Analysis

  • max time kernel
    106s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22-12-2023 16:34

General

  • Target

    f334c05455a23f89ee06fb59f1b9f77f.dll

  • Size

    3.5MB

  • MD5

    f334c05455a23f89ee06fb59f1b9f77f

  • SHA1

    33410197fc64415e351f489720b48f0cc6ff401b

  • SHA256

    0692471fb02d58c1e50832d9f74be4e0a1155b1de0d434d5c4d38f644abe1d79

  • SHA512

    4c97f8d362f8256c9a2abf0785d96ceb82e451e23533aa007346f88f3f27776bee16c27fc2c76b7d09cb772f9138b1750d651c1cbbba478d8e40b87efcb07e01

  • SSDEEP

    12288:PVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:mfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a banking trojan that specializes in stealing bank credentials.

  • Dridex Shellcode (1 IoC)

    Detects Dridex payload shellcode injected into the Explorer process.

  • Executes dropped EXE (3 IoCs)
  • Loads dropped DLL (5 IoCs)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Checks whether UAC is enabled (1 TTP, 4 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of AdjustPrivilegeToken (8 IoCs)
  • Suspicious use of FindShellTrayWindow (2 IoCs)
  • Suspicious use of WriteProcessMemory (12 IoCs)
  • Uses Task Scheduler COM API (1 TTP)

    The Task Scheduler COM API can be used to schedule applications to run at boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\f334c05455a23f89ee06fb59f1b9f77f.dll,#1
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:3864
  • C:\Windows\system32\dccw.exe
    C:\Windows\system32\dccw.exe
    PID:1924
  • C:\Users\Admin\AppData\Local\a4Flf1Vek\perfmon.exe
    C:\Users\Admin\AppData\Local\a4Flf1Vek\perfmon.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:724
  • C:\Windows\system32\perfmon.exe
    C:\Windows\system32\perfmon.exe
    PID:432
  • C:\Users\Admin\AppData\Local\FuNH\dwm.exe
    C:\Users\Admin\AppData\Local\FuNH\dwm.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:2184
  • C:\Windows\system32\dwm.exe
    C:\Windows\system32\dwm.exe
    PID:1584
  • C:\Users\Admin\AppData\Local\oMxwpW\dccw.exe
    C:\Users\Admin\AppData\Local\oMxwpW\dccw.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:4892
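
The process list above, read together with the dropped files under Downloads, shows the loader's on-disk layout: a copy of a legitimate System32 binary (perfmon.exe, dwm.exe, dccw.exe) written into a randomly named directory under AppData, next to a DLL whose name matches a library that binary resolves by name (the report pairs perfmon.exe with credui.dll, dwm.exe with dxgi.dll, dccw.exe with mscms.dll), so that running the copy side-loads the malicious DLL; a .lnk in the Startup folder keeps it running. The Python below is an added example, not code from the report or from any sandbox product. It runs that check over a constructed list of paths taken from this report, and its System32 name baseline is an assumption trimmed to the names seen here; on a real host you would build the baseline from a clean System32 listing.

```python
import ntpath
import re
from collections import defaultdict

# Baseline of System32 binary names. Build this from a clean host in practice;
# the sets here are an assumption limited to the names that appear in this report.
SYSTEM32_EXES = {"perfmon.exe", "dwm.exe", "dccw.exe"}
SYSTEM32_DLLS = {"credui.dll", "dxgi.dll", "mscms.dll"}

# Drop locations a standard user can write to without elevation.
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\(local|roaming)\\", re.I)
# Startup-folder .lnk, matched on the path tail so 8.3 short names (STARTM~1) still hit.
STARTUP_LNK = re.compile(r"\\programs\\startup\\[^\\]+\.lnk$", re.I)

# Constructed input: the dropped-file paths from this report, de-duplicated,
# plus one benign user-space executable (assumed) that must not be flagged.
SAMPLE_PATHS = [
    r"C:\Users\Admin\AppData\Local\Temp\f334c05455a23f89ee06fb59f1b9f77f.dll",
    r"C:\Users\Admin\AppData\Local\FuNH\dwm.exe",
    r"C:\Users\Admin\AppData\Local\FuNH\dxgi.dll",
    r"C:\Users\Admin\AppData\Local\a4Flf1Vek\credui.dll",
    r"C:\Users\Admin\AppData\Local\a4Flf1Vek\perfmon.exe",
    r"C:\Users\Admin\AppData\Local\oMxwpW\dccw.exe",
    r"C:\Users\Admin\AppData\Local\oMxwpW\mscms.dll",
    r"C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\479gnT\mscms.dll",
    r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Aqwbkkvq.lnk",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3803511929-1339359695-2191195476-1000\FXVmo\dwm.exe",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3803511929-1339359695-2191195476-1000\FXVmo\dxgi.dll",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\0SUZ69vg\credui.dll",
    r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe",  # benign, assumed
]


def triage(paths):
    """Group user-writable drops by directory and classify each directory.

    A System32 executable name next to a System32 DLL name in the same
    user-writable directory is the side-loading layout this report shows;
    a System32 DLL name on its own is a staged or partially cleaned-up copy.
    """
    by_dir = defaultdict(set)
    for p in paths:
        if USER_WRITABLE.match(p):
            d, name = ntpath.split(p)
            by_dir[d].add(name.lower())

    pairs, orphan_dlls, orphan_exes = [], [], []
    for d in sorted(by_dir):
        exes = sorted(by_dir[d] & SYSTEM32_EXES)
        dlls = sorted(by_dir[d] & SYSTEM32_DLLS)
        if exes and dlls:
            pairs.extend((d, e, l) for e in exes for l in dlls)
        elif dlls:
            orphan_dlls.extend(ntpath.join(d, l) for l in dlls)
        elif exes:
            orphan_exes.extend(ntpath.join(d, e) for e in exes)

    return {
        "sideload_pairs": pairs,
        "orphan_dlls": orphan_dlls,
        "orphan_exes": orphan_exes,
        "startup_lnks": sorted(p for p in paths if STARTUP_LNK.search(p)),
    }


if __name__ == "__main__":
    for key, items in triage(SAMPLE_PATHS).items():
        print(key)
        for item in items:
            print("   ", item)
```

The check deliberately keys on names, not hashes: the copied executables are unmodified Microsoft binaries and will pass any hash or signature check, so the signal is the location (a signed System32 binary under AppData) and the company it keeps (a same-named DLL in the same directory).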

Network

MITRE ATT&CK Enterprise v15

Downloads

        • C:\Users\Admin\AppData\Local\FuNH\dwm.exe

          Filesize

          35KB

          MD5

          ee432ac8ce8357a17be75e03f33f5824

          SHA1

          41b1b46a31b9b38f8ecb3d17a9f5b79c8f7f57e5

          SHA256

          1a5f68afb16ce7b7ccd157dad82454ac9070dccd45385f7db881545c927cc734

          SHA512

          6f7b87c6f2d744d151de656dfcc8de5e64290ab64ed52c527b6eebba36776fed1eb3693d89844b26f799dbc80c4342567abf03f271ab25c0f2cfa2707f4d7d87

        • C:\Users\Admin\AppData\Local\FuNH\dwm.exe

          Filesize

          92KB

          MD5

          5c27608411832c5b39ba04e33d53536c

          SHA1

          f92f8b7439ce1de4c297046ed1d3ff9f20bc97af

          SHA256

          0ac827c9e35cdaa492ddd435079415805dcc276352112b040bcd34ef122cf565

          SHA512

          1fa25eabc08dff9ea25dfa7da310a677927c6344b76815696b0483f8860fa1469820ff15d88a78ed32f712d03003631d9aceaf9c9851de5dd40c1fc2a7bc1309

        • C:\Users\Admin\AppData\Local\FuNH\dxgi.dll

          Filesize

          21KB

          MD5

          390e0820e5cbef89a8da9fff6204b9e3

          SHA1

          8159f31b6167646d94346b46ca2fd882a3e08f56

          SHA256

          eb8c655ceafba69bd62142b1d3e81f562a53659d89bc73fa18b533556ef2b2f8

          SHA512

          3458cbd3bf94aa787263110e38bfd012421af427518c1e72482550a706dca913f382cb021f7a9bb91bafc31ffee9ae651c1fbfc151624354728c6b66c9bf6de7

        • C:\Users\Admin\AppData\Local\FuNH\dxgi.dll

          Filesize

          52KB

          MD5

          64accc65d094bf1d765d068f42a7c498

          SHA1

          3e5accdb18a6c7086835257cb89b9a9d6b639fc2

          SHA256

          7f5a37fe407689fee66d07d5fdebdb82e2e0e3182b9ea0dd8d7386be49258f17

          SHA512

          cdfb0c5221a778d2b5ac27ed0c5e3e8ad4434bc5e74e8956b9a8dadac03979e02df69520508e224b1896778722e8ea33431c516e1e2bd9da2ec0900ac482dbbb

        • C:\Users\Admin\AppData\Local\FuNH\dxgi.dll

          Filesize

          32KB

          MD5

          8e6d9172cab806e327782a658701b31e

          SHA1

          7ff35129b8a1672653f58b87e93bbaca56afaee0

          SHA256

          6538516c90b167966743cdc01e2a17729cded982e95945d3280040c401de2f3f

          SHA512

          4497e865a46f0086bfff40ad5d53d05f9e82a858a7bb2a0c8b9b38422244b722cd8df8150c589a22fa840a1c16f9ccb39109ea35dea6956ab78140439612cec8

        • C:\Users\Admin\AppData\Local\FuNH\dxgi.dll

          Filesize

          40KB

          MD5

          5b8db5b1166fc6d5e2094d5346c3004e

          SHA1

          01d2b7d159f3f524b2e057e76350e30eedcb5838

          SHA256

          758fd04d93c2ae42cbe199083f50e53d1379307546c935e740d3c6f79ff505b4

          SHA512

          da3907c523b4bc4d7351c631a141af348eba531a4011bd759dc948f5b2e81c56c4a4c748100ef50f8b0e4537bf471487b330a21fe4e0aeb4c51f20940627e5a5

        • C:\Users\Admin\AppData\Local\a4Flf1Vek\credui.dll

          Filesize

          18KB

          MD5

          8539a82e6b9474c7af3327bdfd972709

          SHA1

          090b261b858c0a080f4244a0899da1e0103935bf

          SHA256

          aecda28b8a9d8f393f982add3f6e36b7b19fe3911f1f9127eb519c156672769c

          SHA512

          a3d53ceaa9a9f3a381792c6768916ab06fa3e5a44fd33686a148dfe5b658c7f861eb13151f6c0ec9d736bd6d60fb83cbfb178cfcad690d3fbc5f3fd727da427c

        • C:\Users\Admin\AppData\Local\a4Flf1Vek\credui.dll

          Filesize

          29KB

          MD5

          51304f1d0ef1847b583e121f97539545

          SHA1

          5bf989194aed23a2cdb669abe2c4bc36263f400c

          SHA256

          ee4449456bae0f6cdf3e5683361dc8fb1ff478d522c88e886b3ddb6c5a05961c

          SHA512

          1c3d8cc5d4559fd042eebfee5a457e2e0eafab4701e398425dc14cfa893e32b48b47b564e3fe63eb4da76a333112c4de6e54233532aad3e34794126334bc64c4

        • C:\Users\Admin\AppData\Local\a4Flf1Vek\perfmon.exe

          Filesize

          26KB

          MD5

          d416de97e823a386808de0e6821b8a9e

          SHA1

          2c30b6c5422dc973438b8116648e515449e7f48e

          SHA256

          5173f4908382aeb756c17c00d132dd9af40b81288bf828519231b25d7f4aa100

          SHA512

          605edd65e6182f846fd46e910e027b7b3aed5a558867f6bec49929fbfc5895d9647a3308d50e0adc7e2e161b176ba7859b04970296f04228e9db1f58264a3aa6

        • C:\Users\Admin\AppData\Local\a4Flf1Vek\perfmon.exe

          Filesize

          10KB

          MD5

          f8419cdeff04a317015925559f0344ca

          SHA1

          24d094fd749b95a7a48f4e8325660f5363de1b4e

          SHA256

          ab5923fb746dc2169195b92a3303277d88f440aa4c4db03e292dfe305e91b3e3

          SHA512

          a45eddc82e9e58a401c2e2bfe1f4a03aa1a3237e967bf8bcb063018205fa23bdf3b67264bc7061ea312d144b0cb3bccb589124f208052c8e961e9f7aa54ed7b0

        • C:\Users\Admin\AppData\Local\oMxwpW\dccw.exe

          Filesize

          94KB

          MD5

          ed203a282fdde8d2a2f01af16066c2e5

          SHA1

          a86c77e831a66c9ef86c4582ca11fde33271657a

          SHA256

          bc4b4c5b0c70df0c5b8845989e4b9c83040d59999aa843c113382d54c4da525e

          SHA512

          1ea1d57707c11e65e1988ca8a266b83e6e23481df8af6790505e088a80f3e725f3b67620a143f78bf8a4ae29640244acc634c9a96759f1ecaeea62417cd05ce9

        • C:\Users\Admin\AppData\Local\oMxwpW\dccw.exe

          Filesize

          11KB

          MD5

          f0da418c420b643ebca8c22fb543a79d

          SHA1

          05b6a9f8ea0b9841edd90ce1dfc88de518b97791

          SHA256

          ae02f977727a808ca1718503f8bf5134e99e31a90f097681344fc955478b8e21

          SHA512

          09eb57c7ebfe249d3db64602345195ad7a4a112dc6447df3b8d1a29c75e166e3699e0be938aa0a510a8652f95f67feec858881bf07402934dd9c3d4b8b54fcdc

        • C:\Users\Admin\AppData\Local\oMxwpW\mscms.dll

          Filesize

          49KB

          MD5

          10a291f840bea76f7538b14df6fb167d

          SHA1

          354d4c2c75db3e4441cc7288ee3ea6dafee08c8c

          SHA256

          59159e7e08abb4712d9f2dcd3532ff6f6397e81256c812d6bf3dad59ffc014bb

          SHA512

          c29108738f93d93742e5e9f3d594fc9add2c299386a4ca88fa4cf11c0b799c8dbc5849533d00821ca75a91b0e3b3ffe987ba1691d2bbcafcc88cb38305de5508

        • C:\Users\Admin\AppData\Local\oMxwpW\mscms.dll

          Filesize

          27KB

          MD5

          f6f0c7a8d2fa0a2301ec4e9bc29b6fdf

          SHA1

          acbf608eaf6d5971bff29836557bd335de1f34e8

          SHA256

          c52175e6fe7f878afa9f3b53dd4b40094b90f26c7c74822f1f85d12623ada18e

          SHA512

          32c5bd2d531a844bbed5a5db786d89b9b10c7b0e85d0d9991edd1122ebd0f82bed5e2d66f4d92db63f1465d56f5256a2d9fc526b3363d221cfd5403cde0a392a

        • C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\479gnT\mscms.dll

          Filesize

          36KB

          MD5

          3b58c6483a800a71b4d4319b36e77244

          SHA1

          e235a653a9c8f0e10abb06a64232d1d5f53b4be2

          SHA256

          7aaf415814e8d2ef5f8b397d8befada376cbd09f255ad64f0a368a1b9a4396ba

          SHA512

          447f302b0d97d3ba9300f7595934cd4b0090c958479bc59cb226a28fdb482d8404e4de63ae4bb0f6b05463844b63d3924f3aef2953c0ed39ce5fadd5832df45e

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Aqwbkkvq.lnk

          Filesize

          1KB

          MD5

          96a5d54a40a0051f4c109429c2505b2f

          SHA1

          0988ea4d3fb3976ec19e16e620354783406ec1ff

          SHA256

          6affe85e951805b51f37d41db32629f85a9cb7874ca2eafb7f8081f7a05155da

          SHA512

          50e04de36fd7a12e926f608c06ce327edefc937bcaab2829dc7da77ea9e8b035c8eeadec06557f75254025f4a517c099b1900a2db2effcfe2b80ee8d66c4ec0c

        • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3803511929-1339359695-2191195476-1000\FXVmo\dwm.exe

          Filesize

          12KB

          MD5

          a5333ad8504a51ef532e562efc7fce55

          SHA1

          0f0f8896db7e6fbe61e3b32b9c74f48ffcdcf41e

          SHA256

          2a482e2943880beae859a603c91fc8e0195d97cde918f830c9f90505fcb14306

          SHA512

          d2395eb5fbb361cce892d7c955793b1728e5b4ba51c2bae1496aa9ecb89268ad9f0a7913bcfe107111c6fdd7a330586c11d66cbaf2054bc1b8a9a710aa8259cc

        • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3803511929-1339359695-2191195476-1000\FXVmo\dxgi.dll

          Filesize

          1KB

          MD5

          cd068fed916674488a8a7a133c5541a2

          SHA1

          6a5b20f884f6992047131f2b22152da1647e7fb8

          SHA256

          9add45bff3abcbdbaf767c730e7e8c2af34aa1cba8a913e78c8a9e10702866d7

          SHA512

          9d0ca3478598a35f3deed6da47300cd5dfd7662498298feb3835b49d7fe48dbc4a7d3d581b1290c2ca2346e3c87322d70390f83eed46a073024e28606859897a

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\0SUZ69vg\credui.dll

          Filesize

          1KB

          MD5

          3a9c6a07395d1873899a74ee3dbaf3f3

          SHA1

          b6a3b9cef5dcf2bd6f5fe7bee73fb12d99b32dd8

          SHA256

          878b4a5826bd5c3f3d2f38af896ed1a7ed28036a19b73663638cc3f9e5b30d0a

          SHA512

          8e27972eb7acb236835927c42af77e7b2263e288116a255e09a4f516a2c6d412f9a659d85ce008ee8c087c3c0a5dd05f235a961ac30e94f4f643ab469fdc07c4

        • memory/724-129-0x0000026E49C30000-0x0000026E49C37000-memory.dmp

          Filesize

          28KB

        • memory/2184-116-0x0000018A3D360000-0x0000018A3D367000-memory.dmp

          Filesize

          28KB

        • memory/3452-56-0x0000000140000000-0x000000014037E000-memory.dmp

          Filesize

          3.5MB

        • memory/3452-39-0x0000000140000000-0x000000014037E000-memory.dmp

          Filesize

          3.5MB

        • memory/3452-74-0x00007FFE16280000-0x00007FFE16290000-memory.dmp

          Filesize

          64KB

        • memory/3452-62-0x0000000140000000-0x000000014037E000-memory.dmp

          Filesize

          3.5MB

        • memory/3452-12-0x0000000140000000-0x000000014037E000-memory.dmp

          Filesize

          3.5MB

        • memory/3452-66-0x0000000000E60000-0x0000000000E67000-memory.dmp

          Filesize

          28KB

        • memory/3452-65-0x0000000140000000-0x000000014037E000-memory.dmp

          Filesize

          3.5MB

        • memory/3452-64-0x0000000140000000-0x000000014037E000-memory.dmp

          Filesize

          3.5MB

        • memory/3452-61-0x0000000140000000-0x000000014037E000-memory.dmp

          Filesize

          3.5MB

        • memory/3452-57-0x0000000140000000-0x000000014037E000-memory.dmp

          Filesize

          3.5MB

        • memory/3452-53-0x0000000140000000-0x000000014037E000-memory.dmp

          Filesize

          3.5MB

        • memory/3452-49-0x0000000140000000-0x000000014037E000-memory.dmp

          Filesize

          3.5MB

        • memory/3452-45-0x0000000140000000-0x000000014037E000-memory.dmp

          Filesize

          3.5MB

        • memory/3452-43-0x0000000140000000-0x000000014037E000-memory.dmp

          Filesize

          3.5MB

        • memory/3452-40-0x0000000140000000-0x000000014037E000-memory.dmp

          Filesize

          3.5MB

        • memory/3452-36-0x0000000140000000-0x000000014037E000-memory.dmp

          Filesize

          3.5MB

        • memory/3452-33-0x0000000140000000-0x000000014037E000-memory.dmp

          Filesize

          3.5MB

        • memory/3452-30-0x0000000140000000-0x000000014037E000-memory.dmp

          Filesize

          3.5MB

        • memory/3452-60-0x0000000140000000-0x000000014037E000-memory.dmp

          Filesize

          3.5MB

        • memory/3452-59-0x0000000140000000-0x000000014037E000-memory.dmp

          Filesize

          3.5MB

        • memory/3452-58-0x0000000140000000-0x000000014037E000-memory.dmp

          Filesize

          3.5MB

        • memory/3452-26-0x0000000140000000-0x000000014037E000-memory.dmp

          Filesize

          3.5MB

        • memory/3452-55-0x0000000140000000-0x000000014037E000-memory.dmp

          Filesize

          3.5MB

        • memory/3452-54-0x0000000140000000-0x000000014037E000-memory.dmp

          Filesize

          3.5MB

        • memory/3452-52-0x0000000140000000-0x000000014037E000-memory.dmp

          Filesize

          3.5MB

        • memory/3452-51-0x0000000140000000-0x000000014037E000-memory.dmp

          Filesize

          3.5MB

        • memory/3452-50-0x0000000140000000-0x000000014037E000-memory.dmp

          Filesize

          3.5MB

        • memory/3452-48-0x0000000140000000-0x000000014037E000-memory.dmp

          Filesize

          3.5MB

        • memory/3452-47-0x0000000140000000-0x000000014037E000-memory.dmp

          Filesize

          3.5MB

        • memory/3452-46-0x0000000140000000-0x000000014037E000-memory.dmp

          Filesize

          3.5MB

        • memory/3452-44-0x0000000140000000-0x000000014037E000-memory.dmp

          Filesize

          3.5MB

        • memory/3452-42-0x0000000140000000-0x000000014037E000-memory.dmp

          Filesize

          3.5MB

        • memory/3452-41-0x0000000140000000-0x000000014037E000-memory.dmp

          Filesize

          3.5MB

        • memory/3452-63-0x0000000140000000-0x000000014037E000-memory.dmp

          Filesize

          3.5MB

        • memory/3452-38-0x0000000140000000-0x000000014037E000-memory.dmp

          Filesize

          3.5MB

        • memory/3452-37-0x0000000140000000-0x000000014037E000-memory.dmp

          Filesize

          3.5MB

        • memory/3452-35-0x0000000140000000-0x000000014037E000-memory.dmp

          Filesize

          3.5MB

        • memory/3452-34-0x0000000140000000-0x000000014037E000-memory.dmp

          Filesize

          3.5MB

        • memory/3452-32-0x0000000140000000-0x000000014037E000-memory.dmp

          Filesize

          3.5MB

        • memory/3452-31-0x0000000140000000-0x000000014037E000-memory.dmp

          Filesize

          3.5MB

        • memory/3452-29-0x0000000140000000-0x000000014037E000-memory.dmp

          Filesize

          3.5MB

        • memory/3452-28-0x0000000140000000-0x000000014037E000-memory.dmp

          Filesize

          3.5MB

        • memory/3452-27-0x0000000140000000-0x000000014037E000-memory.dmp

          Filesize

          3.5MB

        • memory/3452-25-0x0000000140000000-0x000000014037E000-memory.dmp

          Filesize

          3.5MB

        • memory/3452-24-0x0000000140000000-0x000000014037E000-memory.dmp

          Filesize

          3.5MB

        • memory/3452-20-0x0000000140000000-0x000000014037E000-memory.dmp

          Filesize

          3.5MB

        • memory/3452-19-0x0000000140000000-0x000000014037E000-memory.dmp

          Filesize

          3.5MB

        • memory/3452-18-0x0000000140000000-0x000000014037E000-memory.dmp

          Filesize

          3.5MB

        • memory/3452-16-0x0000000140000000-0x000000014037E000-memory.dmp

          Filesize

          3.5MB

        • memory/3452-15-0x0000000140000000-0x000000014037E000-memory.dmp

          Filesize

          3.5MB

        • memory/3452-14-0x0000000140000000-0x000000014037E000-memory.dmp

          Filesize

          3.5MB

        • memory/3452-13-0x0000000140000000-0x000000014037E000-memory.dmp

          Filesize

          3.5MB

        • memory/3452-11-0x0000000140000000-0x000000014037E000-memory.dmp

          Filesize

          3.5MB

        • memory/3452-10-0x0000000140000000-0x000000014037E000-memory.dmp

          Filesize

          3.5MB

        • memory/3452-8-0x0000000140000000-0x000000014037E000-memory.dmp

          Filesize

          3.5MB

        • memory/3452-9-0x00007FFE1615A000-0x00007FFE1615B000-memory.dmp

          Filesize

          4KB

        • memory/3452-7-0x0000000140000000-0x000000014037E000-memory.dmp

          Filesize

          3.5MB

        • memory/3452-17-0x0000000140000000-0x000000014037E000-memory.dmp

          Filesize

          3.5MB

        • memory/3452-22-0x0000000140000000-0x000000014037E000-memory.dmp

          Filesize

          3.5MB

        • memory/3452-4-0x0000000002CB0000-0x0000000002CB1000-memory.dmp

          Filesize

          4KB

        • memory/3452-23-0x0000000140000000-0x000000014037E000-memory.dmp

          Filesize

          3.5MB

        • memory/3452-21-0x0000000140000000-0x000000014037E000-memory.dmp

          Filesize

          3.5MB

        • memory/3864-6-0x0000000140000000-0x000000014037E000-memory.dmp

          Filesize

          3.5MB

        • memory/3864-1-0x0000000140000000-0x000000014037E000-memory.dmp

          Filesize

          3.5MB

        • memory/3864-0-0x0000020B85AF0000-0x0000020B85AF7000-memory.dmp

          Filesize

          28KB

        • memory/4892-96-0x00000216163F0000-0x00000216163F7000-memory.dmp

          Filesize

          28KB
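
The memory dumps above carry the injection evidence: the 0x140000000-0x14037E000 region (0x37E000 bytes, the report's 3.5MB) is captured in PID 3864, the rundll32.exe that loaded the DLL, and then repeatedly in PID 3452, which appears in no process entry of this report; that fits the "Dridex Shellcode" signature's description of a payload injected into Explorer, although the report itself does not name the process behind PID 3452. The Python below is an added example, not tooling from the report or the sandbox: it parses dump names of this report's format and flags sample-sized regions in PIDs the process tree does not list. The input is a constructed excerpt of the dump names above, and the tolerance exists because the report rounds the file size.

```python
import re
from collections import defaultdict

# One dump name per snapshot: memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9a-f]+)-0x([0-9a-f]+)-memory\.dmp$", re.I)

# MSVC's default image base for 64-bit executables; a region starting exactly
# here is far more likely a mapped PE image than a heap or stack allocation.
DEFAULT_X64_EXE_BASE = 0x140000000

# Constructed input: an excerpt of the dump names listed in this report.
SAMPLE_DUMPS = [
    "memory/3864-0-0x0000020B85AF0000-0x0000020B85AF7000-memory.dmp",
    "memory/3864-1-0x0000000140000000-0x000000014037E000-memory.dmp",
    "memory/3452-4-0x0000000002CB0000-0x0000000002CB1000-memory.dmp",
    "memory/3452-7-0x0000000140000000-0x000000014037E000-memory.dmp",
    "memory/3452-9-0x00007FFE1615A000-0x00007FFE1615B000-memory.dmp",
    "memory/3452-12-0x0000000140000000-0x000000014037E000-memory.dmp",
    "memory/3452-65-0x0000000140000000-0x000000014037E000-memory.dmp",
    "memory/3452-66-0x0000000000E60000-0x0000000000E67000-memory.dmp",
    "memory/724-129-0x0000026E49C30000-0x0000026E49C37000-memory.dmp",
]
# PIDs that this report's process list names.
TREE_PIDS = {3864, 1924, 724, 432, 2184, 1584, 4892}
SAMPLE_SIZE = int(3.5 * 1024 * 1024)  # the report rounds the DLL to "3.5MB"


def parse_dumps(names):
    """Return {pid: {(start, end): [snapshot indices]}}; names that don't parse are skipped."""
    regions = defaultdict(lambda: defaultdict(list))
    for n in names:
        m = DUMP_RE.match(n)
        if m:
            pid, idx = int(m[1]), int(m[2])
            regions[pid][(int(m[3], 16), int(m[4], 16))].append(idx)
    return regions


def find_foreign_images(regions, tree_pids, sample_size, tolerance=0x10000):
    """Sample-sized regions in PIDs the process tree does not list.

    The loader (rundll32) legitimately maps the DLL, so its copy is not a
    finding; the same base and size in a PID outside the tree is the
    injected copy. Sizes are compared with a tolerance because the report
    rounds file sizes.
    """
    hits = []
    for pid, regs in sorted(regions.items()):
        for (start, end), idxs in regs.items():
            size = end - start
            if pid not in tree_pids and abs(size - sample_size) <= tolerance:
                hits.append({
                    "pid": pid, "base": start, "size": size,
                    "snapshots": len(idxs),
                    "at_default_exe_base": start == DEFAULT_X64_EXE_BASE,
                    # listed processes that hold the identical region (the loader)
                    "also_in": sorted(p for p, r in regions.items()
                                      if p != pid and (start, end) in r),
                })
    return hits


if __name__ == "__main__":
    for h in find_foreign_images(parse_dumps(SAMPLE_DUMPS), TREE_PIDS, SAMPLE_SIZE):
        print(f"pid {h['pid']}: base 0x{h['base']:X} size 0x{h['size']:X} "
              f"({h['snapshots']} snapshots), same region also in {h['also_in']}")
```

Against the full list in this report the same function reports PID 3452 once with 58 snapshots of the 0x140000000 region and PID 3864 as the only other holder; the small 0x7000 regions present in every process are below the size threshold and are not flagged.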