Analysis

  • max time kernel
    149s
  • max time network
    105s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23-01-2024 23:33

General

  • Target

    70d941d4f0bc1d1f47611a7b8ce5c05d.dll

  • Size

    2.6MB

  • MD5

    70d941d4f0bc1d1f47611a7b8ce5c05d

  • SHA1

    b66d763099541372aa30d4ccd5922b29c991ef3a

  • SHA256

    6f1a36b2dc535c3a9a2e9611c3261d7d5970599318c0811e556b9ee731865de2

  • SHA512

    5aaf75580bec3c99f034e60e8eac36b5a0f9d0921b206b17d93fd6920d0f6a3add25254e51c0605f4e8ca36e5b1573a2c7a89ae7b7c21c74b67c35b1d91a260f

  • SSDEEP

    12288:LVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:KfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Malware Config

Signatures

  • Dridex

    Dridex (known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode (1 IoC)

    Detects Dridex payload shellcode injected into the Explorer process.

  • Executes dropped EXE (3 IoCs)
  • Loads dropped DLL (3 IoCs)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Checks whether UAC is enabled (1 TTP, 4 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of UnmapMainImage (1 IoC)
  • Suspicious use of WriteProcessMemory (12 IoCs)
  • Uses Task Scheduler COM API (1 TTP)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\70d941d4f0bc1d1f47611a7b8ce5c05d.dll,#1
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID: 2504
  • C:\Windows\system32\WMPDMC.exe
    C:\Windows\system32\WMPDMC.exe
    PID: 2228
    • C:\Windows\system32\RecoveryDrive.exe
      C:\Windows\system32\RecoveryDrive.exe
      PID: 1192
      • C:\Users\Admin\AppData\Local\KDDMrF\RecoveryDrive.exe
        C:\Users\Admin\AppData\Local\KDDMrF\RecoveryDrive.exe
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID: 2940
      • C:\Users\Admin\AppData\Local\KEKwB9\wbengine.exe
        C:\Users\Admin\AppData\Local\KEKwB9\wbengine.exe
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID: 1488
      • C:\Windows\system32\wbengine.exe
        C:\Windows\system32\wbengine.exe
        PID: 2256
        • C:\Users\Admin\AppData\Local\QbEKq\WMPDMC.exe
          C:\Users\Admin\AppData\Local\QbEKq\WMPDMC.exe
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID: 3088

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\KDDMrF\RecoveryDrive.exe
    Filesize: 180KB
    MD5: 9e07dddae4fe2fac394befc7f4766170
    SHA1: 95d7869750b18f3908445f5e5bd54709fcff45d3
    SHA256: 4e36f73a29533254cc44ec0e61714a290e4129cc66831eb6447993092c1bae1f
    SHA512: e93500a09e42c7e61e7ad3287adff3561c1e1fe327c5fda3655b10f19f8608f61d87f6a0a70e2fb0a565035c3d54f282620180464b1424995f45a7e6e461b2f0

  • C:\Users\Admin\AppData\Local\KDDMrF\RecoveryDrive.exe
    Filesize: 93KB
    MD5: 52ade092db507528dc40c142fc0e44c0
    SHA1: 2a9586f571290df73f4718ad61fd62f36032e981
    SHA256: c77cae909765589ea5edf000bd6cc6e47e10a321a9568f77c4117cc133cf4412
    SHA512: 1cae050d64d046e4f7e8ba0be63aafa7d9c81af8a3a057f670a621e0fbaf421cf9c868e51bd1ba91299d0d51a3030d9a931feb31f89936e08a2928a561fe453e

  • C:\Users\Admin\AppData\Local\KDDMrF\UxTheme.dll
    Filesize: 173KB
    MD5: 91760a547a469aa0224f80c4e94da8b2
    SHA1: b73b9be814ecccd1117579fff841ac56e3684995
    SHA256: efb5ade41a13875e68f6a8be44747c79b3859060798a879bc243d77e1d890d62
    SHA512: f308b7bb51be0eb043f2bac4b9d65128476ab77f8ad59d8c0c36d76ee598c88a43c2b0316c443c6b25b81721c97399879eb56a8d07b5037f7f9778cc0aca959f

  • C:\Users\Admin\AppData\Local\KDDMrF\UxTheme.dll
    Filesize: 185KB
    MD5: 82020c7761eacda5920e6b60e99e8779
    SHA1: 576506d82a0701fc3f9fe8b51adc80890802af51
    SHA256: 980d6ffbc37f1efb0e7f67a97dd4b255f6597aebd4f598fe8304f06c02997d1b
    SHA512: 6e8f0c4f6d4c0447e46ca3f26e09246468eb5ecd6789076e8abc2d78de3ce3441bbdfe1e0b0048ef72aee87b6e02230b2280c4002f2ac413936cfb494d2265e6

  • C:\Users\Admin\AppData\Local\KEKwB9\XmlLite.dll
    Filesize: 224KB
    MD5: f6cbdeb7fbe098b50ada4f5f504d6cc2
    SHA1: bde49b91de8d72a75d45d379e84ed206c9d11933
    SHA256: 0a7e7a21d8f3454fbf4bd74496c43e8ba98fbae8495482e734f64330bb77860d
    SHA512: 95673344d7add14980de9531e5bc947e25149ca80001a54d92e453ba398ecba9afc794ad681eb197cfcfd33b73f2f990098b607fd5e4765299d1f24fa7e2b0a6

  • C:\Users\Admin\AppData\Local\KEKwB9\XmlLite.dll
    Filesize: 85KB
    MD5: 562b9ee74a341ecb582e806465510656
    SHA1: 23a4fe9db4d13a2754f4e1a249bd1cbcddc45dac
    SHA256: 8ce831e4ffa5f3fc76c4c36b3d2a295573eec062adfc4597e29ddc8a8445464b
    SHA512: 1ec1e45b1a42f2a0d01c2df83841178ed9eddbed66e11d6e5d6be7053144dbf14fd2147c970ec791f5ea60dacbacf822812b8350a8f73887642c54d4865a7822

  • C:\Users\Admin\AppData\Local\KEKwB9\wbengine.exe
    Filesize: 83KB
    MD5: 2fe2a1150f66da9fe541de948b8d0826
    SHA1: 7f73274b542d3d6c379271d1982ec63ef35f06e6
    SHA256: adda884b2d4a27d0815ddd9c9320595f695cbdd3229e9544a2d2bc129dce1fd2
    SHA512: 93db05dafeb907b44dc37854d0f297a956dda032c8ed6250b13bbeb40192012eed5216053ad9e8cea258134df43df1b153b9cd7df6963b82cb1dc432a8ee4664

  • C:\Users\Admin\AppData\Local\KEKwB9\wbengine.exe
    Filesize: 294KB
    MD5: 5f41a263d0a325c1515dc217040bf8a3
    SHA1: b691b5cdc936a8e58d1ff39364987159099436d9
    SHA256: 1e47922237744c3fb3f484a06e0a650ea61b5dc341ea200be987108521b86fde
    SHA512: 909d4ce409d008fa3100e95dd090f3534d414779b45116e45dd1f9eed43b4762bd3434607067320f025325fabf3e2c9b33ba5efcf30fc0b5f2073bbc80a2c070

  • C:\Users\Admin\AppData\Local\QbEKq\UxTheme.dll
    Filesize: 338KB
    MD5: 99f1edc3e0fa63da2f400197085fbef8
    SHA1: 4dc560fe5988d3e42cc26d0f45ed37a8dae80b31
    SHA256: 4e1fc97cac3db6120835f30787360c9c2b4544391f2880b8da28c8bf3557d026
    SHA512: 5ab8d3c227a362c8bacc498d074f3efb1299f79d835e83501164891710b932418c2bbc060baa830e0c9204c3ed9ad01b7023eae02354c749bf52778626c6851d

  • C:\Users\Admin\AppData\Local\QbEKq\UxTheme.dll
    Filesize: 185KB
    MD5: 2797de3c7bea458794a05e5c3fabfef6
    SHA1: eacc7d7cf8faea4ab2395021fb78a14ae90321ea
    SHA256: 63292e2c36ff19fd5bd013e16c1f98306ade84342fb3674097621bcdaede6e23
    SHA512: 9923ca1d4c03b3ba22e4374f1b6536d2ae9ffdd5aaea529277ab68df47e3ac9a7c523bb5fce0a7cf6ad3069608381ed259b6f55582cf9ef97fbc09402ff53f9b

  • C:\Users\Admin\AppData\Local\QbEKq\WMPDMC.exe
    Filesize: 61KB
    MD5: 49962542f81528145cd3cda238746aa6
    SHA1: a3ad40353c83dcab970e217d6b5835c0452e735a
    SHA256: 4714ad5b0e6cc3054042b510e0d594a02c97f0429a3966749dfff6011631e55d
    SHA512: 1f9f167c3274abbad7bb1875022ad55e053c00597fe8aadca9d44f9b7b4203c55c47c0060aab79b38be4d97b00df47fbad732e9e79e12fcddc263e5b84c0f3ea

  • C:\Users\Admin\AppData\Local\QbEKq\WMPDMC.exe
    Filesize: 190KB
    MD5: 8d4184e72cf1958ba8d0801b3d1dd587
    SHA1: de09c8d315949b3a995a11d82ff85ed4a00bdec8
    SHA256: 265b572d68f2424baa98c5b15d5450a50e750b57a75b8359bdb142b18a9e1b05
    SHA512: ecb5b9a2c99069f2e87d89f02069156789a15e1d20e976116caf9f6f6f885e234a6f2d9409308a63c98b8b2a2bed21c81fd9364eb29de20412234b9691b29c54

  • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Aqwbkkvq.lnk
    Filesize: 1KB
    MD5: 2027f6d684167f0467856e4fc20814dc
    SHA1: 09364a18cf647d90c6b4b9c016ef86663a15b709
    SHA256: 092e8c2fa6b94c6bd5d4b3bf228dbdd74d5513fa3e7f72b684401666fe72ec0e
    SHA512: 06c9c5d3fd5262a27c9d6aa011dc1973fbfa6a152c5f9994a1f878c2042d6de8b017d1eb8bee64eeb66442f2f422cee818672b04dd6f7ebf5b29985664f995dc

  • C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\iyOgOacQ9LD\XmlLite.dll
    Filesize: 2.6MB
    MD5: d8483d37fa563e49ed2a3a51a17b83cd
    SHA1: e63786ca7649262cb371bb7ed42bedd39f1eed59
    SHA256: 4e8c0572f402b59aa4e05b06bc55ed4894422779fe7042ac86599369250cfb36
    SHA512: 706f56ebc6e5af648d020fea1e23f8688344c6dd72ef9a5a036d9e60d0ce1d0a05cc0c2bcd0740978f4bd669c4651cb24e86f61cb76a61ad6c47311e310e8f00

  • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\w285\UxTheme.dll
    Filesize: 2.6MB
    MD5: 63eea6391c95980c0394cfe5a1e7ffe4
    SHA1: 74d6bb67f5a4363cb64d57a44b69bb9467b2516b
    SHA256: 938622fb48c67b127b266b57b64e1a1e0fe00abffbf4e7f19a71610b623be4f9
    SHA512: 4ce8b83218d794d77defe45f54fcf73d554fd9210ca23672378701fd2fe28a6471a762f223f978cbe0133cb149b5c61b3556f72eb0db94254d53a1c472c5d764

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\27\UxTheme.dll
    Filesize: 2.6MB
    MD5: 55a43a93aeb047ea7e848eb9e7e7b1c0
    SHA1: 9499c7c2db525fde3771e7936e567ba0f0227792
    SHA256: 98826b25fe1d109f1d2d9ab993fd57f9a26e6104550071a791c792d69118f692
    SHA512: 67f2c0b2519204497a52a857dd2e352b0428bb09a9dacb841ac301c582d5f6ad9d1152092c847c09641905e796c3d1b49027f677cf51d953cbf39c90b9f6501d

  • memory/1488-103-0x0000000140000000-0x0000000140294000-memory.dmp (Filesize: 2.6MB)
  • memory/1488-98-0x0000013D3D170000-0x0000013D3D177000-memory.dmp (Filesize: 28KB)
  • memory/1488-96-0x0000000140000000-0x0000000140294000-memory.dmp (Filesize: 2.6MB)
  • memory/2504-0-0x0000000140000000-0x0000000140293000-memory.dmp (Filesize: 2.6MB)
  • memory/2504-8-0x0000000140000000-0x0000000140293000-memory.dmp (Filesize: 2.6MB)
  • memory/2504-3-0x000001C78FC70000-0x000001C78FC77000-memory.dmp (Filesize: 28KB)
  • memory/2504-1-0x0000000140000000-0x0000000140293000-memory.dmp (Filesize: 2.6MB)
  • memory/2940-118-0x000001FA0DA90000-0x000001FA0DA97000-memory.dmp (Filesize: 28KB)
  • memory/2940-122-0x0000000140000000-0x0000000140294000-memory.dmp (Filesize: 2.6MB)
  • memory/2940-115-0x0000000140000000-0x0000000140294000-memory.dmp (Filesize: 2.6MB)
  • memory/3088-80-0x000002578C300000-0x000002578C307000-memory.dmp (Filesize: 28KB)
  • memory/3088-84-0x0000000140000000-0x0000000140294000-memory.dmp (Filesize: 2.6MB)
  • memory/3088-78-0x0000000140000000-0x0000000140294000-memory.dmp (Filesize: 2.6MB)
  • memory/3420-22-0x0000000140000000-0x0000000140293000-memory.dmp (Filesize: 2.6MB)
  • memory/3420-33-0x0000000140000000-0x0000000140293000-memory.dmp (Filesize: 2.6MB)
  • memory/3420-36-0x0000000140000000-0x0000000140293000-memory.dmp (Filesize: 2.6MB)
  • memory/3420-31-0x0000000140000000-0x0000000140293000-memory.dmp (Filesize: 2.6MB)
  • memory/3420-37-0x0000000140000000-0x0000000140293000-memory.dmp (Filesize: 2.6MB)
  • memory/3420-40-0x0000000140000000-0x0000000140293000-memory.dmp (Filesize: 2.6MB)
  • memory/3420-39-0x0000000140000000-0x0000000140293000-memory.dmp (Filesize: 2.6MB)
  • memory/3420-42-0x0000000140000000-0x0000000140293000-memory.dmp (Filesize: 2.6MB)
  • memory/3420-41-0x0000000140000000-0x0000000140293000-memory.dmp (Filesize: 2.6MB)
  • memory/3420-38-0x0000000140000000-0x0000000140293000-memory.dmp (Filesize: 2.6MB)
  • memory/3420-30-0x0000000140000000-0x0000000140293000-memory.dmp (Filesize: 2.6MB)
  • memory/3420-43-0x0000000140000000-0x0000000140293000-memory.dmp (Filesize: 2.6MB)
  • memory/3420-44-0x0000000140000000-0x0000000140293000-memory.dmp (Filesize: 2.6MB)
  • memory/3420-45-0x0000000140000000-0x0000000140293000-memory.dmp (Filesize: 2.6MB)
  • memory/3420-47-0x0000000140000000-0x0000000140293000-memory.dmp (Filesize: 2.6MB)
  • memory/3420-48-0x0000000140000000-0x0000000140293000-memory.dmp (Filesize: 2.6MB)
  • memory/3420-50-0x0000000001EB0000-0x0000000001EB7000-memory.dmp (Filesize: 28KB)
  • memory/3420-49-0x0000000140000000-0x0000000140293000-memory.dmp (Filesize: 2.6MB)
  • memory/3420-46-0x0000000140000000-0x0000000140293000-memory.dmp (Filesize: 2.6MB)
  • memory/3420-57-0x0000000140000000-0x0000000140293000-memory.dmp (Filesize: 2.6MB)
  • memory/3420-58-0x00007FF807F60000-0x00007FF807F70000-memory.dmp (Filesize: 64KB)
  • memory/3420-67-0x0000000140000000-0x0000000140293000-memory.dmp (Filesize: 2.6MB)
  • memory/3420-69-0x0000000140000000-0x0000000140293000-memory.dmp (Filesize: 2.6MB)
  • memory/3420-35-0x0000000140000000-0x0000000140293000-memory.dmp (Filesize: 2.6MB)
  • memory/3420-34-0x0000000140000000-0x0000000140293000-memory.dmp (Filesize: 2.6MB)
  • memory/3420-32-0x0000000140000000-0x0000000140293000-memory.dmp (Filesize: 2.6MB)
  • memory/3420-29-0x0000000140000000-0x0000000140293000-memory.dmp (Filesize: 2.6MB)
  • memory/3420-28-0x0000000140000000-0x0000000140293000-memory.dmp (Filesize: 2.6MB)
  • memory/3420-27-0x0000000140000000-0x0000000140293000-memory.dmp (Filesize: 2.6MB)
  • memory/3420-26-0x0000000140000000-0x0000000140293000-memory.dmp (Filesize: 2.6MB)
  • memory/3420-25-0x0000000140000000-0x0000000140293000-memory.dmp (Filesize: 2.6MB)
  • memory/3420-24-0x0000000140000000-0x0000000140293000-memory.dmp (Filesize: 2.6MB)
  • memory/3420-23-0x0000000140000000-0x0000000140293000-memory.dmp (Filesize: 2.6MB)
  • memory/3420-21-0x0000000140000000-0x0000000140293000-memory.dmp (Filesize: 2.6MB)
  • memory/3420-20-0x0000000140000000-0x0000000140293000-memory.dmp (Filesize: 2.6MB)
  • memory/3420-19-0x0000000140000000-0x0000000140293000-memory.dmp (Filesize: 2.6MB)
  • memory/3420-18-0x0000000140000000-0x0000000140293000-memory.dmp (Filesize: 2.6MB)
  • memory/3420-17-0x0000000140000000-0x0000000140293000-memory.dmp (Filesize: 2.6MB)
  • memory/3420-16-0x0000000140000000-0x0000000140293000-memory.dmp (Filesize: 2.6MB)
  • memory/3420-9-0x0000000140000000-0x0000000140293000-memory.dmp (Filesize: 2.6MB)
  • memory/3420-7-0x0000000140000000-0x0000000140293000-memory.dmp (Filesize: 2.6MB)
  • memory/3420-15-0x0000000140000000-0x0000000140293000-memory.dmp (Filesize: 2.6MB)
  • memory/3420-14-0x0000000140000000-0x0000000140293000-memory.dmp (Filesize: 2.6MB)
  • memory/3420-13-0x0000000140000000-0x0000000140293000-memory.dmp (Filesize: 2.6MB)
  • memory/3420-12-0x0000000140000000-0x0000000140293000-memory.dmp (Filesize: 2.6MB)
  • memory/3420-11-0x0000000140000000-0x0000000140293000-memory.dmp (Filesize: 2.6MB)
  • memory/3420-10-0x00007FF807ECA000-0x00007FF807ECB000-memory.dmp (Filesize: 4KB)
  • memory/3420-5-0x0000000001F00000-0x0000000001F01000-memory.dmp (Filesize: 4KB)