Analysis

  • max time kernel
    149s
  • max time network
    123s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26-01-2024 06:47

General

  • Target

    76ab58fddc3a0bfc0befb9c1840e58c0.dll

  • Size

    2.0MB

  • MD5

    76ab58fddc3a0bfc0befb9c1840e58c0

  • SHA1

    af815a39e30a201a65f0669e7b957072e57939de

  • SHA256

    1476d58e91f48e2f1a549b08316ea6a465b85edd954d01b4d33a8c86ac56898e

  • SHA512

    c14eec86c7ac0a9a869b559e7078326cf11961d9252f2075acc55263494e2ae1c0263f491fc018f8c8482023904a9656806f3bb71aeb682faffb09321f0e971c

  • SSDEEP

    12288:2VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:rfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex payload shellcode injected into the Explorer process.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\76ab58fddc3a0bfc0befb9c1840e58c0.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1568
  • C:\Windows\system32\Magnify.exe
    C:\Windows\system32\Magnify.exe
    1⤵
      PID:4196
    • C:\Users\Admin\AppData\Local\ZJE\Magnify.exe
      C:\Users\Admin\AppData\Local\ZJE\Magnify.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:4276
    • C:\Users\Admin\AppData\Local\vs1F3kfd\sdclt.exe
      C:\Users\Admin\AppData\Local\vs1F3kfd\sdclt.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:1088
    • C:\Windows\system32\sdclt.exe
      C:\Windows\system32\sdclt.exe
      1⤵
        PID:4868
      • C:\Users\Admin\AppData\Local\rYGJ\msinfo32.exe
        C:\Users\Admin\AppData\Local\rYGJ\msinfo32.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2708
      • C:\Windows\system32\msinfo32.exe
        C:\Windows\system32\msinfo32.exe
        1⤵
          PID:2828

Network

MITRE ATT&CK Enterprise v15


Downloads

        • C:\Users\Admin\AppData\Local\ZJE\Magnify.exe

          Filesize

          149KB

          MD5

          915851f133bd9c0e431e73b1cbd21550

          SHA1

          24c0cf0aecbf709ec0a178006ebd05ed560f582f

          SHA256

          07f5b6960262f063136e017384557643df57e073d7d8c7bdb812af09da64140c

          SHA512

          ee67b1913ec5d92316b0106be2b089d34797af158c7266fb6205885438c79e390e9f269152ccf31a26d375f4bbc52f9e26224bd8090c47fbac2af5931f498e8a

        • C:\Users\Admin\AppData\Local\ZJE\dwmapi.dll

          Filesize

          168KB

          MD5

          2287a38a76fdaa3ccb60ade49f67d862

          SHA1

          f85f513abd19d9b4569cb54c6767ec03a1d0d0d1

          SHA256

          47fbd9ec6608008ae27e3f50e7e46f6ead13416bd80ac02278cf0ebeae3fdf8a

          SHA512

          93fb74f26f220b2a487736ccabef3836cb9fcf234ab8c841dae41788a497c562939d5813fe1b12d05b6cc24d51d7195b2314ff4b1b3558dabc4a1e290e244335

        • C:\Users\Admin\AppData\Local\ZJE\dwmapi.dll

          Filesize

          149KB

          MD5

          95beb85ebb3d9feecfc5fd2e0eed5884

          SHA1

          454a35c9d1e44f53d3e16eadbfacc055adecd697

          SHA256

          4770f8c5b23b07bf72b7944da99731922b28ad3ed08a2b2a98515d091c0ae019

          SHA512

          bb5624f85f367af7b328bc89dbdf7c3bf835e975a3cc45fcbceca1f229d2029df2a9fd1b1496b841ecba71cbbcce9cd5d498b3cde33d822679ea7c69ef7ede11

        • C:\Users\Admin\AppData\Local\rYGJ\SLC.dll

          Filesize

          81KB

          MD5

          be301255ab82f72a9acc9b65fe784ab6

          SHA1

          db0ebba36a4685b08542eb201926f52ac5fb112a

          SHA256

          dfc7b330c65ec66cfc9413eff06ac5bd7fd0ef7d88e76a3e9882b22af1dabd32

          SHA512

          f77e1c407963725ca8b2a611fb4ca73b44d30b765e6eec450d2bd1d8cdba0c6dc6aca57377e0df7740256588a52d4ee80a075dee666089a5f21beca25d1b5c89

        • C:\Users\Admin\AppData\Local\rYGJ\SLC.dll

          Filesize

          61KB

          MD5

          b913937015b92cbde1ad3b0471a76b28

          SHA1

          33272e40934a81e62d5a9813633042ff1fd731b6

          SHA256

          5c88d69b72e77eca7fcb7b77c896d5c2880737147f2880b58b5f153c3e29760f

          SHA512

          f7b8ef56e64c95d526264f6499b42c9081a60ee0019794471d8d9f31436729f921a1e64746f022ac4de7730e161bbc123f13c2eca333277e8bd5d6e3a6d20572

        • C:\Users\Admin\AppData\Local\rYGJ\msinfo32.exe

          Filesize

          56KB

          MD5

          ee7c92dbb5f2c94e227637dec29c4f0a

          SHA1

          2de6d2c2b6c3f0bb6779a7b60b20fe6da8a119a5

          SHA256

          e034865d69650c30f02c0054b594207d35ff72358ac479503d08aa829f505e74

          SHA512

          b7d484994f7cc42e7f01c7c92b4cca154a0ba049298b17cd5e644e18a16f52758ad22c548df6aeaf6a2fbd59af490f85688080677d0499f8ecdf9ea387803aca

        • C:\Users\Admin\AppData\Local\rYGJ\msinfo32.exe

          Filesize

          346KB

          MD5

          54501828e12542a579b8b18e238401f8

          SHA1

          e09586b324df680ba85ac31fc757556df8b5555e

          SHA256

          0a8864c458a49fa0c01c3c257726ddd30182ceaed7a1714884213922975f49bb

          SHA512

          39f36ddf4481255f4bfee933e2cd748e7245a487e688ff36877b8ddb01c635be827f2a280f78392ffd842428cf342be725cb1481a2cf06a4ef087813c99250b3

        • C:\Users\Admin\AppData\Local\vs1F3kfd\WTSAPI32.dll

          Filesize

          103KB

          MD5

          35196c56a058582ccad07a996ed9b024

          SHA1

          abd05efff5c91a1c6fbd7476c9a1f57322486f60

          SHA256

          9d7111bb2c827c08535978d480d115939a78ca19c4a804c887b37c349a41cbc2

          SHA512

          560f44495b84136d873836eb47ce30d2f989f7294680a2f0ada77f202354efd4a503429ec583c1e20a47e4a57f1cd5030b3f81bc57ae29cb84026980f4916b03

        • C:\Users\Admin\AppData\Local\vs1F3kfd\WTSAPI32.dll

          Filesize

          140KB

          MD5

          5994182c37adc884cccbc50f16e5bcd2

          SHA1

          653452f3bfc779492258e1f763d56a855ef66e9f

          SHA256

          76bb5136a60f8b38417ef1b59f9d21904c3bbdc2d1dc6bdd40acb6553ee50772

          SHA512

          cfa2a2b283964b2a2f8676cf8c2bb2b58800ce7644e8cf2273c841baccdb4d91cab3ef99ebf7c8da40a2cba4c89570ddb0b7cd4b4141145ad101aa825d60a7d5

        • C:\Users\Admin\AppData\Local\vs1F3kfd\sdclt.exe

          Filesize

          133KB

          MD5

          46f63a256874f0851cb07386ce5c43e2

          SHA1

          1dc73fa9e6771df0ac20ff10e3e64a3abd369dd7

          SHA256

          a55e6266f8477403232f160134ea9d399b93b9da17e4582e1ccf83d2c6eef113

          SHA512

          bf53443044ddaf6491472120799963925a87d31e92b6a0c53892953e9ab40ed0f1522356d631abd4556ab16f14ed88fb59876721f22e911bccea77bd2858a438

        • C:\Users\Admin\AppData\Local\vs1F3kfd\sdclt.exe

          Filesize

          149KB

          MD5

          dfa53879ba72970e4d284b6d5f8a50e1

          SHA1

          81d25825f1fc03052ca177cce6f9da5a307c0405

          SHA256

          d044b2b516a51f1288e4ff126831b5072c0e5413bfc59d85de5c0e3f8f7f1eb7

          SHA512

          65b0d99f69c16112e6611d69d88ed65998c3c5d58b262221bf0a46ee7e74bbdb3149a6f43daa865acccd89bd6f54b5d505f532cbeea55f620758683aea43fc72

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Mkzwiunlad.lnk

          Filesize

          1KB

          MD5

          6909f4fe13b480ed47992f0309f9ccb7

          SHA1

          f0d4cedc0ef187449bcd071b71bc04e0841c7319

          SHA256

          0fde514a5ec438f487a507930265f48d171749f2d6b73eda03fc0adab6b55e20

          SHA512

          38a1eeece6f63b4a8b1abad3ee3bc7c4f3905bf61a17abff3fe268d2ba466685fc529ca7c399dac76bb242e41042ae735c3e5a42ba7c309d5a325fbb9acc1f7b

        • C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\YoSD0KT\WTSAPI32.dll

          Filesize

          2.0MB

          MD5

          6f36a8cb34f492831b93691b1ade1ab6

          SHA1

          df71e34d69f116d16b626542a0239474568aa05d

          SHA256

          5e37e9525728379d5987677e8cf73091d43ec9f8538c95512bbe0f7598893824

          SHA512

          a00d71b8163ecc9e40c2bf9ba3f05cb51dc3f614510390427f4dcc4e4a44e3a627ceb0ddf63af74d98d06aaed6230a210c8d3c692da4461ce9cf1ba490dd5ed7

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\2uWbturT1qt\dwmapi.dll

          Filesize

          2.0MB

          MD5

          567f432979d582531f403ca45bd5f6f3

          SHA1

          b8568ca8bba311fff33aa90f636800e44eb5e14c

          SHA256

          cbd61e6a2b6a2815d38e7f48e7f97012215ac10509657ad6c30752e1c24397fd

          SHA512

          741362cffd484a51864e12bb1a51b4e33de6af649f580ac11f250cfb215f5339346bd47b2db0497ad59208c7c98a2f8980a289de69e843fa7fa82cc4d154d3bb

        • C:\Users\Admin\AppData\Roaming\Sun\Java\O0L1lh\SLC.dll

          Filesize

          2.0MB

          MD5

          0b1e6a95de1b74c3c47c54ef2efc10e1

          SHA1

          f72e212a29b2fd16c0bf3ee52266d43f19b5599c

          SHA256

          20a3e395b16491cc0bc177f786144edf93a991c5415d08d1c4aa8d17ea96644a

          SHA512

          54e4b5e432b35809b7f69364e316d0c61b88ff76c06c92da996b91ecabe4a6dd46609117c38981aafc1984284fbba16ea1cce5180b19c6b0603c3ca56444c97b

        • memory/1088-83-0x0000028CF1EE0000-0x0000028CF1EE7000-memory.dmp

          Filesize

          28KB

        • memory/1088-86-0x0000000140000000-0x00000001401FA000-memory.dmp

          Filesize

          2.0MB

        • memory/1568-0-0x0000026E08C20000-0x0000026E08C27000-memory.dmp

          Filesize

          28KB

        • memory/1568-8-0x0000000140000000-0x00000001401F9000-memory.dmp

          Filesize

          2.0MB

        • memory/1568-1-0x0000000140000000-0x00000001401F9000-memory.dmp

          Filesize

          2.0MB

        • memory/2708-97-0x0000013391F50000-0x0000013391F57000-memory.dmp

          Filesize

          28KB

        • memory/2708-103-0x0000000140000000-0x00000001401FA000-memory.dmp

          Filesize

          2.0MB

        • memory/3600-28-0x0000000140000000-0x00000001401F9000-memory.dmp

          Filesize

          2.0MB

        • memory/3600-16-0x0000000140000000-0x00000001401F9000-memory.dmp

          Filesize

          2.0MB

        • memory/3600-31-0x0000000140000000-0x00000001401F9000-memory.dmp

          Filesize

          2.0MB

        • memory/3600-35-0x0000000140000000-0x00000001401F9000-memory.dmp

          Filesize

          2.0MB

        • memory/3600-34-0x0000000000E80000-0x0000000000E87000-memory.dmp

          Filesize

          28KB

        • memory/3600-29-0x0000000140000000-0x00000001401F9000-memory.dmp

          Filesize

          2.0MB

        • memory/3600-33-0x0000000140000000-0x00000001401F9000-memory.dmp

          Filesize

          2.0MB

        • memory/3600-27-0x0000000140000000-0x00000001401F9000-memory.dmp

          Filesize

          2.0MB

        • memory/3600-26-0x0000000140000000-0x00000001401F9000-memory.dmp

          Filesize

          2.0MB

        • memory/3600-24-0x0000000140000000-0x00000001401F9000-memory.dmp

          Filesize

          2.0MB

        • memory/3600-23-0x0000000140000000-0x00000001401F9000-memory.dmp

          Filesize

          2.0MB

        • memory/3600-43-0x00007FF88A5C0000-0x00007FF88A5D0000-memory.dmp

          Filesize

          64KB

        • memory/3600-42-0x0000000140000000-0x00000001401F9000-memory.dmp

          Filesize

          2.0MB

        • memory/3600-52-0x0000000140000000-0x00000001401F9000-memory.dmp

          Filesize

          2.0MB

        • memory/3600-54-0x0000000140000000-0x00000001401F9000-memory.dmp

          Filesize

          2.0MB

        • memory/3600-30-0x0000000140000000-0x00000001401F9000-memory.dmp

          Filesize

          2.0MB

        • memory/3600-25-0x0000000140000000-0x00000001401F9000-memory.dmp

          Filesize

          2.0MB

        • memory/3600-22-0x0000000140000000-0x00000001401F9000-memory.dmp

          Filesize

          2.0MB

        • memory/3600-5-0x00007FF8899BA000-0x00007FF8899BB000-memory.dmp

          Filesize

          4KB

        • memory/3600-4-0x0000000003070000-0x0000000003071000-memory.dmp

          Filesize

          4KB

        • memory/3600-7-0x0000000140000000-0x00000001401F9000-memory.dmp

          Filesize

          2.0MB

        • memory/3600-21-0x0000000140000000-0x00000001401F9000-memory.dmp

          Filesize

          2.0MB

        • memory/3600-20-0x0000000140000000-0x00000001401F9000-memory.dmp

          Filesize

          2.0MB

        • memory/3600-19-0x0000000140000000-0x00000001401F9000-memory.dmp

          Filesize

          2.0MB

        • memory/3600-18-0x0000000140000000-0x00000001401F9000-memory.dmp

          Filesize

          2.0MB

        • memory/3600-9-0x0000000140000000-0x00000001401F9000-memory.dmp

          Filesize

          2.0MB

        • memory/3600-17-0x0000000140000000-0x00000001401F9000-memory.dmp

          Filesize

          2.0MB

        • memory/3600-10-0x0000000140000000-0x00000001401F9000-memory.dmp

          Filesize

          2.0MB

        • memory/3600-32-0x0000000140000000-0x00000001401F9000-memory.dmp

          Filesize

          2.0MB

        • memory/3600-15-0x0000000140000000-0x00000001401F9000-memory.dmp

          Filesize

          2.0MB

        • memory/3600-14-0x0000000140000000-0x00000001401F9000-memory.dmp

          Filesize

          2.0MB

        • memory/3600-13-0x0000000140000000-0x00000001401F9000-memory.dmp

          Filesize

          2.0MB

        • memory/3600-12-0x0000000140000000-0x00000001401F9000-memory.dmp

          Filesize

          2.0MB

        • memory/3600-11-0x0000000140000000-0x00000001401F9000-memory.dmp

          Filesize

          2.0MB

        • memory/4276-69-0x0000000140000000-0x00000001401FA000-memory.dmp

          Filesize

          2.0MB

        • memory/4276-64-0x0000000140000000-0x00000001401FA000-memory.dmp

          Filesize

          2.0MB

        • memory/4276-63-0x00000202468E0000-0x00000202468E7000-memory.dmp

          Filesize

          28KB