Analysis

  • max time kernel: 149s
  • max time network: 150s
  • platform: windows10-2004_x64
  • resource: win10v2004-20241007-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 11-10-2024 20:27

General

  • Target: 1e4aed6e957b55dad4f63b7d5f44cb8ce6a7216b6ad4e51d971d307007ed3d2a.dll
  • Size: 940KB
  • MD5: e6ffe9204f9d5606d662bf6f355c3863
  • SHA1: 1632dfd22740045fad5a1fa5149cde3eb694ae7c
  • SHA256: 1e4aed6e957b55dad4f63b7d5f44cb8ce6a7216b6ad4e51d971d307007ed3d2a
  • SHA512: e08cde0affdc24597bd0bbde592fb78afcba4b187d25d3bb0b72949b3a2825c5f8e62d1ef8cf23ce495167517f16516d7448909b538085101c317845b3159ea3
  • SSDEEP: 12288:CPVKLvdxQPKSoVXxTaGcb68Uzx2TBeOWhZJpK8:CtKTrsKSKBTSb6DUXWq8

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

  • Dridex payload 8 IoCs

    Detects Dridex x64 core DLL in memory.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\1e4aed6e957b55dad4f63b7d5f44cb8ce6a7216b6ad4e51d971d307007ed3d2a.dll,#1
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:3872
  • C:\Windows\system32\SystemPropertiesRemote.exe
    C:\Windows\system32\SystemPropertiesRemote.exe
    PID:2672
    • C:\Users\Admin\AppData\Local\gvb\SystemPropertiesRemote.exe
      C:\Users\Admin\AppData\Local\gvb\SystemPropertiesRemote.exe
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:3372
    • C:\Windows\system32\MusNotifyIcon.exe
      C:\Windows\system32\MusNotifyIcon.exe
      PID:3780
      • C:\Users\Admin\AppData\Local\EyedR8\MusNotifyIcon.exe
        C:\Users\Admin\AppData\Local\EyedR8\MusNotifyIcon.exe
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:4836
      • C:\Windows\system32\isoburn.exe
        C:\Windows\system32\isoburn.exe
        PID:3464
        • C:\Users\Admin\AppData\Local\rE1kZ\isoburn.exe
          C:\Users\Admin\AppData\Local\rE1kZ\isoburn.exe
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:820

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\EyedR8\MusNotifyIcon.exe
    Filesize: 629KB
    MD5: c54b1a69a21e03b83ebb0aeb3758b6f7
    SHA1: b32ee7e5b813554c4b8e8f96f176570e0f6e8b6c
    SHA256: ac3e12011b70144cc84539bbccacdfae35bd4ea3ee61b4a9fca5f082d044d8bf
    SHA512: 2680ab501ffe7d40fed28eb207d812880c8a71d71a29d59ba3da27c0bae98c74893e04807d93fba7b5e673c3e13a1ad21bfaab10bdb871d83349ff4e7c614b19

  • C:\Users\Admin\AppData\Local\EyedR8\UxTheme.dll
    Filesize: 944KB
    MD5: cc9f5df006b6a91b9c57bdc58124600c
    SHA1: 49933a4b2a5ca0c1112e7500d1f6d815bcbff808
    SHA256: 6c3fbdd81cd9878c5f6bc5353fffb577a01fc1c5673287eb334e1c7da0b2a181
    SHA512: 46e1fbd19426a25c5c7ee3f35da39bd24765d5b661cf04713f51ee0a0df4d61fa08a527010d5f6de4ad0f4482f2c55f4c4f50db43319d0814078269c49df11bc

  • C:\Users\Admin\AppData\Local\gvb\SYSDM.CPL
    Filesize: 944KB
    MD5: 5ea07bca61b6771aa3443cdef68aeca6
    SHA1: 84b2684ee5d4f05edda019c29225b487f2623801
    SHA256: 0a02248046b75cba8602d27f5e3346b104ec5333bad1142eb0807e9d8c605edc
    SHA512: c0b5e2d8bfd64e9575ca487aca00f8ae86a4689e38edf3fe0967a1cb852e90229a75bb15254d2d633a6b3479d664b69017ff14af19a3f5fa18a95c5e2a4ddade

  • C:\Users\Admin\AppData\Local\gvb\SystemPropertiesRemote.exe
    Filesize: 82KB
    MD5: cdce1ee7f316f249a3c20cc7a0197da9
    SHA1: dadb23af07827758005ec0235ac1573ffcea0da6
    SHA256: 7984e2bff295c8dbcbd3cd296d0741e3a6844b8db9f962abdbc8d333e9a83932
    SHA512: f1dc529ebfed814adcf3e68041243ee02ba33b56c356a63eba5ef2cb6ede1eda192e03349f6a200d34dfab67263df79cf295be3706f4197b9008ccdc53410c26

  • C:\Users\Admin\AppData\Local\rE1kZ\UxTheme.dll
    Filesize: 944KB
    MD5: 9be4e1dd8859cf232e8c73ced853a2e6
    SHA1: 6900e3d21aa934c21bdc23bb78e0f2e5adc516d9
    SHA256: eaabc6c6c47983d921c10be8255121e3a93d7b2a5704a4e7f6205891f4fb5d0a
    SHA512: 6af95b4ddb74011decbb3c1b46fc77056cbc6e09a48d955b3a524b8e99b637702fd67ff746c093cc9e71edbf0796cc052a254d098d31bcd1ef99899ef070b680

  • C:\Users\Admin\AppData\Local\rE1kZ\isoburn.exe
    Filesize: 119KB
    MD5: 68078583d028a4873399ae7f25f64bad
    SHA1: a3c928fe57856a10aed7fee17670627fe663e6fe
    SHA256: 9478c095afe212bce91d2de1a3c3647109f2d54e46b9bf70843e839324458567
    SHA512: 25503a47c53fe83eeb56726b5a5eec5cb01bc783e866306f92242a7a8cbafa20a3209217e0f4561febfec78d2f64f1725727a6b2d3ee6da512618984d0bb0bc1

  • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ehuvmtvuxjwd.lnk
    Filesize: 1KB
    MD5: 69e333244267a20c51eeedc35e06e451
    SHA1: 741174a29ad3dcebfbf9c9114b64c00e7db14652
    SHA256: 866185b6a66553e5441d89a9c605e100f9d32853191eef82bccb80a4c8c83866
    SHA512: 09bc6bb4101d0e9f3fe5747c67550ba49363e656a46639bf4c9cb292b4e9c9b818ec49ce3b5cec57b5abe27dcef61270a6fbbaeaf321e2d1fdce08cf09dc6392

  • memory/820-81-0x0000000140000000-0x00000001400EC000-memory.dmp (Filesize: 944KB)
  • memory/3364-15-0x0000000140000000-0x00000001400EB000-memory.dmp (Filesize: 940KB)
  • memory/3364-12-0x0000000140000000-0x00000001400EB000-memory.dmp (Filesize: 940KB)
  • memory/3364-25-0x00007FFE41AC0000-0x00007FFE41AD0000-memory.dmp (Filesize: 64KB)
  • memory/3364-35-0x0000000140000000-0x00000001400EB000-memory.dmp (Filesize: 940KB)
  • memory/3364-11-0x0000000140000000-0x00000001400EB000-memory.dmp (Filesize: 940KB)
  • memory/3364-10-0x0000000140000000-0x00000001400EB000-memory.dmp (Filesize: 940KB)
  • memory/3364-9-0x0000000140000000-0x00000001400EB000-memory.dmp (Filesize: 940KB)
  • memory/3364-8-0x0000000140000000-0x00000001400EB000-memory.dmp (Filesize: 940KB)
  • memory/3364-5-0x00007FFE3FD0A000-0x00007FFE3FD0B000-memory.dmp (Filesize: 4KB)
  • memory/3364-7-0x0000000140000000-0x00000001400EB000-memory.dmp (Filesize: 940KB)
  • memory/3364-6-0x0000000140000000-0x00000001400EB000-memory.dmp (Filesize: 940KB)
  • memory/3364-3-0x0000000003240000-0x0000000003241000-memory.dmp (Filesize: 4KB)
  • memory/3364-24-0x0000000140000000-0x00000001400EB000-memory.dmp (Filesize: 940KB)
  • memory/3364-26-0x00007FFE41AB0000-0x00007FFE41AC0000-memory.dmp (Filesize: 64KB)
  • memory/3364-13-0x0000000140000000-0x00000001400EB000-memory.dmp (Filesize: 940KB)
  • memory/3364-14-0x0000000140000000-0x00000001400EB000-memory.dmp (Filesize: 940KB)
  • memory/3364-23-0x0000000001470000-0x0000000001477000-memory.dmp (Filesize: 28KB)
  • memory/3372-50-0x0000000140000000-0x00000001400EC000-memory.dmp (Filesize: 944KB)
  • memory/3372-46-0x0000000140000000-0x00000001400EC000-memory.dmp (Filesize: 944KB)
  • memory/3372-45-0x000001DFB5FE0000-0x000001DFB5FE7000-memory.dmp (Filesize: 28KB)
  • memory/3872-38-0x0000000140000000-0x00000001400EB000-memory.dmp (Filesize: 940KB)
  • memory/3872-0-0x000001B50C050000-0x000001B50C057000-memory.dmp (Filesize: 28KB)
  • memory/3872-1-0x0000000140000000-0x00000001400EB000-memory.dmp (Filesize: 940KB)
  • memory/4836-61-0x000001CB5BB40000-0x000001CB5BB47000-memory.dmp (Filesize: 28KB)
  • memory/4836-66-0x0000000140000000-0x00000001400EC000-memory.dmp (Filesize: 944KB)