Analysis

  • max time kernel
    85s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20-01-2024 07:08

General

  • Target

    69cd7320b88e1819f445bb8db3d0e43f.dll

  • Size

    1.7MB

  • MD5

    69cd7320b88e1819f445bb8db3d0e43f

  • SHA1

    5564a3813c18c1a44a3808c4f148ff3cace908c7

  • SHA256

    bcdd2a40691235cb270bc9cdcf08b99de975ddb77896eb02fd19508fdd2a57d5

  • SHA512

    9d357c5c0f48eac03bd63dbed69bf075054401a629e0ecd467a7a6ff6cbaa9081d90bcecb0c755361c3f0774ce43abd64463aad3230d5ba156af814e57735611

  • SSDEEP

    12288:6VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:nfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\69cd7320b88e1819f445bb8db3d0e43f.dll,#1
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2120
  • C:\Users\Admin\AppData\Local\Lzbkz\osk.exe
    C:\Users\Admin\AppData\Local\Lzbkz\osk.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:3092
  • C:\Windows\system32\osk.exe
    C:\Windows\system32\osk.exe
    PID:2344
  • C:\Windows\system32\sethc.exe
    C:\Windows\system32\sethc.exe
    PID:1604
  • C:\Windows\system32\MoUsoCoreWorker.exe
    C:\Windows\system32\MoUsoCoreWorker.exe
    PID:4336
  • C:\Users\Admin\AppData\Local\Y4KQ\MoUsoCoreWorker.exe
    C:\Users\Admin\AppData\Local\Y4KQ\MoUsoCoreWorker.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:4296
  • C:\Users\Admin\AppData\Local\gxRt\sethc.exe
    C:\Users\Admin\AppData\Local\gxRt\sethc.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:1400
  • C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
    PID:2400
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k UnistackSvcGroup
    PID:2396

Network

MITRE ATT&CK Enterprise v15


Downloads

            • C:\Users\Admin\AppData\Local\Lzbkz\WINMM.dll

              Filesize

              70KB

              MD5

              f826f65f2088358e8b2ef4644f5d5f48

              SHA1

              fb2edbdbecd12878340c1b7863bfbb7d257193b4

              SHA256

              1689525d877bc827595ffff7006f625b23265fc74a768ec61e3e4dc71b711323

              SHA512

              a185bce98d2bb459abaafeec196388e78cfc78ae1ad23881bdb8ac54db73af0a4a732bdf34a333b6dafe21905464e2ed25ccdf23a263364f0e7aaca43f18ad9f

            • C:\Users\Admin\AppData\Local\Lzbkz\WINMM.dll

              Filesize

              64KB

              MD5

              ad9266b679ec3582d0055010373a9449

              SHA1

              345590b88092cdfe7e320a85b831fcbe5e552048

              SHA256

              937dd979e88970ff8bbb42e6de23ac9f21611c1febcf52e0ec8b03a276efa687

              SHA512

              285293dfa23b5cb943d19f02fe587990dd530f850a1eba024b402ca8a30ffd16d407407d5c9ec21a3576795c538557c07b6ddab9059d9d77c2f7b145b7bcac86

            • C:\Users\Admin\AppData\Local\Lzbkz\osk.exe

              Filesize

              59KB

              MD5

              eb9834aac2bbe2ddef192b48524e4cff

              SHA1

              efbbd4188cfde1fcd5467f72e41fb71b144fe32c

              SHA256

              fcd3e1a94e38c73a79971e1ad1800b83fc1e5347f42908825286fa4ee70730d5

              SHA512

              e75dc02d047405662bd64c5c398509226f11b33906e347e4029eb1d2b397421f7d3ddc6cba8c3eced336fbaafa8c2160d5e746368e7100f826688c89a90df0d8

            • C:\Users\Admin\AppData\Local\Lzbkz\osk.exe

              Filesize

              69KB

              MD5

              c0d2d20dd90155ec20f1b11d8a953e4d

              SHA1

              e624108769e7a4878d7171e2ef76cbb0a43749a2

              SHA256

              5219a12c59203e4cb917d6db28b8ac0d572e7465c6dc738f024b5f36654cbdbd

              SHA512

              04961a07b755fc8b974e84bbed3aceae71fc42e22f82dbd679327536a0fcce2b80a9ebf7a0af148e4f2a46002062f5a4bd00c43052536bc51347bdae8a87687d

            • C:\Users\Admin\AppData\Local\Y4KQ\MoUsoCoreWorker.exe

              Filesize

              127KB

              MD5

              18820593b885bbc1225acdfd0206969a

              SHA1

              74e25ede6adc6629eda39f5135f26578df89e64d

              SHA256

              811a4df6ef3bfdb4e4b2c0fbe239d1c64a4552a4f8c8678cdd60710f07229335

              SHA512

              4e05870fe73d32275e8b8c674a3d2ee9f8aca5a28d63b3ed56e3556556ea72445baf6786e715b5909662ad3eac4e4e63600043eea9021582c524ed0ac550fc79

            • C:\Users\Admin\AppData\Local\Y4KQ\MoUsoCoreWorker.exe

              Filesize

              98KB

              MD5

              f01b4344b00b31823a90118cb2a4c344

              SHA1

              2f30c9de63a981837243d9b03797d52a18ed12ab

              SHA256

              f0d68c1bb662400760955515e4fe3492950aeca704484df45b596d123ae1c2e5

              SHA512

              8091818b8cd58793c7e649a7e83ade6a6c57fd72814693526cb96813b2359def75699ef7c913ea0f2f35ce49a3f71b5db42a4d182f1ad850608c9e0a8eecac4c

            • C:\Users\Admin\AppData\Local\Y4KQ\XmlLite.dll

              Filesize

              120KB

              MD5

              de49b3f11039816deee8f19b490a2ad1

              SHA1

              c9551ee59b4bb8108b0bff66a534cb141c482a47

              SHA256

              e75b494e0b082f90868b04f244a1822c247f7e4dab6fe4b3a084975a987609c3

              SHA512

              c3188c5d13270d8bd2af8b2467893e53de69ac412c0afd98f8eb43be3e5e3ffc0707938886a06dde6459eee15cd0ae927eec5d1c8adf6dfd73d28a9bc31ea483

            • C:\Users\Admin\AppData\Local\Y4KQ\XmlLite.dll

              Filesize

              56KB

              MD5

              44b53a7697ece831827ede0c8b51cebe

              SHA1

              36cf15f16948832c204a2aafb561651019f1185e

              SHA256

              e9f36dcce374a22cf5d31eca269babd1636b5fc917b2fccd89c6a4913cfbb2ca

              SHA512

              d3f517fd181587d1fd1ec9d2ec8ea74b769658fe221ed45a3e79fb586bac2c8d851af3f486171df013a386e2d0f6eeb84e38a0f9777752146ea6887bc900c3f3

            • C:\Users\Admin\AppData\Local\gxRt\DUI70.dll

              Filesize

              23KB

              MD5

              54e15f9b03ad4ca2fba2639485375705

              SHA1

              e7331b9fa82bd62d2ce68aedc9849c64a7877760

              SHA256

              07660569c989c6e78b848690e61dee24a83c1b38b8493f81ca9f2e108972a24e

              SHA512

              c16c52c138dbab43af328ec1573dd957ee7f7aa66043558638a5f26c27742909b7e64d76bafe40ded077f143dfba39dd704b617d078910110297cc41903bbf5e

            • C:\Users\Admin\AppData\Local\gxRt\DUI70.dll

              Filesize

              4KB

              MD5

              e7e12578ce6e5b94b152b634b39b75ac

              SHA1

              960a3977ca4baecb55a142c2521f815c60a3b2e9

              SHA256

              257533265ea1d65e50c76559f1ec8ec096d42c25b0ebf84de0f3fcba53df8c55

              SHA512

              83aab61a34b1bf388fd60f90487366c36e9ff8b6aad7291f6d0e8d886c9ffbcd136b68e0a143e4c2c239be9698ace851deb5424f49596ae2fdb9cb5b5f94d9b8

            • C:\Users\Admin\AppData\Local\gxRt\sethc.exe

              Filesize

              104KB

              MD5

              8ba3a9702a3f1799431cad6a290223a6

              SHA1

              9c7dc9b6830297c8f759d1f46c8b36664e26c031

              SHA256

              615b2f2d7e3fce340839a9b54bdc3445eb2333d0fafee477d6113379e90935b8

              SHA512

              680c216d54f4fd2a14f0398e4461c8340ac15acdca75c36a42083625e1081d5e7d262c4c12296b6f21ba2f593f92816edf1c9a0cf4cbee23588e590713b87746

            • C:\Users\Admin\AppData\Local\gxRt\sethc.exe

              Filesize

              85KB

              MD5

              33c3a72395b0de30c1f0af7dc795f434

              SHA1

              d3a29603195fa85bf98ac0e26869b6b189c6b57d

              SHA256

              05af54cd21f22eecb5c1bdb24822f2ccfb5f3deec3c036fee16adccf46555fb7

              SHA512

              458403f9943fb3421e4b57f623338990d2ce71e63522f35e8f77f757229ef581e9fe606b066755b6a11f0dbabecd2b7f21bf909f92edef1a832d3787ced9a1d0

            • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Aqwbkkvq.lnk

              Filesize

              1KB

              MD5

              28e803b72f243d7ef4e105e8dbecd1b4

              SHA1

              40b0c302346fedfbc0b4946fb832385919c7c3c7

              SHA256

              86b3d956d0531563ed549e9bf2d18585b042ec6b3f1c31fb600fbd506957186d

              SHA512

              7cf7bb7b4c02354f3df1b4062c7a644a53d4b53ea436df8ec9e424bc7174619afb5b97852ac70ed7fe1d7fdce341792cee8be25562e0e123007a052c10dbea21

            • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\fbesmd\DUI70.dll

              Filesize

              2.0MB

              MD5

              3288ead7764e2685053cd5bda56ebf2e

              SHA1

              d0b35b0e5f3b1ebd555d8707bec3d9c9ef560dd8

              SHA256

              9a13291d39c26a2269d59044d72eef8e22b3800b0aa87ab524e693a628defb97

              SHA512

              04c8ab52779ce8ba8b82d4cc11ce0b3a6f4781db4bf9792d79e67ae3aa6682c7c4872e3e3fd86bcb02e6e0bb1abe79fa735a961b40154fcb7aeefd17bea3e719

            • C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Tg\XmlLite.dll

              Filesize

              1.7MB

              MD5

              577c6c11ec9b41e613f5a60c0edc09c3

              SHA1

              c6af2f166f135117b190f8c05b359ac0585674b4

              SHA256

              7aedf07eba199ee4869d0593dde40b02b6b085fd781372692b38c5efe6140f39

              SHA512

              6b5cd4749d4cc6b9346217511d6823179e9bd399126849bcf6e4327113de76920958a051af7bda162369c8070df53c5639cdb059f67537ec60b8ffc4d5f76f33

            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\A7\WINMM.dll

              Filesize

              84KB

              MD5

              389d8d5fc28377883482fcee982a9ff0

              SHA1

              7ff45a6d754d257e09f9a1a8cd43918dc27346f6

              SHA256

              8df16900f6d3119cbe26bed37fe7f98e2751b3d7b30639b59ff053a9a6f27715

              SHA512

              ce7f24d02084d8ba5740ea8f6aaa4657361825e78d4f4897f1492491fcfb0ae88f4c67361ed86f622ae7e08e1e4822d1c02ac891c898941bacf7af04ddd319ac
