Analysis

  • max time kernel
    149s
  • max time network
    113s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22-12-2023 15:15

General

  • Target

    d577f77a0cf8344c9bb7d3be5578311b.dll

  • Size

    1.9MB

  • MD5

    d577f77a0cf8344c9bb7d3be5578311b

  • SHA1

    d150adc8a686a849c666159ab896fcc845fc6c00

  • SHA256

    95fc26f100d5508c34cd691e6e2e1d6cca2f621de4cd4769433e1564fc6f7e1f

  • SHA512

    a097092b1886bffcd6d963700f8ad88b0ac4e75f80979030eea65984d9e062d21a6a1b53dd62b16866b88a757449977198311e3040cbbd3db0b0c09cfa760319

  • SSDEEP

    12288:XVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:efP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

  • Drops startup file 3 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\d577f77a0cf8344c9bb7d3be5578311b.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:4932
  • C:\Windows\system32\DisplaySwitch.exe
    C:\Windows\system32\DisplaySwitch.exe
    1⤵
      PID:4752
    • C:\Users\Admin\AppData\Local\n4K3m8E\DisplaySwitch.exe
      C:\Users\Admin\AppData\Local\n4K3m8E\DisplaySwitch.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2744
    • C:\Windows\system32\PasswordOnWakeSettingFlyout.exe
      C:\Windows\system32\PasswordOnWakeSettingFlyout.exe
      1⤵
        PID:2172
      • C:\Windows\system32\DisplaySwitch.exe
        C:\Windows\system32\DisplaySwitch.exe
        1⤵
          PID:4468
        • C:\Users\Admin\AppData\Local\NiTZR2yCb\DisplaySwitch.exe
          C:\Users\Admin\AppData\Local\NiTZR2yCb\DisplaySwitch.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2188
        • C:\Users\Admin\AppData\Local\KESB\PasswordOnWakeSettingFlyout.exe
          C:\Users\Admin\AppData\Local\KESB\PasswordOnWakeSettingFlyout.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1532

        Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\KESB\DUI70.dll

          Filesize

          159KB

          MD5

          344f692d46901b6d1bd22514d652d730

          SHA1

          486d2b18f57de63c1ac5b399bf2f79f5492e1786

          SHA256

          2b645f987ab20b6454a805a9e5e41d02b3fb9f60be2a17ab119c16aa1f32c1d4

          SHA512

          a647dbe5b2fca7d5fb0b1f370215121da5d048c21ff7828785f8f05fa711041fe682710787fbec1c4b3770cf29a5c48593c5e8cc4b64ecc84750e45050318d7c

        • C:\Users\Admin\AppData\Local\KESB\DUI70.dll

          Filesize

          298KB

          MD5

          ee09232410deaf3b472e561ec7346b29

          SHA1

          7c62ecba9d6654013db8995241bb7bd64d130f61

          SHA256

          b9277f524423b86c87ae7da3487afda515ca5a2177cef819796a59e9f9ec8598

          SHA512

          5e2b1b35b102f870731aa37b38321a524c2db59ef8e6579b82a2c4d63ab2d89a121e984b72b9c6982f0bf003b7b30c665530d42242dd7f6f6f084426ebcad48e

        • C:\Users\Admin\AppData\Local\KESB\PasswordOnWakeSettingFlyout.exe

          Filesize

          44KB

          MD5

          591a98c65f624c52882c2b238d6cd4c4

          SHA1

          c960d08c19d777069cf265dcc281807fbd8502d7

          SHA256

          5e6ed524c955fb1ea3e24f132987143da3ec81db5041a0edcfa7bf3ac790eb06

          SHA512

          1999f23c90d85857461f8ddc5342470296f6939a654ac015780c2977f293c1f799fc992462f3d4d9181c97ab960db3291b85ea7c0537edcb57755706b20b6074

        • C:\Users\Admin\AppData\Local\NiTZR2yCb\DisplaySwitch.exe

          Filesize

          152KB

          MD5

          447f1b07f2fba9289d4ccb16d6bd7262

          SHA1

          3557a4a5281ab9d9d13cd4ff9808e109e8ae0095

          SHA256

          57beaeaf58e65fe46a2e5d351d534bc440b69de15e30390a5f6acdb069fe1a12

          SHA512

          a4382f319d7d69206b867bb0cc6f0c1fb5083e21321909a705564d60ea31737dfbbd33f0335d53351700bcb3de714b2f207cd21510fcb3545bc2105696183154

        • C:\Users\Admin\AppData\Local\NiTZR2yCb\WINSTA.dll

          Filesize

          128KB

          MD5

          097199d7e8fc610c66b5f532817b5f08

          SHA1

          57942480672d8554e653c1fc35cd23e6052ae89e

          SHA256

          69e57208dba43eb6667d19600d8c0c4ce82eacc5c439c709aff4f90adcb118bf

          SHA512

          c688bb936d51f046213ed95ed7c9831fc72d85551c582c2c69f90e1e53bfda10c0482803dd834fcf23818102a0a03bc2e7020d1c4a7c072ce78d53c13f83fe3a

        • C:\Users\Admin\AppData\Local\NiTZR2yCb\WINSTA.dll

          Filesize

          180KB

          MD5

          4a7fe742586e339c45268068dc6f60a3

          SHA1

          59ac8bed67152b0f09f93144a02d3979ce941ea2

          SHA256

          4ff3a1b298586a728fd327d32238cdbd1019f09ee0070076ad558519a573a87f

          SHA512

          727f585a0e620a6844db90d875254bd74db16ce9306d622b619a7dd01d0f74b84e142799c6ee3edf6cec0def01778c47975533ebe45c9acba3a3f434707709e9

        • C:\Users\Admin\AppData\Local\n4K3m8E\DisplaySwitch.exe

          Filesize

          103KB

          MD5

          ca8bc36055536b7b3e5d7e34bc753bcc

          SHA1

          d71b158990c818e5e37171414d6b0990c4c9402a

          SHA256

          0661b7e856dfffadcdb15494dfcad0a3e6fc6348f02b6ad66c432f0e5258aaea

          SHA512

          26e27ab160c21b68378178ee9616e3db6d8d7b120090a053972e26f7ed77309145b5f4e1bdb77257c25bd8dde33b397b24f4b2ddffd9e777df0b7defa93e8c8d

        • C:\Users\Admin\AppData\Local\n4K3m8E\DisplaySwitch.exe

          Filesize

          27KB

          MD5

          c0192eb071a89e9f3e2b1ded502dfa51

          SHA1

          2acb31d46c1f47812c33bee6cad72c05a41ef549

          SHA256

          97cd3ba644f0bee08bf10eb22f330a88e11bf133beb517117f6daa2d5a36b510

          SHA512

          99705fec6217f087b120d960f71a674cb67a41733058c0e83e7ca684cf10fbe75da288662f3167b85fc1ea68ad58128a29df9356341af258aa10ef58f820cd59

        • C:\Users\Admin\AppData\Local\n4K3m8E\WINSTA.dll

          Filesize

          87KB

          MD5

          75613a324a7d1f61b1c2f236bdaac9b5

          SHA1

          52cdf5cea006b9617873a405ca51e8f3d922b1c9

          SHA256

          c8932f9b5a54ccad718d2acc808290f9f2eef139cc942d2467a1419d0d0bab6d

          SHA512

          74b173a92e5fedce053206d8c838e4d0c24002aa7aa171a01124f6a1c5d0a374a821601b6e914699b8c416f2d3811a1960bff9b415ec127bf3d2008eee59d83f

        • C:\Users\Admin\AppData\Local\n4K3m8E\WINSTA.dll

          Filesize

          109KB

          MD5

          cd60a945c77920f813b98157581a4825

          SHA1

          033361c3558859e6fe12678313b463a3d121ad6c

          SHA256

          d057f6452a21d5d0c47d8ec4debcd6d4c7a033bebe4df833c1b855cf0ff716ff

          SHA512

          0433ec9d54e055cc25de85bcc2edecf2c5b8ffba1e587d02abcbd745eacbf6a2f6fffa6d63925f3ca235cbbc85da802167efbfdbfda44c28c5a2fc3991532bad

        • C:\Users\Admin\AppData\Roaming\Adobe\Flash Player\hT6wz\DUI70.dll

          Filesize

          2.2MB

          MD5

          bf9a17ce86dbb712af7cd31e568550b9

          SHA1

          cb0cd8e9610c06e7cf347758d33cf201bd8934c4

          SHA256

          4c611e666f651895ceadda12c5c3f54c855d6b7d9be6f5ef74a61aeab41b9540

          SHA512

          e765c2ea7f13ab0bf8a0855f0d2e5b379cce4dda0496e5ec94dc6d85e00d4a4df337294128a9da9c80d4a07fdb6684f40e14e94c08d8e113bd4ce010eefbd24e

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Aqwbkkvq.lnk

          Filesize

          1KB

          MD5

          bcd1ca51b957bad9b160dcfded6fd60d

          SHA1

          a5b600e71579631fc0dbe73c2b117b3156f96e10

          SHA256

          320a1615c71b1584727b74ac34875a1cee63e9f48399ed7e0ec6a93157993454

          SHA512

          0c3a5515d20251dfb5dbe9468ef3801a44361d684a4ce064243a19017a59fb65190cb3b127be4765f3aac4bc314712dc8c852299e6baae7f5dae307d6175f81b

        • C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\yU\WINSTA.dll

          Filesize

          2.0MB

          MD5

          074c4dd42afb8446724008996816ba27

          SHA1

          5ec696d6bd1d90f66b34bf5b8fe118cb9e8bc9b9

          SHA256

          dc51e10986e8b174b096465fce284882e0aecbd10d3ada1c915e12a02b055e0d

          SHA512

          966795267d850b738639cddd42291896ba5c7bbaba8b3ec9e249dee7f45c6206c1ac7be69d1d67252bb0cdbef39ee9af5d569ac455acbeb528207dbad28be95a

        • C:\Users\Admin\AppData\Roaming\Sun\Java\Deployment\Zba\WINSTA.dll

          Filesize

          2.0MB

          MD5

          9b41958e31ba398589e40028e2a604d4

          SHA1

          234426d184c1b01bf3db5d2fdc2d7f004249c7bb

          SHA256

          f697ec5ce715758599fdc6d6324682f5ee503b800fc0cbbb49c77636fbfeb16a

          SHA512

          83e8523080389b24a28fddda62472317a128a91f8fb10a29bc3ad14a645a6c6f612ca96d0ffa2cc8f6ddd54c55be6fd5673d4d9a726d1b745ea5d4d8c40bd49e
