Analysis

  • max time kernel
    151s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25-12-2023 07:52

General

  • Target

    103bce51e2fb20c197343aaf2d602bad.dll

  • Size

    656KB

  • MD5

    103bce51e2fb20c197343aaf2d602bad

  • SHA1

    3df0dcccbce4abeb9639358e234e30055f569a7a

  • SHA256

    b95c5ad1c557db07298ed44764a8ba2b022c508ccef0f1a4ff87bf813e3e2463

  • SHA512

    31240770fd9725ba0d28450f245f28d4a1eb751067aa0252bb5c35e31ff9c8bdf406dbf2d2715d78fb8508fbfc3808a0f04ab59c195763e2b12b267ba924be6b

  • SSDEEP

    12288:cKYQ5LL540CV3UIeLPrleV1F0e8gMA/9L0l3HATpKR4:dYQ5p4f0POF0nkls3opKR

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a banking trojan that specializes in stealing banking credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex payload shellcode injected into the Explorer process.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\103bce51e2fb20c197343aaf2d602bad.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:868
  • C:\Windows\system32\Netplwiz.exe
    C:\Windows\system32\Netplwiz.exe
    1⤵
    PID:2256
  • C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\e7w4f.cmd
    1⤵
    PID:4972
  • C:\Windows\system32\sppsvc.exe
    C:\Windows\system32\sppsvc.exe
    1⤵
    PID:4652
  • C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\shWw9.cmd
    1⤵
    • Drops file in System32 directory
    PID:4928
  • C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /Create /F /TN "Ugwggfx" /TR "C:\Windows\system32\d2sfFF\sppsvc.exe" /SC minute /MO 60 /RL highest
    1⤵
    • Creates scheduled task(s)
    PID:2640
  • C:\Windows\system32\schtasks.exe
    C:\Windows\system32\schtasks.exe /Query /TN "Ugwggfx"
    1⤵
    PID:1320
  • C:\Windows\system32\schtasks.exe
    C:\Windows\system32\schtasks.exe /Query /TN "Ugwggfx"
    1⤵
    PID:1312
  • C:\Windows\system32\schtasks.exe
    C:\Windows\system32\schtasks.exe /Query /TN "Ugwggfx"
    1⤵
    PID:3444
  • C:\Windows\system32\schtasks.exe
    C:\Windows\system32\schtasks.exe /Query /TN "Ugwggfx"
    1⤵
    PID:3688
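The process list above records the whole persistence chain in its command lines: two batch scripts run from the user's Temp directory, then schtasks registers a task named Ugwggfx whose action is C:\Windows\system32\d2sfFF\sppsvc.exe (a subdirectory rather than system32 itself), recurring every 60 minutes with /RL highest, and the Downloads section further down lists a Netplwiz.exe copy under AppData\Roaming and a shortcut in the user's Startup folder. The script below is an added example, not sandbox output or Dridex code: it parses the schtasks /Create command line into its switches and screens the command lines and dropped-file paths from this report for those indicators. The two input lists are constructed from the report; the set of Windows binary names it knows (only the two seen here), the expected system directories, the `\AppData\Local\Temp\` marker, and the subset of schtasks switches it treats as value-taking are this example's own assumptions.

```python
# Added example for this report, not sandbox or Dridex code: screen the process command
# lines and dropped-file paths a sandbox reports for persistence indicators.
import ntpath
import re
from typing import List, Optional

# Constructed from the Processes section of this report (one line per process).
PROCESS_CMDLINES = [
    r'rundll32.exe C:\Users\Admin\AppData\Local\Temp\103bce51e2fb20c197343aaf2d602bad.dll,#1',
    r'C:\Windows\system32\Netplwiz.exe',
    r'"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\e7w4f.cmd',
    r'C:\Windows\system32\sppsvc.exe',
    r'"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\shWw9.cmd',
    r'"C:\Windows\system32\schtasks.exe" /Create /F /TN "Ugwggfx" /TR "C:\Windows\system32\d2sfFF\sppsvc.exe" /SC minute /MO 60 /RL highest',
    r'C:\Windows\system32\schtasks.exe /Query /TN "Ugwggfx"',
]
# Constructed from the Downloads section of this report.
DROPPED_FILES = [
    r'C:\Users\Admin\AppData\Local\Temp\e7w4f.cmd',
    r'C:\Users\Admin\AppData\Local\Temp\sC272A.tmp',
    r'C:\Users\Admin\AppData\Local\Temp\shWw9.cmd',
    r'C:\Users\Admin\AppData\Local\Temp\xj4FE1.tmp',
    r'C:\Users\Admin\AppData\Roaming\BH6a7Wl\Netplwiz.exe',
    r'C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Qoccyyzfzcu.lnk',
]
# Assumptions behind the heuristics: where Windows binaries are expected to live, and which
# binary names to treat as Windows binaries (only the two seen in this report).
SYSTEM_DIRS = {r'c:\windows\system32', r'c:\windows\syswow64'}
WINDOWS_BINARIES = {'netplwiz.exe', 'sppsvc.exe'}
# schtasks switches that take a value (a subset of the documented /Create switches).
VALUE_SWITCHES = {'/tn', '/tr', '/sc', '/mo', '/rl', '/ru', '/rp', '/st', '/sd', '/ed', '/ri', '/du', '/xml'}

def split_cmdline(cmdline: str) -> List[str]:
    """Split a Windows command line on whitespace, keeping quoted arguments whole."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]

def image_name(argv: List[str]) -> str:
    return ntpath.basename(argv[0]).lower() if argv else ''

def parse_schtasks_create(cmdline: str) -> Optional[dict]:
    """Return the task a 'schtasks /Create' command line registers, or None for anything else."""
    argv = split_cmdline(cmdline)
    args = argv[1:]
    if image_name(argv) != 'schtasks.exe' or '/create' not in [a.lower() for a in args]:
        return None
    opts, flags, i = {}, set(), 0
    while i < len(args):
        switch = args[i].lower()
        if switch in VALUE_SWITCHES and i + 1 < len(args):
            opts[switch] = args[i + 1]   # keep the value's original case (task name, path)
            i += 2
        else:
            flags.add(switch)
            i += 1
    return {'name': opts.get('/tn', ''), 'action': opts.get('/tr', ''),
            'schedule': opts.get('/sc', '').lower(), 'modifier': opts.get('/mo', ''),
            'run_level': opts.get('/rl', '').lower(), 'force': '/f' in flags}

def path_findings(path: str, what: str) -> List[str]:
    """Flag a Windows binary name outside its system directory, and Startup-folder shortcuts."""
    base, directory = ntpath.basename(path).lower(), ntpath.dirname(path).lower()
    out = []
    if base in WINDOWS_BINARIES and directory not in SYSTEM_DIRS:
        out.append(f'{what}: {base} outside its system directory ({path}); '
                   'check that directory for a DLL the copy loads by name')
    if base.endswith('.lnk') and directory.endswith('\\programs\\startup'):
        out.append(f'{what}: shortcut in the user Startup folder ({path})')
    return out

def task_findings(task: dict) -> List[str]:
    out = []
    if task['run_level'] == 'highest':
        out.append(f'task "{task["name"]}": /RL highest (highest privileges the account has)')
    if task['schedule'] in ('minute', 'hourly'):
        out.append(f'task "{task["name"]}": /SC {task["schedule"]} /MO {task["modifier"]}, '
                   'a recurring re-launch (keep-alive persistence)')
    return out + path_findings(task['action'], f'task "{task["name"]}" action')

def cmd_findings(cmdline: str) -> List[str]:
    """Flag cmd.exe /c or /k running a script out of the user's temp directory."""
    argv = split_cmdline(cmdline)
    if image_name(argv) != 'cmd.exe':
        return []
    for i in range(1, len(argv) - 1):
        if argv[i].lower() in ('/c', '/k') and '\\appdata\\local\\temp\\' in argv[i + 1].lower():
            return [f'cmd.exe runs a script from the user temp directory: {argv[i + 1]}']
    return []

def triage(cmdlines: List[str], dropped: List[str]) -> List[str]:
    findings: List[str] = []
    for cmdline in cmdlines:
        task = parse_schtasks_create(cmdline)
        findings += (task_findings(task) if task else []) + cmd_findings(cmdline)
    for path in dropped:
        findings += path_findings(path, 'dropped file')
    return findings

if __name__ == '__main__':
    print('\n'.join(triage(PROCESS_CMDLINES, DROPPED_FILES)))
```

Run against the report's data it produces seven findings: the two Temp-directory scripts, three for the Ugwggfx task (run level, recurring schedule, action path outside system32), the Netplwiz.exe copy under AppData\Roaming, and the Startup shortcut. The Windows-binary check is deliberately narrow: a copy of a signed Windows executable in a freshly created directory is only interesting because of what sits next to it, so the finding tells the responder where to look rather than claiming what is there. On a live host the same `/TR`, `/SC`, `/MO` and `/RL` fields are available from `schtasks /Query /V /FO CSV`, which is where this parse would be pointed next.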

Network

MITRE ATT&CK Enterprise v15

Downloads

                • C:\Users\Admin\AppData\Local\Temp\e7w4f.cmd

                  Filesize

                  237B

                  MD5

                  0e5fb56c50a141153e51759216fa6d65

                  SHA1

                  354b56159d73316413d398fa80cbf25ec305c403

                  SHA256

                  66189aa4c73cbe0d4a6ad80d84cab75cb84d09282671df02b36ec0c68ace36d7

                  SHA512

                  adc3bee081d1306ae00630777d2fd34061f68e3374f6ac0a80d18990dd702172cb75d893bfd73f8c0b314de67085b7bc6217514d35eddabae199b587fbeaddad

                • C:\Users\Admin\AppData\Local\Temp\sC272A.tmp

                  Filesize

                  660KB

                  MD5

                  3d40f4374a2c93faa226f3f7b7b531f7

                  SHA1

                  336d39d536a26daa8192a04e41f56beaec0d02fd

                  SHA256

                  253b0ef52576aa33ad330ad903de70eab25d1720046b3628169e5ce2cd82e18d

                  SHA512

                  d5647fed54573e52f2b4eca551bf80c96e71f64afbe614efa18846f0a358c97e0652baddb6d62e635d4988c1a5e987946fbcba8b09a19a66829c4f56e72eb5ed

                • C:\Users\Admin\AppData\Local\Temp\shWw9.cmd

                  Filesize

                  198B

                  MD5

                  f7a0ef0f6df7536e5cc743a22d73d57a

                  SHA1

                  a5ed97ef7cc1d58c46fbdca9d03e2347ba511320

                  SHA256

                  28ff24aa6893ca4c51831d5e11fa5eaeedf9422d2443c7293f657eac63686af3

                  SHA512

                  86b659eb6447242425a6c99d855b6e138202c4d81b1d3d0b0a19b8d22f9b9330133c75ea8163405f524e03d7c282687d69d5d0f708c0785dd5d2d41893330920

                • C:\Users\Admin\AppData\Local\Temp\xj4FE1.tmp

                  Filesize

                  660KB

                  MD5

                  646fa71e1b3cb064ccedfd76e5a63e20

                  SHA1

                  a4be0178e112a3265f1c75cf8c5a04891b4f7742

                  SHA256

                  63f893e6046b43071d252d55782279575e70bd9638615886926939fd9823c8c2

                  SHA512

                  86076e6302f825d80f274df44058d57b4a4d9037522c1240930cffbb75e28a6a6ad06260029748311f18a8493a6644365f912ed10f33420fa03acd90da35bbcb

                • C:\Users\Admin\AppData\Roaming\BH6a7Wl\Netplwiz.exe

                  Filesize

                  40KB

                  MD5

                  520a7b7065dcb406d7eca847b81fd4ec

                  SHA1

                  d1b3b046a456630f65d482ff856c71dfd2f335c8

                  SHA256

                  8323b44b6e69f02356a5ab0d03a4fc87b953edcbd85c2b6281bf92bc0a3b224d

                  SHA512

                  7aea2810f38d1640d4aa87efbbe20783fe7b8e7f588864a3a384a37c91108d906abd89b235672608c98c46ed76db2b0039462098a1064ebe4108ec37b6087914

                • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Qoccyyzfzcu.lnk

                  Filesize

                  888B

                  MD5

                  5cbd6aa25ed9d120a7e4100552c08150

                  SHA1

                  829b135bd7b2f641afd582a324cab010b82b336c

                  SHA256

                  084946bc6e69ddf1afa5de57ca359ec3d479bc877865bc7f98f90f6f303bb4fa

                  SHA512

                  386d39be79d884f0d2273dce9b080b15d1a44e91bf2348e1517353e25b6199f7b2abcb119e14e8bd186714bc02d764fd80d1ddfa87a33154f27fc72f9cf81c82

                • memory/868-0-0x00007FF81F990000-0x00007FF81FA34000-memory.dmp

                  Filesize

                  656KB

                • memory/868-2-0x0000015260EA0000-0x0000015260EA7000-memory.dmp

                  Filesize

                  28KB

                • memory/868-6-0x00007FF81F990000-0x00007FF81FA34000-memory.dmp

                  Filesize

                  656KB

                • memory/3304-22-0x0000000140000000-0x00000001400A4000-memory.dmp

                  Filesize

                  656KB

                • memory/3304-20-0x0000000140000000-0x00000001400A4000-memory.dmp

                  Filesize

                  656KB

                • memory/3304-14-0x0000000140000000-0x00000001400A4000-memory.dmp

                  Filesize

                  656KB

                • memory/3304-17-0x0000000140000000-0x00000001400A4000-memory.dmp

                  Filesize

                  656KB

                • memory/3304-18-0x0000000140000000-0x00000001400A4000-memory.dmp

                  Filesize

                  656KB

                • memory/3304-19-0x0000000140000000-0x00000001400A4000-memory.dmp

                  Filesize

                  656KB

                • memory/3304-21-0x0000000140000000-0x00000001400A4000-memory.dmp

                  Filesize

                  656KB

                • memory/3304-11-0x0000000140000000-0x00000001400A4000-memory.dmp

                  Filesize

                  656KB

                • memory/3304-24-0x0000000140000000-0x00000001400A4000-memory.dmp

                  Filesize

                  656KB

                • memory/3304-23-0x0000000140000000-0x00000001400A4000-memory.dmp

                  Filesize

                  656KB

                • memory/3304-27-0x0000000000D10000-0x0000000000D17000-memory.dmp

                  Filesize

                  28KB

                • memory/3304-26-0x0000000140000000-0x00000001400A4000-memory.dmp

                  Filesize

                  656KB

                • memory/3304-25-0x0000000140000000-0x00000001400A4000-memory.dmp

                  Filesize

                  656KB

                • memory/3304-13-0x0000000140000000-0x00000001400A4000-memory.dmp

                  Filesize

                  656KB

                • memory/3304-16-0x0000000140000000-0x00000001400A4000-memory.dmp

                  Filesize

                  656KB

                • memory/3304-15-0x0000000140000000-0x00000001400A4000-memory.dmp

                  Filesize

                  656KB

                • memory/3304-33-0x0000000140000000-0x00000001400A4000-memory.dmp

                  Filesize

                  656KB

                • memory/3304-34-0x00007FF82DC40000-0x00007FF82DC50000-memory.dmp

                  Filesize

                  64KB

                • memory/3304-43-0x0000000140000000-0x00000001400A4000-memory.dmp

                  Filesize

                  656KB

                • memory/3304-45-0x0000000140000000-0x00000001400A4000-memory.dmp

                  Filesize

                  656KB

                • memory/3304-12-0x0000000140000000-0x00000001400A4000-memory.dmp

                  Filesize

                  656KB

                • memory/3304-10-0x0000000140000000-0x00000001400A4000-memory.dmp

                  Filesize

                  656KB

                • memory/3304-9-0x0000000140000000-0x00000001400A4000-memory.dmp

                  Filesize

                  656KB

                • memory/3304-8-0x0000000140000000-0x00000001400A4000-memory.dmp

                  Filesize

                  656KB

                • memory/3304-5-0x00007FF82CC1A000-0x00007FF82CC1B000-memory.dmp

                  Filesize

                  4KB

                • memory/3304-3-0x0000000002A80000-0x0000000002A81000-memory.dmp

                  Filesize

                  4KB