Analysis

  • max time kernel
    125s
  • max time network
    130s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19-01-2024 04:33

General

  • Target

    66b58767a74baad1c7515631dc19f40d.dll

  • Size

    1.4MB

  • MD5

    66b58767a74baad1c7515631dc19f40d

  • SHA1

    ee1d09e46fcb9cf0a71d4a055a82fd1e7b18580e

  • SHA256

    cf999aa80ee97169297cb4ba12d751d3b0bf3195f85022adf03933d10cb43641

  • SHA512

    d625c635b29537eba27e37d403515685f1cc8730906e749c5fdc08c78bef80b5dbf89ee31c5579a581aaa3f5cb76797f30c26540d4ef8bab6e00882cea45d060

  • SSDEEP

    12288:OVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:TfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Malware Config

Signatures

  • Dridex

    Dridex (known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

  • Drops startup file 3 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\66b58767a74baad1c7515631dc19f40d.dll,#1
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:4120
  • C:\Users\Admin\AppData\Local\xk8h71GN\omadmclient.exe
    C:\Users\Admin\AppData\Local\xk8h71GN\omadmclient.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:2248
  • C:\Windows\system32\omadmclient.exe
    C:\Windows\system32\omadmclient.exe
    PID:1144
  • C:\Users\Admin\AppData\Local\DmqfV6ms6\ddodiag.exe
    C:\Users\Admin\AppData\Local\DmqfV6ms6\ddodiag.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:3612
  • C:\Windows\system32\ddodiag.exe
    C:\Windows\system32\ddodiag.exe
    PID:3024
  • C:\Users\Admin\AppData\Local\ckaxRDN\consent.exe
    C:\Users\Admin\AppData\Local\ckaxRDN\consent.exe
    • Executes dropped EXE
    PID:2916
  • C:\Windows\system32\consent.exe
    C:\Windows\system32\consent.exe
    PID:388
  • C:\Users\Admin\AppData\Local\5MWKwBHYC\SystemPropertiesHardware.exe
    C:\Users\Admin\AppData\Local\5MWKwBHYC\SystemPropertiesHardware.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:4636
  • C:\Windows\system32\SystemPropertiesHardware.exe
    C:\Windows\system32\SystemPropertiesHardware.exe
    PID:3312

Network

MITRE ATT&CK Enterprise v15

Downloads

          • C:\Users\Admin\AppData\Local\5MWKwBHYC\SYSDM.CPL

            Filesize

            61KB

            MD5

            1657cfc067fe91de086c24bb726d1943

            SHA1

            87dfc38e2fa660c9372d2a63aa38f55cb7f8360e

            SHA256

            fc83d91b4daa487294f38fb3bb02c48fff9f7332a4e84d8c6a89dc5d9056d875

            SHA512

            a117a086eb8cc1863aa617032d3aab86b2ff99198e7b18f2e5af05071245d201d4794a4d94e57dd6ae0880ad58a23c611362ba288fd39d71d80d212b9fe335b7

          • C:\Users\Admin\AppData\Local\5MWKwBHYC\SYSDM.CPL

            Filesize

            18KB

            MD5

            9becf0eaa466f93349b296fe95f50d03

            SHA1

            f05eab6b4a041e386236d42275494a7d6dadd84c

            SHA256

            8d1d4a632313502f85e46ab4e3cfbc44a5fd0ae6cb8b52625de2ce9295f4ab95

            SHA512

            34ae90015af7e25c6a16dfad264cfebd1c3fd4e0bcc0ab8be5b56c1687daa8f3304367e186f46e671e551a827430b1a6acbc3f19f0534ac7d663134333a9c8e5

          • C:\Users\Admin\AppData\Local\5MWKwBHYC\SystemPropertiesHardware.exe

            Filesize

            82KB

            MD5

            bf5bc0d70a936890d38d2510ee07a2cd

            SHA1

            69d5971fd264d8128f5633db9003afef5fad8f10

            SHA256

            c8ebd920399ebcf3ab72bd325b71a6b4c6119dfecea03f25059a920c4d32acc7

            SHA512

            0e129044777cbbf5ea995715159c50773c1818fc5e8faa5c827fd631b44c086b34dfdcbe174b105891ccc3882cc63a8664d189fb6a631d8f589de4e01a862f51

          • C:\Users\Admin\AppData\Local\DmqfV6ms6\XmlLite.dll

            Filesize

            75KB

            MD5

            fbe63f65c62052165e3cf82ef7d80873

            SHA1

            ab62f39145b01a38135efcbc448d858da8f05614

            SHA256

            452964b5b653d9ca566597388dfdd33a02dbf9bf2a78c6b844886528908b0399

            SHA512

            608b519d59f1241d37baaea9706b177e2454c5b48247b04fc64c12002bbb2fbf46c2037cce33df6948702e4c6e95e68c6e0961f01b40de303bed55b77aa3db04

          • C:\Users\Admin\AppData\Local\DmqfV6ms6\XmlLite.dll

            Filesize

            34KB

            MD5

            1389c23b07c8a25e292e12e66310f2c1

            SHA1

            8000969b9af4e9704e83f7ab292723da43009575

            SHA256

            556ebef22cd0d80cd2b016fe10efd5b0ed15a597ae1488b190f0b1f02cb9a0cb

            SHA512

            55001a5b13ae66a306a00f1b6f367518e58d724e3ae83187df05fa0dfcbf34194adbbd9d355e809ff09f0190960824c318ee928cdf1fa774fb9d1d95ee9bd4a6

          • C:\Users\Admin\AppData\Local\DmqfV6ms6\ddodiag.exe

            Filesize

            39KB

            MD5

            85feee634a6aee90f0108e26d3d9bc1f

            SHA1

            a7b1fa32fe7ed67bd51dea438f2f767e3fef0ca2

            SHA256

            99c63175504781e9278824d487da082da7c014e99f1024227af164986d3a27c6

            SHA512

            b81a3e1723a5180c5168cd7bb5181c631f4f57c59780bb82a502160b7874777f3eef1ebe1b14f66c97f9f1a4721af13b6fbcdff2045c8563c18b5d12540953ff

          • C:\Users\Admin\AppData\Local\ckaxRDN\consent.exe

            Filesize

            149KB

            MD5

            f14012de9453de18090da57482efec44

            SHA1

            b10d3693d20ac487d8a7ad72aef59069b6dc1cee

            SHA256

            e14bb8a9d2a3151e46de16134a3f5ba3d83d4b93c7c2ff7ffce9dc3cec807afe

            SHA512

            d0e96411cf6e95cbe5408cd5270df36c92325918356ce77bdd523ad07973abbcac465a7599086df696ea0f2d446f9d646480446c9e3295296928cc7aa6d35fa1

          • C:\Users\Admin\AppData\Local\xk8h71GN\XmlLite.dll

            Filesize

            92KB

            MD5

            edc45517be95f74758fe159ba9ece7a1

            SHA1

            6df1203e21d6cc555befe6b430312376f9cdc90d

            SHA256

            53419f9de09773f0dd34a28038380286d4474c14436f921abfad4388501752c0

            SHA512

            856e132fd0c636fb4e7fd40f4672ea389fe14dc1d587f1f23299459482686ad725c113209f6d3561c1aa139369cfb43bd2bb52fdcbb365b121e5eefb7f8dc9da

          • C:\Users\Admin\AppData\Local\xk8h71GN\XmlLite.dll

            Filesize

            107KB

            MD5

            5490b284ae504f3d5ad748235c40910b

            SHA1

            e007becbe5f93356918d6e316ce551d391430024

            SHA256

            27c3fb87ae5346c8d340b9ccce3445690cba919396a788229395372adc5b4230

            SHA512

            c2b2a67386d40dabfc5aafa39b6e3638a7c11cdad03aff9e729a45a0f015c7c8a04002fa516288ae38e9d64136baad42f957d4846e0167e5a98fd792aa50c5ff

          • C:\Users\Admin\AppData\Local\xk8h71GN\omadmclient.exe

            Filesize

            50KB

            MD5

            f0ef277737dabf16b52a4acf60ed5146

            SHA1

            87698ce0ba58280fde00f2be1e7eab850fe9a460

            SHA256

            cc596f2277b883f2740326d2c9183c99d232f80977b8d30b82892e7c30819cd5

            SHA512

            cffb294814e23c8aaef768712da2d62af17c9d9a7c3ece6384d65c7feaf15416716019bf92fe3a1f4022ba7ec204c84695a2bd35f378311f29d2bc03897be922

          • C:\Users\Admin\AppData\Local\xk8h71GN\omadmclient.exe

            Filesize

            73KB

            MD5

            403ea46a5b216dbada5b9a66b3031aa4

            SHA1

            af659f65b7e37339b111c4ab06dc9b9b49c37361

            SHA256

            9237f05192661b89a20c0b5ed9581d489585c982783a81d0970aaba635b89249

            SHA512

            d590d7101a52b9647d08b4ab5c47e07f2a244527ff01d9e8f44ab63911ffe7e803e35155c6d42c2a8590ef8de7561564de6c1b1510bdd3846cee420078810c5c

          • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Mkzwiunlad.lnk

            Filesize

            1KB

            MD5

            a3abddca61a5fb5258a83b9d6fc20f73

            SHA1

            9297f8df9f10d11bf095f5fae9b0bfd9eadccf60

            SHA256

            4216b3df40cb5d026fe68e59a91db42b09fd0215e4b96491612d93d676ce838a

            SHA512

            2958eab3a794e0986e4cd2af1646ed5f0f3f38345cd4118d68fe5d6540879d97b029ac8f57aa243ef46b07812d88f64a53cd9e1ca7c0eea6745a9256c87c0329

          • C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\hoa7DJjyq\SYSDM.CPL

            Filesize

            1.4MB

            MD5

            43f9b2ef10806ed46c67166e6d37c016

            SHA1

            b5f82510b57a6b059df2040cfbd4a1bc5e862ffd

            SHA256

            2cfac8ff17ba180fc77b9a20debc0b37c98add4fb24221aadb4379485c1b4ffc

            SHA512

            195dd8613448d2f975b2a59eac1b3ea3a3b9eb9797f404c07ec17938e07c361b8e928885096c72cd25a5b0a89f758dd75b35cfaab3b54230df615776eb5ea452

          • C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\p0RlpZzK6gn\XmlLite.dll

            Filesize

            1.4MB

            MD5

            8368c263236aa10ca231e0edbe61723a

            SHA1

            232be5f5b0063e7cda0de861a2ad4f6101f307e0

            SHA256

            cc75253244aedf7ca8c10dae6e34454b510dc9a8c21e122fb5141990df02ada2

            SHA512

            b7db184dcc37a3e4586842d0a14d38ef57bd83e6af1bce785388ca03bc47aeb8b3bca3b3cf3fd33783cc924b7c5f905b31df6bbce5aa3006b69dfd6cf71c99fb

          • C:\Users\Admin\AppData\Roaming\Sun\Java\Deployment\arcklMd\XmlLite.dll

            Filesize

            1.4MB

            MD5

            6260f862cfa3ac0298b5db3f15b30f25

            SHA1

            bc3912e439abf603c64b9bd4d62d7a7872e25d4a

            SHA256

            3244578bdf3a5b079fbb4fb86a688b4037b048d3d1b237b1c301dcc4a2b60c10

            SHA512

            c6ec558136887d3c8b62b27e0b856701a28bfaaed2b7e28c17f0f10047a0148231cf29cef5b003b563a44fce5a077a83ba2b54cb6f16fd444d5dad0cb03bfc05

          • memory/2248-110-0x0000000140000000-0x0000000140169000-memory.dmp

            Filesize

            1.4MB

          • memory/2248-107-0x000002EBDC4E0000-0x000002EBDC4E7000-memory.dmp

            Filesize

            28KB

          • memory/3488-25-0x0000000140000000-0x0000000140168000-memory.dmp

            Filesize

            1.4MB

          • memory/3488-21-0x0000000140000000-0x0000000140168000-memory.dmp

            Filesize

            1.4MB

          • memory/3488-33-0x0000000140000000-0x0000000140168000-memory.dmp

            Filesize

            1.4MB

          • memory/3488-36-0x0000000001120000-0x0000000001127000-memory.dmp

            Filesize

            28KB

          • memory/3488-32-0x0000000140000000-0x0000000140168000-memory.dmp

            Filesize

            1.4MB

          • memory/3488-31-0x0000000140000000-0x0000000140168000-memory.dmp

            Filesize

            1.4MB

          • memory/3488-29-0x0000000140000000-0x0000000140168000-memory.dmp

            Filesize

            1.4MB

          • memory/3488-26-0x0000000140000000-0x0000000140168000-memory.dmp

            Filesize

            1.4MB

          • memory/3488-14-0x0000000140000000-0x0000000140168000-memory.dmp

            Filesize

            1.4MB

          • memory/3488-13-0x0000000140000000-0x0000000140168000-memory.dmp

            Filesize

            1.4MB

          • memory/3488-12-0x0000000140000000-0x0000000140168000-memory.dmp

            Filesize

            1.4MB

          • memory/3488-11-0x0000000140000000-0x0000000140168000-memory.dmp

            Filesize

            1.4MB

          • memory/3488-9-0x00007FFEFA03A000-0x00007FFEFA03B000-memory.dmp

            Filesize

            4KB

          • memory/3488-8-0x0000000140000000-0x0000000140168000-memory.dmp

            Filesize

            1.4MB

          • memory/3488-10-0x0000000140000000-0x0000000140168000-memory.dmp

            Filesize

            1.4MB

          • memory/3488-42-0x00007FFEFA3E0000-0x00007FFEFA3F0000-memory.dmp

            Filesize

            64KB

          • memory/3488-41-0x0000000140000000-0x0000000140168000-memory.dmp

            Filesize

            1.4MB

          • memory/3488-53-0x0000000140000000-0x0000000140168000-memory.dmp

            Filesize

            1.4MB

          • memory/3488-30-0x0000000140000000-0x0000000140168000-memory.dmp

            Filesize

            1.4MB

          • memory/3488-28-0x0000000140000000-0x0000000140168000-memory.dmp

            Filesize

            1.4MB

          • memory/3488-15-0x0000000140000000-0x0000000140168000-memory.dmp

            Filesize

            1.4MB

          • memory/3488-4-0x0000000003610000-0x0000000003611000-memory.dmp

            Filesize

            4KB

          • memory/3488-6-0x0000000140000000-0x0000000140168000-memory.dmp

            Filesize

            1.4MB

          • memory/3488-51-0x0000000140000000-0x0000000140168000-memory.dmp

            Filesize

            1.4MB

          • memory/3488-17-0x0000000140000000-0x0000000140168000-memory.dmp

            Filesize

            1.4MB

          • memory/3488-24-0x0000000140000000-0x0000000140168000-memory.dmp

            Filesize

            1.4MB

          • memory/3488-16-0x0000000140000000-0x0000000140168000-memory.dmp

            Filesize

            1.4MB

          • memory/3488-19-0x0000000140000000-0x0000000140168000-memory.dmp

            Filesize

            1.4MB

          • memory/3488-22-0x0000000140000000-0x0000000140168000-memory.dmp

            Filesize

            1.4MB

          • memory/3488-23-0x0000000140000000-0x0000000140168000-memory.dmp

            Filesize

            1.4MB

          • memory/3488-20-0x0000000140000000-0x0000000140168000-memory.dmp

            Filesize

            1.4MB

          • memory/3488-27-0x0000000140000000-0x0000000140168000-memory.dmp

            Filesize

            1.4MB

          • memory/3488-18-0x0000000140000000-0x0000000140168000-memory.dmp

            Filesize

            1.4MB

          • memory/3612-89-0x0000023179E80000-0x0000023179E87000-memory.dmp

            Filesize

            28KB

          • memory/3612-93-0x0000000140000000-0x0000000140169000-memory.dmp

            Filesize

            1.4MB

          • memory/4120-1-0x0000000140000000-0x0000000140168000-memory.dmp

            Filesize

            1.4MB

          • memory/4120-7-0x0000000140000000-0x0000000140168000-memory.dmp

            Filesize

            1.4MB

          • memory/4120-0-0x000002427D300000-0x000002427D307000-memory.dmp

            Filesize

            28KB

          • memory/4636-62-0x0000000140000000-0x0000000140169000-memory.dmp

            Filesize

            1.4MB

          • memory/4636-63-0x0000020971970000-0x0000020971977000-memory.dmp

            Filesize

            28KB

          • memory/4636-68-0x0000000140000000-0x0000000140169000-memory.dmp

            Filesize

            1.4MB