Analysis

  • max time kernel
    75s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29-12-2023 22:27

General

  • Target

    0597e704a1234f7f0a2cc4dd823194cb.dll

  • Size

    712KB

  • MD5

    0597e704a1234f7f0a2cc4dd823194cb

  • SHA1

    50e72b88256c7807853bea80c0c660a503383f75

  • SHA256

    7ba44f9bf826852b97d7fd37af4450957684acdea533f27440e8bfb5db1cd729

  • SHA512

    368b8672d5e1123fe15021264390d71482aae6b52cea5089afeaeed63ebf89c60addede65dd8ae1409c74e1f05009eb5f0e02e5326fa49f617fe36502b12f75c

  • SSDEEP

    12288:1dMIwS97wJs6tSKDXEabXaC+jhc1S8XXk7CZzHsZH9dq0T:bMIJxSDX3bqjhcfHk7MzH6z

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a banking trojan that specializes in stealing online-banking credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex payload shellcode injected into the Explorer process.

  • Dridex payload 4 IoCs

    Detects Dridex x64 core DLL in memory.

  • Modifies Installed Components in the registry 2 TTPs 7 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 14 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 56 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\0597e704a1234f7f0a2cc4dd823194cb.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:3156
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies Installed Components in the registry
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:4468
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:5040
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies Installed Components in the registry
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:4388
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies Installed Components in the registry
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious use of SendNotifyMessage
    PID:3868
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    PID:4284
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies Installed Components in the registry
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious use of SendNotifyMessage
    PID:4860
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:228
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies Installed Components in the registry
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious use of SendNotifyMessage
    PID:408
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4944
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:3760
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies Installed Components in the registry
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies registry class
    PID:3684
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:3468
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies Installed Components in the registry
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies registry class
    PID:1640
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:3836
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4228
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    PID:4684
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    PID:456
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    PID:2332
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    PID:1112
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    PID:4120
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    PID:3692
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:4928
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    PID:4444
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    PID:4380
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:1944
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    PID:1056
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    PID:4032
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    PID:116
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    PID:2980
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:3200
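The first entry in the tree is the one a detection engineer should care about: rundll32.exe, a signed Windows host binary, loading a DLL from the user's %TEMP% directory and calling it by ordinal (,#1) rather than by export name. The rest of the tree is ordinary shell activity (explorer.exe, StartMenuExperienceHost, SearchApp) that happens to trip generic registry and drive-enumeration signatures. The Python below is an added example, not part of the report and not Triage's signature logic: it parses rundll32 command lines and flags that proxy-execution pattern. The sample events are constructed; the first command line is the one shown above for PID 3156, and the directory list, reason strings and other PIDs are assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# rundll32's argument grammar is "<dll>,<entry point> [args]". The DLL path may
# be quoted; the entry point is either an exported name or an ordinal ("#1").
_RUNDLL32_RE = re.compile(
    r'^\s*"?(?:[A-Za-z]:\\[^"]*?\\)?rundll32(?:\.exe)?"?\s+'
    r'(?P<dll>"[^"]+"|[^\s,]+)\s*,\s*(?P<entry>#\d+|[A-Za-z_][\w@]*)',
    re.IGNORECASE,
)

# Locations a standard user can write to (assumed list). A DLL loaded from one
# of these by a signed host binary is the classic LOLBin proxy-execution
# pattern. Plain strings with doubled backslashes so each ends in a single "\".
_USER_WRITABLE = (
    "\\appdata\\local\\temp\\",
    "\\appdata\\roaming\\",
    "\\downloads\\",
    "\\users\\public\\",
    "\\programdata\\",
    "\\windows\\temp\\",
)


@dataclass
class Verdict:
    dll: Optional[str] = None
    entry: Optional[str] = None
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def analyze_rundll32(cmdline: str) -> Verdict:
    """Return what rundll32 was asked to load and why (if at all) it looks bad.
    Unquoted DLL paths containing spaces are not handled; log them quoted."""
    m = _RUNDLL32_RE.match(cmdline)
    if not m:
        return Verdict()  # not a rundll32 invocation we can parse
    dll = m["dll"].strip('"')
    entry = m["entry"]
    low = dll.lower()
    reasons = []
    if any(d in low for d in _USER_WRITABLE):
        reasons.append("dll in user-writable directory")
    if entry.startswith("#"):
        reasons.append("export called by ordinal")
    if not low.endswith(".dll"):
        reasons.append("dll lacks .dll extension")
    return Verdict(dll, entry, reasons)


# Constructed process-creation events (not from the report). The first command
# line is the one the report shows for PID 3156; the others are made up.
SAMPLE_EVENTS = [
    {"pid": 3156, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\0597e704a1234f7f0a2cc4dd823194cb.dll,#1"},
    {"pid": 5100, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r'"C:\Windows\system32\rundll32.exe" shell32.dll,Control_RunDLL hotplug.dll'},
    {"pid": 5112, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r'rundll32.exe "C:\Users\Public\update.bin",Run'},
    {"pid": 5200, "image": r"C:\Windows\system32\notepad.exe",
     "cmdline": r"notepad.exe C:\Users\Admin\notes.txt"},
]


def flag_events(events):
    """Return [(pid, reasons)] for events whose rundll32 command line is suspicious."""
    hits = []
    for ev in events:
        verdict = analyze_rundll32(ev["cmdline"])
        if verdict.suspicious:
            hits.append((ev["pid"], verdict.reasons))
    return hits


if __name__ == "__main__":
    for pid, reasons in flag_events(SAMPLE_EVENTS):
        print(f"PID {pid}: {', '.join(reasons)}")
```

The Control_RunDLL invocation is deliberately left unflagged: rundll32 loading a System32 DLL by export name is everyday Windows behaviour, and a rule that fires on every rundll32 launch will be tuned out within a day. Path and ordinal together are what make the PID 3156 line worth an alert.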

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
    Filesize  471B
    MD5       a760fb773b23d783f07e77de846bde96
    SHA1      35f4a0c1ba33dee757f2b028fb313c3019b699fd
    SHA256    e07532c862bf12834627535fe4304cbf9d977e22968dea7b99fa5bd9a733c290
    SHA512    d8bf7846b453924fcaec8e153a7a3ea633e64c3aa695169ebfa944e48f4a8e0ddd8703d48ce988ba360d826e72006576cd822bc0b3ecf496d47649532ccc501e
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
    Filesize  412B
    MD5       fc30be1147dd153864c9240c4fde3991
    SHA1      c1f92fa02ea1402769a5c6c248bff91922ed7bb6
    SHA256    92619105bab2959cc33acfa8c2be2bfab03157998f7efcd9cba2ab920eeb1ac9
    SHA512    b28b442edcc3b9c035a5854dade1fd5132969ce90f0a073e0f0cb49dc9fd4d19559bff0a176b8bddf371ffc157f82f750e916918b8dcef6f9d39d78fee090a8d
  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133484042748490280.txt
    Filesize  74KB
    MD5       c09e63e4b960a163934b3c29f3bd2cc9
    SHA1      d3a43b35c14ae2e353a1a15c518ab2595f6a0399
    SHA256    308deca5e1ef4d875fbe0aff3ce4b0b575b28e643dffda819d4390ec77faf157
    SHA512    5ca3321034dff47e3afe0b0bdfaffc08782991660910a29375a8e0363794b78247282aba65dbd882ae225aa140ae63927dfd0946a441ee6fa64a1d8c146777b9
  • C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\20HRAY6B\microsoft.windows[1].xml
    Filesize  97B
    MD5       c72a7948ce8864550fb31eac2c23711f
    SHA1      6ad2c59dc76abe1067907f430e612d69f0da45aa
    SHA256    18d42f2b7115b106b1e5f14cb9e0c2b91473fab2070ab838c34032bbeae04941
    SHA512    fe62c104efe1c5ab83746619e69b1e7160d172ddb913cc626bf429fe9d32106fee9ea584d622b0d38525ab10afb82895615453cf9f2ac569b9943c432d09b0b7
  • memory/3156-1-0x0000000140000000-0x00000001400B2000-memory.dmp  Filesize 712KB
  • memory/3156-0-0x000001E49F130000-0x000001E49F137000-memory.dmp  Filesize 28KB
  • memory/3156-30-0x0000000140000000-0x00000001400B2000-memory.dmp  Filesize 712KB
  • memory/3436-11-0x0000000140000000-0x00000001400B2000-memory.dmp  Filesize 712KB
  • memory/3436-9-0x0000000140000000-0x00000001400B2000-memory.dmp  Filesize 712KB
  • memory/3436-18-0x0000000140000000-0x00000001400B2000-memory.dmp  Filesize 712KB
  • memory/3436-16-0x0000000140000000-0x00000001400B2000-memory.dmp  Filesize 712KB
  • memory/3436-17-0x0000000140000000-0x00000001400B2000-memory.dmp  Filesize 712KB
  • memory/3436-23-0x0000000001560000-0x0000000001567000-memory.dmp  Filesize 28KB
  • memory/3436-19-0x0000000140000000-0x00000001400B2000-memory.dmp  Filesize 712KB
  • memory/3436-15-0x0000000140000000-0x00000001400B2000-memory.dmp  Filesize 712KB
  • memory/3436-14-0x0000000140000000-0x00000001400B2000-memory.dmp  Filesize 712KB
  • memory/3436-13-0x0000000140000000-0x00000001400B2000-memory.dmp  Filesize 712KB
  • memory/3436-10-0x0000000140000000-0x00000001400B2000-memory.dmp  Filesize 712KB
  • memory/3436-7-0x0000000140000000-0x00000001400B2000-memory.dmp  Filesize 712KB
  • memory/3436-28-0x00000000032B0000-0x00000000032B1000-memory.dmp  Filesize 4KB
  • memory/3436-12-0x0000000140000000-0x00000001400B2000-memory.dmp  Filesize 712KB
  • memory/3436-3-0x0000000003380000-0x0000000003381000-memory.dmp  Filesize 4KB
  • memory/3436-6-0x0000000140000000-0x00000001400B2000-memory.dmp  Filesize 712KB
  • memory/3436-5-0x0000000140000000-0x00000001400B2000-memory.dmp  Filesize 712KB
  • memory/3436-8-0x00007FFCBE60A000-0x00007FFCBE60B000-memory.dmp  Filesize 4KB
  • memory/4468-60-0x00007FFCBFB50000-0x00007FFCBFB60000-memory.dmp  Filesize 64KB
  • memory/4468-59-0x00007FFCBFB60000-0x00007FFCBFB70000-memory.dmp  Filesize 64KB
  • memory/4468-58-0x0000000140000000-0x00000001400B2000-memory.dmp  Filesize 712KB
  • memory/4468-69-0x0000000140000000-0x00000001400B2000-memory.dmp  Filesize 712KB
  • memory/4468-82-0x00007FFCBFB70000-0x00007FFCBFD65000-memory.dmp  Filesize 2.0MB
  • memory/4468-49-0x0000000140000000-0x00000001400B2000-memory.dmp  Filesize 712KB
  • memory/4468-51-0x0000000004FF0000-0x0000000004FF7000-memory.dmp  Filesize 28KB
  • memory/4468-34-0x00007FFCBE5B0000-0x00007FFCBE66E000-memory.dmp  Filesize 760KB
  • memory/4468-32-0x00007FFCBFB70000-0x00007FFCBFD65000-memory.dmp  Filesize 2.0MB
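The memory listing is where the Dridex signatures actually come from. The same 0xB2000-byte (712KB) region, exactly the size of the submitted DLL, sits at base 0x140000000 in three processes: 3156 (the rundll32.exe loader), 4468 (an explorer.exe from the process tree) and 3436, which does not appear in the Processes section at all and is therefore presumably a process that already existed before the sample ran (an inference from the listing, not something the report states). Each of the three also holds a 28KB region, at unrelated addresses, which is consistent with the "shellcode injected in Explorer" signature but is not proven by the listing alone. The Python below is an added example, not Triage's own detection logic: it parses dump names of the form memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp, groups regions by base and size, and lists which other processes hold a copy of the loader's image. SAMPLE_DUMPS is a subset of the entries listed above; the function names and the 2-process threshold are mine.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Dump names in the report's memory listing have the shape
#   memory/<pid>-<dump index>-0x<start>-0x<end>-memory.dmp
_ENTRY_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp"
)

# Subset of the entries from the listing above (copied, not invented).
SAMPLE_DUMPS = [
    "memory/3156-1-0x0000000140000000-0x00000001400B2000-memory.dmp",
    "memory/3156-0-0x000001E49F130000-0x000001E49F137000-memory.dmp",
    "memory/3436-11-0x0000000140000000-0x00000001400B2000-memory.dmp",
    "memory/3436-23-0x0000000001560000-0x0000000001567000-memory.dmp",
    "memory/3436-28-0x00000000032B0000-0x00000000032B1000-memory.dmp",
    "memory/3436-8-0x00007FFCBE60A000-0x00007FFCBE60B000-memory.dmp",
    "memory/4468-58-0x0000000140000000-0x00000001400B2000-memory.dmp",
    "memory/4468-51-0x0000000004FF0000-0x0000000004FF7000-memory.dmp",
    "memory/4468-82-0x00007FFCBFB70000-0x00007FFCBFD65000-memory.dmp",
    "memory/4468-34-0x00007FFCBE5B0000-0x00007FFCBE66E000-memory.dmp",
    "memory/4468-60-0x00007FFCBFB50000-0x00007FFCBFB60000-memory.dmp",
]


@dataclass(frozen=True)
class Region:
    pid: int
    idx: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_regions(lines: Iterable[str]) -> List[Region]:
    """Parse dump names; anything that does not match the pattern is skipped."""
    regions = []
    for line in lines:
        m = _ENTRY_RE.search(line)
        if m:
            regions.append(Region(int(m["pid"]), int(m["idx"]),
                                  int(m["start"], 16), int(m["end"], 16)))
    return regions


def shared_regions(regions: List[Region], min_pids: int = 2) -> Dict[Tuple[int, int], List[int]]:
    """(base, size) -> sorted PIDs, for regions seen in at least min_pids processes.
    An image-sized region at the same base in several processes is the DLL being
    mapped (or manually loaded) into each of them."""
    pids = defaultdict(set)
    for r in regions:
        pids[(r.start, r.size)].add(r.pid)
    return {k: sorted(v) for k, v in pids.items() if len(v) >= min_pids}


def injection_candidates(regions: List[Region], loader_pid: int, image_size: int) -> List[int]:
    """PIDs other than the loader that hold a region of exactly image_size bytes
    at a base where the loader holds one too."""
    bases = {r.start for r in regions if r.pid == loader_pid and r.size == image_size}
    return sorted({r.pid for r in regions
                   if r.pid != loader_pid and r.size == image_size and r.start in bases})


def same_size_elsewhere(regions: List[Region], loader_pid: int, size: int) -> List[int]:
    """PIDs other than the loader holding a region of this size at any address:
    the footprint of a position-independent blob (shellcode) copied around."""
    return sorted({r.pid for r in regions if r.pid != loader_pid and r.size == size})


def human_size(n: int) -> str:
    """Format a byte count the way the report does (712KB, 2.0MB)."""
    if n >= 1 << 20:
        return f"{n / (1 << 20):.1f}MB"
    if n >= 1 << 10:
        return f"{n // (1 << 10)}KB"
    return f"{n}B"


if __name__ == "__main__":
    regs = parse_regions(SAMPLE_DUMPS)
    for (base, size), pids in sorted(shared_regions(regs).items()):
        print(f"0x{base:X} {human_size(size):>6} in PIDs {pids}")
    print("image copies outside loader:", injection_candidates(regs, 3156, 0xB2000))
    print("28KB blobs outside loader:", same_size_elsewhere(regs, 3156, 0x7000))
```

For triage, the value of this is deciding which process to pull a full dump from: the explorer.exe copies are where the unpacked core DLL lives, and 0x140000000 being the default x64 image base means the in-memory copy is likely to have relocations that have not been applied, which makes rebuilding the import table easier than it would be for a randomised base.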