Analysis

  • max time kernel
    149s
  • max time network
    122s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20231215-en locale:en-us os:windows10-2004-x64 system
  • submitted
    31-01-2024 11:13

General

  • Target

    8443322739870ab27a1db14eabc12b55.dll

  • Size

    1.4MB

  • MD5

    8443322739870ab27a1db14eabc12b55

  • SHA1

    5481baebc9122bcd4c65e1afb7f02547f568f3f9

  • SHA256

    caebc606f9cc00c645b3cc46aa6f0fc68cf20a2b832175b14965f5777b5981ca

  • SHA512

    14f20116050d45e6bd7d91e38f87896c0c60c62b80e932325124835ded394e5984b938b544c434934a73bc4deb983e28723524d3223b376e32c5f2e8958cf925

  • SSDEEP

    12288:cVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:pfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex payload shellcode injected into the Explorer process.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 6 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\8443322739870ab27a1db14eabc12b55.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1180
  • C:\Users\Admin\AppData\Local\OSuYS\Taskmgr.exe
    C:\Users\Admin\AppData\Local\OSuYS\Taskmgr.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:1736
  • C:\Windows\system32\Taskmgr.exe
    C:\Windows\system32\Taskmgr.exe
    1⤵
    PID:4900
  • C:\Users\Admin\AppData\Local\htILz\dwm.exe
    C:\Users\Admin\AppData\Local\htILz\dwm.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:464
  • C:\Windows\system32\dwm.exe
    C:\Windows\system32\dwm.exe
    1⤵
    PID:2576
  • C:\Users\Admin\AppData\Local\7VPBQXWmA\GamePanel.exe
    C:\Users\Admin\AppData\Local\7VPBQXWmA\GamePanel.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:3620
  • C:\Windows\system32\GamePanel.exe
    C:\Windows\system32\GamePanel.exe
    1⤵
    PID:2612
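The process tree above, read together with the Downloads section below, shows the layout a responder should hunt for on other hosts: a copy of a Windows binary (Taskmgr.exe, dwm.exe, GamePanel.exe) dropped into a randomly named folder under AppData, next to a DLL carrying the name of a system library (DUser.dll, dxgi.dll, dwmapi.dll), with the "Loads dropped DLL" signature firing on the copied binary. The script below is an added example, not part of this report or of any analysis tooling; it encodes those loader/DLL pairs and a subset of the report's SHA-256 values, then walks a directory tree for either indicator. The function names, the constructed sample tree and the extra hash used in demo() are assumptions, not report data.

```python
"""Hunt for the dropped-loader / shadow-DLL layout this report shows.

Added example; not part of the sandbox report. SIDELOAD_PAIRS and IOC_SHA256
are taken from the report's Downloads section; everything else is assumed.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Loader -> sibling DLL pairs taken from the report's Downloads paths. On a real
# host, treat any System32 executable name found under %LOCALAPPDATA% or
# %APPDATA% as a candidate; this list is limited to what the report shows.
SIDELOAD_PAIRS = {
    "taskmgr.exe": {"duser.dll"},
    "dwm.exe": {"dxgi.dll"},
    "gamepanel.exe": {"dwmapi.dll"},
}

# SHA-256 values from the report: the submitted DLL, the three 1.4MB DLLs
# written under AppData\Roaming, and the Startup-folder shortcut.
IOC_SHA256 = {
    "caebc606f9cc00c645b3cc46aa6f0fc68cf20a2b832175b14965f5777b5981ca",  # submitted .dll
    "9d6f28b82029059378a70fd35bb21a9e4bf5063b90a57352843c01bfda504df2",  # Crypto\w3cHL\DUser.dll
    "d81fd4ce85074493218866012f351e7f7cd02e09d6e5d138bfb6d65dc7101131",  # SendTo\MV\dwmapi.dll
    "c37d8a23fa03a10f9ee41325099576b448aadfabfb0f2e6aca07f685f1b0a739",  # Accessibility\MfLrTNicR\dxgi.dll
    "fa31a3ee521dc153671434c80510d690c8afc7161fd35df0f811f89c600888f9",  # Startup\Psfjn.lnk
}


def sha256_of(path):
    """Stream a file through SHA-256 so large DLLs do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_sideload_pairs(root):
    """Return (exe_path, dll_path) tuples where a known loader sits next to its shadow DLL."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        by_lower = {name.lower(): name for name in files}
        for exe, dlls in SIDELOAD_PAIRS.items():
            if exe not in by_lower:
                continue
            for dll in dlls:
                if dll in by_lower:
                    hits.append((Path(dirpath, by_lower[exe]), Path(dirpath, by_lower[dll])))
    return hits


def find_ioc_hashes(root, iocs=IOC_SHA256):
    """Return {path: sha256} for every file under root whose hash is in the IoC set."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath, name)
            digest = sha256_of(path)
            if digest in iocs:
                hits[path] = digest
    return hits


def build_sample_tree(base):
    """Create a constructed directory tree mirroring the report's OSuYS layout (constructed data)."""
    base = Path(base)
    (base / "OSuYS").mkdir(parents=True, exist_ok=True)
    (base / "OSuYS" / "Taskmgr.exe").write_bytes(b"MZ constructed loader stand-in")
    (base / "OSuYS" / "DUser.dll").write_bytes(b"MZ constructed shadow DLL stand-in")
    (base / "Clean").mkdir(exist_ok=True)
    (base / "Clean" / "notes.txt").write_bytes(b"benign file")
    return base


def demo():
    """Run both checks over the constructed tree and return their findings by file name."""
    with tempfile.TemporaryDirectory() as tmp:
        base = build_sample_tree(tmp)
        # Constructed files cannot reproduce the report's hashes, so the hash of
        # one constructed file is added to the IoC set to exercise the matcher.
        extra = {sha256_of(base / "OSuYS" / "DUser.dll")}
        pairs = find_sideload_pairs(base)
        matches = find_ioc_hashes(base, IOC_SHA256 | extra)
        return {
            "sideload": [(exe.name, dll.name) for exe, dll in pairs],
            "ioc": sorted(path.name for path in matches),
        }


if __name__ == "__main__":
    print(demo())
```

Run `find_sideload_pairs` and `find_ioc_hashes` against a user's AppData tree on a suspect host. The pair check is the more durable of the two: the report lists two different hashes for every dropped file name, so a hash list alone misses the next build, whereas a Windows binary sitting in a writable folder beside a DLL that should only exist in System32 is the layout itself.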

        Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\7VPBQXWmA\GamePanel.exe

          Filesize

          62KB

          MD5

          1e835f3b85741f25b8038c0ed4060d9b

          SHA1

          680b0082da4cfbaf33318dd049a5417c6aa96729

          SHA256

          ca5dc844975162d6f721e790b5ba85e31ecca6400bd225c78b19be6379fe9c98

          SHA512

          afc3a79ae45133d8e4f474108ffd2abfd8a71f02718880fbca678ce9ce931755fdfcce9d732ba0daa549126c8c22f973a67ff1a363c9b7984210bfdcd5ad0c94

        • C:\Users\Admin\AppData\Local\7VPBQXWmA\GamePanel.exe

          Filesize

          5KB

          MD5

          bcdc4c163bd2bd0135feb539a92926b9

          SHA1

          be578f402a1731303ff8aa5836a86afb7ba512c8

          SHA256

          e6ea49ae0d54b0090cf8bd8480a570a016205c59ad049cafc16a7732472e9656

          SHA512

          605f5b71a1e0b7caa1c50a922abe9e17f7ffc840a2f0e5cad76c065cb48a79f916fc10f0a3382d4324bca5d11ec65076ae64429068d20031dc5da58994278fe4

        • C:\Users\Admin\AppData\Local\7VPBQXWmA\dwmapi.dll

          Filesize

          39KB

          MD5

          456cd9acd64c2171db5ffe1b203aff61

          SHA1

          b9297f3c771f9ded20cd7ea2591897822f0f3452

          SHA256

          32989794afa11e4226bec989f2d6118aa1e7c2fea6f2398e995ec9a22a433237

          SHA512

          201f6e7dc40257f6ad5164511f99e8cf2fa943da07b3e15a967b227c9c37b8c7430cf5ade8a4e0c57e81079f72024837b03a12188488ef5fd52dc9d547310543

        • C:\Users\Admin\AppData\Local\7VPBQXWmA\dwmapi.dll

          Filesize

          266KB

          MD5

          70c1f61a7b5d316f00b84c6669f5ebc7

          SHA1

          2a69b2293dd8c8fff6d03129bf7462e7671068cf

          SHA256

          990fe76a9376244f7bb5d693fe5ac42bbf185679673c7c4fb070b76c72886f42

          SHA512

          8d2c24f1eeaeefcc6fee80a3dd46a79c54e1e8d3d6592921ae63b163f7bc98c3fad07f595a5056ee897830b997c7ef684d543f8dc6a547b0bd55dd8a7f89a4bb

        • C:\Users\Admin\AppData\Local\OSuYS\DUser.dll

          Filesize

          164KB

          MD5

          3bb852559f4c04f46644fa5e6d4f0945

          SHA1

          7252263020fdac58814e32264bf2fafb7d4558c3

          SHA256

          58624d22df1162bb765c9601b276f3d7ecb5ba8ce5d1ce1c8392cdec3b41c7a7

          SHA512

          836487a0e40f0e1205a91332d2f967556c4a93d64f6453a8abbbeb02f2de9a80373d95a04835fe4f84fdbcc4122c229ff54cd60364a4dab7cf6585db1396e355

        • C:\Users\Admin\AppData\Local\OSuYS\DUser.dll

          Filesize

          127KB

          MD5

          75d2ea39cdca6178c0b7471d641e6596

          SHA1

          46ba904760a383d3b407aced83af36ecf4891b1a

          SHA256

          292921a89e323c7f38751e34f43d6af35b02c68ef6f49665a718e367c18ccc72

          SHA512

          6b2b869134059fa86f4f976fb92a7082479ee13bb4edb5aa17e5069800292350866b8cf184b9792d6fdf458b41c04617358e2ff95e6bbe7b52ee8f3b79c2104c

        • C:\Users\Admin\AppData\Local\OSuYS\Taskmgr.exe

          Filesize

          146KB

          MD5

          c21c4ddd0c5a346c912204cf17dd885f

          SHA1

          4a81bafcb690038298fd386ae82b71b2855d089a

          SHA256

          2891ec65c660283c1f422475ac26ad7ab6601b794abaf30a4c753290b13c67aa

          SHA512

          b1314bff80f0191892250c7236c780e2683e565d42b6247d904461d6735420f5fcd9440cd03a1d6158be37f409720e1893d1229eef84a312c9dd46deeebb15b4

        • C:\Users\Admin\AppData\Local\OSuYS\Taskmgr.exe

          Filesize

          128KB

          MD5

          69daa7a2622592fdac3ddb45a17d82cc

          SHA1

          978d75544fd942a5bd0777cde1799bd2bc84514c

          SHA256

          40d6bb940e9d21ada5208dd1c3ec08b955a2c6ec0571b27edff0a5aaeeef4d7d

          SHA512

          f5cded6e045bd242755764d25a81d68d8d44adfe2a641133d25b21340678e321078b980242a4f97920f88b1f92a52710d327b9bae51597ea5212dff114019e0c

        • C:\Users\Admin\AppData\Local\htILz\dwm.exe

          Filesize

          70KB

          MD5

          9123d6bfc2c6cc8268a09dfac95cdeb1

          SHA1

          6a11e75f48f5e9123231298a824210c821abfb2d

          SHA256

          43750b68ccb21e1351451c0490d80d75835b1fcbdeee5e3c38d916e4a7da24f0

          SHA512

          82e03bcaa5fa7bb0450dd00b426592aefb815c5c7cad72611895cbb037c6b8455e455110315c6e6185faf1332f4162e92ca605f3c227dc39249d51778c27273e

        • C:\Users\Admin\AppData\Local\htILz\dwm.exe

          Filesize

          92KB

          MD5

          5c27608411832c5b39ba04e33d53536c

          SHA1

          f92f8b7439ce1de4c297046ed1d3ff9f20bc97af

          SHA256

          0ac827c9e35cdaa492ddd435079415805dcc276352112b040bcd34ef122cf565

          SHA512

          1fa25eabc08dff9ea25dfa7da310a677927c6344b76815696b0483f8860fa1469820ff15d88a78ed32f712d03003631d9aceaf9c9851de5dd40c1fc2a7bc1309

        • C:\Users\Admin\AppData\Local\htILz\dxgi.dll

          Filesize

          220KB

          MD5

          3c8cd65dd2ef708ec61db5110e88bc5e

          SHA1

          9bb6ab27f7ca21b55c002b7bb16cfda890bb814e

          SHA256

          b3cc96d9936f4cbf62ab5e22997b80f193fe32d4444d174f602ec7e0b0100046

          SHA512

          d59d37557685bfa5736875c089bffdcf515db5947d3054c0cdde477942c7d6cf90197bbac2feba71f0b560f1ade4a72b950ae282c02284b8abf1cc2dc00201ff

        • C:\Users\Admin\AppData\Local\htILz\dxgi.dll

          Filesize

          115KB

          MD5

          5542547040d260e40c47d795dccb5019

          SHA1

          d6c22f169d2e263ed703db7dda0cc4814333c5d1

          SHA256

          05f2fb8d80c173e992783cdaac0dabb3fa4f689cba092800dc047d2f395b2339

          SHA512

          7a20102d7a3a973700eab464fa0ea0ef5f8f58d571d2648d4bc8b44fe2fb3ca2a61109d873a52ae713faffcbc74fca2a015052ec6cce9895dbb9ec1faa13e778

        • C:\Users\Admin\AppData\Local\htILz\dxgi.dll

          Filesize

          136KB

          MD5

          0add18f63b4d84f65bc9164328e5829d

          SHA1

          65eeef41bb27b5f041062e8e3666fa7516a5eb85

          SHA256

          5c74b67d720b97a69c6bcbb5d749b7a1e2477ed0c15443bf618a1b90bd38d9f2

          SHA512

          43dd2b633e7e3619043ee7f18176fa905bfeb7d0ceb77a9a1fa0255a15f9d1e940f27d3e0dd5c8137b0c74dad7d96cfdc8d0174a1e9806f1fb6449ccca760290

        • C:\Users\Admin\AppData\Local\htILz\dxgi.dll

          Filesize

          10KB

          MD5

          122258555cae8c0d93e0ac38d8262948

          SHA1

          a180596fafa2a0dfbdc13ec6be248b5d6559c5e9

          SHA256

          2523eaa9102ec0b80117a7c739fadad48619904dee8188745d60c22cfad0a93b

          SHA512

          6760da5f6ec6de48b22261993c3958c43973341fbd2c6d62a966ac52a8d0ab2fd3e0cb22d5144407f1201399667cabd614b1f889c051d5db6f40f2fce01b3e11

        • C:\Users\Admin\AppData\Local\htILz\dxgi.dll

          Filesize

          8KB

          MD5

          e94c6cd36a9762948523962e88c0b1e4

          SHA1

          8547feb561c90b82475922a740d4f9b0b2a8c8c3

          SHA256

          d3bfd01bc45d72c049f695bcd27507dbf6b08b7a68f475592412d0d1854735ae

          SHA512

          f30b273822003d059e2732aa0010264d2a39eefcfb93b3ce9324957d7f9a322afe1b632a2b4847422d2abfaefa4a635ca5e55e520c387da9990dfcf1fb8fa652

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Psfjn.lnk

          Filesize

          1KB

          MD5

          3a1917d44a437ad074509fa866eb62f0

          SHA1

          9858d0245e109b6dc30847f99167c0650c2bee0a

          SHA256

          fa31a3ee521dc153671434c80510d690c8afc7161fd35df0f811f89c600888f9

          SHA512

          a5e84c4eee9662f67d558cce901a5b9d2e8081afed7fe23b8c66644509a4d08ee9dd1872b3fc5f52427326063c2edf42ac3e80520eba6b915b2022df65942167

        • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\w3cHL\DUser.dll

          Filesize

          1.4MB

          MD5

          92eb4eab19aed31d463b4465687e30b6

          SHA1

          d7a326feeee658440f6b639f244c99f2008022d1

          SHA256

          9d6f28b82029059378a70fd35bb21a9e4bf5063b90a57352843c01bfda504df2

          SHA512

          fedc93df62b5f8a044ce65daf237222176fb9a83b54cb2c0d09fbb1e316172652684d50cf6838e8848a168f9d349d2ee9d0e5498c1118ea144bb76596c9e0fd6

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\MV\dwmapi.dll

          Filesize

          1.4MB

          MD5

          35e661bcad34693cabd180b875efab3f

          SHA1

          ac6289eed7f0b254556490596772032f58c68c51

          SHA256

          d81fd4ce85074493218866012f351e7f7cd02e09d6e5d138bfb6d65dc7101131

          SHA512

          03cd6a120961373014a9eae1d9d021c6376caee23b3cb307d80661fa13826f3b23d510b0b66e56d1ddd03482550b39c3ac72e6bc414f233edb895ed4d036c3fc

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\MfLrTNicR\dwm.exe

          Filesize

          31KB

          MD5

          32580fa4ce5829d9174405e8ed106c07

          SHA1

          f6d51f5ba5c3ded1e6369f7580e5b8270898ce4b

          SHA256

          221e44df28ec38e4d550a7a12e1f8525ddfb53f83b9859b5d55b5765259dc3ad

          SHA512

          84a8c17d3d240cd08f5056a48d5c42a5293e84471465d0104652425775959c6ddb3c9d21049eb79e38f420e2da81b7a941e8107b3d73e395cf48baf2506ce4c8

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\MfLrTNicR\dxgi.dll

          Filesize

          1.4MB

          MD5

          fc42867378cdb2888c7810897937f847

          SHA1

          72859c10295eab63bbe1ee6881fbbe6b30412b9d

          SHA256

          c37d8a23fa03a10f9ee41325099576b448aadfabfb0f2e6aca07f685f1b0a739

          SHA512

          71050e68c5628fbcfc48314dd9c0858545391e3b5f04b5643b7ea627733e834913af496782483801145816444031a879b8c8326801daca8befcb7d501e77acc9

        • memory/464-84-0x000001F581E50000-0x000001F581E57000-memory.dmp

          Filesize

          28KB

        • memory/464-86-0x0000000140000000-0x0000000140167000-memory.dmp

          Filesize

          1.4MB

        • memory/1180-8-0x0000000140000000-0x0000000140166000-memory.dmp

          Filesize

          1.4MB

        • memory/1180-0-0x0000000140000000-0x0000000140166000-memory.dmp

          Filesize

          1.4MB

        • memory/1180-2-0x00000259E2610000-0x00000259E2617000-memory.dmp

          Filesize

          28KB

        • memory/1736-96-0x0000000140000000-0x0000000140168000-memory.dmp

          Filesize

          1.4MB

        • memory/1736-101-0x0000000140000000-0x0000000140168000-memory.dmp

          Filesize

          1.4MB

        • memory/1736-95-0x0000019DD79D0000-0x0000019DD79D7000-memory.dmp

          Filesize

          28KB

        • memory/3528-31-0x0000000140000000-0x0000000140166000-memory.dmp

          Filesize

          1.4MB

        • memory/3528-15-0x0000000140000000-0x0000000140166000-memory.dmp

          Filesize

          1.4MB

        • memory/3528-17-0x0000000140000000-0x0000000140166000-memory.dmp

          Filesize

          1.4MB

        • memory/3528-14-0x0000000140000000-0x0000000140166000-memory.dmp

          Filesize

          1.4MB

        • memory/3528-41-0x00007FF9EB020000-0x00007FF9EB030000-memory.dmp

          Filesize

          64KB

        • memory/3528-50-0x0000000140000000-0x0000000140166000-memory.dmp

          Filesize

          1.4MB

        • memory/3528-52-0x0000000140000000-0x0000000140166000-memory.dmp

          Filesize

          1.4MB

        • memory/3528-20-0x0000000140000000-0x0000000140166000-memory.dmp

          Filesize

          1.4MB

        • memory/3528-21-0x0000000140000000-0x0000000140166000-memory.dmp

          Filesize

          1.4MB

        • memory/3528-5-0x00007FF9EA8AA000-0x00007FF9EA8AB000-memory.dmp

          Filesize

          4KB

        • memory/3528-4-0x0000000002D40000-0x0000000002D41000-memory.dmp

          Filesize

          4KB

        • memory/3528-9-0x0000000140000000-0x0000000140166000-memory.dmp

          Filesize

          1.4MB

        • memory/3528-22-0x0000000140000000-0x0000000140166000-memory.dmp

          Filesize

          1.4MB

        • memory/3528-23-0x0000000140000000-0x0000000140166000-memory.dmp

          Filesize

          1.4MB

        • memory/3528-24-0x0000000140000000-0x0000000140166000-memory.dmp

          Filesize

          1.4MB

        • memory/3528-25-0x0000000140000000-0x0000000140166000-memory.dmp

          Filesize

          1.4MB

        • memory/3528-27-0x0000000140000000-0x0000000140166000-memory.dmp

          Filesize

          1.4MB

        • memory/3528-29-0x0000000140000000-0x0000000140166000-memory.dmp

          Filesize

          1.4MB

        • memory/3528-40-0x0000000140000000-0x0000000140166000-memory.dmp

          Filesize

          1.4MB

        • memory/3528-28-0x0000000140000000-0x0000000140166000-memory.dmp

          Filesize

          1.4MB

        • memory/3528-30-0x0000000140000000-0x0000000140166000-memory.dmp

          Filesize

          1.4MB

        • memory/3528-32-0x0000000140000000-0x0000000140166000-memory.dmp

          Filesize

          1.4MB

        • memory/3528-33-0x0000000000B60000-0x0000000000B67000-memory.dmp

          Filesize

          28KB

        • memory/3528-26-0x0000000140000000-0x0000000140166000-memory.dmp

          Filesize

          1.4MB

        • memory/3528-19-0x0000000140000000-0x0000000140166000-memory.dmp

          Filesize

          1.4MB

        • memory/3528-18-0x0000000140000000-0x0000000140166000-memory.dmp

          Filesize

          1.4MB

        • memory/3528-16-0x0000000140000000-0x0000000140166000-memory.dmp

          Filesize

          1.4MB

        • memory/3528-13-0x0000000140000000-0x0000000140166000-memory.dmp

          Filesize

          1.4MB

        • memory/3528-7-0x0000000140000000-0x0000000140166000-memory.dmp

          Filesize

          1.4MB

        • memory/3528-12-0x0000000140000000-0x0000000140166000-memory.dmp

          Filesize

          1.4MB

        • memory/3528-11-0x0000000140000000-0x0000000140166000-memory.dmp

          Filesize

          1.4MB

        • memory/3528-10-0x0000000140000000-0x0000000140166000-memory.dmp

          Filesize

          1.4MB

        • memory/3620-63-0x0000018FC03C0000-0x0000018FC03C7000-memory.dmp

          Filesize

          28KB

        • memory/3620-67-0x0000000140000000-0x0000000140167000-memory.dmp

          Filesize

          1.4MB

        • memory/3620-61-0x0000000140000000-0x0000000140167000-memory.dmp

          Filesize

          1.4MB
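The memory-dump names above carry the region boundaries in their file names: every process in the tree (464, 1180, 1736, 3620) holds a region at 0x140000000 of roughly 0x166000 bytes, the same 1.4MB as the submitted DLL, and so does PID 3528, which does not appear in the Processes section at all. The report's "Dridex Shellcode" signature describes the payload as injected into Explorer, but the report does not name the image behind PID 3528, so the example below only reports the PID. It is an added example, not part of this report or of the sandbox's tooling: it parses the dump-name format, deduplicates repeated dumps of the same range, and lists PIDs that hold the payload-sized region without being in the process list. The dump names are copied from the report; the size tolerance and function names are assumptions.

```python
"""Parse sandbox memory-dump names and find processes holding the payload-sized region.

Added example; not part of the sandbox report. Dump names follow the pattern
memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp as shown in the Downloads list.
"""
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# Subset of dump names copied from the report (constructed selection, one or two per region).
DUMP_NAMES = [
    "memory/464-84-0x000001F581E50000-0x000001F581E57000-memory.dmp",
    "memory/464-86-0x0000000140000000-0x0000000140167000-memory.dmp",
    "memory/1180-0-0x0000000140000000-0x0000000140166000-memory.dmp",
    "memory/1180-2-0x00000259E2610000-0x00000259E2617000-memory.dmp",
    "memory/1736-96-0x0000000140000000-0x0000000140168000-memory.dmp",
    "memory/1736-95-0x0000019DD79D0000-0x0000019DD79D7000-memory.dmp",
    "memory/3528-4-0x0000000002D40000-0x0000000002D41000-memory.dmp",
    "memory/3528-9-0x0000000140000000-0x0000000140166000-memory.dmp",
    "memory/3528-31-0x0000000140000000-0x0000000140166000-memory.dmp",
    "memory/3528-33-0x0000000000B60000-0x0000000000B67000-memory.dmp",
    "memory/3528-41-0x00007FF9EB020000-0x00007FF9EB030000-memory.dmp",
    "memory/3620-63-0x0000018FC03C0000-0x0000018FC03C7000-memory.dmp",
    "memory/3620-67-0x0000000140000000-0x0000000140167000-memory.dmp",
]

# PIDs shown in the report's Processes section.
LISTED_PIDS = {1180, 1736, 4900, 464, 2576, 3620, 2612}

# Size of the 0x140000000 region in rundll32 (PID 1180), i.e. the submitted DLL as mapped.
SUBMITTED_SIZE = 0x166000


def parse_dump_name(name):
    """Return {pid, seq, start, end, size} for a dump name, or None if it does not match."""
    m = DUMP_RE.match(name)
    if not m:
        return None
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"pid": int(m["pid"]), "seq": int(m["seq"]), "start": start, "end": end, "size": end - start}


def regions_by_pid(names):
    """Group distinct (start, end) regions by PID, collapsing repeated dumps of one range."""
    regions = defaultdict(set)
    for name in names:
        rec = parse_dump_name(name)
        if rec:
            regions[rec["pid"]].add((rec["start"], rec["end"]))
    return dict(regions)


def image_sized_regions(names, base=0x140000000, tolerance=0x2000):
    """Map PID -> region size for regions at `base` within `tolerance` of the submitted DLL's size."""
    out = {}
    for pid, regs in regions_by_pid(names).items():
        for start, end in regs:
            if start == base and abs((end - start) - SUBMITTED_SIZE) <= tolerance:
                out[pid] = end - start
    return out


def unlisted_pids_with_payload(names, listed=LISTED_PIDS):
    """PIDs that hold the payload-sized region but never appear in the process list."""
    return {pid for pid in image_sized_regions(names) if pid not in listed}


if __name__ == "__main__":
    for pid, size in sorted(image_sized_regions(DUMP_NAMES).items()):
        print(f"PID {pid}: 0x{size:x} bytes at 0x140000000")
    print("payload region in unlisted PIDs:", sorted(unlisted_pids_with_payload(DUMP_NAMES)))
```

The tolerance absorbs the 0x166000 / 0x167000 / 0x168000 variation the report shows between the original DLL and the dropped copies. A PID that holds the region but is absent from the process tree is the one to pull from the sandbox's process dumps first, since nothing in the tree explains how the payload got there.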