Analysis

  • max time kernel
    35s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22-12-2023 15:47

General

  • Target

    e06bc9c34016a67b0d3a56913db15515.dll

  • Size

    2.1MB

  • MD5

    e06bc9c34016a67b0d3a56913db15515

  • SHA1

    b6b8a5ac1eb6952a7d92c37b4b9c38745796b1f5

  • SHA256

    9defa598e8384355655dd2fcba9e94f1bfbb4fc1d14d4f43cef7ce3173cc8736

  • SHA512

    79c4dcb7ff48c177ceba1d84946fde02ec9a122bccdff124fd2092d4b063837ba97f43ca49d4f43dc9c47e2ffba730a26bdca8cdfebedcfba03a5d7ab85bc313

  • SSDEEP

    12288:2VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:rfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

  • Drops startup file 3 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\e06bc9c34016a67b0d3a56913db15515.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:3720
  • C:\Windows\system32\FileHistory.exe
    C:\Windows\system32\FileHistory.exe
    1⤵
      PID:5096
    • C:\Users\Admin\AppData\Local\SCrbFWM9\FileHistory.exe
      C:\Users\Admin\AppData\Local\SCrbFWM9\FileHistory.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:444
    • C:\Windows\system32\psr.exe
      C:\Windows\system32\psr.exe
      1⤵
        PID:4192
      • C:\Users\Admin\AppData\Local\WbHcFlDX\psr.exe
        C:\Users\Admin\AppData\Local\WbHcFlDX\psr.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:4832
      • C:\Windows\system32\unregmp2.exe
        C:\Windows\system32\unregmp2.exe
        1⤵
          PID:3732
        • C:\Users\Admin\AppData\Local\RWqIx\unregmp2.exe
          C:\Users\Admin\AppData\Local\RWqIx\unregmp2.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:768

Downloads

        • C:\Users\Admin\AppData\Local\RWqIx\VERSION.dll

          Filesize

          56KB

          MD5

          86530fcec58475907541563e349660c4

          SHA1

          ce0bf5ca0dcfaa0cdf85ab19b0613c8c299d9b1e

          SHA256

          abd60ca614536e6baafd32cdce866f436390cc518b4d930db596d7b5d9d9b18f

          SHA512

          7d6a06d441db099872d49df1c371aaac5079df73eadda93cdc445846c433d1c2bb91a6757cf05e583df401cb12ed7d651316fe5cef351fc126d197584f329a50

        • C:\Users\Admin\AppData\Local\RWqIx\VERSION.dll

          Filesize

          16KB

          MD5

          7ce177cc2245fe154827a45e0a90cad4

          SHA1

          08bc4eced6f0caa1eba32841ade084bbc86586fe

          SHA256

          32600bc424fc355cb92144f52920e4e6634c37a178eb131a2a63ba13ef19696b

          SHA512

          e1b60ae726d3d920ebd04ded17de8d8b1ff912aac92d092ac4ffdc2dd7d424663f8e1515503b47cc559cbc742ef5cd06b442a1981314534f4662f442314f3081

        • C:\Users\Admin\AppData\Local\RWqIx\unregmp2.exe

          Filesize

          73KB

          MD5

          47aede7b66c8a8bdc032e87c2780480b

          SHA1

          88bd0c1c94373a8de32c078f9d64d86c5bfc9902

          SHA256

          f1254505ef3248878e9b89df444e5645653b1ade0e419fbe933cbd049f840c4c

          SHA512

          65704c2989825c00a7478303cac4361ac0ddb428ef9944007371622e83c1cd5e2bff4cbf4e512f4bc592c45b46d5896f0ec660dbe686e08b41d0847cd585c9ef

        • C:\Users\Admin\AppData\Local\SCrbFWM9\FileHistory.exe

          Filesize

          132KB

          MD5

          5af41fc5e4994b377c9883c0ba505380

          SHA1

          b1d7e37c20c4c0944f744ae6d9d44c32f87eee2d

          SHA256

          416466638ffd182b04a22208af4598f48d7e402932f7eaf84a7fda7644c286c1

          SHA512

          728adfdeba91eadaf6210cd054dce64c8d17025f6f55e511086c1f508529a25ecd2943a35f3a59c6548e1ba55d693644efd1f36c9e4c0c8445ad7538c3a8a11e

        • C:\Users\Admin\AppData\Local\SCrbFWM9\FileHistory.exe

          Filesize

          32KB

          MD5

          c7c16c482b23fff3f45dbdc3bfd4c990

          SHA1

          cd4a240e23569edfc197abd1b5dac6c27317891e

          SHA256

          7563f2925de20cf66ca6bd308f2d4c50238965d2ff60dda164483601d49c7655

          SHA512

          4316693060cd663ea650dbea3309357e68b6963a30e637a0fb948e2b877f720ea2104d4cc987e891a626b37de1cb7e33e8478e3dfcf68badf9d54c50b76cabd7

        • C:\Users\Admin\AppData\Local\SCrbFWM9\UxTheme.dll

          Filesize

          92KB

          MD5

          c9152e5603808531454be9b35963dd79

          SHA1

          26d4c433162f3cca192a75abb71de22cff464c9e

          SHA256

          52204e278ed9947a7f418a4eec471320a09ad614c0edb0cadbce27178bff6a79

          SHA512

          ec6f4a85a7fc774318d505188d6ecb7a78fa608c1823375f5a51ad06929903ab2a06a8506d4ba92b373c187b623b19011f326b90dded7f9b11278c904ca0cad4

        • C:\Users\Admin\AppData\Local\SCrbFWM9\UxTheme.dll

          Filesize

          33KB

          MD5

          c76b9a123bbf634dab6a70e52ee79a6b

          SHA1

          f321f6d0d6fe9bcb039dc53d4116606eb6797661

          SHA256

          538475c550db7be565756440b793f63c1a6c46b224db9c1f2f5e5cd84288f235

          SHA512

          bb20c9ef2acd46fe11a40954775e08de2e85554ce46969cccf0454ffb5c9a0964a92f1795272b95320460b790a295ba3d232b5506f2f98acf4cba625e447a14d

        • C:\Users\Admin\AppData\Local\WbHcFlDX\XmlLite.dll

          Filesize

          86KB

          MD5

          4ab8f088085a132fe120809edaba76cf

          SHA1

          ce71f5a4e848543508078e82daa369392ce2db00

          SHA256

          a410be9fe7df49032b84b3e0cfb5f6f73f42983a481dfc98eee6c3aaffd6928f

          SHA512

          9766f2a96d277f9e794d4d43193a78a4bfa6a2150e12bacc97bafd4410861d68c9bcbd42006469b65fd3b85c42d474538caec9f6c683fc2c6e93fd7e2495b1ce

        • C:\Users\Admin\AppData\Local\WbHcFlDX\XmlLite.dll

          MD5

          d41d8cd98f00b204e9800998ecf8427e

          SHA1

          da39a3ee5e6b4b0d3255bfef95601890afd80709

          SHA256

          e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

          SHA512

          cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

        • C:\Users\Admin\AppData\Local\WbHcFlDX\psr.exe

          Filesize

          5KB

          MD5

          d550310aee9d62163fdc222bb78ff2c7

          SHA1

          038be4f23803a6ead9c1c19c4767f680e363743e

          SHA256

          5c4fd95c5b3864a3ecd2addf774948d0d84a65d60e7eb044f7590f287faf0101

          SHA512

          598276ece227cebc1ec4b84ec1069c2f019fb279221f531b92d41655bc2157d235bfb20465ba243ebaea51869e65c820474919c190dd6d434e015b3a2cec1b1a

        • C:\Users\Admin\AppData\Local\WbHcFlDX\psr.exe

          Filesize

          92KB

          MD5

          4535b8763ab2bfec6f3bd25884a3e6dc

          SHA1

          3de2f480b9264a982719c252fa72b13485a10e5d

          SHA256

          9db005d5330f09f6d7f9df1818017e3f4a06bce661b8d02bf2a8f1a415fe49a8

          SHA512

          53a2be72b582a0ea0246d609bffcc655fb7c93a2169e2058cfbd2a4179401a1202c4a59daa5356ebb6ac5dafee488b3837e6ccae2051d5d2d9a662bc5181a215
