Analysis

  • max time kernel
    150s
  • max time network
    123s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26-01-2024 21:17

General

  • Target

    786915fd97a5568543a2c219b4116abf.dll

  • Size

    1.4MB

  • MD5

    786915fd97a5568543a2c219b4116abf

  • SHA1

    4c76633b4440df5c58a8e835001c8921a5171cd0

  • SHA256

    a4c35298a6852c3e1ebec89e8d2c739c9dafe977cd2931af02f46f8d640dabe0

  • SHA512

    4c78d00677052e2cc189862f72ef6a8acc490fadba92e157292b0af022a437f685794617a3b462d59feb18178f1234019e503b23087cba4d3f3d2e1fa61b47ea

  • SSDEEP

    12288:yVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:vfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a banking trojan that specializes in stealing bank credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex payload shellcode injected into the Explorer process.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\786915fd97a5568543a2c219b4116abf.dll
    • Suspicious behavior: EnumeratesProcesses
    PID:2920
  • C:\Users\Admin\AppData\Local\1Jr\SystemPropertiesDataExecutionPrevention.exe
    C:\Users\Admin\AppData\Local\1Jr\SystemPropertiesDataExecutionPrevention.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:4468
  • C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
    C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
    PID:3896
  • C:\Windows\system32\SystemPropertiesPerformance.exe
    C:\Windows\system32\SystemPropertiesPerformance.exe
    PID:3284
  • C:\Users\Admin\AppData\Local\wkWWol\SystemPropertiesComputerName.exe
    C:\Users\Admin\AppData\Local\wkWWol\SystemPropertiesComputerName.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:2500
  • C:\Windows\system32\SystemPropertiesComputerName.exe
    C:\Windows\system32\SystemPropertiesComputerName.exe
    PID:776
  • C:\Users\Admin\AppData\Local\7dqD3zTM\SystemPropertiesPerformance.exe
    C:\Users\Admin\AppData\Local\7dqD3zTM\SystemPropertiesPerformance.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:1780
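
The process tree above shows the pattern worth detecting: regsvr32 silently registers a DLL from Temp, then copies of signed System32 binaries (SystemProperties*.exe) run from random AppData\Local directories with a dropped SYSDM.CPL beside them, while further SYSDM.CPL copies and a Startup-folder .lnk are staged for later. The script below is an added example, not part of the sandbox report or of any vendor tooling; it turns the report's process records and dropped-file paths (constructed inline from the Processes and Downloads sections) into three hunts. SYSTEM_DIRS and LOADABLE_EXT are assumptions, and the set of "System32-named" binaries is derived from what this one tree ran from System32; a production hunt would check against a real inventory of that directory.

```python
"""Added triage example: DLL side-loading, regsvr32 proxy execution and
Startup-folder persistence derived from the process tree and dropped files
of the report above. Not part of the sandbox report."""
import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    image: str     # full path of the executable
    cmdline: str   # command line as recorded by the sandbox
    pid: int


# Constructed from the Processes section (image, command line, PID).
PROCESSES = [
    Proc(r"C:\Windows\system32\regsvr32.exe",
         r"regsvr32 /s C:\Users\Admin\AppData\Local\Temp\786915fd97a5568543a2c219b4116abf.dll", 2920),
    Proc(r"C:\Users\Admin\AppData\Local\1Jr\SystemPropertiesDataExecutionPrevention.exe",
         r"C:\Users\Admin\AppData\Local\1Jr\SystemPropertiesDataExecutionPrevention.exe", 4468),
    Proc(r"C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe",
         r"C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe", 3896),
    Proc(r"C:\Windows\system32\SystemPropertiesPerformance.exe",
         r"C:\Windows\system32\SystemPropertiesPerformance.exe", 3284),
    Proc(r"C:\Users\Admin\AppData\Local\wkWWol\SystemPropertiesComputerName.exe",
         r"C:\Users\Admin\AppData\Local\wkWWol\SystemPropertiesComputerName.exe", 2500),
    Proc(r"C:\Windows\system32\SystemPropertiesComputerName.exe",
         r"C:\Windows\system32\SystemPropertiesComputerName.exe", 776),
    Proc(r"C:\Users\Admin\AppData\Local\7dqD3zTM\SystemPropertiesPerformance.exe",
         r"C:\Users\Admin\AppData\Local\7dqD3zTM\SystemPropertiesPerformance.exe", 1780),
]

# Constructed from the Downloads section: distinct dropped-file paths.
DROPPED = [
    r"C:\Users\Admin\AppData\Local\1Jr\SYSDM.CPL",
    r"C:\Users\Admin\AppData\Local\1Jr\SystemPropertiesDataExecutionPrevention.exe",
    r"C:\Users\Admin\AppData\Local\7dqD3zTM\SYSDM.CPL",
    r"C:\Users\Admin\AppData\Local\7dqD3zTM\SystemPropertiesPerformance.exe",
    r"C:\Users\Admin\AppData\Local\wkWWol\SYSDM.CPL",
    r"C:\Users\Admin\AppData\Local\wkWWol\SystemPropertiesComputerName.exe",
    r"C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\rxnkz\SYSDM.CPL",
    r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ocuuy.lnk",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\CloudStore\xiLRQ9\SYSDM.CPL",
    r"C:\Users\Admin\AppData\Roaming\Sun\Java\RD\SYSDM.CPL",
]

SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")   # assumption
LOADABLE_EXT = (".dll", ".cpl", ".ocx")                            # assumption


def _dir(path):
    return ntpath.dirname(path).lower()


def _name(path):
    return ntpath.basename(path).lower()


def in_system_dir(path):
    return _dir(path) in SYSTEM_DIRS


def system_binary_names(procs):
    """Basenames this tree ran from a system directory (stand-in for a real
    System32 inventory)."""
    return {_name(p.image) for p in procs if in_system_dir(p.image)}


def find_sideloads(procs, dropped):
    """DLL search-order hijack: a System32-named EXE running from a
    user-writable directory with a dropped loadable module beside it."""
    known = system_binary_names(procs)
    hits = []
    for p in procs:
        if in_system_dir(p.image) or _name(p.image) not in known:
            continue
        beside = sorted(_name(f) for f in dropped
                        if _dir(f) == _dir(p.image) and _name(f).endswith(LOADABLE_EXT))
        hits.append({"pid": p.pid, "exe": _name(p.image),
                     "dir": ntpath.dirname(p.image), "modules": beside})
    return hits


def find_regsvr32_proxy(procs):
    """regsvr32 registering a module outside the system directories: its
    DllRegisterServer runs under a signed Microsoft host (proxy execution)."""
    hits = []
    for p in procs:
        if _name(p.image) != "regsvr32.exe":
            continue
        args = p.cmdline.split()
        for a in args:
            if a.lower().endswith(LOADABLE_EXT) and not in_system_dir(a):
                hits.append({"pid": p.pid, "dll": a,
                             "silent": any(x.lower() == "/s" for x in args)})
    return hits


def find_startup_persistence(dropped):
    """Shortcut written to a Startup folder (8.3 short names included)."""
    return [f for f in dropped
            if _name(f).endswith(".lnk") and "\\programs\\startup\\" in f.lower()]


def find_staged_modules(dropped, sideloads):
    """Loadable modules dropped where no loader ran in this trace: staged
    copies for a later Run key, scheduled task or Startup shortcut to use."""
    loader_dirs = {h["dir"].lower() for h in sideloads}
    return [f for f in dropped
            if _name(f).endswith(LOADABLE_EXT) and _dir(f) not in loader_dirs]


def triage(procs=PROCESSES, dropped=DROPPED):
    sideloads = find_sideloads(procs, dropped)
    return {
        "sideloads": sideloads,
        "regsvr32_proxy": find_regsvr32_proxy(procs),
        "startup_lnk": find_startup_persistence(dropped),
        "staged_modules": find_staged_modules(dropped, sideloads),
    }


if __name__ == "__main__":
    for key, hits in triage().items():
        print(f"{key}: {len(hits)} hit(s)")
        for h in hits:
            print("   ", h)
```

On this trace the side-load hunt fires for PIDs 4468, 2500 and 1780, each with a sysdm.cpl in its directory; the three SYSDM.CPL copies under Roaming have no loader in the tree, which is what makes the Startup shortcut and the Task Scheduler / Run key signatures matter for the follow-up.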

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\1Jr\SYSDM.CPL
    Filesize: 23KB
    MD5: 87d99fd6fe3586e8a5f3f3506dacf026
    SHA1: df231005ec1c586a4a2461e9d3dff78b6b8e7226
    SHA256: 66b4282dbb2ce2ae9858be918f1261e1dca06f6dc0a7dab16c5b4ffdc0ba2975
    SHA512: ebc1020c1ff76f725feaa7272a6b02a5bcfd89c96b32ba7e8ab49efa4c3c65cfcc41751243297c9f064c21d6d6a047b9dc03613aea9e3aa69f11e4fd9c7dce74
  • C:\Users\Admin\AppData\Local\1Jr\SYSDM.CPL
    Filesize: 57KB
    MD5: de2d0344d43f4bc280bf787d706706db
    SHA1: ff99dea3d2f7b96d24bfb42e0ace9858a7ce114a
    SHA256: 45362ba34f0ef22ae2dcb2359bb278bc67a12b68b01518850101c9df5482011e
    SHA512: aacae331a73e91deb653650ebcd45c299a9ac149605c4814f9b2436d7580829173f655547efd3023a8008e2a780f9f396ffd0a64f19d3ab06f208eab20988be8
  • C:\Users\Admin\AppData\Local\1Jr\SystemPropertiesDataExecutionPrevention.exe
    Filesize: 4KB
    MD5: c2b47442b11544d310b48ac17b0ce799
    SHA1: 99cf9f4965e5cb10daeeb9f0f18b5fd44f04ff37
    SHA256: 44b1d058b093fdaf95994a0efa7d7d6b97d815f3d68adb76c4dbfc211b49882e
    SHA512: 6d9fb36a91dfa29427c1e3bf0fe2f80f8f2a857242e548eefa586b519031368b9c2f37625a32afd7f96e0873edf0594471ae337e52db181871b351d634380874
  • C:\Users\Admin\AppData\Local\1Jr\SystemPropertiesDataExecutionPrevention.exe
    Filesize: 82KB
    MD5: de58532954c2704f2b2309ffc320651d
    SHA1: 0a9fc98f4d47dccb0b231edf9a63309314f68e3b
    SHA256: 1f810658969560f6e7d7a14f71d1196382e53b984ca190fa9b178ac4a32acfb3
    SHA512: d4d57cc30d9079f4e9193ba42631e8e53d86b22e9c655d7a8c25e5be0e5e1d6dfff4714ddc23e3e392809d623b4f8d43c63893f74c325fc77459ac03c7a451ed
  • C:\Users\Admin\AppData\Local\7dqD3zTM\SYSDM.CPL
    Filesize: 118KB
    MD5: 40aa53dd1b76a076ef34f4527d945b52
    SHA1: 590f541c86d329e165cdeda1c42a5b0f307d15d5
    SHA256: 336760afa14920af1f657dda517ef1d9a994426ab8f7fdfc2c315a20320f221d
    SHA512: 7f9959e5e4994aa5df7b0eba45608d1a6f213aa8c6a20ebbd55cc5b61c9a46b0cd6c3194cd15a437c63d1476a565efec5d5623bb2a6b0df28e5fc2d242178bba
  • C:\Users\Admin\AppData\Local\7dqD3zTM\SYSDM.CPL
    Filesize: 185KB
    MD5: c14cdd357c64cf8f358ac36b000d216c
    SHA1: affb276602034c97b8c6bec379a05d0b5b444426
    SHA256: fe9e2b19ba46525c3b2a6d24dfc0aee2ccfa4332d04a7fc4fba321e50064826e
    SHA512: 0732727f614fea77feead6d3de6b24bb8fec0ca0a958229fc3b924f01face0869133576269182de76962224670e425e741b49946853d5eaea0c35b53f2815f51
  • C:\Users\Admin\AppData\Local\7dqD3zTM\SystemPropertiesPerformance.exe
    Filesize: 82KB
    MD5: e4fbf7cab8669c7c9cef92205d2f2ffc
    SHA1: adbfa782b7998720fa85678cc85863b961975e28
    SHA256: b266318d45a4245556a2e39b763f2f11eca780969105f6f103e53dd0a492bb30
    SHA512: c5c62578d04133352d6cb7b018df96a7b55c18d6111ab8bf2bfe232a3315a63b07047fa5b0b88551d152085776c66169b47566242c8c4c5e0333c55adc64e1b6
  • C:\Users\Admin\AppData\Local\wkWWol\SYSDM.CPL
    Filesize: 155KB
    MD5: f043c303c7030a1b295cf4991867bad8
    SHA1: 559236ee36894b67137ecad4fb425be17e8cea34
    SHA256: 24eb2954d9a9a9cc0500626b120efbf6b4edf75b53dc546820c25e62385ec7ea
    SHA512: e347bb113ea8ebd98ffc7372aef8acf5e553d6c12368a9031e077ec9d5a5434d8669b99f970e540e5a34f2d9ef6fe2b5a50a3766bea03761f330080668c90c59
  • C:\Users\Admin\AppData\Local\wkWWol\SYSDM.CPL
    Filesize: 149KB
    MD5: 28c06d75c1575da7300f65d7696becdf
    SHA1: d2fc2f6acc2c2f6e91f93e7c5820dd7d0b240ee4
    SHA256: beba11f1a54d4431a08a0861a72da23e96a26a790fae3eacda0eae48961a7855
    SHA512: 4bb5677ff99e1afdf6c2a652a3e7a62116ff28d48bb0f7760728e7dfdb2c3db5051ee19bd426a6bf0c416d4a7088be90517b50774cca610f4e6177033bfe4421
  • C:\Users\Admin\AppData\Local\wkWWol\SystemPropertiesComputerName.exe
    Filesize: 82KB
    MD5: 6711765f323289f5008a6a2a04b6f264
    SHA1: d8116fdf73608b4b254ad83c74f2232584d24144
    SHA256: bd3a97327326e2245938ec6099f20059b446ff0fe1c10b9317d15d1a1dd5331e
    SHA512: 438abd282d9d1c0e7e5db2ce027ff9522c3980278b32b2eae09c595884a8dcbfd5178bc5926b1d15f03174303382e13f5d5ecab9a5d8e31fc07ef39e66c012e8
  • C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\rxnkz\SYSDM.CPL
    Filesize: 1.4MB
    MD5: badabdfa4073bfd02c0bb1cc338fcc56
    SHA1: 585aad23e994cc1d75b4cacefb219c89151c4da7
    SHA256: 3743a4dd9e49d305b1f2cdf98e84465c3744838b6c95bed7c4d8356f9e1d90e8
    SHA512: 572368b01a33d6bf705832eed869ba49c8dc3ef28704dc5b49ba323a2a1b2de172f8bc64762506a28560eb1b566231db3b93bf86caaf36e748bbb9eeb8eaf76d
  • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ocuuy.lnk
    Filesize: 1KB
    MD5: 7ce68d5202e98af3abc360048df6aa85
    SHA1: 4dc94e98c1cafbffe4564f0474e38f3bbf03f670
    SHA256: 50656b1e5d764d8837d1959563aa76bf113cca5f575ae73601636798efa8997d
    SHA512: 63e4681f67733b56d3aadbddecb1dfd1b61779d0b2e156aa191c870f10fcded8bd3f26847b101c550e62e8880981010db6d2e20ae2c88753d9e5ba1c37b00c2d
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\CloudStore\xiLRQ9\SYSDM.CPL
    Filesize: 1.4MB
    MD5: bc07d76c057f9dd38ee477d838b7e8e0
    SHA1: 57e2abb3956c680ed6bd5f4ed9b92deaae8c725f
    SHA256: 71c8eea5e2cae90fa696a7554771b2c40149360c9509034da622ccde9d0be60d
    SHA512: 1e43774ab1036f01cd5940869cddb1f2a61161b1ced32aeeb3dab6929509ce27173dbedf290eb14f2f81660aa7e302c2bed8066b3ecc0eba534787ce9651be2b
  • C:\Users\Admin\AppData\Roaming\Sun\Java\RD\SYSDM.CPL
    Filesize: 1.4MB
    MD5: 4b3f78c1616282df7a9f4e63a91c6038
    SHA1: 546454d6b7f43c10f6b16cc1ca235fd207bfb597
    SHA256: 6d752e313d63c421be77de25c75a89e0564515c477d6e2610aa6d766d4104207
    SHA512: 915dca94b8f67af7220e2de83db17953e30e76d0eb07a2f67744063889a04a860f60c97d67ae34c558de483d7df985f765ab1dd4de88491cb382645e73119e94
  • memory/1780-85-0x0000000140000000-0x0000000140168000-memory.dmp (1.4MB)
  • memory/1780-81-0x000001E46F100000-0x000001E46F107000-memory.dmp (28KB)
  • memory/2500-99-0x000001F19D370000-0x000001F19D377000-memory.dmp (28KB)
  • memory/2500-102-0x0000000140000000-0x0000000140168000-memory.dmp (1.4MB)
  • memory/2920-1-0x0000000140000000-0x0000000140167000-memory.dmp (1.4MB)
  • memory/2920-8-0x0000000140000000-0x0000000140167000-memory.dmp (1.4MB)
  • memory/2920-0-0x0000000002370000-0x0000000002377000-memory.dmp (28KB)
  • memory/3468-22-0x0000000140000000-0x0000000140167000-memory.dmp (1.4MB)
  • memory/3468-21-0x0000000140000000-0x0000000140167000-memory.dmp (1.4MB)
  • memory/3468-51-0x0000000140000000-0x0000000140167000-memory.dmp (1.4MB)
  • memory/3468-50-0x00007FFEE04A0000-0x00007FFEE04B0000-memory.dmp (64KB)
  • memory/3468-30-0x0000000140000000-0x0000000140167000-memory.dmp (1.4MB)
  • memory/3468-29-0x0000000140000000-0x0000000140167000-memory.dmp (1.4MB)
  • memory/3468-28-0x0000000140000000-0x0000000140167000-memory.dmp (1.4MB)
  • memory/3468-26-0x0000000140000000-0x0000000140167000-memory.dmp (1.4MB)
  • memory/3468-24-0x0000000140000000-0x0000000140167000-memory.dmp (1.4MB)
  • memory/3468-20-0x0000000140000000-0x0000000140167000-memory.dmp (1.4MB)
  • memory/3468-18-0x0000000140000000-0x0000000140167000-memory.dmp (1.4MB)
  • memory/3468-19-0x0000000140000000-0x0000000140167000-memory.dmp (1.4MB)
  • memory/3468-9-0x0000000140000000-0x0000000140167000-memory.dmp (1.4MB)
  • memory/3468-4-0x00000000080D0000-0x00000000080D1000-memory.dmp (4KB)
  • memory/3468-53-0x0000000140000000-0x0000000140167000-memory.dmp (1.4MB)
  • memory/3468-41-0x0000000140000000-0x0000000140167000-memory.dmp (1.4MB)
  • memory/3468-5-0x00007FFEE030A000-0x00007FFEE030B000-memory.dmp (4KB)
  • memory/3468-10-0x0000000140000000-0x0000000140167000-memory.dmp (1.4MB)
  • memory/3468-34-0x00000000027D0000-0x00000000027D7000-memory.dmp (28KB)
  • memory/3468-31-0x0000000140000000-0x0000000140167000-memory.dmp (1.4MB)
  • memory/3468-11-0x0000000140000000-0x0000000140167000-memory.dmp (1.4MB)
  • memory/3468-32-0x0000000140000000-0x0000000140167000-memory.dmp (1.4MB)
  • memory/3468-25-0x0000000140000000-0x0000000140167000-memory.dmp (1.4MB)
  • memory/3468-27-0x0000000140000000-0x0000000140167000-memory.dmp (1.4MB)
  • memory/3468-23-0x0000000140000000-0x0000000140167000-memory.dmp (1.4MB)
  • memory/3468-33-0x0000000140000000-0x0000000140167000-memory.dmp (1.4MB)
  • memory/3468-17-0x0000000140000000-0x0000000140167000-memory.dmp (1.4MB)
  • memory/3468-12-0x0000000140000000-0x0000000140167000-memory.dmp (1.4MB)
  • memory/3468-13-0x0000000140000000-0x0000000140167000-memory.dmp (1.4MB)
  • memory/3468-16-0x0000000140000000-0x0000000140167000-memory.dmp (1.4MB)
  • memory/3468-15-0x0000000140000000-0x0000000140167000-memory.dmp (1.4MB)
  • memory/3468-14-0x0000000140000000-0x0000000140167000-memory.dmp (1.4MB)
  • memory/3468-7-0x0000000140000000-0x0000000140167000-memory.dmp (1.4MB)
  • memory/4468-68-0x0000000140000000-0x0000000140168000-memory.dmp (1.4MB)
  • memory/4468-63-0x000001EE51730000-0x000001EE51737000-memory.dmp (28KB)
  • memory/4468-62-0x0000000140000000-0x0000000140168000-memory.dmp (1.4MB)
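
The memory-dump names above carry more than file sizes: each encodes a PID and a virtual address range, and PID 3468, which owns most of the dumps, is not listed anywhere in the Processes section while holding a 1.4MB mapping at 0x140000000, the MSVC linker's default image base for 64-bit EXEs. The report's Dridex Shellcode signature describes injection into Explorer, but the tree does not say which process 3468 is. The script below is an added example, not part of the sandbox report, that parses those names and draws out both observations. DUMP_NAMES is constructed from the Downloads list with the repeated 3468 dumps of the same range collapsed to one entry; TREE_PIDS is the set of PIDs the Processes section lists; the 1 MiB payload threshold is an assumption.

```python
"""Added example: interpret sandbox memory-dump names of the form
memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp. Not part of the report."""
import re
from collections import defaultdict

DUMP_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

# Constructed from the Downloads section: one entry per distinct region.
DUMP_NAMES = [
    "memory/1780-85-0x0000000140000000-0x0000000140168000-memory.dmp",
    "memory/1780-81-0x000001E46F100000-0x000001E46F107000-memory.dmp",
    "memory/2500-99-0x000001F19D370000-0x000001F19D377000-memory.dmp",
    "memory/2500-102-0x0000000140000000-0x0000000140168000-memory.dmp",
    "memory/2920-1-0x0000000140000000-0x0000000140167000-memory.dmp",
    "memory/2920-0-0x0000000002370000-0x0000000002377000-memory.dmp",
    "memory/3468-22-0x0000000140000000-0x0000000140167000-memory.dmp",
    "memory/3468-50-0x00007FFEE04A0000-0x00007FFEE04B0000-memory.dmp",
    "memory/3468-4-0x00000000080D0000-0x00000000080D1000-memory.dmp",
    "memory/3468-5-0x00007FFEE030A000-0x00007FFEE030B000-memory.dmp",
    "memory/3468-34-0x00000000027D0000-0x00000000027D7000-memory.dmp",
    "memory/4468-68-0x0000000140000000-0x0000000140168000-memory.dmp",
    "memory/4468-63-0x000001EE51730000-0x000001EE51737000-memory.dmp",
]
TREE_PIDS = {2920, 4468, 3896, 3284, 2500, 776, 1780}   # from the Processes section
DEFAULT_EXE_BASE = 0x140000000   # MSVC default image base for 64-bit EXEs
PAYLOAD_MIN = 1 << 20            # assumption: anything >= 1 MiB is payload-sized


def parse_dump_name(name):
    """'memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp' -> (pid, seq, start, end)."""
    m = DUMP_RE.fullmatch(name)
    if not m:
        raise ValueError(f"not a memory dump name: {name}")
    pid, seq, start, end = m.groups()
    return int(pid), int(seq), int(start, 16), int(end, 16)


def region_size(start, end):
    return end - start


def human(nbytes):
    """KB or MB with one decimal, for display."""
    return f"{nbytes / 1024:.1f}KB" if nbytes < 1 << 20 else f"{nbytes / (1 << 20):.1f}MB"


def regions_by_pid(names):
    """Distinct (start, end) ranges per PID; repeated dumps of a range collapse."""
    out = defaultdict(set)
    for n in names:
        pid, _, start, end = parse_dump_name(n)
        out[pid].add((start, end))
    return out


def find_injected_images(names, tree_pids, base=DEFAULT_EXE_BASE, min_size=PAYLOAD_MIN):
    """PIDs holding a payload-sized mapping at the default EXE image base that
    the process tree never lists: the payload was mapped into a process that
    already existed rather than one the tree started."""
    hits = []
    for pid, regions in sorted(regions_by_pid(names).items()):
        if pid in tree_pids:
            continue
        if any(s == base and region_size(s, e) >= min_size for s, e in regions):
            hits.append(pid)
    return hits


def shared_sizes(names, min_pids):
    """Region sizes recurring in at least min_pids processes: the same
    allocation repeating across unrelated hosts is the loader's fingerprint."""
    by_size = defaultdict(set)
    for pid, regions in regions_by_pid(names).items():
        for s, e in regions:
            by_size[region_size(s, e)].add(pid)
    return sorted(size for size, pids in by_size.items() if len(pids) >= min_pids)


if __name__ == "__main__":
    for pid, regions in sorted(regions_by_pid(DUMP_NAMES).items()):
        tag = "" if pid in TREE_PIDS else "  (not in process tree)"
        print(f"PID {pid}{tag}")
        for s, e in sorted(regions):
            print(f"  {s:#018x}-{e:#018x}  {human(region_size(s, e))}")
    print("injected:", find_injected_images(DUMP_NAMES, TREE_PIDS))
    print("sizes shared by >=5 PIDs:", [hex(x) for x in shared_sizes(DUMP_NAMES, 5)])
```

Two things fall out on this trace: 3468 is the only PID with a payload-sized image at 0x140000000 that the tree does not account for, and a 0x7000-byte (28KB) region appears in every one of the five PIDs, which is a better pivot for memory-scanning rules than the 1.4MB image itself. Note also that the regsvr32-loaded copy maps 0x167000 bytes while the side-loaded copies map 0x168000, so the DLL in Temp and the SYSDM.CPL drops are not byte-identical builds.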