Analysis

  • max time kernel
    150s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    02-02-2024 07:20

General

  • Target

    88e7c4c98a35a8043d0fb99f1b88898a.dll

  • Size

    2.7MB

  • MD5

    88e7c4c98a35a8043d0fb99f1b88898a

  • SHA1

    fb320c3b7aad7cad0f10d6430b2a244d4daf6aab

  • SHA256

    9af7f7a4d19d0327bdddeff74e7cc37b1eda5272fdf1853d54708c72c28178d1

  • SHA512

    5be1d5bf938edc1d1482b0d015ab57dfe8cf812163ac1cb5cb7e02383fa18385c4244dd67e993105faed3b01ad89bf2a83ae3037ef2420cb6de4a88ed2b3085d

  • SSDEEP

    12288:dVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:EfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\88e7c4c98a35a8043d0fb99f1b88898a.dll,#1
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2536
  • C:\Windows\system32\rdpshell.exe
    C:\Windows\system32\rdpshell.exe
    PID:2436
    • C:\Users\Admin\AppData\Local\84PBsYS6r\rdpshell.exe
      C:\Users\Admin\AppData\Local\84PBsYS6r\rdpshell.exe
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2116
    • C:\Windows\system32\javaws.exe
      C:\Windows\system32\javaws.exe
      PID:2268
      • C:\Users\Admin\AppData\Local\M9yQGCiq\javaws.exe
        C:\Users\Admin\AppData\Local\M9yQGCiq\javaws.exe
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:280
      • C:\Windows\system32\msra.exe
        C:\Windows\system32\msra.exe
        PID:780
        • C:\Users\Admin\AppData\Local\XVBg8RN\msra.exe
          C:\Users\Admin\AppData\Local\XVBg8RN\msra.exe
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:976

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\84PBsYS6r\WTSAPI32.dll (202KB)
  • C:\Users\Admin\AppData\Local\84PBsYS6r\rdpshell.exe (158KB)
  • C:\Users\Admin\AppData\Local\M9yQGCiq\VERSION.dll (243KB)
  • C:\Users\Admin\AppData\Local\M9yQGCiq\javaws.exe (312KB)
  • C:\Users\Admin\AppData\Local\M9yQGCiq\javaws.exe (195KB)
  • C:\Users\Admin\AppData\Local\XVBg8RN\UxTheme.dll (518KB)
  • C:\Users\Admin\AppData\Local\XVBg8RN\msra.exe (523KB)
  • C:\Users\Admin\AppData\Local\XVBg8RN\msra.exe (474KB)
  • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Efrsxj.lnk (998B)
  • C:\Users\Admin\AppData\Roaming\Media Center Programs\iKBQxX3nnT\VERSION.dll (2.7MB)
  • C:\Users\Admin\AppData\Roaming\Microsoft\Credentials\nI\UxTheme.dll (2.7MB)
  • C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\aFioVcjD8\WTSAPI32.dll (2.7MB)
  • C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\aFioVcjD8\rdpshell.exe (292KB)
  • \Users\Admin\AppData\Local\84PBsYS6r\WTSAPI32.dll (196KB)
  • \Users\Admin\AppData\Local\84PBsYS6r\rdpshell.exe (168KB)
  • \Users\Admin\AppData\Local\M9yQGCiq\VERSION.dll (399KB)
  • \Users\Admin\AppData\Local\M9yQGCiq\javaws.exe (273KB)
  • \Users\Admin\AppData\Local\XVBg8RN\UxTheme.dll (347KB)
  • \Users\Admin\AppData\Local\XVBg8RN\msra.exe (361KB)
  • \Users\Admin\AppData\Roaming\Microsoft\Credentials\nI\msra.exe (20KB)