Analysis
-
max time kernel
166s -
max time network
87s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
17-04-2022 16:35
General
-
Target
985a0bde29b03b987245abf186f4840538585fb6f0204e737ebc56e79d1484ea.dll
-
Size
1.2MB
-
MD5
dc0390d145ecd8967fa2ac796ceb7086
-
SHA1
6824dcf9398dc587524c61cf9b5eba8fc022da27
-
SHA256
985a0bde29b03b987245abf186f4840538585fb6f0204e737ebc56e79d1484ea
-
SHA512
80571cccc3c2dae5678547331a9ba3de522d4d48014d0e9359cdbaa9aeef260823875e374e945059919b885d1f307bbbd3f3ebf324e1eba1a6d2a7308c4eb2b4
Malware Config
Signatures
-
Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
-
Dridex Shellcode 1 IoCs
Detects Dridex Payload shellcode injected in Explorer process.
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 3 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 4 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\985a0bde29b03b987245abf186f4840538585fb6f0204e737ebc56e79d1484ea.dll,#11⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\SystemPropertiesComputerName.exeC:\Windows\system32\SystemPropertiesComputerName.exe1⤵
-
C:\Users\Admin\AppData\Local\DzDw\SystemPropertiesComputerName.exeC:\Users\Admin\AppData\Local\DzDw\SystemPropertiesComputerName.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
-
C:\Windows\system32\DmNotificationBroker.exeC:\Windows\system32\DmNotificationBroker.exe1⤵
-
C:\Users\Admin\AppData\Local\iVln9T\DmNotificationBroker.exeC:\Users\Admin\AppData\Local\iVln9T\DmNotificationBroker.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
-
C:\Windows\system32\WMPDMC.exeC:\Windows\system32\WMPDMC.exe1⤵
-
C:\Users\Admin\AppData\Local\yEx34Gs\WMPDMC.exeC:\Users\Admin\AppData\Local\yEx34Gs\WMPDMC.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\DzDw\SYSDM.CPLFilesize
1.2MB
MD5cd2e9dd09540a38795ab1e826073ea49
SHA1ab9eb1f0fd2dd6c9b82acd30d7ac67c9eff4250a
SHA256a8db4d7283aab84f436dcf2bec58eec0995b51c294cde54d410747a33a09eb7d
SHA51222f9b033298e460e42c054811228dd0b82e83282190c790d87fc4dfcbe745418413d58228bec48e970adc32f8b51e660e69102b25567d8055ca45c0f52bb559a
-
C:\Users\Admin\AppData\Local\DzDw\SYSDM.CPLFilesize
1.2MB
MD5cd2e9dd09540a38795ab1e826073ea49
SHA1ab9eb1f0fd2dd6c9b82acd30d7ac67c9eff4250a
SHA256a8db4d7283aab84f436dcf2bec58eec0995b51c294cde54d410747a33a09eb7d
SHA51222f9b033298e460e42c054811228dd0b82e83282190c790d87fc4dfcbe745418413d58228bec48e970adc32f8b51e660e69102b25567d8055ca45c0f52bb559a
-
C:\Users\Admin\AppData\Local\DzDw\SystemPropertiesComputerName.exeFilesize
82KB
MD56711765f323289f5008a6a2a04b6f264
SHA1d8116fdf73608b4b254ad83c74f2232584d24144
SHA256bd3a97327326e2245938ec6099f20059b446ff0fe1c10b9317d15d1a1dd5331e
SHA512438abd282d9d1c0e7e5db2ce027ff9522c3980278b32b2eae09c595884a8dcbfd5178bc5926b1d15f03174303382e13f5d5ecab9a5d8e31fc07ef39e66c012e8
-
C:\Users\Admin\AppData\Local\iVln9T\DUI70.dllFilesize
1.5MB
MD5ca6a745be5aef712289e6159a66586f0
SHA10674b2e4adc10d66a68feed1ff7ce8a64e85e9c4
SHA256019c4208e0196413e7a8e1faca030bce672cb7a41cd995d691fedea19ce96296
SHA512378df111f585c1b35cc6cc0b121e5cea530709b67f0aa05fd5c4314eb35667ddfc6db151399db7b4938f9ac9d3201f3e36ed53b9c1e017e6ce55d6854be6b5de
-
C:\Users\Admin\AppData\Local\iVln9T\DUI70.dllFilesize
1.5MB
MD5ca6a745be5aef712289e6159a66586f0
SHA10674b2e4adc10d66a68feed1ff7ce8a64e85e9c4
SHA256019c4208e0196413e7a8e1faca030bce672cb7a41cd995d691fedea19ce96296
SHA512378df111f585c1b35cc6cc0b121e5cea530709b67f0aa05fd5c4314eb35667ddfc6db151399db7b4938f9ac9d3201f3e36ed53b9c1e017e6ce55d6854be6b5de
-
C:\Users\Admin\AppData\Local\iVln9T\DmNotificationBroker.exeFilesize
32KB
MD5f0bdc20540d314a2aad951c7e2c88420
SHA14ab344595a4a81ab5f31ed96d72f217b4cee790b
SHA256f87537e5f26193a2273380f86cc9ac16d977f65b0eff2435e40be830fd99f7b5
SHA512cb69e35b2954406735264a4ae8fe1eca1bd4575f553ab2178c70749ab997bda3c06496d2fce97872c51215a19093e51eea7cc8971af62ad9d5726f3a0d2730aa
-
C:\Users\Admin\AppData\Local\yEx34Gs\UxTheme.dllFilesize
1.3MB
MD5f344fa2ec41a7aca9590176514e422d1
SHA11cfcc99634f08ed827a62bb1f689aaf46c79c152
SHA25690e22aa36ca7819e3aab47ed412a7ce80e13a1c69402d26d2e4f963bd74106d6
SHA512c8b58790920780298d668ad9912454ee7bdde861d184afa68f8b96695e928d326225f70b32829fa73ddd43a2027536775d8177ac1c5b07da20aed804c784cd95
-
C:\Users\Admin\AppData\Local\yEx34Gs\UxTheme.dllFilesize
1.3MB
MD5f344fa2ec41a7aca9590176514e422d1
SHA11cfcc99634f08ed827a62bb1f689aaf46c79c152
SHA25690e22aa36ca7819e3aab47ed412a7ce80e13a1c69402d26d2e4f963bd74106d6
SHA512c8b58790920780298d668ad9912454ee7bdde861d184afa68f8b96695e928d326225f70b32829fa73ddd43a2027536775d8177ac1c5b07da20aed804c784cd95
-
C:\Users\Admin\AppData\Local\yEx34Gs\WMPDMC.exeFilesize
1.5MB
MD559ce6e554da0a622febce19eb61c4d34
SHA1176a4a410cb97b3d4361d2aea0edbf17e15d04c7
SHA256c36eba7186f7367fe717595f3372a49503c9613893c2ab2eff38b625a50d04ba
SHA512e9b0d310416b66e0055381391bb6b0c19ee26bbcf0e3bb9ea7d696d5851e6efbdd9bdeb250c74638b7d73b20528ea1dfb718e75ad5977aaad77aae36cc7b7e18
-
memory/1648-130-0x00007FF94EFD0000-0x00007FF94F117000-memory.dmpFilesize
1.3MB
-
memory/1648-134-0x00000233B8EA0000-0x00000233B8EA7000-memory.dmpFilesize
28KB
-
memory/2424-168-0x000002A460790000-0x000002A460797000-memory.dmpFilesize
28KB
-
memory/2424-164-0x00007FF94EFD0000-0x00007FF94F118000-memory.dmpFilesize
1.3MB
-
memory/2424-160-0x0000000000000000-mapping.dmp
-
memory/2916-173-0x00007FF95D790000-0x00007FF95D91D000-memory.dmpFilesize
1.6MB
-
memory/2916-169-0x0000000000000000-mapping.dmp
-
memory/2916-177-0x000002D6095E0000-0x000002D6095E7000-memory.dmpFilesize
28KB
-
memory/3128-142-0x0000000140000000-0x0000000140147000-memory.dmpFilesize
1.3MB
-
memory/3128-144-0x0000000140000000-0x0000000140147000-memory.dmpFilesize
1.3MB
-
memory/3128-159-0x00007FF96C630000-0x00007FF96C640000-memory.dmpFilesize
64KB
-
memory/3128-158-0x00007FF96C6EC000-0x00007FF96C6ED000-memory.dmpFilesize
4KB
-
memory/3128-150-0x0000000001270000-0x0000000001277000-memory.dmpFilesize
28KB
-
memory/3128-148-0x0000000140000000-0x0000000140147000-memory.dmpFilesize
1.3MB
-
memory/3128-147-0x0000000140000000-0x0000000140147000-memory.dmpFilesize
1.3MB
-
memory/3128-146-0x0000000140000000-0x0000000140147000-memory.dmpFilesize
1.3MB
-
memory/3128-145-0x0000000140000000-0x0000000140147000-memory.dmpFilesize
1.3MB
-
memory/3128-157-0x00007FF96C71C000-0x00007FF96C71D000-memory.dmpFilesize
4KB
-
memory/3128-143-0x0000000140000000-0x0000000140147000-memory.dmpFilesize
1.3MB
-
memory/3128-141-0x0000000140000000-0x0000000140147000-memory.dmpFilesize
1.3MB
-
memory/3128-140-0x0000000140000000-0x0000000140147000-memory.dmpFilesize
1.3MB
-
memory/3128-139-0x0000000140000000-0x0000000140147000-memory.dmpFilesize
1.3MB
-
memory/3128-136-0x0000000140000000-0x0000000140147000-memory.dmpFilesize
1.3MB
-
memory/3128-135-0x0000000001260000-0x0000000001261000-memory.dmpFilesize
4KB
-
memory/3128-138-0x0000000140000000-0x0000000140147000-memory.dmpFilesize
1.3MB
-
memory/3128-137-0x0000000140000000-0x0000000140147000-memory.dmpFilesize
1.3MB
-
memory/3600-178-0x0000000000000000-mapping.dmp
-
memory/3600-186-0x000001EA324D0000-0x000001EA324D7000-memory.dmpFilesize
28KB