Analysis

  • max time kernel
    149s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20231215-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    22-01-2024 10:55

General

  • Target

    6f7d97ba73906e0867f0f46d5c537049.dll

  • Size

    1.5MB

  • MD5

    6f7d97ba73906e0867f0f46d5c537049

  • SHA1

    4760cd9fbb77d0a05a0f5a86a70ea98057e3bce3

  • SHA256

    9abc5f5cc3312da7b9eb0e44a7a2306afd47d84c49b9cb86ed120cadfc05c824

  • SHA512

    631240994428b1f4ce8ab54362384c7460ae14f97063c2320c33a3110f3daa7d4c6fee969bded9fead352bdd47c52c4a139877c8b52e5f4cf21915cfe61dd634

  • SSDEEP

    12288:0VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:xfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing banking credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex payload shellcode injected into the Explorer process.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\6f7d97ba73906e0867f0f46d5c537049.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:212
  • C:\Windows\system32\FXSCOVER.exe
    C:\Windows\system32\FXSCOVER.exe
    1⤵
      PID:1048
    • C:\Windows\system32\isoburn.exe
      C:\Windows\system32\isoburn.exe
      1⤵
        PID:3692
      • C:\Users\Admin\AppData\Local\GgmHemHr\isoburn.exe
        C:\Users\Admin\AppData\Local\GgmHemHr\isoburn.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:788
      • C:\Users\Admin\AppData\Local\WzoIOwa\SystemPropertiesComputerName.exe
        C:\Users\Admin\AppData\Local\WzoIOwa\SystemPropertiesComputerName.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:4632
      • C:\Windows\system32\SystemPropertiesComputerName.exe
        C:\Windows\system32\SystemPropertiesComputerName.exe
        1⤵
          PID:2444
        • C:\Users\Admin\AppData\Local\63ZE8qx\FXSCOVER.exe
          C:\Users\Admin\AppData\Local\63ZE8qx\FXSCOVER.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2400
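The process tree and the Downloads section together show the technique behind the "Executes dropped EXE" / "Loads dropped DLL" signatures: three genuine Windows binaries (isoburn.exe, FXSCOVER.exe, SystemPropertiesComputerName.exe) are copied into randomly named directories under AppData\Local, and a module each of them imports (UxTheme.dll, MFC42u.dll, SYSDM.CPL) is dropped beside the copy so the loader resolves the attacker's module from the application directory before System32; a .lnk in the Startup folder gives the copy a run-at-logon trigger. The script below is an added example, not part of the sandbox report or of its signature set: it derives the "real Windows binary" baseline from the records themselves and flags the relocated binaries, the companion modules, the extra staged copies of those modules, and the Startup shortcut. SYSTEM_DIRS, MODULE_EXTS, the rule names and the Finding type are this example's own assumptions; the process and file records are transcribed from the report above.

```python
"""Flag the DLL side-loading and Startup-folder persistence pattern from
sandbox-style process and dropped-file records. Added example; the detection
rules and names here are assumptions, not part of the report."""
from __future__ import annotations

import ntpath
from collections import Counter
from dataclasses import dataclass

# Where Windows' own binaries legitimately execute from (assumption for this example).
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Extensions the loader maps into a process as a module and can therefore side-load.
MODULE_EXTS = {".dll", ".cpl", ".ocx"}


@dataclass(frozen=True, order=True)
class Finding:
    rule: str
    pid: int    # 0 when the finding concerns a dropped file rather than a process
    path: str


def _dir_and_name(path: str) -> tuple[str, str]:
    """Lower-cased (directory, filename) using Windows path rules on any host OS."""
    directory, name = ntpath.split(ntpath.normpath(path))
    return directory.lower(), name.lower()


def analyze(processes, dropped_files) -> list[Finding]:
    """processes: iterable of (pid, image_path); dropped_files: iterable of written paths."""
    findings: set[Finding] = set()

    # Baseline from the records themselves: a filename seen running out of a system
    # directory is a genuine Windows binary, so no external allow-list is needed.
    system_names = set()
    for _, image in processes:
        directory, name = _dir_and_name(image)
        if directory in SYSTEM_DIRS:
            system_names.add(name)

    # Rule 1: the same binary name executing from outside the system directories.
    relocated_dirs = set()
    for pid, image in processes:
        directory, name = _dir_and_name(image)
        if name in system_names and directory not in SYSTEM_DIRS:
            findings.add(Finding("system_binary_relocated", pid, image))
            relocated_dirs.add(directory)

    # Rule 2: a loadable module dropped into the directory of a relocated binary.
    sideload_names = set()
    for path in dropped_files:
        directory, name = _dir_and_name(path)
        if directory in relocated_dirs and ntpath.splitext(name)[1] in MODULE_EXTS:
            findings.add(Finding("sideload_module_beside_binary", 0, path))
            sideload_names.add(name)

    # Rule 3: further copies of those module names staged elsewhere in the profile.
    for path in dropped_files:
        directory, name = _dir_and_name(path)
        if name in sideload_names and directory not in (relocated_dirs | SYSTEM_DIRS):
            findings.add(Finding("sideload_module_staged", 0, path))

    # Rule 4: a shortcut written to a Startup folder (runs at logon).
    for path in dropped_files:
        directory, name = _dir_and_name(path)
        if name.endswith(".lnk") and directory.endswith(r"\programs\startup"):
            findings.add(Finding("startup_shortcut", 0, path))

    return sorted(findings)


def summarize(findings) -> dict[str, int]:
    """Count findings per rule, e.g. for a verdict line or an alert body."""
    return dict(Counter(f.rule for f in findings))


# Transcribed from the report's process tree: (PID, image path).
REPORT_PROCESSES = [
    (212, r"C:\Windows\system32\rundll32.exe"),
    (1048, r"C:\Windows\system32\FXSCOVER.exe"),
    (3692, r"C:\Windows\system32\isoburn.exe"),
    (788, r"C:\Users\Admin\AppData\Local\GgmHemHr\isoburn.exe"),
    (4632, r"C:\Users\Admin\AppData\Local\WzoIOwa\SystemPropertiesComputerName.exe"),
    (2444, r"C:\Windows\system32\SystemPropertiesComputerName.exe"),
    (2400, r"C:\Users\Admin\AppData\Local\63ZE8qx\FXSCOVER.exe"),
]

# Transcribed from the report's Downloads section (duplicate paths collapsed).
REPORT_DROPS = [
    r"C:\Users\Admin\AppData\Local\63ZE8qx\FXSCOVER.exe",
    r"C:\Users\Admin\AppData\Local\63ZE8qx\MFC42u.dll",
    r"C:\Users\Admin\AppData\Local\GgmHemHr\UxTheme.dll",
    r"C:\Users\Admin\AppData\Local\GgmHemHr\isoburn.exe",
    r"C:\Users\Admin\AppData\Local\WzoIOwa\SYSDM.CPL",
    r"C:\Users\Admin\AppData\Local\WzoIOwa\SystemPropertiesComputerName.exe",
    r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Psfjn.lnk",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\lMA9ZqiHm2\SYSDM.CPL",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\h7\MFC42u.dll",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\DWt1\UxTheme.dll",
]

if __name__ == "__main__":
    results = analyze(REPORT_PROCESSES, REPORT_DROPS)
    for finding in results:
        print(f"{finding.rule:<30} pid={finding.pid:<5} {finding.path}")
    print(summarize(results))
```

Run against the report's records the script returns ten findings: PIDs 788, 2400 and 4632 as relocated system binaries, the three modules sitting beside them, the three 1.5MB copies of the same module names staged under Roaming, and the Startup shortcut. The baseline is learned from the same record set, so a binary that only ever ran from System32 produces nothing; in a real deployment you would seed system_names from a known-good inventory rather than from the events under investigation.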

        Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\63ZE8qx\FXSCOVER.exe

          Filesize

          242KB

          MD5

          5769f78d00f22f76a4193dc720d0b2bd

          SHA1

          d62b6cab057e88737cba43fe9b0c6d11a28b53e8

          SHA256

          40e8e6dabfa1485b11cdccf220eb86eeaa8256e99e344cf2b2098d4cdb788a31

          SHA512

          b4b3448a2635b21690c71254d964832e89bf947f7a0d32e79dcc84730f11d4afb4149a810a768878e52f88fc8baec45f1a2fec8e22c5301e9f39fe4fc6a57e3f

        • C:\Users\Admin\AppData\Local\63ZE8qx\MFC42u.dll

          Filesize

          374KB

          MD5

          a55aedef6d273880cf3f6c9e7fb940a6

          SHA1

          cae7ba4bd1edc038a602c39e4700d06f25fd2bf0

          SHA256

          859d0e5a712509fbb8e12d91fe6edf77b9c10844fae96eb464f7c251b18850b4

          SHA512

          5acd4e2e7bfb3b3af56a608bc96c59e94d9e6093ad730aa71929bb902707476272a215437b52cb721f23c81de5088b1d3f5aa014ef951b1b2b7d0e0248cf9508

        • C:\Users\Admin\AppData\Local\63ZE8qx\MFC42u.dll

          Filesize

          149KB

          MD5

          54b7c8d1324f00bae261d9491df0da00

          SHA1

          608ef1104361ec2dddf70c43d6b78c9ff49c7022

          SHA256

          578f46c289a050933cbba3ce82bc5a20a6752b5e1122372694c63788439d1c79

          SHA512

          e3c582aa6053b3876d2bdaf56866bfcf2002684de8f9d8298ba2a57dc0cfffa7b74bc095b2b6b49f09c96b0e47cfc1904b375691152ba960341cc06407873c22

        • C:\Users\Admin\AppData\Local\GgmHemHr\UxTheme.dll

          Filesize

          122KB

          MD5

          cd7a0dc0979c29163e515a93322dad7b

          SHA1

          f78d56ebcaa40676b85eb8ac6508b08d06b5ee96

          SHA256

          ca125724013118043cbd16f4a9c3a2295e61539fac93bd3762433ccb76fb1e2b

          SHA512

          50aefa848a6c4b26d36b79e432102a148a33f6cde225064aa33f39561e4a37f2b310a124e960f8c851ab8944fd9d7a0e5dcbac521a429c201997c9fac511eec6

        • C:\Users\Admin\AppData\Local\GgmHemHr\UxTheme.dll

          Filesize

          194KB

          MD5

          f1b170ea1dda44677c3ba38e3cbf50cd

          SHA1

          50681fbf6da59e7f2db40b624f0bda7dcb187894

          SHA256

          7d6a5854e3b9d9b1c5cb37535ba0e57702205e370799fa63853955dd72917e03

          SHA512

          e495817e48f96403b083fd6372917ea93f8b08fbe729c343a05221b28c14c723bcf24980a1c43fefd1bb29627a267a12093888736f47aca257d0fd08b293c79b

        • C:\Users\Admin\AppData\Local\GgmHemHr\isoburn.exe

          Filesize

          116KB

          MD5

          d0424a92635b8082986fa890fd11533a

          SHA1

          2817f53c507781cc07fe1573acd6cac65c3d210f

          SHA256

          6d08bbb342146b59718ee5968209b752cd0888b17de7d5ab07e2496e4368c3f9

          SHA512

          4594cd42d3590aba6ff0cc7704949cf0e30cabce06a9841a76145e2c08451af8513b335dc5ff90871831be5f50f96f244fbcfe9c3fc19310b5df1a57b7be083e

        • C:\Users\Admin\AppData\Local\GgmHemHr\isoburn.exe

          Filesize

          73KB

          MD5

          a89c25f7990178de6ade691a6a4af103

          SHA1

          22198054dd8dd2ea22b8af496f46bfe522be638c

          SHA256

          4325a1d1bf5359c223124d5f8317ab5e62e19752f8516beab36bcf32d6f4d0f0

          SHA512

          eb7fbbe9cc6a1520b0d810973e071f93495fefbb68c4854e3067d432bcc6c43734d1af4f28df6354aa718437d614726a9b7b73c3b3454836af8548b1a0678555

        • C:\Users\Admin\AppData\Local\WzoIOwa\SYSDM.CPL

          Filesize

          105KB

          MD5

          34b6806c6b5cee9a6ca238024ff34e0e

          SHA1

          80f3aa1b9f309b563115a7133e1a780644f0379f

          SHA256

          fc0e646a4f94f492b6d7e74ed8d69d64b6e0d461a923e21af8b90e938c3018e1

          SHA512

          1599926952e0d0d599551c21330c1286b01a3153458e3773dcb9dfa4f17392131eea85c2c16d5ab2e78268563fdfa15f9ba1ca2178b686a5df8e636ea246c2c6

        • C:\Users\Admin\AppData\Local\WzoIOwa\SYSDM.CPL

          Filesize

          452KB

          MD5

          defec8037532b01c15373ca2a9faa987

          SHA1

          c05c4ecf7e8758ca32178aee0f29f607b31aed67

          SHA256

          142b4a6c9804c21e3630ce1f1b1ddc98ecd3dce485275e3413a74de69a6e1a4e

          SHA512

          ce08385d306f75c8eb645b729b79a86feb3d7baf84ff38f71b4c359caa28eeac9c86bfde2d9f19597e90250d514b75427836ce4a72b2f63a11a6c85a3e2edd48

        • C:\Users\Admin\AppData\Local\WzoIOwa\SystemPropertiesComputerName.exe

          Filesize

          82KB

          MD5

          6711765f323289f5008a6a2a04b6f264

          SHA1

          d8116fdf73608b4b254ad83c74f2232584d24144

          SHA256

          bd3a97327326e2245938ec6099f20059b446ff0fe1c10b9317d15d1a1dd5331e

          SHA512

          438abd282d9d1c0e7e5db2ce027ff9522c3980278b32b2eae09c595884a8dcbfd5178bc5926b1d15f03174303382e13f5d5ecab9a5d8e31fc07ef39e66c012e8

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Psfjn.lnk

          Filesize

          1KB

          MD5

          f97f2c7bbed73335d9eb0b27914fa94f

          SHA1

          b185772d2c4b65b575728de30ef436fe2cee97c5

          SHA256

          ef16912de6cfd3e449cd4d288622abb72d4afc3f9e53209e237c274290332c2f

          SHA512

          b9b4acb39d4d9b1be5258c7cc30bb6da46ce3ba82be7a02430c40c16725b1a71c5bfea02954ec4eaef94d04fcd8e6b316c43a5431471f1b2aac2af62e50a5e30

        • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\lMA9ZqiHm2\SYSDM.CPL

          Filesize

          1.5MB

          MD5

          29b7a3b41d5c013158cb24fb27366b6c

          SHA1

          8be2170d516911459511cd5adf848a5dfd6ce6d7

          SHA256

          16248768ad81ea58fb6751d8ef3099fbc89ae1df4026a4f4dae25143d5468587

          SHA512

          6e86899e5f279da4f708b8ea1de37eb84fb0d6843f1ee5d18d69a0685fc9e92b6e58b533167f767c656850030ddada16874b6e036aa9c3eacff4f46ec186ebd9

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\h7\MFC42u.dll

          Filesize

          1.5MB

          MD5

          1f8679b303071771b9e742575293f492

          SHA1

          93940b3b0add0f5c6b974f20c6c0c0b0552b39fa

          SHA256

          8323786991091280c896af68b3403bbce9cf821a7eba7a01e3540bd676883b5b

          SHA512

          926dc13398d342a6f914c01ff0bdae0a8201c74c9b71700b8dac0adbf6633b7ce545db69320178ad5e6e191b7a4d9d07dace3a9b790f64738da29c730361805e

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\DWt1\UxTheme.dll

          Filesize

          1.5MB

          MD5

          de2ddd33bda4fb19b4cc48e0ed787584

          SHA1

          0cb9cbec7027d3edf5bbc8b7a21beee280f7782a

          SHA256

          eafdb8b7c07513866d1d663d056514f94a6c6805f6298d26d71a81730efde818

          SHA512

          b1a9fe8dbc749139ee828bb5cea4d23fdb23e3ce0e51881efdfd56e07396b09fff1530c04a1332e3a44fbdb3d55f9dfb5bc3074ce5278a039cb67b7881e62bd6

        • memory/212-8-0x0000000140000000-0x0000000140185000-memory.dmp

          Filesize

          1.5MB

        • memory/212-2-0x00000139245E0000-0x00000139245E7000-memory.dmp

          Filesize

          28KB

        • memory/212-0-0x0000000140000000-0x0000000140185000-memory.dmp

          Filesize

          1.5MB

        • memory/788-116-0x00000213CDCB0000-0x00000213CDCB7000-memory.dmp

          Filesize

          28KB

        • memory/788-121-0x0000000140000000-0x0000000140186000-memory.dmp

          Filesize

          1.5MB

        • memory/2400-77-0x0000000140000000-0x000000014018C000-memory.dmp

          Filesize

          1.5MB

        • memory/2400-80-0x0000000140000000-0x000000014018C000-memory.dmp

          Filesize

          1.5MB

        • memory/2400-83-0x00000198F9660000-0x00000198F9667000-memory.dmp

          Filesize

          28KB

        • memory/2400-84-0x0000000140000000-0x000000014018C000-memory.dmp

          Filesize

          1.5MB

        • memory/3480-41-0x0000000140000000-0x0000000140185000-memory.dmp

          Filesize

          1.5MB

        • memory/3480-42-0x0000000140000000-0x0000000140185000-memory.dmp

          Filesize

          1.5MB

        • memory/3480-27-0x0000000140000000-0x0000000140185000-memory.dmp

          Filesize

          1.5MB

        • memory/3480-28-0x0000000140000000-0x0000000140185000-memory.dmp

          Filesize

          1.5MB

        • memory/3480-14-0x0000000140000000-0x0000000140185000-memory.dmp

          Filesize

          1.5MB

        • memory/3480-13-0x0000000140000000-0x0000000140185000-memory.dmp

          Filesize

          1.5MB

        • memory/3480-29-0x0000000140000000-0x0000000140185000-memory.dmp

          Filesize

          1.5MB

        • memory/3480-12-0x0000000140000000-0x0000000140185000-memory.dmp

          Filesize

          1.5MB

        • memory/3480-32-0x0000000140000000-0x0000000140185000-memory.dmp

          Filesize

          1.5MB

        • memory/3480-37-0x0000000140000000-0x0000000140185000-memory.dmp

          Filesize

          1.5MB

        • memory/3480-38-0x0000000140000000-0x0000000140185000-memory.dmp

          Filesize

          1.5MB

        • memory/3480-39-0x0000000140000000-0x0000000140185000-memory.dmp

          Filesize

          1.5MB

        • memory/3480-40-0x0000000140000000-0x0000000140185000-memory.dmp

          Filesize

          1.5MB

        • memory/3480-25-0x0000000140000000-0x0000000140185000-memory.dmp

          Filesize

          1.5MB

        • memory/3480-45-0x0000000140000000-0x0000000140185000-memory.dmp

          Filesize

          1.5MB

        • memory/3480-47-0x0000000140000000-0x0000000140185000-memory.dmp

          Filesize

          1.5MB

        • memory/3480-50-0x0000000003330000-0x0000000003337000-memory.dmp

          Filesize

          28KB

        • memory/3480-48-0x0000000140000000-0x0000000140185000-memory.dmp

          Filesize

          1.5MB

        • memory/3480-46-0x0000000140000000-0x0000000140185000-memory.dmp

          Filesize

          1.5MB

        • memory/3480-56-0x0000000140000000-0x0000000140185000-memory.dmp

          Filesize

          1.5MB

        • memory/3480-44-0x0000000140000000-0x0000000140185000-memory.dmp

          Filesize

          1.5MB

        • memory/3480-57-0x00007FFB321E0000-0x00007FFB321F0000-memory.dmp

          Filesize

          64KB

        • memory/3480-68-0x0000000140000000-0x0000000140185000-memory.dmp

          Filesize

          1.5MB

        • memory/3480-66-0x0000000140000000-0x0000000140185000-memory.dmp

          Filesize

          1.5MB

        • memory/3480-43-0x0000000140000000-0x0000000140185000-memory.dmp

          Filesize

          1.5MB

        • memory/3480-26-0x0000000140000000-0x0000000140185000-memory.dmp

          Filesize

          1.5MB

        • memory/3480-36-0x0000000140000000-0x0000000140185000-memory.dmp

          Filesize

          1.5MB

        • memory/3480-35-0x0000000140000000-0x0000000140185000-memory.dmp

          Filesize

          1.5MB

        • memory/3480-34-0x0000000140000000-0x0000000140185000-memory.dmp

          Filesize

          1.5MB

        • memory/3480-33-0x0000000140000000-0x0000000140185000-memory.dmp

          Filesize

          1.5MB

        • memory/3480-31-0x0000000140000000-0x0000000140185000-memory.dmp

          Filesize

          1.5MB

        • memory/3480-30-0x0000000140000000-0x0000000140185000-memory.dmp

          Filesize

          1.5MB

        • memory/3480-5-0x00007FFB30A7A000-0x00007FFB30A7B000-memory.dmp

          Filesize

          4KB

        • memory/3480-4-0x00000000092E0000-0x00000000092E1000-memory.dmp

          Filesize

          4KB

        • memory/3480-7-0x0000000140000000-0x0000000140185000-memory.dmp

          Filesize

          1.5MB

        • memory/3480-20-0x0000000140000000-0x0000000140185000-memory.dmp

          Filesize

          1.5MB

        • memory/3480-23-0x0000000140000000-0x0000000140185000-memory.dmp

          Filesize

          1.5MB

        • memory/3480-24-0x0000000140000000-0x0000000140185000-memory.dmp

          Filesize

          1.5MB

        • memory/3480-21-0x0000000140000000-0x0000000140185000-memory.dmp

          Filesize

          1.5MB

        • memory/3480-22-0x0000000140000000-0x0000000140185000-memory.dmp

          Filesize

          1.5MB

        • memory/3480-19-0x0000000140000000-0x0000000140185000-memory.dmp

          Filesize

          1.5MB

        • memory/3480-18-0x0000000140000000-0x0000000140185000-memory.dmp

          Filesize

          1.5MB

        • memory/3480-17-0x0000000140000000-0x0000000140185000-memory.dmp

          Filesize

          1.5MB

        • memory/3480-16-0x0000000140000000-0x0000000140185000-memory.dmp

          Filesize

          1.5MB

        • memory/3480-15-0x0000000140000000-0x0000000140185000-memory.dmp

          Filesize

          1.5MB

        • memory/3480-11-0x0000000140000000-0x0000000140185000-memory.dmp

          Filesize

          1.5MB

        • memory/3480-10-0x0000000140000000-0x0000000140185000-memory.dmp

          Filesize

          1.5MB

        • memory/3480-9-0x0000000140000000-0x0000000140185000-memory.dmp

          Filesize

          1.5MB

        • memory/4632-103-0x0000000140000000-0x0000000140186000-memory.dmp

          Filesize

          1.5MB

        • memory/4632-96-0x0000000140000000-0x0000000140186000-memory.dmp

          Filesize

          1.5MB

        • memory/4632-95-0x0000000140000000-0x0000000140186000-memory.dmp

          Filesize

          1.5MB

        • memory/4632-98-0x00000198B8A90000-0x00000198B8A97000-memory.dmp

          Filesize

          28KB