Analysis

  • max time kernel
    151s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21-01-2024 08:51

General

  • Target

    6ce094e7633ddc304e6c7b56a7e56e86.dll

  • Size

    1.7MB

  • MD5

    6ce094e7633ddc304e6c7b56a7e56e86

  • SHA1

    693a8ad317cc0ece3f05edc77e1fd28d452483dd

  • SHA256

    dcb4e6dfc9dea7413fcd611f3f06c684dc85f48b698fe86c13fe9884756f81da

  • SHA512

    8f28d13f798af1fc4adef5339271054e165f0f18852c1482c8e685566a1cb77df217511fd3a01150ef7a27ed91d1ef58bbb9c160f0b0f925eace7c0d40f4c42b

  • SSDEEP

    12288:9VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:kfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\6ce094e7633ddc304e6c7b56a7e56e86.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:4796
  • C:\Windows\system32\MusNotifyIcon.exe
    C:\Windows\system32\MusNotifyIcon.exe
    1⤵
      PID:2916
    • C:\Users\Admin\AppData\Local\pgvj\MusNotifyIcon.exe
      C:\Users\Admin\AppData\Local\pgvj\MusNotifyIcon.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:732
    • C:\Windows\system32\slui.exe
      C:\Windows\system32\slui.exe
      1⤵
        PID:2300
      • C:\Users\Admin\AppData\Local\8zj\slui.exe
        C:\Users\Admin\AppData\Local\8zj\slui.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:3708
      • C:\Windows\system32\wscript.exe
        C:\Windows\system32\wscript.exe
        1⤵
          PID:2164
        • C:\Users\Admin\AppData\Local\953\wscript.exe
          C:\Users\Admin\AppData\Local\953\wscript.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2664

Network

MITRE ATT&CK Enterprise v15


Downloads

        • C:\Users\Admin\AppData\Local\8zj\WINBRAND.dll

          Filesize

          1.7MB

          MD5

          fa67e94f768921cd0fa15cd8197c4327

          SHA1

          24e00655fca6f191c469ac8a978b277220c21db4

          SHA256

          0f61a93ffa93c36426c990f3812008b432838b88a5fb8902f75cae5b7135beb1

          SHA512

          6193c7b5435110865d6dbbc4868ea20179b02fd8103ae348556d70641cc63ad26a7616b09d4e132d85e89c992888acb59ee86544efde09e5551c06adc0a6de70

        • C:\Users\Admin\AppData\Local\8zj\slui.exe

          Filesize

          534KB

          MD5

          eb725ea35a13dc18eac46aa81e7f2841

          SHA1

          c0b3304c970324952e18c4a51073e3bdec73440b

          SHA256

          25e7624d469a592934ab8c509d12c153c2799e604c2a4b8a83650a7268577dff

          SHA512

          39192a1fad29654b3769f007298eff049d0688a3cb51390833ec563f44f9931cd3f6f8693db37b649b061b5aab379b166c15dade56d0fc414375243320375b26

        • C:\Users\Admin\AppData\Local\953\VERSION.dll

          Filesize

          1.7MB

          MD5

          5bea0a6c3ddb0ada28bf7c0bfb3f093f

          SHA1

          27da8388017d52440645fc1bcd4eaca388a5f494

          SHA256

          ccc8dcb3394b5b86231a75ab890b6613e4c20caec21dedee04cfe718d633fed0

          SHA512

          b74ff36440e45cfe4da57ca2983ba66e9c71ba3a1dcb65d6cc105db9523f598998dd538dbf04dd8a3a24f396d37a797e0373cf857a8aaa5df27d68403443f586

        • C:\Users\Admin\AppData\Local\953\wscript.exe

          Filesize

          166KB

          MD5

          a47cbe969ea935bdd3ab568bb126bc80

          SHA1

          15f2facfd05daf46d2c63912916bf2887cebd98a

          SHA256

          34008e2057df8842df210246995385a0441dc1e081d60ad15bd481e062e7f100

          SHA512

          f5c81e6dc4d916944304fc85136e1ff6dee29a21e50a54fe6280a475343eccbfe094171d62475db5f38e07898c061126158c34d48b9d8f4f57f76d49e564e3fc

        • C:\Users\Admin\AppData\Local\pgvj\MusNotifyIcon.exe

          Filesize

          629KB

          MD5

          c54b1a69a21e03b83ebb0aeb3758b6f7

          SHA1

          b32ee7e5b813554c4b8e8f96f176570e0f6e8b6c

          SHA256

          ac3e12011b70144cc84539bbccacdfae35bd4ea3ee61b4a9fca5f082d044d8bf

          SHA512

          2680ab501ffe7d40fed28eb207d812880c8a71d71a29d59ba3da27c0bae98c74893e04807d93fba7b5e673c3e13a1ad21bfaab10bdb871d83349ff4e7c614b19

        • C:\Users\Admin\AppData\Local\pgvj\XmlLite.dll

          Filesize

          1.7MB

          MD5

          63b235765fc17589e41d8625c926a631

          SHA1

          aa68b4ccdc12dc8a093cc8f09022859934f0241f

          SHA256

          0da5a71a04b00330992efd247aa4baffd4e6c01e01cc6cddd5f2f2939acf746b

          SHA512

          a4d6557412222f2f0d600b041013e487fa32d1fa675f85f0e3d746fdc4bb79bb15d0eed3f10d55c1d7f8347e1c82b029159f1385a33ecbf2ea229634c8f4a24f

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Btpzaqnqvnv.lnk

          Filesize

          1KB

          MD5

          0bb0b6ac67c15c21b988b2782c52d949

          SHA1

          74cf236b848dd521cc0a3784d59526a40105751e

          SHA256

          5f268cdcd92bb2602c2716b1e1e080389762aa8cbb7f04605e578ba1d565e19d

          SHA512

          545181331fb3d2ebfde40b1e32821865fcc85461e557f56c29b19ebca359f0c21bb40caf611160fde6bcf2ee5fcd6f5e6abcb177f9acd5f36ff3662658b57484

        • memory/732-68-0x0000000140000000-0x00000001401B4000-memory.dmp

          Filesize

          1.7MB

        • memory/732-62-0x0000000140000000-0x00000001401B4000-memory.dmp

          Filesize

          1.7MB

        • memory/732-63-0x000001F8622B0000-0x000001F8622B7000-memory.dmp

          Filesize

          28KB

        • memory/2664-96-0x00000208F73B0000-0x00000208F73B7000-memory.dmp

          Filesize

          28KB

        • memory/3532-15-0x0000000140000000-0x00000001401B3000-memory.dmp

          Filesize

          1.7MB

        • memory/3532-32-0x0000000140000000-0x00000001401B3000-memory.dmp

          Filesize

          1.7MB

        • memory/3532-16-0x0000000140000000-0x00000001401B3000-memory.dmp

          Filesize

          1.7MB

        • memory/3532-17-0x0000000140000000-0x00000001401B3000-memory.dmp

          Filesize

          1.7MB

        • memory/3532-18-0x0000000140000000-0x00000001401B3000-memory.dmp

          Filesize

          1.7MB

        • memory/3532-19-0x0000000140000000-0x00000001401B3000-memory.dmp

          Filesize

          1.7MB

        • memory/3532-20-0x0000000140000000-0x00000001401B3000-memory.dmp

          Filesize

          1.7MB

        • memory/3532-21-0x0000000140000000-0x00000001401B3000-memory.dmp

          Filesize

          1.7MB

        • memory/3532-22-0x0000000140000000-0x00000001401B3000-memory.dmp

          Filesize

          1.7MB

        • memory/3532-23-0x0000000140000000-0x00000001401B3000-memory.dmp

          Filesize

          1.7MB

        • memory/3532-24-0x0000000140000000-0x00000001401B3000-memory.dmp

          Filesize

          1.7MB

        • memory/3532-25-0x0000000140000000-0x00000001401B3000-memory.dmp

          Filesize

          1.7MB

        • memory/3532-26-0x0000000140000000-0x00000001401B3000-memory.dmp

          Filesize

          1.7MB

        • memory/3532-27-0x0000000140000000-0x00000001401B3000-memory.dmp

          Filesize

          1.7MB

        • memory/3532-28-0x0000000140000000-0x00000001401B3000-memory.dmp

          Filesize

          1.7MB

        • memory/3532-29-0x0000000140000000-0x00000001401B3000-memory.dmp

          Filesize

          1.7MB

        • memory/3532-30-0x0000000140000000-0x00000001401B3000-memory.dmp

          Filesize

          1.7MB

        • memory/3532-31-0x0000000140000000-0x00000001401B3000-memory.dmp

          Filesize

          1.7MB

        • memory/3532-33-0x0000000001460000-0x0000000001467000-memory.dmp

          Filesize

          28KB

        • memory/3532-4-0x00000000032C0000-0x00000000032C1000-memory.dmp

          Filesize

          4KB

        • memory/3532-7-0x0000000140000000-0x00000001401B3000-memory.dmp

          Filesize

          1.7MB

        • memory/3532-41-0x0000000140000000-0x00000001401B3000-memory.dmp

          Filesize

          1.7MB

        • memory/3532-42-0x00007FFCF0B80000-0x00007FFCF0B90000-memory.dmp

          Filesize

          64KB

        • memory/3532-51-0x0000000140000000-0x00000001401B3000-memory.dmp

          Filesize

          1.7MB

        • memory/3532-53-0x0000000140000000-0x00000001401B3000-memory.dmp

          Filesize

          1.7MB

        • memory/3532-6-0x0000000140000000-0x00000001401B3000-memory.dmp

          Filesize

          1.7MB

        • memory/3532-14-0x0000000140000000-0x00000001401B3000-memory.dmp

          Filesize

          1.7MB

        • memory/3532-8-0x00007FFCEFC8A000-0x00007FFCEFC8B000-memory.dmp

          Filesize

          4KB

        • memory/3532-13-0x0000000140000000-0x00000001401B3000-memory.dmp

          Filesize

          1.7MB

        • memory/3532-12-0x0000000140000000-0x00000001401B3000-memory.dmp

          Filesize

          1.7MB

        • memory/3532-11-0x0000000140000000-0x00000001401B3000-memory.dmp

          Filesize

          1.7MB

        • memory/3532-10-0x0000000140000000-0x00000001401B3000-memory.dmp

          Filesize

          1.7MB

        • memory/3532-9-0x0000000140000000-0x00000001401B3000-memory.dmp

          Filesize

          1.7MB

        • memory/3708-85-0x0000000140000000-0x00000001401B4000-memory.dmp

          Filesize

          1.7MB

        • memory/3708-79-0x0000012B7DBE0000-0x0000012B7DBE7000-memory.dmp

          Filesize

          28KB

        • memory/4796-35-0x0000000140000000-0x00000001401B3000-memory.dmp

          Filesize

          1.7MB

        • memory/4796-1-0x0000000140000000-0x00000001401B3000-memory.dmp

          Filesize

          1.7MB

        • memory/4796-0-0x0000024472870000-0x0000024472877000-memory.dmp

          Filesize

          28KB