Analysis

  • max time kernel: 150s
  • max time network: 121s
  • platform: windows10-2004_x64
  • resource: win10v2004-20231215-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 19-01-2024 15:40

General

  • Target: 6800149dece7def1ad1cd84f715f4837.dll
  • Size: 1.7MB
  • MD5: 6800149dece7def1ad1cd84f715f4837
  • SHA1: 640fca273f248d6a72d3265dea4a3f774c6aa64f
  • SHA256: b0d4e0d901760c1879169db38ef00435f986e19dda97a46b8797d55e379eb1ac
  • SHA512: f93a6f187f01bdac3af4abda5a11d040f4633296db46cbf2d19eb22c0e369129939e3d5aeaef5f67b44b9140fb13ad6971df7847c78a975cc86259e336da50e2
  • SSDEEP: 12288:bVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:6fP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode (1 IoC)

    Detects Dridex payload shellcode injected into the Explorer process.

  • Drops startup file (3 IoCs)
  • Executes dropped EXE (3 IoCs)
  • Loads dropped DLL (3 IoCs)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Checks whether UAC is enabled (1 TTP, 4 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of AdjustPrivilegeToken (8 IoCs)
  • Suspicious use of FindShellTrayWindow (2 IoCs)
  • Suspicious use of UnmapMainImage (1 IoC)
  • Suspicious use of WriteProcessMemory (12 IoCs)
  • Uses Task Scheduler COM API (1 TTP)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\6800149dece7def1ad1cd84f715f4837.dll,#1
    PID: 1956
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
  • C:\Windows\system32\bdechangepin.exe
    C:\Windows\system32\bdechangepin.exe
    PID: 2140
    • C:\Users\Admin\AppData\Local\bmk\phoneactivate.exe
      C:\Users\Admin\AppData\Local\bmk\phoneactivate.exe
      PID: 4104
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
    • C:\Windows\system32\phoneactivate.exe
      C:\Windows\system32\phoneactivate.exe
      PID: 2528
      • C:\Users\Admin\AppData\Local\dOQmhEld\bdechangepin.exe
        C:\Users\Admin\AppData\Local\dOQmhEld\bdechangepin.exe
        PID: 1628
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
      • C:\Windows\system32\DWWIN.EXE
        C:\Windows\system32\DWWIN.EXE
        PID: 4504
        • C:\Users\Admin\AppData\Local\CiCbzs\DWWIN.EXE
          C:\Users\Admin\AppData\Local\CiCbzs\DWWIN.EXE
          PID: 1836
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\CiCbzs\DWWIN.EXE (47KB)
  • C:\Users\Admin\AppData\Local\CiCbzs\DWWIN.EXE (84KB)
  • C:\Users\Admin\AppData\Local\CiCbzs\wer.dll (109KB)
  • C:\Users\Admin\AppData\Local\CiCbzs\wer.dll (12KB)
  • C:\Users\Admin\AppData\Local\bmk\SLC.dll (73KB)
  • C:\Users\Admin\AppData\Local\bmk\SLC.dll (70KB)
  • C:\Users\Admin\AppData\Local\bmk\phoneactivate.exe (36KB)
  • C:\Users\Admin\AppData\Local\bmk\phoneactivate.exe (75KB)
  • C:\Users\Admin\AppData\Local\dOQmhEld\DUI70.dll (104KB)
  • C:\Users\Admin\AppData\Local\dOQmhEld\DUI70.dll (42KB)
  • C:\Users\Admin\AppData\Local\dOQmhEld\bdechangepin.exe (143KB)
  • C:\Users\Admin\AppData\Local\dOQmhEld\bdechangepin.exe (113KB)
  • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Psfjn.lnk (1KB)
  • C:\Users\Admin\AppData\Roaming\Microsoft\AddIns\gGXcOXyJ\DUI70.dll (317KB)
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\ULxm\wer.dll (226KB)
  • C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\xU\SLC.dll (71KB)
