Analysis

  • max time kernel
    3s
  • max time network
    115s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22-12-2023 16:33

General

  • Target

    f325ee7a242e62a3685763de8d71db15.dll

  • Size

    873KB

  • MD5

    f325ee7a242e62a3685763de8d71db15

  • SHA1

    3439a0a62364526a7bcecda134f532d20e578bc0

  • SHA256

    064dd0fe494677278bb6d1bc0bc811f872b583604d27a81258023f7c695c0a20

  • SHA512

    549c34b5e9f097b91c26c1bf37688eb60169cef025a0466212536446494cda53e4f08d626cdf6ec97c393f18b9119543d1064da7783390438f6519aea631ebb1

  • SSDEEP

    24576:Zxru6GOISSgyFCsIysmcWy0WToFwYqOss:Zw6jsgyzGTQ

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Loader 'dmod' strings 9 IoCs

    Detects 'dmod' strings in Dridex loader.

  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\f325ee7a242e62a3685763de8d71db15.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1624
  • C:\Users\Admin\AppData\Local\cRq\tcmsetup.exe
    C:\Users\Admin\AppData\Local\cRq\tcmsetup.exe
    1⤵
    PID:3888
    • C:\Windows\system32\tcmsetup.exe
      C:\Windows\system32\tcmsetup.exe
      1⤵
      PID:760
      • C:\Users\Admin\AppData\Local\o1jLI\phoneactivate.exe
        C:\Users\Admin\AppData\Local\o1jLI\phoneactivate.exe
        1⤵
        PID:4812
        • C:\Windows\system32\phoneactivate.exe
          C:\Windows\system32\phoneactivate.exe
          1⤵
          PID:2984
          • C:\Users\Admin\AppData\Local\2EQlojm9\MusNotificationUx.exe
            C:\Users\Admin\AppData\Local\2EQlojm9\MusNotificationUx.exe
            1⤵
            PID:4192
            • C:\Windows\system32\MusNotificationUx.exe
              C:\Windows\system32\MusNotificationUx.exe
              1⤵
              PID:1968

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\2EQlojm9\MusNotificationUx.exe
    Filesize: 45KB
    MD5: 34a442145739e7b68a831c1f7a468c50
    SHA1: 50518e78044b7ac30e694f431a0d2f21fb724367
    SHA256: 38180a11bf6ba4b94f9dc851fee5a20d23b557327cbf68063b3979931ac2bc85
    SHA512: 6a811268691daec7a2e9c39734a1d2ec6a05ae6425bbc300fd6d38330a19795032e99fd8b3a49f9642d1229f033a490620c7d7eeedf788dac2744d8eec87c057

  • C:\Users\Admin\AppData\Local\2EQlojm9\MusNotificationUx.exe
    Filesize: 57KB
    MD5: 969a614ead88811dcc6baacb769ac975
    SHA1: fe23dfdaa316cbef7452c75735157ac2d1c8097f
    SHA256: d2e72d9bac3bd2e27b648de69aa5e37063e8d1047042b306a924171d8b5e0d37
    SHA512: 2527105d94b620bee1beb1060b0eb39fef7d72441438080000daf23c0f9fbbb816ee2ca8c5ccb3a26cbf5aa49f45c06969eded8983453316f90d47f1d6b75f1e

  • C:\Users\Admin\AppData\Local\2EQlojm9\XmlLite.dll
    Filesize: 28KB
    MD5: df4d3cbd5baeb935f75db51d21c93085
    SHA1: caedaa90d81f7ee680cb242d156c867df911bb5c
    SHA256: 48e7f910a5a7a985d2522c00e8cf2a49aa6b281e1b4b167d52efdbccca777e1c
    SHA512: 450d7a41041707c5d154461a22591face2ccfaf8178581606bf2fe9318d43576b1c930b51a58406785cc4338f9485a35b2f9b24ca8cea174e3fb25f335fadf3f

  • C:\Users\Admin\AppData\Local\2EQlojm9\XmlLite.dll
    Filesize: 78KB
    MD5: 4bd77062a0094b7a2d9b1dc56c6f824b
    SHA1: f28b1f14b49e978612a46c80c7edcc1be8316d9d
    SHA256: 2d33f403f7c52de56974ee44d42d14038a2766c2bcd0629088b0c347fe7f3378
    SHA512: 3d2ff237ec4d7558ef29c17b9da340b470aa503f5e96d4388094cb81820ccc26b8aceeef94c78007d3b9e8b25824ec9885da4efde7f0b3f3e63361c761c80591

  • C:\Users\Admin\AppData\Local\cRq\TAPI32.dll
    Filesize: 56KB
    MD5: c8dd9e948f61bbb66355a45ea585b227
    SHA1: 0239a7f3cd55b6302f0fc62b3164654dc88bc770
    SHA256: 0e5ec84a61d77170be46d8beff2d577e281e9ec66d01985ae589948b2bf3f336
    SHA512: 37da10a158420b6e55a96863560c38ef0db513d20f000462b51cbfb594a1e21fdc0f08c46558b53e6229decc2ee3bf1dfc96373678b6b265f943b2f721a2f9e5

  • C:\Users\Admin\AppData\Local\cRq\TAPI32.dll
    Filesize: 24KB
    MD5: 03785321acfcca8033aae84ae14d1da9
    SHA1: 55a56835446983774edc229dbb3d798bcce73e7e
    SHA256: 612a59c6820fbdb44abd15141e5abb12d9be36c4febef9074f5a4d406ea10e0d
    SHA512: ba65229f19e345cb197225db36be2f23da71ff0f6b0af3fa688777e8b365d9309af86d2932eae8723d7b9facac350adca7b391b5a564e48b122a632059114715

  • C:\Users\Admin\AppData\Local\cRq\tcmsetup.exe
    Filesize: 16KB
    MD5: 58f3b915b9ae7d63431772c2616b0945
    SHA1: 6346e837da3b0f551becb7cac6d160e3063696e9
    SHA256: e243501ba2ef7a6f04f51410bb916faffe0ec23450a4d030ce6bfe747e544b39
    SHA512: 7b09192af460c502d1a94989a0d06191c8c7a058ce3a4541e3f45960a1e12529d0cdaff9da3d5bacfdceed57aeb6dc9a159c6c0a95675c438f99bf7e418c6dc5

  • C:\Users\Admin\AppData\Local\o1jLI\SLC.dll
    Filesize: 10KB
    MD5: 34e91e814e0da8dcc6a3d43abe93ece8
    SHA1: 002b651f40abc5d1a02bf493062c5e425455c60b
    SHA256: 33a85bb6ff30c08f471b2315c43d682a52bbb824dc3c177a0554d15b4aeb42bd
    SHA512: 2b466bfde295f04a898b2df94dbaf175cfe6da70cf60413e02a2d6e9af78309050a78e4c42332985b7aaa5e0f7541b1bba05e0ff8dc44007a1e646c62b232e65

  • C:\Users\Admin\AppData\Local\o1jLI\SLC.dll
    Filesize: 22KB
    MD5: 3c72f408c697c23f3b012b25bee3305d
    SHA1: 805b6b550aaac871483ae05ddb8876257c94c6ec
    SHA256: 3aef5400aa44369e01564b35c218bbbd8df99703c955faca8d3dead3865b5e6b
    SHA512: 157723290c060c9598ed65ee04d9b076f15e0b76702cefaf3b3da8eacd126bd34d20e29a341a8d6ac737e7e0cbfeaab9a5f19384894e794adfbcfd287ab6075e

  • C:\Users\Admin\AppData\Local\o1jLI\phoneactivate.exe
    Filesize: 43KB
    MD5: 56b51e0ac4ee47fbd7ee166fedc0a847
    SHA1: 4a8232b4b3b3f6f82a8b58c60e567d276af6b8d5
    SHA256: 485983a549421906ccdc20bf06870180061fb6cc17480fb59139fbed0459e1b4
    SHA512: 1a02726e90d0e10e3176623217556a758b1107a99c12cbaee86770bca46221c8f7fc033dee1976381bd15e7a208ef929cbb13bc249bbd59e2a5a4ac00a6cf567

  • C:\Users\Admin\AppData\Local\o1jLI\phoneactivate.exe
    Filesize: 29KB
    MD5: d9c4beb0e8fb3f0e724e09729ec1769c
    SHA1: 30fd237f5472f9cc4b195b0e5db31ea40e55daa3
    SHA256: 3acc447b497ecf478cb97c7b44041856f4cbc16e03f20e92f4ef24b558c6d230
    SHA512: c38b0991b9421f4076beffe6a3a74ec733f706261c2e5dd24ebb5bf261673df6a602073a8dc6e89364590dadc723b07a5a05def5cc2af1a5419f2bf3a47300a6

  • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Aqwbkkvq.lnk
    Filesize: 1KB
    MD5: 1ed3497323b0d5b36f3aa8b93987e661
    SHA1: 344cfb057f4f26c8d82ff501f76897aeb5a5a45b
    SHA256: 2427fda69f560c383d233af9dfb385423e1156d10e7df783248493b8c4318f43
    SHA512: 98c776e11b8b2a7d326a1bd209cfa8a1b375cf1d77f41dc01b1f293a2e80e4a23aa50ebd6c6c18139f5425ade90d3def4350657eaae63993e9f26a95aeeb8b8d

  • C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\2Ul9Dtn02zO\SLC.dll
    Filesize: 5KB
    MD5: 86533f0faaf510444bea8c39c9657c39
    SHA1: a6495b8ca9d377c93c6d910d08e96de7ed2264c6
    SHA256: 0f64a778ad3d646a877e9a1c651f081d89d39bbf141b9bdf10ad905bfe521101
    SHA512: b59d6bad2ca234f9360b44ef81a323c8f6a566717745c286d10cd7d11979bdb5631a9284c2c58130a801b06a54e53c0f3a8e62c0b9bc50c0349ee6aaeeadca87

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\CM2xvn6VC\XmlLite.dll
    Filesize: 35KB
    MD5: a5f7c9f4b6cbab0d6e61e149fc035063
    SHA1: 52c22976d2a6d57310067050a47f6ee6eea4b9c2
    SHA256: 44e3dc2a40f332855635400e31ea831ef7f8be20edc09629a6014c371270ad7f
    SHA512: 7ad5866dc768246177ebf162f4e7d4a8d5a6e02041980c9432c4f1b03fd7aff68cc8755cf4e2b938a16941adcd22d8e308e968a9afd287b9c85d8e68570aa8d7

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\p3V64Sj\TAPI32.dll
    Filesize: not reported (the hashes below are those of a zero-byte file)
    MD5: d41d8cd98f00b204e9800998ecf8427e
    SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
    SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
    SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

  • memory/1624-0-0x000001EB16960000-0x000001EB16967000-memory.dmp
    Filesize: 28KB
  • memory/1624-37-0x0000000140000000-0x00000001400E2000-memory.dmp
    Filesize: 904KB
  • memory/1624-1-0x0000000140000000-0x00000001400E2000-memory.dmp
    Filesize: 904KB
  • memory/3404-12-0x0000000140000000-0x00000001400E2000-memory.dmp
    Filesize: 904KB
  • memory/3404-14-0x0000000140000000-0x00000001400E2000-memory.dmp
    Filesize: 904KB
  • memory/3404-15-0x0000000140000000-0x00000001400E2000-memory.dmp
    Filesize: 904KB
  • memory/3404-17-0x0000000000F70000-0x0000000000F77000-memory.dmp
    Filesize: 28KB
  • memory/3404-5-0x00007FFB2280A000-0x00007FFB2280B000-memory.dmp
    Filesize: 4KB
  • memory/3404-24-0x0000000140000000-0x00000001400E2000-memory.dmp
    Filesize: 904KB
  • memory/3404-7-0x0000000140000000-0x00000001400E2000-memory.dmp
    Filesize: 904KB
  • memory/3404-8-0x0000000140000000-0x00000001400E2000-memory.dmp
    Filesize: 904KB
  • memory/3404-25-0x00007FFB24410000-0x00007FFB24420000-memory.dmp
    Filesize: 64KB
  • memory/3404-9-0x0000000140000000-0x00000001400E2000-memory.dmp
    Filesize: 904KB
  • memory/3404-34-0x0000000140000000-0x00000001400E2000-memory.dmp
    Filesize: 904KB
  • memory/3404-16-0x0000000140000000-0x00000001400E2000-memory.dmp
    Filesize: 904KB
  • memory/3404-10-0x0000000140000000-0x00000001400E2000-memory.dmp
    Filesize: 904KB
  • memory/3404-11-0x0000000140000000-0x00000001400E2000-memory.dmp
    Filesize: 904KB
  • memory/3404-13-0x0000000140000000-0x00000001400E2000-memory.dmp
    Filesize: 904KB
  • memory/3404-4-0x0000000002A40000-0x0000000002A41000-memory.dmp
    Filesize: 4KB
  • memory/3888-44-0x0000000140000000-0x00000001400E4000-memory.dmp
    Filesize: 912KB
  • memory/3888-47-0x0000022AB2430000-0x0000022AB2437000-memory.dmp
    Filesize: 28KB
  • memory/3888-50-0x0000000140000000-0x00000001400E4000-memory.dmp
    Filesize: 912KB
  • memory/4192-84-0x0000000140000000-0x00000001400E3000-memory.dmp
    Filesize: 908KB
  • memory/4192-81-0x0000023EC9180000-0x0000023EC9187000-memory.dmp
    Filesize: 28KB
  • memory/4812-61-0x0000000140000000-0x00000001400E3000-memory.dmp
    Filesize: 908KB
  • memory/4812-64-0x00000214F2C30000-0x00000214F2C37000-memory.dmp
    Filesize: 28KB
  • memory/4812-67-0x0000000140000000-0x00000001400E3000-memory.dmp
    Filesize: 908KB