Analysis

  • max time kernel
    152s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21-01-2024 01:01

General

  • Target

    6bf2b8dfb0ae1a87d53b7df0eba45900.dll

  • Size

    1.7MB

  • MD5

    6bf2b8dfb0ae1a87d53b7df0eba45900

  • SHA1

    21fd1716131f7cb2c2558cca781bdd40ebe582f5

  • SHA256

    040d5692e18f3667089d59f660741709390f41f201dd0f2d879ec90e47435a97

  • SHA512

    e773f27dce2811185f20ae0e4c26dfa68c75b12fa31f8930360132b51ae654dc3ba61d573d34cd1004865699f61475d59759a7d9e3db486c57db7c1ec7987f87

  • SSDEEP

    12288:tVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:0fP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Malware Config

Signatures

  • Dridex

    Dridex (known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\6bf2b8dfb0ae1a87d53b7df0eba45900.dll,#1
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2044
  • C:\Windows\system32\sessionmsg.exe
    C:\Windows\system32\sessionmsg.exe
    PID:3416
  • C:\Users\Admin\AppData\Local\Hdq7E\sessionmsg.exe
    C:\Users\Admin\AppData\Local\Hdq7E\sessionmsg.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:2468
  • C:\Users\Admin\AppData\Local\6JQ3J7Ek\consent.exe
    C:\Users\Admin\AppData\Local\6JQ3J7Ek\consent.exe
    • Executes dropped EXE
    PID:4296
  • C:\Windows\system32\SppExtComObj.Exe
    C:\Windows\system32\SppExtComObj.Exe
    PID:2168
  • C:\Windows\system32\mblctr.exe
    C:\Windows\system32\mblctr.exe
    PID:2500
  • C:\Users\Admin\AppData\Local\IFt4W1tIe\SppExtComObj.Exe
    C:\Users\Admin\AppData\Local\IFt4W1tIe\SppExtComObj.Exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:2340
  • C:\Users\Admin\AppData\Local\AYzwzV\mblctr.exe
    C:\Users\Admin\AppData\Local\AYzwzV\mblctr.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:3664
  • C:\Windows\system32\consent.exe
    C:\Windows\system32\consent.exe
    PID:4992

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\6JQ3J7Ek\consent.exe
    Filesize: 162KB
    MD5: 6646631ce4ad7128762352da81f3b030
    SHA1: 1095bd4b63360fc2968d75622aa745e5523428ab
    SHA256: 56b2d516376328129132b815e22379ae8e7176825f059c9374a33cc844482e64
    SHA512: 1c00ed5d8568f6ebd119524b61573cfe71ca828bd8fbdd150158ec8b5db65fa066908d120d201fce6222707bcb78e0c1151b82fdc1dccf3ada867cb810feb6da

  • C:\Users\Admin\AppData\Local\AYzwzV\WINMM.dll
    Filesize: 194KB
    MD5: 289f2848ef9d24b3ea00092a6d4533f8
    SHA1: 7f7d19bbcb7863cea350bb5309e9b4fed6acf30a
    SHA256: af2f900a3de0b85166c99393551d303f2fd5859234aadc764768000a4d6a915c
    SHA512: 585817c78a64cc37f1ee9a0bcd0db8e55a022d20734f972d9a17fc05201e52f6e455f1f305786fb1e5102e9ecaa1eb97f29fc96f900e8ab6b77f43075e8af417

  • C:\Users\Admin\AppData\Local\AYzwzV\WINMM.dll
    Filesize: 242KB
    MD5: 882347c1b447d106cf94258c04835248
    SHA1: e21334f3ece6f76ea14c38400ae607fa2ad0a6e4
    SHA256: 86f173b7152ef5db22483ba5bccd74374d7ff615bdcf6e5fd76c4d4e87928e84
    SHA512: a0f2a63ff139b10a86de465d4e9c0b76843d472156df8ab79f5db4222a92baeded4bb460040921435f689df19b3b4bc3ff73a375fb218d7827191a9fdda45f1b

  • C:\Users\Admin\AppData\Local\AYzwzV\mblctr.exe
    Filesize: 149KB
    MD5: e7398b4378c9ae087d680836893b0e7f
    SHA1: 8a547a9bd5a1d56efd37bab774d77edbd2380364
    SHA256: a5ea5969e2e27b06a7dbf313a3ec29352d121552b22a90077c82d6adb967762c
    SHA512: c726ba04b6e87b260e24f4371c3475855b98ac5c1f2fdcdcdcc23fcc5b7994effddd8c6638143c7322081184911231d9117572e7f9553437662a14b402c609b1

  • C:\Users\Admin\AppData\Local\AYzwzV\mblctr.exe
    Filesize: 128KB
    MD5: 80f06d5105497a698a4dd58003a72474
    SHA1: 32c3ee2da3ef7150d3771e1f751507c86fd37dc7
    SHA256: 1030fc0e4f555791acf128d5c083b1b769ebb5ce3b16a4ee128eeabf6acb64e8
    SHA512: d267cad0b80b18773f5720dcb2fa87081a810afa39729012d47d54a01ca414276190c2c5c07d2940c8ae3afcd739c452f158371a56d135aac4c22fe0e5a9d529

  • C:\Users\Admin\AppData\Local\Hdq7E\DUser.dll
    Filesize: 200KB
    MD5: 3ecaa73db340e8c72f04b5d846fca7ca
    SHA1: a8c71ff5ef401db413e39a51355b27f4a9636339
    SHA256: 0f9ab8c86592a6f22c890734e5dd856fff622a489150773170c5fa6f12cb0f15
    SHA512: a83b6e62ba6e9eb106465dd340ad4851c4272928759a9f66dde10e4863ea0c81ca24aa35ab8216d6cbdea726c3f2c517cfaf81a0c55efde0f4eecab09e658365

  • C:\Users\Admin\AppData\Local\Hdq7E\DUser.dll
    Filesize: 192KB
    MD5: 3cf5410bf3c4e84a07a130be752e3a60
    SHA1: 90ebd2ee19fef8b5b83741c6a64b5e6a3ee3553e
    SHA256: 137e1017e3b089328277f18c70b551da675eebef81656b6ab8b3c4560a619749
    SHA512: 0a59e7bfa8593a36f5a99d34b7c2bec32a0204bc9d5494b8a586589c654fab20acabf6c12fe8c2b21eac5de0d7fd0d8cb2ab57e19a4147fb9203adf432feadb4

  • C:\Users\Admin\AppData\Local\Hdq7E\sessionmsg.exe
    Filesize: 85KB
    MD5: 480f710806b68dfe478ca1ec7d7e79cc
    SHA1: b4fc97fed2dbff9c4874cb65ede7b50699db37cd
    SHA256: 2416cd4aa577dbb2f8790a61e36fbab2b30bff81a4e1f67a5151c2fec29585bc
    SHA512: 29d3d234ebc45049a533b6a91b246ac043a56b9af67276aaf493b014ae34d73000f99a6b0c0b85d2dfb7fba54811cf8bbdfd167a9eed01a8617b7f05bf2971db

  • C:\Users\Admin\AppData\Local\IFt4W1tIe\ACTIVEDS.dll
    Filesize: 64KB
    MD5: c9f6e6682e4e91ed12a1dc3d21e62efb
    SHA1: 1ebe640e53ac67e5e7a1943bc43443de3642db62
    SHA256: e81c36d1ad40f292541d4783038c65e6f61d95b3486535ccd55a90e3bc8352e6
    SHA512: 0f7b7db1b391e6092ed16f0a4f63479257fdec59aebbb8bcc2d9ae737f921ac9b80e3951d225700c61dd77595e1c6c5afb515664ec1cd8e8eee0199edd28cc6f

  • C:\Users\Admin\AppData\Local\IFt4W1tIe\ACTIVEDS.dll
    Filesize: 15KB
    MD5: b74c410efc0be2c402004decd33780d6
    SHA1: aa560f031e4f9023d4845710010c5a0d93011821
    SHA256: 86b6009efb0312b0896da5f5bb56b21d2ff15e442f4e6b1a08e5af1495303ec2
    SHA512: 0c95747b0a6b9c7a5ce2ff722fd450f9d8639c9e176159bba8a97314edba185839ceb207989bc0954d77401295b2791d8be4fe5252ba8a52a8dff8c3ac61699a

  • C:\Users\Admin\AppData\Local\IFt4W1tIe\SppExtComObj.Exe
    Filesize: 23KB
    MD5: 4bdbe0723e3d0850febbf8c524bbaaae
    SHA1: 6e8698f2392aaf02440e679e6baaaec1d4a163c8
    SHA256: 72e5ff540de63737ab98ed58e5f9e2136dd96eb91481c131c76714a4fe9a0630
    SHA512: b0e9aa0494059e87c5dd0aed546b8c32583539b85a4c8ea2ef245b9ac648c5f8769e55bcd08dd336f028355f5cf05d151828e2ba19ad988c549542ba9055a838

  • C:\Users\Admin\AppData\Local\IFt4W1tIe\SppExtComObj.Exe
    Filesize: 68KB
    MD5: f4ffd37463488cd21b73810e7cfa46df
    SHA1: baba51e90b5b75bc2376bf83d370aded220197e0
    SHA256: e605ec1915b24c19aba48f62b26e8255b7f5cf1e9946f4ba2cf2f3afb5d1d6ad
    SHA512: f4b985d86ce91477beb3ffb96706318890567e22727a138095d162071b734ce5e082bff77f4f5eab147bd72514a856a15f7416e8f8806b620cdfb99f1d5bcd45

  • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dyngdiaoitf.lnk
    Filesize: 1KB
    MD5: e4f980761d4b2f50131e45abd59d7a60
    SHA1: 46395e85449028a574e26fa3c7fa2ac850a9cd56
    SHA256: bbec79f875831f6a9f1be483ad71395b715ed75e5a7da4a02bc51d45c4624aa1
    SHA512: 9cefa29f4ed047545df2841ef00cfd6ca3c86f24423febb2de6e9d6c4b8dffb567373d630c058bbe864b7a726e05a01aa0aaeac585ac26328c91ca92199d2183

  • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\9Apeh8FC6\ACTIVEDS.dll
    Filesize: 1.7MB
    MD5: 7d2492ee437fb311530ccb848975db4b
    SHA1: 8f6e81c3ed775887a359f81332f186ca916f373d
    SHA256: 53807ab411bcc7b41622999af736d045858069ff96dcbb11b77ef3cdccba7040
    SHA512: f303441759c9efce6c8b1b24f349d515496962646ef63e982cfc62fcecdaaefedc3077da12b4276b2ed89df1524e7406f0fa9b3e185a5ccabb7f70a554d5837e

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\uYd\DUser.dll
    Filesize: 1.7MB
    MD5: 0bc88fc73b87d666758fb6bf0c1ccfdd
    SHA1: 8ab7c6cc57acd6583d6bb2c75cd2997d0626a80e
    SHA256: c7fe682588c725ac2cc45f7280e84e6c5b19383683f1ffc3b288b306e9aa393f
    SHA512: e3405478899b567035e6d2781c3a3573a4f43c1db214cbecf61580d375d7e0277ffae7ae89f132b66cc643ebefb04e386b13bd1f31c01e5d12d4c11c7b3be800

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\uYd\rY4tacONr\WINMM.dll
    Filesize: 1.7MB
    MD5: af21885de1e84dddf5e04757b7c2623f
    SHA1: 9d7682f0993b6eac54949958de60c50df7848b52
    SHA256: 852dde5ad8c75257a87fa6dc69b5ad6d802873b31ecc4e667124b085c41d9ac9
    SHA512: 23e6ed8831a251544cd8592f4637faaed813cabe719cb007c4a6db81c7d5e27477c55fcf54807002b8bc77997e4430710868f03f9532d9176432d52ff8421e87
