Analysis

  • max time kernel: 149s
  • max time network: 149s
  • platform: windows10-2004_x64
  • resource: win10v2004-20231222-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 01-02-2024 16:32

General

  • Target: 875d030c5fc6c9897bd817f84ca43711.dll
  • Size: 2.9MB
  • MD5: 875d030c5fc6c9897bd817f84ca43711
  • SHA1: 865b73891c48646127255bfdc6104552b7aa90a4
  • SHA256: 2303cd17c0c377a2c2446c1267c7ff5a772e4cc30c721eddf332fae15489d256
  • SHA512: d67ae0e3134a96e7c3948813206839eb330f411104751450cd600b4b7aea549aa2c140b9b45c9c7d36c21b4c09c3ed83c89eac384816dd5942c4d07490cca48b
  • SSDEEP: 12288:tVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:0fP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode (1 IoC)

    Detects Dridex payload shellcode injected into the Explorer process.

  • Executes dropped EXE (3 IoCs)
  • Loads dropped DLL (3 IoCs)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Checks whether UAC is enabled (1 TTP, 4 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of AdjustPrivilegeToken (4 IoCs)
  • Suspicious use of FindShellTrayWindow (2 IoCs)
  • Suspicious use of UnmapMainImage (1 IoC)
  • Suspicious use of WriteProcessMemory (12 IoCs)
  • Uses Task Scheduler COM API (1 TTP)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\875d030c5fc6c9897bd817f84ca43711.dll,#1
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:4792
  • C:\Windows\system32\SystemPropertiesPerformance.exe
    C:\Windows\system32\SystemPropertiesPerformance.exe
    PID:4584
    • C:\Users\Admin\AppData\Local\pN8UjZK6U\SystemPropertiesPerformance.exe
      C:\Users\Admin\AppData\Local\pN8UjZK6U\SystemPropertiesPerformance.exe
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2108
    • C:\Windows\system32\perfmon.exe
      C:\Windows\system32\perfmon.exe
      PID:3656
      • C:\Users\Admin\AppData\Local\aKU\perfmon.exe
        C:\Users\Admin\AppData\Local\aKU\perfmon.exe
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:4932
      • C:\Windows\system32\rdpinit.exe
        C:\Windows\system32\rdpinit.exe
        PID:2932
        • C:\Users\Admin\AppData\Local\Gxb4\rdpinit.exe
          C:\Users\Admin\AppData\Local\Gxb4\rdpinit.exe
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:4804

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Gxb4\dwmapi.dll
    Filesize: 148KB
    MD5: 2cf6b0e09a31ad97cf6b4b5742dccd5e
    SHA1: 6e6f298fdfeb06e63c9079242f52609bff76f045
    SHA256: 1bee8d526438e1a705405fc5b047350fba22848f6d7f5a420e92e97b098d0862
    SHA512: 9222b7c9382ff49f312223abf513a4c769bc484a71d9181b366cc8fa52ea9c41c3a72f7d1e49cb48c8ed214c4e295e444a35dc03305aff79434e72bc416b53fc

  • C:\Users\Admin\AppData\Local\Gxb4\dwmapi.dll
    Filesize: 114KB
    MD5: 949e25ad7091fdc09721ba28aa3217b4
    SHA1: 122b9594d991b31c5f653e7718479157c8417cf7
    SHA256: 41d34657d5cede6c9b325b8d923cf5ef893f633963480461a50cb557143da3de
    SHA512: 965fd301f93e09697b5f7e4ac903e4a264739ff25fb09eac84e7e1ef7bab22d6c92db997bce7554930a5bda9c0cc09c79c5536ede530f934bfa4ac14943b4bda

  • C:\Users\Admin\AppData\Local\Gxb4\rdpinit.exe
    Filesize: 146KB
    MD5: d8d69894d1c8208c1de0a8160ef00b03
    SHA1: bac8472e728de47a79068aa5fa94e7bf7dd1a48d
    SHA256: d1f854b6c5686b6bcb5816b63b5a609c5cbba9a00fc52abff7b0ce26d98e95b0
    SHA512: f7595477a4fe9e3807f89a5c0d778ef17fe4162f8b94c65d46e1a4b365406dc6b380eb8805ca8d5d878377b7c2f77783859b01282335e422d2e6e1cb10f1bc35

  • C:\Users\Admin\AppData\Local\Gxb4\rdpinit.exe
    Filesize: 128KB
    MD5: 675e58c5c39098da7b62e2d2e2a0ad8d
    SHA1: 05e6ac73545584462366c6f2ee01a0bdf718d7a1
    SHA256: eb0051a83c533515346aced55567dd51da28bb51442e64463dcd54fc5b7dba12
    SHA512: 517c7f3db24b74e0f56dd211ad69d5a336996722003ebfca0e250c18bbf3cff2296769a5f7bd941fd9685a23320bd4582451fc1b73fbde4b0fbbd6363079b245

  • C:\Users\Admin\AppData\Local\aKU\credui.dll
    Filesize: 23KB
    MD5: 314f6c7f16d5fb2716e1522aa9a18820
    SHA1: 872a0560e675a97e3eb2af699a1cd7e00263d31b
    SHA256: c49b4a248359597b2e45c46ba7650d2bd6ac220a84cb3e2101c0f43ee7b2fc86
    SHA512: cf1eb185f8770943dca341dea026f84a3536a2a9f0eed3d7414da18d6e4bb9423222bc773f6b77726247d3f533f61facfd4dd12421707cb6ef609f47624fccb6

  • C:\Users\Admin\AppData\Local\aKU\credui.dll
    Filesize: 50KB
    MD5: d7dc8eed4044324135c15a3b0514d98d
    SHA1: 2f5e0282cd5425681882306356c7bd0207a9895d
    SHA256: c949a9d53dc13743462e07e659644dcbc5125680e171a6924e55e872b9e00bac
    SHA512: 7879db1f6b9546fe1129d64d595af3da516fda9924f3bb47d19c7950b2aaaa56b8aeb9a79f2da7dc46decef65bd90172930bcd043f82f695170fb539f2a5d5a8

  • C:\Users\Admin\AppData\Local\aKU\perfmon.exe
    Filesize: 9KB
    MD5: e6fcb021f69f747424d5cae244231d7b
    SHA1: 9e498a85ff65b1e68dcc78f0e651de5dd29bbdaf
    SHA256: d94d3e2cd29a7bff5798312b800be0760958edbcad1f1881c2c4237b592117e5
    SHA512: c3e14b43e4e0a5692a98398d2d6ba3a3f1da2ccec4d37d10ce958ebdfcabe4fe0a6e0877b5ceaba20f19c1f7901833d0e79d134337e0400d30f730516173b495

  • C:\Users\Admin\AppData\Local\aKU\perfmon.exe
    Filesize: 9KB
    MD5: fd4fe809327ed3aa30e2257f29845fb7
    SHA1: d60dbd95d482b20b09bd093d8d5bc675a5070f46
    SHA256: 39d2138c161977b9e80124f181af493a22a01f571a6477e1aed200ccb6d66120
    SHA512: 1c932b5a130959632d34f63a30ada402cb9c4b0505cf5554d60cfbec42597f0f76f5561273f647717e6bdbed5b1b41baa1a3b026f3dd3fb8bfb3846fbd1f88e8

  • C:\Users\Admin\AppData\Local\pN8UjZK6U\SYSDM.CPL
    Filesize: 79KB
    MD5: e0f222df7b84a9832baaa2d20a2cb3ce
    SHA1: 7bf1f284857d55e1e4fcbff5e91641990b070cd8
    SHA256: d170dc3a00e24d1af0d4e935455c5cdb4998f92499e11d56fb13a8e45a3e8285
    SHA512: fb6cc7980d6625fd2e40f4c7a8f367c5f09ebf542d1393df9a79b0a624417e4ace3d90e941c74a2c4111a5c28c1831626a9ca3a778c2df0eb0146692690cd362

  • C:\Users\Admin\AppData\Local\pN8UjZK6U\SYSDM.CPL
    Filesize: 54KB
    MD5: 032a00a6cec70c25dab3d7a07d7156d9
    SHA1: 6ba1018ad30743908e6b4dd11aa2fcd140ae3c61
    SHA256: 3f0d10ef9e89208237346f65b687408bf1a4131dadf80f9ae6bcab7c89992aab
    SHA512: 5bf896c720a90e5575e990e0874b367d9780e2dc0d96b2cdce51121fb462851c1f21e5e0b619aef40b8841917fa1f5147688564c101cf6b80e55bb35ce9f1b45

  • C:\Users\Admin\AppData\Local\pN8UjZK6U\SystemPropertiesPerformance.exe
    Filesize: 74KB
    MD5: 286000af312605193247bc0f4b1a6f40
    SHA1: 0303ec4a444cb95182cc0e950039d35e67e26f7f
    SHA256: 5d2b95c69a7a218f389b33d3e0f795085d63a7e16ec5f1ad66ddf9bfce5a3d71
    SHA512: 6345414821b189afff6860562b29de06977198a17c08346cbe732ee18041368c766bce380f649c7ad23d622fc2e912e6936bec95ec77dc1ea8460f3542dc98ca

  • C:\Users\Admin\AppData\Local\pN8UjZK6U\SystemPropertiesPerformance.exe
    Filesize: 75KB
    MD5: 4a70d5107178e91de8887eb7bf432c0e
    SHA1: 083ee63cf469f311c77dd9b17d6a7780813ab29f
    SHA256: b351f0efc5bc8d34de7dae95e2e1521147b690e3ce487429178799b7961d313a
    SHA512: 282df6d36a2964ccbd3fc7e6b5867b5927c1cded6682d4f35a70d6e6ca65e5a8a7b4148d81a958f94ac36a6abb198d512ae4aa5979fd2c646df76f66751c1a50

  • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Wdush.lnk
    Filesize: 979B
    MD5: 50712ca3160b5a7dec36f0034ea14ad2
    SHA1: adb8f59bf905df10865360325834dee373daa699
    SHA256: 46241544c90c79b13411d6f72a335de136fcfeaac55edf88703081fdd1f8751b
    SHA512: 0d16ba5716ec680bab45201c49dfcb85198d019d951190af82c1033988a9797f691db92fcf4c5367015a00451aa0ea9ab1cd90c45eda74e602335a587048d858

  • C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\16.0\EQt19Hh\SYSDM.CPL
    Filesize: 51KB
    MD5: 615bab233249caeb3c60f103fa44a937
    SHA1: 75856f11a63be04eac227f183def37e3af93cb36
    SHA256: 074e6ca2a537ddb30eaec59e1d284803e28add7060c1467b3b22d377b334db87
    SHA512: 46d29771d497371f66e37fce1c6b7ad5d25873ac096c34885a851dadcc13f5c5adbb6dccb533ced5fa837e660acec8149769a9103b5e7fd376e0b834e261a94e

  • C:\Users\Admin\AppData\Roaming\Microsoft\UProof\AOkJb\credui.dll
    Filesize: 167KB
    MD5: 4000828f80141e667e09fadabb6b1dca
    SHA1: fd7addfa2b4ee4ada753e25f300788ee589df16f
    SHA256: 2f7a5eae5026ad437e92561fb1f92a69d2d87dce611b0c5a88e8159b1c76380b
    SHA512: 3c8d5a952726056e48f29cdf58b914ce38f653697889563e04621ba2bb80198540cdb2f50d5bcc99100021629592f9d8c2c6f3323ba8830be513c1929c16cd5e

  • C:\Users\Admin\AppData\Roaming\Sun\ArRkyy4tW\dwmapi.dll
    Filesize: 54KB
    MD5: e61a06405aeb928ab6294e54f1aedbb7
    SHA1: 32698792cb2d3c272db080a1481380e6f82c7cdc
    SHA256: b58b4f6c40230f8e59f22ef569457b04d9b3ccab32091e4dc676337bc66960a5
    SHA512: fd2e08571c19cc3dca750dc9a309e7c67f4c33872dfe7c10dc8580573ec5bc78df66545b1573b4afdfb94c892c980409ab22a2e8037717cce425e998ee97d8de
