Analysis

  • max time kernel
    4s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24-12-2023 20:15

General

  • Target

    103bce51e2fb20c197343aaf2d602bad.dll

  • Size

    656KB

  • MD5

    103bce51e2fb20c197343aaf2d602bad

  • SHA1

    3df0dcccbce4abeb9639358e234e30055f569a7a

  • SHA256

    b95c5ad1c557db07298ed44764a8ba2b022c508ccef0f1a4ff87bf813e3e2463

  • SHA512

    31240770fd9725ba0d28450f245f28d4a1eb751067aa0252bb5c35e31ff9c8bdf406dbf2d2715d78fb8508fbfc3808a0f04ab59c195763e2b12b267ba924be6b

  • SSDEEP

    12288:cKYQ5LL540CV3UIeLPrleV1F0e8gMA/9L0l3HATpKR4:dYQ5p4f0POF0nkls3opKR

Malware Config

Signatures

  • Dridex

    Dridex (known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode (1 IoCs)

    Detects Dridex Payload shellcode injected in Explorer process.

  • Checks whether UAC is enabled (1 TTPs, 1 IoCs)
  • Creates scheduled task(s) (1 TTPs, 1 IoCs)

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses (4 IoCs)

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\103bce51e2fb20c197343aaf2d602bad.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2644
  • C:\Windows\system32\dpapimig.exe
    C:\Windows\system32\dpapimig.exe
    1⤵
    PID:964
  • C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\kwI.cmd
    1⤵
    PID:4828
  • C:\Windows\system32\PresentationSettings.exe
    C:\Windows\system32\PresentationSettings.exe
    1⤵
    PID:1360
  • C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\0GSMzy2.cmd
    1⤵
    PID:8
  • C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /Create /F /TN "Krslmbwtruyscx" /TR "C:\Windows\system32\97eoV\PresentationSettings.exe" /SC minute /MO 60 /RL highest
    1⤵
    • Creates scheduled task(s)
    PID:1776
  • C:\Windows\system32\schtasks.exe
    C:\Windows\system32\schtasks.exe /Query /TN "Krslmbwtruyscx"
    1⤵
    PID:4264
  • C:\Windows\system32\schtasks.exe
    C:\Windows\system32\schtasks.exe /Query /TN "Krslmbwtruyscx"
    1⤵
    PID:1412
  • C:\Windows\system32\schtasks.exe
    C:\Windows\system32\schtasks.exe /Query /TN "Krslmbwtruyscx"
    1⤵
    PID:2712
  • C:\Windows\system32\schtasks.exe
    C:\Windows\system32\schtasks.exe /Query /TN "Krslmbwtruyscx"
    1⤵
    PID:3704
  • C:\Windows\system32\schtasks.exe
    C:\Windows\system32\schtasks.exe /Query /TN "Krslmbwtruyscx"
    1⤵
    PID:2860
  • C:\Windows\system32\schtasks.exe
    C:\Windows\system32\schtasks.exe /Query /TN "Krslmbwtruyscx"
    1⤵
    PID:4536

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\0GSMzy2.cmd
    Filesize: 206B
    MD5: 19c4a594c4258d5f0a4c75df6e32afed
    SHA1: b238eb1e53fdbd225fd7c7dd57adc50dee5b4e1d
    SHA256: 413fc6e4876c72fbb6095106c1d3e3238fd1bb58d726943839ce770cd5aee608
    SHA512: 28281f22d28b5471dd05af8f0ca1551930097e40ed5531367ced55d9144161563143689fc9a072379165a538078f95a4ea3fe8c6c7c0387b1fc69df3f5a9a605

  • C:\Users\Admin\AppData\Local\Temp\eA316.tmp
    Filesize: 57KB
    MD5: b2f4c950ca137c633323384880f7f69b
    SHA1: c90d591fba714190eb031928f059420c07c086ab
    SHA256: 3f62dd0b8d197a0d4dcf4a23534908959424f532816acb36229cb41959970b7f
    SHA512: cb3af6d99793b9b16591986c1e37dfdd81434125b58d6b8802f177edcf17513cd284568ea309bc2587ff81d42cca08a39add0b2eafa99427418774c83e8129db

  • C:\Users\Admin\AppData\Local\Temp\hCAE2.tmp
    Filesize: 29KB
    MD5: 99f79a59767a632249d0e7ea17efabf0
    SHA1: 02e7fb149bc10d0ae2b5ced261480732e4105caa
    SHA256: 60a8b11c9d4d958866c87fb4eae4c0f8643be221a8a8892d84ffcbfcb6f4c9f9
    SHA512: ef467ec29606997fd3ed14580b7f67d86468aa227eaa447dfa030df469a64bc3ca76411f534bcfdb87b695dbb387fe4e52742e72974ca459328a0f88f2c783ab

  • C:\Users\Admin\AppData\Local\Temp\kwI.cmd
    Filesize: 230B
    MD5: c335a703293c2b18690629e4dd20066b
    SHA1: f27b13a37e71ba9064b0508d9794d2de7c97c2c5
    SHA256: 57b179272554fb5af6af739fd4826d78cd66e484fcf6d5fcd09e8eb78b2285e2
    SHA512: 5080383881498cc9e3473e0ff0ed765639eada485c9547401a964d3c8bc7cb6f93b13d2b173c750c8e126e9a9f17832111a7c5223cc865c5acb7d6618202c238

  • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dturazvnnsjkgvr.lnk
    Filesize: 883B
    MD5: a7d8c82f584d22939a0d2d5416c26486
    SHA1: ceb05d0e556eac81e08e26f6dce72a90d329c499
    SHA256: 14cd707f235a93e618e8e74bc2f12cc0fb94b3ff647eab0ecf64ef805fcec713
    SHA512: fae233c464a7cb8d3fa594f0d2ab6d7bbce206eebb09681ec197d317916ef31ed83830c01c700b184be996f61a245f5b2b4bb7acd41a049731845b9a94735747

  • C:\Users\Admin\AppData\Roaming\e8jhcM\dpapimig.exe
    Filesize: 53KB
    MD5: 608f84b28217f8769689d40266494ea8
    SHA1: 07240d04a9c61390252f09e5d9334e17ae0842c3
    SHA256: df98e51672e195aadba7c774adcc87ff4bf00973596cb758cfd73bd2856332ce
    SHA512: 9674f36777709874dc76139977c5556504af556f3b50560175756f3c583c8d4ae4adce4f92d6db6e7188ca6ac97bc6733c064606456755f48829f2796373d38d

  • memory/2644-1-0x00007FF8F89A0000-0x00007FF8F8A44000-memory.dmp
    Filesize: 656KB
  • memory/2644-0-0x000002690E420000-0x000002690E427000-memory.dmp
    Filesize: 28KB
  • memory/2644-6-0x00007FF8F89A0000-0x00007FF8F8A44000-memory.dmp
    Filesize: 656KB
  • memory/3428-42-0x0000000140000000-0x00000001400A4000-memory.dmp
    Filesize: 656KB
  • memory/3428-12-0x0000000140000000-0x00000001400A4000-memory.dmp
    Filesize: 656KB
  • memory/3428-25-0x0000000000A40000-0x0000000000A47000-memory.dmp
    Filesize: 28KB
  • memory/3428-21-0x0000000140000000-0x00000001400A4000-memory.dmp
    Filesize: 656KB
  • memory/3428-32-0x0000000140000000-0x00000001400A4000-memory.dmp
    Filesize: 656KB
  • memory/3428-33-0x00007FF906B00000-0x00007FF906B10000-memory.dmp
    Filesize: 64KB
  • memory/3428-22-0x0000000140000000-0x00000001400A4000-memory.dmp
    Filesize: 656KB
  • memory/3428-26-0x0000000140000000-0x00000001400A4000-memory.dmp
    Filesize: 656KB
  • memory/3428-44-0x0000000140000000-0x00000001400A4000-memory.dmp
    Filesize: 656KB
  • memory/3428-20-0x0000000140000000-0x00000001400A4000-memory.dmp
    Filesize: 656KB
  • memory/3428-18-0x0000000140000000-0x00000001400A4000-memory.dmp
    Filesize: 656KB
  • memory/3428-17-0x0000000140000000-0x00000001400A4000-memory.dmp
    Filesize: 656KB
  • memory/3428-16-0x0000000140000000-0x00000001400A4000-memory.dmp
    Filesize: 656KB
  • memory/3428-24-0x0000000140000000-0x00000001400A4000-memory.dmp
    Filesize: 656KB
  • memory/3428-11-0x0000000140000000-0x00000001400A4000-memory.dmp
    Filesize: 656KB
  • memory/3428-9-0x0000000140000000-0x00000001400A4000-memory.dmp
    Filesize: 656KB
  • memory/3428-8-0x00007FF9067DA000-0x00007FF9067DB000-memory.dmp
    Filesize: 4KB
  • memory/3428-7-0x0000000140000000-0x00000001400A4000-memory.dmp
    Filesize: 656KB
  • memory/3428-5-0x0000000140000000-0x00000001400A4000-memory.dmp
    Filesize: 656KB
  • memory/3428-3-0x00000000027D0000-0x00000000027D1000-memory.dmp
    Filesize: 4KB
  • memory/3428-23-0x0000000140000000-0x00000001400A4000-memory.dmp
    Filesize: 656KB
  • memory/3428-19-0x0000000140000000-0x00000001400A4000-memory.dmp
    Filesize: 656KB
  • memory/3428-13-0x0000000140000000-0x00000001400A4000-memory.dmp
    Filesize: 656KB
  • memory/3428-14-0x0000000140000000-0x00000001400A4000-memory.dmp
    Filesize: 656KB
  • memory/3428-15-0x0000000140000000-0x00000001400A4000-memory.dmp
    Filesize: 656KB
  • memory/3428-10-0x0000000140000000-0x00000001400A4000-memory.dmp
    Filesize: 656KB