Analysis

  • max time kernel
    71s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22-12-2023 15:34

General

  • Target

    da5e3cb85be5b54edb1e3b5ff9d733a2.dll

  • Size

    3.1MB

  • MD5

    da5e3cb85be5b54edb1e3b5ff9d733a2

  • SHA1

    e93524cf92f6c04fad09162a1462920dd0d48ec1

  • SHA256

    e441dc66366d37c4598e91b6779169dcbc71f386ca494b9d6c9d8137b45233f7

  • SHA512

    640fffd35412cc5100aaf4c14ce6359b7c6fcb4df6e22bf3d501b342cc16fe65dc07ad431d22544f49ba0b37b2da7e2c0c7b121d64cb078ccdb4a1d66da60c33

  • SSDEEP

    12288:hVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1po:QfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex payload shellcode injected into the Explorer process.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\da5e3cb85be5b54edb1e3b5ff9d733a2.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:4280
  • C:\Windows\system32\eudcedit.exe
    C:\Windows\system32\eudcedit.exe
    1⤵
      PID:1672
    • C:\Users\Admin\AppData\Local\noEX\eudcedit.exe
      C:\Users\Admin\AppData\Local\noEX\eudcedit.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:1448
    • C:\Windows\system32\rstrui.exe
      C:\Windows\system32\rstrui.exe
      1⤵
        PID:680
      • C:\Users\Admin\AppData\Local\woR\rstrui.exe
        C:\Users\Admin\AppData\Local\woR\rstrui.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:4752
      • C:\Windows\system32\eudcedit.exe
        C:\Windows\system32\eudcedit.exe
        1⤵
          PID:2880
        • C:\Users\Admin\AppData\Local\WQwAmR\eudcedit.exe
          C:\Users\Admin\AppData\Local\WQwAmR\eudcedit.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:4900

Network

MITRE ATT&CK Enterprise v15

Downloads

        • C:\Users\Admin\AppData\Local\WQwAmR\MFC42u.dll

          Filesize

          41KB

          MD5

          b2d4a1b709b522de5f766fdd6b766114

          SHA1

          cd40cecdda37254dd0d52a0b4a6ded6bb8dcc381

          SHA256

          d2c54c5e4f6e0186245f69b623ce1cd247151115c84e80165e577e5cdae54fc1

          SHA512

          a36063f05fa05faec3ff965861513a67774fbb0c171ade7a335a629273849c0ca7ec9711ff54304de8f5c4659b0337abdc551cbaae90a963e6b97ae56e68d696

        • C:\Users\Admin\AppData\Local\WQwAmR\MFC42u.dll

          Filesize

          32KB

          MD5

          13dfab471f8eae58a30844196c8ca24e

          SHA1

          a3f8115cc7b8a4223eb0574a5ebbb3847432f9f9

          SHA256

          a2a29c6788c1b183213aca51284ef230f2bd1cfbd0b17456ef7a2ded802db4b3

          SHA512

          720df1e62fb49b9240e8ebdbe42d5fb76d2f1cc4291fe4346d503fced77eee6e20d7301de1feaaea1da68c76c498c6e7c9f7c298fa35131e369ccf2a9b384780

        • C:\Users\Admin\AppData\Local\WQwAmR\eudcedit.exe

          Filesize

          25KB

          MD5

          d141d882718adaa3f18bdf7a1af8cd95

          SHA1

          cd888c8ef54afe88f8eb99911aba9a1d573e9920

          SHA256

          a4d055f651b3392dc396048cf9b6a41b642d2484c56286368229cfff9d8dd9da

          SHA512

          7ad71697542bc2fd192631574604948eb3ea1ef922df40340055827688919295239b7a61dd2253c122796d94a203651167d8a3808f0008b3f072299392672ca4

        • C:\Users\Admin\AppData\Local\noEX\eudcedit.exe

          Filesize

          66KB

          MD5

          cfe8884f2d0581ecf0024a61196d410f

          SHA1

          ad38edf91c18c60189f8fc8cafd8e62cac3fed6d

          SHA256

          b3268b3f733bdeafd0c838eb7810d76bca805c5b6e7d5c1eb35fcacd3afc1230

          SHA512

          7c34f66b35209e3dd3b2e110241ff70cf06e8a76b691b5c248b2d8438207eb44444057430602fbcaf4b8a9622e49be0c19c3c8fa1b568648a43a50b7865f4429

        • C:\Users\Admin\AppData\Local\noEX\eudcedit.exe

          MD5

          d41d8cd98f00b204e9800998ecf8427e

          SHA1

          da39a3ee5e6b4b0d3255bfef95601890afd80709

          SHA256

          e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

          SHA512

          cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

        • C:\Users\Admin\AppData\Local\woR\SRCORE.dll

          Filesize

          119KB

          MD5

          b2e70143e96ca258fe509de8c0bd5252

          SHA1

          9a99cf3eabec3d150f9d89b5babf957f0dbaba4e

          SHA256

          329ae169b853c63cfde285654e7250fab309a5c3ff56b56a263b7094c20011f3

          SHA512

          2b26046f2c57bce7407e5f0a652af24781d1b8b616b47896a51044ba3d2e4e0e2903359cfd4ee4616267f1c5cfa8c9b9c3bcb3bf4364596d781af9677196bd2a

        • C:\Users\Admin\AppData\Local\woR\SRCORE.dll

          Filesize

          59KB

          MD5

          c93e8ec9692e480cc64cd6259821d14c

          SHA1

          eb143813ab8f9ad6b54437be11440c9d8deef817

          SHA256

          24c25a652e51d0a278456f597607c7ca2b4bbc03f6400b19cbe859a680dcb593

          SHA512

          629b87c391d33fec4d4ede16452342569ba926d12907882a71478dc98ca86cc97c3eae1e1f977abba3577574e499a6427b97fe033a4d6845dfb31bc56d3ef160

        • C:\Users\Admin\AppData\Local\woR\rstrui.exe

          Filesize

          73KB

          MD5

          b8d4c96c38905c4ed333cedc14d72abf

          SHA1

          20c895abbaa3b6e095382b9c9d3ad4019443af60

          SHA256

          761c61a695a47670f8cba59e5eba92d247e41d4fa00eb5589526be0d3b52c5b7

          SHA512

          a8f9f8e322c389a59e0e414b57347ef96510f77ab317ce2511907b365172d76ff954159c9a54d35cb95fab6fd80e567677001c4cc80ec6d0479a96cef2115467

        • C:\Users\Admin\AppData\Local\woR\rstrui.exe

          Filesize

          41KB

          MD5

          095a5605e9bbad4c76d802aa64155c26

          SHA1

          77a8fae3e7d46891214a4f63418ba84017e358d1

          SHA256

          5dfce9bb5edf4df92dc0ce90834e8955f91a721dafb043d86091933c95d23758

          SHA512

          21e79263bfda2e72efe130a359d4ef199429b6ee357c9724dba129ab267ec93fcc2a6caf7fa47fdf201e11657d5661661d52e079ecbe84963086edc54246322e

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Hxquhu.lnk

          Filesize

          1KB

          MD5

          063e22842275df69be0a388c7e873f05

          SHA1

          1391e203eb80389796fae5ff4d4a7c6b2011d796

          SHA256

          3634416a117c2450e29ad35f46a137ce8ca757fd1d9cc106f5c5683eef35f117

          SHA512

          df1d7d4fd910532cb3a9c5b194165d84fae44291a9680535326ebda7981e3b42996b8279d0e08ae0d40bdef8a64fc884967e7582fb8007f5ad5071d4e1987fed

        • C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\16.0\sd\SRCORE.dll

          Filesize

          3KB

          MD5

          3a36da183cb988bc13c0b692f2418b97

          SHA1

          6991621db676efcaf1947e32a3c5d881ffba5322

          SHA256

          04d728650db03e69b90d652d35d74e3ecb758396ebf874be71dc5b123176a96f

          SHA512

          a3462eb5f25ac6e3da1b7dcd49a5a240e69ab538aecf0227aaa3839ccdeeb23310db090472fdb5daa46a4ccd6bf8e7f8ac700fa8480f0494fda2ff00cce74ebb

        • C:\Users\Admin\AppData\Roaming\Microsoft\Vault\O0xma7cm\MFC42u.dll

          Filesize

          92KB

          MD5

          9c89e2bee3ec7b4ab2b1016f31002865

          SHA1

          ee79dd89a2ce9605419d322daac3bbec487ca72b

          SHA256

          43c8441cd33e20c1deea2e49aaf2f6e61c7f021cb79436b683c105a37b75eb73

          SHA512

          5de06f72f929821a04b62977337d97e74ced5c8b0096c9e823d1a5d086b7946bce073a9fa865ed6c909a024b81504bf6244bd4b3385fddf819760c62fff30dd7

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\O45n\MFC42u.dll

          Filesize

          61KB

          MD5

          c2837e78c070ce6901faf62ff922e200

          SHA1

          21a6da721f522237c588e52d81371aff97fb974e

          SHA256

          9223012600d279faafd29d2948b5ae06d9a5da6f2d14864c93c837ba2a0cc597

          SHA512

          bd0df03afc86ed23233eb4eee051131dcb7e0273ae9dae956d7e840659164dc00298f82fc6df7f36576e17d4645f3dc59a421332e64bf9ca7b7346cf0d254745

        • memory/1448-97-0x00000249C4FF0000-0x00000249C4FF7000-memory.dmp

          Filesize

          28KB

        • memory/3592-57-0x0000000140000000-0x0000000140323000-memory.dmp

          Filesize

          3.1MB

        • memory/3592-38-0x0000000140000000-0x0000000140323000-memory.dmp

          Filesize

          3.1MB

        • memory/3592-34-0x0000000140000000-0x0000000140323000-memory.dmp

          Filesize

          3.1MB

        • memory/3592-36-0x0000000140000000-0x0000000140323000-memory.dmp

          Filesize

          3.1MB

        • memory/3592-37-0x0000000140000000-0x0000000140323000-memory.dmp

          Filesize

          3.1MB

        • memory/3592-39-0x0000000140000000-0x0000000140323000-memory.dmp

          Filesize

          3.1MB

        • memory/3592-40-0x0000000140000000-0x0000000140323000-memory.dmp

          Filesize

          3.1MB

        • memory/3592-42-0x0000000140000000-0x0000000140323000-memory.dmp

          Filesize

          3.1MB

        • memory/3592-44-0x0000000140000000-0x0000000140323000-memory.dmp

          Filesize

          3.1MB

        • memory/3592-45-0x0000000140000000-0x0000000140323000-memory.dmp

          Filesize

          3.1MB

        • memory/3592-48-0x0000000140000000-0x0000000140323000-memory.dmp

          Filesize

          3.1MB

        • memory/3592-49-0x0000000140000000-0x0000000140323000-memory.dmp

          Filesize

          3.1MB

        • memory/3592-51-0x0000000140000000-0x0000000140323000-memory.dmp

          Filesize

          3.1MB

        • memory/3592-50-0x0000000140000000-0x0000000140323000-memory.dmp

          Filesize

          3.1MB

        • memory/3592-52-0x0000000140000000-0x0000000140323000-memory.dmp

          Filesize

          3.1MB

        • memory/3592-54-0x0000000140000000-0x0000000140323000-memory.dmp

          Filesize

          3.1MB

        • memory/3592-53-0x0000000140000000-0x0000000140323000-memory.dmp

          Filesize

          3.1MB

        • memory/3592-56-0x0000000140000000-0x0000000140323000-memory.dmp

          Filesize

          3.1MB

        • memory/3592-58-0x0000000140000000-0x0000000140323000-memory.dmp

          Filesize

          3.1MB

        • memory/3592-60-0x0000000140000000-0x0000000140323000-memory.dmp

          Filesize

          3.1MB

        • memory/3592-61-0x0000000140000000-0x0000000140323000-memory.dmp

          Filesize

          3.1MB

        • memory/3592-63-0x0000000140000000-0x0000000140323000-memory.dmp

          Filesize

          3.1MB

        • memory/3592-65-0x0000000140000000-0x0000000140323000-memory.dmp

          Filesize

          3.1MB

        • memory/3592-64-0x0000000140000000-0x0000000140323000-memory.dmp

          Filesize

          3.1MB

        • memory/3592-62-0x0000000140000000-0x0000000140323000-memory.dmp

          Filesize

          3.1MB

        • memory/3592-59-0x0000000140000000-0x0000000140323000-memory.dmp

          Filesize

          3.1MB

        • memory/3592-5-0x00007FFC8D66A000-0x00007FFC8D66B000-memory.dmp

          Filesize

          4KB

        • memory/3592-55-0x0000000140000000-0x0000000140323000-memory.dmp

          Filesize

          3.1MB

        • memory/3592-47-0x0000000140000000-0x0000000140323000-memory.dmp

          Filesize

          3.1MB

        • memory/3592-46-0x0000000140000000-0x0000000140323000-memory.dmp

          Filesize

          3.1MB

        • memory/3592-43-0x0000000140000000-0x0000000140323000-memory.dmp

          Filesize

          3.1MB

        • memory/3592-67-0x0000000000D00000-0x0000000000D07000-memory.dmp

          Filesize

          28KB

        • memory/3592-41-0x0000000140000000-0x0000000140323000-memory.dmp

          Filesize

          3.1MB

        • memory/3592-31-0x0000000140000000-0x0000000140323000-memory.dmp

          Filesize

          3.1MB

        • memory/3592-35-0x0000000140000000-0x0000000140323000-memory.dmp

          Filesize

          3.1MB

        • memory/3592-33-0x0000000140000000-0x0000000140323000-memory.dmp

          Filesize

          3.1MB

        • memory/3592-32-0x0000000140000000-0x0000000140323000-memory.dmp

          Filesize

          3.1MB

        • memory/3592-30-0x0000000140000000-0x0000000140323000-memory.dmp

          Filesize

          3.1MB

        • memory/3592-27-0x0000000140000000-0x0000000140323000-memory.dmp

          Filesize

          3.1MB

        • memory/3592-26-0x0000000140000000-0x0000000140323000-memory.dmp

          Filesize

          3.1MB

        • memory/3592-76-0x00007FFC8DC60000-0x00007FFC8DC70000-memory.dmp

          Filesize

          64KB

        • memory/3592-24-0x0000000140000000-0x0000000140323000-memory.dmp

          Filesize

          3.1MB

        • memory/3592-22-0x0000000140000000-0x0000000140323000-memory.dmp

          Filesize

          3.1MB

        • memory/3592-19-0x0000000140000000-0x0000000140323000-memory.dmp

          Filesize

          3.1MB

        • memory/3592-15-0x0000000140000000-0x0000000140323000-memory.dmp

          Filesize

          3.1MB

        • memory/3592-14-0x0000000140000000-0x0000000140323000-memory.dmp

          Filesize

          3.1MB

        • memory/3592-12-0x0000000140000000-0x0000000140323000-memory.dmp

          Filesize

          3.1MB

        • memory/3592-10-0x0000000140000000-0x0000000140323000-memory.dmp

          Filesize

          3.1MB

        • memory/3592-29-0x0000000140000000-0x0000000140323000-memory.dmp

          Filesize

          3.1MB

        • memory/3592-28-0x0000000140000000-0x0000000140323000-memory.dmp

          Filesize

          3.1MB

        • memory/3592-25-0x0000000140000000-0x0000000140323000-memory.dmp

          Filesize

          3.1MB

        • memory/3592-23-0x0000000140000000-0x0000000140323000-memory.dmp

          Filesize

          3.1MB

        • memory/3592-21-0x0000000140000000-0x0000000140323000-memory.dmp

          Filesize

          3.1MB

        • memory/3592-20-0x0000000140000000-0x0000000140323000-memory.dmp

          Filesize

          3.1MB

        • memory/3592-4-0x0000000002840000-0x0000000002841000-memory.dmp

          Filesize

          4KB

        • memory/3592-8-0x0000000140000000-0x0000000140323000-memory.dmp

          Filesize

          3.1MB

        • memory/3592-9-0x0000000140000000-0x0000000140323000-memory.dmp

          Filesize

          3.1MB

        • memory/3592-11-0x0000000140000000-0x0000000140323000-memory.dmp

          Filesize

          3.1MB

        • memory/3592-18-0x0000000140000000-0x0000000140323000-memory.dmp

          Filesize

          3.1MB

        • memory/3592-17-0x0000000140000000-0x0000000140323000-memory.dmp

          Filesize

          3.1MB

        • memory/3592-13-0x0000000140000000-0x0000000140323000-memory.dmp

          Filesize

          3.1MB

        • memory/3592-16-0x0000000140000000-0x0000000140323000-memory.dmp

          Filesize

          3.1MB

        • memory/4280-7-0x0000000140000000-0x0000000140323000-memory.dmp

          Filesize

          3.1MB

        • memory/4280-1-0x0000000140000000-0x0000000140323000-memory.dmp

          Filesize

          3.1MB

        • memory/4280-0-0x00000239DA040000-0x00000239DA047000-memory.dmp

          Filesize

          28KB

        • memory/4752-113-0x000002BCA4160000-0x000002BCA4167000-memory.dmp

          Filesize

          28KB

        • memory/4900-130-0x0000027DF6890000-0x0000027DF6897000-memory.dmp

          Filesize

          28KB