Analysis

  • max time kernel
    150s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20231222-en locale:en-us os:windows10-2004-x64 system
  • submitted
    22-12-2023 17:21

General

  • Target

    ffc534d7f4ae842b482459d6c9bdf83b.dll

  • Size

    1.5MB

  • MD5

    ffc534d7f4ae842b482459d6c9bdf83b

  • SHA1

    df4a15d08f9d32f13438cf5b5f517f435efce2e9

  • SHA256

    edd5115e384baca646c21047b643317e71d268059851bb97426d07b1b9db9c23

  • SHA512

    7d5a0725bc4c191101647e0d979acc647c500e52fb8c4986a7ffff44224d5b5f331079acf77c734169a84e6c248c5f1661f74a5c1e9348d15c3392bc3cc69d78

  • SSDEEP

    12288:ZVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:YfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a banking trojan that specializes in stealing banking credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex payload shellcode injected into the Explorer process.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\ffc534d7f4ae842b482459d6c9bdf83b.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1016
  • C:\Windows\system32\BdeUISrv.exe
    C:\Windows\system32\BdeUISrv.exe
    1⤵
    PID:1108
  • C:\Windows\system32\OptionalFeatures.exe
    C:\Windows\system32\OptionalFeatures.exe
    1⤵
    PID:1008
  • C:\Users\Admin\AppData\Local\htQW8tzp\BdeUISrv.exe
    C:\Users\Admin\AppData\Local\htQW8tzp\BdeUISrv.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:372
  • C:\Windows\system32\BdeUISrv.exe
    C:\Windows\system32\BdeUISrv.exe
    1⤵
    PID:680
  • C:\Users\Admin\AppData\Local\RTZOS2I\OptionalFeatures.exe
    C:\Users\Admin\AppData\Local\RTZOS2I\OptionalFeatures.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:2212
  • C:\Users\Admin\AppData\Local\RfD0a\BdeUISrv.exe
    C:\Users\Admin\AppData\Local\RfD0a\BdeUISrv.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:3996
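
The process tree and the dropped-file list below show the pattern that matters for triage: signed Windows binaries (BdeUISrv.exe, OptionalFeatures.exe) are copied into randomly named directories under AppData, a module is written beside each copy (WTSAPI32.dll, appwiz.cpl) and the "Loads dropped DLL" signature fires on those copies, and a .lnk lands in the Start Menu Startup folder. The script below is an added example, not part of this report or of any sandbox tool. It runs that check over the command lines and dropped paths listed on this page (embedded as constructed input) and is written so a listing exported from another report can be dropped in. Two assumptions are made: the set of "legitimate" binary names is taken from the processes this report shows starting out of System32 rather than from a full System32 inventory, and where the same path appears more than once with different sizes and hashes the largest capture is treated as the completed on-disk file (the smaller ones as in-progress writes), which is also the copy whose hash you would want as an IOC.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed input: command lines from the Processes section of this report.
COMMAND_LINES = [
    r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\ffc534d7f4ae842b482459d6c9bdf83b.dll,#1",
    r"C:\Windows\system32\BdeUISrv.exe",
    r"C:\Windows\system32\OptionalFeatures.exe",
    r"C:\Users\Admin\AppData\Local\htQW8tzp\BdeUISrv.exe",
    r"C:\Users\Admin\AppData\Local\RTZOS2I\OptionalFeatures.exe",
    r"C:\Users\Admin\AppData\Local\RfD0a\BdeUISrv.exe",
]

# Constructed input: (path, size in KB) from the Downloads section. A path that
# appears twice was captured at two points; latest_writes() collapses them.
DROPPED = [
    (r"C:\Users\Admin\AppData\Local\RTZOS2I\OptionalFeatures.exe", 2),
    (r"C:\Users\Admin\AppData\Local\RTZOS2I\OptionalFeatures.exe", 31),
    (r"C:\Users\Admin\AppData\Local\RTZOS2I\appwiz.cpl", 65),
    (r"C:\Users\Admin\AppData\Local\RTZOS2I\appwiz.cpl", 15),
    (r"C:\Users\Admin\AppData\Local\RfD0a\BdeUISrv.exe", 54),
    (r"C:\Users\Admin\AppData\Local\RfD0a\BdeUISrv.exe", 38),
    (r"C:\Users\Admin\AppData\Local\RfD0a\WTSAPI32.dll", 85),
    (r"C:\Users\Admin\AppData\Local\RfD0a\WTSAPI32.dll", 58),
    (r"C:\Users\Admin\AppData\Local\htQW8tzp\BdeUISrv.exe", 19),
    (r"C:\Users\Admin\AppData\Local\htQW8tzp\WTSAPI32.dll", 14),
    (r"C:\Users\Admin\AppData\Local\htQW8tzp\WTSAPI32.dll", 71),
    (r"C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\vKMGJ9hF\WTSAPI32.dll", 32),
    (r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Aqwbkkvq.lnk", 1),
    (r"C:\Users\Admin\AppData\Roaming\Microsoft\AddIns\oeCmqtxx\WTSAPI32.dll", 70),
    (r"C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\tpA1kPMd2Z\appwiz.cpl", 52),
]

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
LOADABLE = {".dll", ".cpl"}  # module types a host EXE resolves by name from its own directory


def image_path(cmdline):
    """First token of a command line (rundll32 is invoked by bare name in this report)."""
    return cmdline.split(" ", 1)[0]


def system_binary_names(cmdlines):
    """Lower-cased names of executables the report shows starting from a system directory."""
    return {PureWindowsPath(image_path(c)).name.lower()
            for c in cmdlines if image_path(c).lower().startswith(SYSTEM_DIRS)}


def is_user_writable(path):
    """True for anything under C:\\Users; writing there needs no elevation."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    return len(parts) > 1 and parts[1] == "users"


def latest_writes(dropped):
    """Collapse repeated paths to one entry. Assumption: the largest capture is the
    completed file and the smaller ones are in-progress writes."""
    best = {}
    for path, kb in dropped:
        if kb >= best.get(path, -1):
            best[path] = kb
    return best


def find_sideload_pairs(cmdlines, dropped):
    """User-writable copies of a system binary together with the .dll/.cpl modules
    dropped into the same directory, i.e. the side-loading staging set."""
    legit = system_binary_names(cmdlines)
    by_dir = defaultdict(list)
    for path in latest_writes(dropped):
        p = PureWindowsPath(path)
        by_dir[str(p.parent).lower()].append(p)
    pairs = []
    for files in by_dir.values():
        modules = sorted(f.name for f in files if f.suffix.lower() in LOADABLE)
        for host in files:
            if host.name.lower() in legit and is_user_writable(host):
                pairs.append((str(host), modules))
    return sorted(pairs)


def find_startup_items(dropped):
    """Files written into a Start Menu Startup folder; matches 8.3 short paths too."""
    hits = []
    for path in latest_writes(dropped):
        parts = [p.lower() for p in PureWindowsPath(path).parts]
        if "programs" in parts and "startup" in parts:
            hits.append(path)
    return sorted(hits)


def masquerading_processes(cmdlines):
    """Processes whose image has a system-binary name but runs from outside a system directory."""
    legit = system_binary_names(cmdlines)
    return sorted({image_path(c) for c in cmdlines
                   if PureWindowsPath(image_path(c)).name.lower() in legit
                   and not image_path(c).lower().startswith(SYSTEM_DIRS)})


if __name__ == "__main__":
    for host, modules in find_sideload_pairs(COMMAND_LINES, DROPPED):
        print(f"side-load staging: {host} + {', '.join(modules)}")
    for item in find_startup_items(DROPPED):
        print(f"startup persistence: {item}")
    for image in masquerading_processes(COMMAND_LINES):
        print(f"system binary name run from user path: {image}")
```

On this report's data the script reports three staging directories (RTZOS2I with OptionalFeatures.exe + appwiz.cpl, RfD0a and htQW8tzp each with BdeUISrv.exe + WTSAPI32.dll), the Startup .lnk, and the same three user-path executions of system-binary names. The WTSAPI32.dll and appwiz.cpl copies under Roaming have no host executable in the listing, so they are not paired; on a live host the same check should be run against the file system, not only the sandbox listing.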

        Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\RTZOS2I\OptionalFeatures.exe

          Filesize

          2KB

          MD5

          3ba651f6b3bbb38bccc32c3bff684283

          SHA1

          e81292ce436222cefef3f25053ddd2a690eeba32

          SHA256

          be82f9afdd7d813bf1846970d4c97e2e0c48592ef9c2737456780036cf50c282

          SHA512

          3d7ae8ade1039c7a879636a7daf124079f452e5d1da6648d914d646e32389498672d4e38ba3890b0462e641892f5da0dce4d8d37c63059609dd4b879346dae56

        • C:\Users\Admin\AppData\Local\RTZOS2I\OptionalFeatures.exe

          Filesize

          31KB

          MD5

          e168c6143af8d783b72b5ae4db230796

          SHA1

          7c4d30a7ffb00662e7f38c96ddc73043114ece61

          SHA256

          d64f277a1cb27338dc9bf0a5a5c6f47311bfc6bfb59766d32e6e46e582463b88

          SHA512

          40e9ab9258c3861a90c3d8e7c8fca7afcb9a088597215952f7e08a190e6603321a31b872e57d66f5dc6a4a1df3a1c71853872972c392671693b8d7f9e2d90827

        • C:\Users\Admin\AppData\Local\RTZOS2I\appwiz.cpl

          Filesize

          65KB

          MD5

          7c02cfef846d97270949979d0e3c141f

          SHA1

          28311ee286528cb22b287e976b3f5cbbf84da106

          SHA256

          79ddfcba287936c9f38b914791522b9d017383462c6ffdc3f0b0dfff4186063a

          SHA512

          8b8cc6e6986bda48d038b03bb0bfa74de4193132e2cbbd5d70149530d5d5f290bbb949b34b8537a23dc679a858f44966208059bb3872f621ef502a4f6867985e

        • C:\Users\Admin\AppData\Local\RTZOS2I\appwiz.cpl

          Filesize

          15KB

          MD5

          b5b11dd493cf110be72334454aba433b

          SHA1

          f868b2fd29cc081403c036e730105386280b1e4a

          SHA256

          4f9257ed3c4c95726bfa6eb868b27fe977e64210cca7f0b54f84b7a46df01f83

          SHA512

          a81afcab7f5473eebd2b29c4ca74b867f78776074ae626752dd1edb4464f0146b9f9991fad776c529d51a54a9b2470495d554c77dd590cf8de77e271e3b9122b

        • C:\Users\Admin\AppData\Local\RfD0a\BdeUISrv.exe

          Filesize

          54KB

          MD5

          8595075667ff2c9a9f9e2eebc62d8f53

          SHA1

          c48b54e571f05d4e21d015bb3926c2129f19191a

          SHA256

          20b05c77f898be08737082e969b39f54fa39753c8c0a06142eb7ad5e0764a2db

          SHA512

          080dbcdd9234c07efe6cea4919ffa305fdc381ccebed9d1020dd6551b54e20e52387e62a344502fa4a85249defd0f9b506528b8dd34675bc9f51f664b8fc4d88

        • C:\Users\Admin\AppData\Local\RfD0a\BdeUISrv.exe

          Filesize

          38KB

          MD5

          e3a89c145fab99bf047c84aaa89799c7

          SHA1

          f5a0430cf9e7148dc8f03b1bdff79dfd098ea33b

          SHA256

          24ff0db52cbf8d8a3a77f6e4e07de74c74d0f4e710c1dd70fd81f9db83e47578

          SHA512

          4b51dc600446087aac4113f5df288aeef66a9a269f2f027ec78b1b93820566a4f3ab1af3aad5cf0880c428dd1241b2b7d8749060b5448ee5d911f37b4ce3631e

        • C:\Users\Admin\AppData\Local\RfD0a\WTSAPI32.dll

          Filesize

          85KB

          MD5

          b59f83d06e0b518473c4af064bc292aa

          SHA1

          dadcc26b02ab1527392f892f6045c4b6f1f07ac3

          SHA256

          3a6ef09cb6232b0039bddfa5c27e0d6cb8c2d2b876dd711c0f2943bb51f7869b

          SHA512

          4e830e711ebb7bad83801a0dd141de33ae42e0ffaddb0afa5ebe5a6db244f14646575107f255550dd20ad1f76e1dcb968652371dccc87bdd9605af640c62cc9e

        • C:\Users\Admin\AppData\Local\RfD0a\WTSAPI32.dll

          Filesize

          58KB

          MD5

          c4b2edf7d7f0e9c6fad896bd8856e174

          SHA1

          86c6a875909b585a696700e6af5be3474ea3b4fa

          SHA256

          66b3859cc619c44d3216aecb6babccb94107a27e5fd8a6e6a9b15034f5421f7d

          SHA512

          ab4f14f6e922c91eb13ce72f4530c6cf7ac1fa9d0cb1c47fd1120fe0173d673f37d3f3c7a317bbea797f52551eed5c8d5493047e1b7a6419bb554cdee2764eb2

        • C:\Users\Admin\AppData\Local\htQW8tzp\BdeUISrv.exe

          Filesize

          19KB

          MD5

          4018ec8a19c0795c624e2e111f90b535

          SHA1

          2fd2365b6e5ce56d1dcfa00ea1694a8682c5861a

          SHA256

          36c1153dbe32c2d5d77e44608c665745aa6ebda83ed3b5dfa23bf804993b61f2

          SHA512

          b677046bd6e390bfd026f37f405b46c37e671253a1e2c29ce4ac25a2a5edf86ae8b71de2e7b6efcfa1531d2c293cbf2f61b3128a0a71b9cdf721f03189d7cf7b

        • C:\Users\Admin\AppData\Local\htQW8tzp\WTSAPI32.dll

          Filesize

          14KB

          MD5

          7359ae495306f5507ff51feb48a5137c

          SHA1

          72dc4034d43fecd85874ca24c13003c0ae9f959c

          SHA256

          16a2688b065671665850a18ca421fd44444f34f57da908082e2fdebb386d988a

          SHA512

          788d87f075a648b87dfbd4b898b713ea58759bca1e62a1166fe98430fb1c606c66d696816c3748ae7e7366bd08a25e66834200cc520d862749ed2a14345e0a02

        • C:\Users\Admin\AppData\Local\htQW8tzp\WTSAPI32.dll

          Filesize

          71KB

          MD5

          c875d6faaee649a20a3d72de6cd29b45

          SHA1

          13e1cbd9bf686a9c64ad8ff99cffca7a8b50db47

          SHA256

          0b19482925e8d882dd2555f6fbb1f22a82095f0cb8ee42a60daf6f5edd8507d1

          SHA512

          9e38449033acbc6aeb218aa3773c2448280596ffb7ff9ad2f3f0058b2341ac5dd2addd3dd59f0c9bbe22db0b86112118a09444d973e36e544125d22d6448da3c

        • C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\vKMGJ9hF\WTSAPI32.dll

          Filesize

          32KB

          MD5

          b2e7e217a8d999fee7a86b4ecedec76f

          SHA1

          d53096479daebe9e73bcc655fb6aff8c5ec3f70e

          SHA256

          24d8e92753921a8a011acea957a9f9d3e9032d8184a146c6ae36b856a5f0096f

          SHA512

          834458b7d349345a8d26372da72b5954dd4c61cecdde47a2689dde12e825311eaa88bcffbe111a3eb349006467b1ebc832ec1cee26bfa486861f66cf051db7e0

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Aqwbkkvq.lnk

          Filesize

          1KB

          MD5

          9116abcd6aaaa5747234ba0b5801ae2b

          SHA1

          65a5282e6858f800bc3a21807b52b009245a3f26

          SHA256

          74744fc1150dd6c488bc56453fd01ee1b6f88e376aef8a9896a879d0711934cc

          SHA512

          60c94678a610d56c29de3033c6ce952fc08a59d2fb7ceab1a1805cb1001b63acf80cb10d07249d76a5b4bdb07a316244c60d54ded8ff511cc702cfd20df22a40

        • C:\Users\Admin\AppData\Roaming\Microsoft\AddIns\oeCmqtxx\WTSAPI32.dll

          Filesize

          70KB

          MD5

          ce17b59c0a46de6a8ab566af8007a84e

          SHA1

          e573c479ea1b60160cb8bb85c7cb5ccc9fe99af1

          SHA256

          3df35ab28f39191c3c756763c1c8a0495693322248648a32b4f8d29721966d27

          SHA512

          2bb08ba8589d18decf2cdd04f8a0cb90d8c4181f89abe7c710f614d87ba646c98da4b97cfe4cfa062d075d342a6cac06c1b2a2a5ce30cd61fbd1c9a73e4a2461

        • C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\tpA1kPMd2Z\appwiz.cpl

          Filesize

          52KB

          MD5

          1a0c5ee0911774f20bafedde4ad8d25b

          SHA1

          6408f911329b3ba8ba2d6b1f979be923e7ef5ed2

          SHA256

          009e30ac140775de5f78c8fe0effac7072f6b8d648978a9dfe936c9c6dd47f5a

          SHA512

          bc33e3f6df5df7f7cdc0f8628d77be8af55fea76eabe0e23246a1dc27ba71b8541595fe371e66d8c6d828f06f904aa73a37e093445c1f4d6b5fa766dc33de29c

        • memory/372-110-0x000002E70A2C0000-0x000002E70A2C7000-memory.dmp

          Filesize

          28KB

        • memory/1016-7-0x0000000140000000-0x0000000140183000-memory.dmp

          Filesize

          1.5MB

        • memory/1016-0-0x0000022567A40000-0x0000022567A47000-memory.dmp

          Filesize

          28KB

        • memory/1016-1-0x0000000140000000-0x0000000140183000-memory.dmp

          Filesize

          1.5MB

        • memory/2212-95-0x0000013FC35E0000-0x0000013FC35E7000-memory.dmp

          Filesize

          28KB

        • memory/3480-24-0x0000000140000000-0x0000000140183000-memory.dmp

          Filesize

          1.5MB

        • memory/3480-55-0x0000000140000000-0x0000000140183000-memory.dmp

          Filesize

          1.5MB

        • memory/3480-38-0x0000000140000000-0x0000000140183000-memory.dmp

          Filesize

          1.5MB

        • memory/3480-36-0x0000000140000000-0x0000000140183000-memory.dmp

          Filesize

          1.5MB

        • memory/3480-35-0x0000000140000000-0x0000000140183000-memory.dmp

          Filesize

          1.5MB

        • memory/3480-32-0x0000000140000000-0x0000000140183000-memory.dmp

          Filesize

          1.5MB

        • memory/3480-30-0x0000000140000000-0x0000000140183000-memory.dmp

          Filesize

          1.5MB

        • memory/3480-29-0x0000000140000000-0x0000000140183000-memory.dmp

          Filesize

          1.5MB

        • memory/3480-28-0x0000000140000000-0x0000000140183000-memory.dmp

          Filesize

          1.5MB

        • memory/3480-27-0x0000000140000000-0x0000000140183000-memory.dmp

          Filesize

          1.5MB

        • memory/3480-20-0x0000000140000000-0x0000000140183000-memory.dmp

          Filesize

          1.5MB

        • memory/3480-19-0x0000000140000000-0x0000000140183000-memory.dmp

          Filesize

          1.5MB

        • memory/3480-15-0x0000000140000000-0x0000000140183000-memory.dmp

          Filesize

          1.5MB

        • memory/3480-14-0x0000000140000000-0x0000000140183000-memory.dmp

          Filesize

          1.5MB

        • memory/3480-10-0x0000000140000000-0x0000000140183000-memory.dmp

          Filesize

          1.5MB

        • memory/3480-8-0x0000000140000000-0x0000000140183000-memory.dmp

          Filesize

          1.5MB

        • memory/3480-41-0x0000000140000000-0x0000000140183000-memory.dmp

          Filesize

          1.5MB

        • memory/3480-46-0x0000000140000000-0x0000000140183000-memory.dmp

          Filesize

          1.5MB

        • memory/3480-45-0x0000000140000000-0x0000000140183000-memory.dmp

          Filesize

          1.5MB

        • memory/3480-44-0x0000000140000000-0x0000000140183000-memory.dmp

          Filesize

          1.5MB

        • memory/3480-48-0x0000000140000000-0x0000000140183000-memory.dmp

          Filesize

          1.5MB

        • memory/3480-47-0x0000000000CD0000-0x0000000000CD7000-memory.dmp

          Filesize

          28KB

        • memory/3480-39-0x0000000140000000-0x0000000140183000-memory.dmp

          Filesize

          1.5MB

        • memory/3480-9-0x00007FFE4AB8A000-0x00007FFE4AB8B000-memory.dmp

          Filesize

          4KB

        • memory/3480-34-0x0000000140000000-0x0000000140183000-memory.dmp

          Filesize

          1.5MB

        • memory/3480-37-0x0000000140000000-0x0000000140183000-memory.dmp

          Filesize

          1.5MB

        • memory/3480-4-0x0000000002A80000-0x0000000002A81000-memory.dmp

          Filesize

          4KB

        • memory/3480-33-0x0000000140000000-0x0000000140183000-memory.dmp

          Filesize

          1.5MB

        • memory/3480-31-0x0000000140000000-0x0000000140183000-memory.dmp

          Filesize

          1.5MB

        • memory/3480-25-0x0000000140000000-0x0000000140183000-memory.dmp

          Filesize

          1.5MB

        • memory/3480-26-0x0000000140000000-0x0000000140183000-memory.dmp

          Filesize

          1.5MB

        • memory/3480-22-0x0000000140000000-0x0000000140183000-memory.dmp

          Filesize

          1.5MB

        • memory/3480-23-0x0000000140000000-0x0000000140183000-memory.dmp

          Filesize

          1.5MB

        • memory/3480-21-0x0000000140000000-0x0000000140183000-memory.dmp

          Filesize

          1.5MB

        • memory/3480-16-0x0000000140000000-0x0000000140183000-memory.dmp

          Filesize

          1.5MB

        • memory/3480-18-0x0000000140000000-0x0000000140183000-memory.dmp

          Filesize

          1.5MB

        • memory/3480-17-0x0000000140000000-0x0000000140183000-memory.dmp

          Filesize

          1.5MB

        • memory/3480-6-0x0000000140000000-0x0000000140183000-memory.dmp

          Filesize

          1.5MB

        • memory/3480-11-0x0000000140000000-0x0000000140183000-memory.dmp

          Filesize

          1.5MB

        • memory/3480-13-0x0000000140000000-0x0000000140183000-memory.dmp

          Filesize

          1.5MB

        • memory/3480-67-0x0000000140000000-0x0000000140183000-memory.dmp

          Filesize

          1.5MB

        • memory/3480-65-0x0000000140000000-0x0000000140183000-memory.dmp

          Filesize

          1.5MB

        • memory/3480-43-0x0000000140000000-0x0000000140183000-memory.dmp

          Filesize

          1.5MB

        • memory/3480-42-0x0000000140000000-0x0000000140183000-memory.dmp

          Filesize

          1.5MB

        • memory/3480-40-0x0000000140000000-0x0000000140183000-memory.dmp

          Filesize

          1.5MB

        • memory/3480-56-0x00007FFE4C300000-0x00007FFE4C310000-memory.dmp

          Filesize

          64KB

        • memory/3480-12-0x0000000140000000-0x0000000140183000-memory.dmp

          Filesize

          1.5MB

        • memory/3996-77-0x0000022B08DF0000-0x0000022B08DF7000-memory.dmp

          Filesize

          28KB

        • memory/3996-76-0x0000000140000000-0x0000000140184000-memory.dmp

          Filesize

          1.5MB

        • memory/3996-82-0x0000000140000000-0x0000000140184000-memory.dmp

          Filesize

          1.5MB