Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01-02-2024 13:56

General

  • Target

    870eeef933351d3ca6e6f77f6f1b0506.dll

  • Size

    3.5MB

  • MD5

    870eeef933351d3ca6e6f77f6f1b0506

  • SHA1

    292b7b5c4c378e9d4f9271ceb61af16ccecca218

  • SHA256

    0244e314ec929575d050f32ef42e74e572b141b849802f6929ca22fc1401553e

  • SHA512

    3116fc28269a0056ad24e65c488ac694e7a1d67880130f006c1ee1002a9345f9c7b04264cd6788aeb24f086adbed527a0cdff2abd3c6af35f5162ede228a38df

  • SSDEEP

    12288:iVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1Fag:/fP7fWsK5z9A+WGAW+V5SB6Ct4bnbFa

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat or Cridex) is malware that specializes in stealing banking credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex payload shellcode injected into the Explorer process.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\870eeef933351d3ca6e6f77f6f1b0506.dll,#1
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:460
  • C:\Windows\system32\SystemPropertiesProtection.exe
    C:\Windows\system32\SystemPropertiesProtection.exe
    PID:1216
  • C:\Users\Admin\AppData\Local\mtcGu\SystemPropertiesProtection.exe
    C:\Users\Admin\AppData\Local\mtcGu\SystemPropertiesProtection.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:3228
  • C:\Windows\system32\WFS.exe
    C:\Windows\system32\WFS.exe
    PID:3552
  • C:\Windows\system32\consent.exe
    C:\Windows\system32\consent.exe
    PID:2180
  • C:\Windows\system32\shrpubw.exe
    C:\Windows\system32\shrpubw.exe
    PID:1368
  • C:\Users\Admin\AppData\Local\gvap\consent.exe
    C:\Users\Admin\AppData\Local\gvap\consent.exe
    • Executes dropped EXE
    • Loads dropped DLL
    PID:4500
  • C:\Users\Admin\AppData\Local\ADK\WFS.exe
    C:\Users\Admin\AppData\Local\ADK\WFS.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:4060
  • C:\Users\Admin\AppData\Local\dSVFnZs\shrpubw.exe
    C:\Users\Admin\AppData\Local\dSVFnZs\shrpubw.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:2508
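The process list above and the Downloads section below together show the loader's staging pattern: four genuine Windows binaries (SystemPropertiesProtection.exe, WFS.exe, consent.exe, shrpubw.exe) are copied into randomly named directories under the user's AppData\Local and launched from there, each beside a file carrying a Windows module name (SYSDM.CPL, MFC42u.dll, WINSTA.dll), while further copies of those modules are parked under AppData\Roaming and a shortcut (Wdush.lnk) is written to the Startup folder. The script below is an added hunting example, not part of the sandbox report, and applies three heuristics to path lists copied from this report: it groups dropped files by directory to find a copied host binary beside a loadable module, flags shortcuts dropped into the Startup folder, and flags processes whose image name matches one of those System32 binaries but whose directory is not System32. The host and module name sets are taken from this report only and would be widened in practice; several dropped paths appear twice in the report with different sizes and hashes, and the list below keeps one entry per path because the heuristics key on location and name rather than content.

```python
"""Hunting heuristics for the DLL side-loading staging seen in this report.

Added example, not part of the sandbox report. Name sets and path lists are
copied from the report's Processes and Downloads sections so it runs offline.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Genuine Microsoft binaries the report shows re-launched from AppData\Local.
SYSTEM32_HOSTS = {"systempropertiesprotection.exe", "wfs.exe", "consent.exe", "shrpubw.exe"}
# Image types a host binary can be made to load from its own directory.
LOADABLE_EXT = {".dll", ".cpl", ".ocx", ".drv"}
# Only directories a non-admin user can write to matter for this heuristic.
USER_WRITABLE_PREFIX = "c:\\users\\"
SYSTEM32_DIR = "c:\\windows\\system32"

# Dropped-file paths from the Downloads section (one entry per path).
DROPPED_PATHS = [
    r"C:\Users\Admin\AppData\Local\ADK\MFC42u.dll",
    r"C:\Users\Admin\AppData\Local\ADK\WFS.exe",
    r"C:\Users\Admin\AppData\Local\dSVFnZs\MFC42u.dll",
    r"C:\Users\Admin\AppData\Local\dSVFnZs\shrpubw.exe",
    r"C:\Users\Admin\AppData\Local\gvap\WINSTA.dll",
    r"C:\Users\Admin\AppData\Local\gvap\consent.exe",
    r"C:\Users\Admin\AppData\Local\mtcGu\SYSDM.CPL",
    r"C:\Users\Admin\AppData\Local\mtcGu\SystemPropertiesProtection.exe",
    r"C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Collab\it23j0u\MFC42u.dll",
    r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Wdush.lnk",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\UserData\jFZztRz\MFC42u.dll",
    r"C:\Users\Admin\AppData\Roaming\Sun\Seekc4vKb\SYSDM.CPL",
]

# Process image paths from the Processes section, in report order.
PROCESS_IMAGES = [
    r"C:\Windows\system32\rundll32.exe",
    r"C:\Windows\system32\SystemPropertiesProtection.exe",
    r"C:\Users\Admin\AppData\Local\mtcGu\SystemPropertiesProtection.exe",
    r"C:\Windows\system32\WFS.exe",
    r"C:\Windows\system32\consent.exe",
    r"C:\Windows\system32\shrpubw.exe",
    r"C:\Users\Admin\AppData\Local\gvap\consent.exe",
    r"C:\Users\Admin\AppData\Local\ADK\WFS.exe",
    r"C:\Users\Admin\AppData\Local\dSVFnZs\shrpubw.exe",
]


def find_sideload_stages(paths):
    """Group dropped files by directory; return user-writable directories as
    'sideload' (copied System32 host beside a loadable module) or
    'module_only' (loadable module parked with no host in the listing)."""
    by_dir = defaultdict(lambda: {"hosts": set(), "modules": set()})
    for p in paths:
        wp = PureWindowsPath(p)
        parent = str(wp.parent)
        if not parent.lower().startswith(USER_WRITABLE_PREFIX):
            continue
        if wp.name.lower() in SYSTEM32_HOSTS:
            by_dir[parent]["hosts"].add(wp.name)
        elif wp.suffix.lower() in LOADABLE_EXT:
            by_dir[parent]["modules"].add(wp.name)
    result = {"sideload": [], "module_only": []}
    for directory, seen in sorted(by_dir.items()):
        if not seen["modules"]:
            continue  # a lone copied exe is odd, but it is not a side-load pair
        result["sideload" if seen["hosts"] else "module_only"].append(directory)
    return result


# The 8.3 short names in the report (MICROS~1, STARTM~1) still end in Programs\Startup.
STARTUP_LNK = re.compile(r"\\Programs\\Startup\\[^\\]+\.lnk$", re.IGNORECASE)


def find_startup_persistence(paths):
    """Return dropped shortcuts placed in the per-user Startup folder."""
    return [p for p in paths if STARTUP_LNK.search(p)]


def find_masqueraded_processes(images):
    """Return processes whose image name is a known System32 host binary but
    whose image directory is not System32 (a relocated, side-loading copy)."""
    hits = []
    for img in images:
        wp = PureWindowsPath(img)
        if wp.name.lower() in SYSTEM32_HOSTS and str(wp.parent).lower() != SYSTEM32_DIR:
            hits.append(img)
    return hits


if __name__ == "__main__":
    stages = find_sideload_stages(DROPPED_PATHS)
    for d in stages["sideload"]:
        print("side-load stage:", d)
    for d in stages["module_only"]:
        print("parked module:", d)
    for p in find_startup_persistence(DROPPED_PATHS):
        print("startup persistence:", p)
    for p in find_masqueraded_processes(PROCESS_IMAGES):
        print("relocated system binary:", p)
```

Against the report's data this yields the four AppData\Local staging directories as side-load pairs, the three AppData\Roaming directories as parked modules, the Wdush.lnk shortcut, and the four relocated copies of system binaries, while the same four binaries launched from C:\Windows\system32 are not flagged. The location check alone is a heuristic: per-user installers legitimately place .dll files under AppData, so the signal comes from a System32 binary name appearing outside System32, which is why the host-name set, not the module extension, gates the side-load verdict.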

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\ADK\MFC42u.dll
    Filesize  150KB
    MD5       f874e7f70ba7e648e6364f4519836820
    SHA1      aa29ac2a691c06d36caed0f779846bcdd864a273
    SHA256    6a088ca7339d67c77901613491ff748001b45083d9d665a568bd925a34403cd3
    SHA512    747730284889f497acd3275a23d6a6e9ac46a3a90be2de5889cbeafa940b44d4e10743f59a6eba54d0109aa49e7a3e3b0105486b6c51f5a9ff30ad69c1cb7b9a

  • C:\Users\Admin\AppData\Local\ADK\MFC42u.dll
    Filesize  35KB
    MD5       bb1317768fe31286457f39467bf2752d
    SHA1      4c9e326001306fe436197670ad75e5c430086e05
    SHA256    685bd7ce4a7e3ca87c46107d78fcef99393987eede3de909c4e1320030488a0a
    SHA512    75844ceee768a464f7153a1b791f0d97fcbb153ad9d0c98265563394d73944fdfc05f3643179787d09d8b1abd68755d9de3e6291cb0df54b5f0ac2a308b8e2eb

  • C:\Users\Admin\AppData\Local\ADK\WFS.exe
    Filesize  172KB
    MD5       58e102b977551521d268d5841c102882
    SHA1      ccd5f076b6fc1b2738b9418980495df700ad034c
    SHA256    37e8c54d0bd4463edce627cf303fc655ad9d02e5881754e94ece65c8a26733a5
    SHA512    def1b7320cd2393be3bbc125ae59023d1314c0c7fe06369bc471896d8f91b4f3887b4f0634db89e4e4630958bf6b3c6da97c5186796ac7e1d9bb632dbdecfb96

  • C:\Users\Admin\AppData\Local\ADK\WFS.exe
    Filesize  68KB
    MD5       a4fc10fb34de2050f1c2bc3bb57ca38b
    SHA1      b31204bc6ba850a65c944c8c2a19427707f59bc9
    SHA256    a7ce6dd8f834a9864af1790c18d15ea9a73e0af3d573a0aae5d6226894e6a2b2
    SHA512    61ad5ee5beb4063230ad928d7bc07453918a9dfe576059462e9ea90389cdabf7069a09aad0c42d41588f49dac0cb0906150bc01cc06ec815a4091fa19b8ebcaf

  • C:\Users\Admin\AppData\Local\dSVFnZs\MFC42u.dll
    Filesize  106KB
    MD5       57c644384f898efdd1069670223b6fa6
    SHA1      153a945ee8893c0d1f5c08e262a7eee0517aedea
    SHA256    3a2382dee7e7aeb7f240e17b2bd53d9a47587d3fb651401350a3c510270f340c
    SHA512    1f9b6ccbe698840c79e4c30429f74a3fe30198c2335713c3b92b0552157fd72892eafb49f7db41133440c3ca8ec06fafb580f4232122287e5b261d19be102c0b

  • C:\Users\Admin\AppData\Local\dSVFnZs\MFC42u.dll
    Filesize  54KB
    MD5       d822ac764e42024860f8bc246860f8d8
    SHA1      51d11a7b6d6d64a887e9b23441192aa04c3a04d5
    SHA256    dee3d1fac3f1fb3b5b8eb978be94d37e90213c4b3fd1daaa7bb1eea82a81dfa2
    SHA512    66be7830f258344375131914e1a85e8ba1742b91c5eedb23f1d676085381aa8755be70fdad802ac39a272602194aa64a69f76406127a199a914ff48b02db7dea

  • C:\Users\Admin\AppData\Local\dSVFnZs\shrpubw.exe
    Filesize  59KB
    MD5       9910d5c62428ec5f92b04abf9428eec9
    SHA1      05f27d7515e8ae1fa3bc974ec65b864ec4c9ac8b
    SHA256    6b84e6e55d8572d7edf0b6243d00abb651fcb0cddddac8461de5f9bb80035a2e
    SHA512    01be043f7ff879a683e53962eec58456ba200d6787ea66581bb62669ae65d5e58a5577cdf23441165f7a535fce1dec933e3ad2465c72172b4a1488b24ce722cb

  • C:\Users\Admin\AppData\Local\gvap\WINSTA.dll
    Filesize  186KB
    MD5       41dae782693423580eaa8c26a9772e7c
    SHA1      6580bf99762ac852c9e62c4d7dcfb490e3732aa0
    SHA256    41883c7e3c6235b762e53989c93b3226c5043b0452eb899716c889f97b405877
    SHA512    92aba9cc04221d0f809b05481eac17b665e8b504c6a368d1379a0f0c64300fcef80112522f25e19acc0383c4213e6ffcc6b6fbfbba879abaaffad3aa4f400efa

  • C:\Users\Admin\AppData\Local\gvap\WINSTA.dll
    Filesize  97KB
    MD5       d01001e27e3a8140e652d0e7c58bf51d
    SHA1      f7f29d15146db5883d83ef62f007032b7974866d
    SHA256    108429afda69982d1dcc1a75c728ee14c714f92f14765605c36b82f1efc280b1
    SHA512    b7f06486173d60bbdfd2db50c0fdfbd079dcff261e16e46a6780034d103008e814ebc8e7887dd31a5ed1e227361dc49b8dbdb8f4ce5b88a647585e415e727819

  • C:\Users\Admin\AppData\Local\gvap\consent.exe
    Filesize  162KB
    MD5       6646631ce4ad7128762352da81f3b030
    SHA1      1095bd4b63360fc2968d75622aa745e5523428ab
    SHA256    56b2d516376328129132b815e22379ae8e7176825f059c9374a33cc844482e64
    SHA512    1c00ed5d8568f6ebd119524b61573cfe71ca828bd8fbdd150158ec8b5db65fa066908d120d201fce6222707bcb78e0c1151b82fdc1dccf3ada867cb810feb6da

  • C:\Users\Admin\AppData\Local\mtcGu\SYSDM.CPL
    Filesize  14KB
    MD5       8cfacb5c8d1497eddaf2d46b3dc2f99d
    SHA1      8d51d5fc8e72fe63f7e976d5addba68a2dc1b8a9
    SHA256    ed0bee0074bf9b003470c5763314c0c788b4e39632cdb269728f558f7456580d
    SHA512    371379be397cb435629473fb2eb1ff881c36580ca82a95716689f5bec83a2a30bb99c627757ddc8d9dc542fc8cc92c61245a6e2e4cab83294015d98badf51c39

  • C:\Users\Admin\AppData\Local\mtcGu\SYSDM.CPL
    Filesize  68KB
    MD5       b4adef0fdc696c64168afc2b5aa74c2a
    SHA1      e6fcd4a17b2bd50738036ac62faad8e803d76d7d
    SHA256    4eaa94e941140ce791ccf3cf314ca9a33ee2f6d2bf81f8d88e0be7544d43c151
    SHA512    c79f188af494f6a80c922beff72f6f2f82850668bcaad050560810ae3662ea8e7c576a00eae0790c12057fb5262659763da84c4e63561a2af31a6c3a3d245582

  • C:\Users\Admin\AppData\Local\mtcGu\SystemPropertiesProtection.exe
    Filesize  82KB
    MD5       26640d2d4fa912fc9a354ef6cfe500ff
    SHA1      a343fd82659ce2d8de3beb587088867cf2ab8857
    SHA256    a8ddf1b17b0cbc96a7eaedb0003aa7b1631da09ebfe85b387f8f630222511b37
    SHA512    26162a3d9d4a8e3290dbcf6fe387b5c48ab1d9552aa02a38954649d877f408cb282e57580f81e15128e3a41da0eb58328d1d6253e1b57232f9a8cecdd99991dc

  • C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Collab\it23j0u\MFC42u.dll
    Filesize  240KB
    MD5       6e1dd9f95694dedfe1321641f505e026
    SHA1      e3852d37e0b7e91f6cf177387f39e12f8480bef8
    SHA256    8f1bbecd68e1f0a46b8bbffe5275a9c90066c59955b7b25d8c6e0b42105f1a0e
    SHA512    944defbf6b91f4dec0a178f3cbf092120c985aef31bfe9656b7081297cb42f63c1e94458c3228711aeb0487cd8fd2569f2d7f022dd8c2a70ba769486eb0b9386

  • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Wdush.lnk
    Filesize  1KB
    MD5       ffcaa9d01c3434b14f464349f67178d0
    SHA1      b7154af0a606e44cacc45b39a81dd98c1eece769
    SHA256    a89c9f31810c8862b7c511fdbcb969cafa16bde8cbd951096151c629b80bd995
    SHA512    6a6f46b4734d4be35e87900908b671bb0d4ced99287b29c53902726c6ae07661b0330d0ce0d79106cb9628d1eaefb18c61055beaba3a3685cdb77ecad1497869

  • C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\UserData\jFZztRz\MFC42u.dll
    Filesize  223KB
    MD5       bbe2d681c41296565c824df4b6faa504
    SHA1      2e8d7e7011c972b0a651db179b0c0112a8f2971b
    SHA256    fff4ffe577adeeed35308c0d925071fa06f5ce402570a77012ea7dd046423dba
    SHA512    710dc54066cac025d528b3ccb9616b1bbdcdbd7d8e4ce151a10c5417f5c5f54db33c2550753edb9f0ec6709032fa633729c9a15a955d18b580806cb9976d35ca

  • C:\Users\Admin\AppData\Roaming\Sun\Seekc4vKb\SYSDM.CPL
    Filesize  72KB
    MD5       e8c1d4e7df174db73428d0ba5004f090
    SHA1      c16078d7046046fb6800b2b08add56edccdfa804
    SHA256    076541ff52f6c0c0464fa0bf754f8f016e562d1836353018d9cf7c86c389c4d7
    SHA512    ea94e88d3fdf9f532bc01c18a70dd6065b5402edc1ebff48ea40f135fa24f3bb02715096d38f1f45e338ca307165a8cfb27cd5b7a930d6aac5459ac04a284e4b

  • memory/460-6-0x0000000140000000-0x0000000140380000-memory.dmp  (3.5MB)
  • memory/460-1-0x0000000140000000-0x0000000140380000-memory.dmp  (3.5MB)
  • memory/460-0-0x0000023B1A4B0000-0x0000023B1A4B7000-memory.dmp  (28KB)
  • memory/2508-142-0x0000023DB8F40000-0x0000023DB8F47000-memory.dmp  (28KB)
  • memory/3228-98-0x0000021E6CB90000-0x0000021E6CB97000-memory.dmp  (28KB)
  • memory/3568-36-0x0000000140000000-0x0000000140380000-memory.dmp  (3.5MB)
  • memory/3568-62-0x0000000140000000-0x0000000140380000-memory.dmp  (3.5MB)
  • memory/3568-23-0x0000000140000000-0x0000000140380000-memory.dmp  (3.5MB)
  • memory/3568-24-0x0000000140000000-0x0000000140380000-memory.dmp  (3.5MB)
  • memory/3568-26-0x0000000140000000-0x0000000140380000-memory.dmp  (3.5MB)
  • memory/3568-27-0x0000000140000000-0x0000000140380000-memory.dmp  (3.5MB)
  • memory/3568-28-0x0000000140000000-0x0000000140380000-memory.dmp  (3.5MB)
  • memory/3568-25-0x0000000140000000-0x0000000140380000-memory.dmp  (3.5MB)
  • memory/3568-30-0x0000000140000000-0x0000000140380000-memory.dmp  (3.5MB)
  • memory/3568-29-0x0000000140000000-0x0000000140380000-memory.dmp  (3.5MB)
  • memory/3568-31-0x0000000140000000-0x0000000140380000-memory.dmp  (3.5MB)
  • memory/3568-32-0x0000000140000000-0x0000000140380000-memory.dmp  (3.5MB)
  • memory/3568-34-0x0000000140000000-0x0000000140380000-memory.dmp  (3.5MB)
  • memory/3568-35-0x0000000140000000-0x0000000140380000-memory.dmp  (3.5MB)
  • memory/3568-39-0x0000000140000000-0x0000000140380000-memory.dmp  (3.5MB)
  • memory/3568-40-0x0000000140000000-0x0000000140380000-memory.dmp  (3.5MB)
  • memory/3568-41-0x0000000140000000-0x0000000140380000-memory.dmp  (3.5MB)
  • memory/3568-42-0x0000000140000000-0x0000000140380000-memory.dmp  (3.5MB)
  • memory/3568-38-0x0000000140000000-0x0000000140380000-memory.dmp  (3.5MB)
  • memory/3568-37-0x0000000140000000-0x0000000140380000-memory.dmp  (3.5MB)
  • memory/3568-21-0x0000000140000000-0x0000000140380000-memory.dmp  (3.5MB)
  • memory/3568-33-0x0000000140000000-0x0000000140380000-memory.dmp  (3.5MB)
  • memory/3568-43-0x0000000140000000-0x0000000140380000-memory.dmp  (3.5MB)
  • memory/3568-46-0x0000000140000000-0x0000000140380000-memory.dmp  (3.5MB)
  • memory/3568-50-0x0000000140000000-0x0000000140380000-memory.dmp  (3.5MB)
  • memory/3568-52-0x0000000140000000-0x0000000140380000-memory.dmp  (3.5MB)
  • memory/3568-55-0x0000000140000000-0x0000000140380000-memory.dmp  (3.5MB)
  • memory/3568-56-0x0000000140000000-0x0000000140380000-memory.dmp  (3.5MB)
  • memory/3568-57-0x0000000140000000-0x0000000140380000-memory.dmp  (3.5MB)
  • memory/3568-59-0x0000000140000000-0x0000000140380000-memory.dmp  (3.5MB)
  • memory/3568-61-0x0000000140000000-0x0000000140380000-memory.dmp  (3.5MB)
  • memory/3568-22-0x0000000140000000-0x0000000140380000-memory.dmp  (3.5MB)
  • memory/3568-63-0x0000000140000000-0x0000000140380000-memory.dmp  (3.5MB)
  • memory/3568-64-0x0000000140000000-0x0000000140380000-memory.dmp  (3.5MB)
  • memory/3568-65-0x0000000140000000-0x0000000140380000-memory.dmp  (3.5MB)
  • memory/3568-60-0x0000000140000000-0x0000000140380000-memory.dmp  (3.5MB)
  • memory/3568-58-0x0000000140000000-0x0000000140380000-memory.dmp  (3.5MB)
  • memory/3568-53-0x0000000140000000-0x0000000140380000-memory.dmp  (3.5MB)
  • memory/3568-54-0x0000000140000000-0x0000000140380000-memory.dmp  (3.5MB)
  • memory/3568-70-0x00000000010D0000-0x00000000010D7000-memory.dmp  (28KB)
  • memory/3568-51-0x0000000140000000-0x0000000140380000-memory.dmp  (3.5MB)
  • memory/3568-49-0x0000000140000000-0x0000000140380000-memory.dmp  (3.5MB)
  • memory/3568-48-0x0000000140000000-0x0000000140380000-memory.dmp  (3.5MB)
  • memory/3568-20-0x0000000140000000-0x0000000140380000-memory.dmp  (3.5MB)
  • memory/3568-47-0x0000000140000000-0x0000000140380000-memory.dmp  (3.5MB)
  • memory/3568-78-0x00007FFA3F800000-0x00007FFA3F810000-memory.dmp  (64KB)
  • memory/3568-45-0x0000000140000000-0x0000000140380000-memory.dmp  (3.5MB)
  • memory/3568-44-0x0000000140000000-0x0000000140380000-memory.dmp  (3.5MB)
  • memory/3568-4-0x0000000002EC0000-0x0000000002EC1000-memory.dmp  (4KB)
  • memory/3568-19-0x0000000140000000-0x0000000140380000-memory.dmp  (3.5MB)
  • memory/3568-18-0x0000000140000000-0x0000000140380000-memory.dmp  (3.5MB)
  • memory/3568-17-0x0000000140000000-0x0000000140380000-memory.dmp  (3.5MB)
  • memory/3568-16-0x0000000140000000-0x0000000140380000-memory.dmp  (3.5MB)
  • memory/3568-15-0x0000000140000000-0x0000000140380000-memory.dmp  (3.5MB)
  • memory/3568-14-0x0000000140000000-0x0000000140380000-memory.dmp  (3.5MB)
  • memory/3568-13-0x0000000140000000-0x0000000140380000-memory.dmp  (3.5MB)
  • memory/3568-12-0x0000000140000000-0x0000000140380000-memory.dmp  (3.5MB)
  • memory/3568-10-0x0000000140000000-0x0000000140380000-memory.dmp  (3.5MB)
  • memory/3568-11-0x0000000140000000-0x0000000140380000-memory.dmp  (3.5MB)
  • memory/3568-8-0x0000000140000000-0x0000000140380000-memory.dmp  (3.5MB)
  • memory/3568-9-0x00007FFA3DC8A000-0x00007FFA3DC8B000-memory.dmp  (4KB)
  • memory/3568-7-0x0000000140000000-0x0000000140380000-memory.dmp  (3.5MB)
  • memory/4060-117-0x00000207AF720000-0x00000207AF727000-memory.dmp  (28KB)