Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20-01-2024 10:27

General

  • Target

    6a2f78fd728fdf56e1674632e7f5a5ed.dll

  • Size

    1.5MB

  • MD5

    6a2f78fd728fdf56e1674632e7f5a5ed

  • SHA1

    ff8ef932fc913e7f6affbaf71c85ef9e39651c7b

  • SHA256

    7cdb42626487138e394194e7d97f06affc9a4cba685fca6d1a496bd1765140f9

  • SHA512

    355a81750538976caaac04368d5bcfe05f31f8e22cf993a45e8ba54e113770c16a4ee36cf57f1b7b625bbd5d02b8c8c7d5e70f330e7861907844496ed23a9a44

  • SSDEEP

    12288:lVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:8fP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat or Cridex) is malware that specializes in stealing banking credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex payload shellcode injected into the Explorer process.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\6a2f78fd728fdf56e1674632e7f5a5ed.dll,#1
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2496
  • C:\Windows\system32\perfmon.exe
    C:\Windows\system32\perfmon.exe
    PID:2540
  • C:\Users\Admin\AppData\Local\k2pQ\perfmon.exe
    C:\Users\Admin\AppData\Local\k2pQ\perfmon.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:4820
  • C:\Users\Admin\AppData\Local\xF7yl\AtBroker.exe
    C:\Users\Admin\AppData\Local\xF7yl\AtBroker.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:4844
  • C:\Users\Admin\AppData\Local\Aonz8\cmstp.exe
    C:\Users\Admin\AppData\Local\Aonz8\cmstp.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:2112
  • C:\Windows\system32\cmstp.exe
    C:\Windows\system32\cmstp.exe
    PID:4756
  • C:\Windows\system32\AtBroker.exe
    C:\Windows\system32\AtBroker.exe
    PID:4592
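
The process list above and the dropped-file paths in the Downloads section below share one layout: a binary that normally lives in C:\Windows\system32 (perfmon.exe, AtBroker.exe, cmstp.exe all also ran from there in this run) is copied into a randomly named folder under AppData\Local, and a DLL carrying the name of a Windows system library (VERSION.dll, credui.dll, UxTheme.dll) is written beside it. Because the application directory is searched before System32 for any name not on the KnownDLLs list, and none of these three is, the copied binary loads the dropped DLL; this is the classic DLL search-order hijack. The report itself records only "Executes dropped EXE" and "Loads dropped DLL" for these processes, so the side-loading reading is the editor's. The script below is an added example and not part of the sandbox output: it embeds the paths from this page as constructed input and flags the relocated system binaries, the DLLs dropped beside them, the Startup-folder shortcut (Wdush.lnk) and the system-library names staged in more than one folder. It uses only the Python standard library and runs on any OS because paths are handled with ntpath.

```python
"""Flag the DLL side-loading layout recorded in this report.

Added example, not part of the sandbox output. PROCESSES and DROPPED are
constructed from the paths on this page (each path once); the checks are
this example's own reading of them, not a signature the sandbox ran.
"""
import ntpath
from collections import defaultdict

# Process image paths copied from the report's process list.
PROCESSES = [
    r"C:\Windows\system32\rundll32.exe",
    r"C:\Windows\system32\perfmon.exe",
    r"C:\Users\Admin\AppData\Local\k2pQ\perfmon.exe",
    r"C:\Users\Admin\AppData\Local\xF7yl\AtBroker.exe",
    r"C:\Users\Admin\AppData\Local\Aonz8\cmstp.exe",
    r"C:\Windows\system32\cmstp.exe",
    r"C:\Windows\system32\AtBroker.exe",
]

# Dropped-file paths copied from the report's Downloads section.
DROPPED = [
    r"C:\Users\Admin\AppData\Local\Aonz8\VERSION.dll",
    r"C:\Users\Admin\AppData\Local\Aonz8\cmstp.exe",
    r"C:\Users\Admin\AppData\Local\k2pQ\credui.dll",
    r"C:\Users\Admin\AppData\Local\k2pQ\perfmon.exe",
    r"C:\Users\Admin\AppData\Local\xF7yl\AtBroker.exe",
    r"C:\Users\Admin\AppData\Local\xF7yl\UxTheme.dll",
    r"C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Collab\AYHA\UxTheme.dll",
    r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Wdush.lnk",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\CloudStore\TklFvL\credui.dll",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\ROMYIpv\VERSION.dll",
]


def _dir(path):
    """Lower-cased directory part, split with ntpath so this runs on any OS."""
    return ntpath.dirname(path).lower()


def _under_windows(path):
    return _dir(path).startswith("c:\\windows\\")


def relocated_system_binaries(processes):
    """Processes whose file name also ran from under C:\\Windows in the same
    report, but which themselves ran from a user-writable directory."""
    system_names = {ntpath.basename(p).lower() for p in processes if _under_windows(p)}
    return sorted(p for p in processes
                  if not _under_windows(p) and ntpath.basename(p).lower() in system_names)


def sideload_candidates(processes, dropped):
    """Map each relocated binary to the DLLs dropped into its directory.
    A DLL there shadows the System32 copy of the same name for that binary
    unless the name is on the KnownDLLs list (VERSION, credui and UxTheme are not)."""
    dlls_by_dir = defaultdict(set)
    for path in dropped:
        if path.lower().endswith(".dll"):
            dlls_by_dir[_dir(path)].add(path)
    return {exe: sorted(dlls_by_dir[_dir(exe)])
            for exe in relocated_system_binaries(processes)
            if dlls_by_dir.get(_dir(exe))}


def startup_persistence(dropped):
    """Shortcuts written into a Startup folder; the report shows Wdush.lnk
    under the 8.3 short path STARTM~1\\Programs\\Startup."""
    return [p for p in dropped
            if p.lower().endswith(".lnk") and "\\startup\\" in p.lower()]


def staged_dll_copies(dropped):
    """System-library DLL names written to more than one directory, which is
    the staging pattern to pull and diff first (in this report the Roaming
    copies are far larger than the Local ones)."""
    dirs = defaultdict(set)
    for path in dropped:
        if path.lower().endswith(".dll"):
            dirs[ntpath.basename(path).lower()].add(ntpath.dirname(path))
    return {name: sorted(d) for name, d in dirs.items() if len(d) > 1}


if __name__ == "__main__":
    for exe, dlls in sideload_candidates(PROCESSES, DROPPED).items():
        print("side-load candidate:", exe, "<-", ", ".join(dlls))
    for lnk in startup_persistence(DROPPED):
        print("startup persistence:", lnk)
    for name, dirs in staged_dll_copies(DROPPED).items():
        print("staged copies of", name, "in", len(dirs), "directories")
```

The relocated-binary check deliberately derives the set of "system" names from the same report rather than from a fixed list, so it also works on a report where the genuine System32 copy ran under a different name; on a live host you would replace that with a fixed list or an Authenticode check on the copied file.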

Network

MITRE ATT&CK Enterprise v15

Downloads

        • C:\Users\Admin\AppData\Local\Aonz8\VERSION.dll

          Filesize

          43KB

          MD5

          b90297b55e8f8c637eb7d69795195ab0

          SHA1

          1c9b28d28835dff3f0e0eb43f85ba1fa646289f1

          SHA256

          504cb151da1368d82c2ba240e157b8a86c98f40c63447227728f2e64caa8e237

          SHA512

          9ce702783670a58ff360afb1a32e7f2ce021a83ec063f7fe670b1a975bf31a1e7463551021cc1e24acc0c0103af956b4df9c127d167e4443c75052ed8eef3faa

        • C:\Users\Admin\AppData\Local\Aonz8\VERSION.dll

          Filesize

          83KB

          MD5

          584dfebea572ae3cf1b7e86444963dd0

          SHA1

          d6b00c19149cc1a46b5db72875b9aa578c853a53

          SHA256

          40d5f163eacb49949668fe59ef34c6d251f7e77d8d55ed7928fb40dfe0874ec7

          SHA512

          645864e6d6ca61b261d19bd76989a2091e672172a69332a587d6d38cfe54959a79afb7a61095e685448cfcb61c23139be8f8e26a416a734878dd227e75acbe2d

        • C:\Users\Admin\AppData\Local\Aonz8\VERSION.dll

          Filesize

          11KB

          MD5

          24b7cb24c31a13bc43668da56c5f4583

          SHA1

          6419166cecf5de471b2d07c6b43ec74be376089a

          SHA256

          85916e2a2cf525ed8d90f7886ac3be6a0d0b5f9230a5585cf0271014e247b462

          SHA512

          db3a08a024f70f3fd338d03ff313d30394555754387c356da99ff0b40a49c0656b39c09971d0fb53c19c495ad3b97b52c49bc059823e8a478a646cdedad9bf81

        • C:\Users\Admin\AppData\Local\Aonz8\cmstp.exe

          Filesize

          34KB

          MD5

          b978cea86173c8e1916fb7a8fe2703c5

          SHA1

          a21c5bb3ed04eb271e8c9be4057aaaeb02d1fcd2

          SHA256

          c9ba7e6c7ec87ef7b9da3cf9520c3825b1f5997185420eaf8b19a73441c05557

          SHA512

          edfc6b3f8bca0daa63cdcc1965d308a9697527dcb12c96119f93b9f661561387f4f123c9cac3cd0a0d9767a16c6b79273daa67c57f2ab3249a42965dc9d256e3

        • C:\Users\Admin\AppData\Local\Aonz8\cmstp.exe

          Filesize

          4KB

          MD5

          b45b65c2b646c1b3f60b02d798e0f794

          SHA1

          f7a30ce65dcfb17d265802e30a501d876431fdee

          SHA256

          360155289b81affce160e03140f70289b1173d82aeef971811263434693d7e1b

          SHA512

          696c57611c21353594cd903324add7662064d63fcb9940c2832f742f74ba8a54f23e852f0c650afa3953aa4ad4c558cc0a491e975685a857e0c9637b8e72700a

        • C:\Users\Admin\AppData\Local\k2pQ\credui.dll

          Filesize

          20KB

          MD5

          3760b4ea0beca7a8f82aeafe3a3acc7b

          SHA1

          88e9e6a9e3979a264c7858f598dbc3cde69990d7

          SHA256

          64b78af1cf1743871ea11ce608ba31a7a072de29bd0c030105912e313b4c3a4b

          SHA512

          1cb0f17db28f32dff47092d34e94e0322de597d8876dda04b74a131373ec3493ceeacec6bb43d894b38ae3ae50f6e764e0f9436d70789dea011653f7830d6c18

        • C:\Users\Admin\AppData\Local\k2pQ\credui.dll

          Filesize

          101KB

          MD5

          35994a6de72e4b12cfdbf1b08d80ba68

          SHA1

          12f586b6e4d1fe7266a62569305fc324aa329b12

          SHA256

          5a28af788f16d8c45593a685ddc68d6cede3271ce5c5a60c81adb1bfcfbf8a5f

          SHA512

          43d169b7c58c3f91fe9bc63fc3491e7fd47c79c751e6988b4cb659493af7e57ba0b222afb2154cad865b01825cc1dc837511f0398a5add6f823dd23a16f0ecf7

        • C:\Users\Admin\AppData\Local\k2pQ\perfmon.exe

          Filesize

          104KB

          MD5

          b591ca152d217c558a45a190c3d966eb

          SHA1

          888babdb6f0ff8251310c70fbc493a42c05d7d95

          SHA256

          d0b6a45781a6c75412ddf1c27bf2a10b190bd3dc98e78bb550385435a2a95fcb

          SHA512

          9044c76e92bd5cc0be44f3ec95680ad684d2042ba6dda690d47cfcc22c5cd11a5927290097cb9d1a06acd59a75eb874d7453f053c1667846b5a17c9e3ae1a498

        • C:\Users\Admin\AppData\Local\k2pQ\perfmon.exe

          Filesize

          47KB

          MD5

          0c9766f959a6116c1aa38266151d8e7b

          SHA1

          59ea5062a442a3f6d78a4b834dfc9c5c256bd950

          SHA256

          8214b63c77618690bfcfef9c6dfaf031f3bedc77dfdcf87d729b14fa343fa466

          SHA512

          55295727c28204f5280adbe74defc55dcba1e58b300733ad7ca200fa043238b020e511320a5776936c541549cad192e6af8b74ba6af9e7d05094627e45d0e234

        • C:\Users\Admin\AppData\Local\xF7yl\AtBroker.exe

          Filesize

          22KB

          MD5

          2c89af2c66a3c4087d0005788a4cdf4b

          SHA1

          41751daf5f1f351a59b2dd11d8741e6165ba5efd

          SHA256

          345484aa84a45191c057f46a596ceffce17b7931c80e3319cd0d03483defada3

          SHA512

          d768ed78f7d24d325ae17abc5476f1cd8085f056b4dbebbc4932673bcaa90e27cbc1f14f097d5655d406d83e3b775955048f9ca0dc1d597ca2c60789a2a6ef05

        • C:\Users\Admin\AppData\Local\xF7yl\AtBroker.exe

          Filesize

          1KB

          MD5

          1ecc7c9e10dcf56cf55472a777d953c4

          SHA1

          3ee5ff4e545f76a82bd1e6ecc99149af871140f5

          SHA256

          1b3d2e66d1e333e6796f6af5a481fb6a6dc1838dd4c902f54c6c595a6a55ee89

          SHA512

          1b5cc9b633c25ba33f69c8eacfc38cdf983cc3ee71a8cca2b6df0b3ecb3cc1b0eb7d34c8b1b111e1a89c2162bef3ad447688b5f7a5b70ebe3d8b8664528a3c39

        • C:\Users\Admin\AppData\Local\xF7yl\UxTheme.dll

          Filesize

          26KB

          MD5

          4844e2b1fd9854b0adc44d37fe1b0243

          SHA1

          3b47f5bdfbd135bc77ebe22c923a9b81c5a885b3

          SHA256

          c437b3cf5c8db623f193cdac6f36ebfe8ce49177386f09b30b4c8f81c7fb3fb3

          SHA512

          8fa9599dea6750fe695d92d53a4366713bebadba0e3916f05c18779f8c0e341db7037fd697916d08994bea0a04f009e39ab33d79cd9fd908940e71b2babdbaaa

        • C:\Users\Admin\AppData\Local\xF7yl\UxTheme.dll

          Filesize

          31KB

          MD5

          cd462add91a35db5e427296fac96165b

          SHA1

          5c590d013d1af81cd6ca260e27947e0e837fd502

          SHA256

          61bc182737c670fa68bd81efb5beeb36f8023a4eadc6400c6a72c7ddf6b4361b

          SHA512

          7945c9830d16dab5d96a97a35bc611ed72386a19048c1361eaac055f305f4859a84eb24a81c1181b9bae31c0ad77103cd7b4f1b8bdbb3aa6957063e72a564c63

        • C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Collab\AYHA\UxTheme.dll

          Filesize

          1.5MB

          MD5

          2d8de8c9e3b2ecc4242ae9ecf3f81e51

          SHA1

          1ddfd5c948a75b20b643c0ce1e67f8e92357a73f

          SHA256

          db3f808790f7ba90df5dba62df5b320219acfc436e555c7df3643c222163ac20

          SHA512

          0a39c72abe8f1d02e7c2d52ab5c3856111251f6b3de0036b1b69ce2d43c9829339af52dfba1fd9c6d9ba8b41da5b4900cb23fcaf1d76a965768cd3a58e5fe58f

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Wdush.lnk

          Filesize

          1KB

          MD5

          3417e097af440429e40c69c5d3f5c95b

          SHA1

          1bb85e2a69bb76503da3a10b5048995ffbd2a5fb

          SHA256

          217fdbec5a1b720b4e60fc921d18ca71ab65fb6fa30ad3ef2cf9ba0aa07b8849

          SHA512

          31e0ec7a15307dd16968c63d06c2b2d01f419b11243152fb4d4d6e6c02bf0200d782226e31de48d17329d7960556af3f7cb88f0475f95c4a68683a1fb0a53d93

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\CloudStore\TklFvL\credui.dll

          Filesize

          818KB

          MD5

          dacdbaff0663f5d7f5e0098c535c696c

          SHA1

          70012ae3c924161af945d127353c733e99ccdcb6

          SHA256

          7ffe97f8175627bb8a55be101bb90cdf4737ef88945127502495e0751a05893c

          SHA512

          11331174a8085dd7263180cd28f38080f0c3c01d11d2909b12f9cab8ac37036d7f989d93e2ef52c6fece67cc338809218d95b9488d4e03cb31a3b3e9fade11ea

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\ROMYIpv\VERSION.dll

          Filesize

          1.5MB

          MD5

          206792accb4bb6603c5d5f7c2194f8e3

          SHA1

          d53c824de2793907b934ec94c0510b425aa5dc6f

          SHA256

          39ec527367bb28256012c31f928c9d224a933173b716ac62deeb916f388e7a3b

          SHA512

          33923cb50f8a52dde17727585c7111aab875d0a83a68030856fe05d90aea0d3a750ad155155f9bf1ce338bd197f7e571202bbf68a38f31848a85b486cfa3d6f1

        • memory/2112-120-0x0000022D080D0000-0x0000022D080D7000-memory.dmp

          Filesize

          28KB

        • memory/2496-1-0x0000000140000000-0x0000000140189000-memory.dmp

          Filesize

          1.5MB

        • memory/2496-7-0x0000000140000000-0x0000000140189000-memory.dmp

          Filesize

          1.5MB

        • memory/2496-0-0x000001BD085A0000-0x000001BD085A7000-memory.dmp

          Filesize

          28KB

        • memory/3568-73-0x0000000140000000-0x0000000140189000-memory.dmp

          Filesize

          1.5MB

        • memory/3568-34-0x0000000140000000-0x0000000140189000-memory.dmp

          Filesize

          1.5MB

        • memory/3568-28-0x0000000140000000-0x0000000140189000-memory.dmp

          Filesize

          1.5MB

        • memory/3568-46-0x0000000140000000-0x0000000140189000-memory.dmp

          Filesize

          1.5MB

        • memory/3568-45-0x0000000140000000-0x0000000140189000-memory.dmp

          Filesize

          1.5MB

        • memory/3568-44-0x0000000140000000-0x0000000140189000-memory.dmp

          Filesize

          1.5MB

        • memory/3568-43-0x0000000140000000-0x0000000140189000-memory.dmp

          Filesize

          1.5MB

        • memory/3568-42-0x0000000140000000-0x0000000140189000-memory.dmp

          Filesize

          1.5MB

        • memory/3568-41-0x0000000140000000-0x0000000140189000-memory.dmp

          Filesize

          1.5MB

        • memory/3568-27-0x0000000140000000-0x0000000140189000-memory.dmp

          Filesize

          1.5MB

        • memory/3568-49-0x0000000140000000-0x0000000140189000-memory.dmp

          Filesize

          1.5MB

        • memory/3568-54-0x0000000140000000-0x0000000140189000-memory.dmp

          Filesize

          1.5MB

        • memory/3568-53-0x00000000010D0000-0x00000000010D7000-memory.dmp

          Filesize

          28KB

        • memory/3568-61-0x0000000140000000-0x0000000140189000-memory.dmp

          Filesize

          1.5MB

        • memory/3568-62-0x00007FFA3F800000-0x00007FFA3F810000-memory.dmp

          Filesize

          64KB

        • memory/3568-52-0x0000000140000000-0x0000000140189000-memory.dmp

          Filesize

          1.5MB

        • memory/3568-38-0x0000000140000000-0x0000000140189000-memory.dmp

          Filesize

          1.5MB

        • memory/3568-40-0x0000000140000000-0x0000000140189000-memory.dmp

          Filesize

          1.5MB

        • memory/3568-4-0x0000000002EC0000-0x0000000002EC1000-memory.dmp

          Filesize

          4KB

        • memory/3568-39-0x0000000140000000-0x0000000140189000-memory.dmp

          Filesize

          1.5MB

        • memory/3568-37-0x0000000140000000-0x0000000140189000-memory.dmp

          Filesize

          1.5MB

        • memory/3568-71-0x0000000140000000-0x0000000140189000-memory.dmp

          Filesize

          1.5MB

        • memory/3568-51-0x0000000140000000-0x0000000140189000-memory.dmp

          Filesize

          1.5MB

        • memory/3568-50-0x0000000140000000-0x0000000140189000-memory.dmp

          Filesize

          1.5MB

        • memory/3568-36-0x0000000140000000-0x0000000140189000-memory.dmp

          Filesize

          1.5MB

        • memory/3568-32-0x0000000140000000-0x0000000140189000-memory.dmp

          Filesize

          1.5MB

        • memory/3568-35-0x0000000140000000-0x0000000140189000-memory.dmp

          Filesize

          1.5MB

        • memory/3568-8-0x0000000140000000-0x0000000140189000-memory.dmp

          Filesize

          1.5MB

        • memory/3568-30-0x0000000140000000-0x0000000140189000-memory.dmp

          Filesize

          1.5MB

        • memory/3568-33-0x0000000140000000-0x0000000140189000-memory.dmp

          Filesize

          1.5MB

        • memory/3568-31-0x0000000140000000-0x0000000140189000-memory.dmp

          Filesize

          1.5MB

        • memory/3568-29-0x0000000140000000-0x0000000140189000-memory.dmp

          Filesize

          1.5MB

        • memory/3568-26-0x0000000140000000-0x0000000140189000-memory.dmp

          Filesize

          1.5MB

        • memory/3568-19-0x0000000140000000-0x0000000140189000-memory.dmp

          Filesize

          1.5MB

        • memory/3568-17-0x0000000140000000-0x0000000140189000-memory.dmp

          Filesize

          1.5MB

        • memory/3568-11-0x0000000140000000-0x0000000140189000-memory.dmp

          Filesize

          1.5MB

        • memory/3568-48-0x0000000140000000-0x0000000140189000-memory.dmp

          Filesize

          1.5MB

        • memory/3568-47-0x0000000140000000-0x0000000140189000-memory.dmp

          Filesize

          1.5MB

        • memory/3568-25-0x0000000140000000-0x0000000140189000-memory.dmp

          Filesize

          1.5MB

        • memory/3568-24-0x0000000140000000-0x0000000140189000-memory.dmp

          Filesize

          1.5MB

        • memory/3568-23-0x0000000140000000-0x0000000140189000-memory.dmp

          Filesize

          1.5MB

        • memory/3568-22-0x0000000140000000-0x0000000140189000-memory.dmp

          Filesize

          1.5MB

        • memory/3568-21-0x0000000140000000-0x0000000140189000-memory.dmp

          Filesize

          1.5MB

        • memory/3568-20-0x0000000140000000-0x0000000140189000-memory.dmp

          Filesize

          1.5MB

        • memory/3568-18-0x0000000140000000-0x0000000140189000-memory.dmp

          Filesize

          1.5MB

        • memory/3568-16-0x0000000140000000-0x0000000140189000-memory.dmp

          Filesize

          1.5MB

        • memory/3568-15-0x0000000140000000-0x0000000140189000-memory.dmp

          Filesize

          1.5MB

        • memory/3568-14-0x0000000140000000-0x0000000140189000-memory.dmp

          Filesize

          1.5MB

        • memory/3568-13-0x0000000140000000-0x0000000140189000-memory.dmp

          Filesize

          1.5MB

        • memory/3568-9-0x00007FFA3DC8A000-0x00007FFA3DC8B000-memory.dmp

          Filesize

          4KB

        • memory/3568-10-0x0000000140000000-0x0000000140189000-memory.dmp

          Filesize

          1.5MB

        • memory/3568-12-0x0000000140000000-0x0000000140189000-memory.dmp

          Filesize

          1.5MB

        • memory/3568-6-0x0000000140000000-0x0000000140189000-memory.dmp

          Filesize

          1.5MB

        • memory/4820-83-0x000001C174090000-0x000001C174097000-memory.dmp

          Filesize

          28KB

        • memory/4844-101-0x000001852C200000-0x000001852C207000-memory.dmp

          Filesize

          28KB
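
The memory dumps above are named memory/<pid>-<sequence>-0x<start>-0x<end>-memory.dmp, and two things in that list can be checked mechanically. First, the same 1.5MB range 0x140000000-0x140189000 is dumped from the rundll32.exe process (PID 2496) and from PID 3568, which never appears in the process list; 0x140000000 is the default image base the Microsoft linker gives 64-bit executables, so a region of exactly the sample's size at that address in a second process is the first one to pull and compare. The "Dridex Shellcode" signature names Explorer as the injection target, but the dump list does not name PID 3568's image, so that link is inferred rather than recorded. The script below is an added example and not part of the sandbox output: it parses a representative subset of the dump names from this page (embedded as constructed input; the PID set is copied from the process list), reports ranges shared across processes, and lists PIDs that have dumps but no process-list entry.

```python
"""Correlate the memory dumps listed in this report by address range.

Added example, not part of the sandbox output. DUMPS is a constructed
subset of the dump names on this page; TREE_PIDS is copied from the
process list. Ranges shared by two PIDs, and PIDs that were dumped but
never appear in the process list, are what an analyst pulls first.
"""
import re
from collections import defaultdict

# Dump names copied from the report (a representative subset of the ~60 listed).
DUMPS = [
    "memory/2112-120-0x0000022D080D0000-0x0000022D080D7000-memory.dmp",
    "memory/2496-1-0x0000000140000000-0x0000000140189000-memory.dmp",
    "memory/2496-7-0x0000000140000000-0x0000000140189000-memory.dmp",
    "memory/2496-0-0x000001BD085A0000-0x000001BD085A7000-memory.dmp",
    "memory/3568-73-0x0000000140000000-0x0000000140189000-memory.dmp",
    "memory/3568-53-0x00000000010D0000-0x00000000010D7000-memory.dmp",
    "memory/3568-62-0x00007FFA3F800000-0x00007FFA3F810000-memory.dmp",
    "memory/3568-4-0x0000000002EC0000-0x0000000002EC1000-memory.dmp",
    "memory/3568-9-0x00007FFA3DC8A000-0x00007FFA3DC8B000-memory.dmp",
    "memory/4820-83-0x000001C174090000-0x000001C174097000-memory.dmp",
    "memory/4844-101-0x000001852C200000-0x000001852C207000-memory.dmp",
]

# PIDs that appear in the report's process list.
TREE_PIDS = {2496, 2540, 4820, 4844, 2112, 4756, 4592}

# memory/<pid>-<sequence>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def parse_dump_name(name):
    """Split one dump name into pid, sequence number, start, end and size."""
    m = DUMP_RE.match(name)
    if m is None:
        raise ValueError(f"not a sandbox dump name: {name!r}")
    pid, seq = int(m.group(1)), int(m.group(2))
    start, end = int(m.group(3), 16), int(m.group(4), 16)
    if end <= start:
        raise ValueError(f"empty or inverted range: {name!r}")
    return {"pid": pid, "seq": seq, "start": start, "end": end, "size": end - start}


def size_label(size):
    """Format a byte count the way the report does (1.5MB, 28KB, 4KB)."""
    if size >= 1 << 20:
        return f"{size / (1 << 20):.1f}MB"
    if size >= 1 << 10:
        return f"{size // (1 << 10)}KB"
    return f"{size}B"


def shared_regions(names):
    """Address ranges dumped from more than one PID -> sorted PIDs. The same
    range in two processes is the first sign of an injected or mapped image."""
    pids = defaultdict(set)
    for name in names:
        d = parse_dump_name(name)
        pids[(d["start"], d["end"])].add(d["pid"])
    return {rng: sorted(p) for rng, p in pids.items() if len(p) > 1}


def pids_without_tree_entry(names, tree_pids):
    """PIDs that have dumps but no entry in the process list."""
    dumped = {parse_dump_name(n)["pid"] for n in names}
    return sorted(dumped - set(tree_pids))


if __name__ == "__main__":
    for (start, end), pids in shared_regions(DUMPS).items():
        print(f"0x{start:X}-0x{end:X} ({size_label(end - start)}) in PIDs {pids}")
    for pid in pids_without_tree_entry(DUMPS, TREE_PIDS):
        print(f"PID {pid} has dumps but no process-list entry")
```

Fed the full list from this page, the same two functions return one shared range (the 1.5MB image in PIDs 2496 and 3568) and one unlisted PID (3568); the subset above is enough to reproduce both results offline.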