Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26-01-2024 11:50

General

  • Target

    7747f0093a61bd648a9356cf2797bc88.dll

  • Size

    1.7MB

  • MD5

    7747f0093a61bd648a9356cf2797bc88

  • SHA1

    2d2ad0030c4569e867ceb32bdc0f23a30a1dbcb3

  • SHA256

    2a93a9d8dcfa728e06e4cde541d13154ee6a07f1439f177e54d31dea176dc681

  • SHA512

    6e131a6cfa2f256b7d757ba2e52f4fa89f8f3fd80529fe1fdb3324e4ab277d9d3041ce802ee78163e72081ffd1118b7f9a66d8dcda0028743251ddd677f622d5

  • SSDEEP

    12288:NVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:UfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a banking trojan that specializes in stealing bank credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex payload shellcode injected into the Explorer process.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
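The Run key and Task Scheduler signatures above, together with the link file this run drops into the Startup folder (Enpllr.lnk in the Downloads list below), are the sample's three persistence paths. The following triage script is an added example and not part of the sandbox report or the analysis tool: it parses Startup-folder shell links (the MS-SHLLINK format), Task Scheduler XML definitions and Run-key values, and flags every launch target that sits under a user's AppData tree, which is where this sample places its copies. The .lnk bytes, the task XML and the Run values are constructed fixtures, since the report does not publish the contents of Enpllr.lnk, the task or the Run value; the task name and value names are assumptions.

```python
"""Triage of the persistence the signatures above describe (Run key, Task
Scheduler task) plus the Startup-folder link the Downloads list shows
(Enpllr.lnk). Added example, not part of the sandbox report: it parses
shell links (MS-SHLLINK), Task Scheduler XML and Run-key values and flags
any launch target under a user's AppData tree, where this sample stages
its copies. The .lnk bytes, task XML and Run values below are constructed
fixtures; the report does not publish the real contents of any of them."""
import re
import struct
import xml.etree.ElementTree as ET

LNK_CLSID = b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\", re.IGNORECASE)
TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"


def _cstr(data, off):
    """NUL-terminated ANSI string starting at off."""
    return data[off:data.index(b"\0", off)].decode("cp1252")


def _exe_of(cmd):
    """Executable part of a command line, with or without quotes."""
    cmd = cmd.strip()
    if cmd.startswith('"') and cmd.find('"', 1) > 0:
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(" ", 1)[0]


def parse_lnk(data):
    """Target path and string fields of a shell link (ANSI LocalBasePath only)."""
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a shell link")
    off = 0x4C
    if flags & 0x01:                      # HasLinkTargetIDList: skip the IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    target = None
    if flags & 0x02:                      # HasLinkInfo
        li = off
        li_size, _, li_flags, _, lbp_off, _, cps_off = struct.unpack_from("<7I", data, li)
        if li_flags & 0x01:               # VolumeIDAndLocalBasePath
            target = _cstr(data, li + lbp_off) + _cstr(data, li + cps_off)
        off = li + li_size
    out = {"target": target}
    wide = bool(flags & 0x80)             # IsUnicode
    for bit, name in ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                      (0x20, "arguments"), (0x40, "icon_location")):
        if flags & bit:                   # StringData: CountCharacters then chars, no NUL
            count = struct.unpack_from("<H", data, off)[0]
            raw = data[off + 2:off + 2 + count * (2 if wide else 1)]
            out[name] = raw.decode("utf-16-le" if wide else "cp1252")
            off += 2 + len(raw)
    return out


def task_commands(task_xml):
    """(command, arguments) of every Exec action in a Task Scheduler definition.
    Real files under C:\\Windows\\System32\\Tasks are UTF-16: pass their raw bytes."""
    root = ET.fromstring(task_xml)
    return [(ex.findtext(TASK_NS + "Command", default=""),
             ex.findtext(TASK_NS + "Arguments", default=""))
            for ex in root.iter(TASK_NS + "Exec")]


def suspicious_targets(lnk_blobs, task_xmls, run_values):
    """Launch targets in user-writable paths from Startup links, tasks and Run values."""
    targets = [parse_lnk(b)["target"] or "" for b in lnk_blobs]
    targets += [_exe_of(cmd) for x in task_xmls for cmd, _ in task_commands(x)]
    targets += [_exe_of(cmd) for cmd in run_values.values()]
    return [t for t in targets if USER_WRITABLE.match(t)]


def build_lnk(target, arguments=""):
    """Minimal shell link: fixture builder used only to construct test input."""
    flags = 0x02 | (0x20 if arguments else 0) | 0x80   # HasLinkInfo, HasArguments, IsUnicode
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    volume_id = struct.pack("<IIII", 0x11, 3, 0, 0x10) + b"\0"   # DRIVE_FIXED, empty label
    lbp = target.encode("cp1252") + b"\0"
    lbp_off = 28 + len(volume_id)
    cps_off = lbp_off + len(lbp)
    link_info = struct.pack("<7I", cps_off + 1, 28, 0x01, 28, lbp_off, 0, cps_off)
    body = header + link_info + volume_id + lbp + b"\0"
    if arguments:
        body += struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
    return body


# Constructed fixtures pointing at the AppData copies the report shows.
# The task definition and the Run value names are assumptions.
STARTUP_LNK = build_lnk(r"C:\Users\Admin\AppData\Local\KHa\quickassist.exe")
TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec><Command>C:\Users\Admin\AppData\Local\p7Fxwh3\eudcedit.exe</Command></Exec>
  </Actions>
</Task>"""
RUN_VALUES = {"OneDrive": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
              "Update": r'"C:\Users\Admin\AppData\Local\fzQ1UvIMV\isoburn.exe"'}

if __name__ == "__main__":
    for hit in suspicious_targets([STARTUP_LNK], [TASK_XML], RUN_VALUES):
        print("persistence target in user-writable path:", hit)
```

The AppData test is a triage filter, not a verdict: the constructed OneDrive value is flagged as well, because per-user installers legitimately live there. On a real host, pair this with an allow-list of known per-user software or with the stronger test that the file name is one shipped in System32 (isoburn.exe, eudcedit.exe, quickassist.exe) while the path is not.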

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\7747f0093a61bd648a9356cf2797bc88.dll,#1
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:4868
  • C:\Windows\system32\isoburn.exe
    C:\Windows\system32\isoburn.exe
    PID:4888
  • C:\Users\Admin\AppData\Local\fzQ1UvIMV\isoburn.exe
    C:\Users\Admin\AppData\Local\fzQ1UvIMV\isoburn.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:2788
  • C:\Windows\system32\eudcedit.exe
    C:\Windows\system32\eudcedit.exe
    PID:1276
  • C:\Users\Admin\AppData\Local\p7Fxwh3\eudcedit.exe
    C:\Users\Admin\AppData\Local\p7Fxwh3\eudcedit.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:2800
  • C:\Windows\system32\quickassist.exe
    C:\Windows\system32\quickassist.exe
    PID:4488
  • C:\Users\Admin\AppData\Local\KHa\quickassist.exe
    C:\Users\Admin\AppData\Local\KHa\quickassist.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:4088
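The process tree shows one chain twice over: rundll32 runs the submitted DLL by ordinal (#1) from the user's Temp directory, then each of three System32 binaries (isoburn.exe, eudcedit.exe, quickassist.exe) runs once from System32 and once from a randomly named directory under AppData\Local, where the Downloads section shows a DLL with a System32 name (UxTheme.dll or MFC42u.dll) dropped beside the copy. A binary loaded from its own directory resolves such a DLL there before System32, so the copy executes the dropped DLL. The detection logic below is an added example, not part of the sandbox report or the analysis tool: it runs over process-start and file-write records constructed from this report's Processes and Downloads sections, with an assumed field schema (pid, image, cmdline, path) that is not any product's, and a System32 inventory reduced to the names the report shows.

```python
"""Detection for the execution chain in the process tree above: a DLL run
by ordinal through rundll32 from the user's Temp directory, then System32
binaries (isoburn.exe, eudcedit.exe, quickassist.exe) copied into random
directories under AppData and started next to a DLL carrying a System32
DLL name (UxTheme.dll, MFC42u.dll), so the copy loads it first. Added
example, not part of the sandbox report: the event records are constructed
from the report's Processes and Downloads sections and the field names
(pid, image, cmdline, path) are an assumed schema, not any product's."""
import ntpath
import re
from collections import defaultdict

# Image names that ship in System32. A real hunt takes the full inventory
# from a clean reference host; this list covers only what the report shows.
SYSTEM32_EXES = {"rundll32.exe", "isoburn.exe", "eudcedit.exe", "quickassist.exe"}
SYSTEM32_DLLS = {"uxtheme.dll", "mfc42u.dll"}
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\", re.IGNORECASE)
# rundll32 <dll>,#<ordinal>  (paths without spaces, as in the report)
RUNDLL32_ORDINAL = re.compile(r"rundll32(?:\.exe)?\s+(\S+?),#(\d+)", re.IGNORECASE)


def rundll32_ordinal_export(cmdline):
    """(dll_path, ordinal) when rundll32 calls an export by ordinal from a DLL
    in a user-writable directory, as PID 4868 above does; otherwise None."""
    m = RUNDLL32_ORDINAL.search(cmdline)
    if m and USER_WRITABLE.match(m.group(1)):
        return m.group(1), int(m.group(2))
    return None


def relocated_system_binaries(process_events):
    """Process starts whose image name belongs to System32 but whose path
    is under the user's AppData tree."""
    return [ev for ev in process_events
            if ntpath.basename(ev["image"]).lower() in SYSTEM32_EXES
            and USER_WRITABLE.match(ev["image"])]


def find_sideload_pairs(process_events, file_events):
    """(exe_path, dll_path) for each relocated System32 binary that has a
    System32-named DLL written into its own directory: the search-order
    hijack the three AppData copies above rely on."""
    dropped = defaultdict(set)
    for ev in file_events:
        if ntpath.basename(ev["path"]).lower() in SYSTEM32_DLLS:
            dropped[ntpath.dirname(ev["path"]).lower()].add(ev["path"])
    pairs = []
    for ev in relocated_system_binaries(process_events):
        for dll in sorted(dropped.get(ntpath.dirname(ev["image"]).lower(), ())):
            pairs.append((ev["image"], dll))
    return pairs


def staged_dlls(process_events, file_events):
    """System32-named DLLs written under AppData with no relocated binary
    started beside them (the Roaming\\Microsoft\\Windows copies above)."""
    paired_dirs = {ntpath.dirname(exe).lower()
                   for exe, _ in find_sideload_pairs(process_events, file_events)}
    return sorted(ev["path"] for ev in file_events
                  if ntpath.basename(ev["path"]).lower() in SYSTEM32_DLLS
                  and USER_WRITABLE.match(ev["path"])
                  and ntpath.dirname(ev["path"]).lower() not in paired_dirs)


# Constructed from the Processes section above (pid, image, command line).
PROCESS_EVENTS = [
    {"pid": 4868, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\7747f0093a61bd648a9356cf2797bc88.dll,#1"},
    {"pid": 4888, "image": r"C:\Windows\system32\isoburn.exe", "cmdline": r"C:\Windows\system32\isoburn.exe"},
    {"pid": 2788, "image": r"C:\Users\Admin\AppData\Local\fzQ1UvIMV\isoburn.exe",
     "cmdline": r"C:\Users\Admin\AppData\Local\fzQ1UvIMV\isoburn.exe"},
    {"pid": 1276, "image": r"C:\Windows\system32\eudcedit.exe", "cmdline": r"C:\Windows\system32\eudcedit.exe"},
    {"pid": 2800, "image": r"C:\Users\Admin\AppData\Local\p7Fxwh3\eudcedit.exe",
     "cmdline": r"C:\Users\Admin\AppData\Local\p7Fxwh3\eudcedit.exe"},
    {"pid": 4488, "image": r"C:\Windows\system32\quickassist.exe", "cmdline": r"C:\Windows\system32\quickassist.exe"},
    {"pid": 4088, "image": r"C:\Users\Admin\AppData\Local\KHa\quickassist.exe",
     "cmdline": r"C:\Users\Admin\AppData\Local\KHa\quickassist.exe"},
]
# Constructed from the Downloads section (files written during the run).
FILE_EVENTS = [{"path": p} for p in (
    r"C:\Users\Admin\AppData\Local\KHa\UxTheme.dll",
    r"C:\Users\Admin\AppData\Local\KHa\quickassist.exe",
    r"C:\Users\Admin\AppData\Local\fzQ1UvIMV\UxTheme.dll",
    r"C:\Users\Admin\AppData\Local\fzQ1UvIMV\isoburn.exe",
    r"C:\Users\Admin\AppData\Local\p7Fxwh3\MFC42u.dll",
    r"C:\Users\Admin\AppData\Local\p7Fxwh3\eudcedit.exe",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\T6iRqx2\UxTheme.dll",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\lp5CtG\MFC42u.dll",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Lvq\UxTheme.dll",
)]

if __name__ == "__main__":
    print("rundll32 ordinal call:", rundll32_ordinal_export(PROCESS_EVENTS[0]["cmdline"]))
    for exe, dll in find_sideload_pairs(PROCESS_EVENTS, FILE_EVENTS):
        print(f"side-load: {exe} <- {dll}")
    for dll in staged_dlls(PROCESS_EVENTS, FILE_EVENTS):
        print(f"staged, not yet paired with a binary: {dll}")
```

The three Roaming\Microsoft\Windows copies of UxTheme.dll and MFC42u.dll come out as staged DLLs with no binary beside them within the 150 s run; on a live host they are worth collecting before the next reboot or logon adds the matching executable. Extending SYSTEM32_EXES to a full inventory is what makes the relocated-binary check useful beyond this sample, since the three names here are just the ones this run happened to pick.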

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\KHa\UxTheme.dll
    Filesize: 1.3MB
    MD5: aecfb8a223946b5d005cc07fb5e85e0c
    SHA1: 43f4e23bb4b62b4c994a00d32f5cf595b86926f7
    SHA256: dc4970b703b65c3c31c7392e63470a0bdca54794a55112b14dcaf811a7fb43b1
    SHA512: 25d9e1266123c056a4c7f5d062d656c832371fb95bed8b947562aa0928f6e55cfdc16f2c68659c7fac7490d8fbbbd2995f5060939b805b1b6a0ce05ad8867bc7
  • C:\Users\Admin\AppData\Local\KHa\UxTheme.dll
    Filesize: 1.6MB
    MD5: 213c40d094b5fbe42b2e571842d509da
    SHA1: e9976d39656009e618af27c46629ec1c3caf4f3f
    SHA256: b4e4a1082b770be47ef79b6dc3db3677adc14daae328dda0dad4af4c39df117a
    SHA512: c16190a7dade514051ab3ad5b5979520bcfd939c68ee34b3a0f47533b55a692d7bc9692ca1df891d5cb1c0584109fad5d3d57ff0d7db9e9f864c899838b60db1
  • C:\Users\Admin\AppData\Local\KHa\quickassist.exe
    Filesize: 665KB
    MD5: d1216f9b9a64fd943539cc2b0ddfa439
    SHA1: 6fad9aeb7780bdfd88a9a5a73b35b3e843605e6c
    SHA256: c1e8fda00da574e8759ba262d76b6edc1d5f4a80620730ef0be7527e0d803db2
    SHA512: c5fd7d81d1d478056fcbed0ba887ce551832f0104e7c31753c3c8760b4d63f38324f74e996684042acc8f9682fce8a8c85172741a868257e87d5e0f988c4e567
  • C:\Users\Admin\AppData\Local\fzQ1UvIMV\UxTheme.dll
    Filesize: 418KB
    MD5: c4ae0c89306390bd0c132b1a366ed683
    SHA1: 67743a161fa42f19d86bca2f306fb56a49af1710
    SHA256: fe27d49f45c771c8e3a9c4a4655643352dd27545031ae0a5854d21b99a96c239
    SHA512: 347410dfd97107e9672931e90d8f203146cf9e9909e2aea30428fe685b8b07d0a7cd8d1b8eb8eeade995fd217c2a7e48ade8cec33136791b17b37c67ded62c93
  • C:\Users\Admin\AppData\Local\fzQ1UvIMV\UxTheme.dll
    Filesize: 553KB
    MD5: 7dd72ec1fe877bf9667e63860e11b8b1
    SHA1: b13e8a928de3af87208949c024d20d000880df1f
    SHA256: 7d8dda363470163994ccdc381f6231bd7dc3ba9655bb619a15f135d3b8c9860f
    SHA512: 238899be24cbde891ce48fcdd9fef7b92773b50c1ccdaae6deef27018b549524deae18b9d476501be2a455865a73753083f3a0c77e987aa836decc9a016478d2
  • C:\Users\Admin\AppData\Local\fzQ1UvIMV\isoburn.exe
    Filesize: 119KB
    MD5: 68078583d028a4873399ae7f25f64bad
    SHA1: a3c928fe57856a10aed7fee17670627fe663e6fe
    SHA256: 9478c095afe212bce91d2de1a3c3647109f2d54e46b9bf70843e839324458567
    SHA512: 25503a47c53fe83eeb56726b5a5eec5cb01bc783e866306f92242a7a8cbafa20a3209217e0f4561febfec78d2f64f1725727a6b2d3ee6da512618984d0bb0bc1
  • C:\Users\Admin\AppData\Local\p7Fxwh3\MFC42u.dll
    Filesize: 1.1MB
    MD5: 6027b47258cbd04e04381400faa9ed80
    SHA1: 7545f2da4a6f70c07ea378593a6cf8c904b0cda8
    SHA256: b2824f2a80c7c79cbfd20731a097cec51b349e8b9e8d68aa8e7020d2c834c715
    SHA512: 31a4109271f3228faf43cb573d9a6fb5a3003260a51858d604d26925cf640e6605ffacd9b2a2d7da2096f08481adcf7c15313fb727a4d15b53bcad9d90a42dbb
  • C:\Users\Admin\AppData\Local\p7Fxwh3\MFC42u.dll
    Filesize: 723KB
    MD5: b033b5ea88f9c68e78d36a86f9e5a857
    SHA1: 9ee0a8ffaf696d744fb2c939536ab40ab0741fb5
    SHA256: be0da881793ca1975ca3996417951a65a578f758e04c7bfbed85bb9601b28552
    SHA512: 30faf690cc124b04aa1e0a160fa71790f478b8ee5a54362e97da48dd1fc0393e2b0eb7808b6411d8d973a67fe69cc83b1823d7aaebe69df843fb771e8e1b99a5
  • C:\Users\Admin\AppData\Local\p7Fxwh3\eudcedit.exe
    Filesize: 365KB
    MD5: a9de6557179d371938fbe52511b551ce
    SHA1: def460b4028788ded82dc55c36cb0df28599fd5f
    SHA256: 83c8d1a7582b24b4bbc0d453c813487185c2b05c483bd1759ef647a7e7e92dfe
    SHA512: 5790cac8dae16a785b48f790e6645b137f211c1587fb64ea88e743b846ff3a886324afcfef4bebc61f869023b9a22ba925c461dfb2e12497b70f501e6b79153c
  • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Enpllr.lnk
    Filesize: 1KB
    MD5: 57e6455139b7dad256543f59de4e6369
    SHA1: b420fe8580101b3bce9429a8c558008de4fc859e
    SHA256: a42d731a250b877906113fa8cc6fa8d288185e6c9d58764c6886df05e1f40c71
    SHA512: 97a59e269f5137b785332a8c7b18a03e44161c9523149edd22a2bc8baa8fa4ba7b5e1b6069e6df085d008b95aa2397ecec5de206f0bcf549139ec470aa3d4c01
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\T6iRqx2\UxTheme.dll
    Filesize: 1.7MB
    MD5: de1dadcaa1ba24b0e19457b39e750416
    SHA1: 9b249407252d92e6cf30390687745901d3a3ca77
    SHA256: 18cb5f964acba5dff393b3b10933993612918e8041f735fbe874e2fd06bc879a
    SHA512: f24fb23856249b8f970cc44d94e2b4943c12748fc05f7f6097fbf421b78c3a1f85b75b17d2c423e3077dfa7fca7ec3b00e3be8e40f5080d52a80ef18afbb7247
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\lp5CtG\MFC42u.dll
    Filesize: 1.8MB
    MD5: 86563819e97e99f877cca706b07c8edc
    SHA1: 38c9e6c27bc1129966ac722a5f89abe3cbd03cd9
    SHA256: 56e9f74e3345f1a608724b2f475a80033f70160e2085dee7b4e877b6dfb1df1d
    SHA512: a6e140018488d41e0a66636403485f99f9b360cc16561a59b2926b918a1f6e551be72c04aa9806d2ceb46c1da6c67bdd8e6ae253bbfb6d3c5419962edc18e77b
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Lvq\UxTheme.dll
    Filesize: 1.7MB
    MD5: 0e821ba42f3184fc0abae1193d5cb101
    SHA1: f86cbec6000dab84b0e8ef97e941c01f14a7d692
    SHA256: 24dd8879f44db9214d0de70b0760849665ff37accfa6084178fa0294f0fa5f33
    SHA512: cb976c84413714040b919115ac423bf3a54808688d333402eefbf355b538512b3a536f0263bd2d8d47b7494302c12fa5201318cf59af35923980c3fc0bf5bf0f

  • memory/2788-77-0x000001721DC40000-0x000001721DC47000-memory.dmp (28KB)
  • memory/2788-81-0x0000000140000000-0x00000001401BB000-memory.dmp (1.7MB)
  • memory/2788-75-0x0000000140000000-0x00000001401BB000-memory.dmp (1.7MB)
  • memory/2800-93-0x0000000140000000-0x00000001401C1000-memory.dmp (1.8MB)
  • memory/2800-92-0x0000021108470000-0x0000021108477000-memory.dmp (28KB)
  • memory/3380-21-0x0000000140000000-0x00000001401BA000-memory.dmp (1.7MB)
  • memory/3380-47-0x0000000140000000-0x00000001401BA000-memory.dmp (1.7MB)
  • memory/3380-20-0x0000000140000000-0x00000001401BA000-memory.dmp (1.7MB)
  • memory/3380-25-0x0000000140000000-0x00000001401BA000-memory.dmp (1.7MB)
  • memory/3380-24-0x0000000140000000-0x00000001401BA000-memory.dmp (1.7MB)
  • memory/3380-26-0x0000000140000000-0x00000001401BA000-memory.dmp (1.7MB)
  • memory/3380-28-0x0000000140000000-0x00000001401BA000-memory.dmp (1.7MB)
  • memory/3380-29-0x0000000140000000-0x00000001401BA000-memory.dmp (1.7MB)
  • memory/3380-27-0x0000000140000000-0x00000001401BA000-memory.dmp (1.7MB)
  • memory/3380-30-0x0000000140000000-0x00000001401BA000-memory.dmp (1.7MB)
  • memory/3380-32-0x0000000140000000-0x00000001401BA000-memory.dmp (1.7MB)
  • memory/3380-33-0x0000000140000000-0x00000001401BA000-memory.dmp (1.7MB)
  • memory/3380-34-0x0000000140000000-0x00000001401BA000-memory.dmp (1.7MB)
  • memory/3380-36-0x0000000140000000-0x00000001401BA000-memory.dmp (1.7MB)
  • memory/3380-35-0x0000000140000000-0x00000001401BA000-memory.dmp (1.7MB)
  • memory/3380-31-0x0000000140000000-0x00000001401BA000-memory.dmp (1.7MB)
  • memory/3380-37-0x0000000140000000-0x00000001401BA000-memory.dmp (1.7MB)
  • memory/3380-38-0x0000000140000000-0x00000001401BA000-memory.dmp (1.7MB)
  • memory/3380-40-0x0000000140000000-0x00000001401BA000-memory.dmp (1.7MB)
  • memory/3380-43-0x0000000140000000-0x00000001401BA000-memory.dmp (1.7MB)
  • memory/3380-44-0x0000000140000000-0x00000001401BA000-memory.dmp (1.7MB)
  • memory/3380-45-0x0000000140000000-0x00000001401BA000-memory.dmp (1.7MB)
  • memory/3380-42-0x0000000140000000-0x00000001401BA000-memory.dmp (1.7MB)
  • memory/3380-41-0x0000000140000000-0x00000001401BA000-memory.dmp (1.7MB)
  • memory/3380-39-0x0000000140000000-0x00000001401BA000-memory.dmp (1.7MB)
  • memory/3380-23-0x0000000140000000-0x00000001401BA000-memory.dmp (1.7MB)
  • memory/3380-46-0x00000000030D0000-0x00000000030D7000-memory.dmp (28KB)
  • memory/3380-54-0x0000000140000000-0x00000001401BA000-memory.dmp (1.7MB)
  • memory/3380-55-0x00007FFB5D7A0000-0x00007FFB5D7B0000-memory.dmp (64KB)
  • memory/3380-64-0x0000000140000000-0x00000001401BA000-memory.dmp (1.7MB)
  • memory/3380-66-0x0000000140000000-0x00000001401BA000-memory.dmp (1.7MB)
  • memory/3380-22-0x0000000140000000-0x00000001401BA000-memory.dmp (1.7MB)
  • memory/3380-5-0x00007FFB5BB6A000-0x00007FFB5BB6B000-memory.dmp (4KB)
  • memory/3380-19-0x0000000140000000-0x00000001401BA000-memory.dmp (1.7MB)
  • memory/3380-18-0x0000000140000000-0x00000001401BA000-memory.dmp (1.7MB)
  • memory/3380-17-0x0000000140000000-0x00000001401BA000-memory.dmp (1.7MB)
  • memory/3380-16-0x0000000140000000-0x00000001401BA000-memory.dmp (1.7MB)
  • memory/3380-15-0x0000000140000000-0x00000001401BA000-memory.dmp (1.7MB)
  • memory/3380-14-0x0000000140000000-0x00000001401BA000-memory.dmp (1.7MB)
  • memory/3380-13-0x0000000140000000-0x00000001401BA000-memory.dmp (1.7MB)
  • memory/3380-12-0x0000000140000000-0x00000001401BA000-memory.dmp (1.7MB)
  • memory/3380-11-0x0000000140000000-0x00000001401BA000-memory.dmp (1.7MB)
  • memory/3380-10-0x0000000140000000-0x00000001401BA000-memory.dmp (1.7MB)
  • memory/3380-9-0x0000000140000000-0x00000001401BA000-memory.dmp (1.7MB)
  • memory/3380-4-0x0000000003600000-0x0000000003601000-memory.dmp (4KB)
  • memory/3380-7-0x0000000140000000-0x00000001401BA000-memory.dmp (1.7MB)
  • memory/4088-111-0x00000261FE6A0000-0x00000261FE6A7000-memory.dmp (28KB)
  • memory/4868-8-0x0000000140000000-0x00000001401BA000-memory.dmp (1.7MB)
  • memory/4868-1-0x0000000140000000-0x00000001401BA000-memory.dmp (1.7MB)
  • memory/4868-0-0x0000014258850000-0x0000014258857000-memory.dmp (28KB)
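Each dump name above encodes the process ID, a snapshot index and the address range that was dumped. Read that way, the list carries a finding the process tree does not: the same ~1.7 MB region at 0x140000000 (the default preferred image base of a 64-bit Windows EXE, and the size of the submitted DLL) appears in rundll32 (PID 4868), in both AppData copies that ran long enough to be dumped (2788, 2800) and, forty-odd times, in PID 3380, which never appears in the Processes section at all. The Dridex Shellcode signature above attributes the injection to the Explorer process. The parser below is an added example, not part of the sandbox report or the analysis tool: it decodes the names, checks the printed Filesize against the address range, and reports dumped PIDs that the sample never started. The dump list it carries is a subset copied from this report, and TREE_PIDS are the PIDs from the Processes section.

```python
"""Parse the memory-dump names listed above and check them against the
process tree. Added example, not part of the sandbox report. Each name
encodes <pid>-<index>-<start>-<end>; the list below is a subset copied
from this report and TREE_PIDS are the PIDs from the Processes section."""
import re
from collections import defaultdict

DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9a-f]+)-0x([0-9a-f]+)-memory\.dmp$", re.IGNORECASE)
X64_EXE_IMAGE_BASE = 0x140000000   # default preferred base of a 64-bit Windows EXE

TREE_PIDS = {4868, 4888, 2788, 1276, 2800, 4488, 4088}
DUMPS = [  # subset of the report's dump list, copied verbatim
    "memory/2788-77-0x000001721DC40000-0x000001721DC47000-memory.dmp",
    "memory/2788-81-0x0000000140000000-0x00000001401BB000-memory.dmp",
    "memory/2800-93-0x0000000140000000-0x00000001401C1000-memory.dmp",
    "memory/2800-92-0x0000021108470000-0x0000021108477000-memory.dmp",
    "memory/3380-21-0x0000000140000000-0x00000001401BA000-memory.dmp",
    "memory/3380-46-0x00000000030D0000-0x00000000030D7000-memory.dmp",
    "memory/3380-55-0x00007FFB5D7A0000-0x00007FFB5D7B0000-memory.dmp",
    "memory/3380-5-0x00007FFB5BB6A000-0x00007FFB5BB6B000-memory.dmp",
    "memory/3380-4-0x0000000003600000-0x0000000003601000-memory.dmp",
    "memory/3380-7-0x0000000140000000-0x00000001401BA000-memory.dmp",
    "memory/4088-111-0x00000261FE6A0000-0x00000261FE6A7000-memory.dmp",
    "memory/4868-8-0x0000000140000000-0x00000001401BA000-memory.dmp",
    "memory/4868-0-0x0000014258850000-0x0000014258857000-memory.dmp",
]


def parse_dump_name(name):
    """Split a dump name into pid, snapshot index and the region's start/end."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    pid, idx, start, end = m.groups()
    return {"pid": int(pid), "index": int(idx), "start": int(start, 16), "end": int(end, 16)}


def region_size(dump):
    return dump["end"] - dump["start"]


def human_size(n):
    """Round the way the report does: whole KB below 1 MiB, one decimal MB above."""
    if n >= 1 << 20:
        return f"{n / (1 << 20):.1f}MB"
    return f"{n // 1024}KB"


def stated_size_matches(name, stated):
    """True when the Filesize printed under a dump agrees with its address range."""
    return human_size(region_size(parse_dump_name(name))) == stated


def summarize(names, tree_pids):
    """Per-PID view: how many snapshots, whether the PID is in the process tree,
    and whether a region sits at the default EXE image base."""
    by_pid = defaultdict(list)
    for n in names:
        d = parse_dump_name(n)
        by_pid[d["pid"]].append(d)
    return {
        pid: {
            "dumps": len(ds),
            "in_process_tree": pid in tree_pids,
            "image_base_region": any(d["start"] == X64_EXE_IMAGE_BASE for d in ds),
            "largest": human_size(max(region_size(d) for d in ds)),
        }
        for pid, ds in by_pid.items()
    }


def untracked_pids(summary):
    """PIDs that were dumped but never appear in the process tree: injection candidates."""
    return sorted(pid for pid, s in summary.items() if not s["in_process_tree"])


if __name__ == "__main__":
    s = summarize(DUMPS, TREE_PIDS)
    for pid in untracked_pids(s):
        print(f"pid {pid}: {s[pid]['dumps']} snapshots, not in process tree, "
              f"image-base region: {s[pid]['image_base_region']}, largest {s[pid]['largest']}")
```

With the full list from this report the same code returns PID 3380 as the only untracked process, with 46 snapshots and a 1.7MB region at the image base; the small 28KB regions at high addresses in every process (4868-0, 2788-77, 2800-92, 4088-111) are the other recurring shape and are the ones to diff against each other when looking for the loader's configuration.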