Analysis

  • max time kernel
    188s
  • max time network
    200s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22-12-2023 16:42

General

  • Target
    f71f16a72ace0fd6a636a6008e36dc8d.dll
  • Size
    1.7MB
  • MD5
    f71f16a72ace0fd6a636a6008e36dc8d
  • SHA1
    03c376915c929e4162d388f70a6a87ab200206ae
  • SHA256
    f049251053c1be586de5e8d9804dcf16ec93afa5d0641c08f31706937d5410a1
  • SHA512
    2529cf8d24ff1fc38769a91077a7201bcee8097b77705dde1d7d4d4b0f60f4deeb46cb22fa950ba35e9c380e26aa29464d9b0d39a3d64ba91e8d5cbfdf0225c8
  • SSDEEP
    12288:uVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:zfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a banking trojan that specializes in stealing online banking credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex payload shellcode injected into the Explorer process.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\f71f16a72ace0fd6a636a6008e36dc8d.dll
    • Suspicious behavior: EnumeratesProcesses
    PID: 4900
  • C:\Windows\system32\lpksetup.exe
    C:\Windows\system32\lpksetup.exe
    PID: 3440
  • C:\Users\Admin\AppData\Local\AJr7bL\lpksetup.exe
    C:\Users\Admin\AppData\Local\AJr7bL\lpksetup.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID: 2028
  • C:\Windows\system32\rdpinit.exe
    C:\Windows\system32\rdpinit.exe
    PID: 1624
  • C:\Users\Admin\AppData\Local\0Awitw7R\rdpinit.exe
    C:\Users\Admin\AppData\Local\0Awitw7R\rdpinit.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID: 5032
  • C:\Windows\system32\wbengine.exe
    C:\Windows\system32\wbengine.exe
    PID: 2068
  • C:\Users\Admin\AppData\Local\D64St0vTL\wbengine.exe
    C:\Users\Admin\AppData\Local\D64St0vTL\wbengine.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID: 1028
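The process list shows the same arrangement three times: a Windows binary from System32 (lpksetup.exe, rdpinit.exe, wbengine.exe) is run once from its real location, then a copy of it is run from a random-named folder under the user's profile (AJr7bL, 0Awitw7R, D64St0vTL), and only the copy is flagged "Executes dropped EXE" and "Loads dropped DLL". The Downloads list puts a DLL with the name of a System32 DLL (dpx.dll, WTSAPI32.dll, SPP.dll) in each of those folders. That is the classic DLL side-loading layout, and it can be hunted for on disk without signatures. The script below is an added example written for this report, not part of the sandbox output. It assumes the caller passes the two roots to scan and to compare against (on a live host, the profile's AppData and %SystemRoot%\System32); it matches on case-insensitive file name and treats a DLL as a substitute when its SHA-256 differs from the System32 copy of the same name. Some installers legitimately carry their own copy of a DLL that also exists in System32, so treat hits as triage leads, not verdicts.

```python
"""Hunt for the side-loading layout seen in the process list: a copy of a
System32 executable in a user-writable folder, next to a DLL that carries a
System32 DLL's name but not its content.

Added example for this report, not part of the sandbox output.  Assumed
interface: the caller passes the roots to scan and to compare against (on a
live host, the user's AppData and %SystemRoot%\\System32).
"""
import hashlib
import os
import sys
from pathlib import Path


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def index_system_dir(system32: Path) -> dict:
    """Lower-case name -> path for every .exe and .dll directly in System32."""
    return {
        p.name.lower(): p
        for p in system32.iterdir()
        if p.is_file() and p.suffix.lower() in (".exe", ".dll")
    }


def find_sideload_candidates(user_root: Path, system32: Path) -> list:
    """One record per (exe, dll) pair that matches the layout.

    A folder is flagged when it holds an .exe whose name exists in System32
    and a .dll whose name exists in System32 but whose SHA-256 differs from
    the System32 copy.  A DLL byte-identical to the real one is skipped:
    it cannot be a substitute.
    """
    known = index_system_dir(system32)
    system_hash = {}  # cache: System32 name -> sha256, computed on demand

    def real_hash(name: str) -> str:
        if name not in system_hash:
            system_hash[name] = sha256_of(known[name])
        return system_hash[name]

    findings = []
    for dirpath, _subdirs, files in os.walk(user_root):
        folder = Path(dirpath)
        by_name = {f.lower(): folder / f for f in files}
        exes = [(n, p) for n, p in by_name.items() if n.endswith(".exe") and n in known]
        if not exes:
            continue
        for n, dll in by_name.items():
            if not n.endswith(".dll") or n not in known:
                continue
            dll_hash = sha256_of(dll)
            if dll_hash == real_hash(n):
                continue
            for exe_name, exe in exes:
                findings.append({
                    "folder": str(folder),
                    "exe": exe.name,
                    # True when the dropped EXE is a byte-for-byte copy of the
                    # system binary, the usual host for a side-loaded DLL
                    "exe_is_system_copy": sha256_of(exe) == real_hash(exe_name),
                    "dll": dll.name,
                    "dll_sha256": dll_hash,
                })
    return findings


if __name__ == "__main__":
    # usage: python sideload_hunt.py <user_root> <system32>
    user_root, system32 = Path(sys.argv[1]), Path(sys.argv[2])
    for hit in find_sideload_candidates(user_root, system32):
        print(hit)
```

Run it against the whole AppData tree rather than only Local: in this run the 1.7MB copies of the three DLL names landed under Roaming (Quick Launch, SystemCertificates, Themes) while the executables sit under Local.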

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\0Awitw7R\WTSAPI32.dll
    Filesize 134KB
    MD5 bda667963d16a933cd1ec9a5082a93c6
    SHA1 b0363ee647486e63980f682cab44ac8f1c44ec3a
    SHA256 e6a6ccd3e9c3108b04b3f54b84a867521d3b59e10e32245b17a88186e9129e9d
    SHA512 fdb21118cd3b73cbc8f7f25d351ce72f67e6ef80e84e9d7be12fe8435cbc42a7f344b5a581a3691deb2a60c1e293c2370584f83ad7996d12350404279ffdfa1c
  • C:\Users\Admin\AppData\Local\0Awitw7R\WTSAPI32.dll
    Filesize 132KB
    MD5 ca1b74e1d8c7ff8a5b6d592d854cb44a
    SHA1 4e4f9da80518c7965a15fe92433803b27221296e
    SHA256 bcb98b83baa3d364dfdfddb38afb95536fc65cc78b65905d5061042e01edef2f
    SHA512 2267a9ab2d32d059c40961c53adbe896b130414fc890617ef5c408738d257cdcb1753f54fa53e15ddf27b1e1efade726a869857f2bb6f981ce758ccc8ad0c06a
  • C:\Users\Admin\AppData\Local\0Awitw7R\rdpinit.exe
    Filesize 91KB
    MD5 40f750473561b60a91d3dadcbd4714de
    SHA1 42076ce9eb59c88c1eaa371eb3bb8b92284f0618
    SHA256 8958877143804eb2137226d11d5198321c370d1c77ba41428cf29e86ca653e7d
    SHA512 80df90067f3d59b6ff0bc5aa59b8b36e9da59dc7c83f7e14b0b9c90255839c883fb9df3b468c5253df96b23988de75b4b40a21e427875c58205f244138ec14de
  • C:\Users\Admin\AppData\Local\0Awitw7R\rdpinit.exe
    Filesize 47KB
    MD5 d383dc1b8b3586a61409f5895db73d69
    SHA1 56691c99e4ea0168504cd6deb1845d57367c9c34
    SHA256 48950b25afb9896545b1d0124fa2fa737af80fc47c8aba998b5cba3518e2e2cf
    SHA512 475c4b7f0563ab44ea7d1b094e801f275db10f16ec713a6ba37a5141425a13331b61c633ffc755875ad16bb095f534b4dd91aff22a43310cd577250f48d2a1d0
  • C:\Users\Admin\AppData\Local\AJr7bL\dpx.dll
    Filesize 217KB
    MD5 78c3636ed730f18667e16e8e9eac6151
    SHA1 aee12fda10c79eb34bffb98d325eb3322b74d61b
    SHA256 1f57065243fef0721a7b344bee714e4642c0e1928ddfee5202a3509896101c3f
    SHA512 b86a95892e1a13f6efdfd9023a30861eadba18f60d0b98e76201b70df1e00cda675fecc8c444d6e14cf6ad423b5e16e80387a1bd53589e94cff95058e3573094
  • C:\Users\Admin\AppData\Local\AJr7bL\dpx.dll
    Filesize 234KB
    MD5 9b0b099fd03f910ae80f210922559341
    SHA1 5943c506f6621a538c9b6e4c7b87b7a5fcd22c8c
    SHA256 b43371ca81f749fb319ebd32f87ea5951ad5bba5226b73c0b2a0e1d486c883a0
    SHA512 9ae9ab5ece1ba1213c8f870d877a61ef0dd3389646a573f499b9af29d8e494f4786979b3eda8e4aa20d3137a0fd189eb6432c614bf14bab4cddb5113a7c36c8c
  • C:\Users\Admin\AppData\Local\AJr7bL\lpksetup.exe
    Filesize 218KB
    MD5 831e3f0b08ffd17835153edf4672f846
    SHA1 dbb7bb7124ede23cf8b0590fedc887e0ace8ee40
    SHA256 a0d25aae9482a4eb539b6efa575a91c15ee2c482d344d40bdb856de093dcf983
    SHA512 e0c7858f926c043d6b8a064af9386f3e7c20f9d704dbd58141bdecddf26633d413046a055218a33636e145f83daa7170c11ad5cffbccd0127b5a2384068cb97f
  • C:\Users\Admin\AppData\Local\AJr7bL\lpksetup.exe
    Filesize 196KB
    MD5 c5ba25782bee51b7afce309726eb1102
    SHA1 ab4e438383687ab3ccdb3eb617664dadc76e1fcf
    SHA256 3b7472cf94b3631f55e42e1caa5ae54bec6b256aff97264194b2b34bfdb84835
    SHA512 3f4f0e15a4d70452862a3c7fa88146afdd944471dbcd08ce84629ce458bb508abc97e3944b63f63af1c8458e9cfa44183b5f895068b7dfbe153126eb8b47a110
  • C:\Users\Admin\AppData\Local\D64St0vTL\SPP.dll
    Filesize 99KB
    MD5 509233f4e6b841d9bb7f08df7f904749
    SHA1 bb71cba560ce7c48842b157e93318688fc398ea1
    SHA256 b32aa778fb9cd6e1100c9830ba30935dc9ac2731ed347f4c6b54d04d47ead6c3
    SHA512 c8bd60296df69656cd2466378e1690e20996a9ad79836a4f858e84848c0cc4450eee6f78e9e6cd43313be5588eae248ab098b0d113770046829c68cb2d7e7e81
  • C:\Users\Admin\AppData\Local\D64St0vTL\SPP.dll
    Filesize 89KB
    MD5 aa466d68aea5c09f8dc52d228fd3dbb1
    SHA1 e127a84281aa3ed4fb5c23ea561a2334826fae12
    SHA256 09061081f59c04bc51c8fc2f09ff358bfee5fabd29060dae36af542ccca6bb1b
    SHA512 353c5374ab5d6d9457bab5e3c80732d3f984ba97250780401913a41895fe0945caccb2dfe7096ab0cb20c5f394c8eefac6ec702157cc4e484ed18ca9ff2b1542
  • C:\Users\Admin\AppData\Local\D64St0vTL\wbengine.exe
    Filesize 44KB
    MD5 705e362df90b501f5e360f9155f7337a
    SHA1 7d7efcdf35a4a627b743b1b9621400eb1b4c16c3
    SHA256 bc629ef14705b00f18874fa2dd33652e30dbc43192d473044ac0e28dc0124a48
    SHA512 9688ae0142ed7aaa40db62ab79b96d100417e1d67821cc52f2c17183e826a0e0e338b36f14f7b1791fc941196e5bf6f38ffffd6f1689d6bf088e28128a0f0268
  • C:\Users\Admin\AppData\Local\D64St0vTL\wbengine.exe
    Filesize 78KB
    MD5 0ca51c53b91a475b8404cb010237fa57
    SHA1 561fb8a6c73a8def7e30894fcfa69c1427c90ada
    SHA256 7966407a2457a0753186dde81b202b35b5288e270eed652f194bca93590970ab
    SHA512 1e3c3169b0d6dbcf75705ac6c4d5646e975705743402a64c7d8d98f70850e3b9a9abea53de0744f7b1d0c2aee364bb4c47b5c8f1b34531fe1f40b95ab1055a28
  • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dyngdiaoitf.lnk
    Filesize 1KB
    MD5 6197fb436acefb76aa12bba23a573e3a
    SHA1 6b30d239092c3983e31322b589e88b951e4e5f8d
    SHA256 9c4f04a8a3e8af96de25aab4b82a3aacf55c7b9db7dec171929b5aaa021337e6
    SHA512 6eab03ecef685489a8549fa99239f2f9e5a05e48eac341ebbdac3263b40c51c700e39cc5bf3a2b38cab03929949053d8fd22c6684bbd21fe8380f83f9a1d2d2c
  • C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\J1bwqbEHibJ\SPP.dll
    Filesize 1.7MB
    MD5 aa7138c965524415f1e382dc74651c45
    SHA1 da0b6883cd7be4cff6d8f0cd4be9978be5cd6c51
    SHA256 e966070d1eb37c7d87ff3e4c835bc0ec2cfd5a114a7dd46e4fb8650abae791af
    SHA512 9a3f8e97331259c3e75889e2cbef27a329d6b9ee040ec5e7cb335dabff557b70193a85b4c07347ccadbf08c351ea926f3ed245224198b74e8636ab7a00a03e27
  • C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\WcnqyRq6N\dpx.dll
    Filesize 1.7MB
    MD5 20db1beaa4c3085ccb9dd2282cd694ae
    SHA1 5154938ef118dd602dbb447f1978a7e6bc114c58
    SHA256 ab0fe43dbee8b4c222276b470e6bbc19a19a474af2ca812105cc2de0bf53ddc4
    SHA512 bf9efbd449f0a8428e51c4cb2a46bdc95d684d895464b55038cffaf9e045d453b4ecead64fbb2e16246cd8a1ff137ea49d45746bfc32d8cda7c230c45a0ab49c
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\PPqecE0nwC\WTSAPI32.dll
    Filesize 1.7MB
    MD5 ac478c4dc16b90a649b2a519d91b2032
    SHA1 61589a833db12ca4e90b362f91749cd64f989ace
    SHA256 f7ad90ba837c49d082e1ac5da443d1a06fefb8831ef4d4a4391461c6d9fa3297
    SHA512 4e803f61bae7e4511c920853e2faff804fe075eaa26e1c56aaeb1353564c75dcb369d3c3ac9ac343948721919e1d858b50b7b3d7b1af4ea643590a1add773f24

  • memory/1028-107-0x000002DEF1310000-0x000002DEF1317000-memory.dmp
    Filesize 28KB
  • memory/2028-79-0x0000000140000000-0x00000001401B7000-memory.dmp
    Filesize 1.7MB
  • memory/2028-74-0x0000000140000000-0x00000001401B7000-memory.dmp
    Filesize 1.7MB
  • memory/2028-73-0x00000160FE870000-0x00000160FE877000-memory.dmp
    Filesize 28KB
  • memory/3464-21-0x0000000140000000-0x00000001401B6000-memory.dmp
    Filesize 1.7MB
  • memory/3464-53-0x00007FFFACC20000-0x00007FFFACC30000-memory.dmp
    Filesize 64KB
  • memory/3464-27-0x0000000140000000-0x00000001401B6000-memory.dmp
    Filesize 1.7MB
  • memory/3464-26-0x0000000140000000-0x00000001401B6000-memory.dmp
    Filesize 1.7MB
  • memory/3464-28-0x0000000140000000-0x00000001401B6000-memory.dmp
    Filesize 1.7MB
  • memory/3464-29-0x0000000140000000-0x00000001401B6000-memory.dmp
    Filesize 1.7MB
  • memory/3464-30-0x0000000140000000-0x00000001401B6000-memory.dmp
    Filesize 1.7MB
  • memory/3464-32-0x0000000140000000-0x00000001401B6000-memory.dmp
    Filesize 1.7MB
  • memory/3464-33-0x0000000140000000-0x00000001401B6000-memory.dmp
    Filesize 1.7MB
  • memory/3464-36-0x0000000140000000-0x00000001401B6000-memory.dmp
    Filesize 1.7MB
  • memory/3464-37-0x0000000140000000-0x00000001401B6000-memory.dmp
    Filesize 1.7MB
  • memory/3464-39-0x0000000140000000-0x00000001401B6000-memory.dmp
    Filesize 1.7MB
  • memory/3464-42-0x0000000140000000-0x00000001401B6000-memory.dmp
    Filesize 1.7MB
  • memory/3464-41-0x0000000140000000-0x00000001401B6000-memory.dmp
    Filesize 1.7MB
  • memory/3464-40-0x0000000140000000-0x00000001401B6000-memory.dmp
    Filesize 1.7MB
  • memory/3464-44-0x0000000140000000-0x00000001401B6000-memory.dmp
    Filesize 1.7MB
  • memory/3464-45-0x0000000001470000-0x0000000001477000-memory.dmp
    Filesize 28KB
  • memory/3464-43-0x0000000140000000-0x00000001401B6000-memory.dmp
    Filesize 1.7MB
  • memory/3464-38-0x0000000140000000-0x00000001401B6000-memory.dmp
    Filesize 1.7MB
  • memory/3464-35-0x0000000140000000-0x00000001401B6000-memory.dmp
    Filesize 1.7MB
  • memory/3464-34-0x0000000140000000-0x00000001401B6000-memory.dmp
    Filesize 1.7MB
  • memory/3464-31-0x0000000140000000-0x00000001401B6000-memory.dmp
    Filesize 1.7MB
  • memory/3464-52-0x0000000140000000-0x00000001401B6000-memory.dmp
    Filesize 1.7MB
  • memory/3464-25-0x0000000140000000-0x00000001401B6000-memory.dmp
    Filesize 1.7MB
  • memory/3464-62-0x0000000140000000-0x00000001401B6000-memory.dmp
    Filesize 1.7MB
  • memory/3464-64-0x0000000140000000-0x00000001401B6000-memory.dmp
    Filesize 1.7MB
  • memory/3464-24-0x0000000140000000-0x00000001401B6000-memory.dmp
    Filesize 1.7MB
  • memory/3464-23-0x0000000140000000-0x00000001401B6000-memory.dmp
    Filesize 1.7MB
  • memory/3464-22-0x0000000140000000-0x00000001401B6000-memory.dmp
    Filesize 1.7MB
  • memory/3464-5-0x00000000014A0000-0x00000000014A1000-memory.dmp
    Filesize 4KB
  • memory/3464-20-0x0000000140000000-0x00000001401B6000-memory.dmp
    Filesize 1.7MB
  • memory/3464-19-0x0000000140000000-0x00000001401B6000-memory.dmp
    Filesize 1.7MB
  • memory/3464-18-0x0000000140000000-0x00000001401B6000-memory.dmp
    Filesize 1.7MB
  • memory/3464-17-0x0000000140000000-0x00000001401B6000-memory.dmp
    Filesize 1.7MB
  • memory/3464-7-0x0000000140000000-0x00000001401B6000-memory.dmp
    Filesize 1.7MB
  • memory/3464-16-0x0000000140000000-0x00000001401B6000-memory.dmp
    Filesize 1.7MB
  • memory/3464-10-0x00007FFFACB5A000-0x00007FFFACB5B000-memory.dmp
    Filesize 4KB
  • memory/3464-11-0x0000000140000000-0x00000001401B6000-memory.dmp
    Filesize 1.7MB
  • memory/3464-15-0x0000000140000000-0x00000001401B6000-memory.dmp
    Filesize 1.7MB
  • memory/3464-14-0x0000000140000000-0x00000001401B6000-memory.dmp
    Filesize 1.7MB
  • memory/3464-9-0x0000000140000000-0x00000001401B6000-memory.dmp
    Filesize 1.7MB
  • memory/3464-13-0x0000000140000000-0x00000001401B6000-memory.dmp
    Filesize 1.7MB
  • memory/3464-12-0x0000000140000000-0x00000001401B6000-memory.dmp
    Filesize 1.7MB
  • memory/4900-0-0x0000000140000000-0x00000001401B6000-memory.dmp
    Filesize 1.7MB
  • memory/4900-4-0x0000000140000000-0x00000001401B6000-memory.dmp
    Filesize 1.7MB
  • memory/4900-2-0x0000000002390000-0x0000000002397000-memory.dmp
    Filesize 28KB
  • memory/5032-96-0x0000000140000000-0x00000001401B7000-memory.dmp
    Filesize 1.7MB
  • memory/5032-90-0x0000026D82C80000-0x0000026D82C87000-memory.dmp
    Filesize 28KB
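The Downloads list above mixes two kinds of entries: files written to disk, with hashes, and memory regions dumped from processes, whose names encode the PID and the address range. Two things in it are worth pulling out programmatically rather than by eye. First, several paths appear twice with different hashes (both copies of WTSAPI32.dll and rdpinit.exe in 0Awitw7R, of dpx.dll and lpksetup.exe in AJr7bL, of SPP.dll and wbengine.exe in D64St0vTL), so each such path was written at least twice with different content and every hash needs to go on the IOC list. Second, the dump names give exact region sizes where the Filesize label is rounded: 0x1B6000 (1,794,048 bytes) at 0x140000000 in PIDs 4900 and 3464, and 0x1B7000 at the same base in 2028 and 5032, which is consistent with the 1.7MB of the submitted DLL and of the dropped 1.7MB DLLs; 0x140000000 is the default image base the Microsoft linker assigns to 64-bit executables. The script below is an added example for this page, not part of the sandbox output. It assumes the list is fed to it as text in either layout (key and value on separate lines, as the report is laid out, or on one line), and SAMPLE is constructed from entries copied from the list above with SHA1 and SHA512 values left out for brevity.

```python
"""Parse this report's Downloads list into structured records.

Added example for this page, not part of the sandbox output.  Memory-dump
entries (memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp) are decoded into
PID and address range; the region size is computed from the range rather
than read from the rounded Filesize label.  SAMPLE is constructed from
entries copied from the report (SHA1/SHA512 omitted for brevity).
"""
import re
from collections import defaultdict

KEYS = ("Filesize", "MD5", "SHA1", "SHA256", "SHA512")
MEMORY_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

SAMPLE = r"""
• C:\Users\Admin\AppData\Local\0Awitw7R\WTSAPI32.dll
  Filesize 134KB
  MD5 bda667963d16a933cd1ec9a5082a93c6
  SHA256 e6a6ccd3e9c3108b04b3f54b84a867521d3b59e10e32245b17a88186e9129e9d
• C:\Users\Admin\AppData\Local\0Awitw7R\WTSAPI32.dll
  Filesize 132KB
  MD5 ca1b74e1d8c7ff8a5b6d592d854cb44a
  SHA256 bcb98b83baa3d364dfdfddb38afb95536fc65cc78b65905d5061042e01edef2f
• C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\PPqecE0nwC\WTSAPI32.dll
  Filesize 1.7MB
  MD5 ac478c4dc16b90a649b2a519d91b2032
  SHA256 f7ad90ba837c49d082e1ac5da443d1a06fefb8831ef4d4a4391461c6d9fa3297
• memory/4900-0-0x0000000140000000-0x00000001401B6000-memory.dmp
  Filesize
  1.7MB
• memory/3464-21-0x0000000140000000-0x00000001401B6000-memory.dmp
  Filesize
  1.7MB
• memory/2028-79-0x0000000140000000-0x00000001401B7000-memory.dmp
  Filesize 1.7MB
• memory/5032-96-0x0000000140000000-0x00000001401B7000-memory.dmp
  Filesize 1.7MB
• memory/1028-107-0x000002DEF1310000-0x000002DEF1317000-memory.dmp
  Filesize 28KB
"""


def parse_downloads(text: str) -> list:
    """One dict per bullet; accepts 'Key value' or 'Key' / value on two lines."""
    records, current, pending = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):
            path = line.lstrip("• ").strip()
            current = {"path": path, "kind": "file"}
            m = MEMORY_RE.search(path)
            if m:
                start, end = int(m["start"], 16), int(m["end"], 16)
                current.update(kind="memory", pid=int(m["pid"]), seq=int(m["seq"]),
                               start=start, end=end, size_bytes=end - start)
            records.append(current)
            pending = None
            continue
        if current is None:
            continue
        head, _, rest = line.partition(" ")
        if head in KEYS:
            if rest.strip():
                current[head.lower()] = rest.strip()
                pending = None
            else:
                pending = head.lower()  # value follows on the next line
        elif pending:
            current[pending] = line
            pending = None
    return records


def rewritten_paths(records) -> dict:
    """Paths seen more than once with different SHA-256: written twice with different content."""
    seen = defaultdict(set)
    for r in records:
        if r["kind"] == "file" and "sha256" in r:
            seen[r["path"]].add(r["sha256"])
    return {p: sorted(h) for p, h in seen.items() if len(h) > 1}


def shared_regions(records) -> dict:
    """(start, size) -> sorted PIDs, for regions dumped from more than one process."""
    pids = defaultdict(set)
    for r in records:
        if r["kind"] == "memory":
            pids[(r["start"], r["size_bytes"])].add(r["pid"])
    return {k: sorted(v) for k, v in pids.items() if len(v) > 1}


if __name__ == "__main__":
    recs = parse_downloads(SAMPLE)
    for path, hashes in rewritten_paths(recs).items():
        print(f"written more than once: {path} -> {hashes}")
    for (start, size), pids in shared_regions(recs).items():
        print(f"region 0x{start:X} size 0x{size:X} ({size} bytes) dumped from PIDs {pids}")
```

To run it over the full list, paste the Downloads section into a file and call parse_downloads on its contents; the per-record dicts carry every hash the report lists, so the output can feed a blocklist directly.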