Analysis

  • max time kernel
    147s
  • max time network
    122s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    27-01-2024 05:36

General

  • Target

    7968f591e01c7a4a04d2d9c53d667082.dll

  • Size

    1.9MB

  • MD5

    7968f591e01c7a4a04d2d9c53d667082

  • SHA1

    d360ace519351b3109e26800067532b2d26ee952

  • SHA256

    00a23ef486863b29a272d8b4405e375fefa0a629927a9bccd0434886b02c5cdd

  • SHA512

    261007611f113167d1e3a8c9fc1d7e6867fcb82ec8c1bf0c82f5ae6d17de7abf8807834c4d6d68720ed83c6fca428d0400ca4e86119cfe80fe1315b3cb1f29cc

  • SSDEEP

    12288:3VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1V:+fP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\7968f591e01c7a4a04d2d9c53d667082.dll,#1
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1012
  • C:\Windows\system32\RdpSa.exe
    C:\Windows\system32\RdpSa.exe
    PID:4376
    • C:\Users\Admin\AppData\Local\7GMpuEOP\RdpSa.exe
      C:\Users\Admin\AppData\Local\7GMpuEOP\RdpSa.exe
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:3160
    • C:\Users\Admin\AppData\Local\6EJeq90wu\Taskmgr.exe
      C:\Users\Admin\AppData\Local\6EJeq90wu\Taskmgr.exe
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:4976
    • C:\Windows\system32\mstsc.exe
      C:\Windows\system32\mstsc.exe
      PID:3020
      • C:\Users\Admin\AppData\Local\glOyVHOM\mstsc.exe
        C:\Users\Admin\AppData\Local\glOyVHOM\mstsc.exe
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:1756
      • C:\Windows\system32\Taskmgr.exe
        C:\Windows\system32\Taskmgr.exe
        PID:4600

        Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\6EJeq90wu\Taskmgr.exe

          Filesize

          192KB

          MD5

          ba4df2e7cda214b318acd0a2f619bc68

          SHA1

          9ea8b8aec96e725e1411c37c325cf4dbc874802e

          SHA256

          d9a76aa0ed696031ef8d1aa45e7721b1a4901a345e0128090f5c5243f725af36

          SHA512

          965ed7ed9aab11d63764d15fcf055a17d662116082437fc58c0cd992f327d102cf6d60caf6f19e40bdf85564c20b7c34d6df860a6c4cf2361062a393023722d3

        • C:\Users\Admin\AppData\Local\6EJeq90wu\Taskmgr.exe

          Filesize

          21KB

          MD5

          d151dec7a4474bac9c74d995bb23aab5

          SHA1

          fb21b02a2cb62f7c1e75d5cb4892794c393d024e

          SHA256

          b3853b47475ee8e54f750d8fe30c6e6d62e83db46012f2e7a393e51fe9fa811d

          SHA512

          e75b6cb49353357ddd7530fd285e9d197926bfe29254c1a4323110ad608684f2333107393f37504978f2a07a608f7ce1e6af17e93507fedf358934ad559ec21d

        • C:\Users\Admin\AppData\Local\6EJeq90wu\credui.dll

          Filesize

          237KB

          MD5

          da5b1956e5ed121e0b85bdb441bc0375

          SHA1

          edba9f515fdc85bec1801cfc540a8f03cce0c3b5

          SHA256

          9077cb97a0600dfc69cf803c56587d2b71e043804942a73546a74022a13a0fe6

          SHA512

          493393ee3e4df034d651a1f9f7dff73a8e6e75bcc432dddb731e5b1114bc0c5b55e8694779cbcfde2eb39552e549c6cac2328416b04c535d58715cb78ca405f5

        • C:\Users\Admin\AppData\Local\6EJeq90wu\credui.dll

          Filesize

          224KB

          MD5

          3bcdc623cdce76e61ee2ebb00172632f

          SHA1

          6c71e446b281d936950f709eb55f9d41d26e95a8

          SHA256

          5ed787a8fc60e02a4e39af5af7af2b3106cc8259c88a561c94473b4a6f7a732b

          SHA512

          a8c387b294d0da8efb50a802a15b7500389e76b438e347f325ab8dc6c9753f35e5e04aa7dc16f1f3c6ef8fc18eea5dfa675d5cd4d89d63f29ef89ce330455f8e

        • C:\Users\Admin\AppData\Local\7GMpuEOP\RdpSa.exe

          Filesize

          56KB

          MD5

          5992f5b5d0b296b83877da15b54dd1b4

          SHA1

          0d87be8d4b7aeada4b55d1d05c0539df892f8f82

          SHA256

          32f60eabe54c4d0cd0f0ec29f48f55ca1ad097bf35097247b186fd70426f847c

          SHA512

          4f6da913af530301da1d0638aa2635ada446ebee6e27b5059db5c2b7fe439162ac3b1a595ecf4163a093890df9ac94d9085a53d8c991e48703f9d2691326e7e6

        • C:\Users\Admin\AppData\Local\7GMpuEOP\WINSTA.dll

          Filesize

          286KB

          MD5

          9b8d5f33c847938b3bba5437374d1ac2

          SHA1

          2a1c9cff9dc47e0e3f96e5f256a2b3e5e2a5e4be

          SHA256

          c84214609f66f9c09d359a05fed610db4af4a564af2249fa562a6b645e47769d

          SHA512

          e7190abd3f9ffdf070e0b73d36d3f892b08621a3bebf675e58a4124bfc7c5318d1967c4d61636bf9591ec9346afcd2abaeb8db28c0026b3d630235ece722a12d

        • C:\Users\Admin\AppData\Local\7GMpuEOP\WINSTA.dll

          Filesize

          279KB

          MD5

          8eadc5168ad087530c70f483363d60d4

          SHA1

          0bcb3acf63a92ee1ed469a489631ebd61054f8c5

          SHA256

          7e02b02c71039b7714064bceabd416758ad1ca3f211be928d4c0a7fdee1561f4

          SHA512

          37724bd31d488121d51f0c851a43c001088d93b9c24087c66fe6d610855df975ba7926d97fd269cbbe0c5ba626816d4f59af1a7cbc21239e79f80c6cc2ea9810

        • C:\Users\Admin\AppData\Local\glOyVHOM\VERSION.dll

          Filesize

          243KB

          MD5

          66aa0c66cdf33b01b2d24144003b4512

          SHA1

          2fc004d13c12225680ce402e7131950f57c46f97

          SHA256

          6c5b2cb6ba9f81798cf519ae2a48803aeb06bc5d2daad3bd03b4593df127b2f3

          SHA512

          22fe22cc7ee620eb5ce0aaba0f51ef3c317f3660ed2c69d8e6ee9124aa82674440b88a61aa5aeb3a68c5d167944df0f643e44b6819054559daec6b3323e1db78

        • C:\Users\Admin\AppData\Local\glOyVHOM\VERSION.dll

          Filesize

          62KB

          MD5

          af845f23646a5b7cf1442a5bd007b86c

          SHA1

          3c1656b6a5d5f7405af85b3ae2f8dcdbb0fd20cf

          SHA256

          1aaec93d0522117af33476ac582daed081f5f6d0d8bc6664f3704887d17978b5

          SHA512

          71fde2009ae3f68d4c704a7162dd7b9642314bae35d9bcb8e6829df81f8cbbf5ac9cfa7a59adf585d305ae6ae8e21c1e61fbe2ed5d0538ccbf3093c2f22b65c2

        • C:\Users\Admin\AppData\Local\glOyVHOM\mstsc.exe

          Filesize

          283KB

          MD5

          a789b5b578ed10d31fa4b9ff98adf2b6

          SHA1

          010a7cd4b12bcab656c0f8c3b0cf4e77b5ea1a46

          SHA256

          9099f5dcf5f53572fdabbf6d12ce9515ba1f2fa89369be12900a1a0dd244b494

          SHA512

          b978f736b2cdbad381b179d4c24c28d5d841ab7d04926d3863cf764f5360c27f1bfcbf9ed113fe9557b00ede9c7d12aac8cc41ad607ddf8cd41c61cdfafff9a3

        • C:\Users\Admin\AppData\Local\glOyVHOM\mstsc.exe

          Filesize

          236KB

          MD5

          bfa99bd8a693a6e090dec1f56a78a2bc

          SHA1

          791c1bab4bf016368d38def7fb788d75f1cd4d52

          SHA256

          133893f9757f740ff7eeefbeba5db6a22ca4dc48da6c264acbb175e8f1294509

          SHA512

          2963615a252d4d405c4bbc6cc7914be34839a4b2f092e5c29c5e1069cddad94b01a478353af61c678e1c19a31f5ecba9fa92b86ef4fcb654c2ad083cf57aaf12

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Wdush.lnk

          Filesize

          1KB

          MD5

          1c9d31f7b53a9a57bfd66ac004a055d4

          SHA1

          a2490bdd9933a2abbbddbac10a27ae99a8c2c456

          SHA256

          0c0f980af1d8ec21185e3be35c1db8f62c47c24b690d74c95d99261ef3f9c0c1

          SHA512

          cf1f373aba37024b51688ae568624b2b7cb3cf37edad4c4af27bedb441ff94a7e8830b388ed32f6bfd730861b8e47ff25616105fb9a7a00ab4a3c22e38a43a21

        • C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\hT1PPa\credui.dll

          Filesize

          1.9MB

          MD5

          cf334860cff3fcb18b627eebfd497f0b

          SHA1

          8bcdb7cf473d4e684dd539ad668547cb8b7390ce

          SHA256

          aea7a8c764b3194fa69c3f5ced7e701c3ac8e1bc03f8731048a1ac97cf054c55

          SHA512

          fb1639573076e9689f5ef8317d8858641d97cbc23d9762d2483c984c7d3b670cb3dac304958c287a7000e79e7d4272203f5a52619a2cc8d2f0fee897cd553b25

        • C:\Users\Admin\AppData\Roaming\Microsoft\UProof\78Lv\WINSTA.dll

          Filesize

          1.9MB

          MD5

          0c075860d8a3a1db2b481c8d52a0dbfa

          SHA1

          88ea911bef105668ff00ead3d2bdba5f9b9eb532

          SHA256

          c83a3973295b475a94e358536cefa9455eedf05e46a6a3754ce01dbbc78ce869

          SHA512

          5715761af43d3930f28de9a1034f7c6c743b97d046fe5fc6916e65b2846fbd7e1f51c1876c9a48086d72858edb49d361a4aa20f2c27d4961173e9d3e3074a4f7

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\SesmRCj\VERSION.dll

          Filesize

          1.9MB

          MD5

          07f7b67cebd6ade6b49ba150217c1d08

          SHA1

          8548b8a60091b1dfecb761101cf8c8ab5e4cfddb

          SHA256

          243c1cf15886c8c1e92b1d9a423d8c7414112ce30aca16565c9db02fb0c8b79f

          SHA512

          e479ae2f33ee3c6b738e2acdcc438ee04fe02b01cccfe726f946243eb5a525000e4134da84a1607e30ca2d9286e409018549a5e1a9ce3847fc6683af49f01ae6

        • memory/1012-0-0x0000000140000000-0x00000001401F1000-memory.dmp

          Filesize

          1.9MB

        • memory/1012-8-0x0000000140000000-0x00000001401F1000-memory.dmp

          Filesize

          1.9MB

        • memory/1012-2-0x000001F2B17F0000-0x000001F2B17F7000-memory.dmp

          Filesize

          28KB

        • memory/1756-101-0x0000000140000000-0x00000001401F2000-memory.dmp

          Filesize

          1.9MB

        • memory/1756-95-0x000001CA3EC70000-0x000001CA3EC77000-memory.dmp

          Filesize

          28KB

        • memory/3160-61-0x0000000140000000-0x00000001401F3000-memory.dmp

          Filesize

          1.9MB

        • memory/3160-62-0x000001FA3B700000-0x000001FA3B707000-memory.dmp

          Filesize

          28KB

        • memory/3160-67-0x0000000140000000-0x00000001401F3000-memory.dmp

          Filesize

          1.9MB

        • memory/3472-29-0x0000000140000000-0x00000001401F1000-memory.dmp

          Filesize

          1.9MB

        • memory/3472-28-0x0000000140000000-0x00000001401F1000-memory.dmp

          Filesize

          1.9MB

        • memory/3472-18-0x0000000140000000-0x00000001401F1000-memory.dmp

          Filesize

          1.9MB

        • memory/3472-17-0x0000000140000000-0x00000001401F1000-memory.dmp

          Filesize

          1.9MB

        • memory/3472-16-0x0000000140000000-0x00000001401F1000-memory.dmp

          Filesize

          1.9MB

        • memory/3472-15-0x0000000140000000-0x00000001401F1000-memory.dmp

          Filesize

          1.9MB

        • memory/3472-12-0x0000000140000000-0x00000001401F1000-memory.dmp

          Filesize

          1.9MB

        • memory/3472-10-0x0000000140000000-0x00000001401F1000-memory.dmp

          Filesize

          1.9MB

        • memory/3472-7-0x0000000140000000-0x00000001401F1000-memory.dmp

          Filesize

          1.9MB

        • memory/3472-4-0x0000000006D10000-0x0000000006D11000-memory.dmp

          Filesize

          4KB

        • memory/3472-50-0x0000000140000000-0x00000001401F1000-memory.dmp

          Filesize

          1.9MB

        • memory/3472-52-0x0000000140000000-0x00000001401F1000-memory.dmp

          Filesize

          1.9MB

        • memory/3472-23-0x0000000140000000-0x00000001401F1000-memory.dmp

          Filesize

          1.9MB

        • memory/3472-26-0x0000000140000000-0x00000001401F1000-memory.dmp

          Filesize

          1.9MB

        • memory/3472-41-0x00007FFD09E00000-0x00007FFD09E10000-memory.dmp

          Filesize

          64KB

        • memory/3472-25-0x0000000140000000-0x00000001401F1000-memory.dmp

          Filesize

          1.9MB

        • memory/3472-5-0x00007FFD09D5A000-0x00007FFD09D5B000-memory.dmp

          Filesize

          4KB

        • memory/3472-9-0x0000000140000000-0x00000001401F1000-memory.dmp

          Filesize

          1.9MB

        • memory/3472-11-0x0000000140000000-0x00000001401F1000-memory.dmp

          Filesize

          1.9MB

        • memory/3472-30-0x0000000140000000-0x00000001401F1000-memory.dmp

          Filesize

          1.9MB

        • memory/3472-40-0x0000000140000000-0x00000001401F1000-memory.dmp

          Filesize

          1.9MB

        • memory/3472-31-0x0000000140000000-0x00000001401F1000-memory.dmp

          Filesize

          1.9MB

        • memory/3472-33-0x0000000006AF0000-0x0000000006AF7000-memory.dmp

          Filesize

          28KB

        • memory/3472-32-0x0000000140000000-0x00000001401F1000-memory.dmp

          Filesize

          1.9MB

        • memory/3472-27-0x0000000140000000-0x00000001401F1000-memory.dmp

          Filesize

          1.9MB

        • memory/3472-22-0x0000000140000000-0x00000001401F1000-memory.dmp

          Filesize

          1.9MB

        • memory/3472-24-0x0000000140000000-0x00000001401F1000-memory.dmp

          Filesize

          1.9MB

        • memory/3472-21-0x0000000140000000-0x00000001401F1000-memory.dmp

          Filesize

          1.9MB

        • memory/3472-19-0x0000000140000000-0x00000001401F1000-memory.dmp

          Filesize

          1.9MB

        • memory/3472-20-0x0000000140000000-0x00000001401F1000-memory.dmp

          Filesize

          1.9MB

        • memory/3472-14-0x0000000140000000-0x00000001401F1000-memory.dmp

          Filesize

          1.9MB

        • memory/3472-13-0x0000000140000000-0x00000001401F1000-memory.dmp

          Filesize

          1.9MB

        • memory/4976-84-0x0000000140000000-0x00000001401F2000-memory.dmp

          Filesize

          1.9MB

        • memory/4976-79-0x000002655F600000-0x000002655F607000-memory.dmp

          Filesize

          28KB

        • memory/4976-78-0x0000000140000000-0x00000001401F2000-memory.dmp

          Filesize

          1.9MB