Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24-01-2024 02:55

General

  • Target

    7142569287a29d07ca328243db7a1f74.dll

  • Size

    1.7MB

  • MD5

    7142569287a29d07ca328243db7a1f74

  • SHA1

    0bb092d2cf5779d598f619d801bb1eda19a7f883

  • SHA256

    6d6b79a6bb6023fd10ffe393db35e78b77bc403f068b5ac7cfece64692b2edc1

  • SHA512

    9df2653a5f920d62b6d72d2f1e199d503e3328e63b7d0611fbcbcc1a084ac2b59a82739aedf665cdd64b6b08260e9b212e7d9ed20de363261dce6d2d2b4eb06f

  • SSDEEP

    12288:JVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:ofP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode (1 IoC)

    Detects Dridex payload shellcode injected into the Explorer process.

  • Executes dropped EXE (3 IoCs)
  • Loads dropped DLL (3 IoCs)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Checks whether UAC is enabled (1 TTP, 4 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of AdjustPrivilegeToken (4 IoCs)
  • Suspicious use of FindShellTrayWindow (2 IoCs)
  • Suspicious use of UnmapMainImage (1 IoC)
  • Suspicious use of WriteProcessMemory (12 IoCs)
  • Uses Task Scheduler COM API (1 TTP)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\7142569287a29d07ca328243db7a1f74.dll,#1
    PID: 4812
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
  • C:\Users\Admin\AppData\Local\WzbTceo\FileHistory.exe
    C:\Users\Admin\AppData\Local\WzbTceo\FileHistory.exe
    PID: 2240
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
  • C:\Windows\system32\FileHistory.exe
    C:\Windows\system32\FileHistory.exe
    PID: 4824
  • C:\Windows\system32\systemreset.exe
    C:\Windows\system32\systemreset.exe
    PID: 3700
  • C:\Windows\system32\WFS.exe
    C:\Windows\system32\WFS.exe
    PID: 3660
  • C:\Users\Admin\AppData\Local\6GS\systemreset.exe
    C:\Users\Admin\AppData\Local\6GS\systemreset.exe
    PID: 3844
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
  • C:\Users\Admin\AppData\Local\l4fQZS\WFS.exe
    C:\Users\Admin\AppData\Local\l4fQZS\WFS.exe
    PID: 2828
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled

Downloads

  • C:\Users\Admin\AppData\Local\6GS\DUI70.dll
    Filesize: 80KB
    MD5: 92f5e99a4a522a8909911485e63143a6
    SHA1: 6114b6105c17695a3880613e07d1ae15f452acbe
    SHA256: 982e5cc7a5620d5b0b46c8194de3137d409f02b47ae8b35beaec674f34ca7d5e
    SHA512: 2660319c8b848e37f3dac0c7c2ad3f90073b59ec43d08ecaabca095910cfd02bb65624babafffda81180595d284943534e31caa1520f2f715d8cc11d20e32fc9

  • C:\Users\Admin\AppData\Local\6GS\DUI70.dll
    Filesize: 110KB
    MD5: 527f3aaad52f2930a2e8da15135e74fd
    SHA1: 315e1cf40d9728f5ef596f035c350831f54f2206
    SHA256: 2e46587067b9b8a3a19a4b6bc3364009599cb36df99eedf3733b7ab077bdba78
    SHA512: 82af0626490fcaabe8ec617b3217c2f6ce9be942b959706c87262c0bc37ee5ea7b9254423aad947cd52557a2860b4fb76ac74d4ce8adc1828c4dde383ca6a9a5

  • C:\Users\Admin\AppData\Local\6GS\systemreset.exe
    Filesize: 294KB
    MD5: 8f99945e5223e90e81efd8e72eb3f452
    SHA1: b85fd92e3363e5dbbe57b415ead3b54ee68fd25e
    SHA256: 33374307d0c9eebf3901afebf1ca437c8aff9986d9f7595b3ff94b390eec757a
    SHA512: 83d6ebc08714a8a8500cae571d4aeb2ef660e9fbf1d25d770990108119f41428ac87a3ccddaef40a339bf4c89c08b73cd4842e4268d0849d55b7763f9cc87944

  • C:\Users\Admin\AppData\Local\6GS\systemreset.exe
    Filesize: 89KB
    MD5: 52e879fb51b863a6dbe7eb3036cce68e
    SHA1: 12d26c7684a5d946fe3bc5273342ef762d1eae2a
    SHA256: 03da89c6ba52f123fa5683784a5a852ab0a8785ceaa8f12aef372acdd2f61055
    SHA512: 2cd17b6b16d7585f994f3e0144ed2bcb8649c334c3d65b8524ea4de5cffcdd4b3845060efe857c5e080e3e764995c43a5165735c40cb4bf5b7358b94f8b6a619

  • C:\Users\Admin\AppData\Local\WzbTceo\FileHistory.exe
    Filesize: 34KB
    MD5: 9c89a8c52e1e7b9af55df36ee6ee9b06
    SHA1: a302aee07e67c112cdb83ba24ddf2e454642d39f
    SHA256: 90f277f3d3082ad84b2269197eaaf933a82c685f9b697e781258d1838957eb5e
    SHA512: d7cf08c3a5a5dfeca089d2e8bfb452b419c226125ce408595158f35951f236f1ff6d1493411dcb118d8f0cd6b95363fdc89f3107aa8ae36fcaef09e823a364f3

  • C:\Users\Admin\AppData\Local\WzbTceo\FileHistory.exe
    Filesize: 244KB
    MD5: eeba3dd643ced2781ec1b7e3cd6fa246
    SHA1: 2d394173e603625e231633fc270072e854bac17b
    SHA256: bee0799a52fe65b8dc291de32f0c8b03b5a067915b1868bc8ba2a1b139c90b87
    SHA512: 222d4fbc7ee57d75889698a0660996293a0143518fdecc1b222618796d76d40f2d3b00b071f92ab917ac8847f195d7de02df55b5e89dad8a80d110e464cd3271

  • C:\Users\Admin\AppData\Local\WzbTceo\UxTheme.dll
    Filesize: 90KB
    MD5: 0110bfdbd98d5d71e2151d428fb5b509
    SHA1: 04934c22cb9fc4fce48d50e48d51730133921bf5
    SHA256: 668aa0e521c016871b166b9613a36fa623c72ce29700e96e46e33714b4c1b06a
    SHA512: 05aed0f37627ad4875b677bf708f947c984f82b534f16e5c3ec808515c622cb7679f422e92ac13ca13b7aed2cd6795682503449c7750288b47c386940ea48b63

  • C:\Users\Admin\AppData\Local\WzbTceo\UxTheme.dll
    Filesize: 10KB
    MD5: fa27cf48d0e5c6b98a06f57b8c1aa4d5
    SHA1: fef062c25c82718d3044ec4c74ee68795e3fd1a2
    SHA256: 35ed88b10eecffe46bcc900ada74b722e899e826218b01343fecde47fd91232d
    SHA512: 4e1ba7505fd157d1bbd8fe4cbe9f3657e31dea98369d0308ac1c153d1096a5c6f07d6dd0e06cf0ad74d985f6b6482690eb5167f386e08045a87bd063880d6696

  • C:\Users\Admin\AppData\Local\l4fQZS\UxTheme.dll
    Filesize: 109KB
    MD5: c54554a391b230327222f6646e08740f
    SHA1: c8f21f2eeb9ad4dc725ad02b0e78ff39718b7f60
    SHA256: cdd95cfee1c5e10ca66dc7b11519c107b10cc52e7057a734ace44485526fff72
    SHA512: 3cbae839160804c35f070cd6bd93d416a1414c6a95e70ef61bb9f51fc2a5ce5a75b70c36f25ffc6f8aea38b8f38c9138f50b519f3f0dc8abe01e3b1387a0abcd

  • C:\Users\Admin\AppData\Local\l4fQZS\UxTheme.dll
    Filesize: 57KB
    MD5: da297fc614602b88d02353ff1bf8e08f
    SHA1: d1c24b248e3fea81aaea1c76b04b29896f63b513
    SHA256: 0285df44856608f6d342fda8847e9f361cac65d3590bf7d1c02a3b541aceef52
    SHA512: cf0cb8f4f8a64343b66ab4c8e060f425e4b08001f0075cccb4c2a636bf172fcbd39e276a649e380b9f183ff94de3fe55ecae4ec0147da706e91a5359c793901c

  • C:\Users\Admin\AppData\Local\l4fQZS\WFS.exe
    Filesize: 96KB
    MD5: 08082633606d27676c9a3d3f8c3d82b9
    SHA1: 2f0854d72a34f6b2f8c2dc8bde7d4080dcf544d2
    SHA256: fa10e3bc6dd79970b4ef1f5bed292329eaa1727aa50c53c8b54ee1dae7679a43
    SHA512: 052935a56d5811bec180a2ad275abe97e97ace2f4fceaf58d930741038f71511f0b66d89949a724a6a682e24d2f49090cf0599ed8b832d411d75afc2487a86e3

  • C:\Users\Admin\AppData\Local\l4fQZS\WFS.exe
    Filesize: 108KB
    MD5: 367f85df1166a09707e78a1b06f339fa
    SHA1: f9c4b2e589c5c32b1af2fb12ff604e51606f69dc
    SHA256: 0cad7785ad5c70810a6efa05ce4330a3474705879985469bb4a0e641a3954656
    SHA512: 51a5a215bc9fc3d6fcf913794df297bfbaa2b97b76deff1fa2104e19fd3c09ed18da861ab6e27214b6e81c9f62126da3dcdbd2520ed7b6c47251e322d1f199fc

  • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Hxquhu.lnk
    Filesize: 1KB
    MD5: 214d5f9c37fe233401959b9cd51258e2
    SHA1: c284c61f3a0c810be628ea353fa78bd14f06b38b
    SHA256: 00317b4cd8b40fd3ce6ca51d4ca53688b5beaa8015add7dfa8e6a75326c1538f
    SHA512: 53f6172096ad0bca09fef9961a2369568d14fff6e2b61b14230ff3141b7e473cd02ef8d5e2de6447c8a8fbe1722ac67cf0171461e3488804cc1d62a98f835674

  • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\57C5XogC\UxTheme.dll
    Filesize: 1.7MB
    MD5: fb47cdbfc9ffb6f91f9637ca9d533bc3
    SHA1: c423635f166c15224c9dd62418c4cf9345ab485f
    SHA256: ad4ce9f173e7c91f00a61bfd48b3def22b93c63afe4096cf07f526f3d2d7c9e6
    SHA512: 1bcde188fa8b51124560474e05da71bf12255d5da9d55a7336bb6302e3028a00a3f521be52dbf4d4c1d0705d26c0c8f61f42fb0dc332a86a384c8032621819a6

  • C:\Users\Admin\AppData\Roaming\Microsoft\UProof\iCrBTM3tx\UxTheme.dll
    Filesize: 783KB
    MD5: 7f02ca767aa8fbd52b0d3d6169e81361
    SHA1: 1cd2d25d308e8c7223ee22917e10c2fa3a5e1fcb
    SHA256: c7969081a4c2119650fe5d49c6bce14a0921c5060a5998a50fd6e07605feb77c
    SHA512: 174d385e832298a2004efe70ac7c4f9c6df614b34064cbf1704fb9c97581d84ecd1e0e07af5226ae10131890dffe391aef8f3a88f1406259400da107b856b9be

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\NW7CDrfd\DUI70.dll
    Filesize: 2.0MB
    MD5: 92ba508ae41108aff9383af2f2106e20
    SHA1: 35a4a9cd6c601797f1ad8072c808504b285d6b4d
    SHA256: 73f2496461fd8e3988a0782eef3ed63e16418f1c87ce91f7d6e63a310df2027e
    SHA512: f28c5799c085afe2e888cd932a078dd9f93f4d73629358efd42c42fbad994f77130e9320da4f8ec20bbad5f68320a69a25b2507523d9734eeefa37c896b64224
