947b00502482b1eae29ffb280adfb6ed5d

          SHA512

          953c05b5a6d189d8bfbc661c3d5d996793e47b8b11627d16791e45bc58ac4c95ecaf2c85f633becb5f7a66877043b0156a2f7e0acb3622c84dd43851bff4fc6e

        • \Users\Admin\AppData\Local\VBKrWt\mspaint.exe

          Filesize

          173KB

          MD5

          ebef690903a19e24a03752fe7ad07ea3

          SHA1

          e63e14084454b64224c1bb866c9b4a7d28de88df

          SHA256

          5e860d78ac7b2143cfef41f17c7159b9649e4cb9892fc2e56cb8ad74bf74175c

          SHA512

          e28f0b4aae9dbd2b8f0fe627a67a51e256834afef8fdf29eb8f4a4053e2b0a7ed0c0905dd0c0d521b8e50dffc649b67f84c30c5996b6e5c2279a445c188d32b6

        • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\zlGTFd2GI\mspaint.exe

          Filesize

          101KB

          MD5

          fad5693684aad24c1591e5c7fbd149a4

          SHA1

          4864ce42320c56c3abafe6823b4f32d7c0af1e08

          SHA256

          a3cb4a57edf6e392bfc36a1e87638ad28676ad00ad174de9ca8ad46ab4156d9d

          SHA512

          1050048ce0eac0639353c76bf4153d20f20919c58848b808ba8625b0077e81451544b174257dbd701d1c7499493aea4a3f4f113e487d8ef0f298da33dba68391

        • memory/592-89-0x0000000140000000-0x0000000140200000-memory.dmp

          Filesize

          2.0MB

        • memory/592-94-0x0000000140000000-0x0000000140200000-memory.dmp

          Filesize

          2.0MB

        • memory/1112-108-0x0000000000120000-0x0000000000127000-memory.dmp

          Filesize

          28KB

        • memory/1112-111-0x0000000140000000-0x00000001401FF000-memory.dmp

          Filesize

          2.0MB

        • memory/1204-22-0x0000000140000000-0x00000001401FE000-memory.dmp

          Filesize

          2.0MB

        • memory/1204-25-0x0000000140000000-0x00000001401FE000-memory.dmp

          Filesize

          2.0MB

        • memory/1204-27-0x0000000140000000-0x00000001401FE000-memory.dmp

          Filesize

          2.0MB

        • memory/1204-20-0x0000000140000000-0x00000001401FE000-memory.dmp

          Filesize

          2.0MB

        • memory/1204-31-0x0000000140000000-0x00000001401FE000-memory.dmp

          Filesize

          2.0MB

        • memory/1204-21-0x0000000140000000-0x00000001401FE000-memory.dmp

          Filesize

          2.0MB

        • memory/1204-19-0x0000000140000000-0x00000001401FE000-memory.dmp

          Filesize

          2.0MB

        • memory/1204-33-0x0000000140000000-0x00000001401FE000-memory.dmp

          Filesize

          2.0MB

        • memory/1204-32-0x0000000140000000-0x00000001401FE000-memory.dmp

          Filesize

          2.0MB

        • memory/1204-35-0x0000000002D20000-0x0000000002D27000-memory.dmp

          Filesize

          28KB

        • memory/1204-34-0x0000000140000000-0x00000001401FE000-memory.dmp

          Filesize

          2.0MB

        • memory/1204-42-0x0000000140000000-0x00000001401FE000-memory.dmp

          Filesize

          2.0MB

        • memory/1204-43-0x0000000076D81000-0x0000000076D82000-memory.dmp

          Filesize

          4KB

        • memory/1204-44-0x0000000076EE0000-0x0000000076EE2000-memory.dmp

          Filesize

          8KB

        • memory/1204-53-0x0000000140000000-0x00000001401FE000-memory.dmp

          Filesize

          2.0MB

        • memory/1204-59-0x0000000140000000-0x00000001401FE000-memory.dmp

          Filesize

          2.0MB

        • memory/1204-30-0x0000000140000000-0x00000001401FE000-memory.dmp

          Filesize

          2.0MB

        • memory/1204-28-0x0000000140000000-0x00000001401FE000-memory.dmp

          Filesize

          2.0MB

        • memory/1204-4-0x0000000076B76000-0x0000000076B77000-memory.dmp

          Filesize

          4KB

        • memory/1204-5-0x0000000002D40000-0x0000000002D41000-memory.dmp

          Filesize

          4KB

        • memory/1204-23-0x0000000140000000-0x00000001401FE000-memory.dmp

          Filesize

          2.0MB

        • memory/1204-29-0x0000000140000000-0x00000001401FE000-memory.dmp

          Filesize

          2.0MB

        • memory/1204-7-0x0000000140000000-0x00000001401FE000-memory.dmp

          Filesize

          2.0MB

        • memory/1204-26-0x0000000140000000-0x00000001401FE000-memory.dmp

          Filesize

          2.0MB

        • memory/1204-24-0x0000000140000000-0x00000001401FE000-memory.dmp

          Filesize

          2.0MB

        • memory/1204-134-0x0000000076B76000-0x0000000076B77000-memory.dmp

          Filesize

          4KB

        • memory/1204-18-0x0000000140000000-0x00000001401FE000-memory.dmp

          Filesize

          2.0MB

        • memory/1204-17-0x0000000140000000-0x00000001401FE000-memory.dmp

          Filesize

          2.0MB

        • memory/1204-12-0x0000000140000000-0x00000001401FE000-memory.dmp

          Filesize

          2.0MB

        • memory/1204-14-0x0000000140000000-0x00000001401FE000-memory.dmp

          Filesize

          2.0MB

        • memory/1204-15-0x0000000140000000-0x00000001401FE000-memory.dmp

          Filesize

          2.0MB

        • memory/1204-16-0x0000000140000000-0x00000001401FE000-memory.dmp

          Filesize

          2.0MB

        • memory/1204-13-0x0000000140000000-0x00000001401FE000-memory.dmp

          Filesize

          2.0MB

        • memory/1204-11-0x0000000140000000-0x00000001401FE000-memory.dmp

          Filesize

          2.0MB

        • memory/1204-10-0x0000000140000000-0x00000001401FE000-memory.dmp

          Filesize

          2.0MB

        • memory/1204-9-0x0000000140000000-0x00000001401FE000-memory.dmp

          Filesize

          2.0MB

        • memory/2468-77-0x0000000140000000-0x00000001401FF000-memory.dmp

          Filesize

          2.0MB

        • memory/2468-71-0x0000000000100000-0x0000000000107000-memory.dmp

          Filesize

          28KB

        • memory/2468-72-0x0000000140000000-0x00000001401FF000-memory.dmp

          Filesize

          2.0MB

        • memory/2988-8-0x0000000140000000-0x00000001401FE000-memory.dmp

          Filesize

          2.0MB

        • memory/2988-1-0x0000000140000000-0x00000001401FE000-memory.dmp

          Filesize

          2.0MB

        • memory/2988-0-0x0000000000110000-0x0000000000117000-memory.dmp

          Filesize

          28KB