Analysis

  • max time kernel
    150s
  • max time network
    125s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25-12-2023 18:39

General

  • Target

    3526a594f157e00abe6d9baf2c84e361.dll

  • Size

    652KB

  • MD5

    3526a594f157e00abe6d9baf2c84e361

  • SHA1

    08c79f37fa9c70dcae933bb77d8711ce083ea91c

  • SHA256

    8ee1f2fa3582a791cdfc6bae5a3282b82ac28ab60683d968041a4f39584e4d57

  • SHA512

    76b4432bb65d66d1725d7901973afe973e7a5120686b2dce8d4482eb9b97ab829cede0faf1839de61901203e2fc8ec9cc7fbbc050c2d60f9504db94fa8963158

  • SSDEEP

    12288:gKYQ5LL540CV3UIeLPrleV1F0e8gMA/9L0l3HATpKR4:ZYQ5p4f0POF0nkls3opKR

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\3526a594f157e00abe6d9baf2c84e361.dll,#1
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:4488
  • C:\Windows\system32\sppsvc.exe
    C:\Windows\system32\sppsvc.exe
    PID:2332
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\SdINbYD.cmd
      PID:4436
      • C:\Windows\system32\schtasks.exe
        "C:\Windows\system32\schtasks.exe" /Create /F /TN "Kjaztdntfug" /TR "C:\Windows\system32\Bnk0\SystemPropertiesRemote.exe" /SC minute /MO 60 /RL highest
        • Creates scheduled task(s)
        PID:5056
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\62D9sJX.cmd
        • Drops file in System32 directory
        PID:1696
      • C:\Windows\system32\SystemPropertiesRemote.exe
        C:\Windows\system32\SystemPropertiesRemote.exe
        PID:5048
        • C:\Windows\system32\schtasks.exe
          C:\Windows\system32\schtasks.exe /Query /TN "Kjaztdntfug"
          PID:4124
        • C:\Windows\system32\schtasks.exe
          C:\Windows\system32\schtasks.exe /Query /TN "Kjaztdntfug"
          PID:4432
        • C:\Windows\system32\schtasks.exe
          C:\Windows\system32\schtasks.exe /Query /TN "Kjaztdntfug"
          PID:3488
        • C:\Windows\system32\schtasks.exe
          C:\Windows\system32\schtasks.exe /Query /TN "Kjaztdntfug"
          PID:3172
        • C:\Windows\system32\schtasks.exe
          C:\Windows\system32\schtasks.exe /Query /TN "Kjaztdntfug"
          PID:3140
        • C:\Windows\system32\schtasks.exe
          C:\Windows\system32\schtasks.exe /Query /TN "Kjaztdntfug"
          PID:920

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\62D9sJX.cmd
    Filesize: 206B
    MD5: d76e79315d745c67bf9c705242767932
    SHA1: 079ba584885d3b830cf692f589a9e35b66ee7db2
    SHA256: 780169848e2d5ddef9f1944d64e1c4ec2a5caedb7ed68325b4de40eeabdb2ddb
    SHA512: 027f24b210a227dec32672fe138d49fd6f2eecd0b2b60df83fd037e91b1da421849ae53f567dc3956b84b00727de5ab0d41f7151bc29b39d85a29ef8e138fee0

  • C:\Users\Admin\AppData\Local\Temp\SdINbYD.cmd
    Filesize: 232B
    MD5: 2846fb0f6e0b1931523fd625a8ebfa3d
    SHA1: 84b1aff0130d18724797b49a04ec48fe2af55e74
    SHA256: 958a4b41185ae1701dc7b73efecf97431343f8ec06e0bf6deeb03d9bcfb4d995
    SHA512: b8b31a8ffb249183c4b44c35e8cdaf9679591da8bbac7fa8c6c1420aa260f3791d96a9c6c121bdaa0c56e53f4b2db60191496424a1f6048d44541b6fbf86b7aa

  • C:\Users\Admin\AppData\Local\Temp\ZNS7A9E.tmp
    Filesize: 62KB
    MD5: e9f50f4d6d5322e741e559d7ab7a3835
    SHA1: 479eed370f7b136a46c9c729de3c6751951aa4f5
    SHA256: dc4d21cdf98ab842af45a186838dcae5918fdd2cec26c98f0daccaf0d1e638e9
    SHA512: 89323db0f8b73b784d422fe20c7f95e3996397b4475b4a22f40016bd2fabdc2cd31425a105feb8c4da3828f36763a43dbf968f88668ba73aa01ae6dc6b62af0d

  • C:\Users\Admin\AppData\Local\Temp\vLA1FE.tmp
    Filesize: 11KB
    MD5: bbcbb2c70ad66cd3be378276d1138309
    SHA1: dd06411b0c1210710053b2e530c5c77701d61cff
    SHA256: 298cc817d625df06ec00caf59a156113041337b6c55f3b4bcf4e98b26e14a0cc
    SHA512: 22b179e52f801043042bc55d1f77840d221c8b4b69bc36d334d596220823988633853004fc8d9014944277a22b79f921ba190cff74cee156b57a88913eaed08b

  • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Tgnmvdx.lnk
    Filesize: 871B
    MD5: 31aaae295237a98f000213ca13ad1567
    SHA1: cd793fa1198f768f288fdecf88b7c60bd5660879
    SHA256: 11e0961b3369f278c4ba7811c03d8b8370a1f273fe29fe049cb1b6c8d76b399d
    SHA512: 274a34146174ed2e2f99ff484fee85d4946dbef3a3ae5e74d856757ab87895ad65eeebbdd20300223a2e7b4abbadc9248282855bc8598e7a28e925cf3b337309

  • C:\Users\Admin\AppData\Roaming\gpvk7P\sppsvc.exe
    Filesize: 149KB
    MD5: 58c5c8cf49c408f955dfc82e419ec514
    SHA1: 2b00197c781ebb51c049e47a8e378464183496cf
    SHA256: 32e24438eec43bde7a66ede9f24e18537ae81acfe6cf783626db6509c5e572b0
    SHA512: a586ccc118ee7a05c510aac0aa9ed85ee9005f4aaa4bab8921acb718846aba6b5564d339ccd5be442b4e11720e0d5d83d83c1df7bdce18c077be960eb0b0f89a

  • memory/3528-18-0x0000000140000000-0x00000001400A3000-memory.dmp
    Filesize: 652KB
  • memory/3528-15-0x0000000140000000-0x00000001400A3000-memory.dmp
    Filesize: 652KB
  • memory/3528-32-0x00007FF95A700000-0x00007FF95A710000-memory.dmp
    Filesize: 64KB
  • memory/3528-43-0x0000000140000000-0x00000001400A3000-memory.dmp
    Filesize: 652KB
  • memory/3528-41-0x0000000140000000-0x00000001400A3000-memory.dmp
    Filesize: 652KB
  • memory/3528-24-0x0000000140000000-0x00000001400A3000-memory.dmp
    Filesize: 652KB
  • memory/3528-23-0x0000000140000000-0x00000001400A3000-memory.dmp
    Filesize: 652KB
  • memory/3528-22-0x0000000140000000-0x00000001400A3000-memory.dmp
    Filesize: 652KB
  • memory/3528-20-0x0000000140000000-0x00000001400A3000-memory.dmp
    Filesize: 652KB
  • memory/3528-19-0x0000000140000000-0x00000001400A3000-memory.dmp
    Filesize: 652KB
  • memory/3528-7-0x0000000140000000-0x00000001400A3000-memory.dmp
    Filesize: 652KB
  • memory/3528-17-0x0000000140000000-0x00000001400A3000-memory.dmp
    Filesize: 652KB
  • memory/3528-16-0x0000000140000000-0x00000001400A3000-memory.dmp
    Filesize: 652KB
  • memory/3528-31-0x0000000140000000-0x00000001400A3000-memory.dmp
    Filesize: 652KB
  • memory/3528-14-0x0000000140000000-0x00000001400A3000-memory.dmp
    Filesize: 652KB
  • memory/3528-13-0x0000000140000000-0x00000001400A3000-memory.dmp
    Filesize: 652KB
  • memory/3528-12-0x0000000140000000-0x00000001400A3000-memory.dmp
    Filesize: 652KB
  • memory/3528-10-0x0000000140000000-0x00000001400A3000-memory.dmp
    Filesize: 652KB
  • memory/3528-9-0x0000000140000000-0x00000001400A3000-memory.dmp
    Filesize: 652KB
  • memory/3528-8-0x00007FF95885A000-0x00007FF95885B000-memory.dmp
    Filesize: 4KB
  • memory/3528-5-0x0000000140000000-0x00000001400A3000-memory.dmp
    Filesize: 652KB
  • memory/3528-3-0x0000000001240000-0x0000000001241000-memory.dmp
    Filesize: 4KB
  • memory/3528-26-0x00000000011F0000-0x00000000011F7000-memory.dmp
    Filesize: 28KB
  • memory/3528-21-0x0000000140000000-0x00000001400A3000-memory.dmp
    Filesize: 652KB
  • memory/3528-11-0x0000000140000000-0x00000001400A3000-memory.dmp
    Filesize: 652KB
  • memory/4488-0-0x00007FF94C5B0000-0x00007FF94C653000-memory.dmp
    Filesize: 652KB
  • memory/4488-6-0x00007FF94C5B0000-0x00007FF94C653000-memory.dmp
    Filesize: 652KB
  • memory/4488-2-0x000001C2FA5B0000-0x000001C2FA5B7000-memory.dmp
    Filesize: 28KB