Analysis

  • max time kernel
    152s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    27-12-2023 13:02

General

  • Target

    b122a91caaad5f9133a910107ab182f2.dll

  • Size

    728KB

  • MD5

    b122a91caaad5f9133a910107ab182f2

  • SHA1

    df8ac36b8382ec1a7cd5c52decdca2330fc57af1

  • SHA256

    f2ded2615a9ec37198c3ae0042de5ddb999eda4d0d89b5469d20c4b047e8759f

  • SHA512

    f9a9311958fbffcfbf5a6b71168add5e585a0d09daa4e748617aed1180eef1c0bbd997adda57561ed21106f4d4e62c64d99fa5dee4ce7dafcc3ba452a4b709f5

  • SSDEEP

    12288:G6BBWGJW6eC85Df97+yXUj7SncCxj8iHGo59S1WQSCtEdFO7YKJf6:G6BQBjlc728jo7S1bl6FbK

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat or Cridex) is a banking trojan that specializes in stealing banking credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex payload shellcode injected into the Explorer process.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run at boot or at set times.
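
    The three persistence channels flagged above (a Run key, the Startup-folder shortcut listed under Downloads, and the Task Scheduler COM API) are what a responder checks first on a suspect host. The following PowerShell triage script is an added example and is not part of the sandbox report; it enumerates all three channels as the affected user and flags entries whose target resolves into a user-writable location. The `$suspiciousRoots` pattern, the function name and the output field names are assumptions chosen for illustration.

```powershell
# Added triage script, not part of the sandbox report. Enumerates the three
# persistence channels the report flags (Run/RunOnce keys, Startup-folder
# shortcuts, scheduled tasks) and marks targets under user-writable roots.
# Assumption: run in the context of the affected user on a live host; the
# regex below is a starting point and should be tuned to your estate.
$suspiciousRoots = '(?i)\\AppData\\(Local|Roaming)\\|\\Temp\\|\\ProgramData\\'

function Test-SuspiciousPath {
    param([string]$Path)
    return [bool]($Path -and ($Path -match $suspiciousRoots))
}

function Get-PersistenceCandidates {
    # 1. Run / RunOnce keys. HKCU is what a non-elevated loader can write;
    #    HKLM is included for completeness and only yields hits when readable.
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip provider metadata (PSPath etc.)
            $target = [string]$p.Value
            [pscustomobject]@{
                Source     = "RunKey:$key"
                Name       = $p.Name
                Target     = $target
                Suspicious = Test-SuspiciousPath $target
            }
        }
    }

    # 2. Startup-folder shortcuts. A .lnk is resolved to its target through the
    #    WScript.Shell COM object so the real executable path is inspected,
    #    not the shortcut name (the report's Btpzaqnqvnv.lnk is deliberately random).
    $shell = New-Object -ComObject WScript.Shell
    $startupDirs = @(
        [Environment]::GetFolderPath('Startup'),
        [Environment]::GetFolderPath('CommonStartup')
    )
    foreach ($dir in $startupDirs) {
        Get-ChildItem -Path $dir -Filter *.lnk -ErrorAction SilentlyContinue | ForEach-Object {
            $lnk = $shell.CreateShortcut($_.FullName)
            [pscustomobject]@{
                Source     = "Startup:$($_.FullName)"
                Name       = $_.Name
                Target     = "$($lnk.TargetPath) $($lnk.Arguments)".Trim()
                Suspicious = Test-SuspiciousPath $lnk.TargetPath
            }
        }
    }

    # 3. Scheduled tasks. Tasks created through the Task Scheduler COM API are
    #    ordinary tasks, so Get-ScheduledTask sees them; inspect each action's
    #    executable and arguments. Non-exec actions (COM handlers) have no Execute.
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }
            $cmd = "$($action.Execute) $($action.Arguments)".Trim()
            [pscustomobject]@{
                Source     = "Task:$($task.TaskPath)$($task.TaskName)"
                Name       = $task.TaskName
                Target     = $cmd
                Suspicious = Test-SuspiciousPath $cmd
            }
        }
    }
}

# Show only the entries that point into user-writable roots.
Get-PersistenceCandidates | Where-Object Suspicious | Format-Table -AutoSize -Wrap
```

Run it from a PowerShell 5.1 or later session as the compromised user; HKLM keys and other users' tasks need an elevated session. Drop the `Where-Object` filter to see every entry, which is useful when an attacker stages the payload under a path the regex does not cover.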

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\b122a91caaad5f9133a910107ab182f2.dll,#1
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1848
  • C:\Windows\system32\phoneactivate.exe
    C:\Windows\system32\phoneactivate.exe
    PID:2348
    • C:\Users\Admin\AppData\Local\zoZBJC\phoneactivate.exe
      C:\Users\Admin\AppData\Local\zoZBJC\phoneactivate.exe
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:3580
    • C:\Windows\system32\WFS.exe
      C:\Windows\system32\WFS.exe
      PID:3116
      • C:\Users\Admin\AppData\Local\xFx1yOt\WFS.exe
        C:\Users\Admin\AppData\Local\xFx1yOt\WFS.exe
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2336
      • C:\Windows\system32\dpapimig.exe
        C:\Windows\system32\dpapimig.exe
        PID:3568
        • C:\Users\Admin\AppData\Local\5iWWlGY1R\dpapimig.exe
          C:\Users\Admin\AppData\Local\5iWWlGY1R\dpapimig.exe
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:3920
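
        Read together with the dropped-file list under Downloads, the process tree shows a layout consistent with DLL side-loading: each of phoneactivate.exe, WFS.exe and dpapimig.exe is run once from System32 and then again from a randomly named directory under %LOCALAPPDATA% (zoZBJC, xFx1yOt, 5iWWlGY1R), where a DLL carrying the name of a Windows system DLL (SLC.dll, credui.dll, DUI70.dll) sits beside it and the copy is flagged "Loads dropped DLL". The following PowerShell hunt is an added example and is not part of the sandbox report; it searches one directory level below %LOCALAPPDATA% for that pattern and reports, for each candidate pair, whether the executable is a byte-identical copy of the System32 binary and whether the adjacent DLL matches the System32 file of the same name or carries a valid Authenticode signature. The function name, field names and the one-level search depth are assumptions chosen for illustration.

```powershell
# Added hunt script, not part of the sandbox report. Finds copies of System32
# executables under %LOCALAPPDATA% that sit next to a DLL which borrows a
# Windows system DLL's name but does not match the System32 file's bytes.
# Assumptions: live host or mounted profile; one directory level below
# %LOCALAPPDATA% is searched (matching this sample's layout); PowerShell 5+
# for -Depth. The DllSHA256 field can be compared with the SHA256 values the
# report lists for SLC.dll, credui.dll and DUI70.dll.
function Find-SideLoadCandidates {
    param(
        [string]$Root     = $env:LOCALAPPDATA,
        [string]$System32 = "$env:SystemRoot\System32"
    )
    Get-ChildItem -Path $Root -Filter *.exe -File -Recurse -Depth 1 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $exe    = $_
        $sysExe = Join-Path $System32 $exe.Name
        # Only executables that also exist in System32 fit the pattern.
        if (-not (Test-Path $sysExe)) { return }

        $exeHash    = (Get-FileHash -Algorithm SHA256 -Path $exe.FullName).Hash
        $sysExeHash = (Get-FileHash -Algorithm SHA256 -Path $sysExe).Hash

        # Every DLL in the same directory is a potential side-load target.
        Get-ChildItem -Path $exe.DirectoryName -Filter *.dll -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $dll     = $_
            $sysDll  = Join-Path $System32 $dll.Name
            $dllHash = (Get-FileHash -Algorithm SHA256 -Path $dll.FullName).Hash
            $sysDllHash = if (Test-Path $sysDll) {
                (Get-FileHash -Algorithm SHA256 -Path $sysDll).Hash
            } else { $null }
            $sig = Get-AuthenticodeSignature -FilePath $dll.FullName

            [pscustomobject]@{
                Exe             = $exe.FullName
                ExeIsSystemCopy = ($exeHash -eq $sysExeHash)      # faithful copy of the signed binary
                Dll             = $dll.FullName
                DllNameInSys32  = [bool]$sysDllHash                # name collides with a system DLL
                DllMatchesSys32 = [bool]($sysDllHash -and ($dllHash -eq $sysDllHash))
                DllSignature    = $sig.Status                      # Valid / NotSigned / HashMismatch ...
                DllSHA256       = $dllHash
            }
        }
    }
}

# Hits worth a closer look: a DLL that borrows a system DLL's name but neither
# matches the System32 bytes nor carries a valid signature. ExeIsSystemCopy is
# reported rather than required, since the copied exe may come from a
# different Windows build than the one in System32.
Find-SideLoadCandidates |
    Where-Object { $_.DllNameInSys32 -and -not $_.DllMatchesSys32 -and $_.DllSignature -ne 'Valid' } |
    Format-List
```

The hashing makes the hunt slow across a large profile; for a fleet-wide sweep, emit only the path and SHA256 of each hit and do the System32 comparison centrally. A legitimately side-by-side-deployed DLL from an installer will also match, so review hits against the signature status and the report's hashes before acting on them.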

        Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\5iWWlGY1R\DUI70.dll

          Filesize

          1008KB

          MD5

          0d945fb531da801c8a13e7c5d1346e5b

          SHA1

          25585ab94362e7c6b57981f11df2a96db4bd87d8

          SHA256

          4b900740e933d61f05abc2bb6f3f3273d558d7f15b26e9ffadfbfe4cd23e25eb

          SHA512

          ded6c44aa897aadb167cff5b65fb7d3f4fb5061cb86475675e8473fb565790b26386be31ffb91d4b11f0b90fac6f770b8b915c6334f3288464b561aa052cada3

        • C:\Users\Admin\AppData\Local\5iWWlGY1R\dpapimig.exe

          Filesize

          76KB

          MD5

          b6d6477a0c90a81624c6a8548026b4d0

          SHA1

          e6eac6941d27f76bbd306c2938c0a962dbf1ced1

          SHA256

          a8147d08b82609c72d588a0a604cd3c1f2076befcc719d282c7cbd6525ae89eb

          SHA512

          72ec8b79e3438f0f981129a323ad39db84df7dd14a796a820bdbc74ea8fa13eee843d1ea030a0c1caeda2e2d69952f14a821a73825b38dd9415047aca597b1fe

        • C:\Users\Admin\AppData\Local\xFx1yOt\WFS.exe

          Filesize

          944KB

          MD5

          3cbc8d0f65e3db6c76c119ed7c2ffd85

          SHA1

          e74f794d86196e3bbb852522479946cceeed7e01

          SHA256

          e23e4182efe7ed61aaf369696e1ce304c3818df33d1663872b6d3c75499d81f4

          SHA512

          26ae5845a804b9eb752078f1ffa80a476648a8a9508b4f7ba56c94acd4198f3ba59c77add4feb7e0420070222af56521ca5f6334f466d5db272c816930513f0a

        • C:\Users\Admin\AppData\Local\xFx1yOt\credui.dll

          Filesize

          732KB

          MD5

          16082cd7084cd0a2422862d1d08fd303

          SHA1

          28da451426d2663c5ffd7ac1f9146bc8c59e13df

          SHA256

          ba917a5e69d008aecb7630eededb9daa9520b9a613d5ad68a537554fd5ee668c

          SHA512

          d9c51da2c24fa77c447870c9786d368ff9533941031a855e601cef621aaab249f30ef65661e03603e03de32b260bde5782d00a4fb455be31c5af7ed9e12f6dc4

        • C:\Users\Admin\AppData\Local\zoZBJC\SLC.dll

          Filesize

          732KB

          MD5

          7ff15326fc377b6423911e72e2649c8e

          SHA1

          e67f27ebbc0668b7a00cfd502cc96228fc9b6f5b

          SHA256

          eaf571769be6508c887d887ccf4da10aaec1860530b2a302f5ee59cb4cc1e350

          SHA512

          4796da4499c00ae3155ddf91955bbc664f8ba0abf388d53530fd43043c4ff5e2313ee27795ec427d7441c95f8dddc91b947f714953905251b34dc9996910df04

        • C:\Users\Admin\AppData\Local\zoZBJC\phoneactivate.exe

          Filesize

          107KB

          MD5

          32c31f06e0b68f349f68afdd08e45f3d

          SHA1

          e4b642f887e2c1d76b6b4777ade91e3cb3b9e27c

          SHA256

          cea83eb34233fed5ebeef8745c7c581a8adbefbcfc0e30e2d30a81000c821017

          SHA512

          fe61764b471465b164c9c2202ed349605117d57ceb0eca75acf8bda44e8744c115767ee0caed0b7feb70ba37b477d00805b3fdf0d0fa879dd4c8e3c1dc1c0d26

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Btpzaqnqvnv.lnk

          Filesize

          1KB

          MD5

          497cfe49ccc51a232548f21de8e0c9c7

          SHA1

          ab28381097759d4a86f5bcde328be1ffd3079db6

          SHA256

          1ca9a90614120b0bcb3d2cf3f5a9f89233ea01e96742d770a042865106867a0d

          SHA512

          407f17dee85d2e61d5356732ee49f4b6dd3aab00ddb343d65466804b846cb8b5c4afcca28a33eb030d8529be0e80fb96cb91c2bb9bdcfa081ad0f3ebecc23e1d

        • memory/1848-0-0x0000000140000000-0x00000001400B6000-memory.dmp

          Filesize

          728KB

        • memory/1848-2-0x0000020579CF0000-0x0000020579CF7000-memory.dmp

          Filesize

          28KB

        • memory/1848-44-0x0000000140000000-0x00000001400B6000-memory.dmp

          Filesize

          728KB

        • memory/2336-74-0x0000000140000000-0x00000001400B7000-memory.dmp

          Filesize

          732KB

        • memory/2336-68-0x00000235D9960000-0x00000235D9967000-memory.dmp

          Filesize

          28KB

        • memory/3512-23-0x0000000140000000-0x00000001400B6000-memory.dmp

          Filesize

          728KB

        • memory/3512-11-0x0000000140000000-0x00000001400B6000-memory.dmp

          Filesize

          728KB

        • memory/3512-17-0x0000000140000000-0x00000001400B6000-memory.dmp

          Filesize

          728KB

        • memory/3512-18-0x0000000140000000-0x00000001400B6000-memory.dmp

          Filesize

          728KB

        • memory/3512-19-0x0000000140000000-0x00000001400B6000-memory.dmp

          Filesize

          728KB

        • memory/3512-20-0x0000000140000000-0x00000001400B6000-memory.dmp

          Filesize

          728KB

        • memory/3512-21-0x0000000140000000-0x00000001400B6000-memory.dmp

          Filesize

          728KB

        • memory/3512-24-0x0000000000600000-0x0000000000607000-memory.dmp

          Filesize

          28KB

        • memory/3512-15-0x0000000140000000-0x00000001400B6000-memory.dmp

          Filesize

          728KB

        • memory/3512-22-0x0000000140000000-0x00000001400B6000-memory.dmp

          Filesize

          728KB

        • memory/3512-31-0x0000000140000000-0x00000001400B6000-memory.dmp

          Filesize

          728KB

        • memory/3512-32-0x00007FFCC6A90000-0x00007FFCC6AA0000-memory.dmp

          Filesize

          64KB

        • memory/3512-41-0x0000000140000000-0x00000001400B6000-memory.dmp

          Filesize

          728KB

        • memory/3512-14-0x0000000140000000-0x00000001400B6000-memory.dmp

          Filesize

          728KB

        • memory/3512-13-0x0000000140000000-0x00000001400B6000-memory.dmp

          Filesize

          728KB

        • memory/3512-16-0x0000000140000000-0x00000001400B6000-memory.dmp

          Filesize

          728KB

        • memory/3512-4-0x0000000000630000-0x0000000000631000-memory.dmp

          Filesize

          4KB

        • memory/3512-7-0x0000000140000000-0x00000001400B6000-memory.dmp

          Filesize

          728KB

        • memory/3512-9-0x0000000140000000-0x00000001400B6000-memory.dmp

          Filesize

          728KB

        • memory/3512-12-0x0000000140000000-0x00000001400B6000-memory.dmp

          Filesize

          728KB

        • memory/3512-10-0x0000000140000000-0x00000001400B6000-memory.dmp

          Filesize

          728KB

        • memory/3512-6-0x0000000140000000-0x00000001400B6000-memory.dmp

          Filesize

          728KB

        • memory/3512-8-0x00007FFCC502A000-0x00007FFCC502B000-memory.dmp

          Filesize

          4KB

        • memory/3580-57-0x0000000140000000-0x00000001400B7000-memory.dmp

          Filesize

          732KB

        • memory/3580-52-0x0000000140000000-0x00000001400B7000-memory.dmp

          Filesize

          732KB

        • memory/3580-51-0x0000027C97AE0000-0x0000027C97AE7000-memory.dmp

          Filesize

          28KB

        • memory/3920-87-0x0000000140000000-0x00000001400FC000-memory.dmp

          Filesize

          1008KB

        • memory/3920-88-0x0000023687D10000-0x0000023687D17000-memory.dmp

          Filesize

          28KB

        • memory/3920-93-0x0000000140000000-0x00000001400FC000-memory.dmp

          Filesize

          1008KB