Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23-01-2024 22:19

General

  • Target

    70b4e740a07d198ec5ac903eaed6ff43.dll

  • Size

    2.0MB

  • MD5

    70b4e740a07d198ec5ac903eaed6ff43

  • SHA1

    7f30bccf96428c20875a437c2995388987fa2e84

  • SHA256

    718a533c6fd5cccfb5c4afd72ad1d850327a0b4e6a37aed68679e7bb4afce5ce

  • SHA512

    c0e2e1771108c56358814da4618a4d6c5fdfcb3e8ad536e6ecbb1c12afb47819f7a3c5770b4033e73011dd117249474fb6ac44bb017c041b2f5c289ebd74834e

  • SSDEEP

    12288:uVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1+o6:zfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing banking credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex payload shellcode injected into the Explorer process.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\70b4e740a07d198ec5ac903eaed6ff43.dll,#1
    PID:1208
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
  • C:\Windows\system32\EhStorAuthn.exe
    C:\Windows\system32\EhStorAuthn.exe
    PID:2760
  • C:\Users\Admin\AppData\Local\VkS\EhStorAuthn.exe
    C:\Users\Admin\AppData\Local\VkS\EhStorAuthn.exe
    PID:3016
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
  • C:\Windows\system32\DisplaySwitch.exe
    C:\Windows\system32\DisplaySwitch.exe
    PID:3760
  • C:\Users\Admin\AppData\Local\N3cxLFj\DisplaySwitch.exe
    C:\Users\Admin\AppData\Local\N3cxLFj\DisplaySwitch.exe
    PID:2196
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
  • C:\Windows\system32\recdisc.exe
    C:\Windows\system32\recdisc.exe
    PID:1516
  • C:\Users\Admin\AppData\Local\Yi1lYyLD\recdisc.exe
    C:\Users\Admin\AppData\Local\Yi1lYyLD\recdisc.exe
    PID:4492
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
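The process tree shows three Windows system binaries (EhStorAuthn.exe, DisplaySwitch.exe, recdisc.exe) each started once from System32 and once again from a freshly created directory under AppData\Local, and the dropped-file list pairs every relocated copy with a DLL (UxTheme.dll, DUser.dll, ReAgent.dll) written to the same directory; together with the "Loads dropped DLL" signature this is consistent with DLL side-loading. The Python below is an added example, not part of the report or of any sandbox product: it pulls that staging pattern out of process-start and file-write events, using this report's own paths as constructed input. The directory roots it treats as "system" and "user-writable", and the Startup-shortcut check, are this example's assumptions.

```python
"""Pull DLL side-loading staging out of sandbox process/file events.

Added example, not part of this report or of any sandbox product. The two
event lists are constructed from the paths this report shows; the directory
roots treated as "system" and "user-writable", and the Startup-shortcut
check, are this example's own assumptions.
"""
import ntpath
from collections import defaultdict

# Constructed from the report's process tree: (pid, image path).
PROCESS_STARTS = [
    (1208, r"C:\Windows\system32\rundll32.exe"),
    (2760, r"C:\Windows\system32\EhStorAuthn.exe"),
    (3016, r"C:\Users\Admin\AppData\Local\VkS\EhStorAuthn.exe"),
    (3760, r"C:\Windows\system32\DisplaySwitch.exe"),
    (2196, r"C:\Users\Admin\AppData\Local\N3cxLFj\DisplaySwitch.exe"),
    (1516, r"C:\Windows\system32\recdisc.exe"),
    (4492, r"C:\Users\Admin\AppData\Local\Yi1lYyLD\recdisc.exe"),
]

# Constructed from the report's dropped-file list (paths only).
FILE_WRITES = [
    r"C:\Users\Admin\AppData\Local\VkS\EhStorAuthn.exe",
    r"C:\Users\Admin\AppData\Local\VkS\UxTheme.dll",
    r"C:\Users\Admin\AppData\Local\N3cxLFj\DisplaySwitch.exe",
    r"C:\Users\Admin\AppData\Local\N3cxLFj\DUser.dll",
    r"C:\Users\Admin\AppData\Local\Yi1lYyLD\recdisc.exe",
    r"C:\Users\Admin\AppData\Local\Yi1lYyLD\ReAgent.dll",
    r"C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Security\ZM\UxTheme.dll",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\YH\DUser.dll",
    r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dvizybqqo.lnk",
]

SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")  # assumption
USER_WRITABLE_ROOTS = ("c:\\users\\", "c:\\programdata\\")        # assumption


def in_system_dir(path):
    return ntpath.dirname(path).lower() in SYSTEM_DIRS


def in_user_writable(path):
    return path.lower().startswith(USER_WRITABLE_ROOTS)


def find_sideload_staging(process_starts, file_writes):
    """Map each relocated system binary to the DLLs dropped next to it.

    Signal: an image name first seen running from System32 is later started
    from a user-writable directory that also received one or more .dll files.
    The set of "system" names is learned from the events themselves, so no
    allow-list of Windows binaries is needed.
    """
    system_names = {
        ntpath.basename(p).lower() for _, p in process_starts if in_system_dir(p)
    }
    dlls_by_dir = defaultdict(list)
    for path in file_writes:
        if path.lower().endswith(".dll"):
            dlls_by_dir[ntpath.dirname(path).lower()].append(path)
    hits = {}
    for pid, image in process_starts:
        if ntpath.basename(image).lower() in system_names and in_user_writable(image):
            dlls = dlls_by_dir.get(ntpath.dirname(image).lower(), [])
            if dlls:
                hits[image] = {"pid": pid, "dlls": dlls}
    return hits


def find_startup_shortcuts(file_writes):
    """Return .lnk files dropped into a Startup folder (8.3 short names included)."""
    return [
        path for path in file_writes
        if path.lower().endswith(".lnk") and "\\startup\\" in path.lower()
    ]


if __name__ == "__main__":
    for exe, info in find_sideload_staging(PROCESS_STARTS, FILE_WRITES).items():
        print(f"PID {info['pid']}: {exe} side-loads {', '.join(info['dlls'])}")
    for lnk in find_startup_shortcuts(FILE_WRITES):
        print(f"startup persistence: {lnk}")
```

Run as-is it flags the three AppData\Local copies with their paired DLLs and the Startup shortcut. The two Roaming copies (ZM\UxTheme.dll, YH\DUser.dll) have no paired executable in the report's events, so this check leaves them alone; treat those as IOCs straight from the hash list. Because the "system" names are learned from the run, a sandbox that only recorded the relocated copy would produce no hit; on an EDR with full telemetry the same logic keys off the original System32 start.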

        Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\N3cxLFj\DUser.dll

          Filesize

          453KB

          MD5

          6e1b445fdc95d49a910990b74a810361

          SHA1

          c2eb16c1274d667679d612d4fac674c2e30a5134

          SHA256

          d6dbe459c91b9347d11973e61eabf1dbe6dee46c33bc85cfe3d36cd46dbcbd50

          SHA512

          d2bc77f335e1e0a6a3bd26a06f269f25f4c0c8dddf47e83e63f025b65202618d6c6f8f09ca586e76be4760951f9aa90bf344e81d0af37c6f0b69503a6ebb3de5

        • C:\Users\Admin\AppData\Local\N3cxLFj\DUser.dll

          Filesize

          627KB

          MD5

          892bc86121ff29941810ea6850712196

          SHA1

          bc11a183354d72bb099dd6fcab66be03ff743765

          SHA256

          816ad33e3627107def478cb9e4c96126792f51e5de362c8d7c432a22f3134529

          SHA512

          e6fb7f2e36c7673fa9020b7c08e687ebf0e0c0714311d5354f7633bdc1afaa8c7849e5279ea1b43e73f62ca0e45a740af0d8b2fb31b8756465d17efd0d4f107c

        • C:\Users\Admin\AppData\Local\N3cxLFj\DisplaySwitch.exe

          Filesize

          425KB

          MD5

          47d22888c4b9855ec38b6c5d0192d4c5

          SHA1

          4a7100ae1ea332176fdb9b0b35ace23952f8d8b0

          SHA256

          26bc6232758bf094620082c441aab8ae6c9f1f658e4259ef25c6d3da6aa80bd3

          SHA512

          1c7e9fab54f352460aa71b01c3d9530b7e0995e57662eb16933b46a1070e1ea1d611c33139a6cb944b277515a1a9a84137dc727c3a0088a063010e059fdd2131

        • C:\Users\Admin\AppData\Local\N3cxLFj\DisplaySwitch.exe

          Filesize

          585KB

          MD5

          57774c84ab1c462e681f163bd0ec34b2

          SHA1

          8d832a6f708e9c4bc4ed9981ebd5490eca17566b

          SHA256

          99c04229c3a4a7dc8065f61ac40d170211140b510c731328fd5bafb7f103690a

          SHA512

          372762e8b4eb4f43a4117af2343d74d6c90fe8b995eb14e0f54fb1f275882e7830ddf87e9a43c5633b49be03d781837e1f44fe3fc4b7d64dc49f5f955abd9822

        • C:\Users\Admin\AppData\Local\VkS\EhStorAuthn.exe

          Filesize

          128KB

          MD5

          d45618e58303edb4268a6cca5ec99ecc

          SHA1

          1f8049fc5ea8b57bb68e19fb55cb9dc1e18e9513

          SHA256

          d527323643be9df4d174c3169c6f2c7854a59b781654bcaebd154cb51fb4219c

          SHA512

          5d7ae663dcfedfaf00836dc018131851e5a40778bd582b417b9f0bbd4bb6d1b2eb8f37f7f5a01cd2beed78b6037ef6eb2a3290248d5e901173b1407990a202bd

        • C:\Users\Admin\AppData\Local\VkS\UxTheme.dll

          Filesize

          546KB

          MD5

          f19c295517a2544f0c76fd35367c200e

          SHA1

          b687df2b1499be9d52119e5aabbee4ad2ff2a12a

          SHA256

          d99d1066c8a403ea596b117e10551df4f5a609561f8d19efd26d54c1de39fac2

          SHA512

          bd07e5134e2c53dc97d0b900d1cb2c20997ac81c67aab0c2e51221eb0c0702134303679d38be70f2c9bdda8ea0a969c3ac8d702b2a2aae60e4c9e3e3dd0536ab

        • C:\Users\Admin\AppData\Local\VkS\UxTheme.dll

          Filesize

          602KB

          MD5

          ba418bb8c71b995a4bb720cbfd18cbc8

          SHA1

          a5894fe11034def0b8d8a26544fb060ad2542cb7

          SHA256

          53dabed7df35dc900577ca99ce018b184106655e1b98d1032af5fbfbad8537a2

          SHA512

          5f8ac0ae0aa689f956f13e130456268a72270173998186b161d0ad68ad66db8d9f73ad29baafa50db2ed563080996a0d1672bb2aaaac644f22d932493a2ca6b1

        • C:\Users\Admin\AppData\Local\Yi1lYyLD\ReAgent.dll

          Filesize

          387KB

          MD5

          bb1e752b02f68738d12685c448e6b504

          SHA1

          0e87e4b96f785a586df169cc6135ede4d0d65b8f

          SHA256

          5b67b9cdf78e3d5c1ef5db616f777343969ec29035740bf84e3ed8c2d42dd55d

          SHA512

          2da4283cefddeb66e5b00de36a96733ea7c250bc6bd22c89e66d2e33ee524b50ae6fe312f207228024f2dc5ec2b42b1f58be9e709025e12703ef3c98f9796fa6

        • C:\Users\Admin\AppData\Local\Yi1lYyLD\ReAgent.dll

          Filesize

          500KB

          MD5

          047b3a9325bf1f9c957a70fe85784625

          SHA1

          1e4ff4d52dc4424df44f263ec8160eb83c2d9c1c

          SHA256

          6040ff3766bcc7ce674683141273196f9b4ae0f603df3a7cf0b7a2b444c7fdc1

          SHA512

          aaa1997275dd2aae6ae3afe8c19eb49161187f1b1e2768180c2abfdc23892c2270b7af38faf54e0202735b1d36fb1b932ab7910145e1acfb1ef96fe4b473bfea

        • C:\Users\Admin\AppData\Local\Yi1lYyLD\recdisc.exe

          Filesize

          193KB

          MD5

          18afee6824c84bf5115bada75ff0a3e7

          SHA1

          d10f287a7176f57b3b2b315a5310d25b449795aa

          SHA256

          0787b37cf197595b8149ffe3784f9c59eacde3616011f185513ff5c075a5ac4e

          SHA512

          517356165b401dbebf15437d3b17746aef5a6a4cc62a0afe45966abc92b4cf377eee4514a36ee28b1e88e55a22a2f8a6c997df45971e7f354b66ac7d9e141845

        • C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Security\ZM\UxTheme.dll

          Filesize

          2.0MB

          MD5

          f27bcccd664dd381f38b2293794ae986

          SHA1

          21c054ad027086551177c14fe9206e943e8ce5cf

          SHA256

          ff4abbf4680ecb72f085b251f3fc4de867e4d6c61dec24f6f3bb1fd80546146f

          SHA512

          58ffa37f2d766b71c28f57e81173c3715ef0008d6c00a69f4708ebb86cd007ec319620baa094661e7974199ffaa085b2282fbf66ad542222ff6e2915c3b7768f

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dvizybqqo.lnk

          Filesize

          1KB

          MD5

          62878cea522ae4fa8a542e1e69f6a774

          SHA1

          5648faa1df93a0e2fd138e4781b81eae8fe8e916

          SHA256

          efe28dee85281e7505f8948b46181a4e21609fca751e28cb11785b9106afe2f8

          SHA512

          f9f2a0fc33d866bca56dc594cbdec09a87329a0e4382f43b2cf76ca732b17549fddc2e5178ed7ffd757ad5f48f87e778561bdea95729e0728ab747020755a0aa

        • C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\9Cutlz\ReAgent.dll

          Filesize

          2.0MB

          MD5

          32c5cf7c9a788050a2a1b60b86878ad8

          SHA1

          d45fbbd392b7155b9b63eff73343d412f13ea3f8

          SHA256

          9f42583af85355acc2b9738b2412ae643c06895363fcb3e77e7e807082c71ec4

          SHA512

          ca6546a319e9fa3e208c531ed6b608d5429ff5f4fed53a373bdd636e1bbfb48169827d63f230c180ef0edcf3bb09b5c5e518ab18e3645f5bbdc0cd47598741e4

        • C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\YH\DUser.dll

          Filesize

          2.0MB

          MD5

          1ed377af627d161e726bc312332939ee

          SHA1

          14bfb3e65a023d356c1a7081a76c51a68859df6f

          SHA256

          f3a5a198ca08eb31dbe795be2738ad3997f7d4064c8d3ffc92cd663609db1e83

          SHA512

          bae97b3b5753fe284615e242d188a7b86ec26fdda8c05d2d2639ff6aac2a8c0cbded987e8f37f508a42f5f65cfa8b312719235aaf1567627305f2cd4b329bee6

        • memory/1208-0-0x0000000140000000-0x00000001401F8000-memory.dmp

          Filesize

          2.0MB

        • memory/1208-1-0x000001F7E9FA0000-0x000001F7E9FA7000-memory.dmp

          Filesize

          28KB

        • memory/1208-7-0x0000000140000000-0x00000001401F8000-memory.dmp

          Filesize

          2.0MB

        • memory/2196-86-0x0000000140000000-0x00000001401FA000-memory.dmp

          Filesize

          2.0MB

        • memory/2196-85-0x0000024D87860000-0x0000024D87867000-memory.dmp

          Filesize

          28KB

        • memory/2196-91-0x0000000140000000-0x00000001401FA000-memory.dmp

          Filesize

          2.0MB

        • memory/3016-74-0x0000000140000000-0x00000001401F9000-memory.dmp

          Filesize

          2.0MB

        • memory/3016-68-0x0000000140000000-0x00000001401F9000-memory.dmp

          Filesize

          2.0MB

        • memory/3016-69-0x0000021B0E9E0000-0x0000021B0E9E7000-memory.dmp

          Filesize

          28KB

        • memory/3484-19-0x0000000140000000-0x00000001401F8000-memory.dmp

          Filesize

          2.0MB

        • memory/3484-25-0x0000000140000000-0x00000001401F8000-memory.dmp

          Filesize

          2.0MB

        • memory/3484-26-0x0000000140000000-0x00000001401F8000-memory.dmp

          Filesize

          2.0MB

        • memory/3484-24-0x0000000140000000-0x00000001401F8000-memory.dmp

          Filesize

          2.0MB

        • memory/3484-30-0x0000000140000000-0x00000001401F8000-memory.dmp

          Filesize

          2.0MB

        • memory/3484-34-0x0000000140000000-0x00000001401F8000-memory.dmp

          Filesize

          2.0MB

        • memory/3484-35-0x0000000140000000-0x00000001401F8000-memory.dmp

          Filesize

          2.0MB

        • memory/3484-38-0x0000000140000000-0x00000001401F8000-memory.dmp

          Filesize

          2.0MB

        • memory/3484-40-0x00000000011D0000-0x00000000011D7000-memory.dmp

          Filesize

          28KB

        • memory/3484-39-0x0000000140000000-0x00000001401F8000-memory.dmp

          Filesize

          2.0MB

        • memory/3484-37-0x0000000140000000-0x00000001401F8000-memory.dmp

          Filesize

          2.0MB

        • memory/3484-36-0x0000000140000000-0x00000001401F8000-memory.dmp

          Filesize

          2.0MB

        • memory/3484-33-0x0000000140000000-0x00000001401F8000-memory.dmp

          Filesize

          2.0MB

        • memory/3484-32-0x0000000140000000-0x00000001401F8000-memory.dmp

          Filesize

          2.0MB

        • memory/3484-31-0x0000000140000000-0x00000001401F8000-memory.dmp

          Filesize

          2.0MB

        • memory/3484-47-0x0000000140000000-0x00000001401F8000-memory.dmp

          Filesize

          2.0MB

        • memory/3484-50-0x00007FFF61440000-0x00007FFF61450000-memory.dmp

          Filesize

          64KB

        • memory/3484-57-0x0000000140000000-0x00000001401F8000-memory.dmp

          Filesize

          2.0MB

        • memory/3484-59-0x0000000140000000-0x00000001401F8000-memory.dmp

          Filesize

          2.0MB

        • memory/3484-28-0x0000000140000000-0x00000001401F8000-memory.dmp

          Filesize

          2.0MB

        • memory/3484-29-0x0000000140000000-0x00000001401F8000-memory.dmp

          Filesize

          2.0MB

        • memory/3484-27-0x0000000140000000-0x00000001401F8000-memory.dmp

          Filesize

          2.0MB

        • memory/3484-23-0x0000000140000000-0x00000001401F8000-memory.dmp

          Filesize

          2.0MB

        • memory/3484-22-0x0000000140000000-0x00000001401F8000-memory.dmp

          Filesize

          2.0MB

        • memory/3484-21-0x0000000140000000-0x00000001401F8000-memory.dmp

          Filesize

          2.0MB

        • memory/3484-20-0x0000000140000000-0x00000001401F8000-memory.dmp

          Filesize

          2.0MB

        • memory/3484-18-0x0000000140000000-0x00000001401F8000-memory.dmp

          Filesize

          2.0MB

        • memory/3484-17-0x0000000140000000-0x00000001401F8000-memory.dmp

          Filesize

          2.0MB

        • memory/3484-16-0x0000000140000000-0x00000001401F8000-memory.dmp

          Filesize

          2.0MB

        • memory/3484-11-0x0000000140000000-0x00000001401F8000-memory.dmp

          Filesize

          2.0MB

        • memory/3484-15-0x0000000140000000-0x00000001401F8000-memory.dmp

          Filesize

          2.0MB

        • memory/3484-14-0x0000000140000000-0x00000001401F8000-memory.dmp

          Filesize

          2.0MB

        • memory/3484-13-0x0000000140000000-0x00000001401F8000-memory.dmp

          Filesize

          2.0MB

        • memory/3484-5-0x00007FFF5FE1A000-0x00007FFF5FE1B000-memory.dmp

          Filesize

          4KB

        • memory/3484-12-0x0000000140000000-0x00000001401F8000-memory.dmp

          Filesize

          2.0MB

        • memory/3484-10-0x0000000140000000-0x00000001401F8000-memory.dmp

          Filesize

          2.0MB

        • memory/3484-4-0x00000000011C0000-0x00000000011C1000-memory.dmp

          Filesize

          4KB

        • memory/3484-9-0x0000000140000000-0x00000001401F8000-memory.dmp

          Filesize

          2.0MB

        • memory/3484-8-0x0000000140000000-0x00000001401F8000-memory.dmp

          Filesize

          2.0MB

        • memory/4492-108-0x0000000140000000-0x00000001401F9000-memory.dmp

          Filesize

          2.0MB

        • memory/4492-102-0x000002C3E3410000-0x000002C3E3417000-memory.dmp

          Filesize

          28KB
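Every process in the tree that ran the payload shows a 2.0MB region at 0x140000000, and the same region recurs dozens of times in PID 3484, which does not appear in the process tree at all; the report names only the Explorer process in its injection signature and does not say which process 3484 is. The Python below is an added example, not part of the report: it parses the report's memory-dump file names (a verbatim subset is embedded), recomputes the region sizes the report prints, and cross-checks the PIDs against the process tree. Treating 0x140000000 as the default 64-bit image base is this example's assumption (it is the linker default for x64 PE builds).

```python
"""Parse the report's memory-dump names and cross-check them against the tree.

Added example, not part of the report. DUMPS is a subset of the dump names
listed above, copied verbatim; TREE_PIDS is the set of PIDs in the report's
process tree. Treating 0x140000000 as the default 64-bit image base is this
example's assumption (the linker default for x64 PE builds); the report
itself does not say which process PID 3484 is.
"""
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp"
)
DEFAULT_X64_IMAGE_BASE = 0x140000000  # assumption: MSVC linker default for x64 PE

DUMPS = """
memory/1208-0-0x0000000140000000-0x00000001401F8000-memory.dmp
memory/1208-1-0x000001F7E9FA0000-0x000001F7E9FA7000-memory.dmp
memory/2196-86-0x0000000140000000-0x00000001401FA000-memory.dmp
memory/3016-68-0x0000000140000000-0x00000001401F9000-memory.dmp
memory/3484-19-0x0000000140000000-0x00000001401F8000-memory.dmp
memory/3484-40-0x00000000011D0000-0x00000000011D7000-memory.dmp
memory/3484-50-0x00007FFF61440000-0x00007FFF61450000-memory.dmp
memory/4492-108-0x0000000140000000-0x00000001401F9000-memory.dmp
""".split()

TREE_PIDS = {1208, 2760, 3016, 3760, 2196, 1516, 4492}  # from the process tree


def parse_dump(name):
    """Return pid/seq/start/end/size for one dump name, or None if it does not match."""
    m = DUMP_RE.fullmatch(name)
    if not m:
        return None
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}


def fmt_size(n):
    """Round the way the report does: whole KB below 1 MiB, one decimal MB above."""
    return f"{n / 2**20:.1f}MB" if n >= 2**20 else f"{n // 1024}KB"


def summarize(dumps, tree_pids):
    """Group regions per PID; record image-base mappings and tree membership."""
    per_pid = defaultdict(lambda: {"regions": 0, "image_base_sizes": []})
    for name in dumps:
        d = parse_dump(name)
        if d is None:
            continue
        entry = per_pid[d["pid"]]
        entry["regions"] += 1
        if d["start"] == DEFAULT_X64_IMAGE_BASE:
            entry["image_base_sizes"].append(d["size"])
    for pid, entry in per_pid.items():
        entry["in_tree"] = pid in tree_pids
    return dict(per_pid)


def pids_missing_from_tree(dumps, tree_pids):
    """PIDs that have memory dumps but no entry in the process tree."""
    parsed = (parse_dump(n) for n in dumps)
    return sorted({d["pid"] for d in parsed if d and d["pid"] not in tree_pids})


if __name__ == "__main__":
    for pid, e in sorted(summarize(DUMPS, TREE_PIDS).items()):
        bases = ", ".join(fmt_size(s) for s in e["image_base_sizes"]) or "none"
        flag = "" if e["in_tree"] else "  <-- not in process tree"
        print(f"PID {pid}: {e['regions']} region(s), image-base mapping: {bases}{flag}")
```

The recomputed sizes reproduce the report's figures (0x7000 is the 28KB entry, 0x10000 the 64KB one, 0x1F8000 the 2.0MB one), and the only PID with dumps but no tree entry is 3484. A 2.0MB mapping at the default image base inside a process the sample never spawned is the kind of region worth pulling into a disassembler first; which process 3484 actually is has to come from the sandbox's full process list, not from this page.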