Analysis

  • max time kernel
    177s
  • max time network
    198s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29-12-2023 22:49

General

  • Target

    06194ae42efb4403b501d255e4ee8a4e.dll

  • Size

    2.9MB

  • MD5

    06194ae42efb4403b501d255e4ee8a4e

  • SHA1

    865df6831aee519d1619f07d5bfe5474fd5d5d26

  • SHA256

    3c710eec70ecf93ecdf44c999dafdab9edc3552a0c7a546116441691499be7b7

  • SHA512

    299da5d167d66a68f2ae5bbdf7bc64921840aa1a1a7bcbb9226bb8863fb8ba05ac383589eb6275e107c89ee5c130bef616f85fb2c1c28fb06aeb5efc915d6cf3

  • SSDEEP

    12288:hVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:QfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode (1 IoC)

    Detects Dridex payload shellcode injected into the Explorer process.

  • Executes dropped EXE (3 IoCs)
  • Loads dropped DLL (3 IoCs)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Checks whether UAC is enabled (1 TTP, 4 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of WriteProcessMemory (12 IoCs)
  • Uses Task Scheduler COM API (1 TTP)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\06194ae42efb4403b501d255e4ee8a4e.dll,#1
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:4680
  • C:\Windows\system32\EhStorAuthn.exe
    C:\Windows\system32\EhStorAuthn.exe
    PID:4880
    • C:\Users\Admin\AppData\Local\qmAdyM\EhStorAuthn.exe
      C:\Users\Admin\AppData\Local\qmAdyM\EhStorAuthn.exe
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:1264
    • C:\Windows\system32\ApplicationFrameHost.exe
      C:\Windows\system32\ApplicationFrameHost.exe
      PID:4560
      • C:\Users\Admin\AppData\Local\vQmiFV1Lw\ApplicationFrameHost.exe
        C:\Users\Admin\AppData\Local\vQmiFV1Lw\ApplicationFrameHost.exe
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:4088
      • C:\Windows\system32\mfpmp.exe
        C:\Windows\system32\mfpmp.exe
        PID:4020
        • C:\Users\Admin\AppData\Local\8lAFZBk\mfpmp.exe
          C:\Users\Admin\AppData\Local\8lAFZBk\mfpmp.exe
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:4872

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\8lAFZBk\MFPlat.DLL (85KB)
  • C:\Users\Admin\AppData\Local\8lAFZBk\MFPlat.DLL (1KB)
  • C:\Users\Admin\AppData\Local\8lAFZBk\mfpmp.exe (46KB)
  • C:\Users\Admin\AppData\Local\qmAdyM\EhStorAuthn.exe (66KB)
  • C:\Users\Admin\AppData\Local\qmAdyM\EhStorAuthn.exe (128KB)
  • C:\Users\Admin\AppData\Local\qmAdyM\UxTheme.dll (64KB)
  • C:\Users\Admin\AppData\Local\qmAdyM\UxTheme.dll (84KB)
  • C:\Users\Admin\AppData\Local\vQmiFV1Lw\ApplicationFrameHost.exe (24KB)
  • C:\Users\Admin\AppData\Local\vQmiFV1Lw\ApplicationFrameHost.exe (37KB)
  • C:\Users\Admin\AppData\Local\vQmiFV1Lw\dxgi.dll (62KB)
  • C:\Users\Admin\AppData\Local\vQmiFV1Lw\dxgi.dll (62KB)
  • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dyngdiaoitf.lnk (1KB)
  • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\7qU\dxgi.dll (2.9MB)
  • C:\Users\Admin\AppData\Roaming\Microsoft\UProof\QVIr\MFPlat.DLL (2.9MB)
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\XPTfrDzHkx\UxTheme.dll (2.9MB)