Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22-12-2023 16:37

General

  • Target
    f518a4dec5de3386e7aa4a19fd0f8ac1.dll
  • Size
    1.8MB
  • MD5
    f518a4dec5de3386e7aa4a19fd0f8ac1
  • SHA1
    0ef8670d9d1e4184daba2959bb6ac675e9ece0b5
  • SHA256
    89423c76e59074527f58059a7fbc88c65fb85fa4404b809f6f481d2bb3b602df
  • SHA512
    fd16896a386b8f23fa834f37c492d427be4a38cbc474e6264461fd0461cf0143db56cdfb6eed6835117f4debaf9c5237c8694104abe56ca53e34be8a8785f680
  • SSDEEP
    12288:LVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:KfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

  • Drops startup file 3 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\f518a4dec5de3386e7aa4a19fd0f8ac1.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2324
  • C:\Windows\system32\DmNotificationBroker.exe
    C:\Windows\system32\DmNotificationBroker.exe
    1⤵
      PID:2336
    • C:\Users\Admin\AppData\Local\4Jzo13c\DmNotificationBroker.exe
      C:\Users\Admin\AppData\Local\4Jzo13c\DmNotificationBroker.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:5072
    • C:\Windows\system32\ie4ushowIE.exe
      C:\Windows\system32\ie4ushowIE.exe
      1⤵
        PID:3084
      • C:\Users\Admin\AppData\Local\n7RuIB1\ie4ushowIE.exe
        C:\Users\Admin\AppData\Local\n7RuIB1\ie4ushowIE.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:4524
      • C:\Windows\system32\Utilman.exe
        C:\Windows\system32\Utilman.exe
        1⤵
          PID:4316
        • C:\Users\Admin\AppData\Local\IoKui7\Utilman.exe
          C:\Users\Admin\AppData\Local\IoKui7\Utilman.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:220

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\4Jzo13c\DUI70.dll
    Filesize: 47KB
    MD5: 1d7e6b18e09acd28c4dbe51eb52b6abb
    SHA1: ed1b5357bae847e9432c7618faa365c71eb2e2a1
    SHA256: 6b9a58aafa5015fb4c84403fe4b05618ecd18ff65192df364b49532dc2f1a224
    SHA512: 6a59c09de5ea489c01f07fbe1289fd895ba31abc93b5eff186676048fca7c555ea816831a6cdf24579ff071ddcd1ec105e6d6b3c550ae9e87f3d59122dd80293
  • C:\Users\Admin\AppData\Local\4Jzo13c\DUI70.dll
    Filesize: 67KB
    MD5: fe666220d48d3d4f781de128af227725
    SHA1: 36d2fec7080b218951eee00bc8d3ac0a161db12e
    SHA256: a50feb1ae5423de432e1368370f034ed9bb3979b313a17298cf1e0fa78fa7299
    SHA512: ab417881d5a7184d7ec1d974b594afe8997d6082fbb8e88275c6c3becf907f37283d321dc7083f7047173fdb2690c7cfababe45d07024c2fd91379e6318e5da8
  • C:\Users\Admin\AppData\Local\4Jzo13c\DmNotificationBroker.exe
    Filesize: 23KB
    MD5: 95b98bda6ce9006a5a187fb8ec58b222
    SHA1: 7c6e67b83ec8ee3dd0814410433be6104894adb9
    SHA256: b2084912919f42f5051d50b76955bf4de4283c7a68bdc889ff9bae83a9fa0de8
    SHA512: 7c98e5e85fe57a4ffea66a01766c75e4b59116b536b1ab1c94c3785a714ed121dc2b6deb770aea8516d3a6b4c366c63173d4fd9961134eb58b62b30a9e9f5b73
  • C:\Users\Admin\AppData\Local\4Jzo13c\DmNotificationBroker.exe
    Filesize: 5KB
    MD5: 6bfdaf07e48351e167fd0d373419bf29
    SHA1: d535bf0a1b0bdda1e0230726300cef1e7a41c84e
    SHA256: 0d53612b8c87468f38d9e9b91357bb05bf1c5cd11524e0c6d44345a4b6aa6d75
    SHA512: 01ad89e25a4fd0ffe835a60a73fa916c666e5602a08a86785eeb68f81b0f92f76b4638b23b89f459fac4b2e59c10d195bddc07777609f0e1581219437fb81da3
  • C:\Users\Admin\AppData\Local\IoKui7\DUI70.dll
    Filesize: 32KB
    MD5: dd8144d6dd4df0c5511a6daf61d11298
    SHA1: de0f9dd9b9b54dbf2eb83f4f5fccf328165778bf
    SHA256: 5a6c38de64d6331ba79a68f149d7d10e7026256594ca04b5dc9322544dc2fb71
    SHA512: 456c4714ed7d7a8b195acd2f8f7cc6f3ae7c4f2ecc1d8dab276fd076bdb029fb72c99bbf251f2d3396eab2c8c5a08c588161afa21e36466247e6299deb7fecd1
  • C:\Users\Admin\AppData\Local\IoKui7\DUI70.dll
    Filesize: 45KB
    MD5: 4cc7bcd184563aa4556031a08a48ef66
    SHA1: 4b228f73ff2507cd51e148134bc122f22d9099b7
    SHA256: dcd246d625d0a4230084448b9b969bfffc18e2d5aa1abcb94ba01789125e3e9d
    SHA512: 84697db6d1bbd07e06b9556beb017406cd3775d939972a1d7c5d7a1760630948a396bb14c3a0732d95db5842e264f6388e9a2f29d077db1ade74a59058755ec2
  • C:\Users\Admin\AppData\Local\IoKui7\Utilman.exe
    Filesize: 123KB
    MD5: a117edc0e74ab4770acf7f7e86e573f7
    SHA1: 5ceffb1a5e05e52aafcbc2d44e1e8445440706f3
    SHA256: b5bc4fce58403ea554691db678e6c8c448310fe59990990f0e37cd4357567d37
    SHA512: 72883f794ff585fe7e86e818d4d8c54fa9781cab6c3fac6f6956f58a016a91f676e70d14691cbe054ae7b7469c6b4783152fbb694e92b940d9e3595fe3f41d97
  • C:\Users\Admin\AppData\Local\IoKui7\Utilman.exe
    Filesize: 36KB
    MD5: e9a598e1ffd49c3988c3747a9f23c9bf
    SHA1: 4b808df14e38b7a46a001e37da9a87dae3c4b7f3
    SHA256: fb62d6e0322edf5cf705a3e5a181f7b3adae648b387f24ed6479b11658b10c4a
    SHA512: f8aa8d529c6dfecefa844e3e7b02a3b0593400bdcdc66824becf2e50ead2494ae4b108ccebcaa4df34e21fb4eed39c273a9b0a9bff69637e771d50913081f556
  • C:\Users\Admin\AppData\Local\n7RuIB1\VERSION.dll
    Filesize: 200KB
    MD5: e7180b507e12d1394f66539f590be8ea
    SHA1: 5f3473a7b0d5f6016b3181aac27155655dc6adb1
    SHA256: 58a5a094a2444331b255367dfd29515db0ebeb237b11e3325e7ba5e3b37df80f
    SHA512: 62a64b2b35c6a1313e57baf645f1f6757d0f2ba4ccff8283cc434cb7d4d9ec3b15db367088aeb2d7fa705ff81de212689173d2adc0cf69c8f36f9f4fddc43288
  • C:\Users\Admin\AppData\Local\n7RuIB1\VERSION.dll
    Filesize: 225KB
    MD5: 9e31924645529bd81958c0289bf67fa5
    SHA1: 1c9603f1b559d35f0b3f464de67386b1b5fbf7d0
    SHA256: abaf8362d04d97c53238c3d04e1f4bd6326a297c61fc7a7613658da4366b3dc5
    SHA512: 8c2229463f775a3d859a762f1b42fd1aabf51df1a80cbffc6e2e7e9891066a6d0473b7702500cc319f6f3186add28e46ead61390bc42a94bbcdef27dd84952d0
  • C:\Users\Admin\AppData\Local\n7RuIB1\ie4ushowIE.exe
    Filesize: 76KB
    MD5: 9de952f476abab0cd62bfd81e20a3deb
    SHA1: 109cc4467b78dad4b12a3225020ea590bccee3e6
    SHA256: e9cb6336359ac6f71ac75af2836efb28daa3bafd10a1f0b775dcdc2ec8850a6b
    SHA512: 3cbe50a146ca50b0657a78a2d89a34630c69823005668906785b2d2015cc6139c8dbbf7aefa5fe55957ef55ae06e758933b3b41eaf822e49dba3b7700582e2c9
  • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dvizybqqo.lnk
    Filesize: 1KB
    MD5: 649740c52874e75f85388b85ec7174e2
    SHA1: d30e325e0582fad695adc30c68e81e16634bec71
    SHA256: 7b7fe45d83d3c049f7d30717d314fec3b50fb76564d81915951db8a71cf0e5ac
    SHA512: 9b7b99dc327b083121a39d70e0564b91b9b414561086f502e8d2e2e1f921109d79a6df2fb15a39f486020e6cc9e07e776419f3134a3a6b69701555a2b02ddb7f
  • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\21rt\DUI70.dll
    Filesize: 2.1MB
    MD5: e97dee7d404ff65f8a16a2f3335a5462
    SHA1: 1cdd8062570ae9e81ef5de50c579f13aa5dffd48
    SHA256: 1629c1af956df2c51ea9439551be536818fed0786e5785d014e5a6d7c2e89231
    SHA512: dc2af906666a6dd4803f02bd73cbb131cf139030539c77138b0c92962ed1fdc8c578aa7c7d62dcaaea8a5158fb43fd9c758b9257feb9136259002527b5307b97
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\mXeefoD3Qb\DUI70.dll
    Filesize: 2.1MB
    MD5: 984279825598b907281251d5b2f342c3
    SHA1: 9d686f4c3ebdd6047142306c5ba5942a79b2a9ae
    SHA256: 8045dd7e4dae5175c7f019b48eb69ad5aa349d205f23b2a13dfddf34fd7caa0b
    SHA512: b839a4919a8e36c85cce58559fb1e871bf743a6886da962688389055dfdd8c642fb2607cc48b15eee5e3507408671a446259b3f87ad995ff15bf8e1946388cdd
  • C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\yi4Q3lXai\VERSION.dll
    Filesize: 1.8MB
    MD5: a2648ef04ab16cfd6c30cb898ca83070
    SHA1: 0f401e5946c4d9d792d1b4ab6b6f98b0343173d9
    SHA256: aa08eca91487ed4816f60181954eb6a624d838e10a7759ad0162763bf811466e
    SHA512: 3da82eb9506e96ffcd1d7d02c761220690bd4d18271b7e3fac8dc10953854b115948e06716d67e58c6779ffbcfd16ad213d0c8c09df8f4c6c104eae77c645186
  • memory/220-113-0x000002472F230000-0x000002472F237000-memory.dmp
    Filesize: 28KB
  • memory/2324-7-0x0000000140000000-0x00000001401CB000-memory.dmp
    Filesize: 1.8MB
  • memory/2324-0-0x0000028CC17C0000-0x0000028CC17C7000-memory.dmp
    Filesize: 28KB
  • memory/2324-1-0x0000000140000000-0x00000001401CB000-memory.dmp
    Filesize: 1.8MB
  • memory/3460-23-0x0000000140000000-0x00000001401CB000-memory.dmp
    Filesize: 1.8MB
  • memory/3460-52-0x00000000007C0000-0x00000000007C7000-memory.dmp
    Filesize: 28KB
  • memory/3460-27-0x0000000140000000-0x00000001401CB000-memory.dmp
    Filesize: 1.8MB
  • memory/3460-28-0x0000000140000000-0x00000001401CB000-memory.dmp
    Filesize: 1.8MB
  • memory/3460-25-0x0000000140000000-0x00000001401CB000-memory.dmp
    Filesize: 1.8MB
  • memory/3460-30-0x0000000140000000-0x00000001401CB000-memory.dmp
    Filesize: 1.8MB
  • memory/3460-32-0x0000000140000000-0x00000001401CB000-memory.dmp
    Filesize: 1.8MB
  • memory/3460-35-0x0000000140000000-0x00000001401CB000-memory.dmp
    Filesize: 1.8MB
  • memory/3460-36-0x0000000140000000-0x00000001401CB000-memory.dmp
    Filesize: 1.8MB
  • memory/3460-37-0x0000000140000000-0x00000001401CB000-memory.dmp
    Filesize: 1.8MB
  • memory/3460-38-0x0000000140000000-0x00000001401CB000-memory.dmp
    Filesize: 1.8MB
  • memory/3460-39-0x0000000140000000-0x00000001401CB000-memory.dmp
    Filesize: 1.8MB
  • memory/3460-41-0x0000000140000000-0x00000001401CB000-memory.dmp
    Filesize: 1.8MB
  • memory/3460-40-0x0000000140000000-0x00000001401CB000-memory.dmp
    Filesize: 1.8MB
  • memory/3460-34-0x0000000140000000-0x00000001401CB000-memory.dmp
    Filesize: 1.8MB
  • memory/3460-42-0x0000000140000000-0x00000001401CB000-memory.dmp
    Filesize: 1.8MB
  • memory/3460-43-0x0000000140000000-0x00000001401CB000-memory.dmp
    Filesize: 1.8MB
  • memory/3460-33-0x0000000140000000-0x00000001401CB000-memory.dmp
    Filesize: 1.8MB
  • memory/3460-31-0x0000000140000000-0x00000001401CB000-memory.dmp
    Filesize: 1.8MB
  • memory/3460-29-0x0000000140000000-0x00000001401CB000-memory.dmp
    Filesize: 1.8MB
  • memory/3460-21-0x0000000140000000-0x00000001401CB000-memory.dmp
    Filesize: 1.8MB
  • memory/3460-16-0x0000000140000000-0x00000001401CB000-memory.dmp
    Filesize: 1.8MB
  • memory/3460-44-0x0000000140000000-0x00000001401CB000-memory.dmp
    Filesize: 1.8MB
  • memory/3460-45-0x0000000140000000-0x00000001401CB000-memory.dmp
    Filesize: 1.8MB
  • memory/3460-46-0x0000000140000000-0x00000001401CB000-memory.dmp
    Filesize: 1.8MB
  • memory/3460-48-0x0000000140000000-0x00000001401CB000-memory.dmp
    Filesize: 1.8MB
  • memory/3460-50-0x0000000140000000-0x00000001401CB000-memory.dmp
    Filesize: 1.8MB
  • memory/3460-26-0x0000000140000000-0x00000001401CB000-memory.dmp
    Filesize: 1.8MB
  • memory/3460-49-0x0000000140000000-0x00000001401CB000-memory.dmp
    Filesize: 1.8MB
  • memory/3460-47-0x0000000140000000-0x00000001401CB000-memory.dmp
    Filesize: 1.8MB
  • memory/3460-58-0x0000000140000000-0x00000001401CB000-memory.dmp
    Filesize: 1.8MB
  • memory/3460-59-0x00007FFB556A0000-0x00007FFB556B0000-memory.dmp
    Filesize: 64KB
  • memory/3460-68-0x0000000140000000-0x00000001401CB000-memory.dmp
    Filesize: 1.8MB
  • memory/3460-70-0x0000000140000000-0x00000001401CB000-memory.dmp
    Filesize: 1.8MB
  • memory/3460-24-0x0000000140000000-0x00000001401CB000-memory.dmp
    Filesize: 1.8MB
  • memory/3460-22-0x0000000140000000-0x00000001401CB000-memory.dmp
    Filesize: 1.8MB
  • memory/3460-4-0x0000000002080000-0x0000000002081000-memory.dmp
    Filesize: 4KB
  • memory/3460-6-0x0000000140000000-0x00000001401CB000-memory.dmp
    Filesize: 1.8MB
  • memory/3460-20-0x0000000140000000-0x00000001401CB000-memory.dmp
    Filesize: 1.8MB
  • memory/3460-19-0x0000000140000000-0x00000001401CB000-memory.dmp
    Filesize: 1.8MB
  • memory/3460-17-0x0000000140000000-0x00000001401CB000-memory.dmp
    Filesize: 1.8MB
  • memory/3460-18-0x0000000140000000-0x00000001401CB000-memory.dmp
    Filesize: 1.8MB
  • memory/3460-15-0x0000000140000000-0x00000001401CB000-memory.dmp
    Filesize: 1.8MB
  • memory/3460-9-0x00007FFB54CAA000-0x00007FFB54CAB000-memory.dmp
    Filesize: 4KB
  • memory/3460-14-0x0000000140000000-0x00000001401CB000-memory.dmp
    Filesize: 1.8MB
  • memory/3460-13-0x0000000140000000-0x00000001401CB000-memory.dmp
    Filesize: 1.8MB
  • memory/3460-8-0x0000000140000000-0x00000001401CB000-memory.dmp
    Filesize: 1.8MB
  • memory/3460-12-0x0000000140000000-0x00000001401CB000-memory.dmp
    Filesize: 1.8MB
  • memory/3460-11-0x0000000140000000-0x00000001401CB000-memory.dmp
    Filesize: 1.8MB
  • memory/3460-10-0x0000000140000000-0x00000001401CB000-memory.dmp
    Filesize: 1.8MB
  • memory/4524-96-0x0000016A263A0000-0x0000016A263A7000-memory.dmp
    Filesize: 28KB
  • memory/5072-80-0x0000000140000000-0x0000000140211000-memory.dmp
    Filesize: 2.1MB
  • memory/5072-79-0x000001DE270A0000-0x000001DE270A7000-memory.dmp
    Filesize: 28KB