Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01-02-2024 09:36

General

  • Target

    868df0fad643001bb45bb8b38cfd7ec2.dll

  • Size

    2.2MB

  • MD5

    868df0fad643001bb45bb8b38cfd7ec2

  • SHA1

    3d4d21cfb078c2c8eed5adcef1a16b919f2e3b5b

  • SHA256

    35a57a2f4ae0a954f51d0b5da7bbebd60fbd047b7d9dc92da62bc442eb26429e

  • SHA512

    58e116d1627baf816257f2eaddcb01617b2d540b310bd3b9f0a34798bf78dd5631b873ad783bb50fb7f76f573c272445f938aeb9ba171f540c69c92cdb4c3f1d

  • SSDEEP

    12288:7VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:afP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Malware Config

Signatures

  • Dridex

    Dridex (known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\868df0fad643001bb45bb8b38cfd7ec2.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:3236
  • C:\Windows\system32\wermgr.exe
    C:\Windows\system32\wermgr.exe
    1⤵
      PID:3444
    • C:\Windows\system32\rdpshell.exe
      C:\Windows\system32\rdpshell.exe
      1⤵
        PID:2812
      • C:\Windows\system32\CameraSettingsUIHost.exe
        C:\Windows\system32\CameraSettingsUIHost.exe
        1⤵
          PID:2120
        • C:\Users\Admin\AppData\Local\T0A7R1we\rdpshell.exe
          C:\Users\Admin\AppData\Local\T0A7R1we\rdpshell.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1616
        • C:\Users\Admin\AppData\Local\3lgk\wermgr.exe
          C:\Users\Admin\AppData\Local\3lgk\wermgr.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:4692
        • C:\Users\Admin\AppData\Local\Zrkg\CameraSettingsUIHost.exe
          C:\Users\Admin\AppData\Local\Zrkg\CameraSettingsUIHost.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1400

        Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\3lgk\wer.dll

          Filesize

          153KB

          MD5

          cc85ca465742d3255e9990b59cb10b69

          SHA1

          7f7b8c2cdea5d9ac2736ee597a1f713519bd062d

          SHA256

          8fe06c39c610a82619a9bba3c09f83ed764839676d7aec90f0e2ffd783b983b9

          SHA512

          ab0a47c0c424c2bc605d1ee5098ea9a814fe10e94aba6ed4868d423536abf654474f54077086df86eff4c979ecf28c3ea8c0391c7661b0b2c999dfa8495c5b28

        • C:\Users\Admin\AppData\Local\3lgk\wer.dll

          Filesize

          209KB

          MD5

          d80f79e5b1eac19dac428df5da4210d9

          SHA1

          037a777c7482c40a5d29d12640a24e33509bc1f1

          SHA256

          29b44bfc8ad46b3d6c2583e5be8b043a199b1abce5709ca69c941cfe12e953a1

          SHA512

          da06bfda132c5c411054cc6ea8bac1737c97030fc882b8d56501fa8379d780c11b52981eb040305a082421805eb0eda50828eaf46b824d90010077ebcf74c8f8

        • C:\Users\Admin\AppData\Local\3lgk\wermgr.exe

          Filesize

          149KB

          MD5

          f0290d52ed1be017930790f9dfbd4c97

          SHA1

          5c960668c6b1213259736a93b24c118314bec560

          SHA256

          5cbb932752f9e5624f16f2dc0f5d33487984f424f12ac0e5e87ff856505279ac

          SHA512

          b0022e3e9056287aaa63513ed8e09d43c346ed3d511a3c1781dd8b0557cd260b9d6a3f63f7a3425129684ef8e7125d626ec523d66c3e7ac20633ec30cb86e4c7

        • C:\Users\Admin\AppData\Local\3lgk\wermgr.exe

          Filesize

          118KB

          MD5

          d3963f52f8c0abf67f229bfa8ad0d73a

          SHA1

          c9f90ebbc9b6f4b34f823378bfe4e1108a3be92a

          SHA256

          b5764e757f94aaabb0fa958c1358eed33d6fd81a593b04c64f82b3273a3f883d

          SHA512

          6c2c470cc190f31d76e22440c47ff104430cc4f06d8a2acd990c8e7ae9a09fe8e9fcd2ff2ae5cdf7e3c4c940e8abb5a6f3cf555575f4fe3b231eb83a9fb1769a

        • C:\Users\Admin\AppData\Local\T0A7R1we\WTSAPI32.dll

          Filesize

          86KB

          MD5

          fcdc3243d4476c7ee5aca417c7a87bb5

          SHA1

          545e885c5e33e2f4fd852e233a27c7a1cb12954d

          SHA256

          b306b19e0d60bba3342cfdc210c54115a9fa73f041e8be989cf5a7ba2f966b35

          SHA512

          83c159d436462d050458df052b1b3da4401904a92498bd0d8d8aec6471e0ff2237780ea69302fc0f3aad403872c247abd319f0eb844426aa0f2420dae68faf34

        • C:\Users\Admin\AppData\Local\T0A7R1we\WTSAPI32.dll

          Filesize

          132KB

          MD5

          5edba5994b49f14fc6bef0b74c71d7ef

          SHA1

          f37177cd4e721b829df67d7a8fbdb3a04babff92

          SHA256

          f8427baaf2480c1d44768c31771b2aa13636470a6fd99092bec0e14a0e3a1c2b

          SHA512

          cd4089e2b37bc3487a17147c502db752c33e0c88f92d18a625b32e656b697d027c73fe211a0c87d6f0ed02c19698ec6623dd98fd1ba849217576b06fc127565f

        • C:\Users\Admin\AppData\Local\T0A7R1we\rdpshell.exe

          Filesize

          67KB

          MD5

          5b4a14d793b24d89b0be96b5713c980d

          SHA1

          496fa4f9fea7479ebbfd727ea1487b5bd33bef49

          SHA256

          810856a5877f380d353f595be7c653485293de01bf8987d30f13012eee7f6cd1

          SHA512

          fbfd6a6ae33f868304a27385bc04cef5500618e27373d8dff3e4c1fc6ff356a8c390de615888762cca8515d9488f4f1cda04f6071beb3356d28a020eed8d8fa2

        • C:\Users\Admin\AppData\Local\T0A7R1we\rdpshell.exe

          Filesize

          102KB

          MD5

          df327a60a368d75cb46ce0ad48ea4a1e

          SHA1

          5bc83e186c1b87f606253431b7d8b0ae90344a76

          SHA256

          a250660ca0413cab558b7c1aa7f2a9304eb02ad1ec258d611ab86575e65f3052

          SHA512

          6677670afdf39b632c41b760ddc5453bbbde989dccb8a31dbf315fd083f3eca177d0e4fe49fe93a6798cc7c2e290252648c74f85707bb91f6a6674fc8309bad0

        • C:\Users\Admin\AppData\Local\Zrkg\CameraSettingsUIHost.exe

          Filesize

          31KB

          MD5

          9e98636523a653c7a648f37be229cf69

          SHA1

          bd4da030e7cf4d55b7c644dfacd26b152e6a14c4

          SHA256

          3bf20bc5a208dfa1ea26a042fd0010b1268dcfedc94ed775f11890bc1d95e717

          SHA512

          41966166e2ddfe40e6f4e6da26bc490775caac9997465c6dd94ba6a664d3a797ffc2aa5684c95702e8657e5cea62a46a75aee3e7d5e07a47dcaaa5c4da565e78

        • C:\Users\Admin\AppData\Local\Zrkg\DUI70.dll

          Filesize

          229KB

          MD5

          791076ab34e22acbc7976f3b53caf8cc

          SHA1

          2d38e0fb1660143bcecc2357cfeee83399f0fe4c

          SHA256

          b349954ab2e72b34f99db204136f30d86613655cf00fab65e02e02ac7d8ffc1d

          SHA512

          7965f5287f4f38aceca7608b17e49a631427e9a5492a551a2d69551fe3e14da5effcf68c526590860d03c6ce5b8e8059dd2cd0a23104f2910828233aadf5a1db

        • C:\Users\Admin\AppData\Local\Zrkg\DUI70.dll

          Filesize

          230KB

          MD5

          1d8450348de10657d793211c01e1423b

          SHA1

          ac1d6105eed9703da5d63ab0d4bd0a47cc545e59

          SHA256

          f69ca0691f6fbd8ae6d3af1f8883f24975e90e8b0806922f6665687443e52789

          SHA512

          e5defa660a73f893690c2b7881f0097d9302bf4d094368c32f6036898dc1e5283a9af4ecf0c4e9898ee4af991eb9c226547604d31464f1dee25564490d0ce676

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ocuuy.lnk

          Filesize

          1KB

          MD5

          0c9e8c90bd569b766ee0d8f81bb2185c

          SHA1

          ad568e549361f8314612597b8cbf6e4d0c03781c

          SHA256

          0c845afd25468e6bc6b94d32f54292b02e961efe41089ff65622763aebe2898d

          SHA512

          d269b4c4337b298e65787d6ce286fdfb0e5035a9c22eda0c8066cc0accddc70416733be05476606abfdfef44f115eaa7185ff4f8a32c84fba938095f59ca5d22

        • C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\UserData\1wd\wer.dll

          Filesize

          11KB

          MD5

          8283232934a41d7452eed2b88e208dbc

          SHA1

          23cd6227871c2191037a4953c8c15f647fef21f0

          SHA256

          49a551d977cf770ad59b318394604e5d49f46af59186cb4dd4789a7bab9dbbd0

          SHA512

          b6ed9e07754629caa7ed31cd1f98bc1240e56df7b8ff85493969dd2fa44c500f1f8a9d8766cc170becece1defb17eb8714f7e4ffd7024f32fd51ee4db45d7976

        • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\Q20r690eNLh\DUI70.dll

          Filesize

          50KB

          MD5

          7d89922aa33d13c03b554e792e8fc7c6

          SHA1

          e8631ca5423577ab4a6767fad2f8fce33f80a771

          SHA256

          d12b282c79a9005a19f6eb1e613a5fd9fe36a74fb50de808f83037b97528ac55

          SHA512

          c9daa9e4ed099ce3893494e0e7b97e78e00e8504556c042f1623360b097628ce204b887f8210b7bc32a3e622ce71e5aecb396877507cec41ccaa50b501dd7a5d

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\0gF4kz\WTSAPI32.dll

          Filesize

          100KB

          MD5

          1ad6773b5d92bc290ef6a07b451ea749

          SHA1

          37fa77626267b31afb7a67fecd3cda6fcaa189da

          SHA256

          f29c80a5fa69278eb998839b4d076fceccbee186a380ff650e76e0fa38bded61

          SHA512

          37cb1eb4ea06e37fa677002e275f7cd683f688bb602848974d749e88f101e7a3fcc979fa68621fe95ed5f9375efb0c937bd803e975fabcdba89cf03f5d710ad4

        • memory/1400-115-0x000001A288800000-0x000001A288807000-memory.dmp

          Filesize

          28KB

        • memory/1616-96-0x000002B3E8D10000-0x000002B3E8D17000-memory.dmp

          Filesize

          28KB

        • memory/3236-6-0x0000000140000000-0x0000000140235000-memory.dmp

          Filesize

          2.2MB

        • memory/3236-0-0x0000000140000000-0x0000000140235000-memory.dmp

          Filesize

          2.2MB

        • memory/3236-2-0x0000026840380000-0x0000026840387000-memory.dmp

          Filesize

          28KB

        • memory/3408-23-0x0000000140000000-0x0000000140235000-memory.dmp

          Filesize

          2.2MB

        • memory/3408-69-0x0000000140000000-0x0000000140235000-memory.dmp

          Filesize

          2.2MB

        • memory/3408-20-0x0000000140000000-0x0000000140235000-memory.dmp

          Filesize

          2.2MB

        • memory/3408-27-0x0000000140000000-0x0000000140235000-memory.dmp

          Filesize

          2.2MB

        • memory/3408-26-0x0000000140000000-0x0000000140235000-memory.dmp

          Filesize

          2.2MB

        • memory/3408-28-0x0000000140000000-0x0000000140235000-memory.dmp

          Filesize

          2.2MB

        • memory/3408-33-0x0000000140000000-0x0000000140235000-memory.dmp

          Filesize

          2.2MB

        • memory/3408-35-0x0000000140000000-0x0000000140235000-memory.dmp

          Filesize

          2.2MB

        • memory/3408-36-0x0000000140000000-0x0000000140235000-memory.dmp

          Filesize

          2.2MB

        • memory/3408-34-0x0000000140000000-0x0000000140235000-memory.dmp

          Filesize

          2.2MB

        • memory/3408-32-0x0000000140000000-0x0000000140235000-memory.dmp

          Filesize

          2.2MB

        • memory/3408-31-0x0000000140000000-0x0000000140235000-memory.dmp

          Filesize

          2.2MB

        • memory/3408-30-0x0000000140000000-0x0000000140235000-memory.dmp

          Filesize

          2.2MB

        • memory/3408-29-0x0000000140000000-0x0000000140235000-memory.dmp

          Filesize

          2.2MB

        • memory/3408-37-0x0000000140000000-0x0000000140235000-memory.dmp

          Filesize

          2.2MB

        • memory/3408-43-0x0000000140000000-0x0000000140235000-memory.dmp

          Filesize

          2.2MB

        • memory/3408-48-0x0000000140000000-0x0000000140235000-memory.dmp

          Filesize

          2.2MB

        • memory/3408-50-0x0000000140000000-0x0000000140235000-memory.dmp

          Filesize

          2.2MB

        • memory/3408-49-0x00000000014F0000-0x00000000014F7000-memory.dmp

          Filesize

          28KB

        • memory/3408-57-0x0000000140000000-0x0000000140235000-memory.dmp

          Filesize

          2.2MB

        • memory/3408-47-0x0000000140000000-0x0000000140235000-memory.dmp

          Filesize

          2.2MB

        • memory/3408-46-0x0000000140000000-0x0000000140235000-memory.dmp

          Filesize

          2.2MB

        • memory/3408-45-0x0000000140000000-0x0000000140235000-memory.dmp

          Filesize

          2.2MB

        • memory/3408-58-0x00007FFDE8CA0000-0x00007FFDE8CB0000-memory.dmp

          Filesize

          64KB

        • memory/3408-67-0x0000000140000000-0x0000000140235000-memory.dmp

          Filesize

          2.2MB

        • memory/3408-21-0x0000000140000000-0x0000000140235000-memory.dmp

          Filesize

          2.2MB

        • memory/3408-44-0x0000000140000000-0x0000000140235000-memory.dmp

          Filesize

          2.2MB

        • memory/3408-42-0x0000000140000000-0x0000000140235000-memory.dmp

          Filesize

          2.2MB

        • memory/3408-41-0x0000000140000000-0x0000000140235000-memory.dmp

          Filesize

          2.2MB

        • memory/3408-4-0x00000000015C0000-0x00000000015C1000-memory.dmp

          Filesize

          4KB

        • memory/3408-7-0x0000000140000000-0x0000000140235000-memory.dmp

          Filesize

          2.2MB

        • memory/3408-9-0x00007FFDE7C5A000-0x00007FFDE7C5B000-memory.dmp

          Filesize

          4KB

        • memory/3408-25-0x0000000140000000-0x0000000140235000-memory.dmp

          Filesize

          2.2MB

        • memory/3408-24-0x0000000140000000-0x0000000140235000-memory.dmp

          Filesize

          2.2MB

        • memory/3408-22-0x0000000140000000-0x0000000140235000-memory.dmp

          Filesize

          2.2MB

        • memory/3408-19-0x0000000140000000-0x0000000140235000-memory.dmp

          Filesize

          2.2MB

        • memory/3408-18-0x0000000140000000-0x0000000140235000-memory.dmp

          Filesize

          2.2MB

        • memory/3408-17-0x0000000140000000-0x0000000140235000-memory.dmp

          Filesize

          2.2MB

        • memory/3408-16-0x0000000140000000-0x0000000140235000-memory.dmp

          Filesize

          2.2MB

        • memory/3408-15-0x0000000140000000-0x0000000140235000-memory.dmp

          Filesize

          2.2MB

        • memory/3408-14-0x0000000140000000-0x0000000140235000-memory.dmp

          Filesize

          2.2MB

        • memory/3408-40-0x0000000140000000-0x0000000140235000-memory.dmp

          Filesize

          2.2MB

        • memory/3408-39-0x0000000140000000-0x0000000140235000-memory.dmp

          Filesize

          2.2MB

        • memory/3408-13-0x0000000140000000-0x0000000140235000-memory.dmp

          Filesize

          2.2MB

        • memory/3408-8-0x0000000140000000-0x0000000140235000-memory.dmp

          Filesize

          2.2MB

        • memory/3408-12-0x0000000140000000-0x0000000140235000-memory.dmp

          Filesize

          2.2MB

        • memory/3408-11-0x0000000140000000-0x0000000140235000-memory.dmp

          Filesize

          2.2MB

        • memory/3408-38-0x0000000140000000-0x0000000140235000-memory.dmp

          Filesize

          2.2MB

        • memory/3408-10-0x0000000140000000-0x0000000140235000-memory.dmp

          Filesize

          2.2MB

        • memory/4692-84-0x0000000140000000-0x0000000140237000-memory.dmp

          Filesize

          2.2MB

        • memory/4692-80-0x0000017F7E980000-0x0000017F7E987000-memory.dmp

          Filesize

          28KB

        • memory/4692-78-0x0000000140000000-0x0000000140237000-memory.dmp

          Filesize

          2.2MB