Analysis

  • max time kernel
    149s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26-01-2024 14:31

General

  • Target

    779ba17cb5ed3bb94e1d07aa171986a5.dll

  • Size

    2.2MB

  • MD5

    779ba17cb5ed3bb94e1d07aa171986a5

  • SHA1

    058718b265fcc9798876a651e78bc532bc472e8f

  • SHA256

    be9b2a400439006f513f0980901a98e17cc45eb12faab2c4bf9dbb87615049fb

  • SHA512

    8063b1a68cd965b671b943e7b90306df0c62726b31a0a8cbdb6b8bac2b68644fa73f559c5780682a4f6562fec46819610d8fa0016a22935b1faf85f9434db256

  • SSDEEP

    12288:KVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:XfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex payload shellcode injected into the Explorer process.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\779ba17cb5ed3bb94e1d07aa171986a5.dll,#1
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2920
  • C:\Windows\system32\rdpinput.exe
    C:\Windows\system32\rdpinput.exe
    PID:4004
  • C:\Windows\system32\SystemPropertiesComputerName.exe
    C:\Windows\system32\SystemPropertiesComputerName.exe
    PID:844
  • C:\Windows\system32\FXSCOVER.exe
    C:\Windows\system32\FXSCOVER.exe
    PID:4656
  • C:\Users\Admin\AppData\Local\5kcC1y\SystemPropertiesComputerName.exe
    C:\Users\Admin\AppData\Local\5kcC1y\SystemPropertiesComputerName.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:3048
  • C:\Users\Admin\AppData\Local\fyEfBO9cR\rdpinput.exe
    C:\Users\Admin\AppData\Local\fyEfBO9cR\rdpinput.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:4624
  • C:\Users\Admin\AppData\Local\CvGX89V\FXSCOVER.exe
    C:\Users\Admin\AppData\Local\CvGX89V\FXSCOVER.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:2544

Network

MITRE ATT&CK Enterprise v15

Downloads