Analysis

  • max time kernel
    149s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64 arch:x86 image:win7-20231215-en locale:en-us os:windows7-x64 system
  • submitted
    02-02-2024 11:03

General

  • Target

    8958de5c2bf9701d5a7d93d25444c447.dll

  • Size

    1.7MB

  • MD5

    8958de5c2bf9701d5a7d93d25444c447

  • SHA1

    a7ce13895a1f347b2efb1b028041e78376a8193d

  • SHA256

    f07f4994e0fb57cc2f550e7cc7059b2eb27470c13df7ff76e488626d7e8c5efb

  • SHA512

    5dee19a23e54b34acd0a7eca69ebdac3f9c5c0b124d07640a075013f3610263172a7ea804bb1176294e4e800ce2d16e5670fec4455fef21a67c68f8f0183fbbf

  • SSDEEP

    12288:rVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:qfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a banking trojan that specializes in stealing banking credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex payload shellcode injected into the Explorer process.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 9 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\8958de5c2bf9701d5a7d93d25444c447.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2236
  • C:\Users\Admin\AppData\Local\SRXzyi\SnippingTool.exe
    C:\Users\Admin\AppData\Local\SRXzyi\SnippingTool.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:2648
  • C:\Windows\system32\SnippingTool.exe
    C:\Windows\system32\SnippingTool.exe
    1⤵
    PID:2616
  • C:\Windows\system32\cttune.exe
    C:\Windows\system32\cttune.exe
    1⤵
    PID:1220
  • C:\Users\Admin\AppData\Local\iOCdW\cttune.exe
    C:\Users\Admin\AppData\Local\iOCdW\cttune.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:1808
  • C:\Users\Admin\AppData\Local\LHMKz\PresentationSettings.exe
    C:\Users\Admin\AppData\Local\LHMKz\PresentationSettings.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:2592
  • C:\Windows\system32\PresentationSettings.exe
    C:\Windows\system32\PresentationSettings.exe
    1⤵
    PID:2272
  • C:\Users\Admin\AppData\Local\ItBpr\PresentationSettings.exe
    C:\Users\Admin\AppData\Local\ItBpr\PresentationSettings.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:912
  • C:\Windows\system32\PresentationSettings.exe
    C:\Windows\system32\PresentationSettings.exe
    1⤵
    PID:1588
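The process list shows each of three Windows executables (SnippingTool.exe, cttune.exe, PresentationSettings.exe) started once from C:\Windows\system32 and once from a freshly named directory under the user's AppData, with the AppData copy tagged "Executes dropped EXE" and "Loads dropped DLL" and a dropped DLL (slc.dll, OLEACC.dll or WINMM.dll) listed beside it in the Downloads section. That layout is the one used for DLL search-order hijacking (side-loading): the copied binary resolves an import by name and finds the dropped DLL first. The script below is an added example, not part of the sandbox report or of any tool it names. It takes the report's process images and dropped-file paths (constructed here from the lists on this page, hashes omitted) and flags directories outside C:\Windows that hold a copy of a System32 executable next to a DLL, DLLs dropped with no executable beside them, and files written under a Startup folder. The trusted-executable set is derived from the binaries the report itself shows running from System32; on a live host it would come from a listing of C:\Windows\System32 and the file list from walking the user profile. Treating the drive-less paths the report also lists as living on drive C: is an assumption of the example.

```python
import ntpath
from collections import defaultdict

# Constructed sample input, copied from the process list and dropped-file list of the
# report above (hashes omitted). On a live host PROCESS_IMAGES would come from a
# process listing and DROPPED_FILES from walking the user profile.
PROCESS_IMAGES = [
    r"C:\Windows\system32\rundll32.exe",
    r"C:\Users\Admin\AppData\Local\SRXzyi\SnippingTool.exe",
    r"C:\Windows\system32\SnippingTool.exe",
    r"C:\Windows\system32\cttune.exe",
    r"C:\Users\Admin\AppData\Local\iOCdW\cttune.exe",
    r"C:\Users\Admin\AppData\Local\LHMKz\PresentationSettings.exe",
    r"C:\Windows\system32\PresentationSettings.exe",
    r"C:\Users\Admin\AppData\Local\ItBpr\PresentationSettings.exe",
]
DROPPED_FILES = [
    r"C:\Users\Admin\AppData\Local\ItBpr\WINMM.dll",
    r"C:\Users\Admin\AppData\Local\LHMKz\PresentationSettings.exe",
    r"C:\Users\Admin\AppData\Local\LHMKz\slc.dll",
    r"C:\Users\Admin\AppData\Local\SRXzyi\SnippingTool.exe",
    r"C:\Users\Admin\AppData\Local\SRXzyi\slc.dll",
    r"C:\Users\Admin\AppData\Local\iOCdW\OLEACC.dll",
    r"C:\Users\Admin\AppData\Local\iOCdW\cttune.exe",
    r"C:\Users\Admin\AppData\Roaming\Adobe\hpd\WINMM.dll",
    r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Tiizeasb.lnk",
    r"C:\Users\Admin\AppData\Roaming\Macromedia\Ocvfj3TAV1\OLEACC.dll",
    r"C:\Users\Admin\AppData\Roaming\Macromedia\Ocvfj3TAV1\cttune.exe",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\bZKo\slc.dll",
    r"\Users\Admin\AppData\Local\ItBpr\WINMM.dll",
]
WINDOWS_DIR = r"c:\windows"
SYSTEM32 = WINDOWS_DIR + r"\system32"


def normalize(path):
    """Lower-case a path; for the drive-less form the report uses for some files,
    assume drive C: (an assumption, the report does not name the drive)."""
    path = path.lower()
    return "c:" + path if path.startswith("\\") else path


def system32_executables(image_paths):
    """Executable names the report shows running from System32: the trusted set the
    copied-binary check compares against (on a live host: a System32 listing)."""
    names = (normalize(p) for p in image_paths)
    return {ntpath.basename(p) for p in names if ntpath.dirname(p) == SYSTEM32}


def files_by_directory(paths):
    """Group normalized paths by directory; a set drops the report's duplicate entries."""
    by_dir = defaultdict(set)
    for p in map(normalize, paths):
        by_dir[ntpath.dirname(p)].add(ntpath.basename(p))
    return by_dir


def find_sideload_candidates(all_files, trusted_exes):
    """{directory: (exes, dlls)} for every directory outside C:\\Windows that holds a
    copy of a trusted executable together with at least one DLL, the layout used
    for DLL search-order hijacking (side-loading)."""
    hits = {}
    for directory, names in files_by_directory(all_files).items():
        if directory.startswith(WINDOWS_DIR):
            continue
        exes = sorted(n for n in names if n in trusted_exes)
        dlls = sorted(n for n in names if n.endswith(".dll"))
        if exes and dlls:
            hits[directory] = (exes, dlls)
    return hits


def find_orphan_dlls(all_files):
    """DLLs dropped into a directory with no executable beside them in this run."""
    orphans = []
    for directory, names in files_by_directory(all_files).items():
        if directory.startswith(WINDOWS_DIR) or any(n.endswith(".exe") for n in names):
            continue
        orphans.extend(ntpath.join(directory, n) for n in names if n.endswith(".dll"))
    return sorted(orphans)


def find_startup_artifacts(all_files):
    """Anything written under a Startup folder (run at user logon)."""
    return sorted(p for p in map(normalize, all_files) if "\\startup\\" in p)


def triage(process_images, dropped_files):
    all_files = list(process_images) + list(dropped_files)
    trusted = system32_executables(process_images)
    return {
        "sideload": find_sideload_candidates(all_files, trusted),
        "orphan_dlls": find_orphan_dlls(all_files),
        "startup": find_startup_artifacts(all_files),
    }


if __name__ == "__main__":
    result = triage(PROCESS_IMAGES, DROPPED_FILES)
    for directory, (exes, dlls) in sorted(result["sideload"].items()):
        print(f"side-load candidate in {directory}: {exes} next to {dlls}")
    for path in result["orphan_dlls"]:
        print(f"DLL dropped without a co-located executable: {path}")
    for path in result["startup"]:
        print(f"startup persistence artifact: {path}")
```

Run as a plain script. Against this report it reports five side-load candidate directories (SRXzyi, iOCdW, LHMKz and ItBpr under AppData\Local, plus Macromedia\Ocvfj3TAV1 under Roaming), two DLLs staged without an executable beside them (Adobe\hpd\WINMM.dll and the slc.dll under SystemCertificates), and the Tiizeasb.lnk in the Startup folder. The pairing rule is deliberately name-based: it matches what a responder can see in a file listing without opening the binaries, and a copy of a signed Windows executable in a random AppData directory is suspicious on its own.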

Network

MITRE ATT&CK Enterprise v15

Downloads

          • C:\Users\Admin\AppData\Local\ItBpr\WINMM.dll

            Filesize

            1.3MB

            MD5

            9109253d7a17c74b4c8d495fe395ee35

            SHA1

            7b978e24e770a9e409c62905e8c8f79ab9626ae8

            SHA256

            35d341826652c18776cc1f42901d3bc599cdb4adf36e30b2938a5d44931daff2

            SHA512

            a067136ee4ab2c0f651ecf29f7b41026f3c97f4eb89547363486d0b9165994e15977680f79ed29bb613e960194bd204505e2ad84e9fedab93bf16629aa117048

          • C:\Users\Admin\AppData\Local\LHMKz\PresentationSettings.exe

            Filesize

            172KB

            MD5

            a6f8d318f6041334889481b472000081

            SHA1

            b8cf08ec17b30c8811f2514246fcdff62731dd58

            SHA256

            208b94fd66a6ce266c3195f87029a41a0622fff47f2a5112552cb087adbb1258

            SHA512

            60f70fa8a19e6ea6f08f4907dd7fede3665ad3f2e013d49f6649442ea5871a967b9a53ec4d3328a06cb83b69be1b7af1bb14bf122b568bd1f8432ee1d0bfee69

          • C:\Users\Admin\AppData\Local\LHMKz\slc.dll

            Filesize

            465KB

            MD5

            75846ccddb80ea6219f2f3761ef6c4b0

            SHA1

            57b6cba57d4124f133d1bdb1414268915df2fc30

            SHA256

            1066234f2d72cd39694c61eb23912df0f4ec44de76eaa0f29101d92e63aa692f

            SHA512

            709dd35f6165f1662f46034ad3319cafd4a750ec0f5f8335cd37668087921c0c22cabf70e01038fb835e151785832a460f57308953d495b8a07900daf1094a5c

          • C:\Users\Admin\AppData\Local\SRXzyi\SnippingTool.exe

            Filesize

            421KB

            MD5

            7633f554eeafde7f144b41c2fcaf5f63

            SHA1

            44497c3d6fada0066598a6170b90c53e28ddf96c

            SHA256

            890884c7fe7d037e6debd21d1877e9c9c5e7790cdba007ddb219ae6a55667f78

            SHA512

            7b61b6736c2c4f49d80f53c839914ad845f86a7d921fee1557e49aa7b4e9713e3483417d6c717eca155229bb6a90fc2253e1543cf05192aaf08262dc761fa203

          • C:\Users\Admin\AppData\Local\SRXzyi\slc.dll

            Filesize

            245KB

            MD5

            f0616031e2d92405428e1523381bf0a8

            SHA1

            78584949e898fc5764c7ff30577db3e0925cf2f9

            SHA256

            430538534d2d679924f7096c60573acc2d907f71f11aa740a0e7568461702658

            SHA512

            871fa01e5e40b8673da1ca9982593a71435c1731de0b4d2b2b5d01607756408bdd755f1c342e82f2249804cf8a20f48a47354c5dd2db05fea53befebdf48c88a

          • C:\Users\Admin\AppData\Local\iOCdW\OLEACC.dll

            Filesize

            532KB

            MD5

            cea085ff91e448542f035bc304707252

            SHA1

            d883a79665760cebe251b5165f966c0a8d64117c

            SHA256

            c132717af6bd7a3d737ab75a54bf4159bf13a84f8e5b0f473dfeb6ae22055794

            SHA512

            76e5134473dd55d46a47c1b2023c76e25dd85f3620f831d4a3d95311a13d89ad2cf487c90d7d5523aff80cba475e9305fbd574be1c4f53e8075924e903e96a16

          • C:\Users\Admin\AppData\Local\iOCdW\cttune.exe

            Filesize

            314KB

            MD5

            7116848fd23e6195fcbbccdf83ce9af4

            SHA1

            35fb16a0b68f8a84d5dfac8c110ef5972f1bee93

            SHA256

            39937665f72725bdb3b82389a5dbd906c63f4c14208312d7f7a59d6067e1cfa6

            SHA512

            e38bf57eee5836b8598dd88dc3d266f497d911419a8426f73df6dcaa503611a965aabbd746181cb19bc38eebdb48db778a17f781a8f9e706cbd7a6ebec38f894

          • C:\Users\Admin\AppData\Roaming\Adobe\hpd\WINMM.dll

            Filesize

            1.7MB

            MD5

            609c45031adcc93aa84a3f9e8acd434e

            SHA1

            50ad1b535bbf913c5e8302e2ec6de49f3902b7b8

            SHA256

            d8df96b78b1481b47bfa397d29d5b3383e563f77411761adf30185e80f47e691

            SHA512

            d67439ec84342dd90eb40ca1ae184ee6efd2b95cf778089f8e11039017647f706d1c7076a37976df769caf828698ec0d5eca84011d80067fbc30b0d12d57c964

          • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Tiizeasb.lnk

            Filesize

            935B

            MD5

            a7e4921c4025c4750be2ca5347bb18eb

            SHA1

            0a2f442c62738af7047b8d7d9f157bab2b5e5726

            SHA256

            ddf9ec42d1765e2654c85241a43bf151800169ee4440c2a056e4a27a58fe8dc2

            SHA512

            e2142415956d0efbbd222191f80172db947418f873b6625a8d464accdecd5f47b76ca60f57d0e770b0c6848670c2af450bf32e8fc58af4e313a6e4c8dd85f53e

          • C:\Users\Admin\AppData\Roaming\Macromedia\Ocvfj3TAV1\OLEACC.dll

            Filesize

            1.7MB

            MD5

            a86fcd14ec7889a26e9b6d14bb7f9db5

            SHA1

            a7df96408ab58a155abb3605729795a2fa633de1

            SHA256

            49054dbec85fe42cdb55c7d6163d98b3f5ff7aabcbd09984b19828e4214a1d00

            SHA512

            9517a1fe6da5f6c68a00495543e2b6ba158d248581e6c42e578a0ad35df14a98cf89e0e3960ae956fa1998f50922dee0a1e45ec6ab662fd1b45fb2e3edd231b9

          • C:\Users\Admin\AppData\Roaming\Macromedia\Ocvfj3TAV1\cttune.exe

            Filesize

            310KB

            MD5

            995393aebc86e588c5f1287e76fe171e

            SHA1

            5e097f11268e8d27644ea1edbd3a7d5a05dd32ce

            SHA256

            46862b904d9ae4131ddd4e70a9e00555987de22951a0616d0e919b9b5c4e0bf4

            SHA512

            f10b321bab62d98cd9154ab094c9e59a5979aeb21093165df8ec884fba975527136ff9ab65ef295bb22a29f9c76c7280ce64ae5316b020dff7c1c57b4960b230

          • C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\bZKo\slc.dll

            Filesize

            1.7MB

            MD5

            a9cd7939aea0cf330d5cf8739ed6cca5

            SHA1

            d31903d5544a99d1e9f6ee439dbeb005e613f7c4

            SHA256

            0b959521bf34b5ac5e8b6cdf73233f191c5d6dbbc46d391705b6c23386592bd4

            SHA512

            9bc5fc84ca585a45d77991e8daddca5b1440a15b873d5585e1b6c68845f413ec78074d0262dc0def0db15626cf6e8e993893681639bca2dd69ce966663d66983

          • \Users\Admin\AppData\Local\ItBpr\WINMM.dll

            Filesize

            1.3MB

            MD5

            929597a589a62794bd5a22b0dea738a2

            SHA1

            8314f48d5c029fcc6820b271f51333a07e685bd3

            SHA256

            6d540b0dbe29c0c131b7e2ac6f991d932a5636358202fc29e80f756a9a772fee

            SHA512

            44fb628a72f16cc9bf7360e1b10e4e90b2273449d7fdba0c060c1b091490711ab0772a37ffa2b43918e6e327b0cf93ca996d83632e6e56b6c10545f0542c19ab

          • \Users\Admin\AppData\Local\LHMKz\slc.dll

            Filesize

            377KB

            MD5

            baedcfb72b0fa00d8d9256a644f9a893

            SHA1

            b4d411c4a936cd9715740937d6a80f15d117873b

            SHA256

            fc9a484cd0811ffd600ed437e354e37e3b858d2e66a269bd98caf8871c0b09a4

            SHA512

            2e56c0c0927c2f3854bc3e7a6c3a94780281746b2e4b1de7311f071e34ff3e2cb768aa2738bc58f0fc24649425f233f5e218c52180d32130094005384051d558

          • \Users\Admin\AppData\Local\SRXzyi\slc.dll

            Filesize

            367KB

            MD5

            dd4f039e9de5256b3bb7344c8519d54e

            SHA1

            0cf0200c334520ac68c5abb38b24d5059a73da53

            SHA256

            896028cbba224bd203b1fb408ffe540ac271871c5aff224c48dfbc68e07840ef

            SHA512

            078f8d1c31351897a198b7fe7765bc5eca6440f1e0b8d8821467790ed63e697baa7bffea585e7d2e41d8d70d4dbb91fb6bb796a21aec87b2824432fb20fe7bac

          • \Users\Admin\AppData\Local\iOCdW\OLEACC.dll

            Filesize

            560KB

            MD5

            04cfa1254ef862a22e4ad5df281a34a1

            SHA1

            9a3d8a99870dae4b1c1d6e231ee8aed521e8251c

            SHA256

            7e2d328a063c4ffb99e0537e6ebb5a1c4576c79155729230888c99359c1c75ff

            SHA512

            444db194f6548d57fd2a4f26768bad78026b9a707bd2cc94a3f1ad83524ef510ae63e6f679ae481e66492c5b73f8ebd7a8f76df52e7a97c596ca179206f471ed

          • memory/1244-16-0x0000000140000000-0x00000001401AE000-memory.dmp

            Filesize

            1.7MB

          • memory/1244-15-0x0000000140000000-0x00000001401AE000-memory.dmp

            Filesize

            1.7MB

          • memory/1244-45-0x00000000779F0000-0x00000000779F2000-memory.dmp

            Filesize

            8KB

          • memory/1244-29-0x0000000140000000-0x00000001401AE000-memory.dmp

            Filesize

            1.7MB

          • memory/1244-28-0x0000000140000000-0x00000001401AE000-memory.dmp

            Filesize

            1.7MB

          • memory/1244-27-0x0000000140000000-0x00000001401AE000-memory.dmp

            Filesize

            1.7MB

          • memory/1244-26-0x0000000140000000-0x00000001401AE000-memory.dmp

            Filesize

            1.7MB

          • memory/1244-54-0x0000000140000000-0x00000001401AE000-memory.dmp

            Filesize

            1.7MB

          • memory/1244-24-0x0000000140000000-0x00000001401AE000-memory.dmp

            Filesize

            1.7MB

          • memory/1244-23-0x0000000140000000-0x00000001401AE000-memory.dmp

            Filesize

            1.7MB

          • memory/1244-22-0x0000000140000000-0x00000001401AE000-memory.dmp

            Filesize

            1.7MB

          • memory/1244-58-0x0000000140000000-0x00000001401AE000-memory.dmp

            Filesize

            1.7MB

          • memory/1244-21-0x0000000140000000-0x00000001401AE000-memory.dmp

            Filesize

            1.7MB

          • memory/1244-20-0x0000000140000000-0x00000001401AE000-memory.dmp

            Filesize

            1.7MB

          • memory/1244-19-0x0000000140000000-0x00000001401AE000-memory.dmp

            Filesize

            1.7MB

          • memory/1244-4-0x0000000077786000-0x0000000077787000-memory.dmp

            Filesize

            4KB

          • memory/1244-43-0x0000000140000000-0x00000001401AE000-memory.dmp

            Filesize

            1.7MB

          • memory/1244-5-0x0000000002510000-0x0000000002511000-memory.dmp

            Filesize

            4KB

          • memory/1244-9-0x0000000140000000-0x00000001401AE000-memory.dmp

            Filesize

            1.7MB

          • memory/1244-141-0x0000000077786000-0x0000000077787000-memory.dmp

            Filesize

            4KB

          • memory/1244-31-0x0000000140000000-0x00000001401AE000-memory.dmp

            Filesize

            1.7MB

          • memory/1244-33-0x0000000140000000-0x00000001401AE000-memory.dmp

            Filesize

            1.7MB

          • memory/1244-63-0x0000000140000000-0x00000001401AE000-memory.dmp

            Filesize

            1.7MB

          • memory/1244-44-0x0000000077891000-0x0000000077892000-memory.dmp

            Filesize

            4KB

          • memory/1244-14-0x0000000140000000-0x00000001401AE000-memory.dmp

            Filesize

            1.7MB

          • memory/1244-12-0x0000000140000000-0x00000001401AE000-memory.dmp

            Filesize

            1.7MB

          • memory/1244-11-0x0000000140000000-0x00000001401AE000-memory.dmp

            Filesize

            1.7MB

          • memory/1244-10-0x0000000140000000-0x00000001401AE000-memory.dmp

            Filesize

            1.7MB

          • memory/1244-13-0x0000000140000000-0x00000001401AE000-memory.dmp

            Filesize

            1.7MB

          • memory/1244-7-0x0000000140000000-0x00000001401AE000-memory.dmp

            Filesize

            1.7MB

          • memory/1244-37-0x00000000024F0000-0x00000000024F7000-memory.dmp

            Filesize

            28KB

          • memory/1244-34-0x0000000140000000-0x00000001401AE000-memory.dmp

            Filesize

            1.7MB

          • memory/1244-17-0x0000000140000000-0x00000001401AE000-memory.dmp

            Filesize

            1.7MB

          • memory/1244-18-0x0000000140000000-0x00000001401AE000-memory.dmp

            Filesize

            1.7MB

          • memory/1244-35-0x0000000140000000-0x00000001401AE000-memory.dmp

            Filesize

            1.7MB

          • memory/1244-32-0x0000000140000000-0x00000001401AE000-memory.dmp

            Filesize

            1.7MB

          • memory/1244-30-0x0000000140000000-0x00000001401AE000-memory.dmp

            Filesize

            1.7MB

          • memory/1244-25-0x0000000140000000-0x00000001401AE000-memory.dmp

            Filesize

            1.7MB

          • memory/1808-89-0x0000000000320000-0x0000000000327000-memory.dmp

            Filesize

            28KB

          • memory/1808-91-0x0000000140000000-0x00000001401AF000-memory.dmp

            Filesize

            1.7MB

          • memory/2236-8-0x0000000140000000-0x00000001401AE000-memory.dmp

            Filesize

            1.7MB

          • memory/2236-0-0x0000000140000000-0x00000001401AE000-memory.dmp

            Filesize

            1.7MB

          • memory/2236-1-0x0000000000190000-0x0000000000197000-memory.dmp

            Filesize

            28KB

          • memory/2592-109-0x0000000140000000-0x00000001401AF000-memory.dmp

            Filesize

            1.7MB

          • memory/2592-106-0x0000000000100000-0x0000000000107000-memory.dmp

            Filesize

            28KB

          • memory/2648-75-0x0000000000120000-0x0000000000127000-memory.dmp

            Filesize

            28KB

          • memory/2648-76-0x0000000140000000-0x00000001401AF000-memory.dmp

            Filesize

            1.7MB

          • memory/2648-72-0x0000000140000000-0x00000001401AF000-memory.dmp

            Filesize

            1.7MB