Analysis

  • max time kernel
    150s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20231222-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    26-01-2024 21:07

General

  • Target

    7862e1e052ba3eff8d397f0c28d8fea7.dll

  • Size

    3.2MB

  • MD5

    7862e1e052ba3eff8d397f0c28d8fea7

  • SHA1

    9573a33a7a67bda2f5d4a1177397e544efb6d829

  • SHA256

    eeebc052be55ded532fd74517fae12e73ab5054eb3c0d61f000ec87ccb16f526

  • SHA512

    4a37ff3116311eefa256610e65ecff791334baa682cd4a50691be10be630ba095df4beac5ee351f4efddf9c1d850ad0250050fbdab48d7b58fed8e1630b64a3b

  • SSDEEP

    12288:zVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:ifP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a banking trojan that specializes in stealing bank credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex payload shellcode injected into the Explorer process.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\7862e1e052ba3eff8d397f0c28d8fea7.dll,#1
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:5080
  • C:\Windows\system32\AgentService.exe
    C:\Windows\system32\AgentService.exe
    PID:3404
  • C:\Users\Admin\AppData\Local\c5zN\AgentService.exe
    C:\Users\Admin\AppData\Local\c5zN\AgentService.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:1668
  • C:\Windows\system32\DevicePairingWizard.exe
    C:\Windows\system32\DevicePairingWizard.exe
    PID:916
  • C:\Users\Admin\AppData\Local\mLoe0plH\DevicePairingWizard.exe
    C:\Users\Admin\AppData\Local\mLoe0plH\DevicePairingWizard.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:2924
  • C:\Windows\system32\SystemPropertiesHardware.exe
    C:\Windows\system32\SystemPropertiesHardware.exe
    PID:1008
  • C:\Users\Admin\AppData\Local\0orjyp\SystemPropertiesHardware.exe
    C:\Users\Admin\AppData\Local\0orjyp\SystemPropertiesHardware.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:4160
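The process tree above is the part of this report worth reading closely: AgentService.exe, DevicePairingWizard.exe and SystemPropertiesHardware.exe each run once from System32 and once as a same-named copy in a fresh random-named directory under AppData\Local, and the Downloads section below shows a DLL or CPL named after a legitimate dependency (ACTIVEDS.dll, MFC42u.dll, SYSDM.CPL) dropped next to each copy. That is DLL search-order hijacking staged by the loader, and the Startup .lnk (Wdush.lnk) is the user-level autostart for it. The script below is an added example, not part of the Triage report, that encodes that check over the rows copied from this page; the set of "system binaries" is learned from which names were seen executing out of System32 rather than hard-coded, and the extension list and the Startup-folder heuristic are assumptions.

```python
"""Flag the DLL side-loading pattern visible in a sandbox process tree.

Added example, not part of the sandbox report. The process rows and dropped-file
paths are copied from the report; which names count as "system binaries" is
learned from the rows that executed out of a system directory (assumption).
"""
import ntpath
from collections import defaultdict

# Process tree rows copied from the report: (pid, image path).
PROCESSES = [
    (5080, r"C:\Windows\system32\rundll32.exe"),
    (3404, r"C:\Windows\system32\AgentService.exe"),
    (1668, r"C:\Users\Admin\AppData\Local\c5zN\AgentService.exe"),
    (916,  r"C:\Windows\system32\DevicePairingWizard.exe"),
    (2924, r"C:\Users\Admin\AppData\Local\mLoe0plH\DevicePairingWizard.exe"),
    (1008, r"C:\Windows\system32\SystemPropertiesHardware.exe"),
    (4160, r"C:\Users\Admin\AppData\Local\0orjyp\SystemPropertiesHardware.exe"),
]

# Dropped-file paths copied from the report's Downloads section.
DROPPED = [
    r"C:\Users\Admin\AppData\Local\0orjyp\SYSDM.CPL",
    r"C:\Users\Admin\AppData\Local\0orjyp\SystemPropertiesHardware.exe",
    r"C:\Users\Admin\AppData\Local\c5zN\ACTIVEDS.dll",
    r"C:\Users\Admin\AppData\Local\c5zN\AgentService.exe",
    r"C:\Users\Admin\AppData\Local\mLoe0plH\DevicePairingWizard.exe",
    r"C:\Users\Admin\AppData\Local\mLoe0plH\MFC42u.dll",
    r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Wdush.lnk",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\AddIns\XF4kfc\MFC42u.dll",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\72\ACTIVEDS.dll",
    r"C:\Users\Admin\AppData\Roaming\Sun\y2\SYSDM.CPL",
]

SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")  # assumption
LOADABLE_EXT = (".dll", ".cpl", ".ocx", ".drv")                  # assumption


def is_in_system_dir(path):
    return ntpath.dirname(path).lower() in SYSTEM_DIRS


def learn_system_binaries(processes):
    """Image names that were observed executing from a system directory."""
    return {ntpath.basename(p).lower() for _, p in processes if is_in_system_dir(p)}


def find_sideload_candidates(processes, dropped):
    """Return {pid: (exe_path, [sibling modules])} for every process whose image
    name matches a system binary but runs from a non-system directory that also
    received a dropped DLL/CPL: the search-order hijack staging seen in this run."""
    known = learn_system_binaries(processes)
    siblings = defaultdict(list)
    for path in dropped:
        if path.lower().endswith(LOADABLE_EXT):
            siblings[ntpath.dirname(path).lower()].append(ntpath.basename(path))
    hits = {}
    for pid, path in processes:
        name = ntpath.basename(path).lower()
        if name in known and not is_in_system_dir(path):
            mods = siblings.get(ntpath.dirname(path).lower(), [])
            if mods:
                hits[pid] = (path, sorted(mods))
    return hits


def persistence_artifacts(dropped):
    """Dropped files inside a Startup folder (user-level autostart)."""
    return [p for p in dropped if "\\startup\\" in p.lower()]


if __name__ == "__main__":
    for pid, (exe, mods) in sorted(find_sideload_candidates(PROCESSES, DROPPED).items()):
        print(f"PID {pid}: {exe} side-loads {', '.join(mods)}")
    for p in persistence_artifacts(DROPPED):
        print("startup persistence:", p)
```

The three Roaming copies of the same module names are not flagged because no process row executes from those directories; on a real host they are still worth collecting, since they are the same hijack pair staged for a later launch.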

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\0orjyp\SYSDM.CPL
    Filesize: 35KB
    MD5: 9d5dd1fc6428022c50bfef95b57ca6cc
    SHA1: 0152092a47af26b0ee2b044274b7dcd63b2e8e7d
    SHA256: 2ba9fa0364b0db2e7053d2b3a8742c310e5ab86ea3f49ae6ccea460fba4fb274
    SHA512: a19c95f45acaf21012c82aacf5f751ce0c0904b5df912feb7e8eb9273b387a2095db17db9d445100de55258b68ad69d63ed2992f3899d9a149c2fca863ce8c36

  • C:\Users\Admin\AppData\Local\0orjyp\SYSDM.CPL
    Filesize: 96KB
    MD5: 5799dad79a9acfcd465008f31eb1921d
    SHA1: 2e7b82882fe9336a334614f1d23a09db5bd1ae0d
    SHA256: ae3cccb970c41f2fc15687b3a2c6478903d631cd774ae254078c9fa37a155f52
    SHA512: 06ffe71b59470adbf918f9ce97cc0ead3e1095fecbe5e465c8040238eaeb430073ae08b7f9071ced18684001f4d7a012c6b161bb3eafbabdfffc2cecdbaecb09

  • C:\Users\Admin\AppData\Local\0orjyp\SystemPropertiesHardware.exe
    Filesize: 82KB
    MD5: bf5bc0d70a936890d38d2510ee07a2cd
    SHA1: 69d5971fd264d8128f5633db9003afef5fad8f10
    SHA256: c8ebd920399ebcf3ab72bd325b71a6b4c6119dfecea03f25059a920c4d32acc7
    SHA512: 0e129044777cbbf5ea995715159c50773c1818fc5e8faa5c827fd631b44c086b34dfdcbe174b105891ccc3882cc63a8664d189fb6a631d8f589de4e01a862f51

  • C:\Users\Admin\AppData\Local\0orjyp\SystemPropertiesHardware.exe
    Filesize: 5KB
    MD5: f82e6c45eeaf80be3ab6cfad8c9d4ce0
    SHA1: 0fcfe4e71827c498bf4bc846ac88c948dffe67de
    SHA256: 88731c259a1182fb35003d97dcd9f00134ac70ee2b2db727a9fd1de636032f89
    SHA512: fef9be224f89319cb8515f795f4d45c37ca39bde58417b185bfae9c0419871954f2de0c460d007502c0373440d3033a7df2e65076e5af5801d6e8d7c9e456752

  • C:\Users\Admin\AppData\Local\c5zN\ACTIVEDS.dll
    Filesize: 70KB
    MD5: 581296c51dd70f3c928a784024accda8
    SHA1: 1bf4b39f28384de79c48e6812935a86a84f063ae
    SHA256: 3f786e6cd5ccceb6f97b277a022e60aee0c00ee3e67397950cd6033aace5e5ac
    SHA512: 5cb5303e5b79c11df7535eda37ac291c8bd39934c505e0c969dc996adcc3d252c6df75804d19905b4b90076997b70ed4532964a4ec99dd67e6e1dc72857448f2

  • C:\Users\Admin\AppData\Local\c5zN\ACTIVEDS.dll
    Filesize: 93KB
    MD5: 4300e9f66cff7dc91fdba571c766ed21
    SHA1: 031857b5c4f6f50edc6e03802a2bda609cc8249c
    SHA256: a2b4593d1e784eb8245e90b7251579c71045a540f6b84de0447f43ff7c424d5e
    SHA512: f776e8989b204a5b2299ad16c0919aa5dd230b679cadd61372cd2c2fa3c3d9cb69c21146e83a2e56de80a803eb126dcb15ac5e5a41abc005b419c6cceb0320d4

  • C:\Users\Admin\AppData\Local\c5zN\AgentService.exe
    Filesize: 63KB
    MD5: d24cf666d82522cf733bfb410d7a2f35
    SHA1: b47a49cfbd9e02c45a1c72656a4091d18e906481
    SHA256: ef9ac15c64d05084a7be9d16d2d244a2591fa3d2ed7b5f2f4d9054d63f71ee41
    SHA512: dfdd04bf32057a358d619c9dd0ce46664fdfd004eb3f906ed5f2f674c0277c70cb79c4ea43175ba1bab0dff251616605ffc3bc8eadf6a87e717be8e605889bb0

  • C:\Users\Admin\AppData\Local\c5zN\AgentService.exe
    Filesize: 33KB
    MD5: 1e0a022467dba626c731b4823b9d7b68
    SHA1: 2e30c40e0a9caa5b1eab2c5f8455d679e2ad3359
    SHA256: 74393143401ccce505dad174e64fdb654e447f84fe0d38735c6f245b5669d48b
    SHA512: 6310fd0e333a46b6a191731c85aa33ec91010bbca26eb38a69c69b45ee7ceb4697cf39947aa33e14a5d6ea7b456caf87bfd2030d5b3ef6e3da164a0d95c1d74a

  • C:\Users\Admin\AppData\Local\mLoe0plH\DevicePairingWizard.exe
    Filesize: 93KB
    MD5: d0e40a5a0c7dad2d6e5040d7fbc37533
    SHA1: b0eabbd37a97a1abcd90bd56394f5c45585699eb
    SHA256: 2adaf3a5d3fde149626e3fef0e943c7029a135c04688acf357b2d8d04c81981b
    SHA512: 1191c2efcadd53b74d085612025c44b6cd54dd69493632950e30ada650d5ed79e3468c138f389cd3bc21ea103059a63eb38d9d919a62d932a38830c93f57731f

  • C:\Users\Admin\AppData\Local\mLoe0plH\DevicePairingWizard.exe
    Filesize: 78KB
    MD5: 9712efbc7c8bc6ddb8614cb72dfe13d1
    SHA1: 6e366d39bdf433debc811aa70dc212ae75dc47df
    SHA256: 5ba95695d46ab4005a962c69404f1a292e79250383561e61836dd53bfac71146
    SHA512: 2b6e7cceb09a3798bcd4ebd7ca8abd1a08f994edbe2d49f3bbf921a23e579a0dff4658c25278678eee63e194c2ecf364466b1ee501be07169e95b0b3e0245203

  • C:\Users\Admin\AppData\Local\mLoe0plH\MFC42u.dll
    Filesize: 167KB
    MD5: e5afc672aee3b692364f445d2d7adb6f
    SHA1: de3029979f635ce2b2f2e07a3e46fd32c7fc896b
    SHA256: 350da1906ebd85f49659e0bef26985095275386201dff95aa56c4f33a3654881
    SHA512: 93d166b757bc3258849ed6de55e9891fdb48b8b132ba6a8bff37dd41b3c8891bc93552a13eb68120ea2018711e55fcab5a43a82ea3777feab3bc0a83cff2d6ac

  • C:\Users\Admin\AppData\Local\mLoe0plH\MFC42u.dll
    Filesize: 83KB
    MD5: 7420122424c76275a8042b1e0a0ac0c1
    SHA1: 3d58ee071169bf03fe868301986a90c172c8a7e7
    SHA256: 9a8ddfd28c762ea64b5146449e7ca2917c5d6f03a8f285e56497b01afc692593
    SHA512: 4cb67c8beabbe6775e7115a64f62e5e7ab31fcae5ec4fd70e6bf4b36479a7dbe75cc8c53da12dab2a6937b516c02e3bc07f783212bbabbb294819a54c2861631

  • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Wdush.lnk
    Filesize: 1KB
    MD5: 131ed5fd730b1d258735e0d1e2bac999
    SHA1: dee3d486196464d3ac5a65b0d311a2d0d94cf87f
    SHA256: e218398df57ed69b562ce2793a109cc840255ff53877351461b980d2a06a7cb3
    SHA512: e6fd21ede1082c711480f4ab6f0fb68cc271a36e44f2fe66f94ac53b5952cb00a69ba5d470f738b9870b6d27da9d435a9ce88eb54b0b65b1e6cb09fc922bd81a

  • C:\Users\Admin\AppData\Roaming\Microsoft\AddIns\XF4kfc\MFC42u.dll
    Filesize: 213KB
    MD5: ec02758b0b29364ece3172ece700d37b
    SHA1: 4945bec190e9b453f4554412c0303a49c82cf178
    SHA256: aca9ba9664a8d6871509e404bca7a48ce06c063663eb187468282774873ca8be
    SHA512: 9ab5cdcfafd4a0531dfb619d5da64ab738d0d71c701d47b007c427961150605b61b90ed5d1606ab946c821d25d0d74fbdd66ec6a2728c9fb29c500ba46602aca

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\72\ACTIVEDS.dll
    Filesize: 121KB
    MD5: e551bd3a48f599cc243d08665e325db8
    SHA1: 094a21c54326de967fee71e4598448d7cfcb90fe
    SHA256: c48ccb609c70a735c0e1f472a34c95ef0fa6df5ea1742791eed71bfdac529eb9
    SHA512: c8b07bce487ed79ef41affe27eb10fd173cbf6f6f1e8e74c160c5f20a4b574ac6a64379bbf28144b267540687fc2f0db8e897f2462f232d4d629c50084820f2d

  • C:\Users\Admin\AppData\Roaming\Sun\y2\SYSDM.CPL
    Filesize: 5KB
    MD5: da944b012cc14dd24573c629808d245d
    SHA1: fc9bc07be113c666befc2779c0ebc7ba00f0b269
    SHA256: 5190dd1d76c28ba43814b085c06fc040589fbebd205c5d7447f7cf981ab8687f
    SHA512: b9c045d09381b7ab33b01d5e329bc06124a4dcc83a0177b799bd2076da91807b3908c743953fbe180983238d506d99d6543bf78179c660b414c5a13f4d7ebe09

  • memory/1668-96-0x00000265065B0000-0x00000265065B7000-memory.dmp (Filesize: 28KB)
  • memory/2924-113-0x000001241CDE0000-0x000001241CDE7000-memory.dmp (Filesize: 28KB)
  • memory/3556-60-0x0000000140000000-0x0000000140333000-memory.dmp (Filesize: 3.2MB)
  • memory/3556-46-0x0000000140000000-0x0000000140333000-memory.dmp (Filesize: 3.2MB)
  • memory/3556-17-0x0000000140000000-0x0000000140333000-memory.dmp (Filesize: 3.2MB)
  • memory/3556-7-0x0000000140000000-0x0000000140333000-memory.dmp (Filesize: 3.2MB)
  • memory/3556-29-0x0000000140000000-0x0000000140333000-memory.dmp (Filesize: 3.2MB)
  • memory/3556-33-0x0000000140000000-0x0000000140333000-memory.dmp (Filesize: 3.2MB)
  • memory/3556-37-0x0000000140000000-0x0000000140333000-memory.dmp (Filesize: 3.2MB)
  • memory/3556-40-0x0000000140000000-0x0000000140333000-memory.dmp (Filesize: 3.2MB)
  • memory/3556-41-0x0000000140000000-0x0000000140333000-memory.dmp (Filesize: 3.2MB)
  • memory/3556-43-0x0000000140000000-0x0000000140333000-memory.dmp (Filesize: 3.2MB)
  • memory/3556-42-0x0000000140000000-0x0000000140333000-memory.dmp (Filesize: 3.2MB)
  • memory/3556-45-0x0000000140000000-0x0000000140333000-memory.dmp (Filesize: 3.2MB)
  • memory/3556-48-0x0000000140000000-0x0000000140333000-memory.dmp (Filesize: 3.2MB)
  • memory/3556-52-0x0000000140000000-0x0000000140333000-memory.dmp (Filesize: 3.2MB)
  • memory/3556-54-0x0000000140000000-0x0000000140333000-memory.dmp (Filesize: 3.2MB)
  • memory/3556-55-0x0000000140000000-0x0000000140333000-memory.dmp (Filesize: 3.2MB)
  • memory/3556-56-0x0000000140000000-0x0000000140333000-memory.dmp (Filesize: 3.2MB)
  • memory/3556-58-0x0000000140000000-0x0000000140333000-memory.dmp (Filesize: 3.2MB)
  • memory/3556-59-0x0000000140000000-0x0000000140333000-memory.dmp (Filesize: 3.2MB)
  • memory/3556-61-0x0000000140000000-0x0000000140333000-memory.dmp (Filesize: 3.2MB)
  • memory/3556-62-0x0000000140000000-0x0000000140333000-memory.dmp (Filesize: 3.2MB)
  • memory/3556-64-0x0000000140000000-0x0000000140333000-memory.dmp (Filesize: 3.2MB)
  • memory/3556-63-0x0000000140000000-0x0000000140333000-memory.dmp (Filesize: 3.2MB)
  • memory/3556-65-0x0000000140000000-0x0000000140333000-memory.dmp (Filesize: 3.2MB)
  • memory/3556-5-0x00007FFBE6C8A000-0x00007FFBE6C8B000-memory.dmp (Filesize: 4KB)
  • memory/3556-57-0x0000000140000000-0x0000000140333000-memory.dmp (Filesize: 3.2MB)
  • memory/3556-68-0x0000000002350000-0x0000000002357000-memory.dmp (Filesize: 28KB)
  • memory/3556-53-0x0000000140000000-0x0000000140333000-memory.dmp (Filesize: 3.2MB)
  • memory/3556-51-0x0000000140000000-0x0000000140333000-memory.dmp (Filesize: 3.2MB)
  • memory/3556-76-0x00007FFBE8560000-0x00007FFBE8570000-memory.dmp (Filesize: 64KB)
  • memory/3556-50-0x0000000140000000-0x0000000140333000-memory.dmp (Filesize: 3.2MB)
  • memory/3556-49-0x0000000140000000-0x0000000140333000-memory.dmp (Filesize: 3.2MB)
  • memory/3556-47-0x0000000140000000-0x0000000140333000-memory.dmp (Filesize: 3.2MB)
  • memory/3556-21-0x0000000140000000-0x0000000140333000-memory.dmp (Filesize: 3.2MB)
  • memory/3556-44-0x0000000140000000-0x0000000140333000-memory.dmp (Filesize: 3.2MB)
  • memory/3556-39-0x0000000140000000-0x0000000140333000-memory.dmp (Filesize: 3.2MB)
  • memory/3556-22-0x0000000140000000-0x0000000140333000-memory.dmp (Filesize: 3.2MB)
  • memory/3556-23-0x0000000140000000-0x0000000140333000-memory.dmp (Filesize: 3.2MB)
  • memory/3556-27-0x0000000140000000-0x0000000140333000-memory.dmp (Filesize: 3.2MB)
  • memory/3556-26-0x0000000140000000-0x0000000140333000-memory.dmp (Filesize: 3.2MB)
  • memory/3556-25-0x0000000140000000-0x0000000140333000-memory.dmp (Filesize: 3.2MB)
  • memory/3556-38-0x0000000140000000-0x0000000140333000-memory.dmp (Filesize: 3.2MB)
  • memory/3556-36-0x0000000140000000-0x0000000140333000-memory.dmp (Filesize: 3.2MB)
  • memory/3556-35-0x0000000140000000-0x0000000140333000-memory.dmp (Filesize: 3.2MB)
  • memory/3556-34-0x0000000140000000-0x0000000140333000-memory.dmp (Filesize: 3.2MB)
  • memory/3556-32-0x0000000140000000-0x0000000140333000-memory.dmp (Filesize: 3.2MB)
  • memory/3556-31-0x0000000140000000-0x0000000140333000-memory.dmp (Filesize: 3.2MB)
  • memory/3556-30-0x0000000140000000-0x0000000140333000-memory.dmp (Filesize: 3.2MB)
  • memory/3556-28-0x0000000140000000-0x0000000140333000-memory.dmp (Filesize: 3.2MB)
  • memory/3556-24-0x0000000140000000-0x0000000140333000-memory.dmp (Filesize: 3.2MB)
  • memory/3556-20-0x0000000140000000-0x0000000140333000-memory.dmp (Filesize: 3.2MB)
  • memory/3556-19-0x0000000140000000-0x0000000140333000-memory.dmp (Filesize: 3.2MB)
  • memory/3556-18-0x0000000140000000-0x0000000140333000-memory.dmp (Filesize: 3.2MB)
  • memory/3556-16-0x0000000140000000-0x0000000140333000-memory.dmp (Filesize: 3.2MB)
  • memory/3556-4-0x00000000081A0000-0x00000000081A1000-memory.dmp (Filesize: 4KB)
  • memory/3556-11-0x0000000140000000-0x0000000140333000-memory.dmp (Filesize: 3.2MB)
  • memory/3556-14-0x0000000140000000-0x0000000140333000-memory.dmp (Filesize: 3.2MB)
  • memory/3556-15-0x0000000140000000-0x0000000140333000-memory.dmp (Filesize: 3.2MB)
  • memory/3556-12-0x0000000140000000-0x0000000140333000-memory.dmp (Filesize: 3.2MB)
  • memory/3556-13-0x0000000140000000-0x0000000140333000-memory.dmp (Filesize: 3.2MB)
  • memory/3556-10-0x0000000140000000-0x0000000140333000-memory.dmp (Filesize: 3.2MB)
  • memory/3556-9-0x0000000140000000-0x0000000140333000-memory.dmp (Filesize: 3.2MB)
  • memory/4160-133-0x00000212C1380000-0x00000212C1387000-memory.dmp (Filesize: 28KB)
  • memory/5080-1-0x000001F97F290000-0x000001F97F297000-memory.dmp (Filesize: 28KB)
  • memory/5080-0-0x0000000140000000-0x0000000140333000-memory.dmp (Filesize: 3.2MB)
  • memory/5080-8-0x0000000140000000-0x0000000140333000-memory.dmp (Filesize: 3.2MB)
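The memory-dump list is long because the sandbox re-dumps the same region at each event, so it reads better once collapsed by process and region. Two things fall out: the 0x140000000 region is 0x333000 bytes, which matches the 3.2MB DLL on disk, and it is dumped both from rundll32.exe (PID 5080, the process that loaded the DLL) and from PID 3556, which never appears in the process tree, so it was already running before the sample started. The "Dridex Shellcode" signature names Explorer as the injection target; the report does not identify PID 3556, so that pairing is an inference. The parser below is an added example, not part of the report; it embeds a representative subset of the dump names copied from this page (most of the repeated 3556 snapshots are omitted), and the process-tree PID set is copied from the Processes section.

```python
"""Collapse sandbox memory-dump names by process and mapped region.

Added example, not part of the sandbox report. Names follow the pattern seen
above: memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp (assumed stable).
"""
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$"
)

# Representative subset copied from the report's memory-dump list.
DUMPS = [
    "memory/1668-96-0x00000265065B0000-0x00000265065B7000-memory.dmp",
    "memory/2924-113-0x000001241CDE0000-0x000001241CDE7000-memory.dmp",
    "memory/3556-7-0x0000000140000000-0x0000000140333000-memory.dmp",
    "memory/3556-60-0x0000000140000000-0x0000000140333000-memory.dmp",
    "memory/3556-5-0x00007FFBE6C8A000-0x00007FFBE6C8B000-memory.dmp",
    "memory/3556-68-0x0000000002350000-0x0000000002357000-memory.dmp",
    "memory/3556-76-0x00007FFBE8560000-0x00007FFBE8570000-memory.dmp",
    "memory/3556-4-0x00000000081A0000-0x00000000081A1000-memory.dmp",
    "memory/4160-133-0x00000212C1380000-0x00000212C1387000-memory.dmp",
    "memory/5080-1-0x000001F97F290000-0x000001F97F297000-memory.dmp",
    "memory/5080-0-0x0000000140000000-0x0000000140333000-memory.dmp",
    "memory/5080-8-0x0000000140000000-0x0000000140333000-memory.dmp",
]

# PIDs shown in the report's process tree.
TREE_PIDS = {5080, 3404, 1668, 916, 2924, 1008, 4160}


def parse_dump(name):
    """Split one dump name into pid, snapshot index, start, end and size."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    pid, idx = int(m[1]), int(m[2])
    start, end = int(m[3], 16), int(m[4], 16)
    return {"pid": pid, "index": idx, "start": start, "end": end, "size": end - start}


def human_size(size):
    """Render a byte count the way the report does (KB below 1MB, else MB)."""
    if size >= 1024 * 1024:
        return f"{size / (1024 * 1024):.1f}MB"
    return f"{size / 1024:.0f}KB"


def regions_by_process(names):
    """{pid: {(start, size): snapshot_count}}: repeated dumps of one region collapse."""
    out = defaultdict(lambda: defaultdict(int))
    for n in names:
        d = parse_dump(n)
        out[d["pid"]][(d["start"], d["size"])] += 1
    return out


def shared_regions(names):
    """Regions (start, size) dumped from more than one process: an injection lead."""
    seen = defaultdict(set)
    for n in names:
        d = parse_dump(n)
        seen[(d["start"], d["size"])].add(d["pid"])
    return {region: sorted(pids) for region, pids in seen.items() if len(pids) > 1}


def pids_not_in_tree(names, tree_pids):
    """Dumped processes that the sandbox did not spawn: pre-existing targets."""
    return sorted({parse_dump(n)["pid"] for n in names} - set(tree_pids))


if __name__ == "__main__":
    for pid, regs in sorted(regions_by_process(DUMPS).items()):
        for (start, size), count in sorted(regs.items()):
            print(f"PID {pid}: 0x{start:X} {human_size(size)} x{count}")
    for (start, size), pids in shared_regions(DUMPS).items():
        print(f"shared region 0x{start:X} ({human_size(size)}) in PIDs {pids}")
    print("dumped but absent from process tree:", pids_not_in_tree(DUMPS, TREE_PIDS))
```

Running it on the full list instead of the subset only changes the snapshot counts; the shared region and the absent PID are the same, and those two facts, not the raw count of dumps, are what to carry into a hunt.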