Analysis

  • max time kernel
    148s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20231222-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    21-01-2024 16:15

General

  • Target

    6d744bbf016772634f87aa5fdf2fc9c5.dll

  • Size

    1.4MB

  • MD5

    6d744bbf016772634f87aa5fdf2fc9c5

  • SHA1

    e1b3f458533b0b13502b8fdf2d07d05eb228b467

  • SHA256

    d0c33dbcd2bc26465a2cdf232d5cfea8a77135f9572037c8a0fbe21ae5cd0c2c

  • SHA512

    a7f14f70607bc4b4169427c833c0bb6b7aac746c13f7b990314d01086d4a2d0df2b57b8826afd2812543032484f37b737d652449784a12e8e9852782d5419410

  • SSDEEP

    12288:mVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:7fP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a banking trojan that specializes in stealing online-banking credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex payload shellcode injected into the Explorer process.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\6d744bbf016772634f87aa5fdf2fc9c5.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2664
  • C:\Windows\system32\CustomShellHost.exe
    C:\Windows\system32\CustomShellHost.exe
    1⤵
    PID:2292
  • C:\Users\Admin\AppData\Local\P3idB\CustomShellHost.exe
    C:\Users\Admin\AppData\Local\P3idB\CustomShellHost.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:4036
  • C:\Windows\system32\SystemSettingsAdminFlows.exe
    C:\Windows\system32\SystemSettingsAdminFlows.exe
    1⤵
    PID:732
  • C:\Users\Admin\AppData\Local\8DdDb\mmc.exe
    C:\Users\Admin\AppData\Local\8DdDb\mmc.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:3028
  • C:\Windows\system32\mmc.exe
    C:\Windows\system32\mmc.exe
    1⤵
    PID:4916
  • C:\Users\Admin\AppData\Local\aN6s\SystemSettingsAdminFlows.exe
    C:\Users\Admin\AppData\Local\aN6s\SystemSettingsAdminFlows.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:1124
  • C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
    1⤵
    PID:2052
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k UnistackSvcGroup
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3536
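
The process list shows copies of three Windows binaries (CustomShellHost.exe, mmc.exe, SystemSettingsAdminFlows.exe) executed from randomly named directories under AppData\Local, each flagged "Executes dropped EXE" and "Loads dropped DLL", and the Downloads section lists a DLL carrying a System32 file name (WTSAPI32.dll, DUser.dll, DUI70.dll) in each of those directories. That layout is consistent with DLL search-order hijacking: an executable started from its own directory resolves an imported DLL there before System32, so the dropped DLL runs inside a trusted-looking host. The PowerShell below is an added hunting example, not part of the sandbox report or of the sample; it walks a profile for directories where a System32-named DLL sits beside a System32-named executable and reports the DLL's Authenticode status and whether either file is a byte-identical copy of the System32 original. The directory names in this report (P3idB, 8DdDb, aN6s) are assumed to be random per infection, so the script keys on the layout rather than on those names; which DLL each host executable actually imports is not stated in the report and is not needed here.

```powershell
# Added hunting example, not part of the sandbox report or the sample.
# Layout seen in the report: <profile>\AppData\Local\<random>\<System32 exe> beside a
# DLL whose name matches a System32 DLL (P3idB\CustomShellHost.exe + WTSAPI32.dll,
# 8DdDb\mmc.exe + DUser.dll, aN6s\SystemSettingsAdminFlows.exe + DUI70.dll).
# Requires PowerShell 5.0+ (Get-ChildItem -Depth). Read-only: nothing is executed.
param(
    [string[]]$Roots = @($env:LOCALAPPDATA, $env:APPDATA),
    [int]$MaxDepth = 4
)

$system32 = Join-Path $env:SystemRoot 'System32'

# Case-insensitive index: file name -> full path of the genuine System32 file.
$sysIndex = @{}
Get-ChildItem -LiteralPath $system32 -File -ErrorAction SilentlyContinue |
    ForEach-Object { $sysIndex[$_.Name.ToLowerInvariant()] = $_.FullName }

function Get-Sha256([string]$Path) {
    try { (Get-FileHash -LiteralPath $Path -Algorithm SHA256 -ErrorAction Stop).Hash.ToLowerInvariant() }
    catch { $null }
}

function Test-IsSystemCopy([System.IO.FileInfo]$File) {
    # True when the profile copy is byte-identical to the System32 original.
    $orig = $sysIndex[$File.Name.ToLowerInvariant()]
    if (-not $orig) { return $false }
    $a = Get-Sha256 $File.FullName
    $b = Get-Sha256 $orig
    return ($null -ne $a) -and ($a -eq $b)
}

$results = foreach ($root in $Roots) {
    if (-not $root -or -not (Test-Path -LiteralPath $root)) { continue }
    $dirs = @(Get-Item -LiteralPath $root) +
            @(Get-ChildItem -LiteralPath $root -Directory -Recurse -Depth $MaxDepth -ErrorAction SilentlyContinue)
    foreach ($dir in $dirs) {
        # DLLs that would shadow a System32 DLL for any executable started from this directory.
        $shadowDlls = @(Get-ChildItem -LiteralPath $dir.FullName -Filter *.dll -File -ErrorAction SilentlyContinue |
            Where-Object { $sysIndex.ContainsKey($_.Name.ToLowerInvariant()) })
        if ($shadowDlls.Count -eq 0) { continue }
        # Executables in the same directory that carry a System32 binary's name (the sideload host).
        $hostExes = @(Get-ChildItem -LiteralPath $dir.FullName -Filter *.exe -File -ErrorAction SilentlyContinue |
            Where-Object { $sysIndex.ContainsKey($_.Name.ToLowerInvariant()) })
        foreach ($dll in $shadowDlls) {
            $sig = Get-AuthenticodeSignature -FilePath $dll.FullName
            [pscustomobject]@{
                Directory           = $dir.FullName
                ShadowDll           = $dll.Name
                DllSizeKB           = [math]::Round($dll.Length / 1KB)
                DllIsSystemCopy     = Test-IsSystemCopy $dll
                DllSignature        = $sig.Status        # Valid / NotSigned / HashMismatch / ...
                DllSigner           = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                HostExes            = ($hostExes | ForEach-Object Name) -join ';'
                # Host copies that are pristine Windows binaries: the strongest sideload signal.
                HostExeIsSystemCopy = (@($hostExes | Where-Object { Test-IsSystemCopy $_ }) | ForEach-Object Name) -join ';'
            }
        }
    }
}

# An unsigned or non-Microsoft shadow DLL beside a pristine copy of a Windows executable is the
# pattern from this report. An orphan shadow DLL with no host beside it (the report also lists
# Roaming\Microsoft\AddIns\7FNr\WTSAPI32.dll on its own) still appears, with an empty HostExes column.
$results | Sort-Object DllSignature, Directory | Format-Table -AutoSize
```

Run it in the context of the user whose profile is being examined, or pass the profile's AppData paths via -Roots when triaging from another account. A row with DllSignature NotSigned, DllIsSystemCopy False and HostExeIsSystemCopy naming the executable is the case to escalate; a row where the DLL is itself a System32 copy is usually an application that ships a private copy of a Windows DLL and can be deprioritised.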

Network

MITRE ATT&CK Enterprise v15

Downloads

          • C:\Users\Admin\AppData\Local\8DdDb\DUser.dll

            Filesize

            323KB

            MD5

            66d8bc9a5115e649edd1255682546285

            SHA1

            6cc32f03971c35b761c1beb37582f83641aa2bba

            SHA256

            140366a66d6fd7a27b79d1535c6c9fb45bb0d79942f99c4eac15ef29638ceb39

            SHA512

            a242b45946378bae379f78b71a36a5abd2e85d7ebc7f7044e0868898582dd402ce51bdca6bab2dcece934200309151a110641df31b90ba8ef759347d63e60725

          • C:\Users\Admin\AppData\Local\8DdDb\DUser.dll

            Filesize

            1KB

            MD5

            a87d1d6dfe2c58a21e385a08c93f59ab

            SHA1

            f99c29d76d72df4905ad6f0aec8d7a156db679a9

            SHA256

            f18b073b85e18b852c9f9309e26e0ab1ec819cf5c44e6f88ebfac4847f35ec4d

            SHA512

            3e0ae91de351014195f523fa9bd1d8e4b5eb9ef69cd79546f6aa01375545207344710086044baf11fd36112afd8d615c8a211b3bdacc6e89c8063d0fcf59c70d

          • C:\Users\Admin\AppData\Local\8DdDb\mmc.exe

            Filesize

            279KB

            MD5

            3e3a22ceb99c26c4c69fa685002510e3

            SHA1

            d130ba8fdc12dd888a7ac4552e5b77f7240e476a

            SHA256

            8547aff38416da1be2359bc2bb7c49df90e070821748215334f750b985b0f3db

            SHA512

            df1cc8ca9ed2e930f33859ca4e4099cc93233cb0d33b2160c0294ed618fb2aed6eadfc6727103719beb71c09b24996546d758b36bc953acc18d3c499ff5c1e6b

          • C:\Users\Admin\AppData\Local\8DdDb\mmc.exe

            Filesize

            235KB

            MD5

            87fe2610a68552750f9046712660d8b7

            SHA1

            e807cbd8f418a9d1f3ff5ed732892a6831ff0a7d

            SHA256

            f439441b81a728d6b23ecd1322a4299a81a1c08cc8c95063bf56c8840eb894c7

            SHA512

            2f87552cccd34b0eb84e450b61d619ba63c55dd1c9440d7c5ade0ee7efabc5e79a3ce50bd4e39e00f8e322cbfa6cc486a5099916e4f9a3fca7a55ccd4eb79d4a

          • C:\Users\Admin\AppData\Local\P3idB\CustomShellHost.exe

            Filesize

            141KB

            MD5

            4f823b02373183704aafba71fd7f2f8b

            SHA1

            061232659e8367069deb4dd9659117a542bf8659

            SHA256

            bb8ba795b4afefd5398c06c75de12756fb439bfe30ab71ea9adadd46a4519d57

            SHA512

            1eae94e6cc8fe8462ee5feb6af791446cd37aafb9ecdcaefdc863e624bdf53be7c2c68ba0472942cd184daa4f1f7b6ad7def74b8fe2613a14c72d9edb3b0f06b

          • C:\Users\Admin\AppData\Local\P3idB\CustomShellHost.exe

            Filesize

            92KB

            MD5

            fc6f6f006f0baf6dee8ab1d07695684b

            SHA1

            7d079fc485b394f12ae8a12e1975e1c50e00eb3d

            SHA256

            5c7bfba9ab039bff5da77c99df2e9c3e6a8841eb5d18c09656bd786a64fea66b

            SHA512

            3c53c5742bfe1348d7d7fae2b339fbc8f1fe485430cb5f9979bcc19edd590ed7232c0d4ebc3f121918984249552ffe5016a43c877eead7eb885dbfee7c29dc19

          • C:\Users\Admin\AppData\Local\P3idB\WTSAPI32.dll

            Filesize

            122KB

            MD5

            1d4a429d23a09561e355dfd4fcba6f95

            SHA1

            95aae76d594c648aa3294c6076d39511831aa8ce

            SHA256

            af71a4ed80432703f2c242c95b846863c2673013fb4dd4dc206e0480bc5b6d5c

            SHA512

            bbe1e326613560cb86eecc9440547872b2b246428a01c796be63e69e55bc1c109f1801ea94a0393181a364a9ce3a69e2d618378bd56f45407a12d1f7b20ee5ac

          • C:\Users\Admin\AppData\Local\P3idB\WTSAPI32.dll

            Filesize

            154KB

            MD5

            01e94816a651a7fade4cc4d6bad61e9c

            SHA1

            18daee1c251f6475a63a62b31083b912fe12503c

            SHA256

            b87646b99ca3441265ffdedb70cfcd40a7683fe2dd08a675585b1bebef0a26db

            SHA512

            b6267b13fc054444b31ffefb432ed0e369fb14110970c8342029cde0aaaa3e53891632b4a24a2b274244bfdac8f0233f5df901d6cfced753bcdc9f361c2d8827

          • C:\Users\Admin\AppData\Local\aN6s\DUI70.dll

            Filesize

            170KB

            MD5

            e145906ef931cec3d9dee3dab719a424

            SHA1

            3fc735c0d0a0dcf6799e71b0746df2f9ae99219a

            SHA256

            0d42385abf0891086720003cf511e96682f1b8f37a8707b3b1fdb51f4f396113

            SHA512

            1ca08daa1e71c18c4da5463c04bc1a93f5e662d9699f255a5c2b3f2fce93a7e0703d45e7a419ce87638a98213af699bb05c1af9e1ef7c9b0a3ba7e5aa05a2550

          • C:\Users\Admin\AppData\Local\aN6s\DUI70.dll

            Filesize

            124KB

            MD5

            5c633b86bf6bd0bea888d2c23656728b

            SHA1

            0271bce2016448adaf53e7c08844674918f2108a

            SHA256

            e1d9928f9586a92216909b2bc70308730d00783bb4891d986aa9947cad3bac92

            SHA512

            5334fc109c35379f1ed79b818fb0ff2f0d53031e3e079ba42c31fb5cd502f4963fcad6af929d1d7261bf97a75ee5a87d8d228d713bcd1093c2d2f7dc2a556481

          • C:\Users\Admin\AppData\Local\aN6s\SystemSettingsAdminFlows.exe

            Filesize

            133KB

            MD5

            8a7cbf4160d0c27242d1688324926255

            SHA1

            fbfb7c54131d58d0e03cbbc91753e0a5f7b2d9c3

            SHA256

            8dcf399ecdd5a47fc36004fa20547b3f5e6c8be6172e932c1e9bf30755cbbea6

            SHA512

            e58687e917f98c07f1bfca55ccecb516c1a61547958e66f36f8f33fd0e82d7237d99da208cd4742662b183b75890d2ff85060dfcb0edc3cd2085a36d6fbe0c7a

          • C:\Users\Admin\AppData\Local\aN6s\SystemSettingsAdminFlows.exe

            Filesize

            100KB

            MD5

            f776d493cf1209729850adaab83970a0

            SHA1

            beb5f0d58447c5d579d751a212a6d52b6ef3f9ec

            SHA256

            7f121b1315bee099ea92093fb3403b5bf6171970e0ee2760beb40eda78eeae53

            SHA512

            9b76fdebc9b7b7f1af0b263daf73d4e81e2387a865e21aef3cb12c0728d9836bb3b9cbd3a6f837cdf2f526c6579017bed8e536645f05183cdef7e8a69ef92e17

          • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Wdush.lnk

            Filesize

            1KB

            MD5

            8f5c75ecdc71ee2dde698a5bf4bd3be5

            SHA1

            80f320f8a24a1b4a81424d4c68cb58c2c489998c

            SHA256

            d9ccb600a92ae4ca0c2277dcc01e6f5312d48dd16235c7f232ce829f8bbc6df7

            SHA512

            04e7fcac25be3f954a521dde6da931be9fc62bf1ef89190a4759e2733b49922adba406279bf02550fa3e44981b31ef6a62d9831215ae33c73b948c6031095f12

          • C:\Users\Admin\AppData\Roaming\Microsoft\AddIns\7FNr\WTSAPI32.dll

            Filesize

            1.4MB

            MD5

            74d4e14b1e1ed6486b8e2db9f13ba2e4

            SHA1

            4f24278e6f378f29858468ff870d53c51e4baefe

            SHA256

            3cda882d10fd0d4201412339f09a2069b4bf11ed9b4fd9ae7820a4208d10160c

            SHA512

            4f16b33a5ab4cedff64e51554d1622077a031c59cc4c65f54533b4f279f177b1823351432bd943dacfd7df06958d2fe23ee445e219754124d3decf304648dbb3

          • C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\YJeW3hlPGTz\DUser.dll

            Filesize

            1.4MB

            MD5

            d0391dc12fdef7ccc1f2e18d246c4320

            SHA1

            47c13787044c5bdb1f36f69a9f9eecca8a70430c

            SHA256

            bf8f16a4884ba0fb4898a7bb6602aca615148e58df207a3030f014eed4bb2387

            SHA512

            cb254a4561fd1bfe2024458ca91fa23b9405e5529120a43d1f61a5c18694f840aa8047cef127ea3bc394a88049f320263593212a54e12488c4ec8f687cc5cd40

          • C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\YJeW3hlPGTz\mmc.exe

            Filesize

            133KB

            MD5

            4f934448978b57ead4c1490821d19a88

            SHA1

            0a7a426897d0d33893ca201de045174cc51da636

            SHA256

            c60004f0b6a6f046d6a5526d65ab74dd90d6eff96caf691f394d9984941b5253

            SHA512

            73ad605305a7a9e99e6ccd0bd5f2b41c5c83bc342b7948ecc875e8e5db5c31cd400449de6e720dfbc7c14ee9675c50ac8c37b8cf6e888913e506bb4c2c652192

          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\pCYK9kIMWpy\DUI70.dll

            Filesize

            308KB

            MD5

            16adbdebeba837320007478e082c2565

            SHA1

            244ea71b4c11f982e4d1f0744355cd8217451e89

            SHA256

            8f3d913afd92151d511b1285168db26c98751a140b38c7d8b3d9161145be11f1

            SHA512

            f4a140fd8f33dae3f6903dc2d2a30dac2ca47e15169d6f53afbe791c339a6c6e78040a3946c552e09423d659d68d452bb2b1645773f869684424193c658c19c5

          • memory/1124-80-0x0000028C48990000-0x0000028C48997000-memory.dmp

            Filesize

            28KB

          • memory/1124-85-0x0000000140000000-0x00000001401AE000-memory.dmp

            Filesize

            1.7MB

          • memory/1124-79-0x0000000140000000-0x00000001401AE000-memory.dmp

            Filesize

            1.7MB

          • memory/2664-0-0x00000182509E0000-0x00000182509E7000-memory.dmp

            Filesize

            28KB

          • memory/2664-7-0x0000000140000000-0x0000000140168000-memory.dmp

            Filesize

            1.4MB

          • memory/2664-1-0x0000000140000000-0x0000000140168000-memory.dmp

            Filesize

            1.4MB

          • memory/3028-100-0x00000000032F0000-0x00000000032F7000-memory.dmp

            Filesize

            28KB

          • memory/3028-101-0x0000000140000000-0x000000014016A000-memory.dmp

            Filesize

            1.4MB

          • memory/3028-97-0x0000000140000000-0x000000014016A000-memory.dmp

            Filesize

            1.4MB

          • memory/3512-18-0x0000000140000000-0x0000000140168000-memory.dmp

            Filesize

            1.4MB

          • memory/3512-27-0x0000000140000000-0x0000000140168000-memory.dmp

            Filesize

            1.4MB

          • memory/3512-33-0x0000000140000000-0x0000000140168000-memory.dmp

            Filesize

            1.4MB

          • memory/3512-34-0x0000000002B50000-0x0000000002B57000-memory.dmp

            Filesize

            28KB

          • memory/3512-30-0x0000000140000000-0x0000000140168000-memory.dmp

            Filesize

            1.4MB

          • memory/3512-41-0x0000000140000000-0x0000000140168000-memory.dmp

            Filesize

            1.4MB

          • memory/3512-42-0x00007FFFFD200000-0x00007FFFFD210000-memory.dmp

            Filesize

            64KB

          • memory/3512-29-0x0000000140000000-0x0000000140168000-memory.dmp

            Filesize

            1.4MB

          • memory/3512-53-0x0000000140000000-0x0000000140168000-memory.dmp

            Filesize

            1.4MB

          • memory/3512-51-0x0000000140000000-0x0000000140168000-memory.dmp

            Filesize

            1.4MB

          • memory/3512-32-0x0000000140000000-0x0000000140168000-memory.dmp

            Filesize

            1.4MB

          • memory/3512-6-0x0000000140000000-0x0000000140168000-memory.dmp

            Filesize

            1.4MB

          • memory/3512-8-0x0000000140000000-0x0000000140168000-memory.dmp

            Filesize

            1.4MB

          • memory/3512-20-0x0000000140000000-0x0000000140168000-memory.dmp

            Filesize

            1.4MB

          • memory/3512-10-0x0000000140000000-0x0000000140168000-memory.dmp

            Filesize

            1.4MB

          • memory/3512-21-0x0000000140000000-0x0000000140168000-memory.dmp

            Filesize

            1.4MB

          • memory/3512-22-0x0000000140000000-0x0000000140168000-memory.dmp

            Filesize

            1.4MB

          • memory/3512-24-0x0000000140000000-0x0000000140168000-memory.dmp

            Filesize

            1.4MB

          • memory/3512-25-0x0000000140000000-0x0000000140168000-memory.dmp

            Filesize

            1.4MB

          • memory/3512-31-0x0000000140000000-0x0000000140168000-memory.dmp

            Filesize

            1.4MB

          • memory/3512-28-0x0000000140000000-0x0000000140168000-memory.dmp

            Filesize

            1.4MB

          • memory/3512-26-0x0000000140000000-0x0000000140168000-memory.dmp

            Filesize

            1.4MB

          • memory/3512-23-0x0000000140000000-0x0000000140168000-memory.dmp

            Filesize

            1.4MB

          • memory/3512-19-0x0000000140000000-0x0000000140168000-memory.dmp

            Filesize

            1.4MB

          • memory/3512-15-0x0000000140000000-0x0000000140168000-memory.dmp

            Filesize

            1.4MB

          • memory/3512-17-0x0000000140000000-0x0000000140168000-memory.dmp

            Filesize

            1.4MB

          • memory/3512-14-0x0000000140000000-0x0000000140168000-memory.dmp

            Filesize

            1.4MB

          • memory/3512-16-0x0000000140000000-0x0000000140168000-memory.dmp

            Filesize

            1.4MB

          • memory/3512-13-0x0000000140000000-0x0000000140168000-memory.dmp

            Filesize

            1.4MB

          • memory/3512-4-0x0000000003390000-0x0000000003391000-memory.dmp

            Filesize

            4KB

          • memory/3512-9-0x00007FFFFBC9A000-0x00007FFFFBC9B000-memory.dmp

            Filesize

            4KB

          • memory/3512-12-0x0000000140000000-0x0000000140168000-memory.dmp

            Filesize

            1.4MB

          • memory/3512-11-0x0000000140000000-0x0000000140168000-memory.dmp

            Filesize

            1.4MB

          • memory/3536-211-0x00000261DAB90000-0x00000261DABA0000-memory.dmp

            Filesize

            64KB

          • memory/4036-62-0x000001CDA6FF0000-0x000001CDA6FF7000-memory.dmp

            Filesize

            28KB

          • memory/4036-68-0x0000000140000000-0x0000000140169000-memory.dmp

            Filesize

            1.4MB

          • memory/4036-63-0x0000000140000000-0x0000000140169000-memory.dmp

            Filesize

            1.4MB
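
Two persistence artefacts appear in this report: the "Adds Run key to start application" signature and the Startup-folder shortcut C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Wdush.lnk in the Downloads list. A Startup .lnk is processed by Explorer at logon, so what matters for triage is the target and arguments it resolves to, not the 1KB shortcut itself. The PowerShell below is an added triage example, not part of the sandbox report or of the sample; it resolves every .lnk in the per-user and all-users Startup folders through the WScript.Shell COM object, lists HKCU/HKLM Run and RunOnce values, and flags entries that point into a user profile's AppData tree, which is where this sample wrote its executable copies. The report does not show the Run value's name or the .lnk target, so the script assumes nothing about them; the AppData heuristic is the author's addition.

```powershell
# Added triage example, not part of the sandbox report or the sample.
# Enumerates the two persistence locations the report flags: Startup-folder .lnk files
# (the report lists ...\Startup\Wdush.lnk) and Run/RunOnce registry values.
# Read-only: .lnk files are parsed through the shell COM object, never launched.

$shell = New-Object -ComObject WScript.Shell

$startupDirs = @(
    [Environment]::GetFolderPath('Startup')         # this user's Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
)
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Test-PointsIntoProfile([string]$Text) {
    # Heuristic (assumption, not from the report): the sample wrote its copies under
    # <user>\AppData\..., while legitimate autostarts of Windows binaries live under
    # %SystemRoot%. Target and arguments are checked together so a
    # "rundll32.exe C:\Users\x\AppData\...\payload.dll,#1" command is caught as well.
    if (-not $Text) { return $false }
    $expanded = [Environment]::ExpandEnvironmentVariables($Text)
    return $expanded -match '(?i)[a-z]:\\users\\[^\\]+\\appdata\\'
}

function Get-ExeFromCommandLine([string]$Command) {
    # First token of a Run value: a quoted path, or everything up to the first space.
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($Command -match '^\s*(\S+)')     { return $Matches[1] }
    return $null
}

function Get-SignatureStatus([string]$Path) {
    if ($Path) {
        $p = [Environment]::ExpandEnvironmentVariables($Path)
        if (Test-Path -LiteralPath $p -PathType Leaf) { return (Get-AuthenticodeSignature -FilePath $p).Status }
    }
    return 'TargetMissing'
}

$findings = @()

foreach ($dir in $startupDirs) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    foreach ($lnk in Get-ChildItem -LiteralPath $dir -Filter *.lnk -File) {
        $sc = $shell.CreateShortcut($lnk.FullName)    # parses the existing .lnk; does not create or run it
        $findings += [pscustomobject]@{
            Source    = $lnk.FullName
            Target    = $sc.TargetPath
            Arguments = $sc.Arguments
            InProfile = Test-PointsIntoProfile ($sc.TargetPath + ' ' + $sc.Arguments)
            Signature = Get-SignatureStatus $sc.TargetPath
        }
    }
}

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $values = Get-ItemProperty -Path $key
    # Get-ItemProperty adds PSPath/PSChildName/... bookkeeping members; skip those.
    foreach ($name in ($values.PSObject.Properties.Name | Where-Object { $_ -notmatch '^PS' })) {
        $cmd = [string]$values.$name
        $exe = Get-ExeFromCommandLine $cmd
        $findings += [pscustomobject]@{
            Source    = "$key\$name"
            Target    = $exe
            Arguments = $cmd
            InProfile = Test-PointsIntoProfile $cmd
            Signature = Get-SignatureStatus $exe
        }
    }
}

# Entries pointing into AppData, or whose target is unsigned or missing, sort to the top.
$findings | Sort-Object @{Expression = 'InProfile'; Descending = $true}, Signature | Format-Table -AutoSize
```

HKLM values and the all-users Startup folder are readable without elevation, but resolving a .lnk whose target sits in another user's profile needs that profile to be readable. A Startup shortcut whose target is a copy of a Windows executable under AppData, combined with a sideload DLL in the same directory as in the Processes section, is the full persistence chain this report documents; the .lnk and the Run value should be collected before the dropped directories are removed, since the shortcut records the directory name chosen on this host.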