Analysis

  • max time kernel
    131s
  • max time network
    123s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags
    arch:x64
    arch:x86
    image:win10v2004-20231215-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    30-01-2024 05:15

General

  • Target

    818f6364c18d61853f5e7875c46b41b7.dll

  • Size

    2.2MB

  • MD5

    818f6364c18d61853f5e7875c46b41b7

  • SHA1

    0996afc6bdf46c9714f85894e9501c31573d80d0

  • SHA256

    354581ef623c4841ef267fae935ea55b0aa622c1de1aec7c31d3fbfe05005e00

  • SHA512

    4d4c4029cc74ea98745a605b7e1bd0cf5cc5aa05c77bb9ec6ff71a01797a5347cc7be07ab2c414e4c23128655f4eb4f30e80d76520e189e359487e30380a5866

  • SSDEEP

    12288:DVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:SfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex payload shellcode injected into the Explorer process.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\818f6364c18d61853f5e7875c46b41b7.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2280
  • C:\Users\Admin\AppData\Local\XSLR4F7mS\rdpinput.exe
    C:\Users\Admin\AppData\Local\XSLR4F7mS\rdpinput.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:972
  • C:\Windows\system32\wlrmdr.exe
    C:\Windows\system32\wlrmdr.exe
    1⤵
      PID:2432
    • C:\Windows\system32\rdpinput.exe
      C:\Windows\system32\rdpinput.exe
      1⤵
        PID:3140
      • C:\Users\Admin\AppData\Local\x85\wlrmdr.exe
        C:\Users\Admin\AppData\Local\x85\wlrmdr.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:3652
      • C:\Windows\system32\sethc.exe
        C:\Windows\system32\sethc.exe
        1⤵
          PID:3980
        • C:\Users\Admin\AppData\Local\swX7\sethc.exe
          C:\Users\Admin\AppData\Local\swX7\sethc.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:4692

        Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\XSLR4F7mS\WINSTA.dll

          Filesize

          62KB

          MD5

          f31e1ea3f455c9cf77ff62594370396f

          SHA1

          53596b8971fdd53080b3d6e8cfce87b6834ada57

          SHA256

          1946cd25b41870560867b984fa88e61aa81b2e9c55fb5cd9d904e78d31ac739d

          SHA512

          7641921136dfb34b6b395038f8a4320ea288e3a0496538e96d9a421d40a71f9b21e11df7c04b99288f80b317ef55a2b66f5c9a513da920c4a2c5bcc7f3e104fa

        • C:\Users\Admin\AppData\Local\XSLR4F7mS\WINSTA.dll

          Filesize

          79KB

          MD5

          57bb8b24d89cc7e9266107503113cd3d

          SHA1

          39126cff71e10501cadac8c50453324c1ca31a73

          SHA256

          694d883da6561b9ab8cd2b22262062ead9c06e35e7e20fbd8f4266cb05fe676c

          SHA512

          b17158a64a84ba826445d2bfc85445ba3754eccdcf7a174988df55cf93414d869de0aa065a21bd6c8b99f85cce0e19eda1e11b1990f77548d446f650764a784a

        • C:\Users\Admin\AppData\Local\XSLR4F7mS\rdpinput.exe

          Filesize

          180KB

          MD5

          bd99eeca92869f9a3084d689f335c734

          SHA1

          a2839f6038ea50a4456cd5c2a3ea003e7b77688c

          SHA256

          39bfb2214efeed47f4f5e50e6dff05541e29caeb27966520bdadd52c3d5e7143

          SHA512

          355433c3bbbaa3bcb849633d45713d8a7ac6f87a025732fbe83e259ec3a0cb4eabb18239df26609453f9fc6764c7276c5d0472f11cf12d15ef806aa7594d090e

        • C:\Users\Admin\AppData\Local\XSLR4F7mS\rdpinput.exe

          Filesize

          4KB

          MD5

          98db82126c29023e05ec1bb6c3351ce1

          SHA1

          3cd19753b1bfc047c7fcf3bdd83d1d6ff5f5bea5

          SHA256

          1baab8693d6fbbc472085ba171736c459d4ad66e923d5e1b48f939331c7a6d10

          SHA512

          3fd10735098f66a4fb7f30e23a35c4ba202ce396026cdb8b8659559b6c0a926f9141a2e09cc3365240b08451141f48043f8bf07e62235e6c8f32ea884da6f6f9

        • C:\Users\Admin\AppData\Local\swX7\OLEACC.dll

          Filesize

          25KB

          MD5

          71e1d5254bf334ee4527ef6cad795dec

          SHA1

          4c0ea7d705abf262e4e3e27b76feb41b83b7e28d

          SHA256

          b4c782e10187bde171527a1228679acc9c49be4b122c810e70b9afc4ee5c8f93

          SHA512

          e8e2e7fd0aa2987b33a3df65f2a87904a909f18ec8160b99be2d45876fc43b9bdb1f03728d349450c822e7393e76178d3602e00733ba32e576e5cc0f016759e8

        • C:\Users\Admin\AppData\Local\swX7\OLEACC.dll

          Filesize

          85KB

          MD5

          03ca70b4315eba71c70020823ed8fa49

          SHA1

          9fd3a4692c0951239e3743184207e2b326368f90

          SHA256

          5437745dd8bd5a1e06eb644fe1bebd5d7d5f9d2d6dea6d2e850817d91d104518

          SHA512

          f6b4144eed2dc97be9b5bdb1d5a7bea4464d490e5cf329395e387149a11a83eedbd05c7d6ad3b049cfcd9bbf7e28f03ea2e12ee478fa46db01366319e912b190

        • C:\Users\Admin\AppData\Local\swX7\sethc.exe

          Filesize

          29KB

          MD5

          9a188a8b9116b1a59f437328821716d4

          SHA1

          c4940ffe21ec20155c66a4a6ae42b7bf48933486

          SHA256

          1642cfac46db4da96d73a1f94af537bd22458e441f0e5dd7a8834f465488c96d

          SHA512

          a7f92717716e2e76c0a004964063a59f5cd829920c44b7c5fc64419b4c1bb0d4c33ae9ddf5a9dd72db5ba27c6f7ab25ee0857ff617c1899aaede310370165684

        • C:\Users\Admin\AppData\Local\swX7\sethc.exe

          Filesize

          1KB

          MD5

          2adf4668a6b0cf1eca412b90f9a3aeb9

          SHA1

          8b993639c8629672f8efe1fd063b02e6dce4eefd

          SHA256

          1ec0517370cc05c441fb90423d26280b5ab2951b40388d3187cdec3f968c0590

          SHA512

          2861928dab32130cf1408e3cb0a601bdd1f666c096bd9e2270dce176be32921342adf6a1d8d35f3cb57b52ec3be72bf701e8ebd884e421bc3be3c58179e7d895

        • C:\Users\Admin\AppData\Local\x85\DUI70.dll

          Filesize

          100KB

          MD5

          a5c31dee2a20ed09c68956f3d989067e

          SHA1

          9303e302dcf793ae5f49e967445d222225a40628

          SHA256

          5306b7bd81386fe03f0f6771533a57e5ee59676e59c8e90893c45d562df1eb1d

          SHA512

          56b589bc7a62d30a56989c0c9487e109cc7087e469b1fcfed04556e6575089ac00432104ad45a98bf1041a04d42aeebd34ab32ffc48920dc7dd106d608e77ced

        • C:\Users\Admin\AppData\Local\x85\DUI70.dll

          Filesize

          93KB

          MD5

          019247d3a01d27e400006bf4014c4a6c

          SHA1

          f9f889fda9beb81c5574e948021de16187efb423

          SHA256

          14b540a4a62283e0c084852fe2e614c84fa63c7a0b457196bd93fc92da88d602

          SHA512

          7984a14973bb462acf8537585a84cc60179edc6a5e4dcbb6af71f9410b27543dae2c6e258930dab23d69b0a3ef08b874e3b7aab659ad88b041b3e61fcc5d49eb

        • C:\Users\Admin\AppData\Local\x85\wlrmdr.exe

          Filesize

          63KB

          MD5

          d7f43233c53ad1dc2a51e13a05f2afd7

          SHA1

          f2178d40939e7526a3cf1744afb2f436f6940e2a

          SHA256

          cbdc9b0468082c8d87184fc0489771ac32d02cc6ce69bbcdc7eb022e7ab66fb3

          SHA512

          7a79ecb474985b0d590939080b6a302d4aba9809c28e98aea8a54fdb4c1c808232672ad8e44bd896146d0753fd9445059cf585aaa00ab73dd9ca6c04252e39ab

        • C:\Users\Admin\AppData\Local\x85\wlrmdr.exe

          Filesize

          66KB

          MD5

          ef9bba7a637a11b224a90bf90a8943ac

          SHA1

          4747ec6efd2d41e049159249c2d888189bb33d1d

          SHA256

          2fda95aafb2e9284c730bf912b93f60a75b151941adc14445ed1e056140325b1

          SHA512

          4c1fdb8e4bf25546a2a33c95268593746f5ae2666ce36c6d9ba5833357f13720c4722231224e82308af8c156485a2c86ffd97e3093717a28d1300d3787ef1831

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Psfjn.lnk

          Filesize

          1KB

          MD5

          c34f3b22688936ce3efd547744de53e1

          SHA1

          e13613447cece208c13d49d8ff6c46d5f45bc6e6

          SHA256

          41c1560c983eff74da4fb86d54e9e3f6e3c362bb9c15c4c7883ffb8dfab05db7

          SHA512

          914bb6ba14c3cb6b251bf5187aa33b1f20048755a5e193c8e7152e1cf08f76d3c4a33242ef85ad44da1c477e011c5b60ab1de3050123c033532a90c48bb0628a

        • C:\Users\Admin\AppData\Roaming\Microsoft\8nbxRuK\WINSTA.dll

          Filesize

          207KB

          MD5

          2cf421d2c3d3a370a1401b89393b6ea7

          SHA1

          4325ff38ef271661a9cee55d4272c815bfe6ab3d

          SHA256

          7cb24762facf1071281d189d05efaefe6c08ef46caea218a188bc1a6cee1fd45

          SHA512

          a006ce3b0e8e725e43c8237e1505c24f64acf584d81ccc847b4704278debd23670ff5c4828b5d6a98f4288ecdcef5e8dafafe469a5445d84e57984a75e5ae3c3

        • C:\Users\Admin\AppData\Roaming\Microsoft\8nbxRuK\qCrs054\DUI70.dll

          Filesize

          182KB

          MD5

          7f14c5294024b823314f71296a351800

          SHA1

          7781568f4cf91c2471314a42f4d8b98967a425ff

          SHA256

          2e74be119835cbd098c2009ebe51bc30bc0bdb3c72f186c8f13b110055f7bc4a

          SHA512

          ccb23e533e1f8a0dc954a3bcd9530cb94ef6a476718ab510ab19bfb837943fbe3f67ae71ac3f4a43be1a798e51ad03e50b2abbd5b28f37baddc29c278d55366c

        • C:\Users\Admin\AppData\Roaming\Microsoft\Word\Sfw\OLEACC.dll

          Filesize

          2.2MB

          MD5

          33cf460b026cf971050fdbf216bbb959

          SHA1

          f7b384fd0897affc96b93bd86da41bb507c16ad1

          SHA256

          a78c37a86f012e0c56096575622afa201f12c39a6d3d72c60d1589f3bef550e6

          SHA512

          b2677f6403d42525e284ac17dcdc705612d6107df0b9bfb61ced506cf8f74b3a06482e7a11d6b5c2c976b70a525174dbd662a85ae1372b25a1f84cff639d787a

        • memory/972-80-0x000001B0ECFB0000-0x000001B0ECFB7000-memory.dmp

          Filesize

          28KB

        • memory/972-81-0x0000000140000000-0x0000000140239000-memory.dmp

          Filesize

          2.2MB

        • memory/2280-0-0x0000017405EC0000-0x0000017405EC7000-memory.dmp

          Filesize

          28KB

        • memory/2280-1-0x0000000140000000-0x0000000140237000-memory.dmp

          Filesize

          2.2MB

        • memory/2280-7-0x0000000140000000-0x0000000140237000-memory.dmp

          Filesize

          2.2MB

        • memory/3492-51-0x0000000140000000-0x0000000140237000-memory.dmp

          Filesize

          2.2MB

        • memory/3492-32-0x0000000140000000-0x0000000140237000-memory.dmp

          Filesize

          2.2MB

        • memory/3492-48-0x0000000140000000-0x0000000140237000-memory.dmp

          Filesize

          2.2MB

        • memory/3492-37-0x0000000140000000-0x0000000140237000-memory.dmp

          Filesize

          2.2MB

        • memory/3492-69-0x0000000140000000-0x0000000140237000-memory.dmp

          Filesize

          2.2MB

        • memory/3492-71-0x0000000140000000-0x0000000140237000-memory.dmp

          Filesize

          2.2MB

        • memory/3492-59-0x0000000140000000-0x0000000140237000-memory.dmp

          Filesize

          2.2MB

        • memory/3492-47-0x0000000140000000-0x0000000140237000-memory.dmp

          Filesize

          2.2MB

        • memory/3492-46-0x0000000140000000-0x0000000140237000-memory.dmp

          Filesize

          2.2MB

        • memory/3492-45-0x0000000140000000-0x0000000140237000-memory.dmp

          Filesize

          2.2MB

        • memory/3492-42-0x0000000140000000-0x0000000140237000-memory.dmp

          Filesize

          2.2MB

        • memory/3492-40-0x0000000140000000-0x0000000140237000-memory.dmp

          Filesize

          2.2MB

        • memory/3492-49-0x0000000140000000-0x0000000140237000-memory.dmp

          Filesize

          2.2MB

        • memory/3492-38-0x0000000140000000-0x0000000140237000-memory.dmp

          Filesize

          2.2MB

        • memory/3492-12-0x0000000140000000-0x0000000140237000-memory.dmp

          Filesize

          2.2MB

        • memory/3492-11-0x0000000140000000-0x0000000140237000-memory.dmp

          Filesize

          2.2MB

        • memory/3492-10-0x0000000140000000-0x0000000140237000-memory.dmp

          Filesize

          2.2MB

        • memory/3492-8-0x0000000140000000-0x0000000140237000-memory.dmp

          Filesize

          2.2MB

        • memory/3492-27-0x0000000140000000-0x0000000140237000-memory.dmp

          Filesize

          2.2MB

        • memory/3492-9-0x00007FFF27BAA000-0x00007FFF27BAB000-memory.dmp

          Filesize

          4KB

        • memory/3492-62-0x00007FFF28E80000-0x00007FFF28E90000-memory.dmp

          Filesize

          64KB

        • memory/3492-36-0x0000000140000000-0x0000000140237000-memory.dmp

          Filesize

          2.2MB

        • memory/3492-35-0x0000000140000000-0x0000000140237000-memory.dmp

          Filesize

          2.2MB

        • memory/3492-50-0x0000000140000000-0x0000000140237000-memory.dmp

          Filesize

          2.2MB

        • memory/3492-44-0x0000000140000000-0x0000000140237000-memory.dmp

          Filesize

          2.2MB

        • memory/3492-43-0x0000000140000000-0x0000000140237000-memory.dmp

          Filesize

          2.2MB

        • memory/3492-6-0x0000000140000000-0x0000000140237000-memory.dmp

          Filesize

          2.2MB

        • memory/3492-33-0x0000000140000000-0x0000000140237000-memory.dmp

          Filesize

          2.2MB

        • memory/3492-52-0x0000000000D30000-0x0000000000D37000-memory.dmp

          Filesize

          28KB

        • memory/3492-41-0x0000000140000000-0x0000000140237000-memory.dmp

          Filesize

          2.2MB

        • memory/3492-13-0x0000000140000000-0x0000000140237000-memory.dmp

          Filesize

          2.2MB

        • memory/3492-4-0x0000000000D60000-0x0000000000D61000-memory.dmp

          Filesize

          4KB

        • memory/3492-34-0x0000000140000000-0x0000000140237000-memory.dmp

          Filesize

          2.2MB

        • memory/3492-39-0x0000000140000000-0x0000000140237000-memory.dmp

          Filesize

          2.2MB

        • memory/3492-23-0x0000000140000000-0x0000000140237000-memory.dmp

          Filesize

          2.2MB

        • memory/3492-31-0x0000000140000000-0x0000000140237000-memory.dmp

          Filesize

          2.2MB

        • memory/3492-30-0x0000000140000000-0x0000000140237000-memory.dmp

          Filesize

          2.2MB

        • memory/3492-29-0x0000000140000000-0x0000000140237000-memory.dmp

          Filesize

          2.2MB

        • memory/3492-28-0x0000000140000000-0x0000000140237000-memory.dmp

          Filesize

          2.2MB

        • memory/3492-26-0x0000000140000000-0x0000000140237000-memory.dmp

          Filesize

          2.2MB

        • memory/3492-25-0x0000000140000000-0x0000000140237000-memory.dmp

          Filesize

          2.2MB

        • memory/3492-24-0x0000000140000000-0x0000000140237000-memory.dmp

          Filesize

          2.2MB

        • memory/3492-22-0x0000000140000000-0x0000000140237000-memory.dmp

          Filesize

          2.2MB

        • memory/3492-21-0x0000000140000000-0x0000000140237000-memory.dmp

          Filesize

          2.2MB

        • memory/3492-19-0x0000000140000000-0x0000000140237000-memory.dmp

          Filesize

          2.2MB

        • memory/3492-20-0x0000000140000000-0x0000000140237000-memory.dmp

          Filesize

          2.2MB

        • memory/3492-16-0x0000000140000000-0x0000000140237000-memory.dmp

          Filesize

          2.2MB

        • memory/3492-15-0x0000000140000000-0x0000000140237000-memory.dmp

          Filesize

          2.2MB

        • memory/3492-14-0x0000000140000000-0x0000000140237000-memory.dmp

          Filesize

          2.2MB

        • memory/3492-18-0x0000000140000000-0x0000000140237000-memory.dmp

          Filesize

          2.2MB

        • memory/3492-17-0x0000000140000000-0x0000000140237000-memory.dmp

          Filesize

          2.2MB

        • memory/3652-98-0x0000027E16AF0000-0x0000027E16AF7000-memory.dmp

          Filesize

          28KB

        • memory/4692-115-0x000002114A210000-0x000002114A217000-memory.dmp

          Filesize

          28KB