Analysis

  • max time kernel
    157s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24-01-2024 14:05

General

  • Target

    726f982410725cb34272e9e44b3c0310.dll

  • Size

    2.0MB

  • MD5

    726f982410725cb34272e9e44b3c0310

  • SHA1

    8450bd8609660c8fee5e0a8460e391b44ef07bfd

  • SHA256

    1af3b38b228078c0c78e70ef3bf82e55635240069d5f982819899db2bf5d9972

  • SHA512

    e1540efb22d0c7bf2f5a0f1a9ad38f0d78d741db0c49c4628f620f315e4a093b449628b12aabd597c89042344318b3db6dad4ca03e3390d67944c84f72cfb728

  • SSDEEP

    12288:MVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:5fP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex payload shellcode injected into the Explorer process.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\726f982410725cb34272e9e44b3c0310.dll,#1
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:3756
  • C:\Windows\system32\dwm.exe
    C:\Windows\system32\dwm.exe
    PID:4912
    • C:\Users\Admin\AppData\Local\Lon\dwm.exe
      C:\Users\Admin\AppData\Local\Lon\dwm.exe
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2260
    • C:\Windows\system32\wscript.exe
      C:\Windows\system32\wscript.exe
      PID:4672
      • C:\Users\Admin\AppData\Local\QiLahXPh\wscript.exe
        C:\Users\Admin\AppData\Local\QiLahXPh\wscript.exe
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2468
      • C:\Windows\system32\dxgiadaptercache.exe
        C:\Windows\system32\dxgiadaptercache.exe
        PID:3476
        • C:\Users\Admin\AppData\Local\2E7\dxgiadaptercache.exe
          C:\Users\Admin\AppData\Local\2E7\dxgiadaptercache.exe
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:4396

Downloads

        • C:\Users\Admin\AppData\Local\2E7\dxgi.dll

          Filesize

          2.0MB

          MD5

          16c98692c5084c130b1e879d2a897d9d

          SHA1

          251f0fc95f148648d70765dd56015b0448f35ed6

          SHA256

          1004e2a96c12a2e36ff82b030e9e52e29709be8711692036b73ec68485393468

          SHA512

          4ba9fabd865fdef392ccd655c94178e094fd3214d960b116f59203f27718380aa15a7eb1c536a8644b2a2fd14da15d08569c3f14952eca700894f6c81a41c1f0

        • C:\Users\Admin\AppData\Local\2E7\dxgiadaptercache.exe

          Filesize

          230KB

          MD5

          e62f89130b7253f7780a862ed9aff294

          SHA1

          b031e64a36e93f95f2061be5b0383069efac2070

          SHA256

          4bea9f741fe4ca9d6262477849896b9fa6377326d11af044561c31bde2d994b5

          SHA512

          05649d38a0b5d825bb8442549427b0ff77b139c9dd297b04d6c0fb1415504c95ed750cd79efea2ff514abfc5d1003e6251a3cd871d352dcea06be0cdeb0304f7

        • C:\Users\Admin\AppData\Local\Lon\dwm.exe

          Filesize

          92KB

          MD5

          5c27608411832c5b39ba04e33d53536c

          SHA1

          f92f8b7439ce1de4c297046ed1d3ff9f20bc97af

          SHA256

          0ac827c9e35cdaa492ddd435079415805dcc276352112b040bcd34ef122cf565

          SHA512

          1fa25eabc08dff9ea25dfa7da310a677927c6344b76815696b0483f8860fa1469820ff15d88a78ed32f712d03003631d9aceaf9c9851de5dd40c1fc2a7bc1309

        • C:\Users\Admin\AppData\Local\Lon\dxgi.dll

          Filesize

          2.0MB

          MD5

          ba5bc234bab1074284c75a7a5061abd2

          SHA1

          42b69a8a48846a96dae731d35d572d91b50f5349

          SHA256

          bf931d98854caaa34f32ad71bb0b5426f960f9dc92f13d985acafe63d7c32d71

          SHA512

          3ee9598562262df8a422f0e5c264a70e6ccf72abc4ec436549b3acdced811ac73cf128a8dbb7abe8d8fdca0d3c46a6c044575d78d961da7c51f4eb2e570fb3d6

        • C:\Users\Admin\AppData\Local\QiLahXPh\VERSION.dll

          Filesize

          2.0MB

          MD5

          cdd945637df738d5e01f46dadc42150f

          SHA1

          a2653caf9defd9c4ac10abcba29497e53c017548

          SHA256

          5e8b2944c60588abf9dafd922207ec9d1affd026bbd90b56fdb257b95456071c

          SHA512

          2debce4a16eda445949d2f38f1aa760b983d8a3a341c22fbdc5da4a1e66a22b3a948dac5eb27d7739cf57c5bd9956bc7aebccbb17baa74279793198030ee6fa0

        • C:\Users\Admin\AppData\Local\QiLahXPh\wscript.exe

          Filesize

          166KB

          MD5

          a47cbe969ea935bdd3ab568bb126bc80

          SHA1

          15f2facfd05daf46d2c63912916bf2887cebd98a

          SHA256

          34008e2057df8842df210246995385a0441dc1e081d60ad15bd481e062e7f100

          SHA512

          f5c81e6dc4d916944304fc85136e1ff6dee29a21e50a54fe6280a475343eccbfe094171d62475db5f38e07898c061126158c34d48b9d8f4f57f76d49e564e3fc

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Btpzaqnqvnv.lnk

          Filesize

          1KB

          MD5

          19cbd2347125c2aebda1917c9e9203ef

          SHA1

          57653a3ea430e99adc834f056101e9d0211af67c

          SHA256

          e2cd6d8174ba1e4ebe1ca5d2e880ee9e309c62f78f7ec99b765011d380f0d5ee

          SHA512

          cad13580d54aa26ec8cecb3a46b01c948eba5f9719cb604faf15f0038757414849e269279797d1e73d3b4114d7fd14c90f15be281d8bfd76bb34f2a1226d0f6d
