Analysis

  • max time kernel
    1s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23-01-2024 19:52

General

  • Target

    706c428f1cdf3c4e2003ba9c1a54b608.dll

  • Size

    1.4MB

  • MD5

    706c428f1cdf3c4e2003ba9c1a54b608

  • SHA1

    3b476cac8210f67bbca4ba8a89216f169c977883

  • SHA256

    22cfa40d7e29bf79dc313aa90b86ea3a7716d0a95e553cfe8d112098645a039b

  • SHA512

    f2ae94b7dd481354bba7e05cc2af08e8e99f81ec960f70e128657476b28b6645dea26e02e5c702a7e8f3a75aec403767f5fe9e35796b03a354dbe1fde6b5cc26

  • SSDEEP

    12288:7VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:afP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a banking trojan that specializes in stealing banking credentials.

  • Dridex Shellcode (1 IoCs)

    Detects Dridex payload shellcode injected into the Explorer process.

  • Checks whether UAC is enabled (1 TTPs, 1 IoCs)
  • Suspicious behavior: EnumeratesProcesses (4 IoCs)

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\706c428f1cdf3c4e2003ba9c1a54b608.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2640
  • C:\Windows\system32\omadmclient.exe
    C:\Windows\system32\omadmclient.exe
    1⤵
    PID:916
  • C:\Windows\system32\EhStorAuthn.exe
    C:\Windows\system32\EhStorAuthn.exe
    1⤵
    PID:2720
  • C:\Windows\system32\SystemPropertiesPerformance.exe
    C:\Windows\system32\SystemPropertiesPerformance.exe
    1⤵
    PID:1080
  • C:\Users\Admin\AppData\Local\edlk\SystemPropertiesPerformance.exe
    C:\Users\Admin\AppData\Local\edlk\SystemPropertiesPerformance.exe
    1⤵
    PID:64
  • C:\Users\Admin\AppData\Local\vaJ8\EhStorAuthn.exe
    C:\Users\Admin\AppData\Local\vaJ8\EhStorAuthn.exe
    1⤵
    PID:1936
  • C:\Users\Admin\AppData\Local\bOjF4Jk\omadmclient.exe
    C:\Users\Admin\AppData\Local\bOjF4Jk\omadmclient.exe
    1⤵
    PID:1208

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\bOjF4Jk\XmlLite.dll
    Filesize: 81KB
    MD5:    701a71f2b74f5092847975606808ca4d
    SHA1:   89274d5e375a3c62007f2e894cbbeb4879d315c7
    SHA256: 65c283350046436b646cdc292b860b9a2cfd608b8c507a7bcce9affecb8a503e
    SHA512: ea74780939280255210feb24392af2d16eef96fe4892bb3c6cffc9acfca8354831ae01c97fb79987ddd32c63ca88866afce1aa8250aff76b757c36f69f5ff8b8

  • C:\Users\Admin\AppData\Local\bOjF4Jk\XmlLite.dll
    Filesize: 110KB
    MD5:    a2fe86348bd66d0555a70d2ddc5bc8ec
    SHA1:   a0c494062a629c2759285d67a4f3650b767d868a
    SHA256: bc3dea993c6c2ac149584374088881120456a33a63c1ff22de4e6608cb3e5e98
    SHA512: 8e97c2c9fd102741d75e6a71a2e149c4356d74875be10e0820d4c461f0b5340cc4fb5650873ce46684f8f9e2af81c763933939747f395717804a72f9f1d5e0a9

  • C:\Users\Admin\AppData\Local\bOjF4Jk\XmlLite.dll
    Filesize: 131KB
    MD5:    3839d0bf80748bf372ab51605802e633
    SHA1:   a91366466ff5f3948a48d920779c33f464d7a5d1
    SHA256: a236a146ff2a84b2d7b4e9abb9a640576cc223bafccb22575817c351878fa424
    SHA512: ab4f570a848cabd985106e553cd05a96481fd4db6ff4deee675a2141a9e2e031d9cea7a9bae55da4a17a434357cc2a83bd122c1b06cbb79105272ba46f6e76bc

  • C:\Users\Admin\AppData\Local\bOjF4Jk\XmlLite.dll
    Filesize: 29KB
    MD5:    287c9cde6c9b41d941245a271ad72bad
    SHA1:   49f13e6cb1887a2055fade2ddb34d8358ac69073
    SHA256: 3607509832b1ac80d6020d6a710db27a251105ba7943a75b33c77a6fbfa53c3f
    SHA512: 9f1df7fcf686b72a7a977e7fe9054b0703b48cfd2eaa9efa989f61499a65854af974316d1d61898af2c9200535f5bd9348134dc1f8d973c5d7c75d94adc97acd

  • C:\Users\Admin\AppData\Local\bOjF4Jk\omadmclient.exe
    Filesize: 85KB
    MD5:    643b671742f0ce8f4d6fc96d00e71597
    SHA1:   79735cf624c98a932b75fbfcd860be807b7d8ee2
    SHA256: 3a75a4cf5833ba5ecd1196d8d2b16cf040fc3d2daf0aebf4298014aa3e596976
    SHA512: 9fe3df3a7de19934a07ce83d51e3275d6cbfc007c9d15cdfe71f576bda941ad1fc6e129c65a7aee93e4f0f81bca528cad746cebdcfa9b978fcf86c7e1ac33a49

  • C:\Users\Admin\AppData\Local\bOjF4Jk\omadmclient.exe
    Filesize: 155KB
    MD5:    616ae83739ea1f90abe55f89bf96fcc5
    SHA1:   997aef54da588559bfe642b8605bcd1546d28489
    SHA256: 0bb5de5f2177663061d5d52146f8138a71e734c950cd436a5f695b423ed17f70
    SHA512: deafd997cb8669158b7578bc044fdc6bf52499a507b3b737ec536fab68795029b2661093b12edef745ecec6a4862bdf35f46cafe87aec23cd321acd3c02b20b8

  • C:\Users\Admin\AppData\Local\edlk\SYSDM.CPL
    Filesize: 201KB
    MD5:    a19228387e84b10ead3513cbf29d768a
    SHA1:   6f2beb8e878a2dd88230d65b4fb48b2588f5a240
    SHA256: e99c2dfb1ca37677e8f835ffee92b7e56ed2fbe4601b5f7e0919263f5f0924ab
    SHA512: 6056ccbb9be2d25f135981a6b2fd38710add3d93420a8eca5079524d270b829e4d430fab091fb80c55bbc3d6eab5c20e97358fe4780abad857a2e4276c87d1ea

  • C:\Users\Admin\AppData\Local\edlk\SYSDM.CPL
    Filesize: 287KB
    MD5:    d1fd78be8f1d9e8bf3762965356b1fbc
    SHA1:   67396f71236dea6868997ea2e05ff784e761cda6
    SHA256: 5bb77831ec8687e9849eecc000b7cd5766d205efe018d811129c4b64d33f901c
    SHA512: 1232a5c73fae3548f06198f3726d457f50dba68f1aaa1cbe022a7a3b877556aecf446eb79a64495d56d2a17ba2690ecbd2d6e2133182cdfd976b345d7a738f9a

  • C:\Users\Admin\AppData\Local\edlk\SystemPropertiesPerformance.exe
    Filesize: 82KB
    MD5:    e4fbf7cab8669c7c9cef92205d2f2ffc
    SHA1:   adbfa782b7998720fa85678cc85863b961975e28
    SHA256: b266318d45a4245556a2e39b763f2f11eca780969105f6f103e53dd0a492bb30
    SHA512: c5c62578d04133352d6cb7b018df96a7b55c18d6111ab8bf2bfe232a3315a63b07047fa5b0b88551d152085776c66169b47566242c8c4c5e0333c55adc64e1b6

  • C:\Users\Admin\AppData\Local\vaJ8\EhStorAuthn.exe
    Filesize: 128KB
    MD5:    d45618e58303edb4268a6cca5ec99ecc
    SHA1:   1f8049fc5ea8b57bb68e19fb55cb9dc1e18e9513
    SHA256: d527323643be9df4d174c3169c6f2c7854a59b781654bcaebd154cb51fb4219c
    SHA512: 5d7ae663dcfedfaf00836dc018131851e5a40778bd582b417b9f0bbd4bb6d1b2eb8f37f7f5a01cd2beed78b6037ef6eb2a3290248d5e901173b1407990a202bd

  • C:\Users\Admin\AppData\Local\vaJ8\UxTheme.dll
    Filesize: 203KB
    MD5:    6cf801a60387ea807170680e796d55da
    SHA1:   05df3f71b273da19268137cf882444ec7cefe2ca
    SHA256: 294398b842356ddb9a4c8a1565429752768936974e5076677edb1cb599996cd5
    SHA512: 81074b61209cfcd6155d5bea46ef95360dd4d8b4870fe6dfb1cebc23c92247910433ac52910f8fc6416e006e610114de52c4161930f661d4fd12f2bb34c3bcaa

  • C:\Users\Admin\AppData\Local\vaJ8\UxTheme.dll
    Filesize: 283KB
    MD5:    8211d674831d4c6b4c94c22de4ee5aef
    SHA1:   e35f1276f1f65111d1791f30ae5542a6ca140053
    SHA256: b60c8a916116f3afb93d101ebc9e63bb3c4a637f5f6c46e4ccd7cdd9394a2b62
    SHA512: 32b764a15e0bfdf7d40bfea8f84d898aa33269d7471a3b00a7329f89b956cd0362be1914ba6bc41bfc9bb67d1de1c6169e855cf7329604c0a6fa13d2f3e47b7c

  • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Udjzqp.lnk
    Filesize: 1KB
    MD5:    d919b6d93ec53dbe68e19e2e7b6a1ff9
    SHA1:   0ebbf3bedcc35b57557aaf7e65ac404f5c1dcdc2
    SHA256: 79c3324f6c65bc68b4e7bb4a5cf00e8bbab687aa019d1df538c1415ab382eeed
    SHA512: b0fadaf41f76613da72503d38ed4ce96eba0a7f65425c0e508d5da517214fd75245fc9369e0c045bf025da30eaffb9b5b58f184b565d776448caa698e7d91b3c

  • C:\Users\Admin\AppData\Roaming\Microsoft\Protect\aoDuCF8rbr\XmlLite.dll
    Filesize: 116KB
    MD5:    371dba2f4e4568c391788ea271d6275b
    SHA1:   73354a0bdfa49eb2e02696c83ca3049d2b954348
    SHA256: ddbf2d2f5f720f756f4180c1fb8eff0ea83ddca514ab01ff6bdf7dfbfc35c2b7
    SHA512: 53917b9a16d84ac66d02ab0bb5563e58387b7986d9388faa0a5a5db933956bbbd305554da99edacbc65cdc37098fc5da5e5ec563bab3c5b87a4d0b026349d76f

  • C:\Users\Admin\AppData\Roaming\Microsoft\Protect\aoDuCF8rbr\XzRaiWMOq\UxTheme.dll
    Filesize: 62KB
    MD5:    d78b7c50e9a19001281da02040a0b6d2
    SHA1:   ce9fcd4b6df0418528143e011bb42a4f969914b5
    SHA256: 2d667f18803916a2e619cb89785fcd7070c960b66a8510523980920ac269c330
    SHA512: a22f7a87e380fb902e4c3ba57c0ea10e6bd465e23812f96b1833ba37a2b6e23b925092cad44eef2531a558a3d51f0986b150f51824a527ba9ca5b0a82ea908e2

  • C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\ogj\SYSDM.CPL
    Filesize: 80KB
    MD5:    cb45f96921418a42eb64cd2efde7c8a4
    SHA1:   76f965faf6cfd37b6e3cec01626c9f953b1cc7b3
    SHA256: 06851a71f213e55d80b637c3e29e10f68c9d59d2cad18ff887d1787712a6f701
    SHA512: a3b2a5e58eef50b227381928d54bd33e4a5bed9df3408a77c0d5c00dd464996e7767280ae48be1350b802ab3fd4d67ae16be02c190b6fd66d1bc335737d21a94
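The dropped-file list above follows the loader pattern this run exhibits: a legitimate Windows binary (omadmclient.exe, EhStorAuthn.exe, SystemPropertiesPerformance.exe) is copied into a randomly named folder under the user's AppData\Local and placed next to a DLL or CPL with a system-library name (XmlLite.dll, UxTheme.dll, SYSDM.CPL) so that the copied host loads the planted library, while a .lnk in the Startup folder restarts the chain at logon. The script below is an added example, not part of the sandbox report; it re-encodes the paths above as a constructed inventory (one entry per path, although the report shows several rewrites of some paths) and flags those two patterns. The host and library name sets are assumptions taken from this one report, not a complete catalogue.

```python
"""Triage of the dropped files listed in the Downloads section above.

Added example, not part of the sandbox report. It pulls out two patterns from
the constructed inventory: a signed Windows binary relocated into a randomly
named folder under AppData/Local next to a library carrying a system-library
name (DLL side-loading), and a .lnk written to the user's Startup folder
(persistence). SIDELOAD_HOSTS and SIDELOAD_LIBS are taken from this report only.
"""
import re
from collections import defaultdict

# Constructed from the report's Downloads section; sizes as printed, hashes omitted.
INVENTORY = [
    (r"C:\Users\Admin\AppData\Local\bOjF4Jk\XmlLite.dll", "81KB"),
    (r"C:\Users\Admin\AppData\Local\bOjF4Jk\omadmclient.exe", "85KB"),
    (r"C:\Users\Admin\AppData\Local\edlk\SYSDM.CPL", "201KB"),
    (r"C:\Users\Admin\AppData\Local\edlk\SystemPropertiesPerformance.exe", "82KB"),
    (r"C:\Users\Admin\AppData\Local\vaJ8\EhStorAuthn.exe", "128KB"),
    (r"C:\Users\Admin\AppData\Local\vaJ8\UxTheme.dll", "203KB"),
    (r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Udjzqp.lnk", "1KB"),
    (r"C:\Users\Admin\AppData\Roaming\Microsoft\Protect\aoDuCF8rbr\XmlLite.dll", "116KB"),
    (r"C:\Users\Admin\AppData\Roaming\Microsoft\Protect\aoDuCF8rbr\XzRaiWMOq\UxTheme.dll", "62KB"),
    (r"C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\ogj\SYSDM.CPL", "80KB"),
]

# Assumption: the three hosts and three library names seen in this report.
SIDELOAD_HOSTS = {"omadmclient.exe", "ehstorauthn.exe", "systempropertiesperformance.exe"}
SIDELOAD_LIBS = {"xmllite.dll", "uxtheme.dll", "sysdm.cpl"}

# <drive>:\Users\<user>\AppData\Local\<one subdirectory>\<file>, the layout used here.
LOCAL_SUBDIR = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\AppData\\Local\\([^\\]+)\\([^\\]+)$", re.I)
STARTUP_LNK = re.compile(r"\\Startup\\[^\\]+\.lnk$", re.I)


def find_sideload_pairs(inventory):
    """Map each AppData\\Local subdirectory to the (hosts, libs) found together in it."""
    by_dir = defaultdict(set)
    for path, _size in inventory:
        m = LOCAL_SUBDIR.match(path)
        if m:
            by_dir[m.group(1)].add(m.group(2).lower())
    pairs = {}
    for subdir, names in by_dir.items():
        hosts = sorted(names & SIDELOAD_HOSTS)
        libs = sorted(names & SIDELOAD_LIBS)
        if hosts and libs:
            pairs[subdir] = (hosts, libs)
    return pairs


def find_startup_persistence(inventory):
    """Shortcut files dropped into a Startup folder (run at every logon)."""
    return [path for path, _size in inventory if STARTUP_LNK.search(path)]


def find_misplaced_system_libs(inventory):
    """System-library names written anywhere outside C:\\Windows."""
    hits = []
    for path, _size in inventory:
        name = path.rsplit("\\", 1)[-1].lower()
        if name in SIDELOAD_LIBS and not path.lower().startswith("c:\\windows\\"):
            hits.append(path)
    return hits


if __name__ == "__main__":
    for subdir, (hosts, libs) in find_sideload_pairs(INVENTORY).items():
        print(f"side-load candidate in {subdir}: {hosts} next to {libs}")
    for path in find_startup_persistence(INVENTORY):
        print(f"startup persistence: {path}")
    for path in find_misplaced_system_libs(INVENTORY):
        print(f"system library name outside C:\\Windows: {path}")
```

The same three functions work unchanged on a real file listing (for example the output of a directory walk of a suspect user profile); the inventory here is fixed so the example runs offline.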

  • memory/64-106-0x0000000140000000-0x000000014016A000-memory.dmp (1.4MB)
  • memory/64-101-0x000001E4208E0000-0x000001E4208E7000-memory.dmp (28KB)
  • memory/1208-72-0x0000000140000000-0x000000014016A000-memory.dmp (1.4MB)
  • memory/1208-66-0x0000000140000000-0x000000014016A000-memory.dmp (1.4MB)
  • memory/1208-67-0x0000020FD4DF0000-0x0000020FD4DF7000-memory.dmp (28KB)
  • memory/1936-83-0x0000021834A60000-0x0000021834A67000-memory.dmp (28KB)
  • memory/1936-89-0x0000000140000000-0x000000014016A000-memory.dmp (1.4MB)
  • memory/2640-0-0x00000244CFA70000-0x00000244CFA77000-memory.dmp (28KB)
  • memory/2640-8-0x0000000140000000-0x0000000140169000-memory.dmp (1.4MB)
  • memory/2640-1-0x0000000140000000-0x0000000140169000-memory.dmp (1.4MB)
  • memory/3556-34-0x0000000140000000-0x0000000140169000-memory.dmp (1.4MB)
  • memory/3556-24-0x0000000140000000-0x0000000140169000-memory.dmp (1.4MB)
  • memory/3556-14-0x0000000140000000-0x0000000140169000-memory.dmp (1.4MB)
  • memory/3556-12-0x0000000140000000-0x0000000140169000-memory.dmp (1.4MB)
  • memory/3556-10-0x0000000140000000-0x0000000140169000-memory.dmp (1.4MB)
  • memory/3556-9-0x0000000140000000-0x0000000140169000-memory.dmp (1.4MB)
  • memory/3556-43-0x0000000140000000-0x0000000140169000-memory.dmp (1.4MB)
  • memory/3556-44-0x00007FFAF3160000-0x00007FFAF3170000-memory.dmp (64KB)
  • memory/3556-15-0x0000000140000000-0x0000000140169000-memory.dmp (1.4MB)
  • memory/3556-4-0x0000000007650000-0x0000000007651000-memory.dmp (4KB)
  • memory/3556-53-0x0000000140000000-0x0000000140169000-memory.dmp (1.4MB)
  • memory/3556-55-0x0000000140000000-0x0000000140169000-memory.dmp (1.4MB)
  • memory/3556-17-0x0000000140000000-0x0000000140169000-memory.dmp (1.4MB)
  • memory/3556-18-0x0000000140000000-0x0000000140169000-memory.dmp (1.4MB)
  • memory/3556-19-0x0000000140000000-0x0000000140169000-memory.dmp (1.4MB)
  • memory/3556-21-0x0000000140000000-0x0000000140169000-memory.dmp (1.4MB)
  • memory/3556-22-0x0000000140000000-0x0000000140169000-memory.dmp (1.4MB)
  • memory/3556-13-0x0000000140000000-0x0000000140169000-memory.dmp (1.4MB)
  • memory/3556-30-0x0000000140000000-0x0000000140169000-memory.dmp (1.4MB)
  • memory/3556-35-0x0000000140000000-0x0000000140169000-memory.dmp (1.4MB)
  • memory/3556-36-0x0000000007630000-0x0000000007637000-memory.dmp (28KB)
  • memory/3556-33-0x0000000140000000-0x0000000140169000-memory.dmp (1.4MB)
  • memory/3556-32-0x0000000140000000-0x0000000140169000-memory.dmp (1.4MB)
  • memory/3556-31-0x0000000140000000-0x0000000140169000-memory.dmp (1.4MB)
  • memory/3556-28-0x0000000140000000-0x0000000140169000-memory.dmp (1.4MB)
  • memory/3556-29-0x0000000140000000-0x0000000140169000-memory.dmp (1.4MB)
  • memory/3556-27-0x0000000140000000-0x0000000140169000-memory.dmp (1.4MB)
  • memory/3556-26-0x0000000140000000-0x0000000140169000-memory.dmp (1.4MB)
  • memory/3556-23-0x0000000140000000-0x0000000140169000-memory.dmp (1.4MB)
  • memory/3556-25-0x0000000140000000-0x0000000140169000-memory.dmp (1.4MB)
  • memory/3556-20-0x0000000140000000-0x0000000140169000-memory.dmp (1.4MB)
  • memory/3556-16-0x0000000140000000-0x0000000140169000-memory.dmp (1.4MB)
  • memory/3556-11-0x0000000140000000-0x0000000140169000-memory.dmp (1.4MB)
  • memory/3556-7-0x0000000140000000-0x0000000140169000-memory.dmp (1.4MB)
  • memory/3556-5-0x00007FFAF2DBA000-0x00007FFAF2DBB000-memory.dmp (4KB)
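The memory dump names above encode the process ID, a capture ordinal and the start and end address of the dumped region. Parsed that way, they show one ~1.4MB region at base 0x140000000 (the same order as the 1.4MB submitted DLL) present in rundll32 (PID 2640), in all three relocated side-load hosts (PIDs 64, 1208, 1936) and in PID 3556, which does not appear in the process list at all. The script below is an added example, not part of the report; it parses a constructed subset of the entries above, groups the regions by PID, and reports large regions shared across processes and dumped PIDs missing from the process tree. The 1 MiB cut-off is an arbitrary choice for this example.

```python
"""Correlating sandbox memory-dump names with the process tree.

Added example, not part of the report. Dump names have the shape
memory/<pid>-<ordinal>-0x<start>-0x<end>-memory.dmp; DUMPS below is a
constructed subset of the entries listed in the report.
"""
import re
from collections import defaultdict

DUMPS = [
    "memory/64-106-0x0000000140000000-0x000000014016A000-memory.dmp",
    "memory/64-101-0x000001E4208E0000-0x000001E4208E7000-memory.dmp",
    "memory/1208-72-0x0000000140000000-0x000000014016A000-memory.dmp",
    "memory/1208-67-0x0000020FD4DF0000-0x0000020FD4DF7000-memory.dmp",
    "memory/1936-89-0x0000000140000000-0x000000014016A000-memory.dmp",
    "memory/1936-83-0x0000021834A60000-0x0000021834A67000-memory.dmp",
    "memory/2640-8-0x0000000140000000-0x0000000140169000-memory.dmp",
    "memory/2640-0-0x00000244CFA70000-0x00000244CFA77000-memory.dmp",
    "memory/3556-34-0x0000000140000000-0x0000000140169000-memory.dmp",
    "memory/3556-44-0x00007FFAF3160000-0x00007FFAF3170000-memory.dmp",
    "memory/3556-4-0x0000000007650000-0x0000000007651000-memory.dmp",
    "memory/3556-36-0x0000000007630000-0x0000000007637000-memory.dmp",
    "memory/3556-5-0x00007FFAF2DBA000-0x00007FFAF2DBB000-memory.dmp",
]

# PIDs that appear in the report's process list.
PROCESS_TREE_PIDS = {2640, 916, 2720, 1080, 64, 1936, 1208}

DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def parse_dump(name):
    """Split a dump name into pid, ordinal, start, end and size in bytes."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a sandbox memory dump name: {name}")
    pid, seq, start, end = m.groups()
    start, end = int(start, 16), int(end, 16)
    return {"pid": int(pid), "seq": int(seq), "start": start, "end": end, "size": end - start}


def size_mib(nbytes):
    return round(nbytes / (1024 * 1024), 2)


def regions_by_pid(names):
    """Distinct (start, size) regions per PID; repeated dumps of one region collapse."""
    out = defaultdict(set)
    for name in names:
        d = parse_dump(name)
        out[d["pid"]].add((d["start"], d["size"]))
    return {pid: sorted(regions) for pid, regions in out.items()}


def shared_large_regions(names, min_size=1 << 20):
    """Base addresses of regions >= min_size that occur in more than one PID."""
    pids_by_base = defaultdict(set)
    for name in names:
        d = parse_dump(name)
        if d["size"] >= min_size:
            pids_by_base[d["start"]].add(d["pid"])
    return {hex(base): sorted(pids) for base, pids in pids_by_base.items() if len(pids) > 1}


def pids_not_in_tree(names, tree_pids):
    """Dumped PIDs that the process list never shows (injection targets to look at)."""
    return sorted({parse_dump(n)["pid"] for n in names} - set(tree_pids))


if __name__ == "__main__":
    for pid, regions in sorted(regions_by_pid(DUMPS).items()):
        print(pid, [(hex(s), size_mib(n)) for s, n in regions])
    print("shared large regions:", shared_large_regions(DUMPS))
    print("dumped but not in process tree:", pids_not_in_tree(DUMPS, PROCESS_TREE_PIDS))
```

A region of the submitted sample's size at an identical base in every host process, plus one PID that the tree never spawned, is the shape of the "Dridex Shellcode" signature fired above; the script only surfaces that correlation from the dump names and does not itself identify which binary PID 3556 is.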