Analysis

  • max time kernel
    149s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64
    arch:x86
    image:win7-20240903-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    18-10-2024 07:22

General

  • Target

    21351817e1f2f115e543f9034572210fe04fbea47a16922f3957c805671dc25f.dll

  • Size

    1.2MB

  • MD5

    2a6a4941d8146df58356dd5c72b0478a

  • SHA1

    c6f28c746bddcc4e68512911bc99afe0d8f2d3d9

  • SHA256

    21351817e1f2f115e543f9034572210fe04fbea47a16922f3957c805671dc25f

  • SHA512

    5d36fd395ea33e9a838fca4b5b0a7eabe893fb6e51f39e2aae59ad60c763e6b5bf83e2cedbe9095b74bff682ee300f13c777254e81e4ef724699167f1f5094f9

  • SSDEEP

    6144:k34xznfAp4x+NWMqW/KZ1vCDTEpc2bysCZR6iwAtUnWKT5WK8Rpv1llfFfCRAuTP:kIKp/UWCZdCDh2IZDwAFRpR6Au+

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a banking trojan that specializes in stealing banking credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

  • Dridex payload 10 IoCs

    Detects Dridex x64 core DLL in memory.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\21351817e1f2f115e543f9034572210fe04fbea47a16922f3957c805671dc25f.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2384
  • C:\Windows\system32\msdtc.exe
    C:\Windows\system32\msdtc.exe
    1⤵
    PID:2204
  • C:\Users\Admin\AppData\Local\PpEiWdTy\msdtc.exe
    C:\Users\Admin\AppData\Local\PpEiWdTy\msdtc.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:2664
  • C:\Windows\system32\SystemPropertiesComputerName.exe
    C:\Windows\system32\SystemPropertiesComputerName.exe
    1⤵
    PID:2620
  • C:\Users\Admin\AppData\Local\ITNBW\SystemPropertiesComputerName.exe
    C:\Users\Admin\AppData\Local\ITNBW\SystemPropertiesComputerName.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:2924
  • C:\Windows\system32\p2phost.exe
    C:\Windows\system32\p2phost.exe
    1⤵
    PID:2368
  • C:\Users\Admin\AppData\Local\ZwG\p2phost.exe
    C:\Users\Admin\AppData\Local\ZwG\p2phost.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:2428
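The process tree, read together with the dropped-file list under Downloads, shows the loader's side-loading layout: three legitimate Windows binaries (msdtc.exe, SystemPropertiesComputerName.exe, p2phost.exe) are copied into randomly named directories under %LOCALAPPDATA%, each beside a 1.2MB DLL or CPL (VERSION.dll, SYSDM.CPL, P2P.dll) that the copied binary then loads ("Loads dropped DLL"). The Python below is an added triage example, not part of the sandbox report or of the sample: it takes endpoint file records and flags both exact hash matches against the report's IoCs and the layout itself. The SYSTEM32_HOSTS set (only the three binaries named here), the C:\Windows root, the SAMPLE records (paths and hashes copied from the report, sizes rounded like the report, plus two benign decoys with placeholder hashes) and the function names are assumptions of this example.

```python
"""Hunt for the side-loading layout this report shows.

Added example, not part of the sandbox report or the Dridex sample. Given
endpoint file records (path, size, SHA256) it flags:
  1. files whose SHA256 matches a hash from the report's dropped-file list;
  2. the layout in the process tree: a copy of a System32 executable that
     sits outside the Windows directory next to a DLL or CPL it can load.
Assumptions: SYSTEM32_HOSTS only lists the three binaries the report names
(a real run would use a full System32 inventory); the Windows root is
C:\\Windows; SAMPLE is constructed from the report's paths and hashes,
with sizes rounded like the report, plus decoys with placeholder hashes.
"""
from collections import defaultdict
from dataclasses import dataclass
import ntpath

# SHA256 values copied from the report (submitted DLL + dropped files).
IOC_SHA256 = {
    "21351817e1f2f115e543f9034572210fe04fbea47a16922f3957c805671dc25f": "submitted DLL",
    "0cd3e3bdb157470f7da09c5fd995af7d733099382133c2a660047684778d683c": "ITNBW\\SYSDM.CPL",
    "0e22894595891a9ff9706e03b3db31a751541c4a773f82420fce57237d6c47cf": "ITNBW\\SystemPropertiesComputerName.exe",
    "b8ac453053a6351f0762b638d6d62b74f88e737d23c71006e7ff89528722f69b": "PpEiWdTy\\VERSION.dll",
    "2fbbec4cacb5161f68d7c2935852a5888945ca0f107cf8a1c01f4528ce407de3": "PpEiWdTy\\msdtc.exe",
    "1ec31eba7ccecdc432255f177ef598c45b869446f6cae1a43123cfae16243fb0": "ZwG\\P2P.dll",
    "1baba169de6c8f3b3c33cea96314c67b709a171bdc8ea9c250a0d016db767345": "ZwG\\p2phost.exe",
    "0dc69ce4a019ede93ff84e91474ab95e7ebf564e54aecbe596834b917634748e": "Startup\\Gwifj.lnk",
}

# Host binaries the report shows copied out of System32 (assumption).
SYSTEM32_HOSTS = {"msdtc.exe", "systempropertiescomputername.exe", "p2phost.exe"}
SIDELOAD_EXTS = {".dll", ".cpl"}


@dataclass(frozen=True)
class FileRecord:
    path: str
    size: int
    sha256: str


def match_iocs(records):
    """Return (path, label) for each record whose SHA256 is a report IoC."""
    return [(r.path, IOC_SHA256[r.sha256.lower()])
            for r in records if r.sha256.lower() in IOC_SHA256]


def find_sideload_candidates(records, system_root=r"C:\Windows"):
    """Group records by directory; outside system_root, report any directory
    holding a System32 host binary beside a DLL/CPL. Sorted by directory."""
    root = system_root.lower().rstrip("\\")
    by_dir = defaultdict(list)
    for r in records:
        by_dir[ntpath.dirname(r.path).lower()].append(r)
    hits = []
    for directory, files in sorted(by_dir.items()):
        if directory == root or directory.startswith(root + "\\"):
            continue  # genuine copies under the Windows directory are expected
        hosts = [f for f in files
                 if ntpath.basename(f.path).lower() in SYSTEM32_HOSTS]
        libs = [f for f in files
                if ntpath.splitext(f.path)[1].lower() in SIDELOAD_EXTS]
        if hosts and libs:
            hits.append({
                "dir": directory,
                "host": ntpath.basename(hosts[0].path),
                "sideloaded": sorted(ntpath.basename(f.path) for f in libs),
                "ioc_match": any(f.sha256.lower() in IOC_SHA256
                                 for f in hosts + libs),
            })
    return hits


# Constructed sample: the report's files (sizes rounded as in the report)
# followed by decoys that must not be flagged.
LOCAL = r"C:\Users\Admin\AppData\Local"
SAMPLE = [
    FileRecord(LOCAL + r"\Temp\21351817e1f2f115e543f9034572210fe04fbea47a16922f3957c805671dc25f.dll", 1_200_000, "21351817e1f2f115e543f9034572210fe04fbea47a16922f3957c805671dc25f"),
    FileRecord(LOCAL + r"\ITNBW\SYSDM.CPL", 1_200_000, "0cd3e3bdb157470f7da09c5fd995af7d733099382133c2a660047684778d683c"),
    FileRecord(LOCAL + r"\ITNBW\SystemPropertiesComputerName.exe", 80_000, "0e22894595891a9ff9706e03b3db31a751541c4a773f82420fce57237d6c47cf"),
    FileRecord(LOCAL + r"\PpEiWdTy\VERSION.dll", 1_200_000, "b8ac453053a6351f0762b638d6d62b74f88e737d23c71006e7ff89528722f69b"),
    FileRecord(LOCAL + r"\PpEiWdTy\msdtc.exe", 138_000, "2fbbec4cacb5161f68d7c2935852a5888945ca0f107cf8a1c01f4528ce407de3"),
    FileRecord(LOCAL + r"\ZwG\P2P.dll", 1_200_000, "1ec31eba7ccecdc432255f177ef598c45b869446f6cae1a43123cfae16243fb0"),
    FileRecord(LOCAL + r"\ZwG\p2phost.exe", 172_000, "1baba169de6c8f3b3c33cea96314c67b709a171bdc8ea9c250a0d016db767345"),
    FileRecord(r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Gwifj.lnk", 1_000, "0dc69ce4a019ede93ff84e91474ab95e7ebf564e54aecbe596834b917634748e"),
    # Decoys: a genuine msdtc.exe in System32 (placeholder hash, not the real
    # one) and a vendor app with its own helper DLL (placeholder hashes).
    FileRecord(r"C:\Windows\System32\msdtc.exe", 141_000, "00" * 32),
    FileRecord(r"C:\Program Files\Vendor\app.exe", 80_000, "11" * 32),
    FileRecord(r"C:\Program Files\Vendor\helper.dll", 20_000, "22" * 32),
]

if __name__ == "__main__":
    for path, label in match_iocs(SAMPLE):
        print(f"IOC       {label:42} {path}")
    for hit in find_sideload_candidates(SAMPLE):
        print(f"SIDELOAD  {hit['host']} + {hit['sideloaded']} in {hit['dir']}")
```

On this sample the layout check fires only for the three %LOCALAPPDATA% directories; the genuine msdtc.exe under C:\Windows\System32 and the vendor application with its own DLL are left alone. The layout check is deliberately independent of the hashes, since a repacked loader changes every hash in the report but not the way the dropped host binary finds its DLL.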

Network

MITRE ATT&CK Enterprise v15

Downloads

        • C:\Users\Admin\AppData\Local\ITNBW\SYSDM.CPL

          Filesize

          1.2MB

          MD5

          8575c7113d20bab33524567e188287dd

          SHA1

          6c187a7290d62c585ff730295ae3063c52878852

          SHA256

          0cd3e3bdb157470f7da09c5fd995af7d733099382133c2a660047684778d683c

          SHA512

          2e9d08cb18d206cd18c479908f4db824752b165bdcf4373f81c26713c19dc111d1844d10df7489cc1a91a00e2fde1d99e910306d1737d07fa20a3e9a1a58f946

        • C:\Users\Admin\AppData\Local\PpEiWdTy\VERSION.dll

          Filesize

          1.2MB

          MD5

          3ff68aef7c776bf6c63acfbc1d67e587

          SHA1

          08e5f6bd5f20d3f6cc4d3cfb4bf83382bfe226a9

          SHA256

          b8ac453053a6351f0762b638d6d62b74f88e737d23c71006e7ff89528722f69b

          SHA512

          1268c9c0439c6899f9eae02c5b7299d3166f0707b73d46236611be1c6d0002132ddc548ca7167218f8d6cb4d32ca3227091cc88d3d723da2e189fedcaacae3ba

        • C:\Users\Admin\AppData\Local\ZwG\P2P.dll

          Filesize

          1.2MB

          MD5

          e967a2f6fa20d7ea6bd45410419efb27

          SHA1

          f623e724946d54ee4bedd72522ae2c547ea88f62

          SHA256

          1ec31eba7ccecdc432255f177ef598c45b869446f6cae1a43123cfae16243fb0

          SHA512

          692128d6df58f5b9cc76829193307cc6cbab5923892af027fe1c60fc0e8471a4085f5dbb908093cd8f69721d9f26175197cd3f6278dc66a4690ee02607457abf

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Gwifj.lnk

          Filesize

          1KB

          MD5

          eb362b0ba70e386325afa79715b44008

          SHA1

          1d513c54ca8a86820e9c84ec95280bf38c268e56

          SHA256

          0dc69ce4a019ede93ff84e91474ab95e7ebf564e54aecbe596834b917634748e

          SHA512

          c023977446b6f5fa7b61bed28314970eb775fd81ade84dbb895865d782c6943344f9bfa16cf02c6200e74829fe5dfe876027870543c3b6966309a73672aa1ae5

        • \Users\Admin\AppData\Local\ITNBW\SystemPropertiesComputerName.exe

          Filesize

          80KB

          MD5

          bd889683916aa93e84e1a75802918acf

          SHA1

          5ee66571359178613a4256a7470c2c3e6dd93cfa

          SHA256

          0e22894595891a9ff9706e03b3db31a751541c4a773f82420fce57237d6c47cf

          SHA512

          9d76de848b319f44657fb7fbe5a3b927774ae999362ff811a199002ffa77ad9e1638a65a271388e605ab5e5a7cb6ce5aa7fcabc3ed583ade00eaa4c265552026

        • \Users\Admin\AppData\Local\PpEiWdTy\msdtc.exe

          Filesize

          138KB

          MD5

          de0ece52236cfa3ed2dbfc03f28253a8

          SHA1

          84bbd2495c1809fcd19b535d41114e4fb101466c

          SHA256

          2fbbec4cacb5161f68d7c2935852a5888945ca0f107cf8a1c01f4528ce407de3

          SHA512

          69386134667626c60c99d941c8ab52f8e5235e3897b5af76965572287afd5dcd42b8207a520587844a57a268e4decb3f3c550e5b7a06230ee677dc5e40c50bb3

        • \Users\Admin\AppData\Local\ZwG\p2phost.exe

          Filesize

          172KB

          MD5

          0dbd420477352b278dfdc24f4672b79c

          SHA1

          df446f25be33ac60371557717073249a64e04bb2

          SHA256

          1baba169de6c8f3b3c33cea96314c67b709a171bdc8ea9c250a0d016db767345

          SHA512

          84014b2dcc00f9fa1a337089ad4d4abcaa9e3155171978ec07bc155ddaebebfabb529d8de3578e564b3aae59545f52d71af173ebb50d2af252f219ac60b453d1

        • memory/1156-8-0x0000000140000000-0x0000000140133000-memory.dmp

          Filesize

          1.2MB

        • memory/1156-37-0x0000000140000000-0x0000000140133000-memory.dmp

          Filesize

          1.2MB

        • memory/1156-16-0x0000000140000000-0x0000000140133000-memory.dmp

          Filesize

          1.2MB

        • memory/1156-15-0x0000000140000000-0x0000000140133000-memory.dmp

          Filesize

          1.2MB

        • memory/1156-14-0x0000000140000000-0x0000000140133000-memory.dmp

          Filesize

          1.2MB

        • memory/1156-17-0x0000000140000000-0x0000000140133000-memory.dmp

          Filesize

          1.2MB

        • memory/1156-13-0x0000000140000000-0x0000000140133000-memory.dmp

          Filesize

          1.2MB

        • memory/1156-25-0x0000000002E00000-0x0000000002E07000-memory.dmp

          Filesize

          28KB

        • memory/1156-26-0x0000000140000000-0x0000000140133000-memory.dmp

          Filesize

          1.2MB

        • memory/1156-11-0x0000000140000000-0x0000000140133000-memory.dmp

          Filesize

          1.2MB

        • memory/1156-9-0x0000000140000000-0x0000000140133000-memory.dmp

          Filesize

          1.2MB

        • memory/1156-3-0x0000000077376000-0x0000000077377000-memory.dmp

          Filesize

          4KB

        • memory/1156-28-0x0000000077610000-0x0000000077612000-memory.dmp

          Filesize

          8KB

        • memory/1156-27-0x00000000775E0000-0x00000000775E2000-memory.dmp

          Filesize

          8KB

        • memory/1156-38-0x0000000140000000-0x0000000140133000-memory.dmp

          Filesize

          1.2MB

        • memory/1156-10-0x0000000140000000-0x0000000140133000-memory.dmp

          Filesize

          1.2MB

        • memory/1156-4-0x0000000002E20000-0x0000000002E21000-memory.dmp

          Filesize

          4KB

        • memory/1156-47-0x0000000077376000-0x0000000077377000-memory.dmp

          Filesize

          4KB

        • memory/1156-18-0x0000000140000000-0x0000000140133000-memory.dmp

          Filesize

          1.2MB

        • memory/1156-12-0x0000000140000000-0x0000000140133000-memory.dmp

          Filesize

          1.2MB

        • memory/1156-7-0x0000000140000000-0x0000000140133000-memory.dmp

          Filesize

          1.2MB

        • memory/1156-6-0x0000000140000000-0x0000000140133000-memory.dmp

          Filesize

          1.2MB

        • memory/2384-46-0x000007FEF6840000-0x000007FEF6973000-memory.dmp

          Filesize

          1.2MB

        • memory/2384-0-0x000007FEF6840000-0x000007FEF6973000-memory.dmp

          Filesize

          1.2MB

        • memory/2384-2-0x0000000000110000-0x0000000000117000-memory.dmp

          Filesize

          28KB

        • memory/2428-92-0x000007FEF6840000-0x000007FEF6974000-memory.dmp

          Filesize

          1.2MB

        • memory/2664-60-0x000007FEF6840000-0x000007FEF6974000-memory.dmp

          Filesize

          1.2MB

        • memory/2664-56-0x000007FEF6840000-0x000007FEF6974000-memory.dmp

          Filesize

          1.2MB

        • memory/2664-55-0x0000000000100000-0x0000000000107000-memory.dmp

          Filesize

          28KB

        • memory/2924-76-0x000007FEF6840000-0x000007FEF6974000-memory.dmp

          Filesize

          1.2MB
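The memory-dump list above is long mainly because one region of PID 1156 was captured many times; PID 1156 does not appear in the process tree, so the report itself does not name that process. The Python below is an added example, not part of the sandbox report: it parses the dump names exactly as they appear here (the DUMPS block is copied from the list above) and collapses them into one row per process and address range, then lists base addresses that recur across several PIDs. The function names and the row layout are this example's own choices.

```python
"""Summarise the memory-dump names this report lists.

Added example, not part of the sandbox report. Each dump name encodes
PID, a sequence number and the dumped address range; grouping them shows
which regions were captured repeatedly, how large each region is, and
which base addresses recur across processes. DUMPS is copied from the
report's list.
"""
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")

DUMPS = """
memory/1156-8-0x0000000140000000-0x0000000140133000-memory.dmp
memory/1156-37-0x0000000140000000-0x0000000140133000-memory.dmp
memory/1156-16-0x0000000140000000-0x0000000140133000-memory.dmp
memory/1156-15-0x0000000140000000-0x0000000140133000-memory.dmp
memory/1156-14-0x0000000140000000-0x0000000140133000-memory.dmp
memory/1156-17-0x0000000140000000-0x0000000140133000-memory.dmp
memory/1156-13-0x0000000140000000-0x0000000140133000-memory.dmp
memory/1156-25-0x0000000002E00000-0x0000000002E07000-memory.dmp
memory/1156-26-0x0000000140000000-0x0000000140133000-memory.dmp
memory/1156-11-0x0000000140000000-0x0000000140133000-memory.dmp
memory/1156-9-0x0000000140000000-0x0000000140133000-memory.dmp
memory/1156-3-0x0000000077376000-0x0000000077377000-memory.dmp
memory/1156-28-0x0000000077610000-0x0000000077612000-memory.dmp
memory/1156-27-0x00000000775E0000-0x00000000775E2000-memory.dmp
memory/1156-38-0x0000000140000000-0x0000000140133000-memory.dmp
memory/1156-10-0x0000000140000000-0x0000000140133000-memory.dmp
memory/1156-4-0x0000000002E20000-0x0000000002E21000-memory.dmp
memory/1156-47-0x0000000077376000-0x0000000077377000-memory.dmp
memory/1156-18-0x0000000140000000-0x0000000140133000-memory.dmp
memory/1156-12-0x0000000140000000-0x0000000140133000-memory.dmp
memory/1156-7-0x0000000140000000-0x0000000140133000-memory.dmp
memory/1156-6-0x0000000140000000-0x0000000140133000-memory.dmp
memory/2384-46-0x000007FEF6840000-0x000007FEF6973000-memory.dmp
memory/2384-0-0x000007FEF6840000-0x000007FEF6973000-memory.dmp
memory/2384-2-0x0000000000110000-0x0000000000117000-memory.dmp
memory/2428-92-0x000007FEF6840000-0x000007FEF6974000-memory.dmp
memory/2664-60-0x000007FEF6840000-0x000007FEF6974000-memory.dmp
memory/2664-56-0x000007FEF6840000-0x000007FEF6974000-memory.dmp
memory/2664-55-0x0000000000100000-0x0000000000107000-memory.dmp
memory/2924-76-0x000007FEF6840000-0x000007FEF6974000-memory.dmp
""".split()


def parse_dump_name(name):
    """Split one dump name into pid, seq, start, end; reject anything else."""
    m = DUMP_RE.search(name)
    if not m:
        raise ValueError(f"not a memory dump name: {name!r}")
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": int(m["start"], 16), "end": int(m["end"], 16)}


def summarize_regions(names):
    """One row per (pid, start, end): region size in bytes, number of dumps
    and their sequence numbers, sorted by pid then address."""
    seqs = defaultdict(list)
    for n in names:
        d = parse_dump_name(n)
        seqs[(d["pid"], d["start"], d["end"])].append(d["seq"])
    return [{"pid": pid, "start": start, "end": end, "size": end - start,
             "dumps": len(s), "seqs": sorted(s)}
            for (pid, start, end), s in sorted(seqs.items())]


def shared_bases(rows):
    """Base addresses seen in more than one PID -> the set of those PIDs."""
    pids = defaultdict(set)
    for r in rows:
        pids[r["start"]].add(r["pid"])
    return {base: p for base, p in pids.items() if len(p) > 1}


if __name__ == "__main__":
    rows = summarize_regions(DUMPS)
    for r in rows:
        print(f"pid {r['pid']:<5} 0x{r['start']:016X}-0x{r['end']:016X} "
              f"{r['size']:>9} bytes  dumped {r['dumps']:>2}x  seq {r['seqs']}")
    for base, p in shared_bases(rows).items():
        print(f"base 0x{base:016X} shared by PIDs {sorted(p)}")
```

Run on the list above, this collapses 30 dumps into 12 rows. The 0x133000-byte (1,257,472-byte) region at 0x140000000 in PID 1156 was dumped 16 times and is exactly the size of the region the submitted DLL occupies in rundll32.exe (PID 2384); the region at 0x000007FEF6840000 in the three dropped host processes (2428, 2664, 2924) is one page (0x1000) larger, in line with the dropped DLL/CPL files being distinct from the submitted sample (different hashes in the Downloads list). The shared base across all four processes is the item to carry into memory forensics on a live host.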