Resubmissions

11-02-2024 10:09

240211-l6zqlafa8x 10

26-01-2024 22:07

240126-116dhsfch6 10

Analysis

  • max time kernel
    150s
  • max time network
    122s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26-01-2024 22:07

General

  • Target

    78833dc80091e76f426f64b576358fef.dll

  • Size

    1.9MB

  • MD5

    78833dc80091e76f426f64b576358fef

  • SHA1

    73bf7b969ae33dfbf064bd0ae6eba9e5caf12a49

  • SHA256

    c004c89e8e9190bf7629831fa4b9f1a6a90510777e4d233e119b0f4902f66222

  • SHA512

    083b730c34431022a4cea13721af99a789820de1b135a9eff815bbe7a7a8f4e7162576c3c821fb781a2366ab78d83c5382744de3a032b3af02e3db2320557a28

  • SSDEEP

    12288:9VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1Mt:kfP7fWsK5z9A+WGAW+V5SB6Ct4bnbMt

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat or Cridex) is a banking trojan that specializes in stealing banking credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex payload shellcode injected into the Explorer process.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\78833dc80091e76f426f64b576358fef.dll,#1
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:4952
  • C:\Users\Admin\AppData\Local\EfSUafuH8\raserver.exe
    C:\Users\Admin\AppData\Local\EfSUafuH8\raserver.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:968
  • C:\Windows\system32\raserver.exe
    C:\Windows\system32\raserver.exe
    PID:1808
  • C:\Windows\system32\GamePanel.exe
    C:\Windows\system32\GamePanel.exe
    PID:4124
  • C:\Windows\system32\SysResetErr.exe
    C:\Windows\system32\SysResetErr.exe
    PID:4816
  • C:\Users\Admin\AppData\Local\pkV\GamePanel.exe
    C:\Users\Admin\AppData\Local\pkV\GamePanel.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:4832
  • C:\Users\Admin\AppData\Local\3eOQ\SysResetErr.exe
    C:\Users\Admin\AppData\Local\3eOQ\SysResetErr.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:1612

        Network

        MITRE ATT&CK Enterprise v15


Downloads

A path that appears more than once (for example 3eOQ\DUI70.dll at 246KB and again at 187KB) was written with different content more than once during the run; each entry below carries its own hashes, and each hash is a usable indicator on its own.

  • C:\Users\Admin\AppData\Local\3eOQ\DUI70.dll
    Filesize 246KB
    MD5 6798a21b27de1172afab7aded7a877d6
    SHA1 d3447fe4c629ada17528c904bc4d972fc4fcc9f3
    SHA256 ec5e433e03a536a8b71da1d75d1c5adf92429f7e90baa9a47a919e72a68cc039
    SHA512 30977999f20facec53004cdeab1581f2648fc80a274578271af6a61b90fb2aff93d6bf88258932c531e4d14a912d79abdbe413d7e981119d2dd0909b80236154
  • C:\Users\Admin\AppData\Local\3eOQ\DUI70.dll
    Filesize 187KB
    MD5 464d7756b0ba689188afe23bc84f7fe2
    SHA1 7a56ebdab7204fa7691a9e162048df067724afe8
    SHA256 820292c0646218c37225b12c2786fdcca6e892338cc6dc92f70f66b52a4c1d16
    SHA512 a4824d0504165f14d551825117b5c4370617e9bb6dae523dddffbe91a2f01c345355aafdcf24aa424a47772c5cd333d460fb4eb008a7d5c3a3b180c6bdb71bfb
  • C:\Users\Admin\AppData\Local\3eOQ\SysResetErr.exe
    Filesize 41KB
    MD5 090c6f458d61b7ddbdcfa54e761b8b57
    SHA1 c5a93e9d6eca4c3842156cc0262933b334113864
    SHA256 a324e3ba7309164f215645a6db3e74ed35c7034cc07a011ebed2fa60fda4d9cd
    SHA512 c9ef79397f3a843dcf2bcb5f761d90a4bdadb08e2ca85a35d8668cb13c308b275ed6aa2c8b9194a1f29964e0754ad05e89589025a0b670656386a8d448a1f542
  • C:\Users\Admin\AppData\Local\EfSUafuH8\WTSAPI32.dll
    Filesize 85KB
    MD5 3030c7a79d30887b4b19dd6c2ee26d30
    SHA1 0020569b12db5247ff878909e7aa6b0f769f11cd
    SHA256 e5905aecb74d8be2f0e681125d0d36f97e3526acd38ed10b6d904569a7c8b274
    SHA512 6a47e06f332b5f40161063692688fe34c05a66af59cdc0ac2d6860d8d5d7c066b064130b3b9d614a36a2f595244570e60501244b591f2bc80f2d01e6ab343d0a
  • C:\Users\Admin\AppData\Local\EfSUafuH8\WTSAPI32.dll
    Filesize 64KB
    MD5 59e4ea7cdbbb854d81910c2d7d03441d
    SHA1 f880cb5424edb7fce5609177b5736d406d8b404a
    SHA256 6ef3893145af64466e50f7e4b3bb798235591c16d6dbc0eeab287d416dfe6f39
    SHA512 ed43cfe9fef58687319d4954d6b1aa6e2df4bd7c9f8a40b77eef07844c65d52d0a6c5cc02bf6338b5993c0b351118ac82c84f5d735d8ed14cf6a07fc993be8a5
  • C:\Users\Admin\AppData\Local\EfSUafuH8\raserver.exe
    Filesize 112KB
    MD5 a84f020d6ae51dc4c481bb34c286eab2
    SHA1 4ad094ab6d1b874e709d9a34dca5663bc2198982
    SHA256 a110e2f03030fd67752cdfbae6e940ae0d25b2e347ed716ca9017016d794e51c
    SHA512 662373c646f20bf9f9f0de397c2f3432b6bb4743d3be58da56284c94b72c7737c9cf14ef8c148a62276fe74ea48c3446df1600f48eaed996b3f360df99d845a5
  • C:\Users\Admin\AppData\Local\EfSUafuH8\raserver.exe
    Filesize 45KB
    MD5 1d3c0ed6df6157ccd8e6262dfa8d2cbf
    SHA1 45cccd41b9f86dbf1c87e95fedfae1c7dd192c13
    SHA256 eef504fa8d830f50b825744c862a0535f8d8342705b23a50dc21be117d21191e
    SHA512 5f35587f3862f782b488acfe67823c9a5a34a89a35acad1a0a5acfaffc5268daf527d9d3743817a8f80afae909bd9ba0ee50f006f738048d0b3a4cb38b81c4ee
  • C:\Users\Admin\AppData\Local\pkV\GamePanel.exe
    Filesize 39KB
    MD5 9d7a80f85fcd59e9a4a922bcf704ab34
    SHA1 596095995886fbb7510dd3086140518c5e95e537
    SHA256 f69e4e96d88817e14d8a39fd46254414e09a3b902517fe04ebd685882a6765a0
    SHA512 1d1c084ed775cc2fabdc9bb6372be46c4c416a83e9bef7ffba170c934a1f4c991f6f6fda4a04800079815a848f60583b4050d11bd9bc34e60aa813a5afbfb937
  • C:\Users\Admin\AppData\Local\pkV\GamePanel.exe
    Filesize 10KB
    MD5 6a31226e58e7b5ee99f21a24f3806638
    SHA1 009258799d942dbe201a341e2431ef6d79911390
    SHA256 a6aba25e59a74efc5154132ceda2b623c5b502ddf9106cf1e1a4b91304521b89
    SHA512 1fe278c1baafd6a227e7ac4b8cbddef80109be22dd04d2a87c76e03d14f21c533fe459c397f6b15e53400f9d83c05e7a08ce38815b2b79c51810bef5ecaeff58
  • C:\Users\Admin\AppData\Local\pkV\dxgi.dll
    Filesize 18KB
    MD5 12b9b88ce623fe85f14bdd7ee72d1dbb
    SHA1 7e08a05d0995c30fc67ae1107fe9d9b57633cd0f
    SHA256 df609eaa3be0bebc9c52aa62f188bcea66eec4c69739f0d627dd3aabb74e1258
    SHA512 a815529c7a9c7b2a877b43ed4d8c704d957d10637e190616f1c8eab67e52572f1d50e413c83611bcaf0899976af859d84ade7602a41759ac836bf5700ca2cdfb
  • C:\Users\Admin\AppData\Local\pkV\dxgi.dll
    Filesize 35KB
    MD5 b9ab24e201d12db5f0bf6b5e716d6052
    SHA1 28ff7d6e9208d0d2898368f580929a0f00fb5700
    SHA256 b3a9f362a0ebbe3c8c85b786623065a02947a754101b2c14bb86512407e65a27
    SHA512 cee665127bacf0cfbe568509615e4b63f48ff464085c884b1b86a49449b1163958c17059338b5ffe4b61136199c2bf80daeaa0fd8d82200500d936a52de747dd
  • C:\Users\Admin\AppData\Local\pkV\dxgi.dll
    Filesize 24KB
    MD5 7d1f628d1f668220ed87aec090bc681a
    SHA1 b812eff8c75c97181f380bce0eabc90776c59761
    SHA256 abeb23abe628b376f34cb29b8d3562564ba38024f15b8e12a8a4ff2afd8a6683
    SHA512 3935a1840480d61a3413fe7942c28b93b91693b1243a5fb24e1802eea407b3d6902a21133c1834ac5e0285564c858aac5120040908bdea7fd3e95272ac5c01c1
  • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ocuuy.lnk
    Filesize 1KB
    MD5 7d3f334965a186468615510866ab2e5f
    SHA1 4cf613b15680ec187605c97620a2a7bee95b1e6b
    SHA256 0d2cb745c05cf01188b266eff3db913ebc759d935513b79cc385c33729046164
    SHA512 458dbc2fdd0d294d64b5dbdb0a9ceab2efa43b1196943a12ef401b34a562fe92a173d8ecc15ca1f88ee91bb89df54d5cb8f3fd9c5ce4cd4533b6d097d7d30e39
  • C:\Users\Admin\AppData\Roaming\Microsoft\Credentials\RKmR\DUI70.dll
    Filesize 2.2MB
    MD5 88dfc57ad7075b8598558a61875ff9c5
    SHA1 9e00c3955a5f7ec13482f87ee9cba297468afddd
    SHA256 ddda48d78fd7deb18a50715908b49c9db2f56156b9ebe7ce3de2c39912b894c5
    SHA512 1a81b17656196a9d5faf9a1ecc1c0cd342ae9d5ded303d98c2f10d39238aa89e9945f39671d512ff6314f7ee4fe83ad926f73c32f9380b922980f9e297c9f503
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Qbhmw\WTSAPI32.dll
    Filesize 2.0MB
    MD5 5ef51b80863f71f789e43a80be38db7c
    SHA1 a571ab4bf059d23f295d884b557a6e796ea34314
    SHA256 b52a774125737d484ccac47e99733d1f9ba800b0e0e4681755e03145450d7c9d
    SHA512 77e5333e5858d489e33c155df30ff38147275e99fe2d331a0bc19a0fcb4111b725586743bb1b49d0c6debd742032f4aefb36721a47a257e2c7da368d4ad95a1e
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\KgQgoP2It\dxgi.dll
    Filesize 2.0MB
    MD5 fdc1e4e892c1f5bfd5239fddb5072a35
    SHA1 832d0dd6b8af960f4f42f38059aef2431de28e01
    SHA256 ff301db9fe1dc94f0c67ec9588919efe15e40a8f9ffa66ad5c7a3f82b91a36fc
    SHA512 bf0b760482a601224201d8795cacbb41e2067d051b53f7e7b8b2a61fc4a42749905a23bab050830434d59aa40bc4e343fc162391782e339fe1f3de88f135c631
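Read together, the Processes and Downloads sections show the same pattern three times: a copy of a System32 executable (raserver.exe, GamePanel.exe, SysResetErr.exe, all of which also appear in the process list from their real C:\Windows\system32 location) is dropped into a fresh directory under AppData\Local next to a DLL carrying a System32 library name (WTSAPI32.dll, dxgi.dll, DUI70.dll) and then run from there, which is what the "Executes dropped EXE" and "Loads dropped DLL" hits record, while the Ocuuy.lnk entry lands in the user's Startup folder. The Python below is an added triage example and is not the sandbox's or the report's own code. DROPPED and PROCESSES are constructed from a representative subset of the paths and SHA256 values on this page; SYSTEM_DLL_NAMES, USER_WRITABLE_PREFIXES and the function names are this example's own assumptions.

```python
"""Triage helpers for the artifact listings in the report above.

Added example, not the sandbox's or the report's own code.  DROPPED and
PROCESSES are constructed from the Downloads and Processes sections of this
page (paths and SHA256 values copied from there, a representative subset).
SYSTEM_DLL_NAMES and USER_WRITABLE_PREFIXES are this example's assumptions.
"""
import ntpath
import re
from collections import namedtuple

DroppedFile = namedtuple("DroppedFile", "path sha256")
Process = namedtuple("Process", "pid cmdline")

# Library names Windows ships in System32.  A copy next to a relocated system
# EXE is the side-loading setup: the EXE resolves the import from its own
# directory before System32.  Illustrative, not exhaustive (assumption).
SYSTEM_DLL_NAMES = {"wtsapi32.dll", "dxgi.dll", "dui70.dll"}
# Prefixes a standard user can write to (assumption: default profile layout).
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\")

# Constructed from the Downloads section above.
DROPPED = [
    DroppedFile(r"C:\Users\Admin\AppData\Local\3eOQ\DUI70.dll",
                "ec5e433e03a536a8b71da1d75d1c5adf92429f7e90baa9a47a919e72a68cc039"),
    DroppedFile(r"C:\Users\Admin\AppData\Local\3eOQ\SysResetErr.exe",
                "a324e3ba7309164f215645a6db3e74ed35c7034cc07a011ebed2fa60fda4d9cd"),
    DroppedFile(r"C:\Users\Admin\AppData\Local\EfSUafuH8\WTSAPI32.dll",
                "e5905aecb74d8be2f0e681125d0d36f97e3526acd38ed10b6d904569a7c8b274"),
    DroppedFile(r"C:\Users\Admin\AppData\Local\EfSUafuH8\raserver.exe",
                "a110e2f03030fd67752cdfbae6e940ae0d25b2e347ed716ca9017016d794e51c"),
    DroppedFile(r"C:\Users\Admin\AppData\Local\pkV\GamePanel.exe",
                "f69e4e96d88817e14d8a39fd46254414e09a3b902517fe04ebd685882a6765a0"),
    DroppedFile(r"C:\Users\Admin\AppData\Local\pkV\dxgi.dll",
                "df609eaa3be0bebc9c52aa62f188bcea66eec4c69739f0d627dd3aabb74e1258"),
    DroppedFile(r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ocuuy.lnk",
                "0d2cb745c05cf01188b266eff3db913ebc759d935513b79cc385c33729046164"),
    DroppedFile(r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\KgQgoP2It\dxgi.dll",
                "ff301db9fe1dc94f0c67ec9588919efe15e40a8f9ffa66ad5c7a3f82b91a36fc"),
]
# Constructed from the Processes section above.
PROCESSES = [
    Process(4952, r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\78833dc80091e76f426f64b576358fef.dll,#1"),
    Process(968, r"C:\Users\Admin\AppData\Local\EfSUafuH8\raserver.exe"),
    Process(1808, r"C:\Windows\system32\raserver.exe"),
    Process(4832, r"C:\Users\Admin\AppData\Local\pkV\GamePanel.exe"),
    Process(1612, r"C:\Users\Admin\AppData\Local\3eOQ\SysResetErr.exe"),
]

_RUNDLL32_RE = re.compile(r"^(?:\S*\\)?rundll32(?:\.exe)?\s+(?P<dll>.+?)\s*,\s*(?P<entry>\S+)\s*$", re.I)

def is_user_writable(path):
    return path.lower().startswith(USER_WRITABLE_PREFIXES)

def find_sideload_pairs(files):
    """(directory, exe, dll) for each dropped EXE sitting next to a dropped DLL
    with a System32 library name, inside a user-writable directory."""
    by_dir = {}
    for f in files:
        d, name = ntpath.split(f.path)
        by_dir.setdefault(d.lower(), (d, []))[1].append(name)
    pairs = []
    for key in sorted(by_dir):
        d, names = by_dir[key]
        if not is_user_writable(d):
            continue
        # The same name can be written more than once (see Downloads): dedupe.
        exes = sorted({n for n in names if n.lower().endswith(".exe")})
        dlls = sorted({n for n in names if n.lower() in SYSTEM_DLL_NAMES})
        pairs.extend((d, exe, dll) for exe in exes for dll in dlls)
    return pairs

def find_startup_items(files):
    """Shortcuts dropped into ...\\Programs\\Startup; matching the two parent
    folder names also catches the 8.3 short form (STARTM~1) in the report."""
    hits = []
    for f in files:
        parts = f.path.lower().split("\\")
        if len(parts) >= 3 and parts[-1].endswith(".lnk") and parts[-3:-1] == ["programs", "startup"]:
            hits.append(f.path)
    return hits

def parse_rundll32(cmdline):
    """Split 'rundll32.exe <dll>,<entry>' into (dll path, entry); None otherwise."""
    m = _RUNDLL32_RE.match(cmdline)
    return (m.group("dll"), m.group("entry")) if m else None

def classify_processes(procs, files):
    """PID -> reason the process is interesting, given the dropped-file view."""
    sideload_dirs = {d.lower() for d, _, _ in find_sideload_pairs(files)}
    findings = {}
    for p in procs:
        parsed = parse_rundll32(p.cmdline)
        if parsed and is_user_writable(parsed[0]):
            findings[p.pid] = f"rundll32 loads {ntpath.basename(parsed[0])} by {parsed[1]} from a user-writable path"
        elif not parsed and ntpath.dirname(p.cmdline).lower() in sideload_dirs:
            findings[p.pid] = "system-named EXE run from a side-loading directory"
    return findings
```

Running find_sideload_pairs(DROPPED) yields the three directories (3eOQ, EfSUafuH8, pkV) with their EXE/DLL pair; the 2.0MB dxgi.dll under Templates\KgQgoP2It has no executable beside it and is not reported, which is the right outcome for a pairing rule and a reminder that the hash list, not the pairing, is what catches it. classify_processes flags 4952, 968, 4832 and 1612 and stays silent on 1808, the genuine C:\Windows\system32\raserver.exe. One caveat on the rundll32 rule: the "rundll32.exe <dll>,#1" line is how the sandbox harness invoked the submitted DLL, so it documents how the sample was run here, not how a victim's delivery chain would load it; on a real host the side-loading pairs and the Startup shortcut are the more durable signals.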

PID 3500 does not appear in the Processes list above. Its repeated 1.9MB dump at 0x0000000140000000-0x00000001401F3000 has the same extent as the submitted DLL's image in rundll32 (memory/4952-0 and memory/4952-8), which fits the "Dridex Shellcode" signature's injected-into-Explorer description, although the report itself does not name the process.

  • memory/968-77-0x0000020AB6390000-0x0000020AB6397000-memory.dmp 28KB
  • memory/968-81-0x0000000140000000-0x00000001401F4000-memory.dmp 2.0MB
  • memory/968-75-0x0000000140000000-0x00000001401F4000-memory.dmp 2.0MB
  • memory/1612-112-0x000001E2A0B20000-0x000001E2A0B27000-memory.dmp 28KB
  • memory/3500-25-0x0000000140000000-0x00000001401F3000-memory.dmp 1.9MB
  • memory/3500-42-0x0000000140000000-0x00000001401F3000-memory.dmp 1.9MB
  • memory/3500-29-0x0000000140000000-0x00000001401F3000-memory.dmp 1.9MB
  • memory/3500-30-0x0000000140000000-0x00000001401F3000-memory.dmp 1.9MB
  • memory/3500-32-0x0000000140000000-0x00000001401F3000-memory.dmp 1.9MB
  • memory/3500-33-0x0000000140000000-0x00000001401F3000-memory.dmp 1.9MB
  • memory/3500-35-0x0000000140000000-0x00000001401F3000-memory.dmp 1.9MB
  • memory/3500-37-0x0000000140000000-0x00000001401F3000-memory.dmp 1.9MB
  • memory/3500-38-0x0000000140000000-0x00000001401F3000-memory.dmp 1.9MB
  • memory/3500-39-0x0000000140000000-0x00000001401F3000-memory.dmp 1.9MB
  • memory/3500-36-0x0000000140000000-0x00000001401F3000-memory.dmp 1.9MB
  • memory/3500-34-0x0000000140000000-0x00000001401F3000-memory.dmp 1.9MB
  • memory/3500-31-0x0000000140000000-0x00000001401F3000-memory.dmp 1.9MB
  • memory/3500-23-0x0000000140000000-0x00000001401F3000-memory.dmp 1.9MB
  • memory/3500-22-0x0000000140000000-0x00000001401F3000-memory.dmp 1.9MB
  • memory/3500-21-0x0000000140000000-0x00000001401F3000-memory.dmp 1.9MB
  • memory/3500-19-0x0000000140000000-0x00000001401F3000-memory.dmp 1.9MB
  • memory/3500-41-0x0000000140000000-0x00000001401F3000-memory.dmp 1.9MB
  • memory/3500-45-0x0000000140000000-0x00000001401F3000-memory.dmp 1.9MB
  • memory/3500-46-0x0000000140000000-0x00000001401F3000-memory.dmp 1.9MB
  • memory/3500-47-0x0000000003300000-0x0000000003307000-memory.dmp 28KB
  • memory/3500-44-0x0000000140000000-0x00000001401F3000-memory.dmp 1.9MB
  • memory/3500-54-0x0000000140000000-0x00000001401F3000-memory.dmp 1.9MB
  • memory/3500-55-0x00007FFD76F60000-0x00007FFD76F70000-memory.dmp 64KB
  • memory/3500-43-0x0000000140000000-0x00000001401F3000-memory.dmp 1.9MB
  • memory/3500-28-0x0000000140000000-0x00000001401F3000-memory.dmp 1.9MB
  • memory/3500-66-0x0000000140000000-0x00000001401F3000-memory.dmp 1.9MB
  • memory/3500-24-0x0000000140000000-0x00000001401F3000-memory.dmp 1.9MB
  • memory/3500-26-0x0000000140000000-0x00000001401F3000-memory.dmp 1.9MB
  • memory/3500-27-0x0000000140000000-0x00000001401F3000-memory.dmp 1.9MB
  • memory/3500-5-0x00007FFD765DA000-0x00007FFD765DB000-memory.dmp 4KB
  • memory/3500-20-0x0000000140000000-0x00000001401F3000-memory.dmp 1.9MB
  • memory/3500-18-0x0000000140000000-0x00000001401F3000-memory.dmp 1.9MB
  • memory/3500-17-0x0000000140000000-0x00000001401F3000-memory.dmp 1.9MB
  • memory/3500-16-0x0000000140000000-0x00000001401F3000-memory.dmp 1.9MB
  • memory/3500-15-0x0000000140000000-0x00000001401F3000-memory.dmp 1.9MB
  • memory/3500-4-0x00000000076F0000-0x00000000076F1000-memory.dmp 4KB
  • memory/3500-9-0x0000000140000000-0x00000001401F3000-memory.dmp 1.9MB
  • memory/3500-13-0x0000000140000000-0x00000001401F3000-memory.dmp 1.9MB
  • memory/3500-14-0x0000000140000000-0x00000001401F3000-memory.dmp 1.9MB
  • memory/3500-64-0x0000000140000000-0x00000001401F3000-memory.dmp 1.9MB
  • memory/3500-40-0x0000000140000000-0x00000001401F3000-memory.dmp 1.9MB
  • memory/3500-12-0x0000000140000000-0x00000001401F3000-memory.dmp 1.9MB
  • memory/3500-11-0x0000000140000000-0x00000001401F3000-memory.dmp 1.9MB
  • memory/3500-10-0x0000000140000000-0x00000001401F3000-memory.dmp 1.9MB
  • memory/3500-7-0x0000000140000000-0x00000001401F3000-memory.dmp 1.9MB
  • memory/4832-96-0x000001FE2A680000-0x000001FE2A687000-memory.dmp 28KB
  • memory/4952-8-0x0000000140000000-0x00000001401F3000-memory.dmp 1.9MB
  • memory/4952-1-0x000001FA89210000-0x000001FA89217000-memory.dmp 28KB
  • memory/4952-0-0x0000000140000000-0x00000001401F3000-memory.dmp 1.9MB