Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24-01-2024 23:02

General

  • Target
    7315a7e24b903536485987c77dc91956.dll
  • Size
    2.9MB
  • MD5
    7315a7e24b903536485987c77dc91956
  • SHA1
    526cd2d7389cda304cc3c81c002c1114073f1c92
  • SHA256
    17b5bae1fc1b7efdbcd4dc107c246ffe24201cdb7e3bafe80e23b7e5f3c1169b
  • SHA512
    b3399a9415848cb351726ff2bebf8124086f61d5cb5823a7789dab291da8780f5ef313b662a1a925054e8ffde76f5f5b960b774f51b9b894d02733bd4ef33489
  • SSDEEP
    12288:RVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:gfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat or Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode (1 IoC)

    Detects Dridex payload shellcode injected into the Explorer process.

  • Executes dropped EXE (3 IoCs)
  • Loads dropped DLL (3 IoCs)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Checks whether UAC is enabled (1 TTP, 4 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of AdjustPrivilegeToken (8 IoCs)
  • Suspicious use of FindShellTrayWindow (2 IoCs)
  • Suspicious use of UnmapMainImage (1 IoC)
  • Suspicious use of WriteProcessMemory (12 IoCs)
  • Uses Task Scheduler COM API (1 TTP)

    The Task Scheduler COM API can be used to schedule applications to run at boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\7315a7e24b903536485987c77dc91956.dll,#1
    PID:2540
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
  • C:\Windows\system32\wermgr.exe
    C:\Windows\system32\wermgr.exe
    PID:2196
  • C:\Users\Admin\AppData\Local\hfh2T\wermgr.exe
    C:\Users\Admin\AppData\Local\hfh2T\wermgr.exe
    PID:1140
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
  • C:\Windows\system32\WindowsActionDialog.exe
    C:\Windows\system32\WindowsActionDialog.exe
    PID:8
  • C:\Users\Admin\AppData\Local\XMFFPoOS\SystemPropertiesPerformance.exe
    C:\Users\Admin\AppData\Local\XMFFPoOS\SystemPropertiesPerformance.exe
    PID:3664
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
  • C:\Windows\system32\SystemPropertiesPerformance.exe
    C:\Windows\system32\SystemPropertiesPerformance.exe
    PID:832
  • C:\Users\Admin\AppData\Local\q9oRT1OQu\WindowsActionDialog.exe
    C:\Users\Admin\AppData\Local\q9oRT1OQu\WindowsActionDialog.exe
    PID:944
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
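The process list, read together with the dropped files under Downloads, shows the loader's layout: three Windows binaries (wermgr.exe, SystemPropertiesPerformance.exe, WindowsActionDialog.exe) each run once from System32 and once from a randomly named folder under AppData\Local, where a copy of the binary sits beside a library (wer.dll, SYSDM.CPL, DUI70.dll) that a binary of that name resolves from its own directory before System32. That is DLL side-loading, which the "Loads dropped DLL" signature records; the submitted DLL itself is started through rundll32 by ordinal (",#1"). The Python below is an added example written for this report, not sandbox tooling and not a parser for the sandbox's export format (which the page does not show): the process launches and dropped-file paths are re-typed from this page as constructed input, and the checks flag copied system binaries, their side-load siblings, files rewritten during the run, the Startup-folder persistence item and the rundll32 load.

```python
"""Spot DLL side-loading in a sandbox report's process list and dropped files.

Added example written for this report; it is not the sandbox's own tooling and
does not parse its export format (not shown on the page). The process launches
and dropped-file paths below are re-typed from the Processes and Downloads sections.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# (pid, image path, command line) as listed under Processes.
PROCESSES = [
    (2540, r"C:\Windows\system32\rundll32.exe",
     r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\7315a7e24b903536485987c77dc91956.dll,#1"),
    (2196, r"C:\Windows\system32\wermgr.exe", r"C:\Windows\system32\wermgr.exe"),
    (1140, r"C:\Users\Admin\AppData\Local\hfh2T\wermgr.exe", r"C:\Users\Admin\AppData\Local\hfh2T\wermgr.exe"),
    (8, r"C:\Windows\system32\WindowsActionDialog.exe", r"C:\Windows\system32\WindowsActionDialog.exe"),
    (3664, r"C:\Users\Admin\AppData\Local\XMFFPoOS\SystemPropertiesPerformance.exe",
     r"C:\Users\Admin\AppData\Local\XMFFPoOS\SystemPropertiesPerformance.exe"),
    (832, r"C:\Windows\system32\SystemPropertiesPerformance.exe", r"C:\Windows\system32\SystemPropertiesPerformance.exe"),
    (944, r"C:\Users\Admin\AppData\Local\q9oRT1OQu\WindowsActionDialog.exe",
     r"C:\Users\Admin\AppData\Local\q9oRT1OQu\WindowsActionDialog.exe"),
]

# (path, size) of every file the run wrote, as listed under Downloads (hashes omitted here).
DROPPED = [
    (r"C:\Users\Admin\AppData\Local\XMFFPoOS\SYSDM.CPL", "91KB"),
    (r"C:\Users\Admin\AppData\Local\XMFFPoOS\SYSDM.CPL", "186KB"),
    (r"C:\Users\Admin\AppData\Local\XMFFPoOS\SystemPropertiesPerformance.exe", "61KB"),
    (r"C:\Users\Admin\AppData\Local\XMFFPoOS\SystemPropertiesPerformance.exe", "82KB"),
    (r"C:\Users\Admin\AppData\Local\hfh2T\wer.dll", "21KB"),
    (r"C:\Users\Admin\AppData\Local\hfh2T\wer.dll", "55KB"),
    (r"C:\Users\Admin\AppData\Local\hfh2T\wermgr.exe", "155KB"),
    (r"C:\Users\Admin\AppData\Local\hfh2T\wermgr.exe", "1KB"),
    (r"C:\Users\Admin\AppData\Local\q9oRT1OQu\DUI70.dll", "37KB"),
    (r"C:\Users\Admin\AppData\Local\q9oRT1OQu\DUI70.dll", "69KB"),
    (r"C:\Users\Admin\AppData\Local\q9oRT1OQu\WindowsActionDialog.exe", "61KB"),
    (r"C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Collab\g8NH\DUI70.dll", "87KB"),
    (r"C:\Users\Admin\AppData\Roaming\Adobe\Flash Player\NativeCache\9w16\wer.dll", "89KB"),
    (r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Iydemppuyghrhln.lnk", "1KB"),
    (r"C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\UserData\hWbJ7o9\SYSDM.CPL", "349KB"),
]

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\")
LOADABLE = {".dll", ".cpl"}  # a .cpl is a DLL under another extension
# rundll32 <dll>,<export>; the DLL path may be quoted, the export may be an ordinal (#1) or a name.
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>#\d+|\w+)', re.I)


def copied_system_binaries(processes):
    """{copied image: (its pid, system image of the same name, that pid)} for images run
    from a user-writable directory whose basename also ran from a system directory."""
    system = {PureWindowsPath(img).name.lower(): (img, pid)
              for pid, img, _ in processes if img.lower().startswith(SYSTEM_DIRS)}
    return {img: (pid, *system[PureWindowsPath(img).name.lower()])
            for pid, img, _ in processes
            if img.lower().startswith(USER_WRITABLE) and PureWindowsPath(img).name.lower() in system}


def sideload_pairs(copied, dropped):
    """For each copied binary, the dropped DLL/CPL files in its own directory, which the
    loader searches before System32 for libraries that are not KnownDLLs."""
    by_dir = defaultdict(set)
    for path, _ in dropped:
        p = PureWindowsPath(path)
        if p.suffix.lower() in LOADABLE:
            by_dir[str(p.parent).lower()].add(p.name)
    return {img: sorted(by_dir[str(PureWindowsPath(img).parent).lower()]) for img in copied}


def rewritten_paths(dropped):
    """Paths recorded more than once with different sizes: the file was written and then
    overwritten with different content during the run."""
    sizes = defaultdict(set)
    for path, size in dropped:
        sizes[path].add(size)
    return sorted(p for p, s in sizes.items() if len(s) > 1)


def startup_items(dropped):
    """Files written into a Startup folder; they run at the next logon."""
    return [p for p, _ in dropped if "\\programs\\startup\\" in p.lower()]


def rundll32_user_loads(processes):
    """rundll32 launches that load a DLL from a user-writable path, with the export invoked."""
    hits = []
    for pid, _, cmd in processes:
        m = RUNDLL_RE.search(cmd)
        if m and m["dll"].lower().startswith(USER_WRITABLE):
            hits.append((pid, m["dll"], m["export"]))
    return hits


if __name__ == "__main__":
    copied = copied_system_binaries(PROCESSES)
    pairs = sideload_pairs(copied, DROPPED)
    for img, (pid, orig, opid) in copied.items():
        print(f"PID {pid} ran {img}\n    copy of {orig} (PID {opid}); loadable siblings: {pairs[img]}")
    print("rewritten during run:", rewritten_paths(DROPPED))
    print("startup persistence:", startup_items(DROPPED))
    print("rundll32 loads:", rundll32_user_loads(PROCESSES))
```

Run stand-alone it prints the three exe/library pairs, the five paths the run wrote twice with different sizes (both halves of each pair, and hfh2T\wermgr.exe shrinking from 155KB to 1KB), the Startup .lnk, and the rundll32 ordinal call. The same checks apply to any sandbox export once the tuples are filled from its process and file lists instead of typed in.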

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\XMFFPoOS\SYSDM.CPL
    Filesize  91KB
    MD5       ce33dad82399d6ac36fc44c84068a255
    SHA1      9d8ae4c44ed4ab3dc7437fcebd2214cf90ab9bd8
    SHA256    cc77a05cb6bbe2f6485fb0705444525f316ceb94aad066b929fb0f6e306d64d3
    SHA512    beb46d76e4a60d13ef872ca9fa60ca289fef6692a946c6a221411c31efdfd0150dce4d8a4e21b616183b74228f1c65bf2fcc402a5bf7a89293a35ef932185a78

  • C:\Users\Admin\AppData\Local\XMFFPoOS\SYSDM.CPL
    Filesize  186KB
    MD5       7eecc70a2af6c67cbf073a1a9877a8d2
    SHA1      298ea5133202bba47d16a7bffe92c0d079913b7d
    SHA256    9545225d34644d38838307a53c4bad67c8e0b875a3492976d794e37e847a2b08
    SHA512    06e79c88db8cdd8ca64c415c0635ebccf786a60c0afb0d52540e4d30576bfb2d2d9a63f15e04c0ecd1510ed154683967ebb4b71404a78d8be417cc61ab14b9e2

  • C:\Users\Admin\AppData\Local\XMFFPoOS\SystemPropertiesPerformance.exe
    Filesize  61KB
    MD5       dd4ca15d85b439dfd9a0defb21597de1
    SHA1      f85f568a6150bea37cb3b408f5d1fa0515d676f4
    SHA256    79d3f31067d0d1583769f4ad37f52e641c5e2c2519763ec05507ea13c692b85a
    SHA512    aa2b96297d8311b35bb7b4882646a229ba60a4e53db724a5cc8de04c923dd36dc3ecfd782b7e1971a1a2de1411342fd753e07a6548a7e829f4faf3bb7197e29e

  • C:\Users\Admin\AppData\Local\XMFFPoOS\SystemPropertiesPerformance.exe
    Filesize  82KB
    MD5       e4fbf7cab8669c7c9cef92205d2f2ffc
    SHA1      adbfa782b7998720fa85678cc85863b961975e28
    SHA256    b266318d45a4245556a2e39b763f2f11eca780969105f6f103e53dd0a492bb30
    SHA512    c5c62578d04133352d6cb7b018df96a7b55c18d6111ab8bf2bfe232a3315a63b07047fa5b0b88551d152085776c66169b47566242c8c4c5e0333c55adc64e1b6

  • C:\Users\Admin\AppData\Local\hfh2T\wer.dll
    Filesize  21KB
    MD5       30036a22f610fba4cba7a6e73f29b0cc
    SHA1      d81de8a459b18939f127176bf6079864024b7717
    SHA256    45ac2a17e2cb0eeac42a91cef1ef65e83405a8f90bdf7935d74b3385684de27a
    SHA512    1ca05fb5bb7ab6392d0b37c812ba895aa606c5a381ad657916d83269b0a58226e928eee241a568451a72abd4336f464639e053c93dd8cd0fda773508595dea49

  • C:\Users\Admin\AppData\Local\hfh2T\wer.dll
    Filesize  55KB
    MD5       89699660c36e2f026cf5419b90c685f4
    SHA1      297ac8a9c23a48fa41fe18189a3b87abc35e5a11
    SHA256    9f43af45382abe74baebd1a49bb979ff9ecd861a730ee31e3eee1fd4bc909153
    SHA512    c54ceee340137e61925875b5ad28d808ff9eb20121998289964139542726bb811677ff195f3f37d803210d1123b3b97ffb122da0520fb66d59ec0498b2da5dd9

  • C:\Users\Admin\AppData\Local\hfh2T\wermgr.exe
    Filesize  155KB
    MD5       81eb3cae0925383c3f6ea5ce082adc6a
    SHA1      fea6e79f859ceeccdce73ed1a6bebe14564251b8
    SHA256    7b091829e990568a6b42f482b3163895e36bd5654f4fd0eca370e3033429ea22
    SHA512    33bda227dac25b17d6f7bd7a3ce74f6d6bd9647af8c7bbca03921e4fb92d80808f3295265d5cb1ae30e3a52728540313904d563f3b7dcdabd61e17aaf09d2d33

  • C:\Users\Admin\AppData\Local\hfh2T\wermgr.exe
    Filesize  1KB
    MD5       230ef8b1058b75e97f084989c74dc96b
    SHA1      f6e1a353feae755573ecb1d31f255c42dd2665b6
    SHA256    d6ae5bfd214bd94d4b9984a689c188e814d0513a8eb3c5211c33526f9388772a
    SHA512    9a1a0b3f6cd7b6ab58f44dfa20f736475795888ccc13ad894a07439a158956fc8d4e84c19a3af522d4124ee3ed89631b0869e04dfb1e5b8c9787c3a9536b0f91

  • C:\Users\Admin\AppData\Local\q9oRT1OQu\DUI70.dll
    Filesize  37KB
    MD5       7af5e968c0ca0ad5cc33dc0538bb782f
    SHA1      7ea7d55ccf187e8baea28031481f75f4180e4280
    SHA256    9eae608108dbfc93a752d04e8fe30cda745e717c9c139586a5e9a039833375dd
    SHA512    4fdaa2886cb869104c29dc525bf61bb45662bf03e054961c3a55bbe3bbbdcfa6f61207bf230c05fd7a67425730a1d95b11659fab03dc60a5ff434e8a8b38a75a

  • C:\Users\Admin\AppData\Local\q9oRT1OQu\DUI70.dll
    Filesize  69KB
    MD5       2cd7579f6042e8f71f4109c109c6bab0
    SHA1      d239821a4201902114faf58ae60a47063de836af
    SHA256    d2ab351d90dfc440a0229930d0e03141226f77b702ed189fa4e094da1055403c
    SHA512    be6c467baef91e196efb3b215904c0756f8b1e2b3b933dc387afdbfef07a29ab686cee37f52415a0d4030e0a62a371e222ff6abc29c208b606ba3bddfaa04591

  • C:\Users\Admin\AppData\Local\q9oRT1OQu\WindowsActionDialog.exe
    Filesize  61KB
    MD5       73c523b6556f2dc7eefc662338d66f8d
    SHA1      1e6f9a1d885efa4d76f1e7a8be2e974f2b65cea5
    SHA256    0c6397bfbcd7b1fcefb6de01a506578e36651725a61078c69708f1f92c41ea31
    SHA512    69d0f23d1abaad657dd4672532936ef35f0e9d443caf9e19898017656a66ed46e75e7e05261c7e7636799c58feccd01dc93975d6a598cbb73242ddb48c6ec912

  • C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Collab\g8NH\DUI70.dll
    Filesize  87KB
    MD5       7a9b84a8a91d94fa1b9200421dec2df4
    SHA1      86de5b54956dae1c805c4f12a8eb62e7a9399b1b
    SHA256    12ba51f62ae8f3d2554f88dedacabc193e8ab5eed3a70b7f9324cb67128ba6a2
    SHA512    0af9754e0a657b05bde0f76586d58b7b534248c9180f426264872b429f9cc3ff3a40d1948676039521192130751bc52760d5cef5badd9cdd5b08c5815ced9329

  • C:\Users\Admin\AppData\Roaming\Adobe\Flash Player\NativeCache\9w16\wer.dll
    Filesize  89KB
    MD5       4779f3f8fe070c35bfe0c2a4d69515e9
    SHA1      8121a4bcbdb0685bd81e4599026615cbe30e870d
    SHA256    67e14e9ac4cd27fa45496d73b9bff74a09e0548783538b98888fa38bb6fdae6b
    SHA512    9668f4933008f9ac95ceac1a3c833ebd9dcd2bd5a68ce59e0331020e4632e7426f6e037a678188b12af8a0b87c9697f3ee8a01e48a005b3ff6d786c570e81961

  • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Iydemppuyghrhln.lnk
    Filesize  1KB
    MD5       8bfa0d03b77f9343a47c9aa3e42bac58
    SHA1      4f9564bf241bfca52ea4d3023617fef8d3a7b047
    SHA256    f2d4425ac4a58a52c8485c64b900471bf0ccca1781a1c778d5a2a24f283abb56
    SHA512    26ed47dbc5d73465c44e017b5f947ef62b3c69750dd9826f33a87127f34db6b49ad8719e48b253d185ae946e7e974bf6d9c1db1e368b57aadd811f61ecfb1cad

  • C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\UserData\hWbJ7o9\SYSDM.CPL
    Filesize  349KB
    MD5       c1691a80aed6ac9ee6bd27b02f829b6f
    SHA1      36e73f92b63faca833c2226b70913c27d7cae48a
    SHA256    636978bff1f2258f21a5d8660e095b20c8341fcdc891692f82bd5a2d63fba15d
    SHA512    d8b03f7950a98449b9bd169e84ff0406f048af0615d0a7f0effb9b84789d1f29570666117631f36f175fd77050e32c88a62f9d3cc0b308ab89b867eac8ede4a9

  Memory dumps (dump name, then size of the dumped region):

  • memory/944-135-0x00000210CE280000-0x00000210CE287000-memory.dmp
    Filesize  28KB
  • memory/1140-100-0x000001F8C56D0000-0x000001F8C56D7000-memory.dmp
    Filesize  28KB
  • memory/2540-0-0x0000000140000000-0x00000001402E3000-memory.dmp
    Filesize  2.9MB
  • memory/2540-1-0x000002432E7C0000-0x000002432E7C7000-memory.dmp
    Filesize  28KB
  • memory/2540-7-0x0000000140000000-0x00000001402E3000-memory.dmp
    Filesize  2.9MB
  • memory/3560-4-0x0000000007AE0000-0x0000000007AE1000-memory.dmp
    Filesize  4KB
  • memory/3560-5-0x00007FFBEB9FA000-0x00007FFBEB9FB000-memory.dmp
    Filesize  4KB
  • memory/3560-8-0x0000000140000000-0x00000001402E3000-memory.dmp through memory/3560-65-0x0000000140000000-0x00000001402E3000-memory.dmp
    (58 dumps, indices 8 to 65, every one of the same region 0x0000000140000000-0x00000001402E3000)
    Filesize  2.9MB each
  • memory/3560-71-0x0000000002E60000-0x0000000002E67000-memory.dmp
    Filesize  28KB
  • memory/3560-79-0x00007FFBEC400000-0x00007FFBEC410000-memory.dmp
    Filesize  64KB
  • memory/3664-117-0x000002474BA20000-0x000002474BA27000-memory.dmp
    Filesize  28KB
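The memory dumps carry one fact the process tree does not: PID 3560 never appears under Processes, yet it holds 58 dumps of the 2.9MB region at 0x140000000, the same range in which the submitted DLL is mapped inside rundll32 (PID 2540), plus a 28KB region of the same size that was dumped from every listed process. The page does not say which image PID 3560 is; read together with the "Dridex Shellcode: injected into the Explorer process" signature it is the natural candidate, but that is an inference, not something the report states. The Python below is an added example written for this report, not sandbox tooling: it parses the dump names above (re-typed here as constructed input, with the 58 identical 3560 dumps generated from their index range), groups regions per PID, and reports PIDs absent from the tree, PIDs that map the submitted image's range, and region sizes shared across processes.

```python
"""Triage the memory-dump names a sandbox report lists.

Added example written for this report, not the sandbox's tooling. Dump names follow
memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp as shown under Downloads; the PIDs
below are those of the Processes section, and TARGET_IMAGE is the 2.9MB range in
which the report shows the submitted DLL mapped in PID 2540.
"""
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<n>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")

TREE_PIDS = {2540, 2196, 1140, 8, 3664, 832, 944}   # PIDs that appear in the process tree
TARGET_IMAGE = (0x140000000, 0x1402E3000)            # submitted DLL as mapped in PID 2540

# Dump names copied from the report; 3560-8 .. 3560-65 all dump the same region.
DUMPS = [
    "memory/944-135-0x00000210CE280000-0x00000210CE287000-memory.dmp",
    "memory/1140-100-0x000001F8C56D0000-0x000001F8C56D7000-memory.dmp",
    "memory/2540-0-0x0000000140000000-0x00000001402E3000-memory.dmp",
    "memory/2540-7-0x0000000140000000-0x00000001402E3000-memory.dmp",
    "memory/2540-1-0x000002432E7C0000-0x000002432E7C7000-memory.dmp",
    "memory/3560-4-0x0000000007AE0000-0x0000000007AE1000-memory.dmp",
    "memory/3560-5-0x00007FFBEB9FA000-0x00007FFBEB9FB000-memory.dmp",
    "memory/3560-71-0x0000000002E60000-0x0000000002E67000-memory.dmp",
    "memory/3560-79-0x00007FFBEC400000-0x00007FFBEC410000-memory.dmp",
    "memory/3664-117-0x000002474BA20000-0x000002474BA27000-memory.dmp",
] + [f"memory/3560-{n}-0x0000000140000000-0x00000001402E3000-memory.dmp" for n in range(8, 66)]


def parse_dump(name):
    """Split a dump name into pid, dump index, start, end and region size (bytes)."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a sandbox memory dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"pid": int(m["pid"]), "n": int(m["n"]), "start": start, "end": end, "size": end - start}


def regions_by_pid(dumps):
    """Distinct (start, end) regions dumped per PID; repeated dumps of one region collapse."""
    out = defaultdict(set)
    for d in map(parse_dump, dumps):
        out[d["pid"]].add((d["start"], d["end"]))
    return dict(out)


def untracked_pids(dumps, tree_pids):
    """PIDs that were dumped but never appear in the process tree: code ran there without
    that process being a recorded child. Consistent with injection, though the dump name
    alone does not identify the host image."""
    return sorted({parse_dump(d)["pid"] for d in dumps} - set(tree_pids))


def pids_mapping(dumps, region):
    """PIDs holding a dump of exactly `region`."""
    return sorted(pid for pid, regs in regions_by_pid(dumps).items() if region in regs)


def sizes_across_pids(dumps):
    """{region size: sorted PIDs} for sizes that were dumped in more than one process."""
    seen = defaultdict(set)
    for d in map(parse_dump, dumps):
        seen[d["size"]].add(d["pid"])
    return {size: sorted(pids) for size, pids in seen.items() if len(pids) > 1}


def human(n):
    """Size the way the report prints it: whole KB below 1MB, one decimal MB above."""
    return f"{n / 1024 / 1024:.1f}MB" if n >= 1024 * 1024 else f"{n // 1024}KB"


if __name__ == "__main__":
    print("dumped PIDs absent from the process tree:", untracked_pids(DUMPS, TREE_PIDS))
    print("PIDs mapping the submitted image range:", pids_mapping(DUMPS, TARGET_IMAGE))
    for size, pids in sorted(sizes_across_pids(DUMPS).items()):
        print(f"{human(size):>6} region dumped in PIDs {pids}")
    for pid, regs in sorted(regions_by_pid(DUMPS).items()):
        print(pid, [f"0x{s:X}-0x{e:X} ({human(e - s)})" for s, e in sorted(regs)])
```

Against this report it reports [3560] as the untracked PID, [2540, 3560] as the processes holding the 0x2E3000-byte image range, and 0x7000 (28KB) as a region size present in all five dumped processes; the next step a practitioner would take, pulling one of the 3560 image dumps and comparing it against the submitted DLL, needs the dump files themselves, which the page only names.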