Analysis

  • max time kernel
    0s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30-12-2023 00:26

General

  • Target

    08813f878cb82d72137f676d7e09709d.dll

  • Size

    2.5MB

  • MD5

    08813f878cb82d72137f676d7e09709d

  • SHA1

    f88f26f38331241120189c141189e91d8ca4dd50

  • SHA256

    d019c751d5e32cf0c6ae6a66e17f3c47b9ab46b76eea50f8d5e450841060c8ac

  • SHA512

    8d363518c30a7c18c5efba51af8a9eb517e2995ae3e11da66231badbea752b861a00f71bee7635498b536400c9dab1e24fffa92c7e6ccbd10e6e2b24319c3cfc

  • SSDEEP

    12288:kVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:BfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a banking trojan that specializes in stealing banking credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex payload shellcode injected into the Explorer process.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\08813f878cb82d72137f676d7e09709d.dll,#1
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1268
  • C:\Windows\system32\SnippingTool.exe
    C:\Windows\system32\SnippingTool.exe
    PID:4968
  • C:\Users\Admin\AppData\Local\KNl5pWS\SnippingTool.exe
    C:\Users\Admin\AppData\Local\KNl5pWS\SnippingTool.exe
    PID:212
  • C:\Windows\system32\SystemPropertiesPerformance.exe
    C:\Windows\system32\SystemPropertiesPerformance.exe
    PID:372
  • C:\Users\Admin\AppData\Local\scNI\SystemPropertiesPerformance.exe
    C:\Users\Admin\AppData\Local\scNI\SystemPropertiesPerformance.exe
    PID:3124
  • C:\Windows\system32\WFS.exe
    C:\Windows\system32\WFS.exe
    PID:1708
  • C:\Users\Admin\AppData\Local\M0Yq9A0LP\WFS.exe
    C:\Users\Admin\AppData\Local\M0Yq9A0LP\WFS.exe
    PID:3760
  • C:\Users\Admin\AppData\Local\v3WX0c\rdpshell.exe
    C:\Users\Admin\AppData\Local\v3WX0c\rdpshell.exe
    PID:1412
  • C:\Windows\system32\rdpshell.exe
    C:\Windows\system32\rdpshell.exe
    PID:3608

                  Network

                  MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\KNl5pWS\SnippingTool.exe
    Filesize 3.2MB
    MD5 f06d69f2fdd4d6a4e16f55769b7dccc1
    SHA1 735eb9b032d924b59a8767b9d49bdb88bed05220
    SHA256 83be001996cd4d9e5a1a8cd130e17e5b5ee81c9b5cf1b9d9196d8a39fbf7506d
    SHA512 ccc1bff59636e91763659749d67b9f6255765ed5aed4b40b6f8111d4136a7e2fe9e0726396b0c837e4ab8717528134273ffc0825a205e501a13bf1d3aee5046b

  • C:\Users\Admin\AppData\Local\KNl5pWS\UxTheme.dll
    Filesize 2.5MB
    MD5 efb660c46eabf1839d56a247b76eb486
    SHA1 28f5a8401ea50912ab78960c9ac0782ce50e876b
    SHA256 b7f5bc51aeae152db7860ad5eb1be113f908a4ec586c9a9ab3e773d1cc2def06
    SHA512 0b9736c7abb12457598bb78fd312b7a7a216ed42b36261d5cb505b656cb182d666d67174db4c69300ecb25f34fa1f45fd8f72d1e9ba0257d6e3f78efa65b3b32

  • C:\Users\Admin\AppData\Local\M0Yq9A0LP\WFS.exe
    Filesize 944KB
    MD5 3cbc8d0f65e3db6c76c119ed7c2ffd85
    SHA1 e74f794d86196e3bbb852522479946cceeed7e01
    SHA256 e23e4182efe7ed61aaf369696e1ce304c3818df33d1663872b6d3c75499d81f4
    SHA512 26ae5845a804b9eb752078f1ffa80a476648a8a9508b4f7ba56c94acd4198f3ba59c77add4feb7e0420070222af56521ca5f6334f466d5db272c816930513f0a

  • C:\Users\Admin\AppData\Local\M0Yq9A0LP\WINMM.dll
    Filesize 2.5MB
    MD5 ffa29a0f8976cfd0978359816ac1ceef
    SHA1 19bbf883dade99f5b8aa9aa6a905ff715407489b
    SHA256 ad0a9b592c828be50149228eca0a24c348590c082333a7d72a4347e1415d6f98
    SHA512 948d243a46ebd239f562552a858a21464d22b4e0b9a2f6aa25d28b56d40aa6e229bbc2e7ba40f2242c9485e54bc15fde3f0747f4f8be7d4ad0a6122e7f3bdcd3

  • C:\Users\Admin\AppData\Local\scNI\SYSDM.CPL
    Filesize 2.5MB
    MD5 01c83aec0f436727c461955e4ce5a073
    SHA1 33b2c4420dd10b80cc4ca69fb83f9020ea4d7da1
    SHA256 ad09755a40e452d57b913485173a69228fa102e6c444066234dc1cfa44a8fa1a
    SHA512 4bc10e985d2f80f449a5036fb1a4a0c0659ca08f266b5c8b0febb737f16aa54877ec4f7da0ccf8c3614616c7fc7ca5bdc8bd8524a16059c52c1b98ef16d75b9b

  • C:\Users\Admin\AppData\Local\scNI\SystemPropertiesPerformance.exe
    Filesize 82KB
    MD5 e4fbf7cab8669c7c9cef92205d2f2ffc
    SHA1 adbfa782b7998720fa85678cc85863b961975e28
    SHA256 b266318d45a4245556a2e39b763f2f11eca780969105f6f103e53dd0a492bb30
    SHA512 c5c62578d04133352d6cb7b018df96a7b55c18d6111ab8bf2bfe232a3315a63b07047fa5b0b88551d152085776c66169b47566242c8c4c5e0333c55adc64e1b6

  • C:\Users\Admin\AppData\Local\v3WX0c\WINSTA.dll
    Filesize 2.5MB
    MD5 281f5c6b3f8604b2a89f75d82072d3bf
    SHA1 e5cfb1b1efa4f4043fc27c5f1bc34711bc1a4325
    SHA256 c6c78ae89fe5715b713859b6789c3a601104a6ccb36303addd0829c94b8e401a
    SHA512 0cf401348549e0b43338e95f8b426cd2ba7122db7428076baca0f87809dc099fdedb53f65f1b29d4ef5a8c8dcd332a41a2b839ceb5bf74cd544550ca6eacf7b7

  • C:\Users\Admin\AppData\Local\v3WX0c\rdpshell.exe
    Filesize 468KB
    MD5 428066713f225bb8431340fa670671d4
    SHA1 47f6878ff33317c3fc09c494df729a463bda174c
    SHA256 da6c395a2018d3439ad580a19e6a1ca5ff29ef9074411ee9f9f1b0a6365dfebd
    SHA512 292aad2762ae4dc519c69411aa114a29894f60ffac103813db4946f2fac4f5a166f66523c421529d6847c0882d8ab467392ee8da1e3a4fca0d6d4e6ebda5b737

  • memory/1268-7-0x0000000140000000-0x0000000140280000-memory.dmp (Filesize 2.5MB)
  • memory/1268-2-0x000001EDE4750000-0x000001EDE4757000-memory.dmp (Filesize 28KB)
  • memory/1268-0-0x0000000140000000-0x0000000140280000-memory.dmp (Filesize 2.5MB)
  • memory/1412-82-0x0000000140000000-0x0000000140282000-memory.dmp (Filesize 2.5MB)
  • memory/1412-76-0x0000000140000000-0x0000000140282000-memory.dmp (Filesize 2.5MB)
  • memory/1412-78-0x0000017087CE0000-0x0000017087CE7000-memory.dmp (Filesize 28KB)
  • memory/3124-95-0x0000018CB5F50000-0x0000018CB5F57000-memory.dmp (Filesize 28KB)
  • memory/3124-99-0x0000000140000000-0x0000000140281000-memory.dmp (Filesize 2.5MB)
  • memory/3124-93-0x0000000140000000-0x0000000140281000-memory.dmp (Filesize 2.5MB)
  • memory/3560-55-0x0000000140000000-0x0000000140280000-memory.dmp (Filesize 2.5MB)
  • memory/3560-11-0x0000000140000000-0x0000000140280000-memory.dmp (Filesize 2.5MB)
  • memory/3560-32-0x0000000140000000-0x0000000140280000-memory.dmp (Filesize 2.5MB)
  • memory/3560-31-0x0000000140000000-0x0000000140280000-memory.dmp (Filesize 2.5MB)
  • memory/3560-30-0x0000000140000000-0x0000000140280000-memory.dmp (Filesize 2.5MB)
  • memory/3560-28-0x0000000140000000-0x0000000140280000-memory.dmp (Filesize 2.5MB)
  • memory/3560-27-0x0000000140000000-0x0000000140280000-memory.dmp (Filesize 2.5MB)
  • memory/3560-26-0x0000000140000000-0x0000000140280000-memory.dmp (Filesize 2.5MB)
  • memory/3560-25-0x0000000140000000-0x0000000140280000-memory.dmp (Filesize 2.5MB)
  • memory/3560-23-0x0000000140000000-0x0000000140280000-memory.dmp (Filesize 2.5MB)
  • memory/3560-22-0x0000000140000000-0x0000000140280000-memory.dmp (Filesize 2.5MB)
  • memory/3560-21-0x0000000140000000-0x0000000140280000-memory.dmp (Filesize 2.5MB)
  • memory/3560-19-0x0000000140000000-0x0000000140280000-memory.dmp (Filesize 2.5MB)
  • memory/3560-18-0x0000000140000000-0x0000000140280000-memory.dmp (Filesize 2.5MB)
  • memory/3560-17-0x0000000140000000-0x0000000140280000-memory.dmp (Filesize 2.5MB)
  • memory/3560-16-0x0000000140000000-0x0000000140280000-memory.dmp (Filesize 2.5MB)
  • memory/3560-15-0x0000000140000000-0x0000000140280000-memory.dmp (Filesize 2.5MB)
  • memory/3560-13-0x0000000140000000-0x0000000140280000-memory.dmp (Filesize 2.5MB)
  • memory/3560-12-0x0000000140000000-0x0000000140280000-memory.dmp (Filesize 2.5MB)
  • memory/3560-33-0x0000000140000000-0x0000000140280000-memory.dmp (Filesize 2.5MB)
  • memory/3560-10-0x0000000140000000-0x0000000140280000-memory.dmp (Filesize 2.5MB)
  • memory/3560-9-0x00007FFCCDECA000-0x00007FFCCDECB000-memory.dmp (Filesize 4KB)
  • memory/3560-34-0x0000000140000000-0x0000000140280000-memory.dmp (Filesize 2.5MB)
  • memory/3560-8-0x0000000140000000-0x0000000140280000-memory.dmp (Filesize 2.5MB)
  • memory/3560-4-0x0000000002700000-0x0000000002701000-memory.dmp (Filesize 4KB)
  • memory/3560-36-0x0000000140000000-0x0000000140280000-memory.dmp (Filesize 2.5MB)
  • memory/3560-46-0x00007FFCCE120000-0x00007FFCCE130000-memory.dmp (Filesize 64KB)
  • memory/3560-57-0x0000000140000000-0x0000000140280000-memory.dmp (Filesize 2.5MB)
  • memory/3560-45-0x0000000140000000-0x0000000140280000-memory.dmp (Filesize 2.5MB)
  • memory/3560-38-0x0000000001F70000-0x0000000001F77000-memory.dmp (Filesize 28KB)
  • memory/3560-37-0x0000000140000000-0x0000000140280000-memory.dmp (Filesize 2.5MB)
  • memory/3560-35-0x0000000140000000-0x0000000140280000-memory.dmp (Filesize 2.5MB)
  • memory/3560-29-0x0000000140000000-0x0000000140280000-memory.dmp (Filesize 2.5MB)
  • memory/3560-6-0x0000000140000000-0x0000000140280000-memory.dmp (Filesize 2.5MB)
  • memory/3560-14-0x0000000140000000-0x0000000140280000-memory.dmp (Filesize 2.5MB)
  • memory/3560-24-0x0000000140000000-0x0000000140280000-memory.dmp (Filesize 2.5MB)
  • memory/3560-20-0x0000000140000000-0x0000000140280000-memory.dmp (Filesize 2.5MB)
  • memory/3760-116-0x0000000140000000-0x0000000140282000-memory.dmp (Filesize 2.5MB)
  • memory/3760-110-0x000001B1E1260000-0x000001B1E1267000-memory.dmp (Filesize 28KB)