Analysis

  • max time kernel
    151s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    31-01-2024 04:39

General

  • Target

    837792f925aca842eba981ebc7aff9a1.dll

  • Size

    2.2MB

  • MD5

    837792f925aca842eba981ebc7aff9a1

  • SHA1

    527e5a2d67f6422ae44a5276ae6cf67f7e597823

  • SHA256

    3806ec3c6ae591fb47c6b48f5dbfaf45d7500d6efb12c07311ecdc5e9c9d514d

  • SHA512

    a4b0865d290225b514fd4b711ae83d5f659b19edf1fd2409920054ef706eb580e2d2a816ba34ceaa5778d1c43bce7149575b736e8828de9c942906800512c90f

  • SSDEEP

    12288:eVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:DfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a banking trojan that specializes in stealing online-banking credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex payload shellcode injected into the Explorer process.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\837792f925aca842eba981ebc7aff9a1.dll
    • Suspicious behavior: EnumeratesProcesses
    PID:3904
  • C:\Windows\system32\quickassist.exe
    C:\Windows\system32\quickassist.exe
    PID:656
  • C:\Users\Admin\AppData\Local\4cnzpoY\quickassist.exe
    C:\Users\Admin\AppData\Local\4cnzpoY\quickassist.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:4832
  • C:\Windows\system32\MusNotificationUx.exe
    C:\Windows\system32\MusNotificationUx.exe
    PID:4224
  • C:\Users\Admin\AppData\Local\3J8wl4c\MusNotificationUx.exe
    C:\Users\Admin\AppData\Local\3J8wl4c\MusNotificationUx.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:4408
  • C:\Windows\system32\isoburn.exe
    C:\Windows\system32\isoburn.exe
    PID:2316
  • C:\Users\Admin\AppData\Local\3ZobJ\isoburn.exe
    C:\Users\Admin\AppData\Local\3ZobJ\isoburn.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:1008
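The process list above, read together with the signatures (Executes dropped EXE, Loads dropped DLL, Adds Run key, the Startup shortcut Btpzaqnqvnv.lnk in the Downloads section), is a DLL side-loading chain: the loader is first registered with regsvr32 /s from %TEMP%, then three signed Windows binaries (quickassist.exe, MusNotificationUx.exe, isoburn.exe) are each run once from System32 and once as a copy in a random-named folder under AppData\Local, where a 2.2MB DLL named UxTheme.dll or XmlLite.dll sits beside them. The two dropped UxTheme.dll copies have different hashes despite identical size, so hash matching alone would miss the next drop; the detection below keys on path and name relationships instead. This is an added example, not part of the sandbox report or the sample: it runs over Sysmon-style events constructed here to mirror the tree. The event field names, the assumption that each dropped copy loads the DLL beside it, and the PID attributed to the Startup-shortcut write are assumptions of the example, not facts from the report.

```python
"""Detection logic for the regsvr32 -> copied-LOLBin -> side-loaded-DLL chain.

Added example; the Event shape is an assumption, not a sandbox or Sysmon schema.
"""
import ntpath
import re
from dataclasses import dataclass

SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Signed system binaries the report shows launched from System32 and then
# again from a random-named folder under %LOCALAPPDATA%.
SYSTEM_BINARIES = {"quickassist.exe", "musnotificationux.exe", "isoburn.exe"}
# DLL names dropped next to those copies (Downloads section of the report).
SIDELOAD_DLL_NAMES = {"uxtheme.dll", "xmllite.dll"}


@dataclass
class Event:
    """Minimal Sysmon-like event; field names are an assumption of this example."""
    kind: str          # "process" (EID 1), "imageload" (EID 7) or "filecreate" (EID 11)
    pid: int
    image: str         # image path of the acting process
    cmdline: str = ""  # process events only
    loaded: str = ""   # imageload events only: DLL path
    target: str = ""   # filecreate events only: created file path


def _norm(path):
    return path.lower().replace("/", "\\")


def detect(events):
    """Return (pid, reason) tuples for events matching the report's TTPs, in event order."""
    findings = []
    for e in events:
        image_dir, image_name = ntpath.split(_norm(e.image))
        if e.kind == "process":
            # regsvr32 /s <dll> from %TEMP%: the initial execution (PID 3904 in the report)
            if (image_name == "regsvr32.exe"
                    and re.search(r"(^|\s)/s(\s|$)", e.cmdline, re.I)
                    and "\\appdata\\local\\temp\\" in _norm(e.cmdline)):
                findings.append((e.pid, "regsvr32 silently registers a DLL from %TEMP%"))
            # A System32 binary name running from a non-system directory (PIDs 4832, 4408, 1008)
            if image_name in SYSTEM_BINARIES and image_dir not in SYSTEM_DIRS:
                findings.append((e.pid, f"{image_name} executed from {image_dir}"))
        elif e.kind == "imageload":
            dll_dir, dll_name = ntpath.split(_norm(e.loaded))
            # A system DLL name resolved from the process's own non-system directory
            if dll_name in SIDELOAD_DLL_NAMES and dll_dir not in SYSTEM_DIRS and dll_dir == image_dir:
                findings.append((e.pid, f"side-loaded {dll_name} from {dll_dir}"))
        elif e.kind == "filecreate":
            target = _norm(e.target)
            # Shortcut written to the per-user Startup folder (8.3 or long path form)
            if target.endswith(".lnk") and "\\programs\\startup\\" in target:
                findings.append((e.pid, f"startup shortcut {ntpath.basename(target)}"))
    return findings


# Constructed events mirroring the report's process tree; not sandbox output.
SAMPLE_EVENTS = [
    Event("process", 3904, r"C:\Windows\system32\regsvr32.exe",
          cmdline=r"regsvr32 /s C:\Users\Admin\AppData\Local\Temp\837792f925aca842eba981ebc7aff9a1.dll"),
    Event("process", 656, r"C:\Windows\system32\quickassist.exe",
          cmdline=r"C:\Windows\system32\quickassist.exe"),
    # Benign control: the genuine binary loading the genuine DLL (assumed, not in the report)
    Event("imageload", 656, r"C:\Windows\system32\quickassist.exe",
          loaded=r"C:\Windows\System32\UxTheme.dll"),
    Event("process", 4832, r"C:\Users\Admin\AppData\Local\4cnzpoY\quickassist.exe",
          cmdline=r"C:\Users\Admin\AppData\Local\4cnzpoY\quickassist.exe"),
    Event("imageload", 4832, r"C:\Users\Admin\AppData\Local\4cnzpoY\quickassist.exe",
          loaded=r"C:\Users\Admin\AppData\Local\4cnzpoY\UxTheme.dll"),  # assumed pairing
    Event("process", 4408, r"C:\Users\Admin\AppData\Local\3J8wl4c\MusNotificationUx.exe",
          cmdline=r"C:\Users\Admin\AppData\Local\3J8wl4c\MusNotificationUx.exe"),
    Event("imageload", 4408, r"C:\Users\Admin\AppData\Local\3J8wl4c\MusNotificationUx.exe",
          loaded=r"C:\Users\Admin\AppData\Local\3J8wl4c\XmlLite.dll"),  # assumed pairing
    # Writing process is assumed; the report lists only the dropped file.
    Event("filecreate", 4832, r"C:\Users\Admin\AppData\Local\4cnzpoY\quickassist.exe",
          target=r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Btpzaqnqvnv.lnk"),
]

if __name__ == "__main__":
    for pid, reason in detect(SAMPLE_EVENTS):
        print(pid, reason)
```

The benign pair for PID 656 produces nothing because both the image and the DLL resolve inside System32; the dropped copies fire twice each (unexpected directory, then the side-load). Real Sysmon telemetry carries these fields as Image, CommandLine, ImageLoaded and TargetFilename, and a production rule would also check the Signed/SignatureStatus field on the loaded DLL, which the report does not expose.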

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\3J8wl4c\MusNotificationUx.exe
    Filesize: 615KB
    MD5: 869a214114a81712199f3de5d69d9aad
    SHA1: be973e4188eff0d53fdf0e9360106e8ad946d89f
    SHA256: 405c2df9a36d7cfb5c8382c96f04792eb88c11a6cfa36b1d2ec3e0bec8d17361
    SHA512: befcdeb8de6e68b9ee0bacd4cbc80f7393a0213d4039b239c98585e0cd5db1755c75559a62372374cbfb7132b6a7973ea9e6a31952e0e0ba007079c56e6d9012

  • C:\Users\Admin\AppData\Local\3J8wl4c\XmlLite.dll
    Filesize: 2.2MB
    MD5: dd3443ca746d2de4ad3fb6c39214650b
    SHA1: b09b644b86a0ab18eaaaf942fdcb8b3f159baac5
    SHA256: 98cfdffaf902883364b3a625be4506ff6256507583b02fba5fc03071b775f517
    SHA512: 6830ea76c35d5ccacc7de010244be71c8c76cea870ddb15990b036d9fb1b980d5ab719e331e2512faeacdde30868b4e44f88c47b4c6ecadc3a38f98b4c618c4e

  • C:\Users\Admin\AppData\Local\3ZobJ\UxTheme.dll
    Filesize: 2.2MB
    MD5: eb00165aadcb47d6bee4a5d9dc587744
    SHA1: 3691011d5cb6bddc6f9a7f4d2e274b30fcb829ad
    SHA256: 86f8d6993e9a48698cd8cc161b443172a2ed10aef2608b0f1ccdf53f2c18f544
    SHA512: c3699499943108e72e10f021b289c2d20d411c88f7ddfad4d01a2d85f8cc507c2cc914d1e28a761174cb0b34c57bbf958f2e1438c2c55d1d20732cdcf19194bc

  • C:\Users\Admin\AppData\Local\3ZobJ\isoburn.exe
    Filesize: 119KB
    MD5: 68078583d028a4873399ae7f25f64bad
    SHA1: a3c928fe57856a10aed7fee17670627fe663e6fe
    SHA256: 9478c095afe212bce91d2de1a3c3647109f2d54e46b9bf70843e839324458567
    SHA512: 25503a47c53fe83eeb56726b5a5eec5cb01bc783e866306f92242a7a8cbafa20a3209217e0f4561febfec78d2f64f1725727a6b2d3ee6da512618984d0bb0bc1

  • C:\Users\Admin\AppData\Local\4cnzpoY\UxTheme.dll
    Filesize: 2.2MB
    MD5: ed5bf30ce05e3cff7854bf9ffaca08f5
    SHA1: f5daaa1b33a039c224500c083bf8146eba59e97d
    SHA256: d42eb85ce48c35c3da642ea90ca87df59c7986ce45c09c475303af8d9ed0a11f
    SHA512: ff75b84b15328b5f5eb693c3fb0e75d673096701584aeb024f7302d2c02c675a97259911d92c5f0b3a0d2b0a16a14fb2c65261928402e41b0ebbe8502716f05c

  • C:\Users\Admin\AppData\Local\4cnzpoY\quickassist.exe
    Filesize: 665KB
    MD5: d1216f9b9a64fd943539cc2b0ddfa439
    SHA1: 6fad9aeb7780bdfd88a9a5a73b35b3e843605e6c
    SHA256: c1e8fda00da574e8759ba262d76b6edc1d5f4a80620730ef0be7527e0d803db2
    SHA512: c5fd7d81d1d478056fcbed0ba887ce551832f0104e7c31753c3c8760b4d63f38324f74e996684042acc8f9682fce8a8c85172741a868257e87d5e0f988c4e567

  • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Btpzaqnqvnv.lnk
    Filesize: 1KB
    MD5: f1f71ccfe60d089abd759eb656643c89
    SHA1: fb2aeecbf68609fa06fd80c529b72003d7a4a798
    SHA256: 74005608bb7afc7bbdd14824ea760fd2282855943f740147c3b1263a8332fb9e
    SHA512: ee55544874138a3ff3a5b594d2ab3f639b730b87eab4ffa61412ffea2ef5f0a61576b09173eb5fdd4f29f488e45c17cfcbee4a4cc719bd485685dda77c188d4f

  Memory dumps (named memory/<pid>-<index>-<start>-<end>-memory.dmp), grouped by process and region:

  • memory/1008-111: 0x0000026180B40000-0x0000026180B47000 (28KB)
  • memory/3480, dumps 6, 8, 10-47, 55, 65, 67: 0x0000000140000000-0x0000000140232000 (2.2MB)
  • memory/3480-4: 0x0000000001350000-0x0000000001351000 (4KB)
  • memory/3480-9: 0x00007FFE914BA000-0x00007FFE914BB000 (4KB)
  • memory/3480-48: 0x0000000001310000-0x0000000001317000 (28KB)
  • memory/3480-58: 0x00007FFE93140000-0x00007FFE93150000 (64KB)
  • memory/3904, dumps 1, 7: 0x0000000140000000-0x0000000140232000 (2.2MB)
  • memory/3904-0: 0x0000000000810000-0x0000000000817000 (28KB)
  • memory/4408-93: 0x00000280567B0000-0x00000280567B7000 (28KB)
  • memory/4832, dumps 76, 82: 0x0000000140000000-0x0000000140233000 (2.2MB)
  • memory/4832-77: 0x00000253A2F40000-0x00000253A2F47000 (28KB)