Analysis

  • max time kernel
    123s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25-12-2023 19:44

General

  • Target

    38f8f403c494cd304763615d922a67fb.dll

  • Size

    848KB

  • MD5

    38f8f403c494cd304763615d922a67fb

  • SHA1

    7706587dd4bc348037452e7833c6cd663111f440

  • SHA256

    60df94d0fa102fe714906ec53efafa0308a79d6caf9e8688edc8525123a7b1e3

  • SHA512

    8426cb54939bf66bcda1c537ecd0c574d64e548cbf04e03a38f15c670db0300c856a0ea5876b4c551edcdac8d33b266c6dc8f5f00944ffb1bc6fb796537679f8

  • SSDEEP

    12288:AkbQEkWqv+157EYfxarhwLNuR7ek1tHffB/HzTyNQ6NIeGYr/R:AkbHkWfzZ5adwLNGeStHntqN7v

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

  • Dridex payload 11 IoCs

    Detects Dridex x64 core DLL in memory.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 3 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\38f8f403c494cd304763615d922a67fb.dll
    • Suspicious behavior: EnumeratesProcesses
    PID:5000
  • C:\Users\Admin\AppData\Local\ym9AL\BitLockerWizard.exe
    C:\Users\Admin\AppData\Local\ym9AL\BitLockerWizard.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:3324
  • C:\Windows\system32\BitLockerWizard.exe
    C:\Windows\system32\BitLockerWizard.exe
    PID:1436
    • C:\Windows\system32\EaseOfAccessDialog.exe
      C:\Windows\system32\EaseOfAccessDialog.exe
      PID:3772
      • C:\Users\Admin\AppData\Local\jPkY0esy4\EaseOfAccessDialog.exe
        C:\Users\Admin\AppData\Local\jPkY0esy4\EaseOfAccessDialog.exe
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:4500
      • C:\Windows\system32\SysResetErr.exe
        C:\Windows\system32\SysResetErr.exe
        PID:4552
        • C:\Users\Admin\AppData\Local\s1cW\SysResetErr.exe
          C:\Users\Admin\AppData\Local\s1cW\SysResetErr.exe
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2388

Network

MITRE ATT&CK Enterprise v15

Downloads

        • C:\Users\Admin\AppData\Local\jPkY0esy4\EaseOfAccessDialog.exe

          Filesize

          123KB

          MD5

          e75ee992c1041341f709a517c8723c87

          SHA1

          471021260055eac0021f0abffa2d0ba77a2f380e

          SHA256

          0b1731562413eaa972b373cd7388c644a3059940ce67eb89668e4073f3e068dc

          SHA512

          48c3a8531df6bcc5077367cdf32af104c94cf7701118a85e8beabba2e9c4f511ae14e47b6d1b57d11a2bc1e8b4f6d5bacae27a8d16fcd09a8f9e0018f5a6370a

        • C:\Users\Admin\AppData\Local\s1cW\DUI70.dll

          Filesize

          64KB

          MD5

          0e4d6d7d7476c37ce10a2114ac131b7b

          SHA1

          7bedd9d9242eca144b2229f108e2b01b40aaceee

          SHA256

          974a1c627fbf4444f77d4428d0670c08f0d8941e1267cf096a9d44e5455bc4d9

          SHA512

          9aae1cf586a0dfd135e71b3a23ee8053903b5e78fe0a3875f05c501bf8ed5aaf46c45e99e85cce6a04d15af482ff36ec7f2dee928e6d2b1b72b59b9ee786ecc0

        • C:\Users\Admin\AppData\Local\s1cW\DUI70.dll

          Filesize

          149KB

          MD5

          95879dc04c070ffd34dd6f919dcca9e5

          SHA1

          7c219b2ec7e5b36718b74482a7fb595efd352e8d

          SHA256

          8f0f9db9cacf53a7431e15b6cec4a7e1b04768e3c63d51f695d435fec162c91c

          SHA512

          6b8535299944f4a58ba3d1dcfb0cb9576190f61a1de82c8ba404dff02c56da86f5d6ad5ce39b6c61af06cb3a65fd2fc41001404bdde30a15d74795cc25bcec1b

        • C:\Users\Admin\AppData\Local\s1cW\SysResetErr.exe

          Filesize

          41KB

          MD5

          090c6f458d61b7ddbdcfa54e761b8b57

          SHA1

          c5a93e9d6eca4c3842156cc0262933b334113864

          SHA256

          a324e3ba7309164f215645a6db3e74ed35c7034cc07a011ebed2fa60fda4d9cd

          SHA512

          c9ef79397f3a843dcf2bcb5f761d90a4bdadb08e2ca85a35d8668cb13c308b275ed6aa2c8b9194a1f29964e0754ad05e89589025a0b670656386a8d448a1f542

        • C:\Users\Admin\AppData\Local\ym9AL\BitLockerWizard.exe

          Filesize

          100KB

          MD5

          6d30c96f29f64b34bc98e4c81d9b0ee8

          SHA1

          4a3adc355f02b9c69bdbe391bfb01469dee15cf0

          SHA256

          7758227642702e645af5e84d1c0e5690e07687c8209072a2c5f79379299edf74

          SHA512

          25471b0ac7156d9ee9d12181020039bf551ba3efe252b656030c12d93b8db2648a18bdf762740f2a5cd8e43640e4bd4e8742310dea15823fc76b9e1c126876b8

        • C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Collab\oXWulZtz\DUI70.dll

          Filesize

          1.1MB

          MD5

          320b2d02496d8c66fd1e47c6c63adaae

          SHA1

          3cf934c9a4087eeb50501a004822b53c74c7b6db

          SHA256

          dd725ec6e8b7110735ffadbbc8cd499e211c8283c471ca48c615ce02588c77fd

          SHA512

          8ffa8072736126c8fbb0ccb340dd193f391ce16c618ccbd1fd6535b6b2a5432245fb81c828da90dfa08db903bb5dd4d6ae26490609a75e774ffeef29f68f3ae5

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Iydemppuyghrhln.lnk

          Filesize

          1KB

          MD5

          8c53567d7d2badc28cea4c5b7db4a216

          SHA1

          5e6e1eb1eaaee2ede7f7d453a08232e4464fd019

          SHA256

          50f64b8a9035fe61351ced2cf15dd71c78d54a5c0c7a735f846a14cb75f32503

          SHA512

          44e611b77a1501c050abd68f732f2b03565cc2cfbd69746d57e273454c26e371e7bdcb9bb16b1f3e8fed198ddb87c397c32874c49a7f076c5e92d16d6df01afc

        • C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\k4PQ3h5QDMw\FVEWIZ.dll

          Filesize

          349KB

          MD5

          f3cf3095deda254d0e720a0611b7ccc2

          SHA1

          ed7d209366fa5b995431c3805fd9c7968270f297

          SHA256

          bfd3c2bbaa7937eebdce8a2f38226c83a4eb3cf6141b166fa03d86df7167b5b5

          SHA512

          2db7d73a151a5d66f0ed835d6290f6a9c8e38f0721172d45b249f55719a59dc1f4ada655c5d5e395edcda09eaf6d296dfab2c0d5c164ea46f89cfc4a3c5f7f88

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\bKvR\OLEACC.dll

          Filesize

          852KB

          MD5

          d9748e3d357c10790848b4c72a399ee3

          SHA1

          dc5102abaaa0ed30a203081b8379d9eaacf43d6c

          SHA256

          90ea8ebc4731dce515c81086d129cef665de7677cf2d26722e60afd11f291e2f

          SHA512

          cd8db322c28746c4310ebe692b11e91842c358e489e0763c5ef6924957bf809dec5322b1fead19aa684c5485803cf5ee8b40f310b85f7f90fc74a066a6b333f5

        • memory/2388-85-0x00007FFF96C10000-0x00007FFF96D2A000-memory.dmp

          Filesize

          1.1MB

        • memory/2388-81-0x000002CF065F0000-0x000002CF065F7000-memory.dmp

          Filesize

          28KB

        • memory/2388-80-0x00007FFF96C10000-0x00007FFF96D2A000-memory.dmp

          Filesize

          1.1MB

        • memory/3324-49-0x0000019417F10000-0x0000019417F17000-memory.dmp

          Filesize

          28KB

        • memory/3324-48-0x00007FFF96B90000-0x00007FFF96C65000-memory.dmp

          Filesize

          852KB

        • memory/3324-53-0x00007FFF96B90000-0x00007FFF96C65000-memory.dmp

          Filesize

          852KB

        • memory/3528-10-0x0000000140000000-0x00000001400D4000-memory.dmp

          Filesize

          848KB

        • memory/3528-20-0x00000000021C0000-0x00000000021C7000-memory.dmp

          Filesize

          28KB

        • memory/3528-13-0x0000000140000000-0x00000001400D4000-memory.dmp

          Filesize

          848KB

        • memory/3528-12-0x0000000140000000-0x00000001400D4000-memory.dmp

          Filesize

          848KB

        • memory/3528-11-0x0000000140000000-0x00000001400D4000-memory.dmp

          Filesize

          848KB

        • memory/3528-3-0x0000000002210000-0x0000000002211000-memory.dmp

          Filesize

          4KB

        • memory/3528-8-0x00007FFFB2DDA000-0x00007FFFB2DDB000-memory.dmp

          Filesize

          4KB

        • memory/3528-7-0x0000000140000000-0x00000001400D4000-memory.dmp

          Filesize

          848KB

        • memory/3528-6-0x0000000140000000-0x00000001400D4000-memory.dmp

          Filesize

          848KB

        • memory/3528-38-0x0000000140000000-0x00000001400D4000-memory.dmp

          Filesize

          848KB

        • memory/3528-27-0x0000000140000000-0x00000001400D4000-memory.dmp

          Filesize

          848KB

        • memory/3528-28-0x00007FFFB4B00000-0x00007FFFB4B10000-memory.dmp

          Filesize

          64KB

        • memory/3528-29-0x00007FFFB4AF0000-0x00007FFFB4B00000-memory.dmp

          Filesize

          64KB

        • memory/3528-5-0x0000000140000000-0x00000001400D4000-memory.dmp

          Filesize

          848KB

        • memory/3528-9-0x0000000140000000-0x00000001400D4000-memory.dmp

          Filesize

          848KB

        • memory/3528-15-0x0000000140000000-0x00000001400D4000-memory.dmp

          Filesize

          848KB

        • memory/3528-16-0x0000000140000000-0x00000001400D4000-memory.dmp

          Filesize

          848KB

        • memory/3528-17-0x0000000140000000-0x00000001400D4000-memory.dmp

          Filesize

          848KB

        • memory/3528-19-0x0000000140000000-0x00000001400D4000-memory.dmp

          Filesize

          848KB

        • memory/3528-14-0x0000000140000000-0x00000001400D4000-memory.dmp

          Filesize

          848KB

        • memory/3528-18-0x0000000140000000-0x00000001400D4000-memory.dmp

          Filesize

          848KB

        • memory/4500-64-0x000001974B890000-0x000001974B897000-memory.dmp

          Filesize

          28KB

        • memory/4500-69-0x00007FFF96A00000-0x00007FFF96AD5000-memory.dmp

          Filesize

          852KB

        • memory/4500-65-0x00007FFF96A00000-0x00007FFF96AD5000-memory.dmp

          Filesize

          852KB

        • memory/5000-41-0x00007FFFA6030000-0x00007FFFA6104000-memory.dmp

          Filesize

          848KB

        • memory/5000-2-0x0000000002C40000-0x0000000002C47000-memory.dmp

          Filesize

          28KB

        • memory/5000-0-0x00007FFFA6030000-0x00007FFFA6104000-memory.dmp

          Filesize

          848KB