Analysis

  • max time kernel
    150s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags
    arch:x64
    arch:x86
    image:win10v2004-20231222-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    25-01-2024 10:36

General

  • Target

    74792d6438fe27a6b4efb9c1142f875c.dll

  • Size

    1.7MB

  • MD5

    74792d6438fe27a6b4efb9c1142f875c

  • SHA1

    df86d55db627c71dfda71d31b9120875b4763655

  • SHA256

    91f4e0d55b25c852d48512dcc4852c2aa7d950cfb08fbcc53c1f373202032dae

  • SHA512

    c273b6b6e722fed5ebc10f107cce93c97bb4d32fdd89547ce1bf1392f02e1647d4eedfccd9a92cbe7cb0e239897fdce905ec15fc833f0be604856963792aa2b4

  • SSDEEP

    12288:5VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1kt:4fP7fWsK5z9A+WGAW+V5SB6Ct4bnbkt

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\74792d6438fe27a6b4efb9c1142f875c.dll,#1
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:4692
  • C:\Windows\system32\msdt.exe
    C:\Windows\system32\msdt.exe
    PID:1140
  • C:\Users\Admin\AppData\Local\wFCjt\msdt.exe
    C:\Users\Admin\AppData\Local\wFCjt\msdt.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:3400
  • C:\Users\Admin\AppData\Local\FfnzqlJK\RdpSaUacHelper.exe
    C:\Users\Admin\AppData\Local\FfnzqlJK\RdpSaUacHelper.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:3476
  • C:\Windows\system32\RdpSaUacHelper.exe
    C:\Windows\system32\RdpSaUacHelper.exe
    PID:716
  • C:\Users\Admin\AppData\Local\OTzaI\rdpinit.exe
    C:\Users\Admin\AppData\Local\OTzaI\rdpinit.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:4524
  • C:\Windows\system32\rdpinit.exe
    C:\Windows\system32\rdpinit.exe
    PID:3412

Network

MITRE ATT&CK Enterprise v15


Downloads

        • C:\Users\Admin\AppData\Local\FfnzqlJK\RdpSaUacHelper.exe

          Filesize

          33KB

          MD5

          0d5b016ac7e7b6257c069e8bb40845de

          SHA1

          5282f30e90cbd1be8da95b73bc1b6a7d041e43c2

          SHA256

          6a6fdd834af9c79c5ffc5e6b51700030259aeae535f8626df84b07b7d2cee067

          SHA512

          cd44d8b70fc67c692e6966b4ad86a7de9c96df0bade1b3a80cb4767be159d64f3cc04dc5934f7d843b15101865089e43b8aecabddc370b22caf0c48b56b3430e

        • C:\Users\Admin\AppData\Local\FfnzqlJK\WINSTA.dll

          Filesize

          245KB

          MD5

          6d0581515307fc6b7e26202d77b4e063

          SHA1

          62090e1859ee09d8994b0c42d9195f385d9d934a

          SHA256

          7a06114c305de2940833e12b62940cac8a3c2256979b49f1b88b0e61a91797a3

          SHA512

          247974de8d24e2767693b36f3adc270c2b6844fa3549cd38c0df70dd8eca1a06f7559727bb23190ecdfa136f87f26ed31949e66c88c851a639b3a8e0fd901a8e

        • C:\Users\Admin\AppData\Local\FfnzqlJK\WINSTA.dll

          Filesize

          123KB

          MD5

          9d0681089dfd83a892eeb6cc29b021a7

          SHA1

          f115ec028ec7824df238bbc3d5ff901d76a36000

          SHA256

          af2f19e1756e9df9f182ddc6deebd5129ded534d0ca032d3c64acb483f1ffdc9

          SHA512

          f5952d9ad122f44636861f5d83275f407654a84a8c179f0f4b407072064a9adec785cd431f2a41fc5a74504e39be97fe7265207573cf474208a397a0ce7a2f41

        • C:\Users\Admin\AppData\Local\OTzaI\dwmapi.dll

          Filesize

          8KB

          MD5

          389d09e01fb9184888d04112f16bc466

          SHA1

          6a13f97f998cbace5050baa06bcd21d496e8a435

          SHA256

          e55df530bdb56471f87431b481e9042a739ce68eda871148099d389388102698

          SHA512

          a0c64576a32cc654cbd902244b12c26f4f80c1eed0a9e90e0d07851e19be70fd3c7b356c91720552a9c02835664fb915b632dd7b1b26340e1c2dab639fdfd333

        • C:\Users\Admin\AppData\Local\OTzaI\dwmapi.dll

          Filesize

          39KB

          MD5

          5aac2c1f8045fe332460af9584dfa868

          SHA1

          5022435fe9f0f40d6749a72f8482215336c2219a

          SHA256

          7481672e5828384dcc3a01b5410a97bbcfded7cfd656014af01aea09d08b0cac

          SHA512

          5e70e64f91738ec79f61414416e9bf2f4961a562ceca566321adc340ea8a6c9ef440133b46642fdf27e32d57ff2a5d0747bee91b01c6be69d638333f46494f4d

        • C:\Users\Admin\AppData\Local\OTzaI\rdpinit.exe

          Filesize

          258KB

          MD5

          416ba0e9f3f62db4bde9b94d580d5223

          SHA1

          1ea83ba6ed5e7a2efd31ee84b3586b873160ae50

          SHA256

          173a296ee7a3908135016746a171ab7c4ddd77fb6831270d9162891f5325be66

          SHA512

          338ab600b46ea44ed7d6b7873b59a7cd12cce5a2781ca86d55d289daf83cdd30214c98ce623b0e80f724cfc719fd4bc58b0009d14d719bf908847fadcc207b41

        • C:\Users\Admin\AppData\Local\OTzaI\rdpinit.exe

          Filesize

          128KB

          MD5

          38aa845daa16cddd9556f16ddbb4fabf

          SHA1

          37231f69e432cd55fcf654c16557762b96b9a70c

          SHA256

          21218dacba7caf5c9fa53c1fff4996d25ea018e2391c9d625616467f67886b0d

          SHA512

          264ab0d3bf1060f8ff2090c80f3799e45ac60a100e1edb2c0cca28ce74a02c64b9d49d77bdf44e9784f863d220d4bd067f43838528d5d19bc71d074fa193cba5

        • C:\Users\Admin\AppData\Local\wFCjt\msdt.exe

          Filesize

          174KB

          MD5

          1dc6a652c33b05a63a9b85d14b292623

          SHA1

          e5df0ff8400a0dfaf19894614abe5bd34d8624af

          SHA256

          4eee00466b15e374522456e2cafec9449c6582b6d1eb0687f5e3b1d969b20f28

          SHA512

          52da262c5e34ec56fbd5f6c61482db639ddcb9c865062f902b768eaa12a98643395bc361c84ef057b82e941f8ce5626d6c58c1a453f793a1e88874caea43d51d

        • C:\Users\Admin\AppData\Local\wFCjt\msdt.exe

          Filesize

          285KB

          MD5

          dccd8dd3a5c247d80602e949aa2772d9

          SHA1

          1b635cc5629f2c7ede0f06970170d36e42ecf831

          SHA256

          90b80b978416f2276ae418e03ccc29c55b14fb2cd8161398761305a88a8785d6

          SHA512

          7011d8674b80951417a7d83900da38f283abe37087e1c6fac792afae6cff086156be4a2151642fab692f9c6989c06b7173386f011cecbb6e7411984375aec2dc

        • C:\Users\Admin\AppData\Local\wFCjt\wer.dll

          Filesize

          81KB

          MD5

          855d1850dbadfdc6641f2c011d69269a

          SHA1

          9dcd844a81972566621b4736e869dcbfa3a7cc29

          SHA256

          4690875a323e8ca0081c1f6ae1b49a90e96be025922ed9712e571bf9d99428fb

          SHA512

          a715e246869988d6cb057b042bc3441d96829fd130f9a5f17a93ccdf46e1f994535feaa76b2f87e58f68c5788a53184ed5fc6465b31f5c28044c1fee99e1deb4

        • C:\Users\Admin\AppData\Local\wFCjt\wer.dll

          Filesize

          322KB

          MD5

          3196a3d3df9e20023f534b81348e2e9c

          SHA1

          cc9a4912655657ba6b779e88936287b83cce9303

          SHA256

          e237ad3108e8f9b5027247381e8ffc96e922621a643afa5b1d61a2c023083ff2

          SHA512

          8a7b7481024a507eabc4df318e65f85bfc904eab20a00e530d414f3a7636b2895ae8b51dd9fad31ed1ed5d7b538f555b5a880dfc1778e640af20d0bd16267fe5

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Wdush.lnk

          Filesize

          1KB

          MD5

          d5850ddea424a6a861fe5e4af86f0537

          SHA1

          662909397e3d155c790168b1a089b94dca7c145f

          SHA256

          f363a2ec38f3a8d4df28df2216c75057cf4dae836c5dd8bca6b46d2f16aecdb7

          SHA512

          762506c97ca35198f14c11de67b503cbeaf0803bf0ff331ae923655d15218a21e2c53a330e08021b0cf8043bb995734ac00ad139fcb235c995c8808cad63c618

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\sOP45Z1AI\IRBiIF9rz\dwmapi.dll

          Filesize

          1.7MB

          MD5

          0b562cc32bc649840aa297a0edf3b589

          SHA1

          76d4d5be8737b37548db0be0ae7830ac7e3179cc

          SHA256

          f2990ec7cf3d3499cd0dd1e421f9e45f491830a1241c8fa4b42cc12a8bb2f7db

          SHA512

          f0e7ef0e95207f190ecfc0060109829681a2f30561b0f6aae596a73f23c4aa4ab999c8f773dad8c6a0b946de284b88cac083f35a4a2cc7700dc97f39b0eff25f

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\sOP45Z1AI\wer.dll

          Filesize

          1.7MB

          MD5

          0def2204fca1bc7279d41059036d6d4e

          SHA1

          40a0df8a2af05667101da2a41b29d1140da4ffb3

          SHA256

          cb6c4db8e86f4bf044c9e5f1b122cbf5d678cf4513e63471f1e1013afa1c2ece

          SHA512

          7a90b68caaba96c6f4f27c9606875528e470e9ac1f60782c961b02353ee07c7264705f558e3a9cb20406d3ffb77b52688e3b64776b6cc1fdba203da3d169f582

        • C:\Users\Admin\AppData\Roaming\Mozilla\Extensions\6w\WINSTA.dll

          Filesize

          1.7MB

          MD5

          15245ed1a2eab75e90beab958e2efc76

          SHA1

          54242bb7bf665e07d3c7f82ec89d353531ec5096

          SHA256

          4fb6083df9dd0c0a6d61f9bc5c04781fcc82209955d194987af5e76329765002

          SHA512

          06cdbbe63aede531e02ebd4849e15033938f7680e4510a35026c185d9aa58219e468187204ab87d493d577a2cb6dd219b0a026b555c3f074edfc242eb4b1bcf6

        • Memory dumps (process, region, size, snapshot numbers; PID 3512 is not listed in the process tree above)

          PID 3400   0x0000000140000000-0x00000001401AE000   1.7MB   snapshots 63, 68
          PID 3400   0x00000163F8A50000-0x00000163F8A57000   28KB    snapshot 62
          PID 3476   0x0000000140000000-0x00000001401AE000   1.7MB   snapshot 102
          PID 3476   0x0000024CE8C20000-0x0000024CE8C27000   28KB    snapshot 98
          PID 3512   0x0000000140000000-0x00000001401AC000   1.7MB   snapshots 7, 9-33, 41, 51, 53
          PID 3512   0x0000000003370000-0x0000000003377000   28KB    snapshot 35
          PID 3512   0x0000000003390000-0x0000000003391000   4KB     snapshot 4
          PID 3512   0x00007FFFFBC9A000-0x00007FFFFBC9B000   4KB     snapshot 5
          PID 3512   0x00007FFFFD200000-0x00007FFFFD210000   64KB    snapshot 44
          PID 4524   0x0000000140000000-0x00000001401AD000   1.7MB   snapshots 80, 85
          PID 4524   0x000001E277C80000-0x000001E277C87000   28KB    snapshot 79
          PID 4692   0x0000000140000000-0x00000001401AC000   1.7MB   snapshots 1, 8
          PID 4692   0x000001942D9B0000-0x000001942D9B7000   28KB    snapshot 0