Analysis

  • max time kernel
    153s
  • max time network
    160s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags
    arch:x64 arch:x86 image:win10v2004-20231215-en locale:en-us os:windows10-2004-x64 system
  • submitted
    22-12-2023 16:11

General

  • Target

    eac2738515d0292a80e97bdd871ae3f8.dll

  • Size

    1.4MB

  • MD5

    eac2738515d0292a80e97bdd871ae3f8

  • SHA1

    bd8ef231bfeb6635d869210f39b36f77b691c9e6

  • SHA256

    96761af2af2e82740682729fe36feb508fc90cdc60771957e4583f853a873709

  • SHA512

    c7033b905fd46d55c0dac1629905196c5c09d933957ac5ec13f496397b5a55fdb07a0821d93c394cc0f4b58b8af092ee54388552a7f8c58eb36b91c6083c8711

  • SSDEEP

    12288:2VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:rfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Malware Config

Signatures

  • Dridex

    Dridex (known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\eac2738515d0292a80e97bdd871ae3f8.dll,#1
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1484
  • C:\Windows\system32\SppExtComObj.Exe
    C:\Windows\system32\SppExtComObj.Exe
    PID:2284
    • C:\Users\Admin\AppData\Local\IzGAuc6\SppExtComObj.Exe
      C:\Users\Admin\AppData\Local\IzGAuc6\SppExtComObj.Exe
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:1352
    • C:\Windows\system32\wlrmdr.exe
      C:\Windows\system32\wlrmdr.exe
      PID:3552
      • C:\Windows\system32\usocoreworker.exe
        C:\Windows\system32\usocoreworker.exe
        PID:1408
        • C:\Users\Admin\AppData\Local\rwLmv\wlrmdr.exe
          C:\Users\Admin\AppData\Local\rwLmv\wlrmdr.exe
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1012
        • C:\Users\Admin\AppData\Local\aIXs\usocoreworker.exe
          C:\Users\Admin\AppData\Local\aIXs\usocoreworker.exe
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2420

        Network

        MITRE ATT&CK Enterprise v15


        Downloads

        • C:\Users\Admin\AppData\Local\IzGAuc6\ACTIVEDS.dll

          Filesize

          211KB

          MD5

          a318feb17d6a84e54464e6689737e388

          SHA1

          47df28fc9ca2bd5713950ec6fcb93e881c07cc7a

          SHA256

          97e75c5c2e6354fde18c9fe524bedae5862cb6e25b02c590531f74f5d7431a5e

          SHA512

          b76df3850a7096f4cfa056c19f5156e0cbd20e0a83a849942f981424b1cfded2ed7e6004736a95dade04c1c718ecf83672fdb6e52b3faae6755a61826ea9ee6f

        • C:\Users\Admin\AppData\Local\IzGAuc6\ACTIVEDS.dll

          Filesize

          139KB

          MD5

          a83af39f7e14225220b04ff766f57bd2

          SHA1

          4e02da7198a644c162041680b54461a21d3c1063

          SHA256

          03cbd6f92b49ad1d84c4f012c55621682abd9f33bd0a3d1b29a547fdfc3b49d4

          SHA512

          6dd9e83da86f85a6d7603e762c172ea31d04e7b11973d617b9ee0b3781b8cd562c8f4c3879cae43202d08618a60dc93f08278011055e041c7a7bc3627261846a

        • C:\Users\Admin\AppData\Local\IzGAuc6\SppExtComObj.Exe

          Filesize

          250KB

          MD5

          f59c74622079feed96bc0185097fcc01

          SHA1

          f04b1fd0ac2aec018f8f49e61403c838e2cef766

          SHA256

          af4056f97747b613f348a46268d8902fc43ced13c8d9c1bde7d21882548fa459

          SHA512

          daee87e8f2bd4d90c8af669a22f7773cd83ecdb0ebbdceca4315f4ca0b5159467e6473c87adbcfa1c00e3803a480205d0a6116e1e25b8f3858a8a30df9c67d62

        • C:\Users\Admin\AppData\Local\aIXs\XmlLite.dll

          Filesize

          57KB

          MD5

          49e2d90487ec20ae7f700b4270cf8f38

          SHA1

          d71db232ff51823bcb3e31cfc865edaf57332a76

          SHA256

          f238087a1f0683c2342b74ac2dbfce96b534e70b2a68b88e8093945d4461ce6e

          SHA512

          a85b2d24da46ab508478a667ca350504c746f4a7583439cfed8d5db2b253d68602e3c42edb891295320ffddb46aff4480c91c588dcac92d03b5e29d94cb51c4d

        • C:\Users\Admin\AppData\Local\aIXs\XmlLite.dll

          Filesize

          45KB

          MD5

          8dcd0ed7ab6b2b3926588309af6afe51

          SHA1

          403e646863b87a23acfdf4c7419f1a71231a9b0c

          SHA256

          83a6173ec62628d29981bfc39328427a3b540dded5ab7add727029e452ab7adf

          SHA512

          becd1e38f5b473b49228214006ff59b02da39f0e219349f4005863408a3bc95020ae909bb5f405d60c8e7cfc515ae4a92e20172e292eb8a4faf04ac86851fd25

        • C:\Users\Admin\AppData\Local\aIXs\usocoreworker.exe

          Filesize

          309KB

          MD5

          716c09394203f418654b40117379572d

          SHA1

          a399b13966a70ab9705d96e81f00d73085d9b46c

          SHA256

          1b8643affc82517b07a15e7bf2cbbe4747e55b20e214de8e0e5bf34125c4d5fc

          SHA512

          998ccbdb27a07d1a7ce1aaca29c3f3138081ecfce00c3e6ec3697a5dceec0c70f00dfb4ce99d8c20b1aa88e088542990d27edafdfac340e336213973a42a50df

        • C:\Users\Admin\AppData\Local\aIXs\usocoreworker.exe

          Filesize

          282KB

          MD5

          5c6e2cecd1f16c40f57013b98504163b

          SHA1

          aacf975a6c58e6fd96e6c05bd77868277cb36b42

          SHA256

          4bc67989fb7a5bcf5975d9c7aebd56e4cd266e26793c88e2ee32a3279f1fad48

          SHA512

          cd2d84e554d1c2b6b213f9992de6c13ec0bfc0f10264958bbe0d3be213e144b703f4e5e5ae97d50c8f9d5027bf0cfcdc16c9a1b518c2f402736d56dee0a09c75

        • C:\Users\Admin\AppData\Local\rwLmv\DUI70.dll

          Filesize

          149KB

          MD5

          5f383cb710878712b04682956991cbca

          SHA1

          ff1ed7c0be94d2ef1d20d7768841a8e90a7a3547

          SHA256

          b6eae8e6f9ade312d526c59a376254e95bd314fe7dbc46c338c3fd5addc0c968

          SHA512

          514a83a4d225dc8c68401cc4d2d68280254cf0e265d5d9e37e9b7f637cba8ee346514a99d4f0aa0c01390928a117e74511aa0886e33b06bb17026ad1745a78af

        • C:\Users\Admin\AppData\Local\rwLmv\DUI70.dll

          Filesize

          77KB

          MD5

          4e58b00f69ebea2fb721b4d0635f6326

          SHA1

          310242008b32131fb79a82da91533714799b5c7f

          SHA256

          d66947e0eec4084df0a2f4175fe25f361866b18dbcbf20dd9eb2901351099bf6

          SHA512

          3117c56b1d24051b729acb84ca8f7a571074f08ec466db3b673b4e401d127e1436903663e5bc3ed47d746967bcf09ccb55188cc2842893ec04a19ddd773860e1

        • C:\Users\Admin\AppData\Local\rwLmv\wlrmdr.exe

          Filesize

          66KB

          MD5

          ef9bba7a637a11b224a90bf90a8943ac

          SHA1

          4747ec6efd2d41e049159249c2d888189bb33d1d

          SHA256

          2fda95aafb2e9284c730bf912b93f60a75b151941adc14445ed1e056140325b1

          SHA512

          4c1fdb8e4bf25546a2a33c95268593746f5ae2666ce36c6d9ba5833357f13720c4722231224e82308af8c156485a2c86ffd97e3093717a28d1300d3787ef1831

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Gvhynkxuzozqjys.lnk

          Filesize

          1KB

          MD5

          f139298ff33ba64bdfb68696aebc68de

          SHA1

          3d12e811cec64a05171da5e21a9ed2090544ea78

          SHA256

          e39039899c531517947ce43585965a1540b99f03ad578bc7aeb45c50424bef1a

          SHA512

          6e509becc31cb153be744c76fa81e3da32696b918df3a9a7eba9ec2dbe4085369b9e203e8e23dc6b095746f84640c06f1e0bad1db7ae7f1dcc3f78e8bd492d78

        • C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\oZzEI4w\XmlLite.dll

          Filesize

          1.4MB

          MD5

          8ec9398de90aef60a32b5ad9d7abee3e

          SHA1

          3ae78d31dabee8fd949ffc918c2ffb16d426bc75

          SHA256

          964019b78622fb75a3d8fe111efdeb6c22a45358e6f35288f124b9ad1b8ed310

          SHA512

          f51d1a822bd8ad62b2d8a6b03e399926ac8f344de2be5c598f699d2a94ea7651207161ab4530448bd6950b784c38b0978b1a06e2b35ea8a21fe8a9b0f0dc1f4a

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\lG5H\DUI70.dll

          Filesize

          1.7MB

          MD5

          261b4e979e0bada275f257bb59c6f96b

          SHA1

          1060f6892f7d690b0aa6312edc21c05fd98592c8

          SHA256

          9853b7cee55b639113e3ac2e064d7bf2ae94924b760660dbbd36f25e510ed3c8

          SHA512

          7f5edb4076dc9a79a2920d9e5b92cfa868448b8f389dc2004c2e36a6388dc94be7b00ab8be4fddfbec95e93696e29d30f41070ef9575dfc39dd61351d81c3fee

        • C:\Users\Admin\AppData\Roaming\Microsoft\aWpHcBl\ACTIVEDS.dll

          Filesize

          1.4MB

          MD5

          b8fe45c4f23902cec11c760e8c5a1235

          SHA1

          6fc433bc822009294d0d531591137c2494486969

          SHA256

          16c96d3f6d5828eeeb58ede2b7744ac907e56fd09f39e867d40632593a220481

          SHA512

          4da4fd3991e6bf240f996001943573cda38826b347dedeefb5e8b693a485646da282e34a78c748f9372077384ad742985302ecb531fe8f8a999e858007d42ac9

        • C:\Users\Admin\AppData\Roaming\Microsoft\aWpHcBl\SppExtComObj.Exe

          Filesize

          92KB

          MD5

          80f0961b215c40fe96860564b134c644

          SHA1

          b8e81bd87fd6450c146c13da2aca016a930b601c

          SHA256

          870f9d8d3392c70919a61074af4b51e7e76958b6db9d40df15e3be85cc77f637

          SHA512

          47877e273efa82ead0117141f520dbad9bfe7dda03e620b7b240e2f8195db3ab66cfece3ddbf69dc7f784be1e7a7bd1dcb423ff24ffc918480ae1c9dc6cd83a7

        • memory/1012-84-0x000001A6C24E0000-0x000001A6C24E7000-memory.dmp

          Filesize

          28KB

        • memory/1012-83-0x0000000140000000-0x00000001401B0000-memory.dmp

          Filesize

          1.7MB

        • memory/1012-89-0x0000000140000000-0x00000001401B0000-memory.dmp

          Filesize

          1.7MB

        • memory/1012-82-0x0000000140000000-0x00000001401B0000-memory.dmp

          Filesize

          1.7MB

        • memory/1352-71-0x0000000140000000-0x000000014016B000-memory.dmp

          Filesize

          1.4MB

        • memory/1352-68-0x00000295F39E0000-0x00000295F39E7000-memory.dmp

          Filesize

          28KB

        • memory/1352-65-0x0000000140000000-0x000000014016B000-memory.dmp

          Filesize

          1.4MB

        • memory/1352-66-0x0000000140000000-0x000000014016B000-memory.dmp

          Filesize

          1.4MB

        • memory/1484-0-0x0000000140000000-0x000000014016A000-memory.dmp

          Filesize

          1.4MB

        • memory/1484-1-0x0000000140000000-0x000000014016A000-memory.dmp

          Filesize

          1.4MB

        • memory/1484-3-0x00000191C1230000-0x00000191C1237000-memory.dmp

          Filesize

          28KB

        • memory/1484-9-0x0000000140000000-0x000000014016A000-memory.dmp

          Filesize

          1.4MB

        • memory/2420-101-0x0000000140000000-0x000000014016B000-memory.dmp

          Filesize

          1.4MB

        • memory/2420-107-0x0000000140000000-0x000000014016B000-memory.dmp

          Filesize

          1.4MB

        • memory/2420-103-0x000001CC90010000-0x000001CC90017000-memory.dmp

          Filesize

          28KB

        • memory/3204-19-0x0000000140000000-0x000000014016A000-memory.dmp

          Filesize

          1.4MB

        • memory/3204-26-0x0000000140000000-0x000000014016A000-memory.dmp

          Filesize

          1.4MB

        • memory/3204-25-0x0000000140000000-0x000000014016A000-memory.dmp

          Filesize

          1.4MB

        • memory/3204-37-0x0000000000540000-0x0000000000547000-memory.dmp

          Filesize

          28KB

        • memory/3204-36-0x0000000140000000-0x000000014016A000-memory.dmp

          Filesize

          1.4MB

        • memory/3204-44-0x0000000140000000-0x000000014016A000-memory.dmp

          Filesize

          1.4MB

        • memory/3204-45-0x00007FFE81520000-0x00007FFE81530000-memory.dmp

          Filesize

          64KB

        • memory/3204-54-0x0000000140000000-0x000000014016A000-memory.dmp

          Filesize

          1.4MB

        • memory/3204-56-0x0000000140000000-0x000000014016A000-memory.dmp

          Filesize

          1.4MB

        • memory/3204-28-0x0000000140000000-0x000000014016A000-memory.dmp

          Filesize

          1.4MB

        • memory/3204-29-0x0000000140000000-0x000000014016A000-memory.dmp

          Filesize

          1.4MB

        • memory/3204-30-0x0000000140000000-0x000000014016A000-memory.dmp

          Filesize

          1.4MB

        • memory/3204-32-0x0000000140000000-0x000000014016A000-memory.dmp

          Filesize

          1.4MB

        • memory/3204-33-0x0000000140000000-0x000000014016A000-memory.dmp

          Filesize

          1.4MB

        • memory/3204-34-0x0000000140000000-0x000000014016A000-memory.dmp

          Filesize

          1.4MB

        • memory/3204-35-0x0000000140000000-0x000000014016A000-memory.dmp

          Filesize

          1.4MB

        • memory/3204-31-0x0000000140000000-0x000000014016A000-memory.dmp

          Filesize

          1.4MB

        • memory/3204-27-0x0000000140000000-0x000000014016A000-memory.dmp

          Filesize

          1.4MB

        • memory/3204-23-0x0000000140000000-0x000000014016A000-memory.dmp

          Filesize

          1.4MB

        • memory/3204-24-0x0000000140000000-0x000000014016A000-memory.dmp

          Filesize

          1.4MB

        • memory/3204-22-0x0000000140000000-0x000000014016A000-memory.dmp

          Filesize

          1.4MB

        • memory/3204-21-0x0000000140000000-0x000000014016A000-memory.dmp

          Filesize

          1.4MB

        • memory/3204-20-0x0000000140000000-0x000000014016A000-memory.dmp

          Filesize

          1.4MB

        • memory/3204-18-0x0000000140000000-0x000000014016A000-memory.dmp

          Filesize

          1.4MB

        • memory/3204-8-0x0000000140000000-0x000000014016A000-memory.dmp

          Filesize

          1.4MB

        • memory/3204-17-0x0000000140000000-0x000000014016A000-memory.dmp

          Filesize

          1.4MB

        • memory/3204-16-0x0000000140000000-0x000000014016A000-memory.dmp

          Filesize

          1.4MB

        • memory/3204-14-0x0000000140000000-0x000000014016A000-memory.dmp

          Filesize

          1.4MB

        • memory/3204-13-0x0000000140000000-0x000000014016A000-memory.dmp

          Filesize

          1.4MB

        • memory/3204-15-0x0000000140000000-0x000000014016A000-memory.dmp

          Filesize

          1.4MB

        • memory/3204-12-0x0000000140000000-0x000000014016A000-memory.dmp

          Filesize

          1.4MB

        • memory/3204-11-0x0000000140000000-0x000000014016A000-memory.dmp

          Filesize

          1.4MB

        • memory/3204-10-0x0000000140000000-0x000000014016A000-memory.dmp

          Filesize

          1.4MB

        • memory/3204-5-0x0000000002450000-0x0000000002451000-memory.dmp

          Filesize

          4KB

        • memory/3204-6-0x00007FFE8020A000-0x00007FFE8020B000-memory.dmp

          Filesize

          4KB