Analysis

  • max time kernel
    152s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26-01-2024 05:17

General

  • Target

    767b661339f842a24584de1cfd7ff58a.dll

  • Size

    2.0MB

  • MD5

    767b661339f842a24584de1cfd7ff58a

  • SHA1

    e01e2af3f556dab1835683abc02c7e6f4886568e

  • SHA256

    12f891dd73ef13029a6cb2422c35d390835c149c627ec7f52a985633b4ec14d4

  • SHA512

    ac3f08cd8a55c437a73d79529ff0e3133a7c30d666dc11ef200a5096435ffa15a6c3030f41b1de623e7cb080508d2e89b25539230e886abbd6c2c7ed58861b9c

  • SSDEEP

    12288:bVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:6fP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a banking trojan that specializes in stealing bank credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex payload shellcode injected into the Explorer process.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\767b661339f842a24584de1cfd7ff58a.dll,#1
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID: 4740
  • C:\Windows\system32\MoUsoCoreWorker.exe
    C:\Windows\system32\MoUsoCoreWorker.exe
    PID: 3336
  • C:\Users\Admin\AppData\Local\hun60\MoUsoCoreWorker.exe
    C:\Users\Admin\AppData\Local\hun60\MoUsoCoreWorker.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID: 3864
  • C:\Windows\system32\RecoveryDrive.exe
    C:\Windows\system32\RecoveryDrive.exe
    PID: 4520
  • C:\Users\Admin\AppData\Local\c3hKHAicR\RecoveryDrive.exe
    C:\Users\Admin\AppData\Local\c3hKHAicR\RecoveryDrive.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID: 3900
  • C:\Windows\system32\perfmon.exe
    C:\Windows\system32\perfmon.exe
    PID: 3340
  • C:\Users\Admin\AppData\Local\zczKA\perfmon.exe
    C:\Users\Admin\AppData\Local\zczKA\perfmon.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID: 2320

Downloads

  • C:\Users\Admin\AppData\Local\c3hKHAicR\RecoveryDrive.exe
    Filesize: 75KB
    MD5: 64b8099e4a6b1f7a1c36671d0c10352d
    SHA1: 9b53b23f8e3502c5615c60b68d5a6a5a318bcb65
    SHA256: ef5d2a55f33c89e3beb65fd9cd7511231ecaf19a2cd863f84d9d8c6f838f1d5d
    SHA512: 8b6057320af434c7d2aeb698511f850c058e1d9d37e0c168e9daedb5e45e6b29b64531db44ddfe1db06a21267381c48f083c0c7d1d12cc779f0ee00fd116cd7d

  • C:\Users\Admin\AppData\Local\c3hKHAicR\RecoveryDrive.exe
    Filesize: 1KB
    MD5: 8412a15bcbb2617d77b0ca3a054dae32
    SHA1: ce1c1abe24fcfa0707de26399f3a390dfd21a1ff
    SHA256: ff44ce6e99fc581a53fc00b4e3ddd7a05b99c226f2371b4704aa4e121af95011
    SHA512: b2572d5dc34ac549b611f1060f4faa2c9ebe7de85d17199463ad6893c37fa48c114c5f01c20ff7d185d119fc91acd8520b7a2daa0a0f8c9d6610a4a047801159

  • C:\Users\Admin\AppData\Local\c3hKHAicR\UxTheme.dll
    Filesize: 71KB
    MD5: 6b116d5069c93bb6e6951999f7e299e5
    SHA1: 3efa069904f2b15808619f7782ea5a0cfa70b61f
    SHA256: ade3ad486310bd4fee2998e94d102ec2bb6a581bab23efbb40d9badd14871e16
    SHA512: 34b2e858870993a0e7ccf612556e08db1f56c648a7d9d93b0712737497b11826ba82e610aba6d339d0886f9be1df5dafd849d5957f86642f76c8daa19ff457f4

  • C:\Users\Admin\AppData\Local\c3hKHAicR\UxTheme.dll
    Filesize: 1KB
    MD5: fd5f4081ee8502d29506ffab9226f0ea
    SHA1: 4ac3c1e43655c61283c1d8b0fb2a4952f6fc8e34
    SHA256: 14a0740d8d0d4a2ca2574450c40253ddad48bbd5526535f6ea267892acd6c932
    SHA512: c4592fa92549894f9991ded78b2c43f64f86258f869fefba400e5ca546ce6f8d79549c3511eb6fd72e778473676c7de3d6130fae92abd7bb2a53b37918bfe731

  • C:\Users\Admin\AppData\Local\hun60\MoUsoCoreWorker.exe
    Filesize: 121KB
    MD5: ffb0966c6bcdf74f3d829337e69adb22
    SHA1: 982e88941a43ada22d4cfc289812700b03d05b1d
    SHA256: e476fa9a77feb177033a8260fff32a17adc7b3dd5aa1e1b866a1ad3d46084bf6
    SHA512: 5048f3fbb84eaca777d2f83f11d6e5c983bc06bb6dacc6fe6d58bc01c097543f4ab174f509c6b4a2fcc8c0004a7d411e2f086592178e0a455af1224868275ad2

  • C:\Users\Admin\AppData\Local\hun60\MoUsoCoreWorker.exe
    Filesize: 159KB
    MD5: a9f832070aeb475b2c506c2d68ad5225
    SHA1: 9663de78c286e25430211a79fb2046d6b113c8a4
    SHA256: 6b6a76f581f6d4749e5ee7c8db4953674645604473dcb9ace3845812ab8342c6
    SHA512: a3ed2ec5534e1884a5c6c20faa979b9bcaf43b6c27c426bdb8145238b1cbec9ee83af6293d28e4a5707d1bbea194605978e2c93241db25c4e957ca0bb4c801f8

  • C:\Users\Admin\AppData\Local\hun60\XmlLite.dll
    Filesize: 196KB
    MD5: d9788eb9c606dc0e1026594b54b8586c
    SHA1: 03c1eb8f5f69a249bac3bdfdfdc50321ccb4a666
    SHA256: 962a72967037d6a7b6aa02a48a0f61a13528e7d859f0b23cf250d5b0ec0db079
    SHA512: 54dad99dd5024e091a6c11978b7629e09265db9cc674928b91766983a246c3fabf8163680916d1424d6ea4d7266ff5b1d9840aca9f954c89bebd7b75a7325fde

  • C:\Users\Admin\AppData\Local\hun60\XmlLite.dll
    Filesize: 286KB
    MD5: 2b8149b75caf86521bdd3888ecd6fb7f
    SHA1: 49b9248e1419bc0ba206b38c0a6e64eba60875ff
    SHA256: 09eaad9c5c60064016ff94b0b569806693b14d630a5c6115dc15ae84333dd8a5
    SHA512: b354110cc4549ec17510a20f152496025433ceaca330c149fa350229cb2a4fa5fc917342084147607d4a1c6a22d9c69f30dfee3e6afa60a51656a9d50d5c8e8e

  • C:\Users\Admin\AppData\Local\zczKA\credui.dll
    Filesize: 194KB
    MD5: 0e92a19a4ca1a01c699c9651217bb13c
    SHA1: 56bc35b7886ff63bb8307338af3c1a951d3a4fee
    SHA256: ffc4b90ace75d99d962c30c7c1139dcf3c0ec34a9372de52c181b0d7eaef0971
    SHA512: 7254e0333b05cef9904801543f5641efb6f18a7f0193ac7394b45601d0c84b51cfe7313a507385e158c710cfd967a8911c7a637015b6e3742dd2c3f091ac7f65

  • C:\Users\Admin\AppData\Local\zczKA\credui.dll
    Filesize: 189KB
    MD5: 0ea23e2f4c476502961fb7473812b8a4
    SHA1: be47fc151f2662af71fe4ac2685135012b96fec7
    SHA256: abe3adadb2a3f3b29eb6d441fff1a54f8bb0011128a5e25f33ce8ee56b854c4c
    SHA512: 45ca94ad5e9ea171fb89dbd0f185f253a0b6c1ecf9a67e20f7615e50a9067339b04650543acc80438b797b130a0402f2f1fe1c3e1a189cc40da76c4a9123e5b2

  • C:\Users\Admin\AppData\Local\zczKA\perfmon.exe
    Filesize: 97KB
    MD5: ad8d568e60982d26fa53c86c08149f33
    SHA1: 733d7c010ef44f654dcfb5417f7be17053481b53
    SHA256: 6439b5ed226205bea9287102b604bad9bf6ccfc636c5cea196a5e1167afc53fc
    SHA512: 93e05a2a88c0768332ba64d63c7bd5118bee0cd9b93ba809b9d0098f96c92be20102793ae54334f431f7ca0f9fb3e6fa62bccd72daac7c15b6190ea99f215e0e

  • C:\Users\Admin\AppData\Local\zczKA\perfmon.exe
    Filesize: 177KB
    MD5: d38aa59c3bea5456bd6f95c73ad3c964
    SHA1: 40170eab389a6ba35e949f9c92962646a302d9ef
    SHA256: 5f041cff346fb37e5c5c9dab3c1272c76f8b5f579205170e97d2248d04a4ea0c
    SHA512: 59fa552a46e5d6237c7244b03d09d60e9489217b4319a212e822c73fe1f31a81837cb906ae7da92072bd3d9263fe0b967e073110ba81da3a90126f25115fff68

  • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dyngdiaoitf.lnk
    Filesize: 1KB
    MD5: 1adc4e2e7197b16a8ba64d5ee6f2887b
    SHA1: 46d03f3ca8c688746d125c699728f9e2c4eb4d7e
    SHA256: 8da6da494d52b68c9a9f4d90c1fd8e42caae8061c0e28d46a49600ff5a3eb678
    SHA512: 9ae6aead995b45e956ce6c12521697c03242110487adf622452123941b6d7ad82d6974605462862378af2fb778dee9d079653629780b014e81c27f8bb94145c5

  • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\ICxF9fmWOMp\UxTheme.dll
    Filesize: 2.0MB
    MD5: 9c1833e2a0babc939c6945a3d76ec900
    SHA1: 2737b5715ea9497656482f45882b5a39332541e1
    SHA256: 2cb7976e0501232818963f95aca412cd162a06db4e2e0aeaf52eb46f01bb57e4
    SHA512: 95f7f255d8631f1e94f342b1e9cafeedad2cb64176fad33789afdf5c3df2dd43ebaf380508e1c694176446b7fc375b5773320d4dfeb01d3507c17a6bdb69b4ea

  • C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low\CsIZGcz\credui.dll
    Filesize: 2.0MB
    MD5: 7c3d532854c1583d1dafdd19a325d240
    SHA1: 2579363112f72461e9c7f27be95b80d3c73a4896
    SHA256: c77333e92b5cd0ee200e2d45899b101052bab5e19d78baaa6e7b8b1cc8d3fbe9
    SHA512: 8e1732257fa5b65be8c20d380d529ec62cf9ab480c8f276af56b751183da7f50148c99cc89fc9cc6f3a736c89da0c49d3cdf96a5f0ec4aabfd87001c6b41e7c0

  • C:\Users\Admin\AppData\Roaming\Microsoft\UProof\rxyG9hn\XmlLite.dll
    Filesize: 2.0MB
    MD5: ca2f6123acb29c389ed27e7501c41340
    SHA1: 26b5e1f05284199684982b5203907a4885d50587
    SHA256: d07dad79d6ef019fb88d02fba0bd4d1001cf0c80e21b49e8a8bb50282db7d0b1
    SHA512: 0397f0f9a3cde818e98b9cb0a0a9a1a89bd8d4ee6449a9d558e96a42ecadf325a363a21ea7e3fbc43788ef41117bb75412f8a8738d5643bc5bab2452231eb6f3
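The dropped files above follow one pattern: each randomly named folder under AppData\Local holds a copy of a Windows binary that also appears in the Processes list (RecoveryDrive.exe, MoUsoCoreWorker.exe, perfmon.exe) beside a DLL carrying a standard Windows library name (UxTheme.dll, XmlLite.dll, credui.dll), which is the DLL search-order hijacking (side-loading) layout Dridex is known for; the three DLL copies under AppData\Roaming have the same 2.0MB size the report gives for the submitted sample, and the Startup-folder .lnk gives logon persistence. The script below is an added triage helper, not part of the sandbox report or of any sandbox tooling: it flags that layout in a (path, sha256) file listing. The binary and DLL name sets, the %WINDIR% prefix and the two benign System32 entries with placeholder hashes are assumptions constructed for the example; the sample paths and SHA-256 values are copied from the Downloads list.

```python
"""Added triage helper (not part of this sandbox report). Flags the file layout
recorded in the Downloads list: system-binary copies dropped outside %WINDIR%
beside a system-named DLL, stray system-named DLLs, Startup shortcuts, and
SHA-256 matches. Input is a list of (path, sha256) pairs as a scanner gives."""
import ntpath
from collections import defaultdict

# Names taken from the Processes and Downloads sections. In real use, build these
# sets from a %WINDIR%\System32 inventory rather than hard-coding them (assumption).
SYSTEM_BINARIES = {"mousocoreworker.exe", "recoverydrive.exe", "perfmon.exe"}
SYSTEM_DLLS = {"xmllite.dll", "uxtheme.dll", "credui.dll"}
WINDIR = "c:\\windows\\"  # assumed default install location

# SHA-256 of the six side-load files and the Startup .lnk, copied from the report.
# The three 2.0MB Roaming copies are left out on purpose: hash matching alone
# misses them, the layout checks below still catch them.
IOC_SHA256 = {
    "ef5d2a55f33c89e3beb65fd9cd7511231ecaf19a2cd863f84d9d8c6f838f1d5d",  # RecoveryDrive.exe
    "ade3ad486310bd4fee2998e94d102ec2bb6a581bab23efbb40d9badd14871e16",  # UxTheme.dll
    "e476fa9a77feb177033a8260fff32a17adc7b3dd5aa1e1b866a1ad3d46084bf6",  # MoUsoCoreWorker.exe
    "962a72967037d6a7b6aa02a48a0f61a13528e7d859f0b23cf250d5b0ec0db079",  # XmlLite.dll
    "ffc4b90ace75d99d962c30c7c1139dcf3c0ec34a9372de52c181b0d7eaef0971",  # credui.dll
    "6439b5ed226205bea9287102b604bad9bf6ccfc636c5cea196a5e1167afc53fc",  # perfmon.exe
    "8da6da494d52b68c9a9f4d90c1fd8e42caae8061c0e28d46a49600ff5a3eb678",  # Dyngdiaoitf.lnk
}


def _norm(path):
    """Lower-case, backslash-only form so every comparison is case-insensitive."""
    return path.replace("/", "\\").lower()


def find_sideload_pairs(listing):
    """Directories outside %WINDIR% holding a system-binary copy next to a DLL with
    a system library name. Returns (directory, [exes], [dlls]) sorted by directory."""
    by_dir = defaultdict(list)
    for path, _sha in listing:
        directory, name = ntpath.split(_norm(path))
        by_dir[directory].append(name)
    hits = []
    for directory, names in sorted(by_dir.items()):
        if directory.startswith(WINDIR):
            continue  # the legitimate copies live here
        exes = sorted(n for n in names if n in SYSTEM_BINARIES)
        dlls = sorted(n for n in names if n in SYSTEM_DLLS)
        if exes and dlls:
            hits.append((directory, exes, dlls))
    return hits


def find_stray_system_dlls(listing):
    """Any system-named DLL outside %WINDIR%, with or without a host binary beside it."""
    return [p for p, _ in listing
            if ntpath.basename(_norm(p)) in SYSTEM_DLLS
            and not _norm(p).startswith(WINDIR)]


def find_startup_links(listing):
    """Shortcuts in a Startup folder (run at logon). The recorded path uses 8.3
    short names (MICROS~1, STARTM~1), so match on the final Startup component only."""
    return [p for p, _ in listing
            if _norm(p).endswith(".lnk") and "\\startup\\" in _norm(p)]


def match_iocs(listing):
    """Paths whose SHA-256 is in the IOC set."""
    return [p for p, sha in listing if sha.lower() in IOC_SHA256]


def triage(listing):
    """All four checks in one dict keyed by check name."""
    return {
        "sideload_pairs": find_sideload_pairs(listing),
        "stray_system_dlls": find_stray_system_dlls(listing),
        "startup_links": find_startup_links(listing),
        "ioc_matches": match_iocs(listing),
    }


# Constructed sample listing: one (path, sha256) entry per dropped file in the
# Downloads list, plus two benign System32 entries with placeholder hashes.
LOCAL = "C:\\Users\\Admin\\AppData\\Local\\"
ROAMING = "C:\\Users\\Admin\\AppData\\Roaming\\"
SAMPLE_LISTING = [
    (LOCAL + "c3hKHAicR\\RecoveryDrive.exe", "ef5d2a55f33c89e3beb65fd9cd7511231ecaf19a2cd863f84d9d8c6f838f1d5d"),
    (LOCAL + "c3hKHAicR\\UxTheme.dll", "ade3ad486310bd4fee2998e94d102ec2bb6a581bab23efbb40d9badd14871e16"),
    (LOCAL + "hun60\\MoUsoCoreWorker.exe", "e476fa9a77feb177033a8260fff32a17adc7b3dd5aa1e1b866a1ad3d46084bf6"),
    (LOCAL + "hun60\\XmlLite.dll", "962a72967037d6a7b6aa02a48a0f61a13528e7d859f0b23cf250d5b0ec0db079"),
    (LOCAL + "zczKA\\credui.dll", "ffc4b90ace75d99d962c30c7c1139dcf3c0ec34a9372de52c181b0d7eaef0971"),
    (LOCAL + "zczKA\\perfmon.exe", "6439b5ed226205bea9287102b604bad9bf6ccfc636c5cea196a5e1167afc53fc"),
    (ROAMING + "MICROS~1\\Windows\\STARTM~1\\Programs\\Startup\\Dyngdiaoitf.lnk",
     "8da6da494d52b68c9a9f4d90c1fd8e42caae8061c0e28d46a49600ff5a3eb678"),
    (ROAMING + "Microsoft\\Crypto\\RSA\\ICxF9fmWOMp\\UxTheme.dll", "2cb7976e0501232818963f95aca412cd162a06db4e2e0aeaf52eb46f01bb57e4"),
    (ROAMING + "Microsoft\\Internet Explorer\\UserData\\Low\\CsIZGcz\\credui.dll", "c77333e92b5cd0ee200e2d45899b101052bab5e19d78baaa6e7b8b1cc8d3fbe9"),
    (ROAMING + "Microsoft\\UProof\\rxyG9hn\\XmlLite.dll", "d07dad79d6ef019fb88d02fba0bd4d1001cf0c80e21b49e8a8bb50282db7d0b1"),
    ("C:\\Windows\\System32\\perfmon.exe", "0" * 64),  # placeholder hash, constructed
    ("C:\\Windows\\System32\\credui.dll", "1" * 64),   # placeholder hash, constructed
]

if __name__ == "__main__":
    for check, items in triage(SAMPLE_LISTING).items():
        print(check)
        for item in items:
            print("   ", item)
```

On the sample listing the layout check returns the three AppData\Local folders, the stray-DLL check returns all six DLL copies including the three under Roaming that the seven-hash IOC set does not cover, and the two System32 entries are excluded by the %WINDIR% prefix. On a real host, feed it a directory walk with hashes and replace the hard-coded name sets with the names actually present in System32.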

Memory dumps, grouped by PID (region, size, dump index):

  • memory/2320
    0x000002798B950000-0x000002798B957000 (28KB): dump 111

  • memory/3464 (PID not listed in Processes above)
    0x0000000002D40000-0x0000000002D41000 (4KB): dump 4
    0x00007FF84726A000-0x00007FF84726B000 (4KB): dump 6
    0x0000000140000000-0x0000000140203000 (2.0MB): dumps 7, 9, 10-46, 54, 64, 66
    0x0000000001030000-0x0000000001037000 (28KB): dump 47
    0x00007FF848260000-0x00007FF848270000 (64KB): dump 55

  • memory/3864
    0x0000028964C30000-0x0000028964C37000 (28KB): dump 75
    0x0000000140000000-0x0000000140204000 (2.0MB): dumps 76, 81

  • memory/3900
    0x000001C84F5A0000-0x000001C84F5A7000 (28KB): dump 92

  • memory/4740
    0x00000193959C0000-0x00000193959C7000 (28KB): dump 0
    0x0000000140000000-0x0000000140203000 (2.0MB): dumps 1, 8