Analysis

  • max time kernel
    149s
  • max time network
    122s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    31-01-2024 12:18

General

  • Target

    846540a9573e476e30b92db75daf0040.dll

  • Size

    1.7MB

  • MD5

    846540a9573e476e30b92db75daf0040

  • SHA1

    855922518de0270d786c73a8fff57122dcd0c91b

  • SHA256

    5e53ece48ca9fe32af72a2718f10fe2dd25db88a393f7011a3805115f6b6bd46

  • SHA512

    697f7c5a25e285d8d308d94e7172851083ea0e51a791ff9838c5999c560667a2850d3912593e3c94ec4eef256577487b008a5aef5448d56d1c437d4cd4e4646c

  • SSDEEP

    12288:zVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1a1:ifP7fWsK5z9A+WGAW+V5SB6Ct4bnba1

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex payload shellcode injected into the Explorer process.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\846540a9573e476e30b92db75daf0040.dll,#1
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1632
  • C:\Users\Admin\AppData\Local\FCo\tabcal.exe
    C:\Users\Admin\AppData\Local\FCo\tabcal.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:3528
  • C:\Windows\system32\Taskmgr.exe
    C:\Windows\system32\Taskmgr.exe
    PID:2884
    • C:\Users\Admin\AppData\Local\P7i2fm7d\Taskmgr.exe
      C:\Users\Admin\AppData\Local\P7i2fm7d\Taskmgr.exe
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2888
    • C:\Windows\system32\tabcal.exe
      C:\Windows\system32\tabcal.exe
      PID:4904
      • C:\Windows\system32\SystemSettingsRemoveDevice.exe
        C:\Windows\system32\SystemSettingsRemoveDevice.exe
        PID:4788
        • C:\Users\Admin\AppData\Local\djC8\SystemSettingsRemoveDevice.exe
          C:\Users\Admin\AppData\Local\djC8\SystemSettingsRemoveDevice.exe
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:4104

Network

MITRE ATT&CK Enterprise v15

Downloads

        • C:\Users\Admin\AppData\Local\FCo\HID.DLL

          Filesize

          197KB

          MD5

          e16b852ad225cfe8701bbf96c5066fd6

          SHA1

          2236213edc4a9d9f0510d113f058936a477b44e4

          SHA256

          555a00014e686c391f976ca4d40642575242aa92e2c9316183f2bb270f16b622

          SHA512

          58b566a792be5a2aba451120356c88fd6593418ea53f2d349bd47a64d8dfb915e18a0ed4778cdc77a4794bf941a00719899874c52abc757c1a7b592c0ad79f32

        • C:\Users\Admin\AppData\Local\FCo\HID.DLL

          Filesize

          116KB

          MD5

          0d92f5dde6d48b3ccbb1f23b5e50725f

          SHA1

          fd9c9078cabc2bef9ece6e61acb5443a3cdda4d6

          SHA256

          3e187888153c2970d3f1011fcebc7b84e7deee708090194da9d28d038c0db229

          SHA512

          1bcaf6f258cafb97795c860c8671a2aac8c92070f3adbb46c955b5f97b5a4448c57af040d2d4484444356a240bd4f2365555dca2621c4cac69ef1f4eb8dd37f1

        • C:\Users\Admin\AppData\Local\FCo\tabcal.exe

          Filesize

          84KB

          MD5

          40f4014416ff0cbf92a9509f67a69754

          SHA1

          1798ff7324724a32c810e2075b11c09b41e4fede

          SHA256

          f31b4c751dbca276446119ba775787c3eb032da72eabcd40ad96a55826a3f33c

          SHA512

          646dfe4cfe90d068c3da4c35f7053bb0f57687875a0f3469c0683e707306e6a42b0baca3e944d78f9be5c564bb0600202c32c223a770f89d3e2b07a24673c259

        • C:\Users\Admin\AppData\Local\FCo\tabcal.exe

          Filesize

          64KB

          MD5

          f775f99812e3478654cfe51c7624a3e1

          SHA1

          596a9265f299a6d2fcf9a6f26f34a16fc0381d43

          SHA256

          58d03f748eea6b8ee9defdb3e4822682550afb5437fbdd234e0752e90d785caf

          SHA512

          15c84af025ed5e54e3bf746a45c0d5b4347082cd09cd2298d604db255f6fa91b7b9f03dfb52cf3613c7fbd2e1c1935a34d11ac3ad8903b8ca25ef88dd6ce2b30

        • C:\Users\Admin\AppData\Local\P7i2fm7d\Taskmgr.exe

          Filesize

          92KB

          MD5

          7b091b311e32e4247470225bfb6c5e8d

          SHA1

          9cd0dcc0719d1aa94ba94027512a2df490ec5791

          SHA256

          78b9de939e411b18e43dd381d5258317f1a3e189a10c549751aac1dcd9f55cbb

          SHA512

          7edf82ea12a6960031235ae13b8acfd4fe7ce81906d1c8f336ea80d94dfe9f32e46adaf98ea85933c8a3ac0e2b06b1d3a98a83ead6ad4a721e2b0e630e742882

        • C:\Users\Admin\AppData\Local\P7i2fm7d\Taskmgr.exe

          Filesize

          553KB

          MD5

          41c865e0ed719e994dbe76d727b911c3

          SHA1

          9611f367db454a09df2a01e96a83eea4e28276e3

          SHA256

          f6d0fc8250c8ca6a647d9d5154fc8131301b0866e143afd6ea221ba4333aefdf

          SHA512

          3305041629b52eea474608d2b398e82a6c9eff6be6da60ac61f1aeae78b2bc0adf238a60f8c50c16703b71277c050b8426d5fb981a0695bccea2954c9f44b8d6

        • C:\Users\Admin\AppData\Local\P7i2fm7d\UxTheme.dll

          Filesize

          52KB

          MD5

          da13880c91a4a3e754d74d84e1b96f2a

          SHA1

          b10854057c7cd9617e5a2a85c316f65b638f3a40

          SHA256

          28486df92c1480bacc636d113d2d1de6087188e38e74ec4f420dad86278ee9b6

          SHA512

          317540c6b3e3727c40c5dc9cf43e459b10d1555536ec8d57326b0c440f6708e2e876206a811a9c5f923f1c3cad4ec1533b0fe25a30a7ef5691bd3fce76aad7a4

        • C:\Users\Admin\AppData\Local\P7i2fm7d\UxTheme.dll

          Filesize

          50KB

          MD5

          ddc4b8cc8f081cb550dacf29c3ed98da

          SHA1

          c7a81bded3091196d1bca25f6f0e2dc3564edcd3

          SHA256

          e02527e87dbd68e7cf5946e2af0663371769d209282c56a081b2daa2d2b14351

          SHA512

          ab89959ad05c64c9843f2211b158432553b08843e73528b5e48bcb2bea27828956597384bedeae71796c707a2fe72691bf490d617bae873256e5b244126d04f0

        • C:\Users\Admin\AppData\Local\djC8\DUI70.dll

          Filesize

          236KB

          MD5

          6873d168d1b157ce0306fca408ab51b0

          SHA1

          eb02734b0845d4e56c42bc6bc7672877e44d6c96

          SHA256

          42e201f86c65c03ea848b815eecd036ae7541aca573cd2066419aaba52038352

          SHA512

          f32f1c28ae938c4e0629954eaf2b5870cca0b92a3d61d16dccff39d23589caadaa8752e27c78acb02e80f77d31a8219efdd7604974a20e10117a81324ddaefba

        • C:\Users\Admin\AppData\Local\djC8\DUI70.dll

          Filesize

          450KB

          MD5

          ef4619bc348e58fa377280e819c3ba8a

          SHA1

          8a3bdeb739454f5d33b9a09e2dde787aa81831e3

          SHA256

          cb6bb444012aad5b160828b25a1453d88f21805a4559d8f03df4e1622e53a0be

          SHA512

          73e73ebb65a1c673ad814c5160e6987cfb840182aee318126ced81a5d872775c28f75bbc40d9687860868d25586fff7b74d662e881f3a0b52e4b18c7a9e390c0

        • C:\Users\Admin\AppData\Local\djC8\SystemSettingsRemoveDevice.exe

          Filesize

          39KB

          MD5

          7853f1c933690bb7c53c67151cbddeb0

          SHA1

          d47a1ad0ccba4c988c8ffc5cbf9636fd4f4fa6e6

          SHA256

          9500731b2a3442f11dfd08a8adfe027e7f32ef5834c628eed4b78be74168470d

          SHA512

          831993d610539d44422d769de6561a4622e1b9cb3d73253774b6cecabf57654a74cd88b4ebe20921585ea96d977225b9501f02a0f6a1fc7d2cad6824fd539304

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Iydemppuyghrhln.lnk

          Filesize

          1KB

          MD5

          21b3f963cd5bce3a3f89ba85a17a7252

          SHA1

          684c759d568130ad9281a12f4e16907c24d64504

          SHA256

          27ed215a8b71a6a6efc6aca911708144a1e5f215b7a96d9b76689ac15c8c7a7a

          SHA512

          3203be0f6f546fa95a30d64f59cdd64839f5ed08a28d501490833a750074c3830a82ee3fcb97016afc9a19db554e55c9413d2b0328a2ef199b433546894bba55

        • C:\Users\Admin\AppData\Roaming\Microsoft\Protect\C9\HID.DLL

          Filesize

          1.7MB

          MD5

          c613576a44366b8c492b68951e2dff47

          SHA1

          1f719649578fbdc34ed9d626473fe58470c736b2

          SHA256

          b4ba1ae0c083849c449ddc9b0723846769ca68c841ba058552fd7ea9d829213a

          SHA512

          8e0fb3dc4725f3f143eeb42c63bc4c99294002f090046e54224d02b3ffd13a19f076366b2b89b4ece9e8b438b46443a1ca3bd986e535170633dbba63865ff14e

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\FTEAFjRbqiP\DUI70.dll

          Filesize

          2.0MB

          MD5

          ec2ed4ce93f96b5b29c337f3d2d887b0

          SHA1

          a7d326ae5d06f2066e9e4b11a647682ce6729ff8

          SHA256

          18437cd52a2a4cbcbf3b61c65c024348655cc8be54227f415a95b4b94cfb33f8

          SHA512

          5ec3abee2195e15c921eccd3d0960c7bd7d6aeed4d17aac5c6e87fb179310029251862aa334c7aa6cc7440f1049089a00cca928185a3998767575b907eefe95d

        • C:\Users\Admin\AppData\Roaming\Microsoft\Word\AD23jVrT\UxTheme.dll

          Filesize

          1.7MB

          MD5

          f1954dc28c2666fef391397468703799

          SHA1

          82ffe18308f183f0ba2621ae7d20f89c7cccd4d4

          SHA256

          258372d47d52d302d28a9857ab253fd110bab5997f0299e95307025b8c2a4b94

          SHA512

          877052fd9ae1b7d15b2e5026aefd8a25dc298a6e24e6e4a263bd8d36b7af5dda6054cf770dc576f9d68faadb5c0d2c555aead3299e4d190253ac0372c068001f
