Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19-01-2024 12:26

General

  • Target

    679f5677802f338adc80c1c2058b5f66.dll

  • Size

    1.4MB

  • MD5

    679f5677802f338adc80c1c2058b5f66

  • SHA1

    de3198e8574810a74dea319fa5f3646b2ed05b64

  • SHA256

    7c001fa46c93bc6147cf0e2fafbbf52213c1ec82788aa9bba51c89bb12cfe90f

  • SHA512

    1720b8eb1a8c1f0d35519c30089acf516f79bb4071636862b53d47a97a79f650dff53f823a7209a6099b884b4f898eedd1a7747d5b00fc21d268e8cd5561e11d

  • SSDEEP

    12288:SVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:PfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a banking trojan that specializes in stealing bank credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex payload shellcode injected into the Explorer process.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\679f5677802f338adc80c1c2058b5f66.dll,#1
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1464
  • C:\Windows\system32\ApplySettingsTemplateCatalog.exe
    C:\Windows\system32\ApplySettingsTemplateCatalog.exe
    PID:1676
  • C:\Users\Admin\AppData\Local\QNNvZfuco\ApplySettingsTemplateCatalog.exe
    C:\Users\Admin\AppData\Local\QNNvZfuco\ApplySettingsTemplateCatalog.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:3412
  • C:\Windows\system32\sethc.exe
    C:\Windows\system32\sethc.exe
    PID:2436
  • C:\Users\Admin\AppData\Local\HTwag5\sethc.exe
    C:\Users\Admin\AppData\Local\HTwag5\sethc.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:2728
  • C:\Users\Admin\AppData\Local\en22fNB\tabcal.exe
    C:\Users\Admin\AppData\Local\en22fNB\tabcal.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:2632
  • C:\Windows\system32\tabcal.exe
    C:\Windows\system32\tabcal.exe
    PID:4736

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\HTwag5\WTSAPI32.dll
    Filesize
      356KB
    MD5
      1c1107814d82a3f3ba82ba95d9c60eca
    SHA1
      66bf60f13c3ded04fb23eb168e3a771419b74442
    SHA256
      b5bec599c8da823e2af5c087c8699082e626517873a3dab44444d9fbf0373118
    SHA512
      aea7e47beb949643dbbc25312a3b9c5af10749518d06a4fd1219ddde5a8824c2f6af67b518868da6565631a70d45d0a638242be107627eeaee0367527f39eaeb

  • C:\Users\Admin\AppData\Local\HTwag5\WTSAPI32.dll
    Filesize
      71KB
    MD5
      4c75ac5aa4a75031a82271edce2eef6c
    SHA1
      e75379bfaf1f878db99fd4c82dddbe3df22788b5
    SHA256
      59e9399a6b29085e52b49da9bfcf62281d7c60b8d92796099781f07542249ebe
    SHA512
      5af000cbc9f3a437b91bb28c61f1220bff1f180e7d9a1deba5ab9c233486cc2da980a00942ee19b9d1f5fb6454024340a5ddba0681c9dec1c66208e35de1d5b5

  • C:\Users\Admin\AppData\Local\HTwag5\sethc.exe
    Filesize
      32KB
    MD5
      aba93ed9e6da337d5caee9e9f80f29be
    SHA1
      a335c586269150fd3d29e0cd171cd5691d705e15
    SHA256
      8e4fbe4538ebd10c2c89086a402c47f06c4adfd4e7ddc0017e3ea7d510f905dd
    SHA512
      05d65a609b44ecc911136c7dcb82e2268c4efbafaf7da82380c28c40321319598f09b403ea88a31e82f472fc430ffd3eb40a0ff38f75bb6675045fccd255b452

  • C:\Users\Admin\AppData\Local\HTwag5\sethc.exe
    Filesize
      104KB
    MD5
      8ba3a9702a3f1799431cad6a290223a6
    SHA1
      9c7dc9b6830297c8f759d1f46c8b36664e26c031
    SHA256
      615b2f2d7e3fce340839a9b54bdc3445eb2333d0fafee477d6113379e90935b8
    SHA512
      680c216d54f4fd2a14f0398e4461c8340ac15acdca75c36a42083625e1081d5e7d262c4c12296b6f21ba2f593f92816edf1c9a0cf4cbee23588e590713b87746

  • C:\Users\Admin\AppData\Local\QNNvZfuco\ACTIVEDS.dll
    Filesize
      171KB
    MD5
      325fa416133e1e14fe5441f075a35cc1
    SHA1
      54b24f13f59071c63d9fcc1d912606e4a7a21967
    SHA256
      a9ac63f061321e3e413e91f77090ac7e87b031d1d77caef63c946b517fe8b367
    SHA512
      58ebd959eaa0d5824e2f213787e7e3c308b1722286f44d0b062f924e22dcdc7d126d1bf425af81c4dfcfbc280b272c6ee5233e3c9a2d75128464d6ec8c40e3f3

  • C:\Users\Admin\AppData\Local\QNNvZfuco\ACTIVEDS.dll
    Filesize
      188KB
    MD5
      da7d1f1dc3aaab1f000783953c8aa08f
    SHA1
      7ea8732f4ab4997c8c87a5142df97fe585db8bde
    SHA256
      4289e1cc5f2531d603aad24d3027c3f777f8620eef5d4ea80ce532c1b76a32da
    SHA512
      50826711bd164718f09bc0450560ef088d34347bd27a77d3fcf7513aeebd658c269e89e88be695b6159a44c965dca369d61b3c22b7945b1294a82524288d8cc6

  • C:\Users\Admin\AppData\Local\QNNvZfuco\ApplySettingsTemplateCatalog.exe
    Filesize
      146KB
    MD5
      316bbaa0117d44ce14e7cd4c000d2428
    SHA1
      ef66833c7330c7729d368d110634d1f76c74b998
    SHA256
      4128e5563e8b4ce9a6a30328d71d2a4f238a277daf45ae082d0d18752a9b69f4
    SHA512
      eb1b1388f63a36e9ae2e424a5242bb4d0a6ac9de485f9043ebda761c20d12e5c941dc2dd57c09a237827a85e1b88fd81cd8875ad978d66d8c675ce7232d9d0d4

  • C:\Users\Admin\AppData\Local\QNNvZfuco\ApplySettingsTemplateCatalog.exe
    Filesize
      162KB
    MD5
      3f27b721c7e7870cb40c1ec0f997224c
    SHA1
      f8a78cf1938152c4df78454b8a1a389ce0411ca9
    SHA256
      034f998ac524218d17b86bf81e892966447092244d7ed30cebd4848d42b2c899
    SHA512
      c828a9c44fe3d869adcc23f46ea2d907333701f6e1c4233f2855ea5cad68790dc563b6cc8b143603f0eb5991e68ba078fddc3e9b2af1728691d67decdea6697b

  • C:\Users\Admin\AppData\Local\en22fNB\HID.DLL
    Filesize
      217KB
    MD5
      4322fcf6c9a23e0b889f976174f5c015
    SHA1
      9e02717c3832e9e9aba1626b439d0326ece7c4a6
    SHA256
      eefa1811c620649000235ef56e13656b65a28e6f96b21e501f15b2775f0a3810
    SHA512
      f7bab958d67685d7bb5f0b6b6066c02659184ae0c8c5b3639fc7df66c606c17e1e176d81c5c8e540e1153c7368424899e5ec4c810698877abae749f3d209abc8

  • C:\Users\Admin\AppData\Local\en22fNB\HID.DLL
    Filesize
      216KB
    MD5
      f6017d0075d381999cf42698e11c002d
    SHA1
      d9a9b6d72a860dfae96a2a7b16c28e39afef0a5d
    SHA256
      d12f226e9ac69176db6d11832bfcb84dab8f9beb88c176bb96f04014433acffe
    SHA512
      da07e0978435134a18b8a9fd4d13b40d41c7b97825ad16c45e52757a2e3d2b5f5646a809388930941314afd5bdf893ccb7cb5bb733bfb4f7f1f07e4c2134958b

  • C:\Users\Admin\AppData\Local\en22fNB\tabcal.exe
    Filesize
      47KB
    MD5
      e75adfa2851fbf03872b1a9a03a8b1d2
    SHA1
      9c034b78c38d5d427fddda86add013d42ee9a2a5
    SHA256
      ab09bc72563a36c18530b352635d2fb5f9ed9fae441fae2beb6dd43094296d89
    SHA512
      f699f0aa9330ef83f2c2a9ff58f8316cf9995cca5cf631dd4d34d0463872a84a34c37c66ebc00148a49038573c3a68ccf604fed0ccbcf02b3fcd7d182f36f8d4

  • C:\Users\Admin\AppData\Local\en22fNB\tabcal.exe
    Filesize
      65KB
    MD5
      5ea1c4b6483e5aee6814b0c618d44198
    SHA1
      d69cd6ca1f87b187c1086636ad973f9f2c2bf59b
    SHA256
      0571d4f3c324c77001e5cadd0edeb67dac9b6e2e76df706dc5c56a8d3c8d0b42
    SHA512
      b120ed6c8c4fcfacfb18c3d9db7d915b14eeb50330828af80e4d550b34dd9b9472f496cb0989bfc6920e562c8220efff1f986b4809738198071baf7749757bf2

  • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Psfjn.lnk
    Filesize
      1KB
    MD5
      14b38ccacc7f0b5b4b3bb3bcd377c140
    SHA1
      d6e5e0d4479be673fea4156bce156a6b0c5482d9
    SHA256
      48d9850121b5fabf4e39e5475e2b2fbed8a104c4587ed5d2ede2536ba4add6c6
    SHA512
      cec918f4a515c2c5d7ad53190fa1b18c2bff5e08576e1195c1c2689a8f9c538a4621367f0e0635297a2a4a9b14971b4a7fad7abe5420ef1eb9c50c8d2ea22e0c

  • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\mnePMDrjDP\WTSAPI32.dll
    Filesize
      1.4MB
    MD5
      82917f9e379775da1e30fe09c399295e
    SHA1
      cafa98ba66f58b7ae9260581e6c051449b60ad20
    SHA256
      6bea71b8a2923305d1f9e51c73e368cd4d3bad173939807106b8579089dfb45d
    SHA512
      3727ea0fbed3806ea9e890daf088c86cc51686c8fa589b0ac7d23f408c5f286254c516623fd31bd0976dc8e90295feef585c3b1a6fc8117a5bbab8f7fb96539e

  • C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\aEo3fsR\HID.DLL
    Filesize
      1.4MB
    MD5
      56536a0576a6ab9e746b4c822289e737
    SHA1
      5118f82864fa704b10ac70665f18032a44896e2f
    SHA256
      053006215532c7ab560c1dd64516627dcfa818c6da8161dcc4a66cbd680b4973
    SHA512
      acbdf51de02ec85d98770ba479e14834a5dcab7e665cbc24039822a9cf90ef4228187e01e1157856ab2d1768659c111a57340f058ea4fc2204c49b2dc903b939

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\pAs2YrOylhZ\ACTIVEDS.dll
    Filesize
      1.4MB
    MD5
      36c62a133f4e01088753797f2f22d2f6
    SHA1
      79ac7f6096a91f8a76b769dc36a584c804f7c418
    SHA256
      dfdbd24d6dc6e3a6d4817bf268caf22862c72381fc2cb3a69d200bdadb713fef
    SHA512
      70d69d1e2a0eb45a1dee73557064270a4c4893a01aa4e7fb9f5d8fda5ff06ebdfd337c2439186b66fb0bc2ef1770aa612929f36a52a347a72fb7fa305d50cd3f
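The process tree and the dropped-file paths above together show the loader's side-loading layout: an EXE carrying the name of a System32 binary (ApplySettingsTemplateCatalog.exe, sethc.exe, tabcal.exe) is written to a randomly named directory under %LOCALAPPDATA% next to a DLL carrying a Windows system DLL name (ACTIVEDS.dll, WTSAPI32.dll, HID.DLL) and is then executed from there, so the DLL is resolved from the EXE's own directory before System32. Two details are worth keeping as they appear in the report: the same path is listed more than once with different sizes and hashes, and each hash set is an IoC in its own right; and the three 1.4MB DLLs under %APPDATA%\Roaming match the submitted DLL's size but none of its hashes. The script below is an added example written for this page, not part of the sandbox report or of the sample; it runs three checks (side-load layout, rundll32 ordinal-export launch, System32-named image run from a user profile) over the report's own command lines and dropped-file paths, embedded as constructed input. The SYSTEM32_IMAGES allow-list is an assumption seeded only from the System32 paths visible in this report.

```python
import re
from collections import defaultdict

# Dropped-file paths and process command lines copied from the report,
# embedded as constructed input so the checks run offline.
DROPPED_FILES = [
    r"C:\Users\Admin\AppData\Local\HTwag5\WTSAPI32.dll",
    r"C:\Users\Admin\AppData\Local\HTwag5\sethc.exe",
    r"C:\Users\Admin\AppData\Local\QNNvZfuco\ACTIVEDS.dll",
    r"C:\Users\Admin\AppData\Local\QNNvZfuco\ApplySettingsTemplateCatalog.exe",
    r"C:\Users\Admin\AppData\Local\en22fNB\HID.DLL",
    r"C:\Users\Admin\AppData\Local\en22fNB\tabcal.exe",
    r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Psfjn.lnk",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\mnePMDrjDP\WTSAPI32.dll",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\aEo3fsR\HID.DLL",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\pAs2YrOylhZ\ACTIVEDS.dll",
]

PROCESSES = [
    (1464, r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\679f5677802f338adc80c1c2058b5f66.dll,#1"),
    (1676, r"C:\Windows\system32\ApplySettingsTemplateCatalog.exe"),
    (3412, r"C:\Users\Admin\AppData\Local\QNNvZfuco\ApplySettingsTemplateCatalog.exe"),
    (2436, r"C:\Windows\system32\sethc.exe"),
    (2728, r"C:\Users\Admin\AppData\Local\HTwag5\sethc.exe"),
    (2632, r"C:\Users\Admin\AppData\Local\en22fNB\tabcal.exe"),
    (4736, r"C:\Windows\system32\tabcal.exe"),
]

# Assumption: image names that legitimately live in System32. Seeded only
# from the System32 paths in this report; in production, build it from a
# golden-image inventory.
SYSTEM32_IMAGES = {"applysettingstemplatecatalog.exe", "sethc.exe", "tabcal.exe"}

# rundll32 launch that names the export by ordinal: "<dll>,#<n>"
RUNDLL32_ORDINAL = re.compile(r"rundll32(?:\.exe)?\s+(?P<dll>\S+?\.dll),#(?P<ordinal>\d+)", re.I)


def split_path(path):
    """Lower-cased (directory, basename) of a Windows path or command line."""
    directory, _, name = path.rpartition("\\")
    return directory.lower(), name.lower()


def under_windows_dir(directory):
    return directory.startswith("c:\\windows")


def find_sideload_candidates(dropped):
    """(directory, exe, [dlls]) for every directory outside C:\\Windows that
    holds an EXE named like a System32 binary next to at least one DLL.
    The copied host EXE resolves its imports from its own directory before
    System32, so this layout is the DLL search-order hijack (side-loading)."""
    by_dir = defaultdict(list)
    for p in dropped:
        directory, name = split_path(p)
        by_dir[directory].append(name)
    hits = []
    for directory, names in sorted(by_dir.items()):
        if under_windows_dir(directory):
            continue
        dlls = sorted(n for n in names if n.endswith(".dll"))
        for exe in sorted(n for n in names if n in SYSTEM32_IMAGES):
            if dlls:
                hits.append((directory, exe, dlls))
    return hits


def rundll32_ordinal_exports(processes):
    """(pid, dll, ordinal) for rundll32 launches that call an export by
    ordinal from a DLL under C:\\Users. Named exports are the norm for
    legitimate rundll32 use; an ordinal call on a DLL in a user profile
    path is a loader trait worth alerting on."""
    hits = []
    for pid, cmdline in processes:
        m = RUNDLL32_ORDINAL.search(cmdline)
        if m and "\\users\\" in m["dll"].lower():
            hits.append((pid, m["dll"], int(m["ordinal"])))
    return hits


def system_images_run_from_user_dirs(processes):
    """(pid, command line) where the image basename matches a System32
    binary but the image is run from outside C:\\Windows."""
    hits = []
    for pid, cmdline in processes:
        directory, name = split_path(cmdline)
        if name in SYSTEM32_IMAGES and not under_windows_dir(directory):
            hits.append((pid, cmdline))
    return hits


if __name__ == "__main__":
    for directory, exe, dlls in find_sideload_candidates(DROPPED_FILES):
        print(f"side-load layout: {directory}\\{exe} beside {', '.join(dlls)}")
    for pid, dll, ordinal in rundll32_ordinal_exports(PROCESSES):
        print(f"PID {pid}: rundll32 calls export #{ordinal} of {dll}")
    for pid, cmdline in system_images_run_from_user_dirs(PROCESSES):
        print(f"PID {pid}: System32-named image run from user profile: {cmdline}")
```

On this report's data the first check returns the three directories HTwag5, QNNvZfuco and en22fNB with their EXE/DLL pairs, the second flags PID 1464 (export #1 of the submitted DLL from %TEMP%), and the third flags PIDs 3412, 2728 and 2632; the System32-resident copies (PIDs 1676, 2436, 4736) are not flagged, which is the point of keying on the directory rather than the image name alone.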

  Memory dumps (name as PID-index, captured region, size)

  Dump              Region                                    Size
  memory/1464-0     0x0000000140000000-0x000000014016A000     1.4MB
  memory/1464-1     0x0000000140000000-0x000000014016A000     1.4MB
  memory/1464-2     0x000002362FB10000-0x000002362FB17000     28KB
  memory/1464-36    0x0000000140000000-0x000000014016A000     1.4MB
  memory/2632-80    0x0000000140000000-0x000000014016B000     1.4MB
  memory/2632-83    0x0000024ED4960000-0x0000024ED4967000     28KB
  memory/2632-87    0x0000000140000000-0x000000014016B000     1.4MB
  memory/2728-98    0x0000000140000000-0x000000014016B000     1.4MB
  memory/2728-100   0x0000023F77B70000-0x0000023F77B77000     28KB
  memory/2728-105   0x0000000140000000-0x000000014016B000     1.4MB
  memory/3412-61    0x0000000140000000-0x000000014016B000     1.4MB
  memory/3412-64    0x000001CF89580000-0x000001CF89587000     28KB
  memory/3412-67    0x0000000140000000-0x000000014016B000     1.4MB
  memory/3440-5     0x0000000003EB0000-0x0000000003EB1000     4KB
  memory/3440-7     0x0000000140000000-0x000000014016A000     1.4MB
  memory/3440-8     0x0000000140000000-0x000000014016A000     1.4MB
  memory/3440-9     0x0000000140000000-0x000000014016A000     1.4MB
  memory/3440-10    0x00007FFE284FA000-0x00007FFE284FB000     4KB
  memory/3440-11    0x0000000140000000-0x000000014016A000     1.4MB
  memory/3440-12    0x0000000140000000-0x000000014016A000     1.4MB
  memory/3440-13    0x0000000140000000-0x000000014016A000     1.4MB
  memory/3440-14    0x0000000140000000-0x000000014016A000     1.4MB
  memory/3440-15    0x0000000140000000-0x000000014016A000     1.4MB
  memory/3440-16    0x0000000140000000-0x000000014016A000     1.4MB
  memory/3440-17    0x0000000140000000-0x000000014016A000     1.4MB
  memory/3440-18    0x0000000140000000-0x000000014016A000     1.4MB
  memory/3440-19    0x0000000140000000-0x000000014016A000     1.4MB
  memory/3440-20    0x0000000140000000-0x000000014016A000     1.4MB
  memory/3440-21    0x0000000140000000-0x000000014016A000     1.4MB
  memory/3440-22    0x0000000140000000-0x000000014016A000     1.4MB
  memory/3440-23    0x0000000140000000-0x000000014016A000     1.4MB
  memory/3440-24    0x0000000140000000-0x000000014016A000     1.4MB
  memory/3440-25    0x0000000140000000-0x000000014016A000     1.4MB
  memory/3440-26    0x0000000140000000-0x000000014016A000     1.4MB
  memory/3440-27    0x0000000140000000-0x000000014016A000     1.4MB
  memory/3440-28    0x0000000140000000-0x000000014016A000     1.4MB
  memory/3440-29    0x0000000140000000-0x000000014016A000     1.4MB
  memory/3440-30    0x0000000140000000-0x000000014016A000     1.4MB
  memory/3440-31    0x0000000140000000-0x000000014016A000     1.4MB
  memory/3440-32    0x0000000002410000-0x0000000002417000     28KB
  memory/3440-40    0x0000000140000000-0x000000014016A000     1.4MB
  memory/3440-41    0x00007FFE287C0000-0x00007FFE287D0000     64KB
  memory/3440-50    0x0000000140000000-0x000000014016A000     1.4MB
  memory/3440-52    0x0000000140000000-0x000000014016A000     1.4MB
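Read together with the process tree, the memory dump names carry two facts a responder wants. The same 1.4MB mapping at 0x0000000140000000 was dumped from five PIDs (with a one-page size difference between the submitted DLL's mapping, ending at 0x14016A000 in PIDs 1464 and 3440, and the dropped DLLs' mapping, ending at 0x14016B000 in PIDs 3412, 2728 and 2632). And PID 3440 has dumps but no entry in the Processes section, which is consistent with the "Dridex Shellcode" signature (shellcode injected into the Explorer process) and the WriteProcessMemory IoCs; the report does not itself name PID 3440's image. The script below is an added example written for this page, not part of the report; it parses dump names of the report's form, groups address ranges that recur across processes, and lists PIDs that appear only in memory. The dump list is a constructed subset of the table above (the 27 snapshots of PID 3440's 0x140000000 region are represented by one entry) and the process-tree PID set is copied from the Processes section.

```python
import re
from collections import defaultdict

# Dump names in the report's form (constructed subset of the table above:
# the repeated snapshots of PID 3440's 0x140000000 region are represented
# by memory/3440-7 alone).
MEMORY_DUMPS = """
memory/1464-0-0x0000000140000000-0x000000014016A000-memory.dmp
memory/1464-1-0x0000000140000000-0x000000014016A000-memory.dmp
memory/1464-2-0x000002362FB10000-0x000002362FB17000-memory.dmp
memory/1464-36-0x0000000140000000-0x000000014016A000-memory.dmp
memory/2632-80-0x0000000140000000-0x000000014016B000-memory.dmp
memory/2632-83-0x0000024ED4960000-0x0000024ED4967000-memory.dmp
memory/2632-87-0x0000000140000000-0x000000014016B000-memory.dmp
memory/2728-98-0x0000000140000000-0x000000014016B000-memory.dmp
memory/2728-100-0x0000023F77B70000-0x0000023F77B77000-memory.dmp
memory/2728-105-0x0000000140000000-0x000000014016B000-memory.dmp
memory/3412-61-0x0000000140000000-0x000000014016B000-memory.dmp
memory/3412-64-0x000001CF89580000-0x000001CF89587000-memory.dmp
memory/3412-67-0x0000000140000000-0x000000014016B000-memory.dmp
memory/3440-5-0x0000000003EB0000-0x0000000003EB1000-memory.dmp
memory/3440-7-0x0000000140000000-0x000000014016A000-memory.dmp
memory/3440-10-0x00007FFE284FA000-0x00007FFE284FB000-memory.dmp
memory/3440-32-0x0000000002410000-0x0000000002417000-memory.dmp
memory/3440-41-0x00007FFE287C0000-0x00007FFE287D0000-memory.dmp
"""

# PIDs listed in the Processes section of the report.
PROCESS_TREE_PIDS = {1464, 1676, 3412, 2436, 2728, 2632, 4736}

DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp"
)


def parse_dumps(text):
    """Return (pid, index, start, end) for every well-formed dump name."""
    out = []
    for token in text.split():
        m = DUMP_RE.fullmatch(token)
        if m:
            out.append((int(m["pid"]), int(m["idx"]), int(m["start"], 16), int(m["end"], 16)))
    return out


def shared_regions(dumps, min_pids=2):
    """Address ranges dumped from at least min_pids distinct processes.
    The same range at the same address in several processes is the
    footprint of one module mapped at a fixed base in each of them."""
    pids_by_region = defaultdict(set)
    for pid, _idx, start, end in dumps:
        pids_by_region[(start, end)].add(pid)
    return sorted(
        (region, sorted(pids)) for region, pids in pids_by_region.items() if len(pids) >= min_pids
    )


def pids_only_in_memory(dumps, tree_pids):
    """PIDs with memory dumps but no process-tree entry: the sample did not
    spawn them, so its code reached a process that already existed (cf. the
    WriteProcessMemory and Dridex Shellcode signatures in this report)."""
    return sorted({pid for pid, *_ in dumps} - set(tree_pids))


def region_size(region):
    start, end = region
    return end - start


def report(dumps, tree_pids):
    """Human-readable summary lines for the two findings above."""
    lines = []
    for region, pids in shared_regions(dumps):
        lines.append(
            f"0x{region[0]:016X}-0x{region[1]:016X} ({region_size(region) // 1024} KB) in PIDs {pids}"
        )
    for pid in pids_only_in_memory(dumps, tree_pids):
        lines.append(f"PID {pid} has dumps but is absent from the process tree")
    return lines


if __name__ == "__main__":
    print("\n".join(report(parse_dumps(MEMORY_DUMPS), PROCESS_TREE_PIDS)))
```

The grouping key is the exact (start, end) pair, which is deliberately strict: a module relocated to a different base in one process would not be grouped with the others, and that is itself worth noticing, since 0x140000000 recurring unchanged across every process here means the module was mapped at the same base each time.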