Analysis

  • max time kernel
    150s
  • max time network
    126s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26-01-2024 13:37

General

  • Target

    77810543496dc906d195460796a0219f.dll

  • Size

    1.7MB

  • MD5

    77810543496dc906d195460796a0219f

  • SHA1

    715be388b02b3699ec35b93d4ad823e6b0127c91

  • SHA256

    3df740c27f3febda3ee2de2dfb8825fec9efdf4017ef648ff61b91d77f76f8ba

  • SHA512

    21fc370d2143019708e8980c089ec7ab3c930b3c5040c8a05b579312ddd16295d4efeb191a7c4b3cfd6ee570b7a351052268633880bd79aa68330f1bca1c033d

  • SSDEEP

    12288:sVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:ZfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex payload shellcode injected into the Explorer process.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\77810543496dc906d195460796a0219f.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:4020
  • C:\Windows\system32\AtBroker.exe
    C:\Windows\system32\AtBroker.exe
    1⤵
      PID:4932
    • C:\Windows\system32\systemreset.exe
      C:\Windows\system32\systemreset.exe
      1⤵
        PID:4132
      • C:\Users\Admin\AppData\Local\QdZ5Bwt\AtBroker.exe
        C:\Users\Admin\AppData\Local\QdZ5Bwt\AtBroker.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:988
      • C:\Users\Admin\AppData\Local\dJgTvRi\EhStorAuthn.exe
        C:\Users\Admin\AppData\Local\dJgTvRi\EhStorAuthn.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:4548
      • C:\Windows\system32\EhStorAuthn.exe
        C:\Windows\system32\EhStorAuthn.exe
        1⤵
          PID:3484
        • C:\Users\Admin\AppData\Local\5G7xm\systemreset.exe
          C:\Users\Admin\AppData\Local\5G7xm\systemreset.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:412

        Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\5G7xm\DUI70.dll

          Filesize

          199KB

          MD5

          762310ea2eca4622b44e466283371c07

          SHA1

          7dfbac795fd290b31ac89780a922bb5b3d8c74e4

          SHA256

          f1fd6074901f0087e75c75868f8624a4d44a4340a9d2bb3c2beade7015fe303d

          SHA512

          74501fd37804cb8ccde169449cc5bd35fce5b8f1a6996677dbe9bece901045f7b5d0feec289be5a563af4f08a7b3d5a099824a735d78d7f8d2c512877351a1d4

        • C:\Users\Admin\AppData\Local\5G7xm\DUI70.dll

          Filesize

          265KB

          MD5

          c1fdef9cb5a486cec13ab0a0b9c1ec47

          SHA1

          73050dfd82610eaf4aab94132ea987cca0c3b448

          SHA256

          346e505adba442e4ed24ed0a5411c8cba5c1f6116d4f5d39f781577e9b4f57fa

          SHA512

          c985ea62ab99b95de8ed2334a59e60a51f245a3d91adaa4b402fd3a646fa60d067a43d02978d339c549ace264ce17fe3c144e701c362e6362bb86535396e73ea

        • C:\Users\Admin\AppData\Local\5G7xm\systemreset.exe

          Filesize

          213KB

          MD5

          7a3610f4791f1f830fd63ae3639f125d

          SHA1

          8fe74c2d138e9ee5994ccb77d51fb53815eaa24b

          SHA256

          799e6366b1e99ea1375f36ba30a0f33f28c6ad51b0fa39c86d06d105455029dd

          SHA512

          30724274283679377ba394adbf239fe0a3d2e4afb0bf97a081af8a33119b058b33288fc447632bdb634c7b596c94b3ff3476ab378621d67fcedd32a5d90e8982

        • C:\Users\Admin\AppData\Local\5G7xm\systemreset.exe

          Filesize

          369KB

          MD5

          3a23d0827667afbdcca619b4941db045

          SHA1

          eebb3430d31493e0ed821b34ca3add851fa66124

          SHA256

          002413f7f9faac9b4a85fa7c937bf4808fbd665f030d7c99408ca8a9c3c92e0a

          SHA512

          288a07c4173a714a6f49c035f7a3c80f29f2d50568e01f41a34f5f9d73fac2149af0ba60bcf0aa5b4d45b593915d946778c995cc1fe869114720b865115a85a7

        • C:\Users\Admin\AppData\Local\QdZ5Bwt\AtBroker.exe

          Filesize

          72KB

          MD5

          d7316d8d8c2f6b190d064dc78ea35097

          SHA1

          977e46dccdc9370063e3d79b72e7e3bbadc1bad4

          SHA256

          e6c7adbeb656493e80678c39a9aeeb7f661115e9f2ef68a72c94c4ca8fe23a5a

          SHA512

          6f225ee0c45cfc1b7497e199b2bcca1ca1302d4b36727381fce9b60f81ac6979e3a9007bf3d739baf485234396b458ca4298aaf85e5d951a52fd1a06aa4a5042

        • C:\Users\Admin\AppData\Local\QdZ5Bwt\AtBroker.exe

          Filesize

          27KB

          MD5

          bbe0e6ab91825aaec6024603775d974a

          SHA1

          005ad3b471504b42070707a8a848872e63abf912

          SHA256

          31b14add5d9c1cbb77ac1cdaa41c27a7c01a89d628331f077f5b815a191a8212

          SHA512

          908190231c68f2a4f4cf3886b8927ab0010f78cd4d7ac5883ae5430865c9661d7a4745af98abe192fd38da791cfb7dc2c64ad60aebe8bab202807eb3fca4d08c

        • C:\Users\Admin\AppData\Local\QdZ5Bwt\UxTheme.dll

          Filesize

          1KB

          MD5

          126c0a0246f19fdd40515507e41e7150

          SHA1

          4ec21a3e2b6c14b57d577fcbfd734826604a31c2

          SHA256

          5271c6d1548a1f0d58313f180c7d67e7a05d95cd107acd30c7362022c3756ea1

          SHA512

          833b308332496e8bf44e84f276b0ce7aca4f9f08b1d2d097f8d36671883f1824b987dd00b633cff170b7e5030e616bad5a037b90e9fbf1a4499a6f333ff01e36

        • C:\Users\Admin\AppData\Local\QdZ5Bwt\UxTheme.dll

          Filesize

          108KB

          MD5

          f92e228a04e07c36d532ce876346eef2

          SHA1

          99b5060a3bb68c0b305eace35d6a9d033fd9fdd9

          SHA256

          152ea844ebe7e5705a7fa080ef95ddd1604d019da02f584227606c3b00559362

          SHA512

          4390f93fbee75a956681051879d3019587c3da1b6937c1db11ab0c27a9b9c60f0636cc1782cb229bf72e9fbdf4601bb2b248d23461523b276fe50a9b5dc57c69

        • C:\Users\Admin\AppData\Local\dJgTvRi\EhStorAuthn.exe

          Filesize

          34KB

          MD5

          7eb67f31850799483f270fc5e8aff05c

          SHA1

          ccabf97839e6258a354baf023fbf4c84117b96e3

          SHA256

          edd7c265d7e5d049ddb73b49bb646574b9bdab7778335c8f101685b9136b078a

          SHA512

          b3a0d83aa03cef6431b0de4b9f06f47c6acc5e71be6d2a9f75cb5c016ce8516019a5934581a465c615ab31026a9dd180271fb8fd155888c511f9efa2911c2fa8

        • C:\Users\Admin\AppData\Local\dJgTvRi\EhStorAuthn.exe

          Filesize

          110KB

          MD5

          44d518b25536fc18a1d557e740c5f8a5

          SHA1

          6a13afbc4246355f67d7645db3e2d22ca9c374ed

          SHA256

          78f4d467ff54df8a57dc75297a8df123dd37796be33b6381bcf49d7e07e00954

          SHA512

          b8929a99228a28cdb17b1f3ecc1cdabd5867a1b29b74f6d9acda254da08569d6e6e14aef63be51a867af152813104d56e9df46987d4c433c329e3a30251cc14f

        • C:\Users\Admin\AppData\Local\dJgTvRi\UxTheme.dll

          Filesize

          77KB

          MD5

          f4a9b2db3eeeb4bda7e66eadd878931a

          SHA1

          cfbe561b55f2ad19edf136fed14d57ac5de47b4b

          SHA256

          d085a13dfa2a0152f0bff75dfa48cba606f1fe287f0ac67c3a2b2e9e8d17b97f

          SHA512

          dbf9fceb00dfe264ab92d7cbb069b6b584def2f9f36557ca69d7ee271a9d0d03c765eb9a4eaf305d8f3b0f86a521f8457d3c04af724533f6522bb0732089eb80

        • C:\Users\Admin\AppData\Local\dJgTvRi\UxTheme.dll

          Filesize

          114KB

          MD5

          9883de854a2311f419bc5137c2d6e50f

          SHA1

          eeadc55ba781bd7e0aec977b68db76c41d30387d

          SHA256

          94acc7abc7bacfd5309ebaee5f45cb8bb80eaf61a66b4a26a99693a3fcaaaaca

          SHA512

          b1c6a03b49fbbd76fb1a93549fad3351e6662739175d20e8c8bf66e00906d9da8704c94275475151bb031dee1f23120057f9d50f313f2e333ddee58614a7be19

        • C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\dU1spxDPWv3\UxTheme.dll

          Filesize

          1.7MB

          MD5

          c71cdf92725e5b349a59687bf85d8eab

          SHA1

          feffb41918733c6a00cf932335da645b9bb41017

          SHA256

          4ac0bdf4659028729ea81a27de3a4f50704fb509980ffe996028520cb1fbef6f

          SHA512

          39855c39066e66fd11bdda2bc7db4ae9f80579bd0a4527a688279b3a21eadccaf12f3fab879305bd759cf7a3ee7129a66b2d80f11fbdc10daeff73be9cf49ba0

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Psfjn.lnk

          Filesize

          1KB

          MD5

          b25f89916aae7d6a8b62a8ba7dcabdb6

          SHA1

          e86f5cc16de4e72df2d21a1f11a0ecfd0910f1aa

          SHA256

          4fd8c91cbf481a21a8d40bd2391c620b293e857a1b223e91c4a0673684797d6d

          SHA512

          fe00fb02de8a5754e1a1d46ad8281efcc33909d2e2f02081083e94fdbb547d7e5129de75928784bf10d88793a78e4068d1871d211a5364d3f8c869ce861ed95e

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\zByGk0uRM5B\UxTheme.dll

          Filesize

          1.7MB

          MD5

          670dbf9a7310cb70fc963709ce8bf323

          SHA1

          46dafadd88d37da81380797f134645c9f95a5835

          SHA256

          a5813a8bef1057eca38239a46df47526c19eff8e6185b24098a3d225501b7524

          SHA512

          1ef536618d12cd92cb13c5ead31516d16d02134fa598ecee31e99fd7d307be67c5662df6765d658ab7f79833a9c45e51c10a0813b7596d0c6c75fa6e34e179af

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\ODA5IqI97Q\DUI70.dll

          Filesize

          2.0MB

          MD5

          9e1407d0219abcbd5a5b156110b31284

          SHA1

          e1942a4783f8153ab6169e5e5b5f6f85db37d3d3

          SHA256

          fa67e693965b7cdede23075c6274a5dd2a41d78e60c677ef6f1c787c2c1bec4e

          SHA512

          7c530986db1ac2253f6658d144ebcdd821963781f210d75ef4cc736cb6d09727b7d613838c5d9f4918749ba0e8fd42426977254df5855269cc2f74f7f03dd1f1
