Analysis

  • max time kernel
    0s
  • max time network
    53s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29-12-2023 22:02

General

  • Target

    0512aedf039191c7a60c97cd87a5d490.dll

  • Size

    1.9MB

  • MD5

    0512aedf039191c7a60c97cd87a5d490

  • SHA1

    f5ffb6e18f6e8c2b06d040509d4542f13fdfa459

  • SHA256

    d168ef7be6e3b73f63a62c817c0d87e4dd84cbe577454da94b7cc8bf8ff55879

  • SHA512

    71b20bfb893dc6013c4d790b19dd92815a33b269ae2125ac7afaccf2821a196c843ee41696d978d2b1ef2789fa789c52d1829dcefa23e9cdbc02cbb973dfe6a3

  • SSDEEP

    12288:YVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:NfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a banking trojan that specializes in stealing banking credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex payload shellcode injected into the Explorer process.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\0512aedf039191c7a60c97cd87a5d490.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1356
  • C:\Users\Admin\AppData\Local\Dx4\EhStorAuthn.exe
    C:\Users\Admin\AppData\Local\Dx4\EhStorAuthn.exe
    1⤵
    PID:4960
  • C:\Users\Admin\AppData\Local\4eT\wscript.exe
    C:\Users\Admin\AppData\Local\4eT\wscript.exe
    1⤵
    PID:3976
  • C:\Windows\system32\wscript.exe
    C:\Windows\system32\wscript.exe
    1⤵
    PID:1532
  • C:\Users\Admin\AppData\Local\bB6Cw3S\upfc.exe
    C:\Users\Admin\AppData\Local\bB6Cw3S\upfc.exe
    1⤵
    PID:1584
  • C:\Windows\system32\upfc.exe
    C:\Windows\system32\upfc.exe
    1⤵
    PID:4552
  • C:\Windows\system32\EhStorAuthn.exe
    C:\Windows\system32\EhStorAuthn.exe
    1⤵
    PID:976
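The process tree above shows three System32 binaries (EhStorAuthn.exe, wscript.exe, upfc.exe) relaunched from randomly named directories under %LOCALAPPDATA%, each next to a DLL carrying a system DLL's name (UxTheme.dll, VERSION.dll, XmlLite.dll, listed under Downloads), plus a .lnk dropped in the Startup folder. The script below is an added example, not part of the sandbox report: it turns those observations into triage rules and runs them over process and file events constructed by hand from the report's own Processes and Downloads sections. The Sysmon-like event layout, the rule logic and the two name sets (RELOCATED_SYSTEM_BINARIES, SHADOWABLE_DLLS) are this example's assumptions, not sandbox output.

```python
"""Triage rules over the process tree and dropped files listed in this report.

Added example, not part of the sandbox report. The process and file events
below are constructed by hand from the report's Processes and Downloads
sections in a simplified Sysmon-like shape; the field layout, the rules and
the two name sets are this example's own assumptions, not sandbox output.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# System32 binaries the report shows running from %LOCALAPPDATA% (assumed set).
RELOCATED_SYSTEM_BINARIES = {"ehstorauthn.exe", "wscript.exe", "upfc.exe"}
# DLL names dropped beside them in the report. A DLL with a system DLL's name in
# the executable's own directory is found by the loader before the System32
# copy, which is the side-loading primitive these pairs rely on (assumed set).
SHADOWABLE_DLLS = {"version.dll", "uxtheme.dll", "xmllite.dll"}

USER_WRITABLE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\", re.IGNORECASE)
STARTUP_LNK = re.compile(r"\\programs\\startup\\[^\\]+\.lnk$", re.IGNORECASE)
ORDINAL_EXPORT = re.compile(r"(?P<dll>\S+\.dll),#\d+", re.IGNORECASE)

# (pid, image, command line) constructed from the report's process tree; an
# empty command line stands for "same as the image path", as in the report.
PROCESS_EVENTS = [(pid, image, cmdline or image) for pid, image, cmdline in [
    (1356, r"C:\Windows\system32\rundll32.exe",
     r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\0512aedf039191c7a60c97cd87a5d490.dll,#1"),
    (4960, r"C:\Users\Admin\AppData\Local\Dx4\EhStorAuthn.exe", ""),
    (3976, r"C:\Users\Admin\AppData\Local\4eT\wscript.exe", ""),
    (1532, r"C:\Windows\system32\wscript.exe", ""),
    (1584, r"C:\Users\Admin\AppData\Local\bB6Cw3S\upfc.exe", ""),
    (4552, r"C:\Windows\system32\upfc.exe", ""),
    (976, r"C:\Windows\system32\EhStorAuthn.exe", ""),
]]

# Paths from the report's Downloads section, one entry per distinct path.
FILE_EVENTS = [
    r"C:\Users\Admin\AppData\Local\4eT\VERSION.dll",
    r"C:\Users\Admin\AppData\Local\4eT\wscript.exe",
    r"C:\Users\Admin\AppData\Local\Dx4\EhStorAuthn.exe",
    r"C:\Users\Admin\AppData\Local\Dx4\UxTheme.dll",
    r"C:\Users\Admin\AppData\Local\bB6Cw3S\XmlLite.dll",
    r"C:\Users\Admin\AppData\Local\bB6Cw3S\upfc.exe",
    r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Aqwbkkvq.lnk",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3803511929-1339359695-2191195476-1000\4yBqkVK\XmlLite.dll",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\eiS\VERSION.dll",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Khny766MOmA\UxTheme.dll",
]


def rundll32_ordinal_findings(events):
    """rundll32 calling an export by ordinal (",#N") from a DLL in a user-writable path."""
    out = []
    for pid, image, cmdline in events:
        if PureWindowsPath(image).name.lower() != "rundll32.exe":
            continue
        m = ORDINAL_EXPORT.search(cmdline)
        if m and USER_WRITABLE.match(m.group("dll")):
            out.append((pid, m.group("dll")))
    return out


def relocated_binary_findings(events):
    """A System32 binary name executing from under a user's AppData tree."""
    return [(pid, image) for pid, image, _ in events
            if PureWindowsPath(image).name.lower() in RELOCATED_SYSTEM_BINARIES
            and USER_WRITABLE.match(image)]


def dll_drop_findings(paths):
    """Every user-writable directory that received a shadowable DLL name.
    'paired' marks directories that also received a relocated System32 binary,
    i.e. a ready-to-run side-loading pair rather than a lone DLL copy."""
    by_dir = defaultdict(set)
    for p in paths:
        if USER_WRITABLE.match(p):
            wp = PureWindowsPath(p)
            by_dir[str(wp.parent)].add(wp.name.lower())
    findings = []
    for d in sorted(by_dir):
        dlls = sorted(by_dir[d] & SHADOWABLE_DLLS)
        exes = sorted(by_dir[d] & RELOCATED_SYSTEM_BINARIES)
        if dlls:
            findings.append({"dir": d, "dlls": dlls, "exes": exes, "paired": bool(exes)})
    return findings


def startup_lnk_findings(paths):
    """Shortcuts written to a per-user Startup folder (the report's Aqwbkkvq.lnk)."""
    return [p for p in paths if STARTUP_LNK.search(p)]


def triage(process_events=PROCESS_EVENTS, file_events=FILE_EVENTS):
    return {
        "rundll32_ordinal": rundll32_ordinal_findings(process_events),
        "relocated_binaries": relocated_binary_findings(process_events),
        "dll_drops": dll_drop_findings(file_events),
        "startup_lnk": startup_lnk_findings(file_events),
    }


if __name__ == "__main__":
    for rule, hits in triage().items():
        print(f"{rule}: {len(hits)} hit(s)")
        for hit in hits:
            print("   ", hit)
```

Run against the constructed events, the rules return one rundll32 ordinal call from Temp, three System32 names running from %LOCALAPPDATA%, three paired side-loading directories under Local plus three lone DLL copies under Roaming, and one Startup shortcut. On a real host the same rules would be fed from Sysmon event IDs 1 and 11 rather than the hand-built lists.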

Network

MITRE ATT&CK Enterprise v15

Downloads

              • C:\Users\Admin\AppData\Local\4eT\VERSION.dll

                Filesize

                9KB

                MD5

                e89cdd42374ee74b19ea18b179856f83

                SHA1

                534e5645376873126fd2c9a24e463a47ca963f3d

                SHA256

                1ea0219eabb1fc0ffc103338533d40fb4d9489f814f3beffda0254696facfba8

                SHA512

                c1895e3d6d15176419e17c50afeb5188d85481ecf5d6253dd14e4a4fe31ed735cc052b6ae8692724bbf8888c3eef326eb55388157e75dd272b6837863b54dac8

              • C:\Users\Admin\AppData\Local\4eT\VERSION.dll

                Filesize

                6KB

                MD5

                a1d7e3aa2cb9620abc16dc99d2e98af6

                SHA1

                664154129020372e8b7521f754bc32a94d75b6a2

                SHA256

                1b404ca65182a4473fbc04437f25c84b2a47c558db008e07b161fdcf540c89a9

                SHA512

                ae8ceaea70732194f3d79c9be69d3e0002d4432405f86e590955c80e2926a60e5311c492ba38226cfce38df36c34abd821c910b3d9258b0f17f5471a24e1d515

              • C:\Users\Admin\AppData\Local\4eT\wscript.exe

                Filesize

                34KB

                MD5

                4286433d83e7bd3f68c8b3ee7acfb0f3

                SHA1

                017507dd3f29f92a8ef186f752dbce1b22709520

                SHA256

                dbc9c3665b58f2b88fd68c2d4d4ac500209cca823a0e3da5e84d494cbfb5203d

                SHA512

                c37b61ec0dbe90a6d5cae6cc37aec7c4b8b90c5411141034b3d665b33d0f7c9730e3cbbafea163e587bfe495646373cf437cbad96b395ac312c83774f3877d24

              • C:\Users\Admin\AppData\Local\4eT\wscript.exe

                Filesize

                24KB

                MD5

                a7e0f0bd7819507ecdfc638f29e9b885

                SHA1

                309bc0ddad63617205926531f4509a820e48d2f6

                SHA256

                283e2e89a1c34c2e8d16efff57a9b2be06feb3a6595683791455857b821614f2

                SHA512

                519087d2ca1ff7118dfd03eb2a7c24f0ea27471e98c261bccbb5d7d622af5075eab08c2d77c532d4dee6af8192832f71311a19ec9a34dced178df4ffb8b4e372

              • C:\Users\Admin\AppData\Local\Dx4\EhStorAuthn.exe

                Filesize

                50KB

                MD5

                091ccca07d24d56fe365f9b790a5d467

                SHA1

                01c2c3e14768d0c775d256e9260b634e6fc96bf0

                SHA256

                d8fb01faa50f23a17230989889264f759a4679453ebdedc70f9547103143aed9

                SHA512

                2f641f4c4bf5a7f594719a6f68e5d0703d018cb763c7f1023206b2f63d4b19791201fcaf86a3adb7ab97e178ef4c42fc122c987ca7eb24b5bddaf86f61bbf99e

              • C:\Users\Admin\AppData\Local\Dx4\EhStorAuthn.exe

                Filesize

                40KB

                MD5

                529a746fc4baa5dec1f6fb3a41764331

                SHA1

                8696dcf8c61eb0c619ade5eeae2d40ef1a991eea

                SHA256

                03eb6453402183a6098fbfad6eaf266ee59865718c7705a09e330e92e5d31a61

                SHA512

                ebcc19a454c62f34bebe335b16ca562fd5ceba4e2da122a3a871a157f5efc32dfdc554c1245a3ee7a6ce3f2ceb08ab0bbe5579d377535391e418016b35b95c29

              • C:\Users\Admin\AppData\Local\Dx4\UxTheme.dll

                Filesize

                29KB

                MD5

                3df4e529477fb0a38153f6792e0a054c

                SHA1

                5f55500177c78401d423127dd68ae3a7744989a7

                SHA256

                15257ce982996e364fc57bcd5868a46f7d7e8ab9bf56a71759bba38c47dc165e

                SHA512

                8dac8b4f9ab248aaa7caa96a170916daf51618b93935b1558432e9d10b9dec00e0103399f94e90a6b4ee5ff36a2ba92604a70f0733a245100b56a92f29766d2f

              • C:\Users\Admin\AppData\Local\Dx4\UxTheme.dll

                Filesize

                18KB

                MD5

                7ffa1966eeeb89969aed664ed2f35847

                SHA1

                6199b50f6d9b9619bd29dc2352cbe25298fd10a0

                SHA256

                7d20164cd12e8b21a3daefec74a43edf3f0813a48b2998b9c43a5b2d0ffba286

                SHA512

                1495e426a62e2660817aeae2d01755fd4e11e59aa99d02d82c0617d5425403fa2096ccd1d9af2c5049d439466a11b01f4c12f0783a6b10a4048c6afd13f9f52a

              • C:\Users\Admin\AppData\Local\bB6Cw3S\XmlLite.dll

                Filesize

                1KB

                MD5

                7108d9913efe83fdb9659f12e8746ac6

                SHA1

                01eb45b40e94213596b195ad01bb9a33097ea833

                SHA256

                e56ce2a2ae091354573b0942d88841125aa2ebf04f62740f36e37e9caafb0ac7

                SHA512

                aef3f9db64612d868df19c7a2e0e04478b97cfc4975367d143e617370cc20a50d79e1444df952cfa023dde8c90a7491c8644b475d930f50d4b77817a5497fdaf

              • C:\Users\Admin\AppData\Local\bB6Cw3S\upfc.exe

                Filesize

                21KB

                MD5

                8e6c608c050c0dc839ba50994f47fa3b

                SHA1

                e8d7b84b1a2b48644aa390b6d5744fd047be200d

                SHA256

                eb0cf164d8ef0636316ccc4a8963e61ee53e386f5d3b4378f061cd072ef8245e

                SHA512

                cc1a9eb555a5353729b3cc310fb0f67be880395ddb042aa0bb1c94d201e2179e99215686e09bf11c770807ac04a3340f7fb5914d9dc872210edcad22d43533c7

              • C:\Users\Admin\AppData\Local\bB6Cw3S\upfc.exe

                Filesize

                29B

                MD5

                10afe080d3d68e8082374c70ae5312ff

                SHA1

                6da7ab8c2b9179d426438cb072064baaf8ac6332

                SHA256

                5a179f3e2a089fdb60790c016a913d6753df671f99d74655ceab766bece7e4fd

                SHA512

                aa9edd556fb2cb98df48479a840865b96ea7187ac736ad9a757e6397f5eb7a3d63430a821e8747a6e56a1c3a685b242834d8e8e01ab2e33590fd8404e189186d

              • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Aqwbkkvq.lnk

                Filesize

                1KB

                MD5

                35473b3569566b5ba3b7ed446fc17674

                SHA1

                5eef934f1627f3bb694eecb699d7dc59031ed5e2

                SHA256

                7e0cfccfc1ab0794efee62399747cde6ec0692f9445e02d2dd6629705a80ea26

                SHA512

                5fcc32eb08d0539a8d174af60dcf410233434f07f849d6b3f263aa5a2073e116ba4f173e9d5c2c5fa97a5a93faddd6e89068d876a14c165837a11c56a148caf6

              • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3803511929-1339359695-2191195476-1000\4yBqkVK\XmlLite.dll

                Filesize

                23KB

                MD5

                42e0fba27e109ef6c216c29f0572d006

                SHA1

                bbac363b2e0ee4a08024d8d0f760dffe61cce469

                SHA256

                4a070686b32b626ea2396fad01dbda4fdc11d67516bb61f54b4538f812567f93

                SHA512

                1bb72f0ec698f05b3b91183c392885341bef19a1b017ad151df6787abe96b258e9a88ee6a5429985a1d796b399503450531f04d54f9e9f1a6e8d748bde3c69c5

              • C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\eiS\VERSION.dll

                Filesize

                1KB

                MD5

                a9223f9d8f2260ca2856f809801f8f36

                SHA1

                f30f8d28667fcd14e1933c58077383d2588765e9

                SHA256

                903c4f0fa435d2a433539db4c07d9ae534113f337007a93352335835946dfc39

                SHA512

                4f88768411e7df09b71e420a39768eb82a7dfe17ff72f749d4f9356b96f39ea4e88d39f963a4312b678318216c2f4a9071de59caa071426417b3cceca14561cd

              • C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Khny766MOmA\UxTheme.dll

                Filesize

                133KB

                MD5

                e424b0b5623c3d4b6a3c5ec58b2ff1ef

                SHA1

                381757dcb6f5dc7787469e3df524b9a66e43b450

                SHA256

                67626a40c29278c4ef41073aa98078d314e7c398929320244d8f3b24b5c3245d

                SHA512

                a2af0f2700a524b7e30e9517436a6d790adee92f9bd759f7f0c6b425f6c731280b55ecca7f8c7e58e481475b698befdc6f6cc0c8e2babbca2e889da99ff09cb5

              • memory/1356-0-0x0000022199710000-0x0000022199717000-memory.dmp

                Filesize

                28KB

              • memory/1356-7-0x0000000140000000-0x00000001401F1000-memory.dmp

                Filesize

                1.9MB

              • memory/1356-1-0x0000000140000000-0x00000001401F1000-memory.dmp

                Filesize

                1.9MB

              • memory/1584-77-0x000002B1945E0000-0x000002B1945E7000-memory.dmp

                Filesize

                28KB

              • memory/1584-83-0x0000000140000000-0x00000001401F2000-memory.dmp

                Filesize

                1.9MB

              • memory/3488-17-0x0000000140000000-0x00000001401F1000-memory.dmp

                Filesize

                1.9MB

              • memory/3488-23-0x0000000140000000-0x00000001401F1000-memory.dmp

                Filesize

                1.9MB

              • memory/3488-12-0x0000000140000000-0x00000001401F1000-memory.dmp

                Filesize

                1.9MB

              • memory/3488-13-0x0000000140000000-0x00000001401F1000-memory.dmp

                Filesize

                1.9MB

              • memory/3488-20-0x0000000140000000-0x00000001401F1000-memory.dmp

                Filesize

                1.9MB

              • memory/3488-27-0x0000000140000000-0x00000001401F1000-memory.dmp

                Filesize

                1.9MB

              • memory/3488-51-0x0000000140000000-0x00000001401F1000-memory.dmp

                Filesize

                1.9MB

              • memory/3488-49-0x0000000140000000-0x00000001401F1000-memory.dmp

                Filesize

                1.9MB

              • memory/3488-40-0x00007FF9F64A0000-0x00007FF9F64B0000-memory.dmp

                Filesize

                64KB

              • memory/3488-31-0x0000000140000000-0x00000001401F1000-memory.dmp

                Filesize

                1.9MB

              • memory/3488-39-0x0000000140000000-0x00000001401F1000-memory.dmp

                Filesize

                1.9MB

              • memory/3488-30-0x0000000140000000-0x00000001401F1000-memory.dmp

                Filesize

                1.9MB

              • memory/3488-29-0x0000000140000000-0x00000001401F1000-memory.dmp

                Filesize

                1.9MB

              • memory/3488-28-0x0000000140000000-0x00000001401F1000-memory.dmp

                Filesize

                1.9MB

              • memory/3488-26-0x0000000140000000-0x00000001401F1000-memory.dmp

                Filesize

                1.9MB

              • memory/3488-25-0x0000000140000000-0x00000001401F1000-memory.dmp

                Filesize

                1.9MB

              • memory/3488-24-0x0000000140000000-0x00000001401F1000-memory.dmp

                Filesize

                1.9MB

              • memory/3488-4-0x0000000002AB0000-0x0000000002AB1000-memory.dmp

                Filesize

                4KB

              • memory/3488-22-0x0000000140000000-0x00000001401F1000-memory.dmp

                Filesize

                1.9MB

              • memory/3488-21-0x0000000140000000-0x00000001401F1000-memory.dmp

                Filesize

                1.9MB

              • memory/3488-19-0x0000000140000000-0x00000001401F1000-memory.dmp

                Filesize

                1.9MB

              • memory/3488-18-0x0000000140000000-0x00000001401F1000-memory.dmp

                Filesize

                1.9MB

              • memory/3488-32-0x00000000010E0000-0x00000000010E7000-memory.dmp

                Filesize

                28KB

              • memory/3488-16-0x0000000140000000-0x00000001401F1000-memory.dmp

                Filesize

                1.9MB

              • memory/3488-15-0x0000000140000000-0x00000001401F1000-memory.dmp

                Filesize

                1.9MB

              • memory/3488-14-0x0000000140000000-0x00000001401F1000-memory.dmp

                Filesize

                1.9MB

              • memory/3488-11-0x0000000140000000-0x00000001401F1000-memory.dmp

                Filesize

                1.9MB

              • memory/3488-10-0x0000000140000000-0x00000001401F1000-memory.dmp

                Filesize

                1.9MB

              • memory/3488-9-0x00007FF9F4EEA000-0x00007FF9F4EEB000-memory.dmp

                Filesize

                4KB

              • memory/3488-8-0x0000000140000000-0x00000001401F1000-memory.dmp

                Filesize

                1.9MB

              • memory/3488-6-0x0000000140000000-0x00000001401F1000-memory.dmp

                Filesize

                1.9MB

              • memory/3976-100-0x0000000140000000-0x00000001401F2000-memory.dmp

                Filesize

                1.9MB

              • memory/3976-94-0x0000028C86B60000-0x0000028C86B67000-memory.dmp

                Filesize

                28KB

              • memory/4960-61-0x0000000140000000-0x00000001401F2000-memory.dmp

                Filesize

                1.9MB

              • memory/4960-66-0x0000000140000000-0x00000001401F2000-memory.dmp

                Filesize

                1.9MB

              • memory/4960-60-0x000001F67E020000-0x000001F67E027000-memory.dmp

                Filesize

                28KB
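The memory entries above repay a closer read: the same 1.9MB region at base 0x140000000 (the MSVC linker's default image base for 64-bit executables) appears in rundll32.exe (PID 1356), in each of the three relocated host binaries (PIDs 4960, 3976, 1584) and in PID 3488, which is absent from the process tree, and every one of those five processes also holds a separate 0x7000-byte (28KB) region. The script below is an added example, not part of the sandbox report: it parses the report's dump names and groups them by base address and by size so that cross-process replication stands out. The region names are copied from the report (PID 3488 reduced to one entry per distinct range, since the report repeats that range at many sequence numbers); the parsing and grouping logic are this example's own, and no identity is assumed for PID 3488.

```python
"""Correlate the memory-dump regions listed above across the dumped processes.

Added example, not part of the sandbox report. The region names are copied
from the report's memory entries (PID 3488 reduced to one entry per distinct
range); the parsing and grouping logic are this example's own. The report ties
PID 1356 to rundll32.exe and PIDs 4960, 3976 and 1584 to the relocated
EhStorAuthn.exe, wscript.exe and upfc.exe; PID 3488 is not in the process
tree, so no identity is assumed for it here.
"""
import re
from collections import defaultdict

# memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp, the naming used in the report.
REGION = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")

DUMPS = """
memory/1356-0-0x0000022199710000-0x0000022199717000-memory.dmp
memory/1356-7-0x0000000140000000-0x00000001401F1000-memory.dmp
memory/1356-1-0x0000000140000000-0x00000001401F1000-memory.dmp
memory/1584-77-0x000002B1945E0000-0x000002B1945E7000-memory.dmp
memory/1584-83-0x0000000140000000-0x00000001401F2000-memory.dmp
memory/3488-6-0x0000000140000000-0x00000001401F1000-memory.dmp
memory/3488-4-0x0000000002AB0000-0x0000000002AB1000-memory.dmp
memory/3488-9-0x00007FF9F4EEA000-0x00007FF9F4EEB000-memory.dmp
memory/3488-32-0x00000000010E0000-0x00000000010E7000-memory.dmp
memory/3488-40-0x00007FF9F64A0000-0x00007FF9F64B0000-memory.dmp
memory/3976-100-0x0000000140000000-0x00000001401F2000-memory.dmp
memory/3976-94-0x0000028C86B60000-0x0000028C86B67000-memory.dmp
memory/4960-61-0x0000000140000000-0x00000001401F2000-memory.dmp
memory/4960-66-0x0000000140000000-0x00000001401F2000-memory.dmp
memory/4960-60-0x000001F67E020000-0x000001F67E027000-memory.dmp
""".split()


def parse_regions(names):
    """Return (pid, seq, start, size) tuples; rejects names outside the naming scheme."""
    regions = []
    for name in names:
        m = REGION.match(name)
        if not m:
            raise ValueError(f"unrecognised dump name: {name}")
        start, end = int(m["start"], 16), int(m["end"], 16)
        regions.append((int(m["pid"]), int(m["seq"]), start, end - start))
    return regions


def shared_bases(regions, min_pids=2):
    """Base addresses dumped from at least min_pids distinct processes,
    mapped to {pid: size}. One base recurring across unrelated processes is
    the cross-process signal behind the 'injected' signature listed above."""
    by_base = defaultdict(dict)
    for pid, _, start, size in regions:
        by_base[start][pid] = size
    return {base: pids for base, pids in by_base.items() if len(pids) >= min_pids}


def pids_with_region_size(regions, size):
    """Processes holding a dumped region of exactly this size, at any address."""
    return sorted({pid for pid, _, _, s in regions if s == size})


def describe(regions):
    """Human-readable lines for the shared bases and the recurring 0x7000-byte regions."""
    lines = []
    for base, pids in sorted(shared_bases(regions).items()):
        parts = ", ".join(f"{pid}:0x{size:X}" for pid, size in sorted(pids.items()))
        lines.append(f"0x{base:X} present in {len(pids)} PIDs ({parts})")
    small = pids_with_region_size(regions, 0x7000)
    lines.append(f"0x7000-byte region present in PIDs {small}")
    return lines


if __name__ == "__main__":
    for line in describe(parse_regions(DUMPS)):
        print(line)
```

The only base shared across processes is 0x140000000, with sizes 0x1F1000 (PIDs 1356 and 3488) and 0x1F2000 (PIDs 4960, 3976, 1584); 0x1F1000 bytes is about 1.9MB, the size the report gives for the submitted DLL. The 0x7000-byte region sits at a different address in each process, so grouping by size rather than by base is what exposes it.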