Resubmissions
21-06-2024 19:37
240621-yca7cszgnd 1009-06-2024 17:07
240609-vm7rjadd73 1013-05-2024 17:36
240513-v6qblafe3y 1012-05-2024 17:17
240512-vty3zafh5s 1012-05-2024 16:15
240512-tqd3ysdh3t 1010-05-2024 18:05
240510-wpghssdd27 1010-05-2024 17:48
240510-wdyypscg56 10Analysis
-
max time kernel
151s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
09-06-2024 17:07
General
-
Target
Stealers/Dridex.dll
-
Size
1.2MB
-
MD5
304109f9a5c3726818b4c3668fdb71fd
-
SHA1
2eb804e205d15d314e7f67d503940f69f5dc2ef8
-
SHA256
af26296c75ff26f7ee865df424522d75366ae3e2e80d7d9e89ef8c9398b0836d
-
SHA512
cf01fca33392dc40495f4c39eb1fd240b425018c7088ca9782d883bb135b5dd469a11941d0d680a69e881fa95c4147d70fe567aeba7e98ff6adfd5c0ca1a0e01
-
SSDEEP
24576:ZVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:ZV8hf6STw1ZlQauvzSq01ICe6zvm
Malware Config
Signatures
-
Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
-
Dridex Shellcode 1 IoCs
Detects Dridex Payload shellcode injected in Explorer process.
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 3 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 4 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\Stealers\Dridex.dll,#11⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\MoUsoCoreWorker.exeC:\Windows\system32\MoUsoCoreWorker.exe1⤵
-
C:\Users\Admin\AppData\Local\iS9g\MoUsoCoreWorker.exeC:\Users\Admin\AppData\Local\iS9g\MoUsoCoreWorker.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
-
C:\Windows\system32\SystemPropertiesAdvanced.exeC:\Windows\system32\SystemPropertiesAdvanced.exe1⤵
-
C:\Users\Admin\AppData\Local\jjojMc\SystemPropertiesAdvanced.exeC:\Users\Admin\AppData\Local\jjojMc\SystemPropertiesAdvanced.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
-
C:\Windows\system32\DmNotificationBroker.exeC:\Windows\system32\DmNotificationBroker.exe1⤵
-
C:\Users\Admin\AppData\Local\cqAFtGf6\DmNotificationBroker.exeC:\Users\Admin\AppData\Local\cqAFtGf6\DmNotificationBroker.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4136 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:81⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\cqAFtGf6\DUI70.dllFilesize
1.5MB
MD53c6fcbf1b387407ebf1282ae6893c31d
SHA1750bfe247affe71481fa4ed09d70beac0cf24cfb
SHA2561b2dd973a47f9e82e55303e392e91e807d9c5cb330da23eb9050ae178c4214d5
SHA5121008075dcb2f50a78d6e058237315aff7d3d0c248c4e16583aa6ee42aab31b4c2fd7e0510db1543fbdccd375e13ad44b61894a1c1dadd22e3bb6b672990d72f8
-
C:\Users\Admin\AppData\Local\cqAFtGf6\DmNotificationBroker.exeFilesize
32KB
MD5f0bdc20540d314a2aad951c7e2c88420
SHA14ab344595a4a81ab5f31ed96d72f217b4cee790b
SHA256f87537e5f26193a2273380f86cc9ac16d977f65b0eff2435e40be830fd99f7b5
SHA512cb69e35b2954406735264a4ae8fe1eca1bd4575f553ab2178c70749ab997bda3c06496d2fce97872c51215a19093e51eea7cc8971af62ad9d5726f3a0d2730aa
-
C:\Users\Admin\AppData\Local\iS9g\MoUsoCoreWorker.exeFilesize
1.6MB
MD547c6b45ff22b73caf40bb29392386ce3
SHA17e29a8d98fbb9b02d3d22e3576f4fd61ab50ffe9
SHA256cbccb642725edb42e749e26ded68a16b3aa20e291a1a7793a2d4efebb75f99c0
SHA512c919ab84a497616e7969d58c251f4e6efc337b41ef6956864b86d66ae1437294c124232fec54433eab3a6518ed529f8445dd0b23706b2f42f3fa42e69711f331
-
C:\Users\Admin\AppData\Local\iS9g\XmlLite.dllFilesize
1.2MB
MD57a76818f31534e512f7f63d95b37dbe8
SHA18a21c04c4bed0fc441ac93e5e0056ac6caae9a32
SHA2567b78699abe7ec5a35510e6400e439516ce0b178245a0fd65f423e781d5903059
SHA512e964c6d9a10dcee6f672cef391b760372c84bbf9a82273935f554c1a743b96424847df2579e796d4459e4a557912c90efc4c3e991802810d08674684d5a36d8a
-
C:\Users\Admin\AppData\Local\jjojMc\SYSDM.CPLFilesize
1.2MB
MD5ef0cb0467a701669abd54f9a5cc1483d
SHA1b9a82a117fdd226cad2bad47f739cabee35ccc30
SHA256ab2d8ee1934413fec5784a0f002f9fa0860bb36b3d40c3ace7127abd2288dba3
SHA51215a1903a8cdf77458c76074628a63dd62b9958f83edcefcf9eace372f75ca3421f23f90831d27af764ab1ad3fd22611b9b5c0270d054b2474412b225449804fd
-
C:\Users\Admin\AppData\Local\jjojMc\SystemPropertiesAdvanced.exeFilesize
82KB
MD5fa040b18d2d2061ab38cf4e52e753854
SHA1b1b37124e9afd6c860189ce4d49cebbb2e4c57bc
SHA256c61fa0f8c5d8d61110adbcceaa453a6c1d31255b3244dc7e3b605a4a931c245c
SHA512511f5981bd2c446f1f3039f6674f972651512305630bd688b1ef159af36a23cb836b43d7010b132a86b5f4d6c46206057abd31600f1e7dc930cb32ed962298a4
-
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Axoeay.lnkFilesize
1KB
MD5db8fec722ca00a96bf76bf295b0db3a0
SHA1eac22dd351c8e664b2495a4ea9726f6fcd2aecdc
SHA256d4abf374463aeec3667a88ed592a5b3917edf1730d4469775dec3a87185d376a
SHA512506a2d286f4278836b82704bdb4b0ce892ab2335a2c27c5b0d5eab1987e4e99d10e0359eee228f56f9eafbf69e232d24a50dc3c619d9962e36cb46cbeef03103
-
memory/400-81-0x0000000140000000-0x0000000140189000-memory.dmpFilesize
1.5MB
-
memory/400-80-0x0000019F47670000-0x0000019F47677000-memory.dmpFilesize
28KB
-
memory/400-86-0x0000000140000000-0x0000000140189000-memory.dmpFilesize
1.5MB
-
memory/792-69-0x0000000140000000-0x0000000140144000-memory.dmpFilesize
1.3MB
-
memory/792-63-0x000001DD3C5A0000-0x000001DD3C5A7000-memory.dmpFilesize
28KB
-
memory/1436-0-0x000001AF6B1B0000-0x000001AF6B1B7000-memory.dmpFilesize
28KB
-
memory/1436-39-0x0000000140000000-0x0000000140143000-memory.dmpFilesize
1.3MB
-
memory/1436-1-0x0000000140000000-0x0000000140143000-memory.dmpFilesize
1.3MB
-
memory/3000-52-0x0000000140000000-0x0000000140144000-memory.dmpFilesize
1.3MB
-
memory/3000-49-0x00000267D15D0000-0x00000267D15D7000-memory.dmpFilesize
28KB
-
memory/3000-46-0x0000000140000000-0x0000000140144000-memory.dmpFilesize
1.3MB
-
memory/3296-14-0x0000000140000000-0x0000000140143000-memory.dmpFilesize
1.3MB
-
memory/3296-36-0x0000000140000000-0x0000000140143000-memory.dmpFilesize
1.3MB
-
memory/3296-26-0x0000000140000000-0x0000000140143000-memory.dmpFilesize
1.3MB
-
memory/3296-8-0x0000000140000000-0x0000000140143000-memory.dmpFilesize
1.3MB
-
memory/3296-13-0x0000000140000000-0x0000000140143000-memory.dmpFilesize
1.3MB
-
memory/3296-25-0x0000000001390000-0x0000000001397000-memory.dmpFilesize
28KB
-
memory/3296-9-0x0000000140000000-0x0000000140143000-memory.dmpFilesize
1.3MB
-
memory/3296-10-0x0000000140000000-0x0000000140143000-memory.dmpFilesize
1.3MB
-
memory/3296-11-0x0000000140000000-0x0000000140143000-memory.dmpFilesize
1.3MB
-
memory/3296-12-0x0000000140000000-0x0000000140143000-memory.dmpFilesize
1.3MB
-
memory/3296-29-0x00007FFEF6050000-0x00007FFEF6060000-memory.dmpFilesize
64KB
-
memory/3296-24-0x00007FFEF537A000-0x00007FFEF537B000-memory.dmpFilesize
4KB
-
memory/3296-15-0x0000000140000000-0x0000000140143000-memory.dmpFilesize
1.3MB
-
memory/3296-7-0x0000000140000000-0x0000000140143000-memory.dmpFilesize
1.3MB
-
memory/3296-6-0x0000000140000000-0x0000000140143000-memory.dmpFilesize
1.3MB
-
memory/3296-4-0x0000000003310000-0x0000000003311000-memory.dmpFilesize
4KB