Analysis

  • max time kernel
    12s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19-01-2024 08:44

General

  • Target

    672feea11a362219307b071df8f2dfa3.dll

  • Size

    2.2MB

  • MD5

    672feea11a362219307b071df8f2dfa3

  • SHA1

    580f8a932ac435b2b29011b922f9e75316e15398

  • SHA256

    2ba43678d9bb9bc374a126ea5792659d1b09bcb9ecb21dcbc233889a27082eef

  • SHA512

    36bb2bf5572df4cd8e33042a08e3bc7b2c22cce687ecb61feb254f04c6c486a0228cb8d747d7833bbbb6300fa51b0aed24b19f6a23bf7ba34a5ae03a7519147c

  • SSDEEP

    12288:4VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1Yt:tfP7fWsK5z9A+WGAW+V5SB6Ct4bnbYt

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex payload shellcode injected into the Explorer process.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\672feea11a362219307b071df8f2dfa3.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2548
  • C:\Windows\system32\OptionalFeatures.exe
    C:\Windows\system32\OptionalFeatures.exe
    1⤵
    PID:5088
  • C:\Windows\system32\sdclt.exe
    C:\Windows\system32\sdclt.exe
    1⤵
    PID:4288
  • C:\Users\Admin\AppData\Local\0p2z\sdclt.exe
    C:\Users\Admin\AppData\Local\0p2z\sdclt.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:856
  • C:\Windows\system32\SystemPropertiesPerformance.exe
    C:\Windows\system32\SystemPropertiesPerformance.exe
    1⤵
    PID:3284
  • C:\Users\Admin\AppData\Local\dwTv\SystemPropertiesPerformance.exe
    C:\Users\Admin\AppData\Local\dwTv\SystemPropertiesPerformance.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:2496
  • C:\Users\Admin\AppData\Local\F1VHZ\OptionalFeatures.exe
    C:\Users\Admin\AppData\Local\F1VHZ\OptionalFeatures.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:392
  • C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
    1⤵
    PID:4632
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k UnistackSvcGroup
    1⤵
    PID:3248

Network

MITRE ATT&CK Enterprise v15

Downloads

            • C:\Users\Admin\AppData\Local\0p2z\WTSAPI32.dll

              Filesize

              66KB

              MD5

              f392fc7b9488c69211b3345bb09a088d

              SHA1

              22defe211b720986599d8606011b15a5d1fb3c56

              SHA256

              2e45eba40ce65c0e058fda982db1f39314a7ef136a99594a8adda5db39f72733

              SHA512

              9ac2028760d3ab17b872ba25c51dbf9c1f6c354035476c8cf7099f14b1177a7575bccf2793a8839f719215bc8a59df66dacf5ee60654d6168a985c1e06612717

            • C:\Users\Admin\AppData\Local\0p2z\WTSAPI32.dll

              Filesize

              52KB

              MD5

              34e57bafae0c49cd80f075b36372f33e

              SHA1

              94e7c85607b6daa3e5c3f925e269cbe8a0e58d0b

              SHA256

              35a441466aa17e7d6925a58067809a4525d2ea8be319b83c978bda068e4414db

              SHA512

              0165bf956a0da41e17c6a977ba68f80fbc29543d325c844e50acbb60e1a0e2bf93c630ae9a2a52deb5a1f9bcd05d135e7a207a6cd43f8c21a4b300eec1e1c149

            • C:\Users\Admin\AppData\Local\0p2z\sdclt.exe

              Filesize

              345KB

              MD5

              bee2b9320a12b32e08f6be8e3b501690

              SHA1

              7b1fa8fa04b7f740cc13bbe381833d1446795f1b

              SHA256

              a87533b814add5d8cb20ad07c49046721d8a201e635330902c9e74717e753837

              SHA512

              e228e43bd0887acb47af6e2fba0d40967f8f4ed661e8b43871915cfc2da8398e141eb16d085ffc26434925adaecc505fdd513976b83773a524bb6e9302f57aa6

            • C:\Users\Admin\AppData\Local\0p2z\sdclt.exe

              Filesize

              194KB

              MD5

              f15b88ea80441442ddc20635f134a286

              SHA1

              b642cffc9932cd8f21c5f79015eebea4495c9cd9

              SHA256

              b34bac9deb33f119c044c39bef743fd0a8b25a0dde3103a5277b73a67ca68b2a

              SHA512

              587ab788cbdd87dc6c25bd2b15aaca827342d759c4360b22c11a8c9da2fbd773df277fa85e379020ea333016568a3cbf26d74550ba5aa3d60c18b19a3ba405da

            • C:\Users\Admin\AppData\Local\F1VHZ\OptionalFeatures.exe

              Filesize

              64KB

              MD5

              ccb77de7fc80373670ad5b6909bc328c

              SHA1

              a7cd84914eb982a2762c56acc5f55350646a2030

              SHA256

              76e3b50a1e4497ab5e713d4a932e4152481840b1316a86d884a11ffc273ac5e4

              SHA512

              df410ebbe928ed1f6a35c09fe30e4e0cd24bc826fac585b387c8b8e55e1e28702435f4f9b1568fd8b43d90d254e92431bb0babdff77d689275e331ff91f29694

            • C:\Users\Admin\AppData\Local\F1VHZ\OptionalFeatures.exe

              Filesize

              34KB

              MD5

              b4fd8631d5d22c5949827b00b2aa0fd2

              SHA1

              487bcb33a7db1e75d6767b91471e56581b13070b

              SHA256

              1aa7d6e54fb487bee82e663acad8b7ff7ad8999985fa05ff14a56270e14233be

              SHA512

              95ab0ec59b253f4f979051711322ae8f00495d9bb08dcd4480475ab9474db959579ba245cc24ed96e2c3c19429dba2780fe26aae4073301c673fc8f6d5adcf65

            • C:\Users\Admin\AppData\Local\F1VHZ\appwiz.cpl

              Filesize

              73KB

              MD5

              9a1db82ee3994e92a5fd98a605e124e2

              SHA1

              0a525a63a56d3312fbf74003121a5133bf52ce33

              SHA256

              c653de50b15784f2723be8990fe9340fc0f1fe70320af2f11cb26418935779bd

              SHA512

              547f13da603dc166218d0ac39b9e288b6c031d5b49317b73b960a9703bd03993503acb184336f3091b20f34d264cdf31379a8674c36a6355b0c648362f775c9b

            • C:\Users\Admin\AppData\Local\F1VHZ\appwiz.cpl

              Filesize

              71KB

              MD5

              ba52e79913a7fd82e1c31fcdafa17b10

              SHA1

              4bdeffe109abe2ef513d8586832d26fd13d02266

              SHA256

              f78254132eaaac423188da551b4f52a16a3a0a2f4ce54c6dffa427737d3875f0

              SHA512

              042b60fe88303d63b629954b265ebb017b08f3f2ed8777da4d316c0ac65c4373f22f7cb4cdb95f02e9aad1d5d41dfbdc6b68d63da45ad67aa1ff9a3c5d9b4ad5

            • C:\Users\Admin\AppData\Local\dwTv\SYSDM.CPL

              Filesize

              149KB

              MD5

              008db85b1cbaa9fd6f37bcab0b100d9e

              SHA1

              d643cb700ab8b8612a1c78e926e284a7ac9b77e1

              SHA256

              c354d6eb5ddb91df8decaa84da31fced1174bd4955073503a95f4b5f0f112be4

              SHA512

              a3ea402314bbeae45119187ac561c372e83e7815f2588517aa7761be1f2842fecdf5ed959fd20d4ceb6133f9c8bff92bccd15d3544531773dc10e570ee868c47

            • C:\Users\Admin\AppData\Local\dwTv\SYSDM.CPL

              Filesize

              185KB

              MD5

              646cea338c8b39c63b12ef4f55c68bc7

              SHA1

              c2efd39bd114024cd83a7f6d301611981cc591fb

              SHA256

              cd7278233deb875805654e006bd1cc787ad5d0656aefede62af55b1028861cd1

              SHA512

              5910a6fe2db5d786aa14ee578186158f6f7084a04e6d2c6bba89615bddc2ff113a9443fee738c18855f5793772b3637db6a42ca45887c288352ca458d19b09d5

            • C:\Users\Admin\AppData\Local\dwTv\SystemPropertiesPerformance.exe

              Filesize

              82KB

              MD5

              e4fbf7cab8669c7c9cef92205d2f2ffc

              SHA1

              adbfa782b7998720fa85678cc85863b961975e28

              SHA256

              b266318d45a4245556a2e39b763f2f11eca780969105f6f103e53dd0a492bb30

              SHA512

              c5c62578d04133352d6cb7b018df96a7b55c18d6111ab8bf2bfe232a3315a63b07047fa5b0b88551d152085776c66169b47566242c8c4c5e0333c55adc64e1b6

            • C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Security\6HDL\WTSAPI32.dll

              Filesize

              2.2MB

              MD5

              68306cd11ee5ed2a8021be7065890012

              SHA1

              e7b33e4d42790d07a3e8bf4c6ce641968938bf08

              SHA256

              79951f3d11a47777e33a50e5dc3a3c80a5d0d5c341435e371b81fe7bc24be6a6

              SHA512

              638375ca73172551d44c6f32290c44ff20b2816a151b78aedf01a409f5f328acefa365dd92e1445034712419e1a0a4626e3203d03577add1099580dbddeb8cf3

            • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Aqwbkkvq.lnk

              Filesize

              1KB

              MD5

              1cb25593f5d8b79daf20d9e6dde59b1f

              SHA1

              8ee574b66c9d32b2f5292c8667a69b86d6269e09

              SHA256

              24a1b783f4032148ca2abfcf7558beabeefdeb62aee0647fef244ad09f94791d

              SHA512

              984064945696488a32e39b623673d38667ba9fe0abee025e01888e98e7942b2a195aa08946f04b6e38657e9406dea1c1fe708789066366674c63f6378686c24e

            • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\YpWRfm\appwiz.cpl

              Filesize

              34KB

              MD5

              a27bd4f099e29a79b536d9efedc4a501

              SHA1

              b5dda25f1c692033cc771c042fba85a5843a91b9

              SHA256

              e920d1963206a756292996b326fcbb7ca2a9cc5e0905ecd9329365ba4fce9015

              SHA512

              0ba0e57a55385276c4cbbf390d97f168ed1100a5c62991f139bb39b5c1d3da86e830b703fc72e87ac24b694ed91b6426f116f6fcbea564099214db67f28fdcea

            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\zxs0ONiO\SYSDM.CPL

              Filesize

              957KB

              MD5

              d8a95693d30c1a242e63679ce566875c

              SHA1

              af29b9a8a4ebdb9a9e6c129ed605a1daac162079

              SHA256

              03859996f4e90b11f513617d577cfc92335b8bb18f14ecffe12ab2e87c4f88e0

              SHA512

              4931c782e191d41f14c26e9c0b623aabf50a18677b66af78390ad68549322628585d797acc35d495d21c534b6b7ad4248c694c34eb7f35d91d02bb9ab8f595d5

            • memory/392-82-0x0000000140000000-0x0000000140233000-memory.dmp

              Filesize

              2.2MB

            • memory/392-76-0x000001CB79940000-0x000001CB79947000-memory.dmp

              Filesize

              28KB

            • memory/392-77-0x0000000140000000-0x0000000140233000-memory.dmp

              Filesize

              2.2MB

            • memory/856-93-0x0000025F059A0000-0x0000025F059A7000-memory.dmp

              Filesize

              28KB

            • memory/2496-110-0x0000025065F60000-0x0000025065F67000-memory.dmp

              Filesize

              28KB

            • memory/2548-6-0x0000000140000000-0x0000000140232000-memory.dmp

              Filesize

              2.2MB

            • memory/2548-1-0x0000000140000000-0x0000000140232000-memory.dmp

              Filesize

              2.2MB

            • memory/2548-0-0x0000024560BD0000-0x0000024560BD7000-memory.dmp

              Filesize

              28KB

            • memory/3480-26-0x0000000140000000-0x0000000140232000-memory.dmp

              Filesize

              2.2MB

            • memory/3480-55-0x0000000140000000-0x0000000140232000-memory.dmp

              Filesize

              2.2MB

            • memory/3480-38-0x0000000140000000-0x0000000140232000-memory.dmp

              Filesize

              2.2MB

            • memory/3480-40-0x0000000140000000-0x0000000140232000-memory.dmp

              Filesize

              2.2MB

            • memory/3480-39-0x0000000140000000-0x0000000140232000-memory.dmp

              Filesize

              2.2MB

            • memory/3480-37-0x0000000140000000-0x0000000140232000-memory.dmp

              Filesize

              2.2MB

            • memory/3480-36-0x0000000140000000-0x0000000140232000-memory.dmp

              Filesize

              2.2MB

            • memory/3480-35-0x0000000140000000-0x0000000140232000-memory.dmp

              Filesize

              2.2MB

            • memory/3480-33-0x0000000140000000-0x0000000140232000-memory.dmp

              Filesize

              2.2MB

            • memory/3480-28-0x0000000140000000-0x0000000140232000-memory.dmp

              Filesize

              2.2MB

            • memory/3480-23-0x0000000140000000-0x0000000140232000-memory.dmp

              Filesize

              2.2MB

            • memory/3480-22-0x0000000140000000-0x0000000140232000-memory.dmp

              Filesize

              2.2MB

            • memory/3480-21-0x0000000140000000-0x0000000140232000-memory.dmp

              Filesize

              2.2MB

            • memory/3480-20-0x0000000140000000-0x0000000140232000-memory.dmp

              Filesize

              2.2MB

            • memory/3480-4-0x0000000002A80000-0x0000000002A81000-memory.dmp

              Filesize

              4KB

            • memory/3480-41-0x0000000140000000-0x0000000140232000-memory.dmp

              Filesize

              2.2MB

            • memory/3480-42-0x0000000140000000-0x0000000140232000-memory.dmp

              Filesize

              2.2MB

            • memory/3480-43-0x0000000140000000-0x0000000140232000-memory.dmp

              Filesize

              2.2MB

            • memory/3480-44-0x0000000140000000-0x0000000140232000-memory.dmp

              Filesize

              2.2MB

            • memory/3480-47-0x0000000140000000-0x0000000140232000-memory.dmp

              Filesize

              2.2MB

            • memory/3480-48-0x0000000002AB0000-0x0000000002AB7000-memory.dmp

              Filesize

              28KB

            • memory/3480-46-0x0000000140000000-0x0000000140232000-memory.dmp

              Filesize

              2.2MB

            • memory/3480-45-0x0000000140000000-0x0000000140232000-memory.dmp

              Filesize

              2.2MB

            • memory/3480-34-0x0000000140000000-0x0000000140232000-memory.dmp

              Filesize

              2.2MB

            • memory/3480-56-0x00007FFE4C300000-0x00007FFE4C310000-memory.dmp

              Filesize

              64KB

            • memory/3480-65-0x0000000140000000-0x0000000140232000-memory.dmp

              Filesize

              2.2MB

            • memory/3480-67-0x0000000140000000-0x0000000140232000-memory.dmp

              Filesize

              2.2MB

            • memory/3480-32-0x0000000140000000-0x0000000140232000-memory.dmp

              Filesize

              2.2MB

            • memory/3480-31-0x0000000140000000-0x0000000140232000-memory.dmp

              Filesize

              2.2MB

            • memory/3480-27-0x0000000140000000-0x0000000140232000-memory.dmp

              Filesize

              2.2MB

            • memory/3480-30-0x0000000140000000-0x0000000140232000-memory.dmp

              Filesize

              2.2MB

            • memory/3480-29-0x0000000140000000-0x0000000140232000-memory.dmp

              Filesize

              2.2MB

            • memory/3480-25-0x0000000140000000-0x0000000140232000-memory.dmp

              Filesize

              2.2MB

            • memory/3480-24-0x0000000140000000-0x0000000140232000-memory.dmp

              Filesize

              2.2MB

            • memory/3480-19-0x0000000140000000-0x0000000140232000-memory.dmp

              Filesize

              2.2MB

            • memory/3480-18-0x0000000140000000-0x0000000140232000-memory.dmp

              Filesize

              2.2MB

            • memory/3480-17-0x0000000140000000-0x0000000140232000-memory.dmp

              Filesize

              2.2MB

            • memory/3480-12-0x0000000140000000-0x0000000140232000-memory.dmp

              Filesize

              2.2MB

            • memory/3480-16-0x0000000140000000-0x0000000140232000-memory.dmp

              Filesize

              2.2MB

            • memory/3480-11-0x0000000140000000-0x0000000140232000-memory.dmp

              Filesize

              2.2MB

            • memory/3480-15-0x0000000140000000-0x0000000140232000-memory.dmp

              Filesize

              2.2MB

            • memory/3480-14-0x0000000140000000-0x0000000140232000-memory.dmp

              Filesize

              2.2MB

            • memory/3480-13-0x0000000140000000-0x0000000140232000-memory.dmp

              Filesize

              2.2MB

            • memory/3480-10-0x0000000140000000-0x0000000140232000-memory.dmp

              Filesize

              2.2MB

            • memory/3480-9-0x00007FFE4AB8A000-0x00007FFE4AB8B000-memory.dmp

              Filesize

              4KB

            • memory/3480-8-0x0000000140000000-0x0000000140232000-memory.dmp

              Filesize

              2.2MB

            • memory/3480-7-0x0000000140000000-0x0000000140232000-memory.dmp

              Filesize

              2.2MB