Analysis

  • max time kernel
    138s
  • max time network
    132s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22-12-2023 15:47

General

  • Target

    e07278c27ec90b3d8fc7500d8180f0a8.dll

  • Size

    2.2MB

  • MD5

    e07278c27ec90b3d8fc7500d8180f0a8

  • SHA1

    2182eb858155c58ed16cab5d023fe4fde762a6be

  • SHA256

    ea2fba4b7d64dc7c14d8b7e2bbb4f2333976b93c5f6d32310925eda10593ca72

  • SHA512

    73b7d147fb8242d641315bf6e8f5824738dad17356ec8245b38754fd190f174278fdf69f1326a7f7e819de3aeebdbf563bbbf4a0e27ba461ceb8170d4a7cd8db

  • SSDEEP

    12288:bVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:6fP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\e07278c27ec90b3d8fc7500d8180f0a8.dll,#1
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:4616
  • C:\Users\Admin\AppData\Local\4ELeR\EaseOfAccessDialog.exe
    C:\Users\Admin\AppData\Local\4ELeR\EaseOfAccessDialog.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:680
  • C:\Windows\system32\EaseOfAccessDialog.exe
    C:\Windows\system32\EaseOfAccessDialog.exe
    PID:4592
  • C:\Users\Admin\AppData\Local\H5kfv\BitLockerWizard.exe
    C:\Users\Admin\AppData\Local\H5kfv\BitLockerWizard.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:1704
  • C:\Windows\system32\BitLockerWizard.exe
    C:\Windows\system32\BitLockerWizard.exe
    PID:2936
  • C:\Users\Admin\AppData\Local\3sx2\mfpmp.exe
    C:\Users\Admin\AppData\Local\3sx2\mfpmp.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:5000
  • C:\Windows\system32\mfpmp.exe
    C:\Windows\system32\mfpmp.exe
    PID:2668

        Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\3sx2\MFPlat.DLL

          Filesize

          37KB

          MD5

          562c480ea39b48543a905fe323451465

          SHA1

          9ccf6afedd3faad643bb486cc7f584e92d63f2d3

          SHA256

          5f75d8153ec735478e0fd503834eebcc7ec72665288bd9c8d3ca7d172bcc6fbd

          SHA512

          97ed785fc4947415c47a23e79b03afea0d8293708abe00f4ae8a39e42f35b29812a476f8ac6307d24bccb359bc5f108473a9e0c9baaa4ba5ee4e07b1e0bfe3f3

        • C:\Users\Admin\AppData\Local\3sx2\MFPlat.DLL

          Filesize

          57KB

          MD5

          f38931d6e59ef19136436b64056d6563

          SHA1

          92fa053c74d4893066e056a1860165dec28feaa6

          SHA256

          30d729771052eda1adc38a040e96ea530c57e5c6236bec62975576fb99e78de4

          SHA512

          2274293ce4aa3e267ef8e685e5e916c0ccb9cc1f20334fe303e1e3ba69df4f95e5329b8e2d72c220ff2acdf4a31020f560690c218bdfb74146cac50cb15836b1

        • C:\Users\Admin\AppData\Local\3sx2\mfpmp.exe

          Filesize

          41KB

          MD5

          dde86491fc2c1e8cb0cb7ac6ad771ee6

          SHA1

          e7c497ee7be00331269a2f8a01ac948f12ece116

          SHA256

          08f3aece8bdab8249e02f5c671e11418829e4f28175ee8c14efd115420bf5293

          SHA512

          018fd97628c9fe776c1f1b3a4a488000d04b7906bde0f5daec1a6737c8ffe07eeec9317b128d3344850652732849303a3f68088ac696a66117a6d46daad5b68f

        • C:\Users\Admin\AppData\Local\3sx2\mfpmp.exe

          Filesize

          34KB

          MD5

          cd810bb75a4224ea34c4e7bb53ced4e6

          SHA1

          c6090c486e45ca5491e93e7dbf2f7f3043d3e5f1

          SHA256

          21decf4857071ab66fcd046d21389e1a4601d64a0eccb1ef89f36ee4c424d562

          SHA512

          3896c8b1802c942126bb649d12df31c992528c4b959ca2f27d86ef5ce9cb2698d2ce6510a0e17dbdd1950b1172cd820392bc9e94ab2074d27db635ff06f9fb43

        • C:\Users\Admin\AppData\Local\4ELeR\EaseOfAccessDialog.exe

          Filesize

          34KB

          MD5

          e52b08749fa407e44c37a05f6b542242

          SHA1

          68b1f1aa9a70c59172578dcae0e98071601525d1

          SHA256

          4387194d62f0710397ae6e4f3f707dc8574957da2625833ce7e4aeac837eed16

          SHA512

          00c4af4bac9db9a1c2dcc447990d0cd4bbc80b304c14816522403097935e513bcf07e7f1d37a60f2257dde69b4099f1ced3c53943fc8f6bfcbc68072797646da

        • C:\Users\Admin\AppData\Local\4ELeR\EaseOfAccessDialog.exe

          Filesize

          26KB

          MD5

          e8061bcb916dc31651a86ed6181f5e4b

          SHA1

          1d59fcaa79cd06c5eae8d16ef36e8b49e16e9d0b

          SHA256

          d0bade86222ad5685c7b2fb946d23590423e20197c8dd3379325dc0b78910398

          SHA512

          055403d382c6df2d3b13e974ae8948229e067dd7412cadcc59eabd7fcae4d1eeee5e50e5c1376d15d22d129c97a7e7005c2cf0cc4dcf77e3dc2327ba38f1f1c7

        • C:\Users\Admin\AppData\Local\4ELeR\OLEACC.dll

          Filesize

          58KB

          MD5

          9722e097b460d7b27896f3cb93d6a703

          SHA1

          2daec85a58f5d498cd43e61e61f2464c5acc4e30

          SHA256

          24c95de22da6da97dfe5461d9d88092414fc71073f5851c56cf927d0be0b6f0c

          SHA512

          6fbb02d23baa4d1926b1c214d946aceb67bd005ea13b75b42ed570eecbe115263fa1808ed3b987197333464457048cfa6c9d3dfbc17ac1f3201fabbb31cd9c36

        • C:\Users\Admin\AppData\Local\4ELeR\OLEACC.dll

          Filesize

          17KB

          MD5

          bd67724a7f88fecf8d84d95ea70d5b72

          SHA1

          0404399a7a1366219d22216fa62ccc8e084a934b

          SHA256

          1cf76594a34fb84dedddeb1a9cddf578a377a3112adf2286669cba278878a287

          SHA512

          b540e18db9cabe9b0e09fac877aedc3b14a794ed1e7cc4144b9029880e4b97c909641ba5f4fc06e095a7ae52131102754330f91d4e11ea3bab852710ca8da584

        • C:\Users\Admin\AppData\Local\H5kfv\BitLockerWizard.exe

          Filesize

          39KB

          MD5

          620aad971540dce295960abf840c6cb1

          SHA1

          b9318b585110a9afd14c3aca2e1c554cd42c0ea7

          SHA256

          9edf0f094b98b671b6251f20bae45cdd611764c33725bff3af4556f254d56e90

          SHA512

          daf0a4775de72689dd324189e13e9e0925c3a85eb904cdae03807dbc16c0383a4d91f4766822ef207ba24d5010d2bbd01233f45e148eaef209034a15142e49b1

        • C:\Users\Admin\AppData\Local\H5kfv\BitLockerWizard.exe

          Filesize

          73KB

          MD5

          e7fb91ffd9b64c86109fc1701245fc2a

          SHA1

          6f285f255ad89bfa6de3dd8c62f856039479396f

          SHA256

          c84c5a6e46ab73a0f6a6109f571b39a4915beabab8ff5c6683495a35b8259a4b

          SHA512

          a8f7204080b68a65626468f19d4c784461efda21f97a9846f84c1937c95a786e2e8143abef3b81954f1ee450114387b7ace0e0e0d48ef83a8db2e29d92a46b12

        • C:\Users\Admin\AppData\Local\H5kfv\FVEWIZ.dll

          Filesize

          59KB

          MD5

          3446992ec608716139eef422cb6312f5

          SHA1

          c1e1927e341c5118035a94294082aacd582f4244

          SHA256

          a247284e3fb93ce7d1fce9b11c413550e2be38be0b4ac56d4e63c812ff6767f3

          SHA512

          82af6e4d70fbe894d942d10bdb89864562b3c0ec50ad892aa6a177fcc73437c2c718aa4c128e890df5ff647d7c996b6d28f74e774659fe878b6477429b28311d

        • C:\Users\Admin\AppData\Local\H5kfv\FVEWIZ.dll

          Filesize

          71KB

          MD5

          0c32ee784a254efd2a47dde0c65a3c03

          SHA1

          74df1b6a8fcc0f9f135f051e749429002a0ed11c

          SHA256

          f600f6384570ee0ed42dacdcf0ae2cfeceb78c6b16f24742f0aead5f6608d5e3

          SHA512

          8ff947bb7fbc08988d682bfd9a9161ca1ff54a7b9d3ba762c0cf1ab4f0d194d3ad92f053e993b81879c616090e5ff4ead9b82114f2196a0a8f4c09abd1b1443c

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Aqwbkkvq.lnk

          Filesize

          1016B

          MD5

          18edf0ff7bf7e08e270245b861d9647d

          SHA1

          2ffa20eb9943844c2e683675e8242cc0a0c4d742

          SHA256

          2531aa273580ada41e3f3aad81c28cefa8cad55723eadf4ddc4c3b150cedee4a

          SHA512

          edfc02f26a6c198322e124ff760473ada1f736610dd3487f34b2fb0187e1e378a48b8306786d3fa8e290150dc66d0c28eb48f06a60e86271b8a52a01a5952911

        • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\laGuI\OLEACC.dll

          MD5

          d41d8cd98f00b204e9800998ecf8427e

          SHA1

          da39a3ee5e6b4b0d3255bfef95601890afd80709

          SHA256

          e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

          SHA512

          cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\JQSjJGf3IE5\MFPlat.DLL

          Filesize

          1KB

          MD5

          37531edbe6d2ad4494bb2f957b214221

          SHA1

          4d4cfc4c47cf9d4312b005ee3f7279f667be546c

          SHA256

          494582d1022c7f6301135af7fb2e00f3301d76f20b11e8241e799530b0fde84f

          SHA512

          948caddb9c76f00ccf83181191cfefe6bb8482789f5f47cd474399dd6b4642cf67b39934bdb1511996f529f029cafc4eb0f140670d95c115df71f645003892f7

        • C:\Users\Admin\AppData\Roaming\Sun\ltUdnuMM\FVEWIZ.dll

          Filesize

          120KB

          MD5

          6aa4fff3f5fa055fca5fcd0a6cee0462

          SHA1

          871c07b1ab9f3a65c293778fec4b17fe09ed46c3

          SHA256

          5d09126995d4c3f5d0d936fbce926630c71b728f4ed1f36ba03347959ead8b69

          SHA512

          4b607ad96bc1071a522f2d6687e04f1db2f52c979cdeaf0512b15fac51c2764db4c8a467d977cbe146e7dc24296194fc7d035609ddb3822b51b95d381bab4b83
