Analysis

  • max time kernel
    165s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22-12-2023 15:49

General

  • Target

    e16fbec8441b778d6ffa3c0a50387254.dll

  • Size

    1.6MB

  • MD5

    e16fbec8441b778d6ffa3c0a50387254

  • SHA1

    f4618ea77b9fc65e1dae34efec00a1bee0121580

  • SHA256

    dcfe6f600462653084dd91777388c633bf70f43a2c2e9d2b51851feae9aa3598

  • SHA512

    501b030422ead74da9a3e43b304008178e612678c8b36bff2c89bcb32a744148d2ccf7ab07e76cdabdf434406c9901bced4b3d3dcd9f9e54e2ed9db1c07aa565

  • SSDEEP

    12288:QVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:VfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing banking credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex payload shellcode injected into the Explorer process.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\e16fbec8441b778d6ffa3c0a50387254.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:3556
  • C:\Windows\system32\EaseOfAccessDialog.exe
    C:\Windows\system32\EaseOfAccessDialog.exe
    1⤵
      PID:2740
    • C:\Users\Admin\AppData\Local\2noz\EaseOfAccessDialog.exe
      C:\Users\Admin\AppData\Local\2noz\EaseOfAccessDialog.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:3380
    • C:\Windows\system32\SystemPropertiesProtection.exe
      C:\Windows\system32\SystemPropertiesProtection.exe
      1⤵
        PID:2500
      • C:\Users\Admin\AppData\Local\pRu\SystemPropertiesProtection.exe
        C:\Users\Admin\AppData\Local\pRu\SystemPropertiesProtection.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:932
      • C:\Windows\system32\shrpubw.exe
        C:\Windows\system32\shrpubw.exe
        1⤵
          PID:3916
        • C:\Users\Admin\AppData\Local\y0iRtaY\shrpubw.exe
          C:\Users\Admin\AppData\Local\y0iRtaY\shrpubw.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:4120

        Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\2noz\EaseOfAccessDialog.exe

          Filesize

          123KB

          MD5

          e75ee992c1041341f709a517c8723c87

          SHA1

          471021260055eac0021f0abffa2d0ba77a2f380e

          SHA256

          0b1731562413eaa972b373cd7388c644a3059940ce67eb89668e4073f3e068dc

          SHA512

          48c3a8531df6bcc5077367cdf32af104c94cf7701118a85e8beabba2e9c4f511ae14e47b6d1b57d11a2bc1e8b4f6d5bacae27a8d16fcd09a8f9e0018f5a6370a

        • C:\Users\Admin\AppData\Local\2noz\OLEACC.dll

          Filesize

          254KB

          MD5

          9897afbd7ba03b9b9cf94b52285e2e6f

          SHA1

          38b39e2bf1039f72c0a866349bcfbf91b36f0b5d

          SHA256

          de5c7564f814124aab94a03edd5c45d7856f63c4aa25ce4fc01df4d666743dd5

          SHA512

          828bcf8557e3289958bf54112776e67d4ca9081a551ac61601413949561d4a6f0910577da0a7747062d17e6fd7b244a4beeb2fdae5b720a892502a0ab490103f

        • C:\Users\Admin\AppData\Local\2noz\OLEACC.dll

          Filesize

          149KB

          MD5

          bbd7f16cf91a81902e481f0c08e3a497

          SHA1

          c71ec7b5bb01042ac1d9f2db9f6e3d60a9948726

          SHA256

          d2ab5551f18fad22014e35a4a839bad24975b8d0584cc9319116a6eccaa639ab

          SHA512

          a113ec3bc94bf7e77a8d23358a823dcf21796a1d27dd0ff52929720c59db261bf2297f76e3e8cabfa42cba628b4d6efabba207f741211ff5e1acee9a52bfd0c3

        • C:\Users\Admin\AppData\Local\pRu\SYSDM.CPL

          Filesize

          171KB

          MD5

          4664038ea8c0fdb4567e6369df7555ae

          SHA1

          2cef539ffff29c16d961926f4b998ef3b497bbbf

          SHA256

          855b28d41bcfa359a3f56d6c12b35fd067ac3feb56677b8b04e5f6df4645a19d

          SHA512

          eaeec150fb2cdbe755ed4707663a359cb50cfd674a9d3593948e9dc1a35fac84dad475e23515643f1d659a9aee81835ba7deca6eb84fc1852c691921565413cd

        • C:\Users\Admin\AppData\Local\pRu\SYSDM.CPL

          Filesize

          59KB

          MD5

          83ee0009d00019c37aa59646850f14b2

          SHA1

          873d721ab0a8bcfaf208ba672398cdd026235a27

          SHA256

          910a2bd9ec1aa23372e4782c033a2379807d08cd65935a333c219f3399eb4aef

          SHA512

          af19b5ba79d4ebc59338b49d743fa952c9319a3638d1f8b7631367b3e939b22402724e8dc3dee8c8dfacabeb43697d2da53a997a82080b03261a17950c74fcff

        • C:\Users\Admin\AppData\Local\pRu\SystemPropertiesProtection.exe

          Filesize

          82KB

          MD5

          26640d2d4fa912fc9a354ef6cfe500ff

          SHA1

          a343fd82659ce2d8de3beb587088867cf2ab8857

          SHA256

          a8ddf1b17b0cbc96a7eaedb0003aa7b1631da09ebfe85b387f8f630222511b37

          SHA512

          26162a3d9d4a8e3290dbcf6fe387b5c48ab1d9552aa02a38954649d877f408cb282e57580f81e15128e3a41da0eb58328d1d6253e1b57232f9a8cecdd99991dc

        • C:\Users\Admin\AppData\Local\y0iRtaY\MFC42u.dll

          Filesize

          194KB

          MD5

          f94b09fe64c3fab6a9d3297f1c4819fc

          SHA1

          cff413f7a087b071d70908cdfe94ad588140e596

          SHA256

          7e36819bf5e6c885a1c088720b9158390bea4510e2c4082b264655035d4fc37b

          SHA512

          ccf4a2de99283ae3e9b8878f9994b1bcd57a02a58049fa340f4bb2b64b7d9031491271a9be069d169fd4aa52223e4546334d7edb36137e3e82d63203a218b017

        • C:\Users\Admin\AppData\Local\y0iRtaY\MFC42u.dll

          Filesize

          57KB

          MD5

          8770a6173b27a213d5d63789ad55056b

          SHA1

          ead37aa79ccfdc274c29178474edfdab14ca1a4b

          SHA256

          64b19a67581bbc886f62ddeeab6b2ea56abb2dcf48959c27ef693eb24370f211

          SHA512

          cfa175535def478cd93b87fd2adeb62bc17e5f2fcf0fa91df2dd516598fd6c38e765dcb08ddee6ef95f49663201803342500072cebd69eb0cb2b53664304ed0c

        • C:\Users\Admin\AppData\Local\y0iRtaY\shrpubw.exe

          Filesize

          59KB

          MD5

          9910d5c62428ec5f92b04abf9428eec9

          SHA1

          05f27d7515e8ae1fa3bc974ec65b864ec4c9ac8b

          SHA256

          6b84e6e55d8572d7edf0b6243d00abb651fcb0cddddac8461de5f9bb80035a2e

          SHA512

          01be043f7ff879a683e53962eec58456ba200d6787ea66581bb62669ae65d5e58a5577cdf23441165f7a535fce1dec933e3ad2465c72172b4a1488b24ce722cb

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dyngdiaoitf.lnk

          Filesize

          1KB

          MD5

          85b40e636635717acbff0ee4f96d3fa1

          SHA1

          0503004fb31addc8a116be98028d985b1f00d6cc

          SHA256

          7046bc825d8c7925d56dffa2f2538e4af4a18106420590ead56fc88ba36ffcd5

          SHA512

          27cf272852c9d7db65951de4802394aac31d859a56f7b33e7f3c5d1e696526c6ac43847934b8771159826959beafd5d559cba1657349f08f334dc9eee560e033

        • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\Keys\5R\MFC42u.dll

          Filesize

          1.6MB

          MD5

          1a5ed215d1ba4b70a023af52fd97711f

          SHA1

          362022ed46b6abf5e12b8a18cce278cb4a2ff926

          SHA256

          5a8e687f73afafb73d0d4c255b8c6430f10f070fa08e1b16ad9e09679cd52e65

          SHA512

          558d63704145e1807f5ab6183644c9413ca98169c6faa7dc366587b61e3ae7efa54df646669e2d9d5bdc211ad022935ce49d7a0533366a6fbc8e083d1b31ce62

        • C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\LxLxJqU\SYSDM.CPL

          Filesize

          1.6MB

          MD5

          ffce2d54155de10616c37daf5e6a27da

          SHA1

          7badadf38d892d8848b195bece2ec78cf6e2b01c

          SHA256

          dd3d7c2cd969e4c7b6a65241a6c6abb0821f540d64b9c7e496f77fc5ef85ef6c

          SHA512

          8e5481cf2b317cb90d44c618860693309a917ee46f32decd2f34462dede5e636af648a4a1614070cd9cce19b9d0ffa965f8a8b20ec693c5e1b93d15e752f2a7e

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\SOYme1th\OLEACC.dll

          Filesize

          974KB

          MD5

          7a1006a386ee4a07d08512829b9bdc53

          SHA1

          2206be5ab0ae57f4f6ea6174044894cff91c5351

          SHA256

          84660e5d12acce110958ffd06e9b9812434b6973dc19a489ff0d05ae39d75756

          SHA512

          ed92e34828d0b5cab4eb5e2e31982b0eebe3c27e18447c3c95ef9d6c0deb7dfaa83c1adb03f49bcf352180720fce52209989372229db7865c383bd68b61e9bc6

        • memory/932-84-0x000001748D820000-0x000001748D827000-memory.dmp

          Filesize

          28KB

        • memory/932-89-0x0000000140000000-0x00000001401A0000-memory.dmp

          Filesize

          1.6MB

        • memory/3380-66-0x0000026155D70000-0x0000026155D77000-memory.dmp

          Filesize

          28KB

        • memory/3380-72-0x0000000140000000-0x00000001401A0000-memory.dmp

          Filesize

          1.6MB

        • memory/3380-67-0x0000000140000000-0x00000001401A0000-memory.dmp

          Filesize

          1.6MB

        • memory/3448-18-0x0000000140000000-0x000000014019F000-memory.dmp

          Filesize

          1.6MB

        • memory/3448-57-0x0000000140000000-0x000000014019F000-memory.dmp

          Filesize

          1.6MB

        • memory/3448-23-0x0000000140000000-0x000000014019F000-memory.dmp

          Filesize

          1.6MB

        • memory/3448-25-0x0000000140000000-0x000000014019F000-memory.dmp

          Filesize

          1.6MB

        • memory/3448-22-0x0000000140000000-0x000000014019F000-memory.dmp

          Filesize

          1.6MB

        • memory/3448-26-0x0000000140000000-0x000000014019F000-memory.dmp

          Filesize

          1.6MB

        • memory/3448-27-0x0000000140000000-0x000000014019F000-memory.dmp

          Filesize

          1.6MB

        • memory/3448-28-0x0000000140000000-0x000000014019F000-memory.dmp

          Filesize

          1.6MB

        • memory/3448-33-0x0000000140000000-0x000000014019F000-memory.dmp

          Filesize

          1.6MB

        • memory/3448-34-0x0000000140000000-0x000000014019F000-memory.dmp

          Filesize

          1.6MB

        • memory/3448-35-0x0000000140000000-0x000000014019F000-memory.dmp

          Filesize

          1.6MB

        • memory/3448-36-0x0000000140000000-0x000000014019F000-memory.dmp

          Filesize

          1.6MB

        • memory/3448-38-0x0000000140000000-0x000000014019F000-memory.dmp

          Filesize

          1.6MB

        • memory/3448-37-0x0000000001420000-0x0000000001427000-memory.dmp

          Filesize

          28KB

        • memory/3448-32-0x0000000140000000-0x000000014019F000-memory.dmp

          Filesize

          1.6MB

        • memory/3448-31-0x0000000140000000-0x000000014019F000-memory.dmp

          Filesize

          1.6MB

        • memory/3448-30-0x0000000140000000-0x000000014019F000-memory.dmp

          Filesize

          1.6MB

        • memory/3448-29-0x0000000140000000-0x000000014019F000-memory.dmp

          Filesize

          1.6MB

        • memory/3448-45-0x0000000140000000-0x000000014019F000-memory.dmp

          Filesize

          1.6MB

        • memory/3448-46-0x00007FFA4F420000-0x00007FFA4F430000-memory.dmp

          Filesize

          64KB

        • memory/3448-55-0x0000000140000000-0x000000014019F000-memory.dmp

          Filesize

          1.6MB

        • memory/3448-24-0x0000000140000000-0x000000014019F000-memory.dmp

          Filesize

          1.6MB

        • memory/3448-21-0x0000000140000000-0x000000014019F000-memory.dmp

          Filesize

          1.6MB

        • memory/3448-20-0x0000000140000000-0x000000014019F000-memory.dmp

          Filesize

          1.6MB

        • memory/3448-19-0x0000000140000000-0x000000014019F000-memory.dmp

          Filesize

          1.6MB

        • memory/3448-4-0x00000000031F0000-0x00000000031F1000-memory.dmp

          Filesize

          4KB

        • memory/3448-17-0x0000000140000000-0x000000014019F000-memory.dmp

          Filesize

          1.6MB

        • memory/3448-16-0x0000000140000000-0x000000014019F000-memory.dmp

          Filesize

          1.6MB

        • memory/3448-15-0x0000000140000000-0x000000014019F000-memory.dmp

          Filesize

          1.6MB

        • memory/3448-14-0x0000000140000000-0x000000014019F000-memory.dmp

          Filesize

          1.6MB

        • memory/3448-6-0x0000000140000000-0x000000014019F000-memory.dmp

          Filesize

          1.6MB

        • memory/3448-9-0x00007FFA4DC2A000-0x00007FFA4DC2B000-memory.dmp

          Filesize

          4KB

        • memory/3448-13-0x0000000140000000-0x000000014019F000-memory.dmp

          Filesize

          1.6MB

        • memory/3448-12-0x0000000140000000-0x000000014019F000-memory.dmp

          Filesize

          1.6MB

        • memory/3448-8-0x0000000140000000-0x000000014019F000-memory.dmp

          Filesize

          1.6MB

        • memory/3448-10-0x0000000140000000-0x000000014019F000-memory.dmp

          Filesize

          1.6MB

        • memory/3448-11-0x0000000140000000-0x000000014019F000-memory.dmp

          Filesize

          1.6MB

        • memory/3556-7-0x0000000140000000-0x000000014019F000-memory.dmp

          Filesize

          1.6MB

        • memory/3556-0-0x0000000140000000-0x000000014019F000-memory.dmp

          Filesize

          1.6MB

        • memory/3556-2-0x000001FC8F510000-0x000001FC8F517000-memory.dmp

          Filesize

          28KB

        • memory/4120-101-0x0000000140000000-0x00000001401A6000-memory.dmp

          Filesize

          1.6MB

        • memory/4120-106-0x0000000140000000-0x00000001401A6000-memory.dmp

          Filesize

          1.6MB

        • memory/4120-100-0x0000018B17620000-0x0000018B17627000-memory.dmp

          Filesize

          28KB