Analysis

  • max time kernel
    149s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30-01-2024 08:33

General

  • Target

    81f8648768d984dad73854085026281b.dll

  • Size

    1.7MB

  • MD5

    81f8648768d984dad73854085026281b

  • SHA1

    46693723c9775aa609b2a4fdb53bb7d383c9adf3

  • SHA256

    f5a2a17ec58c0e535e888c046a88eb1703fd65111fff76073fa8b540702f5efa

  • SHA512

    0372bb40acb5549ddc542b2899358c10bc50d77acea5cc8de2cc808e859f87bcf5979843ede11723e6aee0b227ee6191e2186f4e5ed70e174723a0242f52f914

  • SSDEEP

    12288:MVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:5fP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing banking credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex payload shellcode injected into the Explorer process.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\81f8648768d984dad73854085026281b.dll,#1
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:3268
  • C:\Windows\system32\usocoreworker.exe
    C:\Windows\system32\usocoreworker.exe
    PID:1136
    • C:\Windows\system32\rstrui.exe
      C:\Windows\system32\rstrui.exe
      PID:4580
      • C:\Users\Admin\AppData\Local\mSo\EhStorAuthn.exe
        C:\Users\Admin\AppData\Local\mSo\EhStorAuthn.exe
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2432
      • C:\Windows\system32\EhStorAuthn.exe
        C:\Windows\system32\EhStorAuthn.exe
        PID:1768
        • C:\Users\Admin\AppData\Local\6d0thiHU9\rstrui.exe
          C:\Users\Admin\AppData\Local\6d0thiHU9\rstrui.exe
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:228
        • C:\Users\Admin\AppData\Local\x1y7nj\usocoreworker.exe
          C:\Users\Admin\AppData\Local\x1y7nj\usocoreworker.exe
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:920

Network

MITRE ATT&CK Enterprise v15

Downloads
