Analysis

  • max time kernel
    149s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20231215-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    29-12-2023 20:46

General

  • Target

    038fac256867b97309719d78ffada177.dll

  • Size

    1.7MB

  • MD5

    038fac256867b97309719d78ffada177

  • SHA1

    fa48e8a93c0d26cdd5f4a442655f634d7a5e89e8

  • SHA256

    824b3fcc72e9e5493e7be24f46d26c1f5972846b947ce1782207faaf9458429a

  • SHA512

    59ba340ca23e03f969d0f62df6a1de329a90f8084a8fcb33e6393c7a3b80df28b5d12ed3802f2eee0cbb571f70c8381774ccabdcbb3caece35c22782880b84a0

  • SSDEEP

    12288:MVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:5fP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\038fac256867b97309719d78ffada177.dll,#1
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:3284
  • C:\Windows\system32\sethc.exe
    C:\Windows\system32\sethc.exe
    PID:4628
    • C:\Users\Admin\AppData\Local\WPtS\sethc.exe
      C:\Users\Admin\AppData\Local\WPtS\sethc.exe
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2516
    • C:\Windows\system32\dialer.exe
      C:\Windows\system32\dialer.exe
      PID:1272
      • C:\Users\Admin\AppData\Local\fZfLSmRY\PresentationHost.exe
        C:\Users\Admin\AppData\Local\fZfLSmRY\PresentationHost.exe
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2508
      • C:\Windows\system32\PresentationHost.exe
        C:\Windows\system32\PresentationHost.exe
        PID:1048
        • C:\Users\Admin\AppData\Local\taefz0o3\dialer.exe
          C:\Users\Admin\AppData\Local\taefz0o3\dialer.exe
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1588
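The signatures and the process tree above describe a loader pattern worth hunting for on other hosts: rundll32 runs the submitted DLL, copies of the Windows binaries sethc.exe, PresentationHost.exe and dialer.exe appear in randomly named %LOCALAPPDATA% folders next to OLEACC.dll, VERSION.dll and TAPI32.dll (DLLs those binaries load by name, a classic DLL side-loading layout), the relocated copies are executed, and a .lnk lands in the Startup folder alongside a Run-key write. The script below is an added example and is not part of this sandbox report or of any vendor tooling: it replays constructed Sysmon-style events built from the paths listed on this page and flags relocated system binaries, the EXE/DLL pairs dropped beside them, the Startup shortcut and the Run-key write. The event schema, the rule names, the benign control event and the Run-key value name Mkzwiunlad are assumptions made for the example.

```python
"""Hunt for the DLL side-loading / persistence pattern seen in this report.

Added example, not part of the sandbox report. Replays constructed events
shaped like Sysmon IDs 1 (ProcessCreate), 11 (FileCreate) and 13 (RegistryValueSet).
"""
import ntpath
import re

# System executables the report shows being copied out of System32 and run
# from user-writable folders. Extend this set for a broader hunt.
RELOCATABLE_SYSTEM_EXES = {"sethc.exe", "presentationhost.exe", "dialer.exe"}
# Legitimate homes of those binaries; a copy anywhere else is suspicious.
SYSTEM_DIR_RE = re.compile(r"^c:\\windows\\(system32|syswow64)\\", re.I)
# Startup-folder shortcut (also matches the 8.3 short-name form from the report).
STARTUP_RE = re.compile(r"\\programs\\startup\\[^\\]+\.lnk$", re.I)
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)

# Constructed sample events. File and image paths are taken from the report;
# the Run-key value name "Mkzwiunlad" is a HYPOTHETICAL assumption.
EVENTS = [
    {"id": 1, "pid": 3284, "image": r"C:\Windows\system32\rundll32.exe",
     "cmd": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\038fac256867b97309719d78ffada177.dll,#1"},
    {"id": 11, "pid": 3284, "target": r"C:\Users\Admin\AppData\Local\WPtS\sethc.exe"},
    {"id": 11, "pid": 3284, "target": r"C:\Users\Admin\AppData\Local\WPtS\OLEACC.dll"},
    {"id": 1, "pid": 2516, "image": r"C:\Users\Admin\AppData\Local\WPtS\sethc.exe", "cmd": "sethc.exe"},
    {"id": 11, "pid": 3284, "target": r"C:\Users\Admin\AppData\Local\fZfLSmRY\PresentationHost.exe"},
    {"id": 11, "pid": 3284, "target": r"C:\Users\Admin\AppData\Local\fZfLSmRY\VERSION.dll"},
    {"id": 1, "pid": 2508, "image": r"C:\Users\Admin\AppData\Local\fZfLSmRY\PresentationHost.exe",
     "cmd": "PresentationHost.exe"},
    # DLL written before its host EXE: the pairing step below must still catch it.
    {"id": 11, "pid": 3284, "target": r"C:\Users\Admin\AppData\Local\taefz0o3\TAPI32.dll"},
    {"id": 11, "pid": 3284, "target": r"C:\Users\Admin\AppData\Local\taefz0o3\dialer.exe"},
    {"id": 1, "pid": 1588, "image": r"C:\Users\Admin\AppData\Local\taefz0o3\dialer.exe", "cmd": "dialer.exe"},
    {"id": 11, "pid": 3284,
     "target": r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Mkzwiunlad.lnk"},
    {"id": 13, "pid": 3284, "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Mkzwiunlad"},
    # Benign control (constructed): the genuine sethc.exe in System32 must not fire.
    {"id": 1, "pid": 4628, "image": r"C:\Windows\system32\sethc.exe", "cmd": "sethc.exe"},
]


def hunt(events):
    """Return a list of (rule, detail) findings for an ordered event sequence."""
    findings = []
    dropped_exes = {}  # directory (lower-cased) -> relocated system EXE path
    dropped_dlls = {}  # directory (lower-cased) -> DLL paths written there
    for ev in events:
        if ev["id"] == 11:
            path = ev["target"]
            directory, name = ntpath.split(path)
            low = name.lower()
            if low in RELOCATABLE_SYSTEM_EXES and not SYSTEM_DIR_RE.match(path):
                dropped_exes[directory.lower()] = path
            elif low.endswith(".dll"):
                dropped_dlls.setdefault(directory.lower(), []).append(path)
            if STARTUP_RE.search(path):
                findings.append(("startup_lnk", path))
        elif ev["id"] == 13 and RUN_KEY_RE.search(ev["target"]):
            findings.append(("run_key", ev["target"]))
        elif ev["id"] == 1:
            image = ev["image"]
            if ntpath.basename(image).lower() in RELOCATABLE_SYSTEM_EXES and not SYSTEM_DIR_RE.match(image):
                findings.append(("relocated_system_exe", image))
    # Pair each relocated EXE with every DLL dropped into the same directory,
    # regardless of the order in which the two files were written.
    for directory, exe in dropped_exes.items():
        for dll in dropped_dlls.get(directory, []):
            findings.append(("sideload_pair", f"{exe} + {ntpath.basename(dll)}"))
    return findings


def rule_counts(events):
    """Count findings per rule; handy for a quick triage summary."""
    counts = {}
    for rule, _ in hunt(events):
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    for rule, detail in hunt(EVENTS):
        print(f"[{rule}] {detail}")
    print(rule_counts(EVENTS))
```

On real telemetry, feed the same three event types from Sysmon or EDR exports; the pairing step is what separates this pattern from a lone copy of a system binary, and the System32 control event shows the path check keeping the genuine sethc.exe out of the results.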

        Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\WPtS\OLEACC.dll

          Filesize

          5KB

          MD5

          74759d0e38886614ffd970ba0e00fdce

          SHA1

          49fcbd308b8313840997afe050216c6c41857184

          SHA256

          531136979657015c6e57b5f2efbe605611437b631c97cb491b1cb0db9754fc06

          SHA512

          92b062d4804bef6d9605b8e16afef9aa405effa372e1d5804a0976898cd404e3daf4165bead96ec7d7b583de486a635cc0bc4d3ef88168f8aa3512b298abb3f1

        • C:\Users\Admin\AppData\Local\WPtS\OLEACC.dll

          Filesize

          10KB

          MD5

          5df9d83b6d6d0f42b8ab88836f0ace7c

          SHA1

          cbea63d97174060bf1662f430bb802b1be0e50ec

          SHA256

          3c29bc7501b0004b4195b1937d29c5f6dba294b7f43e10ccfe4d521715a478e8

          SHA512

          0f73a97811d39835decece22a7ccd13f01ab61a5e2b7f20503ffee6b59cfa1ee0c5fc9460548d43dbaa01d9639e15eafdd96fa54ff07e989a024a97a3ea9ea68

        • C:\Users\Admin\AppData\Local\WPtS\sethc.exe

          Filesize

          12KB

          MD5

          31daac89fabb111e93e2092414b781a1

          SHA1

          998fbd5c4b2087cf1257b3090d01283dd6b8922c

          SHA256

          6b7f60c9210435e8b91e19fae5f58837cbc859de091c989a072de483afce8d70

          SHA512

          49a7f1498c80b8cb3c2b3884fa7b180f0bd8379e5e88f67fa1f3659d5e0f70a0f76ef7a48b56dd7256ab13621f873ccf9bea933943b05fdaadf25961bc9326d6

        • C:\Users\Admin\AppData\Local\WPtS\sethc.exe

          Filesize

          9KB

          MD5

          2ddd6bd13795c1ed85a2c34cde41be34

          SHA1

          0507accf6dde2030fb7b8d5a83f097f57d7534fb

          SHA256

          8f05b44d0b6216be1decc4f5ad105396612007118a42b5899cea183329a0e081

          SHA512

          f1dd8fba5f804a2bc41547ad62a2a5d038916ad6b69198da592c9e5668e71c57ee9ebceba9ef6adf8362b4ebbf0f4327b731b88333215bb530ec3300dda3168d

        • C:\Users\Admin\AppData\Local\fZfLSmRY\PresentationHost.exe

          Filesize

          112KB

          MD5

          99a9a64f40fa8ce1d33eb86d83312dfa

          SHA1

          648f17d5d47686fb2bed353428581bb4388437b2

          SHA256

          f9a2675dec64e7a3b96b803568b8389195130154b04df40d3ba47d55d7871d67

          SHA512

          8f9f3654f09ff82518ef5283381c5d9c41d9bd730315898b5f32316648fb7530ea5d637bd366e1c489dbc4afee4b81d0c6889f3326422de2954bf8e7e58ef65a

        • C:\Users\Admin\AppData\Local\fZfLSmRY\PresentationHost.exe

          Filesize

          106KB

          MD5

          ee60b1ef553dceadb946520849e9faff

          SHA1

          a95f2de4bf97e27c478a0aa8fa5525b67d993868

          SHA256

          028e9338f7bce3545bf555c91ae705208bd8a77292b67bdd3b297548e6ae4f3d

          SHA512

          ae6999c28989e7c189865cfdf9c7087e026eb8baa23fca205f4c715fd3bb50b6438e287564c71931f1e5f302092e865c79b3e6440244b8a6045dc425f67cdecd

        • C:\Users\Admin\AppData\Local\fZfLSmRY\VERSION.dll

          Filesize

          68KB

          MD5

          4e49d9ccd8c4a60a1df6c00003fc7d57

          SHA1

          149ff7ef6e9b38f1c94bb3d9a51e8cf9684e0d22

          SHA256

          3417279f0ee94a8dd3269e3eabf194247b96767e3c3daf51b4987eef05da3140

          SHA512

          6b98f290270683116cdfc4be268dcb1b6c9d3296734038fd5f4ad00ce37ad36d68f0ac14fe311623768a9ac7957edbc64698c9e831a56ad9c3600102d600ca47

        • C:\Users\Admin\AppData\Local\fZfLSmRY\VERSION.dll

          Filesize

          187KB

          MD5

          c0c40efe2324f16749010ad614da1916

          SHA1

          fe57416f136b5f4a06e538d8d31b2376a4dad715

          SHA256

          2e12f91a55d9302cb2f443e1401aca212e7cee2f75dd1f7e5ed2a4aef11e906c

          SHA512

          d5220da3f9905144a3221397193234531336ba27d2fbfb5f25eedb9632a696399d289a872c5e11a0a7292361e7c5a40ba422fc39cef900b9dc334819074fe19e

        • C:\Users\Admin\AppData\Local\fZfLSmRY\VERSION.dll

          Filesize

          92KB

          MD5

          2fa85ce75d415e6fdcf373af8eded28e

          SHA1

          eb2d9fffc43474a8ee35440df77cb14b74ba63b8

          SHA256

          b921e12c1c1a0558a25fbb910eb054dcda5ad641b97a2935a770599550b6ad34

          SHA512

          df7e302c4d8a80d02dad90f64b8650cbed92fcc0216b157b59e6a5c4c2ad1bb6f9dcd6dad2add7de4ac993ab7d0d1f97b1186d4a56eb5f04e93d73f42319d782

        • C:\Users\Admin\AppData\Local\taefz0o3\TAPI32.dll

          Filesize

          5KB

          MD5

          1a52acad7b118ad7dd82ddc91ea25b86

          SHA1

          77db4df19f1a69e0448683c7131d7f1f6a93ecc2

          SHA256

          726fdbf987c9dcc1076ddc4e163bf772a37d9b93bef9242a60cd6517a9938138

          SHA512

          de1b62aada8c4703ac135aa249f3d784d4112e020a45dd1b0ab5c23dfbc61b27ffb29ccecb710b908f75ba245b45ed436ed07cff9a947326136cfaf1f87e4152

        • C:\Users\Admin\AppData\Local\taefz0o3\TAPI32.dll

          Filesize

          86KB

          MD5

          4be7abd63212587d528572ee887338b8

          SHA1

          c5f2824696ea3bb6d25ef08b0054f416759154e1

          SHA256

          011c76173cfe98c345a30fc910b09f301febb497cb0ef6144eb48d43d93e127b

          SHA512

          ae1a576630ab726151c5ddbbb0ea5a8589a84ac5c06d92317acf1386890fad265f153661abd54e5e916a145065b3f55c271e1f57c1da98fd52956eb8cc24593f

        • C:\Users\Admin\AppData\Local\taefz0o3\dialer.exe

          Filesize

          39KB

          MD5

          b2626bdcf079c6516fc016ac5646df93

          SHA1

          838268205bd97d62a31094d53643c356ea7848a6

          SHA256

          e3ac5e6196f3a98c1946d85c653866c318bb2a86dd865deffa7b52f665d699bb

          SHA512

          615cfe1f91b895513c687906bf3439ca352afcadd3b73f950af0a3b5fb1b358168a7a25a6796407b212fde5f803dd880bcdc350d8bac7e7594090d37ce259971

        • C:\Users\Admin\AppData\Local\taefz0o3\dialer.exe

          Filesize

          5KB

          MD5

          13443f83e72219bcce9808f725d78bdc

          SHA1

          0fd5d014e722576cf79e5f11db189f6ce3467314

          SHA256

          32a9f8305aeb9304eaf6e47313df525b5fe8db70540ac01241b6959b0cdf35ac

          SHA512

          ace4c879e616dc1d24985fa6fe0452628d26c63413037f03c2b9fd358e514cc668bb72fc3d38b1ddfda7ec8ef5ef6c2466cd13853360f61449a5decd3329f434

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Mkzwiunlad.lnk

          Filesize

          1KB

          MD5

          4ff0eb7ac7c6cf76a384b9285f5e5b99

          SHA1

          aaf1e511831dfed824cfe7f161df53a9d29b33fb

          SHA256

          64f019d77ec06451f7abee18a165eb5fdecfeb2889b73890ee983b7cd4f66612

          SHA512

          dfd3b48856eedaed1d1e0bdd73aeaf102519886b7caee92ca4953a60ab188ae56fa6b67be64ef635bb15777d82c5014a8a4b296a4c086c66555a1544ace07acd

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\9cIM\TAPI32.dll

          Filesize

          64KB

          MD5

          1dcc58dbe2b56cd1eaf79096f87399ca

          SHA1

          58952440b96c0f213dfd9e7f3884212d7ec37046

          SHA256

          41d8ffacfff41e0da324f1fcc5b67c0db5495c4c2472d4337d1edc3b29bd3193

          SHA512

          601f7c0abdaacf4e6390bd4f43371ec3d84a0e67b8d42683f93eaf4cf47250f42a12d3df1bef96c48068f984bfc008dba57590182bdc5e0564ab07cf3332f4bc

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\H3wBI\VERSION.dll

          Filesize

          318KB

          MD5

          ef78efa8aa3022fc0ad54d5cc94bda82

          SHA1

          90053d5694d1ed1591f4ae317915d7d6d208a66b

          SHA256

          32f6aab462897e79b41edf5265f431abc00e109ba6b3bf0325897153c63f67ab

          SHA512

          98b33223e8be4d9a1eee073e0964937e823c0612c048acabb7e4f2c968179503398639ab3aa82e19ed1644b89961a7e1ae86d9c93d24b87d16a381eeb9dccaf0

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Nm\OLEACC.dll

          Filesize

          119KB

          MD5

          629eb0eabb0ac593b7f6b4e1f1189c1e

          SHA1

          8076b64bf9b41c0f7e05dcbea1e1558931669039

          SHA256

          afed70f54c9ad83eb061f9f1bc1cd059df9749b6a577e1d25a12741b0e356b38

          SHA512

          3a9c794a89fc5cd2b70284d0c93d9db158e370de7f66196cdb0014b20877637e94924935cc66fe5d95fb10e736f65ce7a734cd0dfe00bed9954954afe7bfbd97

        • memory/1588-85-0x0000029DAED00000-0x0000029DAED07000-memory.dmp

          Filesize

          28KB

        • memory/1588-86-0x0000000140000000-0x00000001401B4000-memory.dmp

          Filesize

          1.7MB

        • memory/1588-91-0x0000000140000000-0x00000001401B4000-memory.dmp

          Filesize

          1.7MB

        • memory/2508-109-0x000001761CBE0000-0x000001761CD93000-memory.dmp

          Filesize

          1.7MB

        • memory/2508-103-0x000001761CBE0000-0x000001761CD93000-memory.dmp

          Filesize

          1.7MB

        • memory/2508-104-0x000001761CAD0000-0x000001761CAD7000-memory.dmp

          Filesize

          28KB

        • memory/2516-74-0x0000000140000000-0x00000001401B3000-memory.dmp

          Filesize

          1.7MB

        • memory/2516-70-0x0000014BB6CC0000-0x0000014BB6CC7000-memory.dmp

          Filesize

          28KB

        • memory/2516-68-0x0000000140000000-0x00000001401B3000-memory.dmp

          Filesize

          1.7MB

        • memory/3284-0-0x0000000140000000-0x00000001401B2000-memory.dmp

          Filesize

          1.7MB

        • memory/3284-7-0x0000000140000000-0x00000001401B2000-memory.dmp

          Filesize

          1.7MB

        • memory/3284-1-0x0000018FA45C0000-0x0000018FA45C7000-memory.dmp

          Filesize

          28KB

        • memory/3520-37-0x0000000140000000-0x00000001401B2000-memory.dmp

          Filesize

          1.7MB

        • memory/3520-26-0x0000000140000000-0x00000001401B2000-memory.dmp

          Filesize

          1.7MB

        • memory/3520-34-0x0000000140000000-0x00000001401B2000-memory.dmp

          Filesize

          1.7MB

        • memory/3520-35-0x0000000140000000-0x00000001401B2000-memory.dmp

          Filesize

          1.7MB

        • memory/3520-59-0x0000000140000000-0x00000001401B2000-memory.dmp

          Filesize

          1.7MB

        • memory/3520-38-0x0000000140000000-0x00000001401B2000-memory.dmp

          Filesize

          1.7MB

        • memory/3520-42-0x0000000008350000-0x0000000008357000-memory.dmp

          Filesize

          28KB

        • memory/3520-57-0x0000000140000000-0x00000001401B2000-memory.dmp

          Filesize

          1.7MB

        • memory/3520-48-0x00007FFEDF640000-0x00007FFEDF650000-memory.dmp

          Filesize

          64KB

        • memory/3520-47-0x0000000140000000-0x00000001401B2000-memory.dmp

          Filesize

          1.7MB

        • memory/3520-39-0x0000000140000000-0x00000001401B2000-memory.dmp

          Filesize

          1.7MB

        • memory/3520-36-0x0000000140000000-0x00000001401B2000-memory.dmp

          Filesize

          1.7MB

        • memory/3520-29-0x0000000140000000-0x00000001401B2000-memory.dmp

          Filesize

          1.7MB

        • memory/3520-19-0x0000000140000000-0x00000001401B2000-memory.dmp

          Filesize

          1.7MB

        • memory/3520-32-0x0000000140000000-0x00000001401B2000-memory.dmp

          Filesize

          1.7MB

        • memory/3520-31-0x0000000140000000-0x00000001401B2000-memory.dmp

          Filesize

          1.7MB

        • memory/3520-30-0x0000000140000000-0x00000001401B2000-memory.dmp

          Filesize

          1.7MB

        • memory/3520-28-0x0000000140000000-0x00000001401B2000-memory.dmp

          Filesize

          1.7MB

        • memory/3520-27-0x0000000140000000-0x00000001401B2000-memory.dmp

          Filesize

          1.7MB

        • memory/3520-33-0x0000000140000000-0x00000001401B2000-memory.dmp

          Filesize

          1.7MB

        • memory/3520-25-0x0000000140000000-0x00000001401B2000-memory.dmp

          Filesize

          1.7MB

        • memory/3520-24-0x0000000140000000-0x00000001401B2000-memory.dmp

          Filesize

          1.7MB

        • memory/3520-23-0x0000000140000000-0x00000001401B2000-memory.dmp

          Filesize

          1.7MB

        • memory/3520-22-0x0000000140000000-0x00000001401B2000-memory.dmp

          Filesize

          1.7MB

        • memory/3520-21-0x0000000140000000-0x00000001401B2000-memory.dmp

          Filesize

          1.7MB

        • memory/3520-20-0x0000000140000000-0x00000001401B2000-memory.dmp

          Filesize

          1.7MB

        • memory/3520-18-0x0000000140000000-0x00000001401B2000-memory.dmp

          Filesize

          1.7MB

        • memory/3520-17-0x0000000140000000-0x00000001401B2000-memory.dmp

          Filesize

          1.7MB

        • memory/3520-16-0x0000000140000000-0x00000001401B2000-memory.dmp

          Filesize

          1.7MB

        • memory/3520-15-0x0000000140000000-0x00000001401B2000-memory.dmp

          Filesize

          1.7MB

        • memory/3520-14-0x0000000140000000-0x00000001401B2000-memory.dmp

          Filesize

          1.7MB

        • memory/3520-13-0x0000000140000000-0x00000001401B2000-memory.dmp

          Filesize

          1.7MB

        • memory/3520-12-0x0000000140000000-0x00000001401B2000-memory.dmp

          Filesize

          1.7MB

        • memory/3520-11-0x0000000140000000-0x00000001401B2000-memory.dmp

          Filesize

          1.7MB

        • memory/3520-8-0x0000000140000000-0x00000001401B2000-memory.dmp

          Filesize

          1.7MB

        • memory/3520-9-0x00007FFEDEECA000-0x00007FFEDEECB000-memory.dmp

          Filesize

          4KB

        • memory/3520-10-0x0000000140000000-0x00000001401B2000-memory.dmp

          Filesize

          1.7MB

        • memory/3520-6-0x0000000140000000-0x00000001401B2000-memory.dmp

          Filesize

          1.7MB

        • memory/3520-4-0x0000000008370000-0x0000000008371000-memory.dmp

          Filesize

          4KB