Analysis

  • max time kernel
    150s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22-01-2024 05:38

General

  • Target

    6edcb3e9a95b87f3dd31d12871219ad1.dll

  • Size

    1.4MB

  • MD5

    6edcb3e9a95b87f3dd31d12871219ad1

  • SHA1

    0f9808dbdb07056ce6154ff9ec192a829382527e

  • SHA256

    fcec9ee59606ca5763dd3f779b2fb2e60ec8a2382cf095b0b00634a4c5ff6bee

  • SHA512

    eae92f278b0b7d945a43c8eed204f8bc86e62713fc1700b6f04962361d1c76400b43e955ec168f20aeb4895984e9789654ad7c4cdc4b40bc741f623e617aa802

  • SSDEEP

    12288:jVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:yfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Malware Config

Signatures

  • Dridex

    Dridex (known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\6edcb3e9a95b87f3dd31d12871219ad1.dll
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:1248
  • C:\Windows\system32\MDMAppInstaller.exe
    C:\Windows\system32\MDMAppInstaller.exe
    1⤵
      PID:4800
    • C:\Users\Admin\AppData\Local\SgnCfEIg\MDMAppInstaller.exe
      C:\Users\Admin\AppData\Local\SgnCfEIg\MDMAppInstaller.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:4676
    • C:\Windows\system32\SndVol.exe
      C:\Windows\system32\SndVol.exe
      1⤵
        PID:400
      • C:\Users\Admin\AppData\Local\KamUETej\SndVol.exe
        C:\Users\Admin\AppData\Local\KamUETej\SndVol.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2064
      • C:\Windows\system32\SystemPropertiesAdvanced.exe
        C:\Windows\system32\SystemPropertiesAdvanced.exe
        1⤵
          PID:3616
        • C:\Users\Admin\AppData\Local\5TsC3\SystemPropertiesAdvanced.exe
          C:\Users\Admin\AppData\Local\5TsC3\SystemPropertiesAdvanced.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:3200

Network

MITRE ATT&CK Enterprise v15

Downloads

        • C:\Users\Admin\AppData\Local\5TsC3\SYSDM.CPL

          Filesize

          1.4MB

          MD5

          1711c3466ef66b7807cbcdb475de4ae5

          SHA1

          49ef7be73198a3d7bd2d0f4c1377dde94f24af28

          SHA256

          4f5d8f6b202ad81721a8f868db46a594c7d7933b2c67fdf7e3ac51a784e88f1b

          SHA512

          46263a26a5dd9288868a29128e29099796b051cbe83e5ffba775bbc176bd897f7c83750ea87e1c5a6a25381dcee00d1374f0430f5aa263dfc3dde9ce2c38f6c5

        • C:\Users\Admin\AppData\Local\5TsC3\SystemPropertiesAdvanced.exe

          MD5

          d41d8cd98f00b204e9800998ecf8427e

          SHA1

          da39a3ee5e6b4b0d3255bfef95601890afd80709

          SHA256

          e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

          SHA512

          cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

        • C:\Users\Admin\AppData\Local\5TsC3\SystemPropertiesAdvanced.exe

          Filesize

          82KB

          MD5

          fa040b18d2d2061ab38cf4e52e753854

          SHA1

          b1b37124e9afd6c860189ce4d49cebbb2e4c57bc

          SHA256

          c61fa0f8c5d8d61110adbcceaa453a6c1d31255b3244dc7e3b605a4a931c245c

          SHA512

          511f5981bd2c446f1f3039f6674f972651512305630bd688b1ef159af36a23cb836b43d7010b132a86b5f4d6c46206057abd31600f1e7dc930cb32ed962298a4

        • C:\Users\Admin\AppData\Local\KamUETej\SndVol.exe

          Filesize

          269KB

          MD5

          c5d939ac3f9d885c8355884199e36433

          SHA1

          b8f277549c23953e8683746e225e7af1c193ad70

          SHA256

          68b6ced01f5dfc2bc9556b005f4fff235a3d02449ad9f9e4de627c0e1424d605

          SHA512

          8488e7928e53085c00df096af2315490cd4b22ce2ce196b157dc0fbb820c5399a9dbd5dead40b24b99a4a32b6de66b4edc28339d7bacd9c1e7d5936604d1a4f0

        • C:\Users\Admin\AppData\Local\KamUETej\dwmapi.dll

          Filesize

          1.4MB

          MD5

          fce50cd6005d45803b4248f34e1d5ea3

          SHA1

          52b0b323d2c8b925dc166468e62149ea1a347ee0

          SHA256

          90f6973bb526879942b1fcb1aa26edd9f733e9a78ace866886bad6a8e5ab319b

          SHA512

          3c8420751e9d57639f91d96feb652167990ff0c0f61dd6ddde4c7e74a3dd67341740cae70fb7b72f2fa10a123d1f57e40abad0e448c8294b0b944d7d2ae8e503

        • C:\Users\Admin\AppData\Local\SgnCfEIg\MDMAppInstaller.exe

          Filesize

          151KB

          MD5

          30e978cc6830b04f1e7ed285cccaa746

          SHA1

          e915147c17e113c676c635e2102bbff90fb7aa52

          SHA256

          dc821931f63117962e2266acd3266e86bf8116d4a14b3adbebfade1d40b84766

          SHA512

          331923fa479f71c4c80b0e86ea238628666f95b6cf61cf4d741ae4a27ea2b8c636864dfac543d14599b4873f3b2ab397d07c4e4c17aca3f3b4e5871e24e50214

        • C:\Users\Admin\AppData\Local\SgnCfEIg\WTSAPI32.dll

          Filesize

          1.4MB

          MD5

          a97d39df8ff8322318214005dc458fc0

          SHA1

          bcff69ced685479fc2efb6716453c88fd17456a5

          SHA256

          4aabb487058eb9ed69b4371fe9dad0aa002ef1e16b529b965f9068550eff70a8

          SHA512

          12b2d88cc44a317715a0743d6dc1f54736e4dc24121d719877365552cb8b4520bda3e198460dbd2a0bbf7fd6e49d58aa76cd8a5ba6b2b6932121331276867422

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Btpzaqnqvnv.lnk

          Filesize

          1KB

          MD5

          03cedeaf4a2f8e931de5bad67087852d

          SHA1

          26f1c7eb1f3fe50caba78bb6b8351b57d64cc4bb

          SHA256

          24c2e13b77aeeffb39c598ad0321e4d1267c73d792114a61a5a509927636e479

          SHA512

          9649b5f9ac0f56b8be3502388c487058b3e19b45814ca8c7c69ef9bb3efca2b1c99494e6a362fc3f0c71e4ccd9d9dc89d7986dbdc0d1ae4045dcd8c6b90f90dd

        • memory/1248-0-0x0000000140000000-0x0000000140162000-memory.dmp

          Filesize

          1.4MB

        • memory/1248-3-0x0000000000950000-0x0000000000957000-memory.dmp

          Filesize

          28KB

        • memory/1248-8-0x0000000140000000-0x0000000140162000-memory.dmp

          Filesize

          1.4MB

        • memory/1248-1-0x0000000140000000-0x0000000140162000-memory.dmp

          Filesize

          1.4MB

        • memory/2064-81-0x00000227ADFE0000-0x00000227ADFE7000-memory.dmp

          Filesize

          28KB

        • memory/2064-86-0x0000000140000000-0x0000000140163000-memory.dmp

          Filesize

          1.4MB

        • memory/3200-104-0x0000000140000000-0x0000000140163000-memory.dmp

          Filesize

          1.4MB

        • memory/3200-97-0x0000000140000000-0x0000000140163000-memory.dmp

          Filesize

          1.4MB

        • memory/3200-99-0x000001B6A1FA0000-0x000001B6A1FA7000-memory.dmp

          Filesize

          28KB

        • memory/3520-27-0x0000000140000000-0x0000000140162000-memory.dmp

          Filesize

          1.4MB

        • memory/3520-19-0x0000000140000000-0x0000000140162000-memory.dmp

          Filesize

          1.4MB

        • memory/3520-23-0x0000000140000000-0x0000000140162000-memory.dmp

          Filesize

          1.4MB

        • memory/3520-21-0x0000000140000000-0x0000000140162000-memory.dmp

          Filesize

          1.4MB

        • memory/3520-24-0x0000000140000000-0x0000000140162000-memory.dmp

          Filesize

          1.4MB

        • memory/3520-25-0x0000000140000000-0x0000000140162000-memory.dmp

          Filesize

          1.4MB

        • memory/3520-26-0x0000000140000000-0x0000000140162000-memory.dmp

          Filesize

          1.4MB

        • memory/3520-20-0x0000000140000000-0x0000000140162000-memory.dmp

          Filesize

          1.4MB

        • memory/3520-28-0x0000000140000000-0x0000000140162000-memory.dmp

          Filesize

          1.4MB

        • memory/3520-30-0x0000000002E10000-0x0000000002E17000-memory.dmp

          Filesize

          28KB

        • memory/3520-29-0x0000000140000000-0x0000000140162000-memory.dmp

          Filesize

          1.4MB

        • memory/3520-37-0x0000000140000000-0x0000000140162000-memory.dmp

          Filesize

          1.4MB

        • memory/3520-38-0x00007FFE789A0000-0x00007FFE789B0000-memory.dmp

          Filesize

          64KB

        • memory/3520-47-0x0000000140000000-0x0000000140162000-memory.dmp

          Filesize

          1.4MB

        • memory/3520-49-0x0000000140000000-0x0000000140162000-memory.dmp

          Filesize

          1.4MB

        • memory/3520-22-0x0000000140000000-0x0000000140162000-memory.dmp

          Filesize

          1.4MB

        • memory/3520-18-0x0000000140000000-0x0000000140162000-memory.dmp

          Filesize

          1.4MB

        • memory/3520-5-0x0000000003770000-0x0000000003771000-memory.dmp

          Filesize

          4KB

        • memory/3520-7-0x0000000140000000-0x0000000140162000-memory.dmp

          Filesize

          1.4MB

        • memory/3520-10-0x00007FFE77E5A000-0x00007FFE77E5B000-memory.dmp

          Filesize

          4KB

        • memory/3520-11-0x0000000140000000-0x0000000140162000-memory.dmp

          Filesize

          1.4MB

        • memory/3520-9-0x0000000140000000-0x0000000140162000-memory.dmp

          Filesize

          1.4MB

        • memory/3520-17-0x0000000140000000-0x0000000140162000-memory.dmp

          Filesize

          1.4MB

        • memory/3520-16-0x0000000140000000-0x0000000140162000-memory.dmp

          Filesize

          1.4MB

        • memory/3520-15-0x0000000140000000-0x0000000140162000-memory.dmp

          Filesize

          1.4MB

        • memory/3520-14-0x0000000140000000-0x0000000140162000-memory.dmp

          Filesize

          1.4MB

        • memory/3520-13-0x0000000140000000-0x0000000140162000-memory.dmp

          Filesize

          1.4MB

        • memory/3520-12-0x0000000140000000-0x0000000140162000-memory.dmp

          Filesize

          1.4MB

        • memory/4676-67-0x0000000140000000-0x0000000140163000-memory.dmp

          Filesize

          1.4MB

        • memory/4676-60-0x0000025B0E500000-0x0000025B0E507000-memory.dmp

          Filesize

          28KB

        • memory/4676-58-0x0000000140000000-0x0000000140163000-memory.dmp

          Filesize

          1.4MB

        • memory/4676-59-0x0000000140000000-0x0000000140163000-memory.dmp

          Filesize

          1.4MB