Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20-01-2024 01:00

General

  • Target

    6913c976717f771261d42365e9ed8940.dll

  • Size

    2.5MB

  • MD5

    6913c976717f771261d42365e9ed8940

  • SHA1

    de6623f60ec96e264ee873aaf2ceeacf81313405

  • SHA256

    f3ca4c539c12c3d56e02f61e3aa2def83515305b89bcbe17274ac895313ad46a

  • SHA512

    68ee9ec13b10596eb96f2fb0a0b66a93149c49ac922aff3830ff81234af5f6b8c4326aa188c3f26a43809d10f2cb40da40e7d01957459526b858ce5a21b3a934

  • SSDEEP

    24576:zfP7fWsK5z9A+WGAW+V5SB6Ct4bnbcs+:DDW/e+WG0Vo6CtSn

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing banking credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex payload shellcode injected into the Explorer process.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\6913c976717f771261d42365e9ed8940.dll,#1
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2364
  • C:\Windows\system32\wscript.exe
    C:\Windows\system32\wscript.exe
    PID:4180
  • C:\Users\Admin\AppData\Local\j72g\wscript.exe
    C:\Users\Admin\AppData\Local\j72g\wscript.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:4404
  • C:\Windows\system32\FileHistory.exe
    C:\Windows\system32\FileHistory.exe
    PID:2808
  • C:\Users\Admin\AppData\Local\HhFcEWh\FileHistory.exe
    C:\Users\Admin\AppData\Local\HhFcEWh\FileHistory.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:1920
  • C:\Windows\system32\RdpSaUacHelper.exe
    C:\Windows\system32\RdpSaUacHelper.exe
    PID:1628
  • C:\Users\Admin\AppData\Local\wEeE7UHW\RdpSaUacHelper.exe
    C:\Users\Admin\AppData\Local\wEeE7UHW\RdpSaUacHelper.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:2740

Each of the three dropped hosts is a legitimate Windows executable (wscript.exe, FileHistory.exe, RdpSaUacHelper.exe) that is first launched from System32 and then run again from a randomly named folder under %LOCALAPPDATA% (j72g, HhFcEWh, wEeE7UHW). The Downloads section shows that each of those folders also holds a DLL carrying the name of a system library (VERSION.dll, UxTheme.dll, WINSTA.dll); the copied host resolves that name from its own directory before System32, the standard DLL search-order hijack, which is what the "Loads dropped DLL" signature records. The tree lists no parent for these launches, and the memory dumps below include PID 3368, which is absent from the tree; together with the "Dridex Shellcode" signature for code injected into explorer.exe, the injected Explorer instance is the likely launcher. The 2.5MB regions at 0x140000000 in PIDs 2364, 3368 and 4404 match the size of the submitted DLL, i.e. the payload image mapped at the default x64 image base in each of those processes.
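Detection logic for the process tree above, as an added example that is not part of the sandbox report: it applies two rules to process-creation records constructed from the PIDs and command lines listed here. The record fields (pid, image, command_line) and the alert wording are assumptions; map them to whatever your EDR or Sysmon Event ID 1 export provides.

```python
"""Flag the side-loading pattern from the Processes section in process-creation
telemetry. Added example, not part of the sandbox report: the records in
SAMPLE_EVENTS are constructed from the PIDs and command lines listed above,
and the field names (pid, image, command_line) are assumptions, not a real
EDR/Sysmon schema."""
import ntpath
import re
from dataclasses import dataclass

# Directories from which Windows system binaries legitimately run.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Signed hosts abused in this run; extend with other commonly side-loaded binaries.
SIDELOAD_HOSTS = {"wscript.exe", "filehistory.exe", "rdpsauachelper.exe"}
# rundll32 calling an export by ordinal (",#1") on a DLL given by path.
RUNDLL32_ORDINAL = re.compile(r"rundll32(?:\.exe)?\s+(?P<dll>\S+\.dll),#\d+", re.I)


@dataclass
class ProcEvent:
    pid: int
    image: str          # full path of the new process image
    command_line: str


def split_path(path: str) -> tuple[str, str]:
    """Lower-cased (directory, file name) of a Windows path."""
    return ntpath.split(path.lower())


def in_system_dir(path: str) -> bool:
    return split_path(path)[0] in SYSTEM_DIRS


def in_user_writable_dir(path: str) -> bool:
    """Per-user locations the dropper used: %LOCALAPPDATA% (incl. Temp) and %APPDATA%."""
    d = split_path(path)[0] + "\\"
    return "\\appdata\\local\\" in d or "\\appdata\\roaming\\" in d


def check_event(ev: ProcEvent) -> list[str]:
    """Return the alerts raised by one process-creation record."""
    alerts = []
    d, name = split_path(ev.image)
    # Rule 1: a system binary running from outside the system directories
    # (side-loading host, T1574.002; masquerading, T1036.005).
    if name in SIDELOAD_HOSTS and not in_system_dir(ev.image):
        alerts.append(f"pid {ev.pid}: {name} started from non-system path {d}")
    # Rule 2: rundll32 invoking an ordinal export of a DLL in a per-user
    # directory, the sample's own entry point (Temp\<md5>.dll,#1).
    m = RUNDLL32_ORDINAL.search(ev.command_line)
    if m and in_user_writable_dir(m.group("dll")):
        alerts.append(f"pid {ev.pid}: rundll32 ordinal call on user-writable DLL {m.group('dll')}")
    return alerts


def scan(events: list[ProcEvent]) -> list[str]:
    return [a for ev in events for a in check_event(ev)]


# Constructed from the Processes section; the System32 launches are the
# benign-looking baseline and must not fire.
SAMPLE_EVENTS = [
    ProcEvent(2364, r"C:\Windows\system32\rundll32.exe",
              r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\6913c976717f771261d42365e9ed8940.dll,#1"),
    ProcEvent(4180, r"C:\Windows\system32\wscript.exe", r"C:\Windows\system32\wscript.exe"),
    ProcEvent(4404, r"C:\Users\Admin\AppData\Local\j72g\wscript.exe",
              r"C:\Users\Admin\AppData\Local\j72g\wscript.exe"),
    ProcEvent(2808, r"C:\Windows\system32\FileHistory.exe", r"C:\Windows\system32\FileHistory.exe"),
    ProcEvent(1920, r"C:\Users\Admin\AppData\Local\HhFcEWh\FileHistory.exe",
              r"C:\Users\Admin\AppData\Local\HhFcEWh\FileHistory.exe"),
    ProcEvent(1628, r"C:\Windows\system32\RdpSaUacHelper.exe", r"C:\Windows\system32\RdpSaUacHelper.exe"),
    ProcEvent(2740, r"C:\Users\Admin\AppData\Local\wEeE7UHW\RdpSaUacHelper.exe",
              r"C:\Users\Admin\AppData\Local\wEeE7UHW\RdpSaUacHelper.exe"),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Rule 1 keys on the image path, not the parent process, because the report does not record the parent for the copied hosts; if your telemetry includes the loaded-module list, pairing the host with a sibling VERSION.dll/UxTheme.dll/WINSTA.dll load from the same directory is the stronger signal.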

Network

MITRE ATT&CK Enterprise v15


Downloads

        • C:\Users\Admin\AppData\Local\HhFcEWh\FileHistory.exe

          Filesize

          76KB

          MD5

          6fff8baa880c9fe7f4444fd7ae9c7663

          SHA1

          918a6474d9e9df22c00be6f5b528c47dbbcbf4e9

          SHA256

          774efb39deba8ecf1cb96e3f7b35ab12e7ac8284136e7398213f7004d48ebc6d

          SHA512

          c715b8cc14c620451eabdb65b8a01f2d4c5996831a7aa299902619ae7aefbb54ff63997c68f304e719dfb872a94a375ab026a0398545c86ddcb4bee3c36ba068

        • C:\Users\Admin\AppData\Local\HhFcEWh\FileHistory.exe

          Filesize

          199KB

          MD5

          71c68c1755a51168a641b72db88e21f0

          SHA1

          753b07aa014cad800684e28656044b4c8ebf5e7d

          SHA256

          62231cb8fa31621b1672fd9c3365005143ba2b839bb3ecf1aa389a4fd1e780e2

          SHA512

          c5a4b2068a10f773169557d64f4f5351ad617f973b3ae62c226b392fd13143e143be8bf3eff0dda5bc40ed25a3b115c830939b60b8453f95a5faa16bab0f551c

        • C:\Users\Admin\AppData\Local\HhFcEWh\UxTheme.dll

          Filesize

          143KB

          MD5

          c0e2989a972a0fd1d863741a30c8d16a

          SHA1

          4629c7156e11c138a8df21343498a5d88d4db6d8

          SHA256

          2dcb4f1052cad7d06e2f9a467a238befb230ab769c948b75a0272cbe7dca85b7

          SHA512

          90d2b252c4ad761f02f80b34bc2203733bc10418c591bcf82b8cb2a5c261fe82d6850e8431f5ad02e470ba55c1dd659f99a10ff9afde7f30ea2b7188339d26c7

        • C:\Users\Admin\AppData\Local\HhFcEWh\UxTheme.dll

          Filesize

          136KB

          MD5

          e0a462cbc5d21ecbe2c1ed4cd4d00fe4

          SHA1

          73e86bccfcd35662d4ad390617bde1eb4cb30c35

          SHA256

          b256e55e0e5a2b76867661090fd0bca5e0b8b74bb9dd8dadae86b1bdd9e3f52b

          SHA512

          86eed1fcf56fb48ac300973e9ad6d6fb90a436c74e85552b3f2b53d067e983c781e5e156cf670f04611eb61f0ca8bb4e825446a8af8f69826cfd2b0480a18dbc

        • C:\Users\Admin\AppData\Local\j72g\VERSION.dll

          Filesize

          11KB

          MD5

          f860d9536a778bd6847453c8dff01b33

          SHA1

          6982321f1ee69078ff24b6dbf1ff673183bb296b

          SHA256

          d6e6faad725b215cd10aa1b31727a6a0bc474cd8702b71e1480e8afceb6b5ac7

          SHA512

          c185e4f53a7f2c85e0035191aceee6585af7b750df5dbceafbdf93d099b258a25af9a45998fc2f34545cd9504a70f4bce5fd405e2230afadcbcb166e0069c575

        • C:\Users\Admin\AppData\Local\j72g\VERSION.dll

          Filesize

          11KB

          MD5

          33cfc1a00fd09b900c9ca572409494ba

          SHA1

          448741a0dda54d729b7925ce0b10a7398c7eeba1

          SHA256

          2b56731e4390c3d88821cb3c20057219cf9e3d1a2affad8ae9c4470993d103dc

          SHA512

          b880b4ac89ca6fae9e448070d40d0212350d47e43aece4670817e9b27624ffd16f4f18de879947493eb55680454bbf7a81bc1ab60c9f3923e94e4e2369295344

        • C:\Users\Admin\AppData\Local\j72g\wscript.exe

          Filesize

          13KB

          MD5

          13551f0e862ff11791f590fbfb6c168f

          SHA1

          4bc640fc6714ac477a52409085988eeea3111a7a

          SHA256

          d7ca3b728722ae4e2b1cc75b689b989f4938c2f333f8715bb5931743368d2156

          SHA512

          a4ec387c4755c26921e241e5fedc3f8f94a611c91c849e630383761bc431e4657095d0b6900e6d8e5826b6b38cd73ab39f7e66cca7c1cd90243bc1c3ea028a56

        • C:\Users\Admin\AppData\Local\wEeE7UHW\RdpSaUacHelper.exe

          Filesize

          33KB

          MD5

          0d5b016ac7e7b6257c069e8bb40845de

          SHA1

          5282f30e90cbd1be8da95b73bc1b6a7d041e43c2

          SHA256

          6a6fdd834af9c79c5ffc5e6b51700030259aeae535f8626df84b07b7d2cee067

          SHA512

          cd44d8b70fc67c692e6966b4ad86a7de9c96df0bade1b3a80cb4767be159d64f3cc04dc5934f7d843b15101865089e43b8aecabddc370b22caf0c48b56b3430e

        • C:\Users\Admin\AppData\Local\wEeE7UHW\WINSTA.dll

          Filesize

          206KB

          MD5

          1466064bbfdff42e043f14a00f4cb2f6

          SHA1

          d119cf2d43815d2fc9fafcae94e26736ab821153

          SHA256

          ba47d9b2408117b7f48abadd4ff36f20a7358dfb34d9db221a28c3c9111cf3b8

          SHA512

          71808dcb377ebda24d4914e4351649ba8b1ebd26887c5a620bbfea74717dcbfb1ac3ea9d9d9211966bb26bbb75c70e3ce3ebf89559efd55af488226691df3f8d

        • C:\Users\Admin\AppData\Local\wEeE7UHW\WINSTA.dll

          Filesize

          113KB

          MD5

          0bc6f42d8f922c774b7ee4d90d99cfd9

          SHA1

          16e71eb1bd9a777875f3c45fcf2f0c9580691e21

          SHA256

          6520e561cf1f811574e23922f559e580742407796caf1c5100c55639b2e79a7e

          SHA512

          10fcd908d21cb225dda27e3809dd69c0e4582f74ed5ea5f2fba8b8bfe47125582b4d650c6ce1b2c2e282f7aadb64f0929a8247ad649ac8e21b31f281d0f73485

        • C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\UbAqzoaRr\UxTheme.dll

          Filesize

          2.5MB

          MD5

          aa8f6f8e186b92078204d1cb5c1459b0

          SHA1

          fe520c2e4e9eac5e73dd09ce0757a75281c5f32f

          SHA256

          c0c038a51c9d7c53ce5dfd505c421bc92e7931cd201a5374c6cae3965c0780cb

          SHA512

          67ee8c0e59f00584501afee58b10e3d466bb1d110b85fa2ac98f0e4befe0d4b8a039ddf2ceec52b5bbf16cfbd17ecaf1aab7fc3503e5e410e6825c72731c9644

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dvizybqqo.lnk

          Filesize

          1KB

          MD5

          1084a0430bc74734cb9de98d321905f2

          SHA1

          bfe1d4da7470285f2597a9ee9fac717743718aa0

          SHA256

          685120edca3b6d6c6ed9866ebf8a591fab07a77dfe22d436f2d10bb5f84dce58

          SHA512

          e22ba8da75c090b1b305a48e9fb9121a17c1c88417b1bad65e5ba2fc20ff9e6c60ad024501f6f446c9631e72ebc15ef0f3815496efd48505ae20fa8e758e502d

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\cl\WINSTA.dll

          Filesize

          2.5MB

          MD5

          de56ccf2370e278c425c1585c3cfa7d5

          SHA1

          20b97859173fc6b89997501d29b800acf4579c8c

          SHA256

          07a2781482a4cc8e88fc4eb4189be00dc1cf7d7f05d52f9257865a35a8e2a7bc

          SHA512

          9ae0e3b0227ed95b28254b52cb972408e2a79011b0b230a530e9b3d2af3b70b55dbe71bacc986f2599e29aa1c81be78fb74ceddd9d2a671bb9d2a3acbb610d1f

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\D3S4bU\VERSION.dll

          Filesize

          2.5MB

          MD5

          8469e2e301699c9872ab52a393213a8d

          SHA1

          c0e3f6110939983923ca9958fd0171f52ab99d7b

          SHA256

          3f7df7b9d11eb43a173a4d5aef3003004c2e89071b7148495f2cf4ba689521ab

          SHA512

          8add8e569aa0c97a76a4cdaed6dc59c0ae28c1461157b92678fe77e5d4bf99cf47204f6ac8913f723fe3a2ed7e29d7d5f34f109ebef7e40eb4f97f9eca709853

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\D3S4bU\wscript.exe

          Filesize

          166KB

          MD5

          a47cbe969ea935bdd3ab568bb126bc80

          SHA1

          15f2facfd05daf46d2c63912916bf2887cebd98a

          SHA256

          34008e2057df8842df210246995385a0441dc1e081d60ad15bd481e062e7f100

          SHA512

          f5c81e6dc4d916944304fc85136e1ff6dee29a21e50a54fe6280a475343eccbfe094171d62475db5f38e07898c061126158c34d48b9d8f4f57f76d49e564e3fc

        • memory/1920-93-0x0000020E92940000-0x0000020E92947000-memory.dmp

          Filesize

          28KB

        • memory/2364-8-0x0000000140000000-0x000000014028A000-memory.dmp

          Filesize

          2.5MB

        • memory/2364-0-0x000001E65DDB0000-0x000001E65DDB7000-memory.dmp

          Filesize

          28KB

        • memory/2364-1-0x0000000140000000-0x000000014028A000-memory.dmp

          Filesize

          2.5MB

        • memory/2740-110-0x0000025AD1DF0000-0x0000025AD1DF7000-memory.dmp

          Filesize

          28KB

        • memory/3368-20-0x0000000140000000-0x000000014028A000-memory.dmp

          Filesize

          2.5MB

        • memory/3368-38-0x0000000140000000-0x000000014028A000-memory.dmp

          Filesize

          2.5MB

        • memory/3368-25-0x0000000140000000-0x000000014028A000-memory.dmp

          Filesize

          2.5MB

        • memory/3368-26-0x0000000140000000-0x000000014028A000-memory.dmp

          Filesize

          2.5MB

        • memory/3368-27-0x0000000140000000-0x000000014028A000-memory.dmp

          Filesize

          2.5MB

        • memory/3368-29-0x0000000140000000-0x000000014028A000-memory.dmp

          Filesize

          2.5MB

        • memory/3368-28-0x0000000140000000-0x000000014028A000-memory.dmp

          Filesize

          2.5MB

        • memory/3368-32-0x0000000140000000-0x000000014028A000-memory.dmp

          Filesize

          2.5MB

        • memory/3368-30-0x0000000140000000-0x000000014028A000-memory.dmp

          Filesize

          2.5MB

        • memory/3368-31-0x0000000140000000-0x000000014028A000-memory.dmp

          Filesize

          2.5MB

        • memory/3368-34-0x0000000140000000-0x000000014028A000-memory.dmp

          Filesize

          2.5MB

        • memory/3368-35-0x0000000140000000-0x000000014028A000-memory.dmp

          Filesize

          2.5MB

        • memory/3368-37-0x0000000140000000-0x000000014028A000-memory.dmp

          Filesize

          2.5MB

        • memory/3368-39-0x0000000140000000-0x000000014028A000-memory.dmp

          Filesize

          2.5MB

        • memory/3368-40-0x0000000140000000-0x000000014028A000-memory.dmp

          Filesize

          2.5MB

        • memory/3368-41-0x0000000140000000-0x000000014028A000-memory.dmp

          Filesize

          2.5MB

        • memory/3368-43-0x0000000140000000-0x000000014028A000-memory.dmp

          Filesize

          2.5MB

        • memory/3368-45-0x0000000140000000-0x000000014028A000-memory.dmp

          Filesize

          2.5MB

        • memory/3368-47-0x0000000140000000-0x000000014028A000-memory.dmp

          Filesize

          2.5MB

        • memory/3368-48-0x0000000002920000-0x0000000002927000-memory.dmp

          Filesize

          28KB

        • memory/3368-46-0x0000000140000000-0x000000014028A000-memory.dmp

          Filesize

          2.5MB

        • memory/3368-55-0x0000000140000000-0x000000014028A000-memory.dmp

          Filesize

          2.5MB

        • memory/3368-56-0x00007FFBCABC0000-0x00007FFBCABD0000-memory.dmp

          Filesize

          64KB

        • memory/3368-44-0x0000000140000000-0x000000014028A000-memory.dmp

          Filesize

          2.5MB

        • memory/3368-42-0x0000000140000000-0x000000014028A000-memory.dmp

          Filesize

          2.5MB

        • memory/3368-24-0x0000000140000000-0x000000014028A000-memory.dmp

          Filesize

          2.5MB

        • memory/3368-36-0x0000000140000000-0x000000014028A000-memory.dmp

          Filesize

          2.5MB

        • memory/3368-33-0x0000000140000000-0x000000014028A000-memory.dmp

          Filesize

          2.5MB

        • memory/3368-65-0x0000000140000000-0x000000014028A000-memory.dmp

          Filesize

          2.5MB

        • memory/3368-67-0x0000000140000000-0x000000014028A000-memory.dmp

          Filesize

          2.5MB

        • memory/3368-23-0x0000000140000000-0x000000014028A000-memory.dmp

          Filesize

          2.5MB

        • memory/3368-22-0x0000000140000000-0x000000014028A000-memory.dmp

          Filesize

          2.5MB

        • memory/3368-21-0x0000000140000000-0x000000014028A000-memory.dmp

          Filesize

          2.5MB

        • memory/3368-4-0x0000000002960000-0x0000000002961000-memory.dmp

          Filesize

          4KB

        • memory/3368-7-0x0000000140000000-0x000000014028A000-memory.dmp

          Filesize

          2.5MB

        • memory/3368-9-0x0000000140000000-0x000000014028A000-memory.dmp

          Filesize

          2.5MB

        • memory/3368-19-0x0000000140000000-0x000000014028A000-memory.dmp

          Filesize

          2.5MB

        • memory/3368-18-0x0000000140000000-0x000000014028A000-memory.dmp

          Filesize

          2.5MB

        • memory/3368-17-0x0000000140000000-0x000000014028A000-memory.dmp

          Filesize

          2.5MB

        • memory/3368-16-0x0000000140000000-0x000000014028A000-memory.dmp

          Filesize

          2.5MB

        • memory/3368-15-0x0000000140000000-0x000000014028A000-memory.dmp

          Filesize

          2.5MB

        • memory/3368-14-0x0000000140000000-0x000000014028A000-memory.dmp

          Filesize

          2.5MB

        • memory/3368-13-0x0000000140000000-0x000000014028A000-memory.dmp

          Filesize

          2.5MB

        • memory/3368-6-0x00007FFBC930A000-0x00007FFBC930B000-memory.dmp

          Filesize

          4KB

        • memory/3368-12-0x0000000140000000-0x000000014028A000-memory.dmp

          Filesize

          2.5MB

        • memory/3368-11-0x0000000140000000-0x000000014028A000-memory.dmp

          Filesize

          2.5MB

        • memory/3368-10-0x0000000140000000-0x000000014028A000-memory.dmp

          Filesize

          2.5MB

        • memory/4404-81-0x0000000140000000-0x000000014028B000-memory.dmp

          Filesize

          2.5MB

        • memory/4404-77-0x0000000140000000-0x000000014028B000-memory.dmp

          Filesize

          2.5MB

        • memory/4404-76-0x00000179B7AE0000-0x00000179B7AE7000-memory.dmp

          Filesize

          28KB
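A file-system hunt for the dropped-file layout in the Downloads list, as an added example that is not part of the report. It flags the layout rather than relying on hashes alone, because the three 2.5MB payload copies under Start Menu\Programs (UxTheme.dll, WINSTA.dll, VERSION.dll) all carry different hashes despite matching the submitted DLL's size, so exact-hash IOCs only catch the small loader components. The hashes in KNOWN_SHA256 are copied from this page; the profile root, the finding labels and the build_sample_profile()/demo() helpers (which create a placeholder copy of the layout in a temporary directory) are assumptions for the example.

```python
"""Hunt a user profile for the dropped-file layout in the Downloads section.
Added example, not part of the sandbox report. Layout, file names and the
hashes in KNOWN_SHA256 come from this page; the profile root, the finding
labels and the build_sample_profile()/demo() helpers are assumptions."""
import hashlib
import tempfile
from pathlib import Path

# Exact-hash IOCs for the small loader components (the three 2.5MB payload
# copies all have different hashes in this run, so they are left to the
# layout rules below).
KNOWN_SHA256 = {
    "d7ca3b728722ae4e2b1cc75b689b989f4938c2f333f8715bb5931743368d2156",  # j72g\wscript.exe
    "6a6fdd834af9c79c5ffc5e6b51700030259aeae535f8626df84b07b7d2cee067",  # wEeE7UHW\RdpSaUacHelper.exe
    "685120edca3b6d6c6ed9866ebf8a591fab07a77dfe22d436f2d10bb5f84dce58",  # Startup\Dvizybqqo.lnk
}
SIDELOAD_HOSTS = {"wscript.exe", "filehistory.exe", "rdpsauachelper.exe"}
HIJACKED_DLLS = {"version.dll", "uxtheme.dll", "winsta.dll"}
START_MENU_PROGRAMS = Path("AppData/Roaming/Microsoft/Windows/Start Menu/Programs")
STARTUP_DIR = START_MENU_PROGRAMS / "Startup"


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def is_under(rel: Path, base: Path) -> bool:
    """Case-insensitive 'rel starts with base' on path components."""
    n = len(base.parts)
    return [p.lower() for p in rel.parts[:n]] == [p.lower() for p in base.parts]


def hunt(profile_root, iocs=frozenset(KNOWN_SHA256)):
    """Return (label, relative posix path) findings for one user profile."""
    root = Path(profile_root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root)
        rel_str = rel.as_posix()
        name = path.name.lower()
        in_appdata = "appdata" in [p.lower() for p in rel.parts]
        # System binary copied under AppData, plus any sibling DLL named like a
        # library it would import (the side-loading pair).
        if name in SIDELOAD_HOSTS and in_appdata:
            findings.append(("sideload_host", rel_str))
            for sib in path.parent.iterdir():
                if sib.is_file() and sib.name.lower() in HIJACKED_DLLS:
                    findings.append(("sideload_dll", sib.relative_to(root).as_posix()))
        # Shortcut in the per-user Startup folder (persistence; legitimate
        # shortcuts live here too, so treat it as context, not a verdict).
        if name.endswith(".lnk") and is_under(rel, STARTUP_DIR):
            findings.append(("startup_lnk", rel_str))
        # A DLL has no business under Start Menu\Programs; the payload copies sit there.
        if name.endswith(".dll") and is_under(rel, START_MENU_PROGRAMS):
            findings.append(("startmenu_dll", rel_str))
        if sha256_of(path) in iocs:
            findings.append(("hash_match", rel_str))
    return findings


def build_sample_profile(root: Path) -> None:
    """Constructed placeholder copy of the layout from the Downloads section;
    the bytes are not the real binaries."""
    for rel in (
        "AppData/Local/j72g/wscript.exe",
        "AppData/Local/j72g/VERSION.dll",
        "AppData/Local/HhFcEWh/FileHistory.exe",
        "AppData/Local/HhFcEWh/UxTheme.dll",
        "AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/Dvizybqqo.lnk",
        "AppData/Roaming/Microsoft/Windows/Start Menu/Programs/System Tools/cl/WINSTA.dll",
        "Documents/notes.txt",
    ):
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"constructed placeholder: " + rel.encode())


def demo() -> list:
    """Build the placeholder profile in a temp dir, add one constructed file's
    hash to the IOC set to exercise the hash rule, and run the hunt."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_profile(root)
        iocs = KNOWN_SHA256 | {sha256_of(root / "AppData/Local/j72g/wscript.exe")}
        return sorted(hunt(root, iocs))


if __name__ == "__main__":
    for label, rel in demo():
        print(f"{label:14} {rel}")
```

Point hunt() at a real profile (C:\Users\<name> on a live host or a mounted image) to use it outside the demo; the sideload_host and startmenu_dll labels are the ones worth an immediate look, while startup_lnk needs the shortcut's target resolved before it means anything.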