Analysis

  • max time kernel
    105s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29-12-2023 21:00

General

  • Target

    03e11938813980f4ee92eafaa1ef0941.dll

  • Size

    1.7MB

  • MD5

    03e11938813980f4ee92eafaa1ef0941

  • SHA1

    e38ff61eaaee9fd598dc696034625b95a6e8e444

  • SHA256

    fb7090afa187d1404a763ce8352a48a9c6fa47da4f1c0dd1b0cbfb87a59c56e0

  • SHA512

    4066cb8ecfaf9fdf0badc021d3d1c21d632d9242a7e9a5ccbe5e6683fd21802ea8e780428ce87b745d2241efe2e45b58e341f63b65dd2fb432eca1e9714cf418

  • SSDEEP

    12288:DVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:SfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex payload shellcode injected into the Explorer process.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\03e11938813980f4ee92eafaa1ef0941.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:4136
  • C:\Windows\system32\SystemSettingsAdminFlows.exe
    C:\Windows\system32\SystemSettingsAdminFlows.exe
    1⤵
      PID:1584
    • C:\Users\Admin\AppData\Local\mc03LfmPq\SystemSettingsAdminFlows.exe
      C:\Users\Admin\AppData\Local\mc03LfmPq\SystemSettingsAdminFlows.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:4888
    • C:\Windows\system32\CustomShellHost.exe
      C:\Windows\system32\CustomShellHost.exe
      1⤵
        PID:464
      • C:\Users\Admin\AppData\Local\69ktdcgS2\CustomShellHost.exe
        C:\Users\Admin\AppData\Local\69ktdcgS2\CustomShellHost.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:1476
      • C:\Windows\system32\cttune.exe
        C:\Windows\system32\cttune.exe
        1⤵
          PID:4996
        • C:\Users\Admin\AppData\Local\C6enDh\cttune.exe
          C:\Users\Admin\AppData\Local\C6enDh\cttune.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:4712

Network

MITRE ATT&CK Enterprise v15

Downloads

        • C:\Users\Admin\AppData\Local\69ktdcgS2\CustomShellHost.exe

          Filesize

          96KB

          MD5

          f92199156cf1f91aaa5bff734aed09b3

          SHA1

          ae5bc3f2e43b3a8617143e5850c834f7235c34d4

          SHA256

          380aff4cd080732de58063e52a72d265423af4a1f0b32dcd9183b1469cf11c95

          SHA512

          9e671bf56f7e52b89e312f7f8d8bd418132b30ee00832d6e3cdf98ca5eec533dca0c86f40b3d5389933055076cd3858c13ee3e178eb68d55130636a441dfd74f

        • C:\Users\Admin\AppData\Local\69ktdcgS2\CustomShellHost.exe

          Filesize

          68KB

          MD5

          bfdbc5b5b29614128f3e38c8f321661b

          SHA1

          9847f223504df6bd8a0ddeb4e791e4417aad3075

          SHA256

          8a7cdc52f090909e03b7e8ddfb07a1fdb177bff4daee55da056b43cf16cb6156

          SHA512

          96e3f6562a1995eedb5815e19424314b9757da1106f481674a5b9b17b89beead3efb37c8d55f1aa0dd95493502ce61c622348317c245f753ed75c5ab791c3363

        • C:\Users\Admin\AppData\Local\69ktdcgS2\WTSAPI32.dll

          Filesize

          15KB

          MD5

          30fe2af7022f5bd6a4cdf59970538af4

          SHA1

          189e096dde55d0039e0e55682b99d6a6fc91d594

          SHA256

          a00381d88b901692acb722fb5f1bdecdd4ddd40a31669fe2565ebd2e1fad4260

          SHA512

          7e1c8a8300ee96b9f8585dbecfc03013b9bcc711ad07b064d72d7d6c893f75dfca03aa77f5a5d6bb235e4e542070a32184145d37f9c078abea187eb5e626a770

        • C:\Users\Admin\AppData\Local\69ktdcgS2\WTSAPI32.dll

          Filesize

          132KB

          MD5

          3e030ced6c50f647839ff6c367839c69

          SHA1

          503291061fc8cdda51da2051e089028c446e47be

          SHA256

          bbb1282167f5c24fd7c05c93888a02ca7eeeb9ceab43ddc92d43056654feed05

          SHA512

          bb95627d5338714da2698d7b3810defcc5b925a17c4b7091d389764816301d7056e688298568556a7035dfd3a861e6c32539c835874206540b079ca95bd6365a

        • C:\Users\Admin\AppData\Local\C6enDh\UxTheme.dll

          Filesize

          96KB

          MD5

          72fb66357c41065b83cb6096a4f26c6d

          SHA1

          21d574a7c31d3bbb34e8074d253fd649083ab3fd

          SHA256

          81ae209331dde4dfa56c9de7c1ee90925a5c064192882d43478b3eecc60422b4

          SHA512

          d1a39781baefe71c80102fb4cce166a49a626b1839aa90e81a8378b435170d42399734f26f94fdd73094ac1981adab7c4238d1536d329004607723b2424b5387

        • C:\Users\Admin\AppData\Local\C6enDh\UxTheme.dll

          Filesize

          57KB

          MD5

          1909445d25f24955ff2bf6cf97f239f1

          SHA1

          ac63b002be40252f7d18b5672acc441dc163196e

          SHA256

          f75ceee749224959bff78ff564eb306aacc99f89c78be4072e3b0ce1965a123e

          SHA512

          019f059585eee03afc987e8d8cc49bb7db46031efb1e2655516d94d2a4ecd63b88e18d0c727cf0ed8868fa06e50031e646a637ba49dc24a3c506579a30ad256b

        • C:\Users\Admin\AppData\Local\C6enDh\cttune.exe

          Filesize

          90KB

          MD5

          fa924465a33833f41c1a39f6221ba460

          SHA1

          801d505d81e49d2b4ffa316245ca69ff58c523c3

          SHA256

          de2d871afe2c071cf305fc488875563b778e7279e57030ba1a1c9f7e360748da

          SHA512

          eef91316e1a679cc2183d4fe9f8f40b5efa6d06f7d1246fd399292e14952053309b6891059da88134a184d9bd0298a45a1bf4bc9f27140b1a31b9523acbf3757

        • C:\Users\Admin\AppData\Local\C6enDh\cttune.exe

          Filesize

          74KB

          MD5

          a2c3492d5f3c512821243ba4c3df9937

          SHA1

          c5a38116ac10675c5db6350867b968cc6fe8ee3e

          SHA256

          b23733ae85cb215f5e09b75d69647fd85d4cda38117bfc7084674a7bfe7ae9aa

          SHA512

          1a036a9716cd127f018567c714eddea10342143ae55a23b2d54fe691c69c2ac0d59e13f079f309fa8f3ee6a259d630ad376a26bdb0e0fa8ebf69e9d6ae0cc43a

        • C:\Users\Admin\AppData\Local\mc03LfmPq\DUI70.dll

          Filesize

          201KB

          MD5

          6c77b777852436bd0b8549df3e1a6c70

          SHA1

          30da76f742f03d354234663427c25f99fca31f9d

          SHA256

          61e8db8a339a3303589a56211c4053aa1026e382d8e22dbb32142d798d2731b1

          SHA512

          e2fc39101b3ce2187c4c46b73e8a904fa64a04d488c47f20534136a7c1d90856026802c9b55516e1105caeb548f9e70022da840f44ee1394fbd4a7dada932074

        • C:\Users\Admin\AppData\Local\mc03LfmPq\DUI70.dll

          Filesize

          5KB

          MD5

          5e6007d6992d12d473dca484430c85a3

          SHA1

          18c51555a796075691ec4424c75806c0c8524f3e

          SHA256

          95604438e448b4dce62cf79a346bbc6a1e0aae364d9944531e6d6606084802c2

          SHA512

          8b2d24781ea56dd94393aa3d450aac2a2ab65b23ea9f791cd2a75e7c067c65b61cb0d8470773b1d1f7ad696e0a3a70e15d96b7cecf950ce11c0d0b9b29a2729e

        • C:\Users\Admin\AppData\Local\mc03LfmPq\SystemSettingsAdminFlows.exe

          Filesize

          90KB

          MD5

          dad49a2ed8b860e5132a500545f3e6b1

          SHA1

          ccb5f1fc084d030c383e75837d52a24bc7951b9c

          SHA256

          65eb3b20af11e155bf01c267737a954685b57dd4bfc6c730250a313a237ba57a

          SHA512

          08d42d8e6b9800e6374eeca38fbb1365fef07f70731967fa55d3e81f8c995c1a6890c3faa98859b66168133e2e56760a8263cceb77fb77734ab0cf1faf16d7bf

        • C:\Users\Admin\AppData\Local\mc03LfmPq\SystemSettingsAdminFlows.exe

          Filesize

          119KB

          MD5

          0c1e303490ba876cbbb9d6ff0653f159

          SHA1

          61cca6c175fed82e0c1d3143dd8934bb448f2a15

          SHA256

          083a30206190a4649d2c9cda0b22934d3c039d134dcb4c2a9a7040a9feaee315

          SHA512

          4cfbf2df0c065eeefb053e514873fb296641462a8048a36e05cb7decbcb76c4c105908b714e42cb45badf028e6fd970f6da23d2b462ac3c62d155de8b83b4647

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Hxquhu.lnk

          Filesize

          1KB

          MD5

          b22a54f73944d54d9d21d0fc7394b040

          SHA1

          76101561d9280f164efe28496c3021886354755a

          SHA256

          e1650353c967cc8b28ce17862b89136b8e6be44044d9cd25a0927a0a12a72535

          SHA512

          1f93433716462f806e8aa693396519e94f8af28cc8282dd832c0682a997f231d26dbf404fe7f52c79e25635ae5a8e43cae1bba7ee0e4f7e86780ecb6171463c4

        • C:\Users\Admin\AppData\Roaming\Microsoft\Protect\S-1-5-21-3336304223-2978740688-3645194410-1000\NSDXXy1QSco\DUI70.dll

          Filesize

          56KB

          MD5

          5813ba8feb8a25732f8999fdfa0ababd

          SHA1

          1c9b31ea650c84ad001c9be1176226c0a4af3e27

          SHA256

          1014d30df4656aade879ef019409cacc575156d9a4fb71417d4005e27a45c33e

          SHA512

          cea22ed8553c707af97d19edb7e3913947631d0a77a0220f0ed345dfccd7a9086b4f250eade04f01c4be81f28c372e99d964b2abb3fb85057ebfc3c0ab4a6dc6

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\BUB\UxTheme.dll

          Filesize

          846KB

          MD5

          26fd07b60df0f06d9a3d8ec388a1e8b0

          SHA1

          c05a3918a3628447ba0d6573c3a01809dee231c0

          SHA256

          660708beff7a57349fdd815626df83215daa16228ee2e1a1b263eefd1b97b799

          SHA512

          c511cb328b3dccb28d3e61b4a676effd6de997f9a63ee4234561c3fbf6f13d72cf8b3eedbffc123fbfbb7cbd38059681ddbf3e0520845f4a1113ed6939398b63

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\u3eN\WTSAPI32.dll

          Filesize

          178KB

          MD5

          f1b451dd604cf008840b23ae41fcd211

          SHA1

          aae8670b778330c42f02f07711133bf8cf41691f

          SHA256

          84821a3dbbeb12add62ec98e566afc1789a57aabbf3d7e9feec6a4ccb9adf4e2

          SHA512

          40a4a5b1e9cb4d7d4e2b09705242d3a8caf5112cbe2300df60d86aa0fc88809dd6417b5fe76134406e41fc1b4a4d57e152addf2db19f514c28ff5ddfbbf0b641

        • memory/1476-98-0x000002572CDC0000-0x000002572CDC7000-memory.dmp

          Filesize

          28KB

        • memory/1476-104-0x0000000140000000-0x00000001401B1000-memory.dmp

          Filesize

          1.7MB

        • memory/1476-99-0x0000000140000000-0x00000001401B1000-memory.dmp

          Filesize

          1.7MB

        • memory/3500-29-0x0000000140000000-0x00000001401B0000-memory.dmp

          Filesize

          1.7MB

        • memory/3500-25-0x0000000140000000-0x00000001401B0000-memory.dmp

          Filesize

          1.7MB

        • memory/3500-20-0x0000000140000000-0x00000001401B0000-memory.dmp

          Filesize

          1.7MB

        • memory/3500-19-0x0000000140000000-0x00000001401B0000-memory.dmp

          Filesize

          1.7MB

        • memory/3500-18-0x0000000140000000-0x00000001401B0000-memory.dmp

          Filesize

          1.7MB

        • memory/3500-17-0x0000000140000000-0x00000001401B0000-memory.dmp

          Filesize

          1.7MB

        • memory/3500-15-0x0000000140000000-0x00000001401B0000-memory.dmp

          Filesize

          1.7MB

        • memory/3500-14-0x0000000140000000-0x00000001401B0000-memory.dmp

          Filesize

          1.7MB

        • memory/3500-13-0x0000000140000000-0x00000001401B0000-memory.dmp

          Filesize

          1.7MB

        • memory/3500-11-0x0000000140000000-0x00000001401B0000-memory.dmp

          Filesize

          1.7MB

        • memory/3500-10-0x0000000140000000-0x00000001401B0000-memory.dmp

          Filesize

          1.7MB

        • memory/3500-9-0x0000000140000000-0x00000001401B0000-memory.dmp

          Filesize

          1.7MB

        • memory/3500-8-0x0000000140000000-0x00000001401B0000-memory.dmp

          Filesize

          1.7MB

        • memory/3500-6-0x00007FFC905EA000-0x00007FFC905EB000-memory.dmp

          Filesize

          4KB

        • memory/3500-4-0x00000000027C0000-0x00000000027C1000-memory.dmp

          Filesize

          4KB

        • memory/3500-7-0x0000000140000000-0x00000001401B0000-memory.dmp

          Filesize

          1.7MB

        • memory/3500-44-0x0000000140000000-0x00000001401B0000-memory.dmp

          Filesize

          1.7MB

        • memory/3500-45-0x00007FFC91240000-0x00007FFC91250000-memory.dmp

          Filesize

          64KB

        • memory/3500-54-0x0000000140000000-0x00000001401B0000-memory.dmp

          Filesize

          1.7MB

        • memory/3500-56-0x0000000140000000-0x00000001401B0000-memory.dmp

          Filesize

          1.7MB

        • memory/3500-23-0x0000000140000000-0x00000001401B0000-memory.dmp

          Filesize

          1.7MB

        • memory/3500-24-0x0000000140000000-0x00000001401B0000-memory.dmp

          Filesize

          1.7MB

        • memory/3500-12-0x0000000140000000-0x00000001401B0000-memory.dmp

          Filesize

          1.7MB

        • memory/3500-16-0x0000000140000000-0x00000001401B0000-memory.dmp

          Filesize

          1.7MB

        • memory/3500-21-0x0000000140000000-0x00000001401B0000-memory.dmp

          Filesize

          1.7MB

        • memory/3500-28-0x0000000140000000-0x00000001401B0000-memory.dmp

          Filesize

          1.7MB

        • memory/3500-27-0x0000000140000000-0x00000001401B0000-memory.dmp

          Filesize

          1.7MB

        • memory/3500-22-0x0000000140000000-0x00000001401B0000-memory.dmp

          Filesize

          1.7MB

        • memory/3500-32-0x0000000140000000-0x00000001401B0000-memory.dmp

          Filesize

          1.7MB

        • memory/3500-35-0x0000000140000000-0x00000001401B0000-memory.dmp

          Filesize

          1.7MB

        • memory/3500-36-0x00000000006E0000-0x00000000006E7000-memory.dmp

          Filesize

          28KB

        • memory/3500-34-0x0000000140000000-0x00000001401B0000-memory.dmp

          Filesize

          1.7MB

        • memory/3500-33-0x0000000140000000-0x00000001401B0000-memory.dmp

          Filesize

          1.7MB

        • memory/3500-31-0x0000000140000000-0x00000001401B0000-memory.dmp

          Filesize

          1.7MB

        • memory/3500-30-0x0000000140000000-0x00000001401B0000-memory.dmp

          Filesize

          1.7MB

        • memory/3500-26-0x0000000140000000-0x00000001401B0000-memory.dmp

          Filesize

          1.7MB

        • memory/4136-0-0x00000190D4790000-0x00000190D4797000-memory.dmp

          Filesize

          28KB

        • memory/4136-43-0x0000000140000000-0x00000001401B0000-memory.dmp

          Filesize

          1.7MB

        • memory/4136-1-0x0000000140000000-0x00000001401B0000-memory.dmp

          Filesize

          1.7MB

        • memory/4712-116-0x000001D291020000-0x000001D291027000-memory.dmp

          Filesize

          28KB

        • memory/4712-121-0x0000000140000000-0x00000001401B1000-memory.dmp

          Filesize

          1.7MB

        • memory/4888-65-0x0000019C5E140000-0x0000019C5E147000-memory.dmp

          Filesize

          28KB

        • memory/4888-71-0x0000000140000000-0x00000001401F6000-memory.dmp

          Filesize

          2.0MB

        • memory/4888-66-0x0000000140000000-0x00000001401F6000-memory.dmp

          Filesize

          2.0MB