Analysis

  • max time kernel
    143s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29-12-2023 23:37

General

  • Target

    0724ac274c2aa56ae735cccf77b3f98e.dll

  • Size

    1.8MB

  • MD5

    0724ac274c2aa56ae735cccf77b3f98e

  • SHA1

    de36f531d90ea25637d0601ef4aa0695120baedb

  • SHA256

    c1c4df943e9c4ec308cef81052e29707a94810f3c3a018a0be8072d4e2a59cd5

  • SHA512

    f488a0c0cac2bd9f594933a663cdda07d54643da5b51eeab5709107d584c60728dc1279c114644310a4b39e7824a41e65d051b0bac56b0c5356e8c5f3963330f

  • SSDEEP

    12288:RVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:gfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex payload shellcode injected into the Explorer process.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\0724ac274c2aa56ae735cccf77b3f98e.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:3500
  • C:\Windows\system32\wlrmdr.exe
    C:\Windows\system32\wlrmdr.exe
    1⤵
      PID:996
    • C:\Users\Admin\AppData\Local\hKpXJ\wlrmdr.exe
      C:\Users\Admin\AppData\Local\hKpXJ\wlrmdr.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2820
    • C:\Windows\system32\RdpSaUacHelper.exe
      C:\Windows\system32\RdpSaUacHelper.exe
      1⤵
        PID:3384
      • C:\Users\Admin\AppData\Local\9ijXD\RdpSaUacHelper.exe
        C:\Users\Admin\AppData\Local\9ijXD\RdpSaUacHelper.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:1696
      • C:\Windows\system32\msdt.exe
        C:\Windows\system32\msdt.exe
        1⤵
          PID:1736
        • C:\Users\Admin\AppData\Local\3iF5Y\msdt.exe
          C:\Users\Admin\AppData\Local\3iF5Y\msdt.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1632

Network

MITRE ATT&CK Enterprise v15

Downloads

        • C:\Users\Admin\AppData\Local\3iF5Y\UxTheme.dll

          Filesize

          1.8MB

          MD5

          658f82507b5fa9445a83a38312af28bc

          SHA1

          fc7a89399847b65de4459bc34bbb7b53f9af9904

          SHA256

          fe8dea4166d614d0103e02bb257fa4f6e5f2946ae59a15cf4aa506f53f476efa

          SHA512

          cb63fb22f3a54fc65c279fb771e25ef854e298e8ae3ba1b9d65a725f4616284850b0f0cfaf4e773ab4711c04daaedba020e9858fb52798bc58436972724cba2b

        • C:\Users\Admin\AppData\Local\3iF5Y\msdt.exe

          Filesize

          421KB

          MD5

          992c3f0cc8180f2f51156671e027ae75

          SHA1

          942ec8c2ccfcacd75a1cd86cbe8873aee5115e29

          SHA256

          6859d1b5d1beaa2985b298f3fcee67f0aac747687a9dec2b4376585e99e9756f

          SHA512

          1f1b8d39e29274cfc87a9ef1510adb9c530086a421c121523376731c8933c6e234e9146310d3767ce888a8dce7a5713221f4d25e5b7b6398d06ae2be2b99eadf

        • C:\Users\Admin\AppData\Local\9ijXD\RdpSaUacHelper.exe

          Filesize

          33KB

          MD5

          0d5b016ac7e7b6257c069e8bb40845de

          SHA1

          5282f30e90cbd1be8da95b73bc1b6a7d041e43c2

          SHA256

          6a6fdd834af9c79c5ffc5e6b51700030259aeae535f8626df84b07b7d2cee067

          SHA512

          cd44d8b70fc67c692e6966b4ad86a7de9c96df0bade1b3a80cb4767be159d64f3cc04dc5934f7d843b15101865089e43b8aecabddc370b22caf0c48b56b3430e

        • C:\Users\Admin\AppData\Local\9ijXD\WINSTA.dll

          Filesize

          1.8MB

          MD5

          e7da7ef61ca915d5346deddef7316a09

          SHA1

          4f166900b88086a201818337295b00cde7bbab08

          SHA256

          d752b79d9df6f7fe13405a1c6862a92a93e086c7c89e6178979fd8a1a050204c

          SHA512

          7331bac2e61f391d0ecdd48192e0aee7a546663ef7d4b99172d7d0cb16eded840242406fb7d857d5bf05db9ef37ea173d07c722c990f918f702d3236dea24cb7

        • C:\Users\Admin\AppData\Local\hKpXJ\DUI70.dll

          Filesize

          49KB

          MD5

          4e4f4e4a13e0d17a792824f22679e305

          SHA1

          983aae98a73b55ec9ba7545180c19cb3db91d6f7

          SHA256

          eb059c47f0492143581a566e5464fc14cf38c4e542688102dccdc2401b5cd69d

          SHA512

          046da1ca89c66ab12a9f1f27197c5f2cfe41ca5231456a40627ee508044a6cb4e69e7172a63897dce4f903a1883c3d8471f96195c3f4e99d70935083b6af55d0

        • C:\Users\Admin\AppData\Local\hKpXJ\DUI70.dll

          Filesize

          94KB

          MD5

          d572895cebd24e9d61357ef48497a083

          SHA1

          b48e519d03220fb78f7f5b75c25a235fdcdcc1a6

          SHA256

          304b562f9ed4dd95be477826cd828c6fd38e9fb59af7901585116ced012f5685

          SHA512

          f5a8828cf0e7e166340c299b1c8cd97771b34e0b19479a544251bbb011db5165d2e9ac947422e7a8cc75b46a247b7688d88a581d181eec0034e06376a6561d36

        • C:\Users\Admin\AppData\Local\hKpXJ\wlrmdr.exe

          Filesize

          1KB

          MD5

          dabbfef50f731f12f346b83f567cecea

          SHA1

          4904741f17a2afd395f7a58e704d237b2192e93e

          SHA256

          66cf68b465172eed24459e28d0b74f66fc23d73ad7723fe1e56ae4c529677e17

          SHA512

          6c0896ec991b1eac89dd7870ea2696e2b350fdadd6f880839fd2a61a242ce82367016a1279e62e018f2a919f07bf87ef768e43f10132214ee81c527db01be24f

        • C:\Users\Admin\AppData\Local\hKpXJ\wlrmdr.exe

          Filesize

          66KB

          MD5

          ef9bba7a637a11b224a90bf90a8943ac

          SHA1

          4747ec6efd2d41e049159249c2d888189bb33d1d

          SHA256

          2fda95aafb2e9284c730bf912b93f60a75b151941adc14445ed1e056140325b1

          SHA512

          4c1fdb8e4bf25546a2a33c95268593746f5ae2666ce36c6d9ba5833357f13720c4722231224e82308af8c156485a2c86ffd97e3093717a28d1300d3787ef1831

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dvizybqqo.lnk

          Filesize

          984B

          MD5

          6379441ac0d453219c6637e229a6bb2c

          SHA1

          2c8931504af11cbb91965dd703bcce8c784435d5

          SHA256

          ef54baf12291f7eee44e67b55d557ab3d9edced6d3d99677a729ad5ba544ee8f

          SHA512

          57038fb05926d807ce88b9133f7bec770362a079eba6d653debeb0ffd0539c480c8a1a65fa65aaa589204caf462258b5453e09f4b8c5798a6a212727e385c9da

        • C:\Users\Admin\AppData\Roaming\Microsoft\Qq3I\DUI70.dll

          Filesize

          2.1MB

          MD5

          5e90060a71a514ec725c8ee66b905b3b

          SHA1

          e22584625f27adb071c7da6363c68bc23fab42d4

          SHA256

          daaf7376615b0897b36e083930a1a6508e82b528dd0b7d444f79b50838ed5b33

          SHA512

          60072412b53253ca78bffe731ee22d153adf1f242de53ee5b170a7278ada7bd1ce8b19476f4ce4977d1fa13d0bebc38004d2099fca3ab403c2d7a35b5d846dcb

        • memory/1632-125-0x000002137E480000-0x000002137E487000-memory.dmp

          Filesize

          28KB

        • memory/1632-124-0x0000000140000000-0x00000001401C9000-memory.dmp

          Filesize

          1.8MB

        • memory/1632-131-0x0000000140000000-0x00000001401C9000-memory.dmp

          Filesize

          1.8MB

        • memory/1696-103-0x0000000140000000-0x00000001401CA000-memory.dmp

          Filesize

          1.8MB

        • memory/1696-106-0x0000018329760000-0x0000018329767000-memory.dmp

          Filesize

          28KB

        • memory/1696-112-0x0000000140000000-0x00000001401CA000-memory.dmp

          Filesize

          1.8MB

        • memory/2820-91-0x0000000140000000-0x000000014020E000-memory.dmp

          Filesize

          2.1MB

        • memory/2820-84-0x0000000140000000-0x000000014020E000-memory.dmp

          Filesize

          2.1MB

        • memory/2820-86-0x0000015567CF0000-0x0000015567CF7000-memory.dmp

          Filesize

          28KB

        • memory/3416-22-0x0000000140000000-0x00000001401C8000-memory.dmp

          Filesize

          1.8MB

        • memory/3416-53-0x0000000140000000-0x00000001401C8000-memory.dmp

          Filesize

          1.8MB

        • memory/3416-27-0x0000000140000000-0x00000001401C8000-memory.dmp

          Filesize

          1.8MB

        • memory/3416-29-0x0000000140000000-0x00000001401C8000-memory.dmp

          Filesize

          1.8MB

        • memory/3416-32-0x0000000140000000-0x00000001401C8000-memory.dmp

          Filesize

          1.8MB

        • memory/3416-33-0x0000000140000000-0x00000001401C8000-memory.dmp

          Filesize

          1.8MB

        • memory/3416-31-0x0000000140000000-0x00000001401C8000-memory.dmp

          Filesize

          1.8MB

        • memory/3416-30-0x0000000140000000-0x00000001401C8000-memory.dmp

          Filesize

          1.8MB

        • memory/3416-28-0x0000000140000000-0x00000001401C8000-memory.dmp

          Filesize

          1.8MB

        • memory/3416-26-0x0000000140000000-0x00000001401C8000-memory.dmp

          Filesize

          1.8MB

        • memory/3416-25-0x0000000140000000-0x00000001401C8000-memory.dmp

          Filesize

          1.8MB

        • memory/3416-34-0x0000000140000000-0x00000001401C8000-memory.dmp

          Filesize

          1.8MB

        • memory/3416-35-0x0000000140000000-0x00000001401C8000-memory.dmp

          Filesize

          1.8MB

        • memory/3416-23-0x0000000140000000-0x00000001401C8000-memory.dmp

          Filesize

          1.8MB

        • memory/3416-36-0x0000000140000000-0x00000001401C8000-memory.dmp

          Filesize

          1.8MB

        • memory/3416-37-0x0000000140000000-0x00000001401C8000-memory.dmp

          Filesize

          1.8MB

        • memory/3416-40-0x0000000140000000-0x00000001401C8000-memory.dmp

          Filesize

          1.8MB

        • memory/3416-41-0x0000000140000000-0x00000001401C8000-memory.dmp

          Filesize

          1.8MB

        • memory/3416-42-0x0000000140000000-0x00000001401C8000-memory.dmp

          Filesize

          1.8MB

        • memory/3416-44-0x0000000140000000-0x00000001401C8000-memory.dmp

          Filesize

          1.8MB

        • memory/3416-45-0x0000000140000000-0x00000001401C8000-memory.dmp

          Filesize

          1.8MB

        • memory/3416-43-0x0000000140000000-0x00000001401C8000-memory.dmp

          Filesize

          1.8MB

        • memory/3416-46-0x0000000140000000-0x00000001401C8000-memory.dmp

          Filesize

          1.8MB

        • memory/3416-48-0x0000000140000000-0x00000001401C8000-memory.dmp

          Filesize

          1.8MB

        • memory/3416-50-0x0000000140000000-0x00000001401C8000-memory.dmp

          Filesize

          1.8MB

        • memory/3416-51-0x0000000140000000-0x00000001401C8000-memory.dmp

          Filesize

          1.8MB

        • memory/3416-49-0x0000000140000000-0x00000001401C8000-memory.dmp

          Filesize

          1.8MB

        • memory/3416-47-0x0000000140000000-0x00000001401C8000-memory.dmp

          Filesize

          1.8MB

        • memory/3416-39-0x0000000140000000-0x00000001401C8000-memory.dmp

          Filesize

          1.8MB

        • memory/3416-24-0x0000000140000000-0x00000001401C8000-memory.dmp

          Filesize

          1.8MB

        • memory/3416-55-0x0000000003270000-0x0000000003277000-memory.dmp

          Filesize

          28KB

        • memory/3416-54-0x0000000140000000-0x00000001401C8000-memory.dmp

          Filesize

          1.8MB

        • memory/3416-52-0x0000000140000000-0x00000001401C8000-memory.dmp

          Filesize

          1.8MB

        • memory/3416-38-0x0000000140000000-0x00000001401C8000-memory.dmp

          Filesize

          1.8MB

        • memory/3416-62-0x0000000140000000-0x00000001401C8000-memory.dmp

          Filesize

          1.8MB

        • memory/3416-63-0x00007FF9B22C0000-0x00007FF9B22D0000-memory.dmp

          Filesize

          64KB

        • memory/3416-72-0x0000000140000000-0x00000001401C8000-memory.dmp

          Filesize

          1.8MB

        • memory/3416-74-0x0000000140000000-0x00000001401C8000-memory.dmp

          Filesize

          1.8MB

        • memory/3416-5-0x0000000003290000-0x0000000003291000-memory.dmp

          Filesize

          4KB

        • memory/3416-21-0x0000000140000000-0x00000001401C8000-memory.dmp

          Filesize

          1.8MB

        • memory/3416-20-0x0000000140000000-0x00000001401C8000-memory.dmp

          Filesize

          1.8MB

        • memory/3416-19-0x0000000140000000-0x00000001401C8000-memory.dmp

          Filesize

          1.8MB

        • memory/3416-18-0x0000000140000000-0x00000001401C8000-memory.dmp

          Filesize

          1.8MB

        • memory/3416-17-0x0000000140000000-0x00000001401C8000-memory.dmp

          Filesize

          1.8MB

        • memory/3416-16-0x0000000140000000-0x00000001401C8000-memory.dmp

          Filesize

          1.8MB

        • memory/3416-7-0x00007FF9B140A000-0x00007FF9B140B000-memory.dmp

          Filesize

          4KB

        • memory/3416-15-0x0000000140000000-0x00000001401C8000-memory.dmp

          Filesize

          1.8MB

        • memory/3416-14-0x0000000140000000-0x00000001401C8000-memory.dmp

          Filesize

          1.8MB

        • memory/3416-13-0x0000000140000000-0x00000001401C8000-memory.dmp

          Filesize

          1.8MB

        • memory/3416-12-0x0000000140000000-0x00000001401C8000-memory.dmp

          Filesize

          1.8MB

        • memory/3416-11-0x0000000140000000-0x00000001401C8000-memory.dmp

          Filesize

          1.8MB

        • memory/3416-10-0x0000000140000000-0x00000001401C8000-memory.dmp

          Filesize

          1.8MB

        • memory/3416-8-0x0000000140000000-0x00000001401C8000-memory.dmp

          Filesize

          1.8MB

        • memory/3500-9-0x0000000140000000-0x00000001401C8000-memory.dmp

          Filesize

          1.8MB

        • memory/3500-0-0x0000000140000000-0x00000001401C8000-memory.dmp

          Filesize

          1.8MB

        • memory/3500-1-0x0000000140000000-0x00000001401C8000-memory.dmp

          Filesize

          1.8MB

        • memory/3500-2-0x0000027429EE0000-0x0000027429EE7000-memory.dmp

          Filesize

          28KB