Analysis

  • max time kernel
    42s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26-01-2024 22:48

General

  • Target

    78978e5afac60e6f6b472c51b7fc6180.dll

  • Size

    3.3MB

  • MD5

    78978e5afac60e6f6b472c51b7fc6180

  • SHA1

    14062e7ebe696b055b7c78bf1816159cb8206692

  • SHA256

    36d11f59d8e8c07bc7d44ff589ff73669cd9794257680dab506d9badb7b80a47

  • SHA512

    0c5cc1cc61645539bc8d6291ac72bd98aaed32a33424dc5c1f69549034648afa75eb6b677e2dc2f71fd4ae26720195c377e7460f57ee853b508d21871db0d981

  • SSDEEP

    12288:jVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:yfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

  • Drops startup file 3 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\78978e5afac60e6f6b472c51b7fc6180.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2196
  • C:\Windows\system32\PresentationSettings.exe
    C:\Windows\system32\PresentationSettings.exe
    1⤵
      PID:1428
    • C:\Users\Admin\AppData\Local\nYiqOsAm\PresentationSettings.exe
      C:\Users\Admin\AppData\Local\nYiqOsAm\PresentationSettings.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:3772
    • C:\Windows\system32\SystemPropertiesHardware.exe
      C:\Windows\system32\SystemPropertiesHardware.exe
      1⤵
        PID:4796
      • C:\Users\Admin\AppData\Local\suukkMCsY\SystemPropertiesHardware.exe
        C:\Users\Admin\AppData\Local\suukkMCsY\SystemPropertiesHardware.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:4972
      • C:\Windows\system32\sdclt.exe
        C:\Windows\system32\sdclt.exe
        1⤵
          PID:2360
        • C:\Users\Admin\AppData\Local\mRb\sdclt.exe
          C:\Users\Admin\AppData\Local\mRb\sdclt.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:4480

        Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\mRb\SPP.dll

          Filesize

          128KB

          MD5

          1177e35d69f6fe08fdc1dde3c6641636

          SHA1

          194249cc0af0ec01c131baff4e20740644a7b8e3

          SHA256

          7bad7e53ef664b11c4e165260a74952d0917c75917de38e3ed0875092acc03ee

          SHA512

          90d5f41bd01d9bd08a14be588a7fd2dd5333b391aabafc71231773b5abe8149e550c2475b332c608d208c3f36bde0a9cd46e7f935c0426be4bd026f1fd933efa

        • C:\Users\Admin\AppData\Local\mRb\SPP.dll

          Filesize

          101KB

          MD5

          ccac2f4d762388488404b2d32eb97b87

          SHA1

          bb3be19671957cc4916c4560227ed78befef64a1

          SHA256

          964780d7b2fb7b912a3e5621be5260108face604f023e1c3e05343a90f693a4e

          SHA512

          718f1b43af9c51d1d4ed659721f69f904937cdb2c38682038a96baaa880ac1e12bdfaa7da42f283fcaf4826c34d9849aa1125aa716b5132061aa5e23e40809c8

        • C:\Users\Admin\AppData\Local\mRb\sdclt.exe

          Filesize

          68KB

          MD5

          8ddedf58c1953829dacbb26fd760be3a

          SHA1

          1bc115d12b8eeb49e79b7337614cc73a2930b423

          SHA256

          a85bee1606f4e07f24cb84dd6ab540e023caca4369fd28925138a00b79d329f5

          SHA512

          24d523c693f0b75e0b06c495ddbca269e26a6b87ecb4b021ca9c23b69e6d7f36b7c276b7020eee205ae8f92cb6c4183848ad406f38420646c7031add7f5b7679

        • C:\Users\Admin\AppData\Local\mRb\sdclt.exe

          Filesize

          142KB

          MD5

          1b52289172a0a4ce3af4ec968ab2d4a4

          SHA1

          f214341cb25008afa5cd084213174ca838b27090

          SHA256

          5ff8d694cbd0cce076e760577ea29f70f5224f50edda1223948bbd5fcb09d324

          SHA512

          8bdc8c3d41812268c2dc9f5de09bde244ef08f1bcd2e1cafa16e00d7304284b7b94c2539a53daeb9ea8374f108e786561bfb2b70a00635bed9b8d6a5d336ade6

        • C:\Users\Admin\AppData\Local\nYiqOsAm\PresentationSettings.exe

          Filesize

          152KB

          MD5

          6c5002fa89fbd08956cc7ff5eec66e96

          SHA1

          82c2e8491ea107c5326067b8aeda6c1fa76aa48d

          SHA256

          df5f177c06449bdf9b192ae8c8201f7e930baf2fbf310826efcb4c7f1b3542be

          SHA512

          f653e6a3bd9ba3dfed4add719ae9633069db92fd0f8248ad00b8fb0afd762a2924ee976d1baecc2d5a61074b884c93cc4337db411f62ce7eed2cb22a2e17397f

        • C:\Users\Admin\AppData\Local\nYiqOsAm\PresentationSettings.exe

          Filesize

          219KB

          MD5

          790799a168c41689849310f6c15f98fa

          SHA1

          a5d213fc1c71a56de9441b2e35411d83770c01ec

          SHA256

          6e59ab1a0b4ac177dc3397a54afcf68fcea3c1ee72c33bd08c89f04a6dac64b8

          SHA512

          8153b79d4681f21ade7afe995841c386bff8e491ad347f8e7c287df5f9053cae7458e273339146d9a920ceaa2ba0f41cc793d7b2c0fa80efbb41477d39470866

        • C:\Users\Admin\AppData\Local\nYiqOsAm\WINMM.dll

          Filesize

          140KB

          MD5

          d1b910a03b8f4bfe95720558a1975938

          SHA1

          342efe03db27b02d744ae0346718cf14b38a2cf3

          SHA256

          f831be563e728416089006de7dae879e0bb0a0252a71c29eaa8629e3d9e1b1d5

          SHA512

          738f5ecb27d5cb8ff768a75fab8c9d306a045ee920eb80678244c8fdae4e742daf06b99ede79923e4ad781947f8ed373584ee4a9b127db7609eebdaf79a1537e

        • C:\Users\Admin\AppData\Local\nYiqOsAm\WINMM.dll

          Filesize

          166KB

          MD5

          854db991d8c6f587fc6f1b75b79ff107

          SHA1

          74a38fb2a32e606e9a8552927b842b645a1a00af

          SHA256

          e7a8193697d5696c68a75e04091f5712f7040a9f45c7cde3c1776151dc9559bf

          SHA512

          e550e53cda4dd1b80088cd4dc909d643795b290c839b42678e06f208460010da9b23bb73b6cfa976daf0e10a8d3d824e44be1ad2a0bc0df6acde7f8088524445

        • C:\Users\Admin\AppData\Local\suukkMCsY\SYSDM.CPL

          Filesize

          94KB

          MD5

          262255f1c91c1e487125efd25ef18162

          SHA1

          1d94eb0044dcb8085a60e084f725442031076f01

          SHA256

          3986dc12dcfceb488a6cebf638ef63e47bb2769aa63537018007ca636c4bffe3

          SHA512

          ecfb062a4634f89fe61c5d7a3bd20fdcb453121f24fbe26e7665f33285a2fda59a6f4a19a7ea6554a6aae13dc2c4815420d35f215bfdfac2e129cbf74cafbea5

        • C:\Users\Admin\AppData\Local\suukkMCsY\SYSDM.CPL

          Filesize

          89KB

          MD5

          58a5a6f26575161a6a88b841b092b4d3

          SHA1

          f6738ae79e4f654b075ee233b490705596c01058

          SHA256

          8f68bb5ce74c600901e7f2cf9148abf8f6ac164a38e4ddfc09c37bc5562b6e77

          SHA512

          15250eeb68234321ace7668bcbed86bcb39dff0ed893c982d95fc16a9caec6b321db409cc09a212bd9213536514218c11b9301cb90c8f97c2170e88f5e87c3ee

        • C:\Users\Admin\AppData\Local\suukkMCsY\SystemPropertiesHardware.exe

          Filesize

          82KB

          MD5

          bf5bc0d70a936890d38d2510ee07a2cd

          SHA1

          69d5971fd264d8128f5633db9003afef5fad8f10

          SHA256

          c8ebd920399ebcf3ab72bd325b71a6b4c6119dfecea03f25059a920c4d32acc7

          SHA512

          0e129044777cbbf5ea995715159c50773c1818fc5e8faa5c827fd631b44c086b34dfdcbe174b105891ccc3882cc63a8664d189fb6a631d8f589de4e01a862f51

        • C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Security\Dqcm\SPP.dll

          Filesize

          72KB

          MD5

          436feabfa766100fa40536199f90c569

          SHA1

          65730e06636c3ce65727e46c8d761e947e45c1b4

          SHA256

          5cfaea2b7140c823afd6e2cc924437f1ad39d40a6fe0200c3c19a7e0ad539dd3

          SHA512

          dc4784bb6f5f9cace0ec87ea0dba7f55a2b284bfeadc8eef6c75b701230a61e153475ddbbaef5f4e02d0843f25111e9e7abb6722a3262ad2917ac0b131465f15

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Psfjn.lnk

          Filesize

          1KB

          MD5

          c841f81a4a07a848f4cdcdd18ef839af

          SHA1

          c52d4615e42be2c3dc2754d577e55473e368499a

          SHA256

          5412350925f8cff2bdc6bcc25a4186eff6ce5f37f3b6c3b681f1d16d18561268

          SHA512

          8fdf6ef7d05da54081446adcc1d2b3699b686b00e2f3d82ade2f85287b32fbd6a0f40776ea04539d3c94e3cc3884955fc3361a6dc425b5e450ae18a86d9bae80

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\mi\SYSDM.CPL

          Filesize

          97KB

          MD5

          e32320145b777baa7db3ed35d9532e8d

          SHA1

          b34db6e329ca94abb4d56602c6410ae8ee0d5941

          SHA256

          2cf54b07a4f510b1ff944a9368f91c585a9f976d3e9ea4d5144e88d011e4a92c

          SHA512

          6e69da05e4a3d9756cb4b730fd0aaccdb49e1972bf5c6927a786af0c38fab8910569bacaa3e40d4cdab333596b1b4b96cd8cecc7fe6e721c3aee0c88cb5bd450

        • C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\QNnZ2E\WINMM.dll

          Filesize

          97KB

          MD5

          fa3f83acd3efccb75d8966e33172d4ad

          SHA1

          49f1025a0554bf6cf36fea8c9b8aecf8ae653326

          SHA256

          63956becdd55ec6cc9914b47c732c008d95fb5c6a3cd6cfdee9b6f3f43fa47b3

          SHA512

          e3d489d9474bed9cf183073c58558f27f343a001c82ce171e9f75870b41cd648174564cd6c9c55a70f05b1e8db07bd01d305def26777ac072b268c62a4393148

        • memory/2196-8-0x0000000140000000-0x0000000140342000-memory.dmp

          Filesize

          3.3MB

        • memory/2196-1-0x0000000140000000-0x0000000140342000-memory.dmp

          Filesize

          3.3MB

        • memory/2196-0-0x000001A0560D0000-0x000001A0560D7000-memory.dmp

          Filesize

          28KB

        • memory/3456-26-0x0000000140000000-0x0000000140342000-memory.dmp

          Filesize

          3.3MB

        • memory/3456-51-0x0000000140000000-0x0000000140342000-memory.dmp

          Filesize

          3.3MB

        • memory/3456-19-0x0000000140000000-0x0000000140342000-memory.dmp

          Filesize

          3.3MB

        • memory/3456-20-0x0000000140000000-0x0000000140342000-memory.dmp

          Filesize

          3.3MB

        • memory/3456-21-0x0000000140000000-0x0000000140342000-memory.dmp

          Filesize

          3.3MB

        • memory/3456-22-0x0000000140000000-0x0000000140342000-memory.dmp

          Filesize

          3.3MB

        • memory/3456-23-0x0000000140000000-0x0000000140342000-memory.dmp

          Filesize

          3.3MB

        • memory/3456-24-0x0000000140000000-0x0000000140342000-memory.dmp

          Filesize

          3.3MB

        • memory/3456-25-0x0000000140000000-0x0000000140342000-memory.dmp

          Filesize

          3.3MB

        • memory/3456-28-0x0000000140000000-0x0000000140342000-memory.dmp

          Filesize

          3.3MB

        • memory/3456-31-0x0000000140000000-0x0000000140342000-memory.dmp

          Filesize

          3.3MB

        • memory/3456-32-0x0000000140000000-0x0000000140342000-memory.dmp

          Filesize

          3.3MB

        • memory/3456-33-0x0000000140000000-0x0000000140342000-memory.dmp

          Filesize

          3.3MB

        • memory/3456-34-0x0000000140000000-0x0000000140342000-memory.dmp

          Filesize

          3.3MB

        • memory/3456-35-0x0000000140000000-0x0000000140342000-memory.dmp

          Filesize

          3.3MB

        • memory/3456-37-0x0000000140000000-0x0000000140342000-memory.dmp

          Filesize

          3.3MB

        • memory/3456-36-0x0000000140000000-0x0000000140342000-memory.dmp

          Filesize

          3.3MB

        • memory/3456-30-0x0000000140000000-0x0000000140342000-memory.dmp

          Filesize

          3.3MB

        • memory/3456-38-0x0000000140000000-0x0000000140342000-memory.dmp

          Filesize

          3.3MB

        • memory/3456-39-0x0000000140000000-0x0000000140342000-memory.dmp

          Filesize

          3.3MB

        • memory/3456-29-0x0000000140000000-0x0000000140342000-memory.dmp

          Filesize

          3.3MB

        • memory/3456-27-0x0000000140000000-0x0000000140342000-memory.dmp

          Filesize

          3.3MB

        • memory/3456-17-0x0000000140000000-0x0000000140342000-memory.dmp

          Filesize

          3.3MB

        • memory/3456-40-0x0000000140000000-0x0000000140342000-memory.dmp

          Filesize

          3.3MB

        • memory/3456-43-0x0000000140000000-0x0000000140342000-memory.dmp

          Filesize

          3.3MB

        • memory/3456-44-0x0000000140000000-0x0000000140342000-memory.dmp

          Filesize

          3.3MB

        • memory/3456-46-0x0000000140000000-0x0000000140342000-memory.dmp

          Filesize

          3.3MB

        • memory/3456-47-0x0000000140000000-0x0000000140342000-memory.dmp

          Filesize

          3.3MB

        • memory/3456-48-0x0000000140000000-0x0000000140342000-memory.dmp

          Filesize

          3.3MB

        • memory/3456-45-0x0000000140000000-0x0000000140342000-memory.dmp

          Filesize

          3.3MB

        • memory/3456-49-0x0000000140000000-0x0000000140342000-memory.dmp

          Filesize

          3.3MB

        • memory/3456-42-0x0000000140000000-0x0000000140342000-memory.dmp

          Filesize

          3.3MB

        • memory/3456-52-0x0000000140000000-0x0000000140342000-memory.dmp

          Filesize

          3.3MB

        • memory/3456-18-0x0000000140000000-0x0000000140342000-memory.dmp

          Filesize

          3.3MB

        • memory/3456-50-0x0000000140000000-0x0000000140342000-memory.dmp

          Filesize

          3.3MB

        • memory/3456-41-0x0000000140000000-0x0000000140342000-memory.dmp

          Filesize

          3.3MB

        • memory/3456-54-0x0000000140000000-0x0000000140342000-memory.dmp

          Filesize

          3.3MB

        • memory/3456-55-0x0000000140000000-0x0000000140342000-memory.dmp

          Filesize

          3.3MB

        • memory/3456-56-0x0000000140000000-0x0000000140342000-memory.dmp

          Filesize

          3.3MB

        • memory/3456-59-0x0000000140000000-0x0000000140342000-memory.dmp

          Filesize

          3.3MB

        • memory/3456-60-0x0000000140000000-0x0000000140342000-memory.dmp

          Filesize

          3.3MB

        • memory/3456-61-0x0000000140000000-0x0000000140342000-memory.dmp

          Filesize

          3.3MB

        • memory/3456-62-0x0000000140000000-0x0000000140342000-memory.dmp

          Filesize

          3.3MB

        • memory/3456-58-0x0000000140000000-0x0000000140342000-memory.dmp

          Filesize

          3.3MB

        • memory/3456-57-0x0000000140000000-0x0000000140342000-memory.dmp

          Filesize

          3.3MB

        • memory/3456-64-0x0000000140000000-0x0000000140342000-memory.dmp

          Filesize

          3.3MB

        • memory/3456-65-0x0000000140000000-0x0000000140342000-memory.dmp

          Filesize

          3.3MB

        • memory/3456-63-0x0000000140000000-0x0000000140342000-memory.dmp

          Filesize

          3.3MB

        • memory/3456-53-0x0000000140000000-0x0000000140342000-memory.dmp

          Filesize

          3.3MB

        • memory/3456-14-0x0000000140000000-0x0000000140342000-memory.dmp

          Filesize

          3.3MB

        • memory/3456-16-0x0000000140000000-0x0000000140342000-memory.dmp

          Filesize

          3.3MB

        • memory/3456-74-0x0000000000160000-0x0000000000167000-memory.dmp

          Filesize

          28KB

        • memory/3456-85-0x00007FFB4D280000-0x00007FFB4D290000-memory.dmp

          Filesize

          64KB

        • memory/3456-5-0x00007FFB4D05A000-0x00007FFB4D05B000-memory.dmp

          Filesize

          4KB

        • memory/3456-7-0x0000000140000000-0x0000000140342000-memory.dmp

          Filesize

          3.3MB

        • memory/3456-15-0x0000000140000000-0x0000000140342000-memory.dmp

          Filesize

          3.3MB

        • memory/3456-13-0x0000000140000000-0x0000000140342000-memory.dmp

          Filesize

          3.3MB

        • memory/3456-12-0x0000000140000000-0x0000000140342000-memory.dmp

          Filesize

          3.3MB

        • memory/3456-9-0x0000000140000000-0x0000000140342000-memory.dmp

          Filesize

          3.3MB

        • memory/3456-11-0x0000000140000000-0x0000000140342000-memory.dmp

          Filesize

          3.3MB

        • memory/3456-4-0x0000000002670000-0x0000000002671000-memory.dmp

          Filesize

          4KB

        • memory/3456-10-0x0000000140000000-0x0000000140342000-memory.dmp

          Filesize

          3.3MB

        • memory/3772-102-0x000001498D500000-0x000001498D507000-memory.dmp

          Filesize

          28KB

        • memory/4480-138-0x0000020514550000-0x0000020514557000-memory.dmp

          Filesize

          28KB

        • memory/4972-121-0x00000138EAF00000-0x00000138EAF07000-memory.dmp

          Filesize

          28KB