Analysis

  • max time kernel
    155s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22-12-2023 16:54

General

  • Target

    f913bdd039587c029c16ebf46f2a7aa3.dll

  • Size

    2.3MB

  • MD5

    f913bdd039587c029c16ebf46f2a7aa3

  • SHA1

    f3dc9a0c28daedbe2ed05a7f74196b9e2021aaec

  • SHA256

    bb2a735d3f812793ac73c336d9f50b5925a25a1788ebc7232e19fc2e007da26b

  • SHA512

    a077469ee0ffc12648c43b35fed235a64f5662444da93791fc54a61ccf0b2619e279f919221555818746d70e1039d86ae70cda2f20104bcec3087a47f0d3c51f

  • SSDEEP

    12288:VVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1XVtag:MfP7fWsK5z9A+WGAW+V5SB6Ct4bnbX

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode (1 IoC)

    Detects Dridex payload shellcode injected into the Explorer process.

  • Executes dropped EXE (3 IoCs)
  • Loads dropped DLL (4 IoCs)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Checks whether UAC is enabled (1 TTP, 4 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of UnmapMainImage (1 IoC)
  • Suspicious use of WriteProcessMemory (12 IoCs)
  • Uses Task Scheduler COM API (1 TTP)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\f913bdd039587c029c16ebf46f2a7aa3.dll,#1
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:4664
  • C:\Windows\system32\unregmp2.exe
    C:\Windows\system32\unregmp2.exe
    PID:1636
    • C:\Users\Admin\AppData\Local\bHti\unregmp2.exe
      C:\Users\Admin\AppData\Local\bHti\unregmp2.exe
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:1416
    • C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
      C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
      PID:4460
      • C:\Users\Admin\AppData\Local\Bv36x3nm\SystemPropertiesDataExecutionPrevention.exe
        C:\Users\Admin\AppData\Local\Bv36x3nm\SystemPropertiesDataExecutionPrevention.exe
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2916
      • C:\Windows\system32\PresentationHost.exe
        C:\Windows\system32\PresentationHost.exe
        PID:2524
        • C:\Users\Admin\AppData\Local\Xk6\PresentationHost.exe
          C:\Users\Admin\AppData\Local\Xk6\PresentationHost.exe
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2804

        Downloads

        • C:\Users\Admin\AppData\Local\Bv36x3nm\SYSDM.CPL

          Filesize

          85KB

          MD5

          7c0a028fc05e9f7b75472b63c0d377db

          SHA1

          714eacb879a5245fcab91c5cf5bdaf6a1e8c9568

          SHA256

          d545a3733827a9e3d7b6a66d508882d1edfd168a44d44f82ff8465b5a18d5313

          SHA512

          e7c7f7916f76357f9418c70b0810365cdda426aff34fe83e321da82f52f52de36b02da2c82575c0fae68edc27ca4682ad61b48a0580d2bff0ddd1bd006aef391

        • C:\Users\Admin\AppData\Local\Bv36x3nm\SYSDM.CPL

          Filesize

          78KB

          MD5

          a16879296d0b96aea8f19ef9c131cfd3

          SHA1

          7c8b8504596b4186530138fb14668a74e34493b3

          SHA256

          c464b4e8b4f0df471fd3baab66069159d2a34e17d63c8b92c0b8fcaabfa59119

          SHA512

          e9f9c6fca6af397d5eb8e57f79a42a984b2e8bfe6b97d095d4b7b3ab613847b16db950732800321f0416fea396cbfcdd6c54f648213a5ac6603cd4c4e624264e

        • C:\Users\Admin\AppData\Local\Bv36x3nm\SystemPropertiesDataExecutionPrevention.exe

          Filesize

          82KB

          MD5

          de58532954c2704f2b2309ffc320651d

          SHA1

          0a9fc98f4d47dccb0b231edf9a63309314f68e3b

          SHA256

          1f810658969560f6e7d7a14f71d1196382e53b984ca190fa9b178ac4a32acfb3

          SHA512

          d4d57cc30d9079f4e9193ba42631e8e53d86b22e9c655d7a8c25e5be0e5e1d6dfff4714ddc23e3e392809d623b4f8d43c63893f74c325fc77459ac03c7a451ed

        • C:\Users\Admin\AppData\Local\Xk6\PresentationHost.exe

          Filesize

          57KB

          MD5

          1e6ba1a53e4f793138878b5fa93585ef

          SHA1

          aa055c7f831bc1aec16ae21e265c967c1fa207a2

          SHA256

          92f38a109114a23b43996150ef5c53eb91c1390da259f742a6249dd40ee2fefa

          SHA512

          028c7d3faa735080d8424707642cd23c4bf2866050b5ff2b6ffe70e0d901ca4320f6ed66870dcd06f18579f4619aa34c0a9cb56566cab149a674161feac1e6a6

        • C:\Users\Admin\AppData\Local\Xk6\PresentationHost.exe

          Filesize

          25KB

          MD5

          cf4b84c8568020da54bfc4481c1cc115

          SHA1

          02eee5515acfd2e20220e75269fe71f13dedc938

          SHA256

          e9325f6c7a28417e3c224eaedf672cab77b68b93f91a75e49aa57960e54423f9

          SHA512

          000ec4c33e53eb334a072ff3e3c1f29b88ed2283715390b88da4cda356a8a7e10fe816335bc2ed7ff6e5af92df187ecddd092e24c1353b47264f4460d5526135

        • C:\Users\Admin\AppData\Local\Xk6\VERSION.dll

          Filesize

          166KB

          MD5

          ece6ed2d4a39db18536a212ac2d11c39

          SHA1

          d0a4fba83ff4961f99a26740c7cc3eacdc863ef0

          SHA256

          f2dd1b7944c04dde1676260a552bfdc03f653d0d9b92ecf568c5e44e237ac00c

          SHA512

          d76555d725180fae9d4624a44f0e456e9d5c10302803048506a7059b85f57b6c1a6b40be9f29b1ce229bda7fcdb4acfaaa6d1c8845101fd6aa3811825e35a620

        • C:\Users\Admin\AppData\Local\Xk6\VERSION.dll

          Filesize

          92KB

          MD5

          9334cf43c0b41427ed1097db33352fad

          SHA1

          836033895cc1739ecfc37588affd6f4867b5af9d

          SHA256

          2739d7c20f6d8549979aba70c7de71238a2da9e067b71d5df138fe7c969e1533

          SHA512

          1f9aeda357da4f0938bd9f2ffbcfd8622e49f056d7d6569d975efe91a108cab17ca6f6fcf5f2b271ab4840e3e8ff38274c6bde0b857a303ecb02731238290166

        • C:\Users\Admin\AppData\Local\bHti\VERSION.dll

          Filesize

          149KB

          MD5

          7105d18403596578c72ac790156a4f78

          SHA1

          319d6cdb431c63c229f010d9b0fcf12bec2d9d0a

          SHA256

          3f97bf5c22aad698a2a63b708052e8eab89d0e23c45472cddde03758018e640b

          SHA512

          f5cff107c2dcc31be5c2ef68773d8e3b5e364fc98287b478367916fd98a950d9f397c3dab00ca3cb62a9f0cb0921b51634c0f7482738b805dd04fa968ce226b2

        • C:\Users\Admin\AppData\Local\bHti\VERSION.dll

          Filesize

          259KB

          MD5

          4b61bc934de9b2f6b67b35b5a26a96fa

          SHA1

          4012d66936c4f05a01ab5e047e732894b1b3acdc

          SHA256

          d9e7183d3f4b39351c6e25633b6cd019f22bbf4bcd0644141452a6d0c77609cc

          SHA512

          833bcc85c9732bf1761fdc0d92c924cdfed6de6977c3b7a96096a1a681b0096e0a2f00175a9552a9299dbc2d103e088b5ad1a30c32c9af92a8770b1be21382f4

        • C:\Users\Admin\AppData\Local\bHti\unregmp2.exe

          Filesize

          157KB

          MD5

          a88baa8ca4898c8db7976407ca71db73

          SHA1

          04d6a6296a819011497115be4194f728885da5fe

          SHA256

          0329c59c933f067dea2bff037416b979587905678c68cd8e06b8d0c3d10e8321

          SHA512

          1d6ac00f7c952135c0eb3e5cbd89487c6720058a469e8a5e81a69e6afab85af26349cef0b0366a161983d2016019478e974f66bbb0bbcf3bb4f4797bd9c448a2

        • C:\Users\Admin\AppData\Local\bHti\unregmp2.exe

          Filesize

          102KB

          MD5

          32f00fa6bc91aa712b00765693bf27f6

          SHA1

          8e36d7b60f5319a9fdd58cefe8722b680a9746e2

          SHA256

          45023db3ef9aec7506a25f51cd644fcdea841a1a265f0b8bcca85f06fc4f4523

          SHA512

          c6cfb0ee278f4f20cf2a29bcde5d592d9e3021ac3c9d554c6fa66332ee89a6d61a39159e189b10c0849eeff18cee8fa405ac573eec13442c0a1543983cf8aebf

        • C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Collab\2FL\VERSION.dll

          Filesize

          1.3MB

          MD5

          21806e1e6fd4d973d1aad8022ff20555

          SHA1

          549fe8e6bdba4809b7d5f932237ca53a93b84558

          SHA256

          ca7c055629d7eb343bc77954438ccbb6566b4c8d44cc80d638a908ded212f5af

          SHA512

          21732354f9e70f35e91df96d9a2819563db33c99d2555576514664084c1413776841925a520ffbe89fe6ed3b2cf1294f82bc64d1c741358b6e85b79c0e323585

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dyngdiaoitf.lnk

          Filesize

          1KB

          MD5

          f4cc64aa779e0c5827695fa57ac6e59d

          SHA1

          080282c895f44ab22c89a4339d7e9d3894cb1a62

          SHA256

          9bf0e4f3d073e3068344d2587e067aa7b7a166ba3d287604a129ae6d39be32bf

          SHA512

          dd6f886d8e20805ef39a6b32f1d22ebab91053b45c937974a5e2412328f709bbab0fc7b1e6e0dbcee8ff93c960f7f4f4980fd288dbd9ca1c875b4266b106737d

        • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\Zc\VERSION.dll

          Filesize

          2.3MB

          MD5

          ca65f4f663506c3bab3c4be29f6f4e56

          SHA1

          80cd87fec2602dc9eeda1ce68a0c0a9ce76a6d55

          SHA256

          c1db4dd88925a52f5dcf86b8d31cecf91f8a37c0a0bc208441dd93b6c1f91fca

          SHA512

          f1e61fd1470144e7eaa9c219af6690188ac7d5ca4818a6dc0cbff4d35d3356e3ce8ca66eba300337490079bee2a26b450694660c2791d068752c8c73d4902810

        • C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\16.0\34HqLHkCE\SYSDM.CPL

          Filesize

          1.7MB

          MD5

          090f382cbd955a049c55471b2aa7c68b

          SHA1

          a3c21dc010d0dccacde7ce4bf5778a945abc6cca

          SHA256

          4e372768c1f3bed2f0b2ea3c17a34a223d7f41c2e45a7217d96abf321a2a02e5

          SHA512

          1c25df05965b4d1a23c5a82f9a40ded5417cda105d1c5e3bd417a3b0f7cb6fa20412093f0cbec3215b44987d69cd9f3c91a69996aca32ee8a2bc96e3b1468b89
