Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    16-01-2025 06:28

General

  • Target

    b723987104cf85aaedc0a5dc457d13be8fa1e12526a8b59551729bcc9b0a6247.dll

  • Size

    776KB

  • MD5

    435455aa73a48604914eb8271db3b4a3

  • SHA1

    8d321b4bd4eb646f18e6507fff8eaa1f93982375

  • SHA256

    b723987104cf85aaedc0a5dc457d13be8fa1e12526a8b59551729bcc9b0a6247

  • SHA512

    797db5b4854395b5b4a0904abcf3e56b43d99faa507c70954216128dcd2861566d78a0d9e6f573aa7ffa3eb220212911e9a8e54a20bc7d0d01e1e0cabd81610f

  • SSDEEP

    24576:1WyoqFMVMKkN3ZvxEhb0IsaQ4KriCo0j6Ij:gKuVMK6vx2RsIKNrj

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex family
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\b723987104cf85aaedc0a5dc457d13be8fa1e12526a8b59551729bcc9b0a6247.dll
    • Suspicious behavior: EnumeratesProcesses
    PID:4888
  • C:\Windows\system32\consent.exe
    C:\Windows\system32\consent.exe
    PID:2852
    • C:\Users\Admin\AppData\Local\PI2KW0h\consent.exe
      C:\Users\Admin\AppData\Local\PI2KW0h\consent.exe
      • Executes dropped EXE
      PID:4952
    • C:\Windows\system32\EhStorAuthn.exe
      C:\Windows\system32\EhStorAuthn.exe
      PID:760
      • C:\Users\Admin\AppData\Local\3cm3\EhStorAuthn.exe
        C:\Users\Admin\AppData\Local\3cm3\EhStorAuthn.exe
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:3620
      • C:\Windows\system32\systemreset.exe
        C:\Windows\system32\systemreset.exe
        PID:1832
        • C:\Users\Admin\AppData\Local\QXWY\systemreset.exe
          C:\Users\Admin\AppData\Local\QXWY\systemreset.exe
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2220
        • C:\Windows\system32\cmstp.exe
          C:\Windows\system32\cmstp.exe
          PID:4104
          • C:\Users\Admin\AppData\Local\T193by\cmstp.exe
            C:\Users\Admin\AppData\Local\T193by\cmstp.exe
            • Executes dropped EXE
            • Loads dropped DLL
            • Checks whether UAC is enabled
            PID:5084

          Downloads

          • C:\Users\Admin\AppData\Local\3cm3\EhStorAuthn.exe

            Filesize

            128KB

            MD5

            d45618e58303edb4268a6cca5ec99ecc

            SHA1

            1f8049fc5ea8b57bb68e19fb55cb9dc1e18e9513

            SHA256

            d527323643be9df4d174c3169c6f2c7854a59b781654bcaebd154cb51fb4219c

            SHA512

            5d7ae663dcfedfaf00836dc018131851e5a40778bd582b417b9f0bbd4bb6d1b2eb8f37f7f5a01cd2beed78b6037ef6eb2a3290248d5e901173b1407990a202bd

          • C:\Users\Admin\AppData\Local\3cm3\UxTheme.dll

            Filesize

            780KB

            MD5

            1721fbd56501c014e59fd813c37a6b0b

            SHA1

            fe8808618d7e36b7a574e655f3faf39c5ecf73db

            SHA256

            44fce13c0323a99a1e7462d512b05708268f7a859b033a437c1f67e0d220c412

            SHA512

            f42f8c3aed48c1274ffe323d0bdfb01cf0b132068a885a15ee82dd35e24adcea2125c4ad3797c179aaf237a2f9c831523eb048801d6e556a1406b209334eff3c

          • C:\Users\Admin\AppData\Local\PI2KW0h\consent.exe

            Filesize

            162KB

            MD5

            6646631ce4ad7128762352da81f3b030

            SHA1

            1095bd4b63360fc2968d75622aa745e5523428ab

            SHA256

            56b2d516376328129132b815e22379ae8e7176825f059c9374a33cc844482e64

            SHA512

            1c00ed5d8568f6ebd119524b61573cfe71ca828bd8fbdd150158ec8b5db65fa066908d120d201fce6222707bcb78e0c1151b82fdc1dccf3ada867cb810feb6da

          • C:\Users\Admin\AppData\Local\QXWY\ReAgent.dll

            Filesize

            780KB

            MD5

            6c435658064302665d3b281b7f6b9ecf

            SHA1

            a05a74b5d99e696ce97430273d364a6112008de6

            SHA256

            4c754ffbc7a6b2cc960f3ad1d4890836c319ca92e9b24278101ea11bed761005

            SHA512

            4f15ed9554215f9692883f1a9ab0f101ef2ff42b3161b74a986eafce6d69ce18e201399090dc8e9a81a8763e2893828a96e8b233387fffd2ee01e30b15aec953

          • C:\Users\Admin\AppData\Local\QXWY\systemreset.exe

            Filesize

            508KB

            MD5

            325ff647506adb89514defdd1c372194

            SHA1

            84234ff97d6ddc8a4ea21303ea842aa76a74e0ea

            SHA256

            ebff6159a7627234f94f606afa2e55e98e1548fd197d22779a5fcff24aa477ad

            SHA512

            8a9758f4af0264be08d684125827ef11efe651138059f6b463c52476f8a8e1bed94d093042f85893cb3e37c5f3ba7b55c6ce9394595001e661bccbc578da3868

          • C:\Users\Admin\AppData\Local\T193by\VERSION.dll

            Filesize

            776KB

            MD5

            0bbd44d0df86b1ff9d85aa07e2a8e4fb

            SHA1

            eaf82b6f8a15ec460e0f2b321095604923eda6ce

            SHA256

            8b0f7eac3af56b6cd2a756520a1f5bbf44c51ccae88de2d19ad109a7cca4be14

            SHA512

            7b93e39c457ad334dbf9286fc0a8eeb52a040ebcac7f35a1ee4c490dadb4e3a7c45d3e51aa2cb8953f98422f1c231f7dab2900cffed72ad0d5175b3936d9bd43

          • C:\Users\Admin\AppData\Local\T193by\cmstp.exe

            Filesize

            96KB

            MD5

            4cc43fe4d397ff79fa69f397e016df52

            SHA1

            8fd6cf81ad40c9b123cd75611860a8b95c72869c

            SHA256

            f2d3905ee38b2b5c0b724d582f14eb1db7621ffb8f3826df686a20784341614c

            SHA512

            851ef9fa5a03ec8b9fea0094c6e4bfa0b9e71cee3412ee86b2dfc34682aa5fb6455fefe7fc0092b711956d7c880cf8a5761b63ee990aa8e72f3473086ac0f157

          • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Updjljcn.lnk

            Filesize

            1KB

            MD5

            b7d61fcf8371c528ca0853cb51bd9e59

            SHA1

            926d53e24a2dc4d321d1251bfd928d58a9f509f8

            SHA256

            95373bc84dd90a1d698f3e8aa590f5aa9fae51681b6694af8f4f7ea5760f5348

            SHA512

            c97509b1b5118accfffcc422f58875a0cd29477bbf71d101420c93d7029befbf32ef19b0cfe157af71a71462be8469e9aca93e5cf9670d15d6590aa512cde183

          • memory/2220-73-0x00007FFB34640000-0x00007FFB34703000-memory.dmp

            Filesize

            780KB

          • memory/3528-9-0x0000000140000000-0x00000001400C2000-memory.dmp

            Filesize

            776KB

          • memory/3528-23-0x00007FFB43BC0000-0x00007FFB43BD0000-memory.dmp

            Filesize

            64KB

          • memory/3528-12-0x0000000140000000-0x00000001400C2000-memory.dmp

            Filesize

            776KB

          • memory/3528-11-0x0000000140000000-0x00000001400C2000-memory.dmp

            Filesize

            776KB

          • memory/3528-10-0x0000000140000000-0x00000001400C2000-memory.dmp

            Filesize

            776KB

          • memory/3528-5-0x0000000002B30000-0x0000000002B31000-memory.dmp

            Filesize

            4KB

          • memory/3528-8-0x0000000140000000-0x00000001400C2000-memory.dmp

            Filesize

            776KB

          • memory/3528-34-0x0000000140000000-0x00000001400C2000-memory.dmp

            Filesize

            776KB

          • memory/3528-32-0x0000000140000000-0x00000001400C2000-memory.dmp

            Filesize

            776KB

          • memory/3528-15-0x0000000140000000-0x00000001400C2000-memory.dmp

            Filesize

            776KB

          • memory/3528-22-0x0000000002AF0000-0x0000000002AF7000-memory.dmp

            Filesize

            28KB

          • memory/3528-14-0x0000000140000000-0x00000001400C2000-memory.dmp

            Filesize

            776KB

          • memory/3528-4-0x00007FFB41D1A000-0x00007FFB41D1B000-memory.dmp

            Filesize

            4KB

          • memory/3528-7-0x0000000140000000-0x00000001400C2000-memory.dmp

            Filesize

            776KB

          • memory/3528-21-0x0000000140000000-0x00000001400C2000-memory.dmp

            Filesize

            776KB

          • memory/3620-57-0x00007FFB34640000-0x00007FFB34703000-memory.dmp

            Filesize

            780KB

          • memory/3620-51-0x000001A7A1380000-0x000001A7A1387000-memory.dmp

            Filesize

            28KB

          • memory/3620-52-0x00007FFB34640000-0x00007FFB34703000-memory.dmp

            Filesize

            780KB

          • memory/4888-13-0x00007FFB34640000-0x00007FFB34702000-memory.dmp

            Filesize

            776KB

          • memory/4888-0-0x0000000001430000-0x0000000001437000-memory.dmp

            Filesize

            28KB

          • memory/4888-1-0x00007FFB34640000-0x00007FFB34702000-memory.dmp

            Filesize

            776KB

          • memory/5084-90-0x00007FFB34640000-0x00007FFB34702000-memory.dmp

            Filesize

            776KB