Analysis

  • max time kernel
    51s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26-12-2023 14:55

General

  • Target

    772b68bf3048024e686be386fbfe5083.dll

  • Size

    652KB

  • MD5

    772b68bf3048024e686be386fbfe5083

  • SHA1

    458a9a79779cf07157ec419d9511975e2f8aa2c8

  • SHA256

    7c62dc19058fca240cc5e8942a240f7691e6066aa3d59a51185ac3209e8f1409

  • SHA512

    18164714b6ced7284218c0dc8c4e0013b1b08084e07f89322564bdd0bf5d37c62edcb947965e1384e26fe36dd7d613a82697a4429fc935ee1557edf3c9290d62

  • SSDEEP

    12288:8KYQ5LL540CV3UIeLPrleV1F0e8gMA/9L0l3HATpKR4:9YQ5p4f0POF0nkls3opKR

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat or Cridex) is a banking trojan that specializes in stealing bank credentials.

  • Dridex Shellcode (1 IoC)

    Detects Dridex payload shellcode injected into the Explorer process.

  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Checks whether UAC is enabled (1 TTP, 1 IoC)
  • Drops file in System32 directory (2 IoCs)
  • Creates scheduled task(s) (1 TTP, 1 IoC)

    schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of AdjustPrivilegeToken (6 IoCs)
  • Suspicious use of WriteProcessMemory (12 IoCs)
  • Uses Task Scheduler COM API (1 TTP)

    The Task Scheduler COM API can be used to schedule applications to run at boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\772b68bf3048024e686be386fbfe5083.dll,#1
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1208
  • C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\wwPwGp.cmd
    PID:4840
  • C:\Windows\system32\rdpinit.exe
    C:\Windows\system32\rdpinit.exe
    PID:2320
  • C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /Create /F /TN "Mtkoqsmyqyvls" /TR "C:\Windows\system32\J0u34\WMPDMC.exe" /SC minute /MO 60 /RL highest
    • Creates scheduled task(s)
    PID:3224
  • C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\XbR9A.cmd
    • Drops file in System32 directory
    PID:3968
  • C:\Windows\system32\WMPDMC.exe
    C:\Windows\system32\WMPDMC.exe
    PID:4088
  • C:\Windows\system32\schtasks.exe
    C:\Windows\system32\schtasks.exe /Query /TN "Mtkoqsmyqyvls"
    PID:832
  • C:\Windows\system32\schtasks.exe
    C:\Windows\system32\schtasks.exe /Query /TN "Mtkoqsmyqyvls"
    PID:1472
  • C:\Windows\system32\schtasks.exe
    C:\Windows\system32\schtasks.exe /Query /TN "Mtkoqsmyqyvls"
    PID:3424
  • C:\Windows\system32\schtasks.exe
    C:\Windows\system32\schtasks.exe /Query /TN "Mtkoqsmyqyvls"
    PID:4984
  • C:\Windows\system32\schtasks.exe
    C:\Windows\system32\schtasks.exe /Query /TN "Mtkoqsmyqyvls"
    PID:1596
  • C:\Windows\system32\schtasks.exe
    C:\Windows\system32\schtasks.exe /Query /TN "Mtkoqsmyqyvls"
    PID:1552
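The process list above shows the persistence chain in one place: a batch file, a copy of a Windows binary executing from a directory that is not its home (WMPDMC.exe under System32\J0u34, and rdpinit.exe dropped under AppData\Roaming\yVtwNVk), and a scheduled task that re-runs the copy every 60 minutes with /RL highest, which requests the highest privileges available to the account. The Python below is an added example, not part of the sandbox report: it parses the schtasks command lines and image paths copied from this report (the sample input is constructed from the lines above, PIDs included) and flags those observables. The CANONICAL_DIRS table is an assumption for the example and lists only the two binaries this report shows; a real detector would carry a catalog of OS binaries and their signed locations.

```python
"""Flag scheduled-task persistence and misplaced system binaries.

Added example, not code from the sandbox report. Input is constructed from
the command lines and dropped-file paths shown in the report above.
"""
import ntpath
import re

# Assumption for this example: a hand-written table of binaries whose
# legitimate home is System32. Only the two names from the report are listed.
CANONICAL_DIRS = {
    "rdpinit.exe": r"c:\windows\system32",
    "wmpdmc.exe": r"c:\windows\system32",
}

# Constructed input: command lines and PIDs copied from the process list.
EVENTS = [
    {"pid": 1208, "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\772b68bf3048024e686be386fbfe5083.dll,#1"},
    {"pid": 4840, "cmdline": r'"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\wwPwGp.cmd'},
    {"pid": 3224, "cmdline": r'"C:\Windows\system32\schtasks.exe" /Create /F /TN "Mtkoqsmyqyvls" /TR "C:\Windows\system32\J0u34\WMPDMC.exe" /SC minute /MO 60 /RL highest'},
    {"pid": 4088, "cmdline": r"C:\Windows\system32\WMPDMC.exe"},
    {"pid": 832, "cmdline": r'C:\Windows\system32\schtasks.exe /Query /TN "Mtkoqsmyqyvls"'},
]
# Constructed input: two of the dropped files listed under Downloads.
DROPPED_FILES = [
    r"C:\Users\Admin\AppData\Roaming\yVtwNVk\rdpinit.exe",
    r"C:\Users\Admin\AppData\Local\Temp\XbR9A.cmd",
]


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping quoted spans whole
    (quotes stripped). Backslashes are not escape characters on Windows, so a
    plain regex is sufficient."""
    return [q if q else bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def parse_schtasks(cmdline):
    """Return (verb, flags) for a schtasks command line, e.g.
    ('create', {'f': True, 'tn': 'Mtkoqsmyqyvls', 'rl': 'highest', ...}).
    A flag followed by another flag (or nothing) is recorded as True.
    Returns (None, {}) when the image is not schtasks.exe."""
    toks = tokenize(cmdline)
    if not toks or ntpath.basename(toks[0]).lower() != "schtasks.exe":
        return None, {}
    flags = {}
    i = 1
    while i < len(toks):
        tok = toks[i]
        if not tok.startswith("/"):
            i += 1
            continue
        name = tok[1:].lower()
        if i + 1 < len(toks) and not toks[i + 1].startswith("/"):
            flags[name] = toks[i + 1]
            i += 2
        else:
            flags[name] = True
            i += 1
    verb = next((v for v in ("create", "query", "delete", "run", "change") if v in flags), None)
    return verb, flags


def misplaced_system_binary(path):
    """Return the canonical directory if `path` names a known System32 binary
    that lives somewhere else, otherwise None."""
    name = ntpath.basename(path).lower()
    home = CANONICAL_DIRS.get(name)
    if home is None:
        return None
    directory = ntpath.dirname(path).lower().rstrip("\\")
    return home if directory != home else None


def analyze(events, dropped_files):
    """Return a list of (pid, kind, detail) findings over process events and
    dropped-file paths."""
    findings = []
    for ev in events:
        verb, flags = parse_schtasks(ev["cmdline"])
        if verb == "create":
            action = flags.get("tr") if isinstance(flags.get("tr"), str) else ""
            if str(flags.get("rl", "")).lower() == "highest":
                findings.append((ev["pid"], "schtasks_highest",
                                 f"task {flags.get('tn')!r} runs {action!r} with /RL highest "
                                 f"every {flags.get('mo')} {flags.get('sc')}(s)"))
            home = misplaced_system_binary(action)
            if home:
                findings.append((ev["pid"], "misplaced_task_action", f"{action!r} is not under {home}"))
        toks = tokenize(ev["cmdline"])
        home = misplaced_system_binary(toks[0]) if toks else None
        if home:
            findings.append((ev["pid"], "misplaced_image", f"{toks[0]!r} is not under {home}"))
    for path in dropped_files:
        home = misplaced_system_binary(path)
        if home:
            findings.append((None, "misplaced_dropped_binary", f"{path!r} is not under {home}"))
    return findings


if __name__ == "__main__":
    for pid, kind, detail in analyze(EVENTS, DROPPED_FILES):
        print(f"[{kind}] pid={pid}: {detail}")
```

The three findings it produces on this report's lines are the task created with /RL highest, the task action living in a non-standard subdirectory of System32, and the rdpinit.exe copy under a user-writable Roaming directory. The /Query lines are parsed but produce nothing, which is the point of keying on the verb rather than on the schtasks.exe image alone.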

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Bsv72EE.tmp
    Filesize: 92KB
    MD5: 483fd818df66e432f2232f4617e10d39
    SHA1: 8ec7f41d0863a05665f571fc34e4c9362153ab79
    SHA256: 0070cd47d3c7b852db51a891fcd08c25a5e7dc049ba946700b8b9e4c30234bc0
    SHA512: 7b55185e7cc35a674a13cfff48dc07f654a59d67b22e8c7c99532e542003e12dc420731a6e5ffeed18edf5d2e7f627372f43f71e4ac87d16322bcc140af7c68a

  • C:\Users\Admin\AppData\Local\Temp\UW9A5C.tmp
    Filesize: 219KB
    MD5: 79165f482d17ced2e968edd56ec75d1b
    SHA1: cbe4f04cb0c8d06bcff42b43716fd1a1d6096095
    SHA256: 3bf7312b661fef1e4e6f54e866a365f096e109adca1f716257cca1b8e65b3442
    SHA512: 6e7fb8bf5e6631fc1691298d1867492e6edd19660912a65bdbdad989817591b3d88c9cc7134b05a4a23877adb693595340f35040968ae0f687410a2ce18881b4

  • C:\Users\Admin\AppData\Local\Temp\XbR9A.cmd
    Filesize: 195B
    MD5: 933ad1e2f3e1d49ef8cd8a59f3affe09
    SHA1: 7a8a816d6d595f395b5a10043dfc868d02194f89
    SHA256: 7245c7cdc720710c22a7af2a738b5d8e740d07e2309255af20708de7d3a73772
    SHA512: efaa481ce78a9d1762cf1e0443956e03d49b8ca2fde2c1db1a186acde1220ff17f18e522bff332edc310cce99ed0bd0833c5f6cba4e22579af19835ffe601e39

  • C:\Users\Admin\AppData\Local\Temp\wwPwGp.cmd
    Filesize: 235B
    MD5: c1531074ed36eb217c0ba2adc63136e4
    SHA1: c87f6544c63df73515e2e4c23b1d059823f5270c
    SHA256: 3fcfc7e9c24e140b0f1754b57b3e3e10265294cbcbfb31b1314caf5017724202
    SHA512: 6487906c1e65c04c4dfb670946791a19a0786f5ebb89652e283bb11c9b657710ef5b60952629a7e9a659cdd41807d31acf79176d63747c21e40cc9f00e2d11ce

  • C:\Users\Admin\AppData\Roaming\yVtwNVk\rdpinit.exe
    Filesize: 343KB
    MD5: b0ecd76d99c5f5134aeb52460add6f80
    SHA1: 51462078092c9d6b7fa2b9544ffe0a49eb258106
    SHA256: 51251863097f7c80ef59606152ec59e7522881c8e3886c194c43f56bcab92e1b
    SHA512: 16855c7db48b26297c78d37d52ad03f6af0f5a58e333e17ad83b34f5e8b200c5517c6481043af0ecf1b962af2378f38600bd968592f4e1018b5a1b9400adb367

  • memory/1208-0-0x00007FFE37110000-0x00007FFE371B3000-memory.dmp (Filesize: 652KB)
  • memory/1208-2-0x0000025C34AA0000-0x0000025C34AA7000-memory.dmp (Filesize: 28KB)
  • memory/1208-6-0x00007FFE37110000-0x00007FFE371B3000-memory.dmp (Filesize: 652KB)
  • memory/3448-16-0x0000000140000000-0x00000001400A3000-memory.dmp (Filesize: 652KB)
  • memory/3448-11-0x0000000140000000-0x00000001400A3000-memory.dmp (Filesize: 652KB)
  • memory/3448-23-0x0000000140000000-0x00000001400A3000-memory.dmp (Filesize: 652KB)
  • memory/3448-21-0x0000000140000000-0x00000001400A3000-memory.dmp (Filesize: 652KB)
  • memory/3448-20-0x0000000140000000-0x00000001400A3000-memory.dmp (Filesize: 652KB)
  • memory/3448-19-0x0000000140000000-0x00000001400A3000-memory.dmp (Filesize: 652KB)
  • memory/3448-18-0x0000000140000000-0x00000001400A3000-memory.dmp (Filesize: 652KB)
  • memory/3448-17-0x0000000140000000-0x00000001400A3000-memory.dmp (Filesize: 652KB)
  • memory/3448-32-0x00007FFE45A80000-0x00007FFE45A90000-memory.dmp (Filesize: 64KB)
  • memory/3448-15-0x0000000140000000-0x00000001400A3000-memory.dmp (Filesize: 652KB)
  • memory/3448-14-0x0000000140000000-0x00000001400A3000-memory.dmp (Filesize: 652KB)
  • memory/3448-13-0x0000000140000000-0x00000001400A3000-memory.dmp (Filesize: 652KB)
  • memory/3448-12-0x0000000140000000-0x00000001400A3000-memory.dmp (Filesize: 652KB)
  • memory/3448-29-0x0000000000E90000-0x0000000000E97000-memory.dmp (Filesize: 28KB)
  • memory/3448-10-0x0000000140000000-0x00000001400A3000-memory.dmp (Filesize: 652KB)
  • memory/3448-9-0x0000000140000000-0x00000001400A3000-memory.dmp (Filesize: 652KB)
  • memory/3448-8-0x00007FFE4448A000-0x00007FFE4448B000-memory.dmp (Filesize: 4KB)
  • memory/3448-7-0x0000000140000000-0x00000001400A3000-memory.dmp (Filesize: 652KB)
  • memory/3448-5-0x0000000140000000-0x00000001400A3000-memory.dmp (Filesize: 652KB)
  • memory/3448-3-0x0000000000ED0000-0x0000000000ED1000-memory.dmp (Filesize: 4KB)
  • memory/3448-41-0x0000000140000000-0x00000001400A3000-memory.dmp (Filesize: 652KB)
  • memory/3448-43-0x0000000140000000-0x00000001400A3000-memory.dmp (Filesize: 652KB)
  • memory/3448-31-0x0000000140000000-0x00000001400A3000-memory.dmp (Filesize: 652KB)
  • memory/3448-24-0x0000000140000000-0x00000001400A3000-memory.dmp (Filesize: 652KB)
  • memory/3448-22-0x0000000140000000-0x00000001400A3000-memory.dmp (Filesize: 652KB)