Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24-01-2024 08:16

General

  • Target

    71bb36f4bcc6b93c90c000f353db7173.dll

  • Size

    1.6MB

  • MD5

    71bb36f4bcc6b93c90c000f353db7173

  • SHA1

    4089e571bfda56a10036636485e1113cfb5fe669

  • SHA256

    bad6364c6a3a60c2e7982bb223a06f05ec95abf264dc500f75d2454642d84034

  • SHA512

    7845c3f5a2e5c78251e2accc1a0be49c9e0d6b3c85231bd417b2e806048e62389bb2d6088a6909f39e1573daf455f9cec629d98d9c0f02ab41099c5f96317615

  • SSDEEP

    12288:QVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:VfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\71bb36f4bcc6b93c90c000f353db7173.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:4104
  • C:\Windows\system32\mblctr.exe
    C:\Windows\system32\mblctr.exe
    1⤵
      PID:4224
    • C:\Users\Admin\AppData\Local\fyoiHUH\mblctr.exe
      C:\Users\Admin\AppData\Local\fyoiHUH\mblctr.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:216
    • C:\Windows\system32\ApplySettingsTemplateCatalog.exe
      C:\Windows\system32\ApplySettingsTemplateCatalog.exe
      1⤵
        PID:3128
      • C:\Users\Admin\AppData\Local\wIzru6PhH\ApplySettingsTemplateCatalog.exe
        C:\Users\Admin\AppData\Local\wIzru6PhH\ApplySettingsTemplateCatalog.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:1376
      • C:\Windows\system32\DevicePairingWizard.exe
        C:\Windows\system32\DevicePairingWizard.exe
        1⤵
          PID:2416
        • C:\Users\Admin\AppData\Local\V6ALARLt\DevicePairingWizard.exe
          C:\Users\Admin\AppData\Local\V6ALARLt\DevicePairingWizard.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:4252

Network

MITRE ATT&CK Enterprise v15

Downloads

        • C:\Users\Admin\AppData\Local\V6ALARLt\DevicePairingWizard.exe

          Filesize

          93KB

          MD5

          d0e40a5a0c7dad2d6e5040d7fbc37533

          SHA1

          b0eabbd37a97a1abcd90bd56394f5c45585699eb

          SHA256

          2adaf3a5d3fde149626e3fef0e943c7029a135c04688acf357b2d8d04c81981b

          SHA512

          1191c2efcadd53b74d085612025c44b6cd54dd69493632950e30ada650d5ed79e3468c138f389cd3bc21ea103059a63eb38d9d919a62d932a38830c93f57731f

        • C:\Users\Admin\AppData\Local\V6ALARLt\MFC42u.dll

          Filesize

          132KB

          MD5

          169fc68af57622948b8add9a2787d7d6

          SHA1

          f234c1bfb534f386507dd18731aab216c0e6aab4

          SHA256

          3a6c128699383137586ae8a96f422e0d352f04e68b46d123dfce3eb8268b6663

          SHA512

          6af9d390591074393fd4b7a7894db8c66033f6e7f8420b16d9a756f439e3dd49ba299c7c8b52e956d64d827b7ab62dfa04e90454364b203ea46758dbd9f2b1e9

        • C:\Users\Admin\AppData\Local\V6ALARLt\MFC42u.dll

          Filesize

          248KB

          MD5

          03559cfcb23cce149625e1d45e7cfacc

          SHA1

          70982f958a8ee4392eb8f315a8c62830855df35f

          SHA256

          0110f5826d6892311cd8bf1966d6e985e73ad2481097fbd0a7a38063360075ad

          SHA512

          8226e3a50990202545e6dc40d4d9aaf1d754bd1bc141c172aa4f0e159eaf1541647bb08687e10e0ce825276c3b317bda2f587288b863a7271c2259de5fbdde75

        • C:\Users\Admin\AppData\Local\fyoiHUH\WTSAPI32.dll

          Filesize

          40KB

          MD5

          8d6dad690a9bfaa023cef1efa56d66db

          SHA1

          e2246baf53d7ec696d3d955aacb153b96b54b16f

          SHA256

          60574a54197367fcadfbc37ee2e791ac6753b93a3a3f57e4d656994fa978ab1d

          SHA512

          b1c51970bd92886eb3f8375f0ca23c79d2c3b06935468b8c122bb47f6dbd836d54726ba566a8224f9c7f0fa24a1f409a4f03fc3e76fd99c91c3eabf2497c9a87

        • C:\Users\Admin\AppData\Local\fyoiHUH\WTSAPI32.dll

          Filesize

          14KB

          MD5

          d9d5686b623ebd5e502552beab13e1b7

          SHA1

          b07c6e788fe8c2f1e70b4a199d032808e5210aa2

          SHA256

          51e01f2dbc21d193e6b57b563df2db001a643a4d2174a3e89d6e3da1c5ae73cf

          SHA512

          022d4ca4c39a329db2d8b8328871944db9ed0d4d1f14e2dc6861044abaf9b596d619d065352bea4139eb1cd703eb9baa301e020edae310035fb5a2781c477096

        • C:\Users\Admin\AppData\Local\fyoiHUH\mblctr.exe

          Filesize

          61KB

          MD5

          ebb094ee735e2148f70944bc99aa988d

          SHA1

          7b4d94e3487815ecfce0f95c1b1e6f3086c0a04c

          SHA256

          c92529afbf01d9a0ef45d50a7d8c52a4ef051e29e2c2e22b12d713edd12bb40d

          SHA512

          e61faba18a213088a1f0fdf2de1353fb669a8ccec20cec2b6b5ef06d0995290da7f22f9bf5bfbd577b4cbcf144cf7e37f142a1c8fc2131c32dee7494d343ee3c

        • C:\Users\Admin\AppData\Local\fyoiHUH\mblctr.exe

          Filesize

          1KB

          MD5

          ca27c46cfde45c526bfc7468ebc176bc

          SHA1

          b9627d4aec68c9335407c6fbb722630a5c7f996f

          SHA256

          2e59635834b06ea3b71078a1c3014e5025be0c35cb5744213d710ccf0cc1317b

          SHA512

          4995c5f66c2cff918f0cd2602344b6d62078c43530d4bae804ced30a79319a4e37108401d8317c5565c792c446b3774e7acd887717aa6182070c0e19e6cdc0aa

        • C:\Users\Admin\AppData\Local\wIzru6PhH\ACTIVEDS.dll

          Filesize

          98KB

          MD5

          12aea8f25b78db5cae16b0898f2d6168

          SHA1

          1dcf592b8fd961d418b1c212ebcbef96f761356b

          SHA256

          acf4312f9d5ee67bca9919b63082c419dc6ca1da6377a7fe857189be9239d0c4

          SHA512

          f300cc05a6eacdcbc4294b6197bffe1d8d6d0670eeec8db5751853a14ab2c141c526d31c9d298b43fffbdc7ac9cdd0ac283a9be713a7f2abae16a8e6c9644ad2

        • C:\Users\Admin\AppData\Local\wIzru6PhH\ACTIVEDS.dll

          Filesize

          1KB

          MD5

          722386c8c9297b09a2e9d94a45503ec0

          SHA1

          9c475333698ce74b43f73602ae759f24a75e6e4a

          SHA256

          2c73b547df5401a307eb8de97a64645ea7aad583f3b0b7529adccb4385b01676

          SHA512

          17eba0cfb595e008caf9908d8c53a76c1765f295fe957c186c0b867248c95ac3c8ca847d44f1e5c7a14a3b5ab48d147c3acc02b1e653bac50eb9b6e1ad91bc7d

        • C:\Users\Admin\AppData\Local\wIzru6PhH\ApplySettingsTemplateCatalog.exe

          Filesize

          149KB

          MD5

          03b685b3b5cc75961c104348158f4da4

          SHA1

          48e9151614630f960956eec156c62a44f868a385

          SHA256

          e640ef8e5fb077d36af548e25d532de52188bfd4b268b3bb96b427e75d5886d4

          SHA512

          461a12aa73c5809088ce990573682316c12023b3b08332be05c0fb6e7e0341460cc5bcd651cf226fff0a522a0a6f3197f4ba9db48e0c25b1588a89814dc974a4

        • C:\Users\Admin\AppData\Local\wIzru6PhH\ApplySettingsTemplateCatalog.exe

          Filesize

          57KB

          MD5

          61af8973de81bdd904335d887206f0e9

          SHA1

          441eb9dd71368d7d1df1fc8a531a7fd9c69bae77

          SHA256

          f01c9ce442b4aa439a84954c14b735a347ff51b4337fedbd9e13ff2ad1577f06

          SHA512

          a4f86afdb49f987d7edae9ffa8bae3d517836822b711e33e4d27664d1e841ebbf8a2336397837485be54dc0df68c4f844c569ab58808c067cbcc7ad392c9801c

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ocuuy.lnk

          Filesize

          1KB

          MD5

          a3bb3cd635636283e53adc5a7de6446d

          SHA1

          437514f9b89b006ce969df23930e3a9f84db64da

          SHA256

          d93ad0d17e76d89ae7300106d029ce3c53b1a7ffb6e33f5cd6d67586c269a464

          SHA512

          23f3f984ebca5ffcc9a5003deaa567945a6075d3f30fbe06ffdff15d4cc7e5d40184168b3b79c485e84c799670891983c8fe21f2972337209c213e70cdf62285

        • C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\5lcAp0\MFC42u.dll

          Filesize

          1.6MB

          MD5

          1036b97b23e0cf6eb216734c275110e5

          SHA1

          8dd74e54c975a5c172e9e0636eb4e84f6485f491

          SHA256

          ca5d649a82e516738cb4d8ff1ff94fcd46b2157cc1c70711b062e2959c009a97

          SHA512

          c3a7acd27ee15341da17bc7a20235fea7fa93c129a120f5cc1f777926d5b9ecf9f2dd4d238e8ca55d7abaf4ccd78bcc56971651a8db952fbdaff7fc8b5b5083d

        • C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\wSArnh7L\WTSAPI32.dll

          Filesize

          1.6MB

          MD5

          facb62c12ac78217a8a63bad5870ce9d

          SHA1

          5721b62dfc1058096afb1162f35a460fd802127a

          SHA256

          dfe1f64e671e3961c8bc96155e188ed25cc745837cd3a140782ab0a9be416983

          SHA512

          976c42145dc6634b4b4a58c64706b0dc27fb1f0c3799af572b9609a8d081094ea443feed8355a72d7e1007b1c8138e44ed114ed5508fcd0b42e5575b3f4b70cd

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\bf\ACTIVEDS.dll

          Filesize

          1.6MB

          MD5

          be745c43d1e5fcda08db22902047c7f0

          SHA1

          f55b67bb848a035e277c1bba433a046a74f4b789

          SHA256

          97a0124b2ff29ef23aaf57002525c62e6cf92c0b618dc0accafc56079b269d99

          SHA512

          57417bfe61fa76e33f632426be697fb6a2644f1c2930e112d4982eabd3ab916f31197e419d6b67ac5a35eb038fa2d7fa7ee57037fb6062217fc6346bbb921704

        • memory/216-79-0x0000000140000000-0x0000000140194000-memory.dmp

          Filesize

          1.6MB

        • memory/216-80-0x00000236B9080000-0x00000236B9087000-memory.dmp

          Filesize

          28KB

        • memory/1376-98-0x000002A4AA680000-0x000002A4AA687000-memory.dmp

          Filesize

          28KB

        • memory/3568-22-0x0000000140000000-0x0000000140193000-memory.dmp

          Filesize

          1.6MB

        • memory/3568-18-0x0000000140000000-0x0000000140193000-memory.dmp

          Filesize

          1.6MB

        • memory/3568-30-0x0000000140000000-0x0000000140193000-memory.dmp

          Filesize

          1.6MB

        • memory/3568-37-0x0000000140000000-0x0000000140193000-memory.dmp

          Filesize

          1.6MB

        • memory/3568-43-0x0000000140000000-0x0000000140193000-memory.dmp

          Filesize

          1.6MB

        • memory/3568-47-0x0000000140000000-0x0000000140193000-memory.dmp

          Filesize

          1.6MB

        • memory/3568-49-0x0000000140000000-0x0000000140193000-memory.dmp

          Filesize

          1.6MB

        • memory/3568-48-0x0000000140000000-0x0000000140193000-memory.dmp

          Filesize

          1.6MB

        • memory/3568-50-0x0000000140000000-0x0000000140193000-memory.dmp

          Filesize

          1.6MB

        • memory/3568-51-0x0000000001F00000-0x0000000001F07000-memory.dmp

          Filesize

          28KB

        • memory/3568-46-0x0000000140000000-0x0000000140193000-memory.dmp

          Filesize

          1.6MB

        • memory/3568-45-0x0000000140000000-0x0000000140193000-memory.dmp

          Filesize

          1.6MB

        • memory/3568-44-0x0000000140000000-0x0000000140193000-memory.dmp

          Filesize

          1.6MB

        • memory/3568-42-0x0000000140000000-0x0000000140193000-memory.dmp

          Filesize

          1.6MB

        • memory/3568-58-0x0000000140000000-0x0000000140193000-memory.dmp

          Filesize

          1.6MB

        • memory/3568-68-0x0000000140000000-0x0000000140193000-memory.dmp

          Filesize

          1.6MB

        • memory/3568-5-0x00007FFE7742A000-0x00007FFE7742B000-memory.dmp

          Filesize

          4KB

        • memory/3568-10-0x0000000140000000-0x0000000140193000-memory.dmp

          Filesize

          1.6MB

        • memory/3568-12-0x0000000140000000-0x0000000140193000-memory.dmp

          Filesize

          1.6MB

        • memory/3568-20-0x0000000140000000-0x0000000140193000-memory.dmp

          Filesize

          1.6MB

        • memory/3568-21-0x0000000140000000-0x0000000140193000-memory.dmp

          Filesize

          1.6MB

        • memory/3568-15-0x0000000140000000-0x0000000140193000-memory.dmp

          Filesize

          1.6MB

        • memory/3568-70-0x0000000140000000-0x0000000140193000-memory.dmp

          Filesize

          1.6MB

        • memory/3568-59-0x00007FFE77E80000-0x00007FFE77E90000-memory.dmp

          Filesize

          64KB

        • memory/3568-16-0x0000000140000000-0x0000000140193000-memory.dmp

          Filesize

          1.6MB

        • memory/3568-17-0x0000000140000000-0x0000000140193000-memory.dmp

          Filesize

          1.6MB

        • memory/3568-19-0x0000000140000000-0x0000000140193000-memory.dmp

          Filesize

          1.6MB

        • memory/3568-4-0x0000000007E40000-0x0000000007E41000-memory.dmp

          Filesize

          4KB

        • memory/3568-41-0x0000000140000000-0x0000000140193000-memory.dmp

          Filesize

          1.6MB

        • memory/3568-14-0x0000000140000000-0x0000000140193000-memory.dmp

          Filesize

          1.6MB

        • memory/3568-40-0x0000000140000000-0x0000000140193000-memory.dmp

          Filesize

          1.6MB

        • memory/3568-39-0x0000000140000000-0x0000000140193000-memory.dmp

          Filesize

          1.6MB

        • memory/3568-38-0x0000000140000000-0x0000000140193000-memory.dmp

          Filesize

          1.6MB

        • memory/3568-35-0x0000000140000000-0x0000000140193000-memory.dmp

          Filesize

          1.6MB

        • memory/3568-36-0x0000000140000000-0x0000000140193000-memory.dmp

          Filesize

          1.6MB

        • memory/3568-34-0x0000000140000000-0x0000000140193000-memory.dmp

          Filesize

          1.6MB

        • memory/3568-33-0x0000000140000000-0x0000000140193000-memory.dmp

          Filesize

          1.6MB

        • memory/3568-32-0x0000000140000000-0x0000000140193000-memory.dmp

          Filesize

          1.6MB

        • memory/3568-31-0x0000000140000000-0x0000000140193000-memory.dmp

          Filesize

          1.6MB

        • memory/3568-13-0x0000000140000000-0x0000000140193000-memory.dmp

          Filesize

          1.6MB

        • memory/3568-11-0x0000000140000000-0x0000000140193000-memory.dmp

          Filesize

          1.6MB

        • memory/3568-7-0x0000000140000000-0x0000000140193000-memory.dmp

          Filesize

          1.6MB

        • memory/3568-9-0x0000000140000000-0x0000000140193000-memory.dmp

          Filesize

          1.6MB

        • memory/3568-29-0x0000000140000000-0x0000000140193000-memory.dmp

          Filesize

          1.6MB

        • memory/3568-28-0x0000000140000000-0x0000000140193000-memory.dmp

          Filesize

          1.6MB

        • memory/3568-27-0x0000000140000000-0x0000000140193000-memory.dmp

          Filesize

          1.6MB

        • memory/3568-26-0x0000000140000000-0x0000000140193000-memory.dmp

          Filesize

          1.6MB

        • memory/3568-25-0x0000000140000000-0x0000000140193000-memory.dmp

          Filesize

          1.6MB

        • memory/3568-24-0x0000000140000000-0x0000000140193000-memory.dmp

          Filesize

          1.6MB

        • memory/3568-23-0x0000000140000000-0x0000000140193000-memory.dmp

          Filesize

          1.6MB

        • memory/4104-0-0x0000000140000000-0x0000000140193000-memory.dmp

          Filesize

          1.6MB

        • memory/4104-8-0x0000000140000000-0x0000000140193000-memory.dmp

          Filesize

          1.6MB

        • memory/4104-1-0x000002DBD57C0000-0x000002DBD57C7000-memory.dmp

          Filesize

          28KB

        • memory/4252-115-0x000001D33F210000-0x000001D33F217000-memory.dmp

          Filesize

          28KB