Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25-01-2024 01:48

General

  • Target

    736aa5c70532729a4ab7c493762c3d38.dll

  • Size

    1.8MB

  • MD5

    736aa5c70532729a4ab7c493762c3d38

  • SHA1

    4d8366a845fc4143af2ebb056656bdfec85bb91a

  • SHA256

    fa34c06663e6fca8921608ebcdb3bd6056258c39f2270a46397eb552e3396575

  • SHA512

    1180962f8ea4b01a8521271a51290a752d53cc389be6345c64735c84b2ef6f9640b6880e058350a02b5075ad5be839b13caab461740da5399bb6f95aa9811448

  • SSDEEP

    12288:fVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:WfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\736aa5c70532729a4ab7c493762c3d38.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1628
  • C:\Windows\system32\consent.exe
    C:\Windows\system32\consent.exe
    1⤵
      PID:4212
    • C:\Users\Admin\AppData\Local\R6V8l\consent.exe
      C:\Users\Admin\AppData\Local\R6V8l\consent.exe
      1⤵
      • Executes dropped EXE
      PID:5016
    • C:\Windows\system32\perfmon.exe
      C:\Windows\system32\perfmon.exe
      1⤵
        PID:3360
      • C:\Users\Admin\AppData\Local\t8Irx\perfmon.exe
        C:\Users\Admin\AppData\Local\t8Irx\perfmon.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:1984
      • C:\Windows\system32\tabcal.exe
        C:\Windows\system32\tabcal.exe
        1⤵
          PID:2572
        • C:\Windows\system32\mspaint.exe
          C:\Windows\system32\mspaint.exe
          1⤵
            PID:2176
          • C:\Users\Admin\AppData\Local\6IK\tabcal.exe
            C:\Users\Admin\AppData\Local\6IK\tabcal.exe
            1⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Checks whether UAC is enabled
            PID:5000
          • C:\Users\Admin\AppData\Local\TGkLKW\mspaint.exe
            C:\Users\Admin\AppData\Local\TGkLKW\mspaint.exe
            1⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Checks whether UAC is enabled
            PID:2864

Network

MITRE ATT&CK Enterprise v15

Downloads

          • C:\Users\Admin\AppData\Local\6IK\HID.DLL

            Filesize

            247KB

            MD5

            7ed1431b8b5ee5500db3ff397e36d893

            SHA1

            0110a6efc457986e33b2df409e3159de901a2b1c

            SHA256

            48d24aa440b086ee74523ec19b8ee1015562dec7b7a90b0b8e2e4a48ff4574a5

            SHA512

            9a39ddc98f61449077b198649ba540a0056161d60ab872391b23ef24a6b416e99194799895a91ad88bbc3551a84e82ccedf981df411cde97590ecf067266deb5

          • C:\Users\Admin\AppData\Local\6IK\HID.DLL

            Filesize

            181KB

            MD5

            f2f4fbef7c9d65ffa977c9b9cb4f898c

            SHA1

            f67c424289864f6324fedcf50c3d8b455e9d9e69

            SHA256

            54feaa2a3b5fecf31b7965e6c8ed6dee41401da3087ce98042b0c18925904559

            SHA512

            b447277861dd4d0943bff73ca82f9da27d5a392ca2b9c94695c3cf30256b898b3e1ae9e27fb46f28de65175d99abefc36adacecdb7ff989aba823d1fbdf5ce25

          • C:\Users\Admin\AppData\Local\6IK\tabcal.exe

            Filesize

            84KB

            MD5

            40f4014416ff0cbf92a9509f67a69754

            SHA1

            1798ff7324724a32c810e2075b11c09b41e4fede

            SHA256

            f31b4c751dbca276446119ba775787c3eb032da72eabcd40ad96a55826a3f33c

            SHA512

            646dfe4cfe90d068c3da4c35f7053bb0f57687875a0f3469c0683e707306e6a42b0baca3e944d78f9be5c564bb0600202c32c223a770f89d3e2b07a24673c259

          • C:\Users\Admin\AppData\Local\R6V8l\consent.exe

            Filesize

            162KB

            MD5

            6646631ce4ad7128762352da81f3b030

            SHA1

            1095bd4b63360fc2968d75622aa745e5523428ab

            SHA256

            56b2d516376328129132b815e22379ae8e7176825f059c9374a33cc844482e64

            SHA512

            1c00ed5d8568f6ebd119524b61573cfe71ca828bd8fbdd150158ec8b5db65fa066908d120d201fce6222707bcb78e0c1151b82fdc1dccf3ada867cb810feb6da

          • C:\Users\Admin\AppData\Local\TGkLKW\MFC42u.dll

            Filesize

            476KB

            MD5

            a67f6c0c5b7664f5a2aaf056c494e6c2

            SHA1

            52ae78be4e41376b83f7be835334974c84a2db6c

            SHA256

            bb1094665225e5c8eb42bb16a68c4f6f2bce5b16c6a8cac781c2278ffe7bbcc1

            SHA512

            9621669a34135205d6328c1dcbe176a57a966d1c1872665a128cce17b71c24c6dcfb7c0e1d285456e9b7d6de80a5bc40e2ccfb8352b4150cad776489d5806144

          • C:\Users\Admin\AppData\Local\TGkLKW\MFC42u.dll

            Filesize

            822KB

            MD5

            326bdb872bf4c18bdbf05f85d73abaae

            SHA1

            ce763ea71276eb13396783fa1641827759980de3

            SHA256

            894d9eefcfcd5c33d8d4cd64ac28aa566e4f26b63e9a29d73ccb91ba6b6d961c

            SHA512

            b88af2871af13abe8fa029cb3e6e10cbb9d5246ceb19ae750209b0cd07fa74a05886143159605925385442029f032610b4447b8043cfd92cb5c554ee6b1a8a5e

          • C:\Users\Admin\AppData\Local\TGkLKW\mspaint.exe

            Filesize

            918KB

            MD5

            42684e8605a33d33e4707ca9e5ab3da9

            SHA1

            3847f868319bed6db65c0a113eb0fd0ee1977682

            SHA256

            9af583e4e016595fac497f5c536f67d198e27b847af1ab90c0ec39d9cd081524

            SHA512

            7a85eeb0cbbbaa275a86797b6829f15b163f5735465d427c5cf90f7b8172cbaeca47217a6b8aa75a06ca8837d35daa561d238070eb4dc32838fcb65728864b90

          • C:\Users\Admin\AppData\Local\TGkLKW\mspaint.exe

            Filesize

            542KB

            MD5

            e166e34dedd8688d836afd921314d6d1

            SHA1

            81b13421919d41eea362e582fc123bbdaa79d2c7

            SHA256

            55efdea9bcc3b41c4d4ff3739df58786fb7d8b4922a12af6936a5417f5427445

            SHA512

            f66d8ef1bba62b38ba45d8c7bc14df57b2d57dc89185962c6d29f00e71a8f4a05ce60c985b652bd029d933d58934961ebaf1d2c53e31f03ff726ebe0b098b041

          • C:\Users\Admin\AppData\Local\t8Irx\credui.dll

            Filesize

            337KB

            MD5

            357276d19be2fcce36116c0fcb693b46

            SHA1

            9e8c6bf3b9f9d935268b92d7c9cd7cde2e4d8572

            SHA256

            37afbc207ad20c5904c01765a79d38dd3941814f24cda62388d5951d5e6493e9

            SHA512

            e3ada519d8edff655860f9ab523557811d0d552842521712ed00715222b103f4e6710db73c0659d6ec6baff5b75cfc1da7442f010d9c2f1724bb9b48a24b5509

          • C:\Users\Admin\AppData\Local\t8Irx\credui.dll

            Filesize

            376KB

            MD5

            2e6eac83b1c28747493f3c82d6459dc6

            SHA1

            54aff036806a238258ab7315586b1d85767b3c34

            SHA256

            b178ccea4e052d5b6bf0e9466601ccbd791db5a593789fa5af48f090d99c8961

            SHA512

            803ad88e765905da6aac8bca8cbb1163d05b6f755f42b7b89d9e496e4776054b10da10a7bac777b85fe45780e38c940dc99ba6b61e32139741f237caf7b68367

          • C:\Users\Admin\AppData\Local\t8Irx\perfmon.exe

            Filesize

            177KB

            MD5

            d38aa59c3bea5456bd6f95c73ad3c964

            SHA1

            40170eab389a6ba35e949f9c92962646a302d9ef

            SHA256

            5f041cff346fb37e5c5c9dab3c1272c76f8b5f579205170e97d2248d04a4ea0c

            SHA512

            59fa552a46e5d6237c7244b03d09d60e9489217b4319a212e822c73fe1f31a81837cb906ae7da92072bd3d9263fe0b967e073110ba81da3a90126f25115fff68

          • C:\Users\Admin\AppData\Local\t8Irx\perfmon.exe

            Filesize

            123KB

            MD5

            f4f9a2c0fd8cdd76bdd0d08f7695cd07

            SHA1

            f74397795f6a54b20198d7b1ff54e64730800d47

            SHA256

            6201fd292638b5b00182d98f0bd48247fa654bcc78803669a8d944bcaebc653c

            SHA512

            62431302cdebbab357e25173320824b5ed5b8359edeb00f5c11715837386ac247f5d0f492f32958e2549c59986c8c7ebfa8118d2c811e188484f582b7646046b

          • C:\Users\Admin\AppData\Roaming\Adobe\uuQQDoCZ\credui.dll

            Filesize

            1.8MB

            MD5

            5648979db1f3fee886cc2ad3b3373548

            SHA1

            540ee4fbeed1f4508a368edf8d106ce7f260f804

            SHA256

            e86d31d808570bb6100b4ff6495fce74e310e7d5846fbc63a29bd67331fa7be0

            SHA512

            032ce43d4435cd963c375e6a0c8f908beba8833e2cf28a4eee81181a59fdac481879329cd36daaa8ab4831ba6ed4258c0de12825049d0b7e6234b112d1d56bb2

          • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Gvhynkxuzozqjys.lnk

            Filesize

            1KB

            MD5

            9f53967e1c293653faa833eed3b78aa5

            SHA1

            356a08b6ff5254967f756d825ab3023960c5d452

            SHA256

            bd63a8aa3b580cec7e5a6e2a19e924e10da6c290b5428c9a3b4ae9b778eac749

            SHA512

            862332b7cc78db6abd6da30d312a242ee459b9286e9f580c54f4ca3fca68ec51aaa9c5a2d9a12b407e180a076cbd36a7cb84a8349965390d9e502b02dab9693a

          • C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\16.0\ckpDAQ3F\MFC42u.dll

            Filesize

            1.8MB

            MD5

            03e31b0416674efa7d9f74c0ba890289

            SHA1

            c5ff2ca131b7fbba3bb01f04fb97396409d93d46

            SHA256

            c1a2dfc8222074db49dc1a074fecada3e74ef50892a5c23850dab950b6e6cf8c

            SHA512

            3e9deb984d1f0425b868ef2e80f4bad48ddf03b2902d201a424b9d2dcb72ea52a3e21f8c1f71e4b2561011c171f62fe694e03d5d8f5e22126ee776133e5eb32b

          • C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\16.0\ckpDAQ3F\mspaint.exe

            Filesize

            650KB

            MD5

            b33df8683fc4cbff364a8a1b91adb5c9

            SHA1

            fde72cf5f9c7300402375e71563e1908db5d3a05

            SHA256

            d2ce468f6f374d60f488da2c28cb625f9b70323424e3ce638235a7f88b176f1b

            SHA512

            4322f7f87f8e04725e184facdf78d95bb03093a232ab134696f368b57bf097fe44d9cd44b2cfe8e898f6ed6ff917034d31f364e8da6f81ba03cdcb58e4ecb801

          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\IWLFXJn1gD\HID.DLL

            Filesize

            1.8MB

            MD5

            319c412643df6904316145a6c05ea9a7

            SHA1

            c044196d9cc517dfd0b015f176b4b34e95b9a6aa

            SHA256

            3d95bbfcd29ae12a732f426f13235608a52843e7f61b1c15eceae31bb0c676f0

            SHA512

            7e0e372fc31b449367bb8d3f3374791aa144a153e2c27b87c5c915a5698181f8f1b362f26483200a9c6866f60e4d10c286468af034109ded21402041fd34a69d

          • memory/1628-10-0x0000000140000000-0x00000001401D2000-memory.dmp

            Filesize

            1.8MB

          • memory/1628-1-0x0000000140000000-0x00000001401D2000-memory.dmp

            Filesize

            1.8MB

          • memory/1628-0-0x0000000140000000-0x00000001401D2000-memory.dmp

            Filesize

            1.8MB

          • memory/1628-3-0x000001EEEF410000-0x000001EEEF417000-memory.dmp

            Filesize

            28KB

          • memory/1984-96-0x0000000140000000-0x00000001401D3000-memory.dmp

            Filesize

            1.8MB

          • memory/1984-88-0x0000000140000000-0x00000001401D3000-memory.dmp

            Filesize

            1.8MB

          • memory/1984-91-0x000001311E8A0000-0x000001311E8A7000-memory.dmp

            Filesize

            28KB

          • memory/1984-89-0x0000000140000000-0x00000001401D3000-memory.dmp

            Filesize

            1.8MB

          • memory/2864-130-0x000002A89BA80000-0x000002A89BA87000-memory.dmp

            Filesize

            28KB

          • memory/2864-127-0x0000000140000000-0x00000001401D9000-memory.dmp

            Filesize

            1.8MB

          • memory/2864-133-0x0000000140000000-0x00000001401D9000-memory.dmp

            Filesize

            1.8MB

          • memory/3368-23-0x0000000140000000-0x00000001401D2000-memory.dmp

            Filesize

            1.8MB

          • memory/3368-31-0x0000000140000000-0x00000001401D2000-memory.dmp

            Filesize

            1.8MB

          • memory/3368-34-0x0000000140000000-0x00000001401D2000-memory.dmp

            Filesize

            1.8MB

          • memory/3368-35-0x0000000140000000-0x00000001401D2000-memory.dmp

            Filesize

            1.8MB

          • memory/3368-25-0x0000000140000000-0x00000001401D2000-memory.dmp

            Filesize

            1.8MB

          • memory/3368-36-0x0000000140000000-0x00000001401D2000-memory.dmp

            Filesize

            1.8MB

          • memory/3368-37-0x0000000140000000-0x00000001401D2000-memory.dmp

            Filesize

            1.8MB

          • memory/3368-39-0x0000000140000000-0x00000001401D2000-memory.dmp

            Filesize

            1.8MB

          • memory/3368-38-0x0000000140000000-0x00000001401D2000-memory.dmp

            Filesize

            1.8MB

          • memory/3368-41-0x0000000140000000-0x00000001401D2000-memory.dmp

            Filesize

            1.8MB

          • memory/3368-40-0x0000000140000000-0x00000001401D2000-memory.dmp

            Filesize

            1.8MB

          • memory/3368-42-0x0000000140000000-0x00000001401D2000-memory.dmp

            Filesize

            1.8MB

          • memory/3368-43-0x0000000140000000-0x00000001401D2000-memory.dmp

            Filesize

            1.8MB

          • memory/3368-45-0x0000000140000000-0x00000001401D2000-memory.dmp

            Filesize

            1.8MB

          • memory/3368-44-0x0000000140000000-0x00000001401D2000-memory.dmp

            Filesize

            1.8MB

          • memory/3368-46-0x0000000140000000-0x00000001401D2000-memory.dmp

            Filesize

            1.8MB

          • memory/3368-47-0x0000000140000000-0x00000001401D2000-memory.dmp

            Filesize

            1.8MB

          • memory/3368-48-0x0000000140000000-0x00000001401D2000-memory.dmp

            Filesize

            1.8MB

          • memory/3368-50-0x0000000140000000-0x00000001401D2000-memory.dmp

            Filesize

            1.8MB

          • memory/3368-49-0x0000000140000000-0x00000001401D2000-memory.dmp

            Filesize

            1.8MB

          • memory/3368-52-0x0000000000400000-0x0000000000407000-memory.dmp

            Filesize

            28KB

          • memory/3368-51-0x0000000140000000-0x00000001401D2000-memory.dmp

            Filesize

            1.8MB

          • memory/3368-59-0x0000000140000000-0x00000001401D2000-memory.dmp

            Filesize

            1.8MB

          • memory/3368-60-0x00007FFA6DFA0000-0x00007FFA6DFB0000-memory.dmp

            Filesize

            64KB

          • memory/3368-69-0x0000000140000000-0x00000001401D2000-memory.dmp

            Filesize

            1.8MB

          • memory/3368-71-0x0000000140000000-0x00000001401D2000-memory.dmp

            Filesize

            1.8MB

          • memory/3368-32-0x0000000140000000-0x00000001401D2000-memory.dmp

            Filesize

            1.8MB

          • memory/3368-33-0x0000000140000000-0x00000001401D2000-memory.dmp

            Filesize

            1.8MB

          • memory/3368-30-0x0000000140000000-0x00000001401D2000-memory.dmp

            Filesize

            1.8MB

          • memory/3368-29-0x0000000140000000-0x00000001401D2000-memory.dmp

            Filesize

            1.8MB

          • memory/3368-28-0x0000000140000000-0x00000001401D2000-memory.dmp

            Filesize

            1.8MB

          • memory/3368-26-0x0000000140000000-0x00000001401D2000-memory.dmp

            Filesize

            1.8MB

          • memory/3368-27-0x0000000140000000-0x00000001401D2000-memory.dmp

            Filesize

            1.8MB

          • memory/3368-24-0x0000000140000000-0x00000001401D2000-memory.dmp

            Filesize

            1.8MB

          • memory/3368-22-0x0000000140000000-0x00000001401D2000-memory.dmp

            Filesize

            1.8MB

          • memory/3368-19-0x0000000140000000-0x00000001401D2000-memory.dmp

            Filesize

            1.8MB

          • memory/3368-20-0x0000000140000000-0x00000001401D2000-memory.dmp

            Filesize

            1.8MB

          • memory/3368-5-0x0000000002610000-0x0000000002611000-memory.dmp

            Filesize

            4KB

          • memory/3368-9-0x0000000140000000-0x00000001401D2000-memory.dmp

            Filesize

            1.8MB

          • memory/3368-7-0x0000000140000000-0x00000001401D2000-memory.dmp

            Filesize

            1.8MB

          • memory/3368-21-0x0000000140000000-0x00000001401D2000-memory.dmp

            Filesize

            1.8MB

          • memory/3368-18-0x0000000140000000-0x00000001401D2000-memory.dmp

            Filesize

            1.8MB

          • memory/3368-17-0x0000000140000000-0x00000001401D2000-memory.dmp

            Filesize

            1.8MB

          • memory/3368-16-0x0000000140000000-0x00000001401D2000-memory.dmp

            Filesize

            1.8MB

          • memory/3368-15-0x0000000140000000-0x00000001401D2000-memory.dmp

            Filesize

            1.8MB

          • memory/3368-14-0x0000000140000000-0x00000001401D2000-memory.dmp

            Filesize

            1.8MB

          • memory/3368-13-0x0000000140000000-0x00000001401D2000-memory.dmp

            Filesize

            1.8MB

          • memory/3368-12-0x0000000140000000-0x00000001401D2000-memory.dmp

            Filesize

            1.8MB

          • memory/3368-11-0x0000000140000000-0x00000001401D2000-memory.dmp

            Filesize

            1.8MB

          • memory/3368-8-0x00007FFA6C4BA000-0x00007FFA6C4BB000-memory.dmp

            Filesize

            4KB

          • memory/5000-115-0x0000000140000000-0x00000001401D3000-memory.dmp

            Filesize

            1.8MB

          • memory/5000-107-0x0000000140000000-0x00000001401D3000-memory.dmp

            Filesize

            1.8MB

          • memory/5000-110-0x0000024D08C90000-0x0000024D08C97000-memory.dmp

            Filesize

            28KB