Analysis

  • max time kernel
    150s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26-01-2024 14:01

General

  • Target

    778d4730d5f23525661b573a83f5a65f.dll

  • Size

    1.7MB

  • MD5

    778d4730d5f23525661b573a83f5a65f

  • SHA1

    b4363f418266b63f4036546ab4a54e52fd530c2d

  • SHA256

    72ab82c1cb0c63ec0a02f3bd9061de964700d7490d0704cafc3eb3459b0e906d

  • SHA512

    0ae77c82fb95805277f52235354ae296455ffb7c33a863dff46b6245738fadec923dfe742c2554bdbb53cebc664c58630cbce935c5ddf714ca1bf55f9ae105cd

  • SSDEEP

    12288:CVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:ffP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\778d4730d5f23525661b573a83f5a65f.dll,#1
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:4616
  • C:\Windows\system32\FileHistory.exe
    C:\Windows\system32\FileHistory.exe
    PID:4048
    • C:\Users\Admin\AppData\Local\ILOlUnA\FileHistory.exe
      C:\Users\Admin\AppData\Local\ILOlUnA\FileHistory.exe
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:1584
    • C:\Windows\system32\rdpinput.exe
      C:\Windows\system32\rdpinput.exe
      PID:3716
      • C:\Windows\system32\CameraSettingsUIHost.exe
        C:\Windows\system32\CameraSettingsUIHost.exe
        PID:2776
        • C:\Users\Admin\AppData\Local\3EQz\rdpinput.exe
          C:\Users\Admin\AppData\Local\3EQz\rdpinput.exe
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:4612
        • C:\Users\Admin\AppData\Local\OR365dd\CameraSettingsUIHost.exe
          C:\Users\Admin\AppData\Local\OR365dd\CameraSettingsUIHost.exe
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:4736

Network

MITRE ATT&CK Enterprise v15

Downloads
