Resubmissions

03-09-2024 14:02

240903-rb57sazdqf 10

03-09-2024 13:51

240903-q59avszclf 10

02-09-2024 19:51

240902-yk8gtsxbpd 10

02-09-2024 02:27

240902-cxh7tazflg 10

02-09-2024 02:26

240902-cwxc2sygll 10

21-06-2024 19:37

240621-yca7cszgnd 10

09-06-2024 17:07

240609-vm7rjadd73 10

13-05-2024 17:36

240513-v6qblafe3y 10

12-05-2024 17:17

240512-vty3zafh5s 10

Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-05-2024 16:15

General

  • Target

    Stealers/Dridex.dll

  • Size

    1.2MB

  • MD5

    304109f9a5c3726818b4c3668fdb71fd

  • SHA1

    2eb804e205d15d314e7f67d503940f69f5dc2ef8

  • SHA256

    af26296c75ff26f7ee865df424522d75366ae3e2e80d7d9e89ef8c9398b0836d

  • SHA512

    cf01fca33392dc40495f4c39eb1fd240b425018c7088ca9782d883bb135b5dd469a11941d0d680a69e881fa95c4147d70fe567aeba7e98ff6adfd5c0ca1a0e01

  • SSDEEP

    24576:ZVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:ZV8hf6STw1ZlQauvzSq01ICe6zvm

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\Stealers\Dridex.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:3956
  • C:\Windows\system32\RdpSa.exe
    C:\Windows\system32\RdpSa.exe
    1⤵
      PID:4516
    • C:\Users\Admin\AppData\Local\wMyXxjwax\RdpSa.exe
      C:\Users\Admin\AppData\Local\wMyXxjwax\RdpSa.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:968
    • C:\Windows\system32\DeviceEnroller.exe
      C:\Windows\system32\DeviceEnroller.exe
      1⤵
        PID:2036
      • C:\Users\Admin\AppData\Local\DchAUp\DeviceEnroller.exe
        C:\Users\Admin\AppData\Local\DchAUp\DeviceEnroller.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:5000
      • C:\Windows\system32\raserver.exe
        C:\Windows\system32\raserver.exe
        1⤵
          PID:3216
        • C:\Users\Admin\AppData\Local\t7Quve9c\raserver.exe
          C:\Users\Admin\AppData\Local\t7Quve9c\raserver.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:3756

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\DchAUp\DeviceEnroller.exe

          Filesize

          448KB

          MD5

          946d9474533f58d2613078fd14ca7473

          SHA1

          c2620ac9522fa3702a6a03299b930d6044aa5e49

          SHA256

          cf5f5fe084f172e9c435615c1dc6ae7d3bd8c5ec8ea290caa0627c2f392760cb

          SHA512

          3653d41a0553ee63a43490f682c9b528651a6336f28adafc333d4d148577351122db8279ff83ee59bb0a9c17bb384e9f6c9c78677c8c5ed671a42036dec1f8c1

        • C:\Users\Admin\AppData\Local\DchAUp\XmlLite.dll

          Filesize

          1.2MB

          MD5

          6416b738d57134b6ae8fe8a4b84b9e09

          SHA1

          5a02b350ea879cf2953553a0a2302b1f11bb828b

          SHA256

          ecc360a89911e94c098d0fff2486c682f0ae01785ba41342f7200d19367f3495

          SHA512

          e3a6c084829d24fcb0189b99796d2bb4f2fb07b7cc6cf783a9e08398705dd3274f46508cd83600fb8f51885971d690c6bd733ef3b32fbbd4dbddba7fa4aa756e

        • C:\Users\Admin\AppData\Local\t7Quve9c\WTSAPI32.dll

          Filesize

          1.2MB

          MD5

          8eaf7f0e8092b2cf7733d8bde0432ad4

          SHA1

          cc940fc93735726abc5be709f218d65bc10cc40b

          SHA256

          056a70daadd5e3e4bf47c330b78ef49a6299ff7ec2486a1fbdeba7ecac629aca

          SHA512

          b916a7f2f32c40f54356350a686c3898ddbc4ed60011742cc02c641ee9abc64828e5371f87c8cd8a631ba1258f200dca4bcc955441990eb2b155ab546d6f3ca5

        • C:\Users\Admin\AppData\Local\t7Quve9c\raserver.exe

          Filesize

          132KB

          MD5

          d1841c6ee4ea45794ced131d4b68b60e

          SHA1

          4be6d2116060d7c723ac2d0b5504efe23198ea01

          SHA256

          38732626242988cc5b8f97fe8d3b030d483046ef66ea90d7ea3607f1adc0600d

          SHA512

          d8bad215872c5956c6e8acac1cd3ad19b85f72b224b068fb71cfd1493705bc7d3390853ba923a1aa461140294f8793247df018484a378e4f026c2a12cb3fa5c9

        • C:\Users\Admin\AppData\Local\wMyXxjwax\RdpSa.exe

          Filesize

          56KB

          MD5

          5992f5b5d0b296b83877da15b54dd1b4

          SHA1

          0d87be8d4b7aeada4b55d1d05c0539df892f8f82

          SHA256

          32f60eabe54c4d0cd0f0ec29f48f55ca1ad097bf35097247b186fd70426f847c

          SHA512

          4f6da913af530301da1d0638aa2635ada446ebee6e27b5059db5c2b7fe439162ac3b1a595ecf4163a093890df9ac94d9085a53d8c991e48703f9d2691326e7e6

        • C:\Users\Admin\AppData\Local\wMyXxjwax\WINSTA.dll

          Filesize

          1.2MB

          MD5

          0dcb83d44f3bcb33d09a00417e0ec0b5

          SHA1

          f6aadc850175d88dd4a3f2125935accc9ae6b6b2

          SHA256

          e3d69079971cd152bec145cf6adb828617a0c6537cdaf743c6118919a70ab134

          SHA512

          9ee916ea09919ae58c4c3ac70189880ee4a7670320d535aa3e2727360b02c15e241c93180cdb6b0d6d4724d53ae18dc4cee984a8d648cfc529d5eef8a6124413

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Yvephsk.lnk

          Filesize

          1KB

          MD5

          00a792a62bdd5a0e878357451abe8e40

          SHA1

          4e0e01a9de8647d2926f5f63a51933618706229a

          SHA256

          81cee6dfff40256ebd09a61b77396d794e7381dd4afb535fdabf5316d6fccefc

          SHA512

          e456ac09527cb4afacf4fc5558bd5bacdad41df6c8c2f13732129b5d894acf5987e239dfbf587ec0598a28eb95ffdc4137ad9e186d34a03d88a31c5fe0bcb739

        • memory/968-46-0x000001FEABCB0000-0x000001FEABCB7000-memory.dmp

          Filesize

          28KB

        • memory/968-47-0x0000000140000000-0x0000000140145000-memory.dmp

          Filesize

          1.3MB

        • memory/968-52-0x0000000140000000-0x0000000140145000-memory.dmp

          Filesize

          1.3MB

        • memory/3424-16-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

        • memory/3424-12-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

        • memory/3424-8-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

        • memory/3424-25-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

        • memory/3424-11-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

        • memory/3424-10-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

        • memory/3424-7-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

        • memory/3424-6-0x00007FFD413CA000-0x00007FFD413CB000-memory.dmp

          Filesize

          4KB

        • memory/3424-4-0x00000000033A0000-0x00000000033A1000-memory.dmp

          Filesize

          4KB

        • memory/3424-13-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

        • memory/3424-14-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

        • memory/3424-15-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

        • memory/3424-36-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

        • memory/3424-28-0x00000000010D0000-0x00000000010D7000-memory.dmp

          Filesize

          28KB

        • memory/3424-29-0x00007FFD414B0000-0x00007FFD414C0000-memory.dmp

          Filesize

          64KB

        • memory/3424-9-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

        • memory/3756-83-0x000001EEC4A40000-0x000001EEC4A47000-memory.dmp

          Filesize

          28KB

        • memory/3756-86-0x0000000140000000-0x0000000140144000-memory.dmp

          Filesize

          1.3MB

        • memory/3956-0-0x00000282EEE00000-0x00000282EEE07000-memory.dmp

          Filesize

          28KB

        • memory/3956-39-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

        • memory/3956-1-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

        • memory/5000-63-0x0000000140000000-0x0000000140144000-memory.dmp

          Filesize

          1.3MB

        • memory/5000-69-0x0000000140000000-0x0000000140144000-memory.dmp

          Filesize

          1.3MB

        • memory/5000-66-0x0000023F21EA0000-0x0000023F21EA7000-memory.dmp

          Filesize

          28KB