Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags
    arch:x64
    arch:x86
    image:win10v2004-20231215-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    21-01-2024 10:09

General

  • Target

    6d08db5aa8c6eec9c991d6a14bd58a5f.dll

  • Size

    1.5MB

  • MD5

    6d08db5aa8c6eec9c991d6a14bd58a5f

  • SHA1

    e2a82cb1cffee35083b1a7ff9461a7eb5fa6046c

  • SHA256

    b183bd1e5a5f6a08cdb529a91cb1a1049d1b0f9700f6a10bf3716e17acb79d43

  • SHA512

    7d01b699b05e93f4cc671652dbf9c263dde5a16804d653fad4bca51c900cf58c72d58c58c0074377f5e9c7c647a1770bf9476e4f9393a5f099cc6613d7b9f3dd

  • SSDEEP

    12288:yVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:vfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Malware Config

Signatures

  • Dridex

    Dridex (known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex payload shellcode injected into the Explorer process.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\6d08db5aa8c6eec9c991d6a14bd58a5f.dll,#1
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2388
  • C:\Windows\system32\msconfig.exe
    C:\Windows\system32\msconfig.exe
    PID:3300
  • C:\Windows\system32\sdclt.exe
    C:\Windows\system32\sdclt.exe
    PID:2472
  • C:\Windows\system32\SnippingTool.exe
    C:\Windows\system32\SnippingTool.exe
    PID:4056
  • C:\Users\Admin\AppData\Local\16Ctixbp\SnippingTool.exe
    C:\Users\Admin\AppData\Local\16Ctixbp\SnippingTool.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:1104
  • C:\Users\Admin\AppData\Local\hgF\sdclt.exe
    C:\Users\Admin\AppData\Local\hgF\sdclt.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:2096
  • C:\Users\Admin\AppData\Local\vlO3\msconfig.exe
    C:\Users\Admin\AppData\Local\vlO3\msconfig.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:4460

        Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\16Ctixbp\SnippingTool.exe

          Filesize

          57KB

          MD5

          029faebfb6b88a228df45d4b730e1fa3

          SHA1

          674c019496c3992de4a99137cadbaa4b21fd7d16

          SHA256

          3f7fd249c2d0f6a992bb6923e9201768614bc1bed4571ab2de05096ad3f6fef5

          SHA512

          914e71f50fc1946f72ceb586bca0ae16c6d39f4320fe270e37b9b13571ae80257d258f09b204ef78a28f783d7f973052df1d74bb58d23c1faf019a2548941af6

        • C:\Users\Admin\AppData\Local\16Ctixbp\SnippingTool.exe

          Filesize

          62KB

          MD5

          214120d578d82e1594862e0db209af30

          SHA1

          7c0c1c99ccdf1d5cc44e864cea276cca7cc8cd70

          SHA256

          7be9671f202d070324ce02ee95ce3db3e51094799c6c29fbabe80520092669c0

          SHA512

          8bdf5928d73a576ea10ff644711d8fdeab2d0a53560972fa78976e3406322806891e95a9b5104cdd65f06245cbd4d70baa11892bdb5aec156c70055fe4a95a3d

        • C:\Users\Admin\AppData\Local\16Ctixbp\dwmapi.dll

          Filesize

          78KB

          MD5

          03a0c388a0ba0e1972c9b12d47b13395

          SHA1

          41a7b67df8b86e40065ca611b57c3e1aa784914e

          SHA256

          75462c976981fffad0224dda523cdf5c4a5f49997c6c1be09b785b0971790a3a

          SHA512

          3d70c7170ba6117a93c4f7abb7f35af2deb94bc0ccc485f7175b7a9e694c34de685d57447f71d57a2999e947f5882b8846bb185d7d087da4b7daa2534eca297c

        • C:\Users\Admin\AppData\Local\16Ctixbp\dwmapi.dll

          Filesize

          71KB

          MD5

          a1085f35207d27fb6509a01c94acfe06

          SHA1

          495d93fb0fbd106fda3226045ac3e598517bcf05

          SHA256

          c750c6edd79b1e999d623826e4f81c6d1c0c31ad44e557477d0f7737ab6b67af

          SHA512

          7c8c68c5c9860435dce34c9e1c199e3f5ec4a3a686569b27937702789cab7893354f66d8d21209b90fa655b17d7c05717707bfe648b3abd82606a9d9104b659a

        • C:\Users\Admin\AppData\Local\hgF\SPP.dll

          Filesize

          115KB

          MD5

          563ddfd9093bef70004cc8c04993262b

          SHA1

          8343b9c33b51247834a3aa6dbebf33c03d2e7dbd

          SHA256

          fdfcaba5574425855835cdd1fbd3478766d10c1417186e5678d8a5c96dc416f7

          SHA512

          76d8b7529eefd0fb257c5e8b7da9f3cf08ce8e1cff835bd749b2f253392e4aa954ade356e367c0afdd8f43dbcd2f4eefd354090f4f801c00fc3f683f45b45755

        • C:\Users\Admin\AppData\Local\hgF\SPP.dll

          Filesize

          182KB

          MD5

          5280132f784ddfa56495f8cd0f00f5a8

          SHA1

          afcdbb8984715687ce5f92866a3c6dbbc225a2fe

          SHA256

          abd5fa25e8cc54180478f490c42e377a0ee71522fcc712040f83449a3dde7bcb

          SHA512

          befe91baf6439202b49ab63931fa2a3da2a821ef91b2c5c2cad69ba5802cd2823578f52f13d2495c2a3358eef3937d59c873242629a1a38659da913b39e7d7b8

        • C:\Users\Admin\AppData\Local\hgF\sdclt.exe

          Filesize

          131KB

          MD5

          63861a270165aef842f584a17ac53b48

          SHA1

          3b76f46b0007671437424e0774beeddeeb301f27

          SHA256

          e60e442639113f009bbad39a015fae140b9d7b69b687708207d39fc409f50635

          SHA512

          87996c24b68c04bb0cb6d1e375f62732b7a66898c9de7966b28eee9155aa09326e8b351dad7c1f72e6ff11eec32519f92564b9d8c34fef0272eccd5a12099a0c

        • C:\Users\Admin\AppData\Local\hgF\sdclt.exe

          Filesize

          126KB

          MD5

          689251f53924c4747ce64258aa7fc5d9

          SHA1

          381e05d1ca1ace8f6fa1be22f0e9c6fd994f4758

          SHA256

          a0e2aa624455aa7f6afebc8ca663c4362df2bfb4b77a0b779c9f4f449cdd5c70

          SHA512

          c3d0376b052a83400f19f348d12c5c73a02a283a1d3f1540c9bca58267d782abf689497898863693d344218b98035324a9a151983763fda3867efba8cbdf6b96

        • C:\Users\Admin\AppData\Local\vlO3\VERSION.dll

          Filesize

          116KB

          MD5

          33912728ed8fbe3e7cc97f6b3c3a88b1

          SHA1

          36859280062a30dadc54ed86d9d91607c6f92989

          SHA256

          b37c6d5ed2957b066dedaf20d57fef4e5e1531238cd9e41749e2ed9dbbd01eec

          SHA512

          d535929d13396c215e364aaf9e0d49408ff302ca59b2d84b2652be89b9ae68cfe9c9c68aba437ee6bcfc2f4b7141cc891b801e10da86c8d98ca182d63a34ba2d

        • C:\Users\Admin\AppData\Local\vlO3\VERSION.dll

          Filesize

          113KB

          MD5

          9d21ac8806ed3d10eb8110d9f0927878

          SHA1

          b91cb85653e5c8c14f075d5978b5addc9cd3fc44

          SHA256

          1ec5acd6ccbb3092363bd2e720b606bff17aa075bec3a55cc24ac1c0459b9ac0

          SHA512

          8923dae8024335cd9a80e65ccef4131c7905b73ec2c9784da243f0f9180ed634a61ae26fcd2e590fa74da8d2bab3294da8bf356230cdd50b314b0cd48bd1af8a

        • C:\Users\Admin\AppData\Local\vlO3\msconfig.exe

          Filesize

          193KB

          MD5

          39009536cafe30c6ef2501fe46c9df5e

          SHA1

          6ff7b4d30f31186de899665c704a105227704b72

          SHA256

          93d2604f7fdf7f014ac5bef63ab177b6107f3cfc26da6cbd9a7ab50c96564a04

          SHA512

          95c9a8bc61c79108634f5578825544323e3d980ae97a105a325c58bc0e44b1d500637459969602f08d6d23d346baec6acd07d8351803981000c797190d48f03a

        • C:\Users\Admin\AppData\Local\vlO3\msconfig.exe

          Filesize

          122KB

          MD5

          cf6c3b40ba244445f348f1afa6de5f58

          SHA1

          90df3ba3d79439ce637069c5b6e327783e9cf968

          SHA256

          b48c84a7f8a269bb19874624ed2fae2bf685d8f13113fcc4d2fc622c90bee376

          SHA512

          23213f04d58ba7d38b620a9ad68281ba16001b87eded399a138fcd9c9492b1b4a3c520c6772d5ac003253787c2c30f9a509b45bec1edc1da45b45c63fa215dee

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ocuuy.lnk

          Filesize

          1KB

          MD5

          c823c10030a2fcfe84c5fa9f0fd27858

          SHA1

          71c900ac1deea2741b2f8fd7faadc69a08b5fe64

          SHA256

          e4a92798a06af598173a374bf049437e0868086bc4d567bfabd08c6cd3f9f575

          SHA512

          41cd5e06625e0cc18b0fd31b8b52c0fd30fd387689d1245a1e785eda21fd75e1e14c330f64154dfa7a01f4c130d715fb2f6427c549f39b0eb8e15ef78f7f1ada

        • C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low\nDBXX\dwmapi.dll

          Filesize

          1.5MB

          MD5

          1ddb4a9fd55a369b6a5a3faea38c84ac

          SHA1

          af12593a9114708065476d7e664f7516c1de14fe

          SHA256

          198213e2bdd278d0efd22222624abde4c1f4fe8844c842c1118b62aa089f3d9d

          SHA512

          b3668c5b8ea8f5b348b7fba5613f7bf13d456d1b0b10cfe82e5f2b4ac349f7e7178b40daed14639e70e277eca5f8aabb16cc4a25337ef4888293e58516aa3dab

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\EUlJnF1n\SPP.dll

          Filesize

          1.5MB

          MD5

          7af1530c7a8ea808e13813830aef9264

          SHA1

          86791a9589344ee2feddc5c257710d0aeeee679f

          SHA256

          7618935f51ce8d8c322b4e1b3ed023e485da10a3b0089ed0c237008c482c6578

          SHA512

          2b7450144d0bcf63118e704f5466d51568655b07887bacd7a6e6a8a82f950c190234cd27e1b2e4af0baaa71824e53a96cca955f6ec46ccbfbd691e2a40875581

        • C:\Users\Admin\AppData\Roaming\Microsoft\Word\v86e\VERSION.dll

          Filesize

          1.5MB

          MD5

          f58e79917707e974c503ed055080d2fb

          SHA1

          4f6f2aa646b9d20fda4b0423f58477cf26f6bb57

          SHA256

          36316b9f2190c0ef0083d50128279c6294c6ff3a8e75152cc5bf2a74a3e05220

          SHA512

          a7c2e2b991fdbab465a299304e43cfdea9a245ba7f960d7fe1a638d1d79742023e05c0629c7a4560323b494c887e9488d4a0c10eef3d18bf769f9a6ca0e84a94

        • memory/1104-111-0x0000024AE4830000-0x0000024AE4837000-memory.dmp

          Filesize

          28KB

        • memory/2096-97-0x0000000140000000-0x0000000140189000-memory.dmp

          Filesize

          1.5MB

        • memory/2096-91-0x000002DC6A3F0000-0x000002DC6A3F7000-memory.dmp

          Filesize

          28KB

        • memory/2388-0-0x0000000140000000-0x0000000140188000-memory.dmp

          Filesize

          1.5MB

        • memory/2388-2-0x0000022937EF0000-0x0000022937EF7000-memory.dmp

          Filesize

          28KB

        • memory/2388-8-0x0000000140000000-0x0000000140188000-memory.dmp

          Filesize

          1.5MB

        • memory/3468-27-0x0000000140000000-0x0000000140188000-memory.dmp

          Filesize

          1.5MB

        • memory/3468-56-0x00007FFA4F760000-0x00007FFA4F770000-memory.dmp

          Filesize

          64KB

        • memory/3468-32-0x0000000140000000-0x0000000140188000-memory.dmp

          Filesize

          1.5MB

        • memory/3468-31-0x0000000140000000-0x0000000140188000-memory.dmp

          Filesize

          1.5MB

        • memory/3468-24-0x0000000140000000-0x0000000140188000-memory.dmp

          Filesize

          1.5MB

        • memory/3468-21-0x0000000140000000-0x0000000140188000-memory.dmp

          Filesize

          1.5MB

        • memory/3468-18-0x0000000140000000-0x0000000140188000-memory.dmp

          Filesize

          1.5MB

        • memory/3468-17-0x0000000140000000-0x0000000140188000-memory.dmp

          Filesize

          1.5MB

        • memory/3468-16-0x0000000140000000-0x0000000140188000-memory.dmp

          Filesize

          1.5MB

        • memory/3468-13-0x0000000140000000-0x0000000140188000-memory.dmp

          Filesize

          1.5MB

        • memory/3468-35-0x0000000140000000-0x0000000140188000-memory.dmp

          Filesize

          1.5MB

        • memory/3468-37-0x0000000140000000-0x0000000140188000-memory.dmp

          Filesize

          1.5MB

        • memory/3468-41-0x0000000140000000-0x0000000140188000-memory.dmp

          Filesize

          1.5MB

        • memory/3468-46-0x0000000000760000-0x0000000000767000-memory.dmp

          Filesize

          28KB

        • memory/3468-45-0x0000000140000000-0x0000000140188000-memory.dmp

          Filesize

          1.5MB

        • memory/3468-44-0x0000000140000000-0x0000000140188000-memory.dmp

          Filesize

          1.5MB

        • memory/3468-43-0x0000000140000000-0x0000000140188000-memory.dmp

          Filesize

          1.5MB

        • memory/3468-42-0x0000000140000000-0x0000000140188000-memory.dmp

          Filesize

          1.5MB

        • memory/3468-40-0x0000000140000000-0x0000000140188000-memory.dmp

          Filesize

          1.5MB

        • memory/3468-39-0x0000000140000000-0x0000000140188000-memory.dmp

          Filesize

          1.5MB

        • memory/3468-38-0x0000000140000000-0x0000000140188000-memory.dmp

          Filesize

          1.5MB

        • memory/3468-36-0x0000000140000000-0x0000000140188000-memory.dmp

          Filesize

          1.5MB

        • memory/3468-53-0x0000000140000000-0x0000000140188000-memory.dmp

          Filesize

          1.5MB

        • memory/3468-33-0x0000000140000000-0x0000000140188000-memory.dmp

          Filesize

          1.5MB

        • memory/3468-63-0x0000000140000000-0x0000000140188000-memory.dmp

          Filesize

          1.5MB

        • memory/3468-34-0x0000000140000000-0x0000000140188000-memory.dmp

          Filesize

          1.5MB

        • memory/3468-5-0x00007FFA4F4AA000-0x00007FFA4F4AB000-memory.dmp

          Filesize

          4KB

        • memory/3468-4-0x0000000002620000-0x0000000002621000-memory.dmp

          Filesize

          4KB

        • memory/3468-30-0x0000000140000000-0x0000000140188000-memory.dmp

          Filesize

          1.5MB

        • memory/3468-9-0x0000000140000000-0x0000000140188000-memory.dmp

          Filesize

          1.5MB

        • memory/3468-29-0x0000000140000000-0x0000000140188000-memory.dmp

          Filesize

          1.5MB

        • memory/3468-28-0x0000000140000000-0x0000000140188000-memory.dmp

          Filesize

          1.5MB

        • memory/3468-25-0x0000000140000000-0x0000000140188000-memory.dmp

          Filesize

          1.5MB

        • memory/3468-26-0x0000000140000000-0x0000000140188000-memory.dmp

          Filesize

          1.5MB

        • memory/3468-22-0x0000000140000000-0x0000000140188000-memory.dmp

          Filesize

          1.5MB

        • memory/3468-23-0x0000000140000000-0x0000000140188000-memory.dmp

          Filesize

          1.5MB

        • memory/3468-20-0x0000000140000000-0x0000000140188000-memory.dmp

          Filesize

          1.5MB

        • memory/3468-19-0x0000000140000000-0x0000000140188000-memory.dmp

          Filesize

          1.5MB

        • memory/3468-15-0x0000000140000000-0x0000000140188000-memory.dmp

          Filesize

          1.5MB

        • memory/3468-14-0x0000000140000000-0x0000000140188000-memory.dmp

          Filesize

          1.5MB

        • memory/3468-7-0x0000000140000000-0x0000000140188000-memory.dmp

          Filesize

          1.5MB

        • memory/3468-12-0x0000000140000000-0x0000000140188000-memory.dmp

          Filesize

          1.5MB

        • memory/3468-11-0x0000000140000000-0x0000000140188000-memory.dmp

          Filesize

          1.5MB

        • memory/3468-65-0x0000000140000000-0x0000000140188000-memory.dmp

          Filesize

          1.5MB

        • memory/3468-10-0x0000000140000000-0x0000000140188000-memory.dmp

          Filesize

          1.5MB

        • memory/4460-75-0x000001DD8CFD0000-0x000001DD8CFD7000-memory.dmp

          Filesize

          28KB

        • memory/4460-80-0x0000000140000000-0x0000000140189000-memory.dmp

          Filesize

          1.5MB

        • memory/4460-74-0x0000000140000000-0x0000000140189000-memory.dmp

          Filesize

          1.5MB