Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23-01-2024 23:33

General

  • Target

    70d94e86e118a27adfe3f75b8db4134c.dll

  • Size

    2.1MB

  • MD5

    70d94e86e118a27adfe3f75b8db4134c

  • SHA1

    252169f8b3b9f7e3187e1c25ee2e7561de450968

  • SHA256

    814d959ae1800dc9c90f630f8f204a2f36fca00c3c4fe9c460b399f957e499f6

  • SHA512

    815381ef381bcc883564b00866ce22a22e910d948885d107c3a679c87ddd99dc8c23723ac825ec8594ba67233622d79599ad9207d9dccc3476163703c44b3052

  • SSDEEP

    12288:BVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1Web:wfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a banking trojan that specializes in stealing bank credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex payload shellcode injected into the Explorer process.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\70d94e86e118a27adfe3f75b8db4134c.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:4812
  • C:\Windows\system32\dialer.exe
    C:\Windows\system32\dialer.exe
    1⤵
    PID:4332
  • C:\Users\Admin\AppData\Local\dObU8T\dialer.exe
    C:\Users\Admin\AppData\Local\dObU8T\dialer.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:1192
  • C:\Windows\system32\dxgiadaptercache.exe
    C:\Windows\system32\dxgiadaptercache.exe
    1⤵
    PID:3932
  • C:\Users\Admin\AppData\Local\1kYp\dxgiadaptercache.exe
    C:\Users\Admin\AppData\Local\1kYp\dxgiadaptercache.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:2168
  • C:\Windows\system32\AgentService.exe
    C:\Windows\system32\AgentService.exe
    1⤵
    PID:1852
  • C:\Users\Admin\AppData\Local\ZeCnj7u\AgentService.exe
    C:\Users\Admin\AppData\Local\ZeCnj7u\AgentService.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:5044

        Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\1kYp\dxgi.dll

          Filesize

          184KB

          MD5

          390f005f3c3837f40b0c36ad5c11c9af

          SHA1

          f701d9368afb0d9f53e20a394e03d1d8f7fcf41c

          SHA256

          3cf15b7971db2d84174df43dfab63cc25ccf2729e320be98fffca3474fe99dbc

          SHA512

          cf108decfca258499181106f40d05ef83cb115e7babcd2f53805cce9963f8055fa52231332d6fa1f952150be20e3a5745fa3443b5cc734d10b9fe5e6d164eee5

        • C:\Users\Admin\AppData\Local\1kYp\dxgi.dll

          Filesize

          117KB

          MD5

          64130f620a69efaa52755c54beb53300

          SHA1

          1f571c422e322317bfb419c97fb05317893f1126

          SHA256

          8a22f9562b4d7e5a8170a6d6a1fc3fe0566f523c030d066704430c97c66ec910

          SHA512

          f7509cf580d1ac337b5f6af528115071e1ff8da8dd4e2e77a6a695a3229ef41c90b7e5a748feae0465ef6173790e7f6659bb621d14769b630994b85a0e192526

        • C:\Users\Admin\AppData\Local\1kYp\dxgi.dll

          Filesize

          143KB

          MD5

          aa043d56d9f02fd33dc69aa642ea0050

          SHA1

          cf04dcce34df71970be898678a8b13b8a87ee42f

          SHA256

          059ebca03641f9907e8b872d2fcae4e01ca7d98b883889701a4248cce682910d

          SHA512

          01352b3a860cb702ede03e00825e2392dc0606014bf70a24b4cbaa34874496ac896dbe6d1367ab1abc6a164a2ccdb06a449075f1fed2d30a5ae0ab0b6f05a5cd

        • C:\Users\Admin\AppData\Local\1kYp\dxgiadaptercache.exe

          Filesize

          77KB

          MD5

          ee91e5bb1a037013b1e51ada11e6b523

          SHA1

          b790ac32f6ac13eaaf0950e104fc7be270d03fd6

          SHA256

          857882938b2cca6054d0dcd026c7f4f98bec05f7e58aab15341bf44b48e9cf6b

          SHA512

          8a69f123f3dbfed490a473eff3a0fea107e1ee2ac0f83d6710854e7e652ad6e5a218a70bb3cee705ce30b05c945dcdbaeef301cb263dd5760e46a218bc88ae22

        • C:\Users\Admin\AppData\Local\1kYp\dxgiadaptercache.exe

          Filesize

          211KB

          MD5

          5af3821df5f10b3e9427ddee30de9ee8

          SHA1

          8b0084a20a4b279baedcd92900743dc0e0f1d291

          SHA256

          2c54b5c8c327244a503a25edc30ab4411e2f0d9ed3f25af325bc17dd3f055068

          SHA512

          1844b96eec4b356d5c526cb32a5d23a3eca4231b688e9cb9343d39c939b9fd9cf163fb554d6ccda0314b312aefd302b3d0cc96719f79816e52fa59bbb168eb08

        • C:\Users\Admin\AppData\Local\ZeCnj7u\AgentService.exe

          Filesize

          451KB

          MD5

          2e900fe44836e7b4c659a5fd65fb8e6f

          SHA1

          72a3c7b6f7a1ec1652d1a440fa392f7e7493f12e

          SHA256

          1be17ef566d442bdb3df7786f21516e0b72f365f5e83e40dc931fc98332a768a

          SHA512

          ff4471aa35d7f88b59f41650e3e501aea7a3c84e8211af40f50526b6d3affc9911c7b490ad2ea587999f19003755faaf0aa4a3adb3668f9eda64570a03d44fc7

        • C:\Users\Admin\AppData\Local\ZeCnj7u\AgentService.exe

          Filesize

          285KB

          MD5

          b8c247cfbb54f2d783661d6861f2e9f4

          SHA1

          0c15398d26a63ffcdaccdc89f1326d019188d5a4

          SHA256

          d7ba62d489904737d8b453e03307fa29bc2386af085f9c87b57c89d5ff800bbf

          SHA512

          83f630c61f671e1ac5171590344255fb88a4fec8773379edf9baf0456971cca5a84173028e6c0506231e876c908ba835bfb09f98d1a484b71a0cc41f8cd10d5a

        • C:\Users\Admin\AppData\Local\ZeCnj7u\VERSION.dll

          Filesize

          29KB

          MD5

          17205ab6e5db08b01f15506d1f48e76b

          SHA1

          77c9cbeec9d517a591dc3ec56ed05227e97c7c88

          SHA256

          7aa6b4041bc8d801c34f8c099c6c6fde7bbecc88e22899cda581c7bdc3550157

          SHA512

          dd75545acacda8b4a8e74752aa570a623d0b3f0ad3ff6442bdb8e1cb902ae127856fb44f997be0d5beb4bf3f26d1019b3b639f6fc731bb5fc32c84471fbcdc8e

        • C:\Users\Admin\AppData\Local\ZeCnj7u\VERSION.dll

          Filesize

          521KB

          MD5

          f19d189e42774c3b169fee6f15d7b8f5

          SHA1

          ca96c3870891f6bcfa68a148217ad9fb44f6363e

          SHA256

          2fe6bb5c93fdbe0d35df548cfad2cd5b31784368499b86b78104012c8deffea0

          SHA512

          1f3de62caea2506db659a23b5658ffc06e0958f662041307b281fb07854a14723e2b834a2d01165fc41c813d5e911c608670b46c7c1711f8f29d5fbe2aa6bd2b

        • C:\Users\Admin\AppData\Local\dObU8T\TAPI32.dll

          Filesize

          240KB

          MD5

          18ff33271362fa7aeeccac00ed472cda

          SHA1

          3a9067b8fa660e86e411161fac7ef2664d9e09d0

          SHA256

          d7882a450813586315ffa892fc43914680882406abc5718a9a0ad3a20849f111

          SHA512

          27dc999ca1adf7ef93c4f73778a6f7195e8d09abee8dc63115c5f8b34cb1d901d5a5113bc7aea34efc5c7373f009523d1ee4c64adeb5f9ed2994cfa00565d45e

        • C:\Users\Admin\AppData\Local\dObU8T\TAPI32.dll

          Filesize

          334KB

          MD5

          b09301c0687735309662d8fbd07b52d4

          SHA1

          e36035771c0466cfb084f41fdab27a22182c7ac7

          SHA256

          b7d15b24a1019e3afb95b9202bed18400942141d3584780f83a4ef9d21ce9d44

          SHA512

          e935b022b6799fa0cad7af0e1ab975c2d86528f2a4b768049b71646d200f009a802138776a2299d1c3fb67553b6036c2075c3096786bc6b4dcd33e5061065418

        • C:\Users\Admin\AppData\Local\dObU8T\dialer.exe

          Filesize

          39KB

          MD5

          b2626bdcf079c6516fc016ac5646df93

          SHA1

          838268205bd97d62a31094d53643c356ea7848a6

          SHA256

          e3ac5e6196f3a98c1946d85c653866c318bb2a86dd865deffa7b52f665d699bb

          SHA512

          615cfe1f91b895513c687906bf3439ca352afcadd3b73f950af0a3b5fb1b358168a7a25a6796407b212fde5f803dd880bcdc350d8bac7e7594090d37ce259971

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Hxquhu.lnk

          Filesize

          1KB

          MD5

          0033d767b7d3a696616321de5a00ad6c

          SHA1

          0d38b29b91945e6841a013bd5fede12703924719

          SHA256

          5013c3b752f514decc35e7c5a19ec43a5cf62f09483e0369d9303ba96a6b8826

          SHA512

          80c8be8c23307fa919c33282ab726f8b7f7bc9f68a2e32ada65205ed9c3cdeee2a5ebb556524a4c2314c1f5602064756e93cdf6cb5e45979844eb26d716d86b8

        • C:\Users\Admin\AppData\Roaming\Microsoft\AddIns\UhFAo1NN\dxgi.dll

          Filesize

          2.1MB

          MD5

          68e9e31081046b6caea90f472e106df4

          SHA1

          e4dec62d59a4eb61a7aa1b4816b6276c2f9666d6

          SHA256

          c2793e2680ffc3206cb5f933aa96363aca2270dba4d2fad5a48164dac3e32dc4

          SHA512

          49be414f4ccd37c6a7a3a0295431666b87705168e984fedcbe7685b06fda9245f70e1677cd11fbfa3ba90ecac7e72fc14c9f6e27673b3980bce616833bcbfc58

        • C:\Users\Admin\AppData\Roaming\Microsoft\Protect\LH1ssw\VERSION.dll

          Filesize

          2.1MB

          MD5

          12eaa2702daa737186a435f027928272

          SHA1

          cf7b84dca4e43e05b94a85dec7a011798acb25c3

          SHA256

          a9291a10f6abd2e387985c8b0545fae726915dc0ec802344419d6a3784ef1e94

          SHA512

          9878b40abd6b15e55be24865474f64983b5a37bc59c0a4d6cf4551e97230163c7727507be53908808adf1857a7047777c69162db1bcc66bb2c76d2bca36332f9

        • C:\Users\Admin\AppData\Roaming\Microsoft\Vault\yLsw\TAPI32.dll

          Filesize

          2.1MB

          MD5

          b05d3562ed4c1d95f54e558cbe271043

          SHA1

          4f470c9d0cac038993d1ddf70ad9f3246e71130f

          SHA256

          2c52b52d2dd338aba1ce422df13decac098da4b52004314d87035bec074cbc6d

          SHA512

          5f9fcd86dddb0a8df41dd6b751fefe480917cfa869b773fc8283810fc58ac265f4f5fdc802ea68638080b3780354095e4050527393eb008ca12acc44ba1bf92a

        • memory/1192-82-0x0000000140000000-0x0000000140222000-memory.dmp

          Filesize

          2.1MB

        • memory/1192-78-0x00000169513F0000-0x00000169513F7000-memory.dmp

          Filesize

          28KB

        • memory/1192-76-0x0000000140000000-0x0000000140222000-memory.dmp

          Filesize

          2.1MB

        • memory/2168-94-0x0000029B368B0000-0x0000029B368B7000-memory.dmp

          Filesize

          28KB

        • memory/2168-95-0x0000000140000000-0x0000000140221000-memory.dmp

          Filesize

          2.1MB

        • memory/3304-21-0x0000000140000000-0x0000000140220000-memory.dmp

          Filesize

          2.1MB

        • memory/3304-55-0x0000000140000000-0x0000000140220000-memory.dmp

          Filesize

          2.1MB

        • memory/3304-24-0x0000000140000000-0x0000000140220000-memory.dmp

          Filesize

          2.1MB

        • memory/3304-23-0x0000000140000000-0x0000000140220000-memory.dmp

          Filesize

          2.1MB

        • memory/3304-28-0x0000000140000000-0x0000000140220000-memory.dmp

          Filesize

          2.1MB

        • memory/3304-29-0x0000000140000000-0x0000000140220000-memory.dmp

          Filesize

          2.1MB

        • memory/3304-30-0x0000000140000000-0x0000000140220000-memory.dmp

          Filesize

          2.1MB

        • memory/3304-31-0x0000000140000000-0x0000000140220000-memory.dmp

          Filesize

          2.1MB

        • memory/3304-32-0x0000000140000000-0x0000000140220000-memory.dmp

          Filesize

          2.1MB

        • memory/3304-33-0x0000000140000000-0x0000000140220000-memory.dmp

          Filesize

          2.1MB

        • memory/3304-34-0x0000000140000000-0x0000000140220000-memory.dmp

          Filesize

          2.1MB

        • memory/3304-35-0x0000000140000000-0x0000000140220000-memory.dmp

          Filesize

          2.1MB

        • memory/3304-37-0x0000000140000000-0x0000000140220000-memory.dmp

          Filesize

          2.1MB

        • memory/3304-36-0x0000000140000000-0x0000000140220000-memory.dmp

          Filesize

          2.1MB

        • memory/3304-40-0x0000000140000000-0x0000000140220000-memory.dmp

          Filesize

          2.1MB

        • memory/3304-42-0x0000000140000000-0x0000000140220000-memory.dmp

          Filesize

          2.1MB

        • memory/3304-41-0x0000000140000000-0x0000000140220000-memory.dmp

          Filesize

          2.1MB

        • memory/3304-44-0x0000000140000000-0x0000000140220000-memory.dmp

          Filesize

          2.1MB

        • memory/3304-46-0x0000000140000000-0x0000000140220000-memory.dmp

          Filesize

          2.1MB

        • memory/3304-45-0x0000000140000000-0x0000000140220000-memory.dmp

          Filesize

          2.1MB

        • memory/3304-43-0x0000000140000000-0x0000000140220000-memory.dmp

          Filesize

          2.1MB

        • memory/3304-39-0x0000000140000000-0x0000000140220000-memory.dmp

          Filesize

          2.1MB

        • memory/3304-38-0x0000000140000000-0x0000000140220000-memory.dmp

          Filesize

          2.1MB

        • memory/3304-47-0x0000000140000000-0x0000000140220000-memory.dmp

          Filesize

          2.1MB

        • memory/3304-48-0x0000000000E90000-0x0000000000E97000-memory.dmp

          Filesize

          28KB

        • memory/3304-27-0x0000000140000000-0x0000000140220000-memory.dmp

          Filesize

          2.1MB

        • memory/3304-56-0x00007FF82DC40000-0x00007FF82DC50000-memory.dmp

          Filesize

          64KB

        • memory/3304-65-0x0000000140000000-0x0000000140220000-memory.dmp

          Filesize

          2.1MB

        • memory/3304-67-0x0000000140000000-0x0000000140220000-memory.dmp

          Filesize

          2.1MB

        • memory/3304-26-0x0000000140000000-0x0000000140220000-memory.dmp

          Filesize

          2.1MB

        • memory/3304-25-0x0000000140000000-0x0000000140220000-memory.dmp

          Filesize

          2.1MB

        • memory/3304-22-0x0000000140000000-0x0000000140220000-memory.dmp

          Filesize

          2.1MB

        • memory/3304-5-0x00007FF82CC1A000-0x00007FF82CC1B000-memory.dmp

          Filesize

          4KB

        • memory/3304-20-0x0000000140000000-0x0000000140220000-memory.dmp

          Filesize

          2.1MB

        • memory/3304-19-0x0000000140000000-0x0000000140220000-memory.dmp

          Filesize

          2.1MB

        • memory/3304-17-0x0000000140000000-0x0000000140220000-memory.dmp

          Filesize

          2.1MB

        • memory/3304-18-0x0000000140000000-0x0000000140220000-memory.dmp

          Filesize

          2.1MB

        • memory/3304-15-0x0000000140000000-0x0000000140220000-memory.dmp

          Filesize

          2.1MB

        • memory/3304-16-0x0000000140000000-0x0000000140220000-memory.dmp

          Filesize

          2.1MB

        • memory/3304-13-0x0000000140000000-0x0000000140220000-memory.dmp

          Filesize

          2.1MB

        • memory/3304-14-0x0000000140000000-0x0000000140220000-memory.dmp

          Filesize

          2.1MB

        • memory/3304-12-0x0000000140000000-0x0000000140220000-memory.dmp

          Filesize

          2.1MB

        • memory/3304-9-0x0000000140000000-0x0000000140220000-memory.dmp

          Filesize

          2.1MB

        • memory/3304-11-0x0000000140000000-0x0000000140220000-memory.dmp

          Filesize

          2.1MB

        • memory/3304-10-0x0000000140000000-0x0000000140220000-memory.dmp

          Filesize

          2.1MB

        • memory/3304-4-0x0000000002D90000-0x0000000002D91000-memory.dmp

          Filesize

          4KB

        • memory/3304-7-0x0000000140000000-0x0000000140220000-memory.dmp

          Filesize

          2.1MB

        • memory/4812-8-0x0000000140000000-0x0000000140220000-memory.dmp

          Filesize

          2.1MB

        • memory/4812-1-0x0000000140000000-0x0000000140220000-memory.dmp

          Filesize

          2.1MB

        • memory/4812-0-0x000002097B570000-0x000002097B577000-memory.dmp

          Filesize

          28KB

        • memory/5044-111-0x000001AE86FA0000-0x000001AE86FA7000-memory.dmp

          Filesize

          28KB
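Triage helper, added here as an example; it is not part of the sandbox report and not code from the sample. It takes the dropped-file paths and reported sizes from the Downloads section above and the three System32 executable names from the Processes section (both reproduced inline as constructed data) and surfaces what a responder would pull out of this report: a copy of a Windows-native executable placed in a user-writable directory next to a DLL (the DLL side-loading setup that "Executes dropped EXE" plus "Loads dropped DLL" points at), DLLs in the user profile whose reported size matches the submitted 2.1MB sample, and shortcuts written into a Startup folder. Which DLL each executable actually imports is not stated on the page and is not assumed by the code; it only pairs executables with DLLs dropped in the same directory. Sizes are the report's rounded values, so the size check is a lead for hash comparison, not a match.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed from the Processes section above: executables that ran once from
# C:\Windows\system32 and again from a user-writable copy (names lower-cased).
SYSTEM_EXE_NAMES = {"dialer.exe", "dxgiadaptercache.exe", "agentservice.exe"}

# Constructed from the Downloads section above as (path, reported size).
# A path repeats when the sandbox captured the file more than once.
DROPPED_FILES = [
    (r"C:\Users\Admin\AppData\Local\1kYp\dxgi.dll", "184KB"),
    (r"C:\Users\Admin\AppData\Local\1kYp\dxgi.dll", "117KB"),
    (r"C:\Users\Admin\AppData\Local\1kYp\dxgi.dll", "143KB"),
    (r"C:\Users\Admin\AppData\Local\1kYp\dxgiadaptercache.exe", "77KB"),
    (r"C:\Users\Admin\AppData\Local\1kYp\dxgiadaptercache.exe", "211KB"),
    (r"C:\Users\Admin\AppData\Local\ZeCnj7u\AgentService.exe", "451KB"),
    (r"C:\Users\Admin\AppData\Local\ZeCnj7u\AgentService.exe", "285KB"),
    (r"C:\Users\Admin\AppData\Local\ZeCnj7u\VERSION.dll", "29KB"),
    (r"C:\Users\Admin\AppData\Local\ZeCnj7u\VERSION.dll", "521KB"),
    (r"C:\Users\Admin\AppData\Local\dObU8T\TAPI32.dll", "240KB"),
    (r"C:\Users\Admin\AppData\Local\dObU8T\TAPI32.dll", "334KB"),
    (r"C:\Users\Admin\AppData\Local\dObU8T\dialer.exe", "39KB"),
    (r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Hxquhu.lnk", "1KB"),
    (r"C:\Users\Admin\AppData\Roaming\Microsoft\AddIns\UhFAo1NN\dxgi.dll", "2.1MB"),
    (r"C:\Users\Admin\AppData\Roaming\Microsoft\Protect\LH1ssw\VERSION.dll", "2.1MB"),
    (r"C:\Users\Admin\AppData\Roaming\Microsoft\Vault\yLsw\TAPI32.dll", "2.1MB"),
]

SAMPLE_SIZE = "2.1MB"  # size of the submitted DLL, from the General section


def parse_size(text: str) -> int:
    """Convert a report size string such as '184KB' or '2.1MB' to bytes."""
    units = {"MB": 1024 ** 2, "KB": 1024, "B": 1}
    for unit, factor in units.items():  # longest suffix is tried first
        if text.upper().endswith(unit):
            return int(float(text[: -len(unit)]) * factor)
    raise ValueError(f"unrecognised size: {text!r}")


def is_user_writable(path: PureWindowsPath) -> bool:
    """True for anything under C:\\Users\\... (the only such root in this report)."""
    return len(path.parts) > 1 and path.parts[1].lower() == "users"


def sideload_candidates(dropped, system_exe_names=SYSTEM_EXE_NAMES):
    """Map each System32-named executable dropped in a user-writable directory
    to the DLLs dropped beside it. A hit means 'check this executable's import
    table for that DLL name'; the import relationship itself is not checked."""
    names_by_dir = defaultdict(set)
    for raw, _size in dropped:
        path = PureWindowsPath(raw)
        if is_user_writable(path):
            names_by_dir[str(path.parent)].add(path.name)

    hits = {}
    for directory, names in names_by_dir.items():
        dlls = sorted(n for n in names if n.lower().endswith(".dll"))
        for exe in sorted(n for n in names if n.lower() in system_exe_names):
            if dlls:
                base = PureWindowsPath(directory)
                hits[str(base / exe)] = [str(base / d) for d in dlls]
    return hits


def payload_copies(dropped, sample_size=SAMPLE_SIZE):
    """DLLs in the user profile whose reported size equals the submitted sample's.
    The report rounds sizes, so this is a lead to hash-check, not a match."""
    target = parse_size(sample_size)
    return sorted({raw for raw, size in dropped
                   if raw.lower().endswith(".dll")
                   and is_user_writable(PureWindowsPath(raw))
                   and parse_size(size) == target})


def startup_shortcuts(dropped):
    """Shortcut (.lnk) files written into a Startup folder: shell autostart."""
    return sorted({raw for raw, _size in dropped
                   if "\\startup\\" in raw.lower() and raw.lower().endswith(".lnk")})


if __name__ == "__main__":
    for exe, dlls in sideload_candidates(DROPPED_FILES).items():
        print(f"side-load candidate: {exe} next to {', '.join(dlls)}")
    for path in payload_copies(DROPPED_FILES):
        print(f"sample-sized DLL in user profile: {path}")
    for path in startup_shortcuts(DROPPED_FILES):
        print(f"startup shortcut: {path}")
```

On this report the script pairs dObU8T\dialer.exe with TAPI32.dll, 1kYp\dxgiadaptercache.exe with dxgi.dll and ZeCnj7u\AgentService.exe with VERSION.dll, lists the three 2.1MB DLLs under Roaming, and the Hxquhu.lnk startup shortcut. Two follow-ups the page itself motivates: the three 2.1MB DLLs carry different hashes from the submitted sample, so they are not byte-identical copies and need their own analysis; and the memory dumps reference PID 3304, which does not appear in the Processes list, while the Dridex Shellcode signature refers to injection into Explorer without the report saying which process 3304 is.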