Analysis

  • max time kernel
    149s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25-01-2024 12:10

General

  • Target

    74aa7a7b1a55a686da6fb64c99496b53.dll

  • Size

    3.2MB

  • MD5

    74aa7a7b1a55a686da6fb64c99496b53

  • SHA1

    baf7fcf0fe7a57031c1285f02cb4a0814e54fa31

  • SHA256

    e12d72cce77128cc87490c508bb9e32003d1141cf5ccc962117961d65c2d71ab

  • SHA512

    6e7d2349024ceb235cb85ddc9c88695796197d9dd84f19518e0639f93f5cd0cd713c216d04f85e961be6115b93e34e4fc39912b8b9262b2f8b69ed7d68ef05b1

  • SSDEEP

    12288:4VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:tfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing banking credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex payload shellcode injected into the Explorer process.

  • Drops startup file 3 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\74aa7a7b1a55a686da6fb64c99496b53.dll,#1
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:3424
  • C:\Windows\system32\EhStorAuthn.exe
    C:\Windows\system32\EhStorAuthn.exe
    PID:1740
    • C:\Users\Admin\AppData\Local\yXJ\EhStorAuthn.exe
      C:\Users\Admin\AppData\Local\yXJ\EhStorAuthn.exe
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2656
    • C:\Windows\system32\Magnify.exe
      C:\Windows\system32\Magnify.exe
      PID:5112
      • C:\Users\Admin\AppData\Local\DWMDW\Magnify.exe
        C:\Users\Admin\AppData\Local\DWMDW\Magnify.exe
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:4080
      • C:\Windows\system32\DisplaySwitch.exe
        C:\Windows\system32\DisplaySwitch.exe
        PID:2532
        • C:\Users\Admin\AppData\Local\33RqMbJFy\DisplaySwitch.exe
          C:\Users\Admin\AppData\Local\33RqMbJFy\DisplaySwitch.exe
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2804

Network

MITRE ATT&CK Enterprise v15


Downloads

        • C:\Users\Admin\AppData\Local\33RqMbJFy\DisplaySwitch.exe

          Filesize

          102KB

          MD5

          c456f9456ab2c10e6a450774a0c5f12d

          SHA1

          ef1a4693f0422b5e33fe05607a40efdac223291e

          SHA256

          304e4bee3e97ee224f61ee69586117de32c4aee6a1d4670d7bc5ac4fdf877407

          SHA512

          8d690cf8b403111dcedbadbe72768c2d22f3d83dc2ed7e6d734c6d142d6ee008baa5062dff8450d5ce9ba4ea4547a1d3c966975528c184d84c8f9e8cdd22c2f0

        • C:\Users\Admin\AppData\Local\33RqMbJFy\DisplaySwitch.exe

          Filesize

          105KB

          MD5

          927469bd68cffc984c7d8a4f70d3e27a

          SHA1

          1816a60271cf6ed0e33b0698375ba6e8481135bb

          SHA256

          70cb5ab064921c435646b71c3e4f8fb2a58abf6b9d91f63a7e105250d77d76a8

          SHA512

          4e8c34a3b915f79fcd4b8124f1f1b778aa067f617ff08f1a44ec965ccb91a4beee225ce4d5b05b03cb14bc692c20ab7e364de7849ef9770eb00f10454c746fd5

        • C:\Users\Admin\AppData\Local\33RqMbJFy\dwmapi.dll

          Filesize

          44KB

          MD5

          299a69a9d497dd1412d3ab0b9dd19842

          SHA1

          3f6f3d975d3f80b940fa5e20357973980a8b59c1

          SHA256

          71a6f6a1270be185841f216578a12d4bcf4da3124c856c299c99d421cef058cf

          SHA512

          187904f53fb9d29fe18bfee786e9dcd640da801fbb16f1377af5001579d7240d13b17a0d6a044ef4251a5866aa230077c01fe0fce00faefdd98fc7af782df70e

        • C:\Users\Admin\AppData\Local\33RqMbJFy\dwmapi.dll

          Filesize

          125KB

          MD5

          f1db6aa239bc086024781eec7677854b

          SHA1

          b77e055837df699913e3fb0d1b865897e3716677

          SHA256

          201315ec402af52015717be57b18d8849d30b0faed1c2d97519e8ebee42323ad

          SHA512

          47556054bce21112365e59341e857c8138dabcdc9098c4c2da9ceb6fed2ae4573010a38fcc46a82b6e22f5cc8953b60ed8149ceb5f3d9feb001d26e77571afa1

        • C:\Users\Admin\AppData\Local\DWMDW\Magnify.exe

          Filesize

          2KB

          MD5

          5da5e2cbe72d985f0f1292ed1bafacf0

          SHA1

          41d36867961c0693e187e018e077e7b49aaab87f

          SHA256

          9774bc5d8dc26260232a7b7d692c6b2d4b6ebaab95e31e0eaf0d198b98039676

          SHA512

          d55a522cf064ba879f32d29240d22fe99ad209f56ff026197a4202838d74f662ba431f3259cc756aaeceb31fb755f56134c6ddf651332d7f5ed862aa38fe52b4

        • C:\Users\Admin\AppData\Local\DWMDW\Magnify.exe

          Filesize

          88KB

          MD5

          899e3acc33ebad157869cca44f246c17

          SHA1

          fb7bc664dcb05c8b374a6a6975fe98d1ff759c3a

          SHA256

          5e82e2db83b30234e55f53d6f9e515732035dbd6fa8429c5523d73b8bdc5f753

          SHA512

          c7c1ff5cb58509042553b186c7fbd2f9a52804a3b87c75a45a977efa6b3d1b7ec5edf97cd7fe5d104e8d1b33087b76cba601efaba1f67c70e06c61817ea29b2a

        • C:\Users\Admin\AppData\Local\DWMDW\OLEACC.dll

          Filesize

          1KB

          MD5

          3daf82f38febfb846ff31d2fde3d0261

          SHA1

          752df68973e944cce9bc108aaffdf169e9e0c344

          SHA256

          75df4874486770d9e9e8009b2b6c884c3d549763361a707b9f4f710cfd4f8b3a

          SHA512

          15e4b87da1091985b015eac0502fe7d07463fdc5a8e02aa6d93a939707f6909025a51dce32d8903292c9eab61d385c4083151fef720143391929c9fa329be58c

        • C:\Users\Admin\AppData\Local\DWMDW\OLEACC.dll

          Filesize

          13KB

          MD5

          9ab6a16141a441aedfb775e91d706e70

          SHA1

          8510537bac495fac273a287efde91f833cccc1f4

          SHA256

          ddacfa9e484fe133c55055210cf24f48625cfbaa07a3cf26801df41fe78a1adb

          SHA512

          5a1e3607a9f5966fb4157f7fabadf02e65cd74e6be39c03f8484ce90448200030acc0874b3d00d0b891b9f9682fe91726448b8db539744f0b2735c3142b7b2e6

        • C:\Users\Admin\AppData\Local\yXJ\EhStorAuthn.exe

          Filesize

          17KB

          MD5

          714add8cad098e4cc8b5b6ea6243b468

          SHA1

          6dc8eea3cfdb9b3d1b0bc9127760eb5573c55462

          SHA256

          0e05f2799dc5044c228f6a5ac3d9cd84b6139005da26c5be1b95f883b716204a

          SHA512

          c9baef1d4417e88eb36e6555632ac53ad6f8ccf9c84e06e369335507c7539c320b994eb12e7d497266fa3c29ad22a49b6bddfccb529b8883af1871ba077394f2

        • C:\Users\Admin\AppData\Local\yXJ\EhStorAuthn.exe

          Filesize

          128KB

          MD5

          d45618e58303edb4268a6cca5ec99ecc

          SHA1

          1f8049fc5ea8b57bb68e19fb55cb9dc1e18e9513

          SHA256

          d527323643be9df4d174c3169c6f2c7854a59b781654bcaebd154cb51fb4219c

          SHA512

          5d7ae663dcfedfaf00836dc018131851e5a40778bd582b417b9f0bbd4bb6d1b2eb8f37f7f5a01cd2beed78b6037ef6eb2a3290248d5e901173b1407990a202bd

        • C:\Users\Admin\AppData\Local\yXJ\UxTheme.dll

          Filesize

          27KB

          MD5

          91f7a3214f77b36e2d11f29a64912313

          SHA1

          90fa67b99df3606dbd33bcf84ec6f6d3155539ad

          SHA256

          7c0fa92783d3d91f3251484ad04f08cab55c6c4a857e5f21c72658b4e13ce282

          SHA512

          7726c9fd2ee4bb7683fdaed48d121d6a47e0112e1eefc2d96f787cf1c1dfcba5b4d4d37fe186271ffee081f325d85e6a3c83f1a410ed7376575c94962b6bc786

        • C:\Users\Admin\AppData\Local\yXJ\UxTheme.dll

          Filesize

          29KB

          MD5

          18de228734bda5f4204c6017d039eefb

          SHA1

          0bce34d79a07fbf533e59440e985088d37dbdf36

          SHA256

          e63fe511780c3adb2cbddb95ea3c728d0ac37d85d3fd91a44a88d12f930cfb83

          SHA512

          1ffb4affdbe439994868b4c007f96c75f9cc5033d4cf3d255a7f971cb563d9289f43cf3a45ef6e56b95db7d022bf0d4a33ebb60eaf41008d7bb81d8d28dfea65

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Aqwbkkvq.lnk

          Filesize

          1KB

          MD5

          a544a2705e4b77593278b9533df83d7b

          SHA1

          df08981052acc2dca538d693e708470d0664d315

          SHA256

          a265f133e04ee2c60277e2098f22365cdb43073df8af45f36d0af24808dab6a4

          SHA512

          8f1abe3b1226688c65728a01ec8d3fcdda7970907f7bcea9d3f30e02471d7d367952b135d512d64b557aae766227606e58a274c4c47564ac478b77b6e7af64e0

        • C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\OdSJwHJVq\3i\dwmapi.dll

          Filesize

          72KB

          MD5

          50490958d2000be16f9095e1680e966a

          SHA1

          67490d6b8a704912b75ae843e5a63218cfef5a74

          SHA256

          84acc5efc3f82c8864f391b7aaa617cac870e08aadf555d1cee9add153f1c693

          SHA512

          e0a4e9b6a58184b743594e9b75034d6042f37d0b0aa1cf17b6c3f1dad2f09b433c21eb562be3d0f631fd2b0a78a1ab8a7eac82728c29a5349096f64ad699f36b

        • C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\OdSJwHJVq\UxTheme.dll

          Filesize

          6KB

          MD5

          1ec502e4532cf2074eac46988cd8e261

          SHA1

          bc9246ba7381da74c2d39db7f44da27550c79c0e

          SHA256

          0a0b4f0d748b8867dcab18d84195dccab762394134ebc504a72ea33f42a243b9

          SHA512

          1396b4369bb562f9f955ec86b6bab2c65d870ed4ac84a0b45a0b0471b73483db26f16657dee0c7a8425de0eb2ca7f7bc744400812b58632385d77f37682a055f

        • C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\OVcMs\OLEACC.dll

          Filesize

          9KB

          MD5

          3c6e5614b2e26c85b365d150c874b67c

          SHA1

          76b2dab45ec1a217a9189fd2296a9781b9312781

          SHA256

          8023573b7c19dc8120d712a9f1f4cb3526532f6a89d76b39048b45c1bff98496

          SHA512

          2394f07628f7dc0c8e7aa9016937de5bdbfb3d4194ae02f3f16da1f1d23753e85e465a32152b8a3b95a198676b4f947b215d68ef0d2859e51e869b034c340919

        • memory/2656-108-0x0000000140000000-0x000000014033F000-memory.dmp

          Filesize

          3.2MB

        • memory/2656-103-0x000001D0917F0000-0x000001D0917F7000-memory.dmp

          Filesize

          28KB

        • memory/2656-101-0x0000000140000000-0x000000014033F000-memory.dmp

          Filesize

          3.2MB

        • memory/2804-140-0x000001D55EE10000-0x000001D55EE17000-memory.dmp

          Filesize

          28KB

        • memory/2804-138-0x0000000140000000-0x000000014033F000-memory.dmp

          Filesize

          3.2MB

        • memory/2804-145-0x0000000140000000-0x000000014033F000-memory.dmp

          Filesize

          3.2MB

        • memory/3424-3-0x000002A917BC0000-0x000002A917BC7000-memory.dmp

          Filesize

          28KB

        • memory/3424-0-0x0000000140000000-0x000000014033E000-memory.dmp

          Filesize

          3.2MB

        • memory/3424-9-0x0000000140000000-0x000000014033E000-memory.dmp

          Filesize

          3.2MB

        • memory/3424-1-0x0000000140000000-0x000000014033E000-memory.dmp

          Filesize

          3.2MB

        • memory/3488-26-0x0000000140000000-0x000000014033E000-memory.dmp

          Filesize

          3.2MB

        • memory/3488-63-0x0000000140000000-0x000000014033E000-memory.dmp

          Filesize

          3.2MB

        • memory/3488-36-0x0000000140000000-0x000000014033E000-memory.dmp

          Filesize

          3.2MB

        • memory/3488-38-0x0000000140000000-0x000000014033E000-memory.dmp

          Filesize

          3.2MB

        • memory/3488-39-0x0000000140000000-0x000000014033E000-memory.dmp

          Filesize

          3.2MB

        • memory/3488-42-0x0000000140000000-0x000000014033E000-memory.dmp

          Filesize

          3.2MB

        • memory/3488-41-0x0000000140000000-0x000000014033E000-memory.dmp

          Filesize

          3.2MB

        • memory/3488-40-0x0000000140000000-0x000000014033E000-memory.dmp

          Filesize

          3.2MB

        • memory/3488-44-0x0000000140000000-0x000000014033E000-memory.dmp

          Filesize

          3.2MB

        • memory/3488-43-0x0000000140000000-0x000000014033E000-memory.dmp

          Filesize

          3.2MB

        • memory/3488-37-0x0000000140000000-0x000000014033E000-memory.dmp

          Filesize

          3.2MB

        • memory/3488-35-0x0000000140000000-0x000000014033E000-memory.dmp

          Filesize

          3.2MB

        • memory/3488-29-0x0000000140000000-0x000000014033E000-memory.dmp

          Filesize

          3.2MB

        • memory/3488-28-0x0000000140000000-0x000000014033E000-memory.dmp

          Filesize

          3.2MB

        • memory/3488-27-0x0000000140000000-0x000000014033E000-memory.dmp

          Filesize

          3.2MB

        • memory/3488-25-0x0000000140000000-0x000000014033E000-memory.dmp

          Filesize

          3.2MB

        • memory/3488-45-0x0000000140000000-0x000000014033E000-memory.dmp

          Filesize

          3.2MB

        • memory/3488-47-0x0000000140000000-0x000000014033E000-memory.dmp

          Filesize

          3.2MB

        • memory/3488-48-0x0000000140000000-0x000000014033E000-memory.dmp

          Filesize

          3.2MB

        • memory/3488-50-0x0000000140000000-0x000000014033E000-memory.dmp

          Filesize

          3.2MB

        • memory/3488-51-0x0000000140000000-0x000000014033E000-memory.dmp

          Filesize

          3.2MB

        • memory/3488-52-0x0000000140000000-0x000000014033E000-memory.dmp

          Filesize

          3.2MB

        • memory/3488-55-0x0000000140000000-0x000000014033E000-memory.dmp

          Filesize

          3.2MB

        • memory/3488-56-0x0000000140000000-0x000000014033E000-memory.dmp

          Filesize

          3.2MB

        • memory/3488-59-0x0000000140000000-0x000000014033E000-memory.dmp

          Filesize

          3.2MB

        • memory/3488-60-0x0000000140000000-0x000000014033E000-memory.dmp

          Filesize

          3.2MB

        • memory/3488-57-0x0000000140000000-0x000000014033E000-memory.dmp

          Filesize

          3.2MB

        • memory/3488-61-0x0000000140000000-0x000000014033E000-memory.dmp

          Filesize

          3.2MB

        • memory/3488-64-0x0000000140000000-0x000000014033E000-memory.dmp

          Filesize

          3.2MB

        • memory/3488-66-0x0000000140000000-0x000000014033E000-memory.dmp

          Filesize

          3.2MB

        • memory/3488-65-0x0000000140000000-0x000000014033E000-memory.dmp

          Filesize

          3.2MB

        • memory/3488-33-0x0000000140000000-0x000000014033E000-memory.dmp

          Filesize

          3.2MB

        • memory/3488-62-0x0000000140000000-0x000000014033E000-memory.dmp

          Filesize

          3.2MB

        • memory/3488-58-0x0000000140000000-0x000000014033E000-memory.dmp

          Filesize

          3.2MB

        • memory/3488-54-0x0000000140000000-0x000000014033E000-memory.dmp

          Filesize

          3.2MB

        • memory/3488-53-0x0000000140000000-0x000000014033E000-memory.dmp

          Filesize

          3.2MB

        • memory/3488-49-0x0000000140000000-0x000000014033E000-memory.dmp

          Filesize

          3.2MB

        • memory/3488-72-0x0000000002F50000-0x0000000002F57000-memory.dmp

          Filesize

          28KB

        • memory/3488-46-0x0000000140000000-0x000000014033E000-memory.dmp

          Filesize

          3.2MB

        • memory/3488-80-0x00007FFBB0A20000-0x00007FFBB0A30000-memory.dmp

          Filesize

          64KB

        • memory/3488-34-0x0000000140000000-0x000000014033E000-memory.dmp

          Filesize

          3.2MB

        • memory/3488-32-0x0000000140000000-0x000000014033E000-memory.dmp

          Filesize

          3.2MB

        • memory/3488-31-0x0000000140000000-0x000000014033E000-memory.dmp

          Filesize

          3.2MB

        • memory/3488-30-0x0000000140000000-0x000000014033E000-memory.dmp

          Filesize

          3.2MB

        • memory/3488-18-0x0000000140000000-0x000000014033E000-memory.dmp

          Filesize

          3.2MB

        • memory/3488-20-0x0000000140000000-0x000000014033E000-memory.dmp

          Filesize

          3.2MB

        • memory/3488-24-0x0000000140000000-0x000000014033E000-memory.dmp

          Filesize

          3.2MB

        • memory/3488-23-0x0000000140000000-0x000000014033E000-memory.dmp

          Filesize

          3.2MB

        • memory/3488-22-0x0000000140000000-0x000000014033E000-memory.dmp

          Filesize

          3.2MB

        • memory/3488-6-0x00007FFBB098A000-0x00007FFBB098B000-memory.dmp

          Filesize

          4KB

        • memory/3488-21-0x0000000140000000-0x000000014033E000-memory.dmp

          Filesize

          3.2MB

        • memory/3488-5-0x0000000008B20000-0x0000000008B21000-memory.dmp

          Filesize

          4KB

        • memory/3488-19-0x0000000140000000-0x000000014033E000-memory.dmp

          Filesize

          3.2MB

        • memory/3488-17-0x0000000140000000-0x000000014033E000-memory.dmp

          Filesize

          3.2MB

        • memory/3488-16-0x0000000140000000-0x000000014033E000-memory.dmp

          Filesize

          3.2MB

        • memory/3488-10-0x0000000140000000-0x000000014033E000-memory.dmp

          Filesize

          3.2MB

        • memory/3488-15-0x0000000140000000-0x000000014033E000-memory.dmp

          Filesize

          3.2MB

        • memory/3488-13-0x0000000140000000-0x000000014033E000-memory.dmp

          Filesize

          3.2MB

        • memory/3488-14-0x0000000140000000-0x000000014033E000-memory.dmp

          Filesize

          3.2MB

        • memory/3488-12-0x0000000140000000-0x000000014033E000-memory.dmp

          Filesize

          3.2MB

        • memory/3488-11-0x0000000140000000-0x000000014033E000-memory.dmp

          Filesize

          3.2MB

        • memory/3488-8-0x0000000140000000-0x000000014033E000-memory.dmp

          Filesize

          3.2MB

        • memory/4080-126-0x0000000140000000-0x000000014033F000-memory.dmp

          Filesize

          3.2MB

        • memory/4080-120-0x000002B1A4F30000-0x000002B1A4F37000-memory.dmp

          Filesize

          28KB