Analysis

  • max time kernel
    153s
  • max time network
    162s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29-12-2023 19:17

General

  • Target

    017476e0432360ddcea82be7784d62c3.dll

  • Size

    1.1MB

  • MD5

    017476e0432360ddcea82be7784d62c3

  • SHA1

    76763b98160cd831bbb09e2d7c99bd62d5f326c0

  • SHA256

    442c78bea97cb5946f1754ba2e848784a617e377208e3c7f06f3e33b1a5192a1

  • SHA512

    67a6fed3bf7893abe319a3df10baa17b9fbb38604a990c59f0f93fed127dae0efe2084088210ccc61da9bb6c372d0eaff01c4f030df1108b4da59182d1f54b40

  • SSDEEP

    12288:vVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:GfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 6 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\017476e0432360ddcea82be7784d62c3.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:3048
  • C:\Windows\system32\MoUsoCoreWorker.exe
    C:\Windows\system32\MoUsoCoreWorker.exe
    1⤵
      PID:3092
    • C:\Users\Admin\AppData\Local\M0UOXkdys\MoUsoCoreWorker.exe
      C:\Users\Admin\AppData\Local\M0UOXkdys\MoUsoCoreWorker.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:4228
    • C:\Windows\system32\ie4ushowIE.exe
      C:\Windows\system32\ie4ushowIE.exe
      1⤵
        PID:3040
      • C:\Users\Admin\AppData\Local\Xmke\ie4ushowIE.exe
        C:\Users\Admin\AppData\Local\Xmke\ie4ushowIE.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:3016
      • C:\Windows\system32\dwm.exe
        C:\Windows\system32\dwm.exe
        1⤵
          PID:384
        • C:\Users\Admin\AppData\Local\urv5ZMZ0\dwm.exe
          C:\Users\Admin\AppData\Local\urv5ZMZ0\dwm.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:4468

Network

MITRE ATT&CK Enterprise v15

Downloads

        • C:\Users\Admin\AppData\Local\M0UOXkdys\MoUsoCoreWorker.exe

          Filesize

          96KB

          MD5

          5798d6e8309c1d87997a7d2b8a256f28

          SHA1

          f30a2583fd14d2cdf3478f2ee0ac9abc273f12eb

          SHA256

          8f8a5f82327324df4e30a27bb87dd0da120b9a46f078e360bc68d66e2c07138a

          SHA512

          9a152df70ff8e03c01d079591b0367bc1148943e521d175303de32cb134956dbcc1d8e961f6a3e370fc36ec78bcc5eab015d69e86e524bbf8c4f11bd478a860b

        • C:\Users\Admin\AppData\Local\M0UOXkdys\MoUsoCoreWorker.exe

          Filesize

          44KB

          MD5

          994781cb4455e854e8a56d0d86729418

          SHA1

          120998cfad2fe8ef6213a3883e4dab288a35bb37

          SHA256

          048a9900741ff3fa27aa0d47c78202aa19824733ff9800d6cb302c87c2529420

          SHA512

          a76d895bfca20939fdd3c2092c1d16a334f5ddfb4fafb6283627a9a1b1afa66fe44d59311f10f4ae7acbf1492bfee038e9dbad058c65e2e458003e3d4afdfc22

        • C:\Users\Admin\AppData\Local\M0UOXkdys\XmlLite.dll

          Filesize

          115KB

          MD5

          6096d8f2691f521c5471e3831f488dee

          SHA1

          007d807b79a94996687a857d9033439aa35ddacd

          SHA256

          a306c80116053da01af073f3b8e4110ed508f57ee93defc6526f5323468dedcb

          SHA512

          3062f62e73b18740eca5386f1e6e3c5c1fb65e29ec938a4848f72f5be66134ca76bed52af2618459b85392f0ec4274d58bcb4585b9480b29f82e0b7516e22faa

        • C:\Users\Admin\AppData\Local\M0UOXkdys\XmlLite.dll

          Filesize

          57KB

          MD5

          10a2bc5895c41998ca5fd710990cfd84

          SHA1

          f8b261cd7242352c67b15c5bb31b832f2d7c11b0

          SHA256

          548759fe1cfd85af75bf80ad8e8a17277e4ae43dd36160e03c6f0a2757399878

          SHA512

          5bdc1b2709bd355c0485c18490375d3c3bc8f1a858af113405875afebb56bba9a839370a9fc6bf785ef9c2bf40d1fed926b233419aafb72b48729b3eb9b99d43

        • C:\Users\Admin\AppData\Local\Xmke\VERSION.dll

          Filesize

          25KB

          MD5

          8856aa57a9c31bd25ca41fd7e58a3faa

          SHA1

          a0b667482771a97e269232539c5bb8e25dde2ac4

          SHA256

          114debababba8166086ef482c0aaf85f62b23aa10cf0516ec1563543a6e8be7e

          SHA512

          3810c3192f6e9c2b65e2a275191e259868638c9cccdf3fb262028194bc1bb2d1dfc7cf851251bdf86f342e8eb3e9602cba0f4e638396f50d7a04660ba2459546

        • C:\Users\Admin\AppData\Local\Xmke\VERSION.dll

          Filesize

          83KB

          MD5

          afc5d6acf9fe46db2055363762df8cb2

          SHA1

          098d3185228e3cc9d8f80a83a957aa6983b320d4

          SHA256

          4d60a60d6b290863176389e6c029cafa4dd03ca07db7c5fd8cf0eee479c372b5

          SHA512

          0edc56ca9381475b65f38b4bebe09bcb3b26488f316b33db23a20c6d0fe2443fb1e5f7d5decd25bdce61d79ea158ba1b6ef161d58f0859723844ba6a98fc5b23

        • C:\Users\Admin\AppData\Local\Xmke\ie4ushowIE.exe

          Filesize

          19KB

          MD5

          22bbbaea87d84f8ea435d55620d8b903

          SHA1

          7dfc373050fffd3d2a3d7ce1f718b3e940b0c931

          SHA256

          55f06d181995eb462551ee1b9538464f08a465bdea10cbf3325338db240d4c21

          SHA512

          7aabbdbf33096980c5617bf5f0247650cbea3d1ea5f6f7e8924fc5b06379a28e1417b8115df0a7dedc45a36841021f58d6bd4e1da6e93d73f2cc028ae11e09d1

        • C:\Users\Admin\AppData\Local\Xmke\ie4ushowIE.exe

          Filesize

          29KB

          MD5

          20c3e4c84ab7086f24d852bfebc35881

          SHA1

          067750987872d1b8822b5b93880694cf61fc7968

          SHA256

          f3b3f537cff90e40986d92aa02865717633ae7406c0e0b9add37292c9a197548

          SHA512

          89672ac81368de470abfef063632d4c985c963fcf0220894c36d9a06cb4b37cb4c961a0528ab528bcb25eaf06c87f7de722ee063ce202b4d0ba65fa31d04dcc4

        • C:\Users\Admin\AppData\Local\urv5ZMZ0\dwm.exe

          Filesize

          92KB

          MD5

          5c27608411832c5b39ba04e33d53536c

          SHA1

          f92f8b7439ce1de4c297046ed1d3ff9f20bc97af

          SHA256

          0ac827c9e35cdaa492ddd435079415805dcc276352112b040bcd34ef122cf565

          SHA512

          1fa25eabc08dff9ea25dfa7da310a677927c6344b76815696b0483f8860fa1469820ff15d88a78ed32f712d03003631d9aceaf9c9851de5dd40c1fc2a7bc1309

        • C:\Users\Admin\AppData\Local\urv5ZMZ0\dxgi.dll

          Filesize

          54KB

          MD5

          21514a7f978d38c6841800dedbd4f69e

          SHA1

          9ce6d8337b669ba8a179ed77276a25222d783205

          SHA256

          95e6ff2d8a8b922c9fc03f149db07f8a0fa91ecad6f30c6da67534ca45cf8afe

          SHA512

          ae40682596ccf15269a8f9e884d7bdcd27e6c515c7c58fe368661e7629e92e08f7fca7a52ade82fba71ea31a7033294c29626623bb032280376923b8bcd99697

        • C:\Users\Admin\AppData\Local\urv5ZMZ0\dxgi.dll

          Filesize

          5KB

          MD5

          c4b41df8931b6353ddf2da18ddc76e9e

          SHA1

          269a7ae60cb1bfdc2378e3845d6c3261052dc12f

          SHA256

          6f68ddf53c7d90f40ce7e1446e6a72fd97ca36f62f6eea38d5a331a563e9d4b2

          SHA512

          88c01cc49c46beab8ff9c3fbf58bc31b4621efee754df31302605859e0c2e671127c4f1c2bb9d3c00f001a5bce531777e2a6f948c05c70cac508510f596c6467

        • C:\Users\Admin\AppData\Local\urv5ZMZ0\dxgi.dll

          Filesize

          26KB

          MD5

          c091d844941b361df762c89e57920116

          SHA1

          8d29420979ba0a787dd15d68d6af07a9dd2db2e4

          SHA256

          a91781d29c6c30a430514991fbb0df808d28a75bbf9a0325bd6be9f843ade3aa

          SHA512

          101b999888019a17cd1a2b74ff722eb77cebe4b58b97d28757cf4c088be9d4e80e22a71de39574e72f18844b0e831035f7e98e62fd84ba0f03d5544c475a5b2d

        • C:\Users\Admin\AppData\Local\urv5ZMZ0\dxgi.dll

          Filesize

          834B

          MD5

          6585b45da54640f428d6ee10032658f0

          SHA1

          1bba686537e5b535fb719d63553f540bc4613578

          SHA256

          5e67dd45e731676f365be0f9cca039ce53adaef4a624f54bc1685dc801620b20

          SHA512

          2070b74c7c457a39aa56447a166863f6db9d09d80690cc71f5295e36a70c2d254963b97a8a06fb5ac354d6246589112a3d926563b5d6587a59cb7d5ded3410fd

        • C:\Users\Admin\AppData\Local\urv5ZMZ0\dxgi.dll

          Filesize

          38KB

          MD5

          b0d16ec2fd98c9bdeb0fe2fd889e9a46

          SHA1

          2648b5cb2db0c93cf83e46e1831503df96d21bf0

          SHA256

          2d0e9de7d2f3cad063edc19daa5418cd3930932eac7128b2da19d43806904da7

          SHA512

          a17ce379b2011cc6d59280f4280b211860c9bfbf930ebc4efebb5830840f16993b10c915cc5ea3ac6ea00b8a1de00ece0c4f46aac12071796c4a7bfde81ae022

        • C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\wfZbTn\dwm.exe

          Filesize

          81KB

          MD5

          c50ea7490866ff7e7ae4256eb55f0261

          SHA1

          3cbdb8cc6415e847670bb28cfdf45076551c0f0e

          SHA256

          50ea683500d42c02ea7c42e047a6f3b77fc3d09bbe50144e04d176627256b184

          SHA512

          ba96a75e4a54f682943999c51550044edf8c99f846a2363d54d7c0bdc444038bce2183769539c6562fbe27ae86343c3a542b59c16cf58eb9627e8e2c22332194

        • C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\wfZbTn\dxgi.dll

          Filesize

          1.2MB

          MD5

          44a884e87359dfe3b64dfb2f511d2f64

          SHA1

          bdff65ff64c46b86aa1d64625ac9608cbf465e70

          SHA256

          228b12016dfb6a383206a73d6dd8a15b79081aa59f300f91bde748e2cc34f0d6

          SHA512

          eeb5025de4af3758d8bc795ad558a454890dedee60e037f6e61723c69bb3a23bed60051dba0aa96041fce94e338d8970a519b73b269bd88283c9050475ede0fd

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Udjzqp.lnk

          Filesize

          1KB

          MD5

          536baf1f96d7ada7018620ea51441c5b

          SHA1

          6aad011d42375eb68faa60e3b0e901596529eef7

          SHA256

          990379399172149d9842b416eddaddfc521d25a8870ebc7b07f9ac987ca90983

          SHA512

          d40a0bf91b8e2073190f12f7460417c0fd66bed36d39b52ad1260c8d7567f1445b13479381c3580c80d35a9f691f9834a6aa0a6302a393d84fd7d1ddc7eefe96

        • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\fOqG4CXzx\XmlLite.dll

          Filesize

          1.2MB

          MD5

          9ad373dec65387a0f825167ac6f53011

          SHA1

          9af6f90f439eb9a1c5382e4108def543d54ba004

          SHA256

          690345c90bcb5668f1d4d64b779b722e654d4d5b665ba21157c80b6aac942314

          SHA512

          3892e8a8c5644d1c3f9215b3a3311a6882b70e988c1e4e83adbb9a422b003105c1dc62a7a24ddbd16eac3f7cce46226a9b2182dd29eca1b5eaf6e0d0048defed

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\mU20k\VERSION.dll

          Filesize

          1.2MB

          MD5

          16a74b844d1f3277d1b75490a853a28a

          SHA1

          b950e2fe55ed18e89b6717866024e26d3a8876e7

          SHA256

          78296eeff56307a35478ddea5902a6fd8e3794635dcb7d718809545680a83623

          SHA512

          b08ccc7b9f7354255aa45c43bae16a705bea89c2f1ac9904b541799f22afa7c801d04905cf52a43fc8f1a25c5de21dccce98a7ac15c5660a5d2d2c774f1bcf9d

        • memory/3016-84-0x0000000140000000-0x0000000140127000-memory.dmp

          Filesize

          1.2MB

        • memory/3016-80-0x000001FAF5D90000-0x000001FAF5D97000-memory.dmp

          Filesize

          28KB

        • memory/3048-0-0x0000000140000000-0x0000000140126000-memory.dmp

          Filesize

          1.1MB

        • memory/3048-8-0x0000000140000000-0x0000000140126000-memory.dmp

          Filesize

          1.1MB

        • memory/3048-2-0x000001E70CA00000-0x000001E70CA07000-memory.dmp

          Filesize

          28KB

        • memory/3436-19-0x0000000140000000-0x0000000140126000-memory.dmp

          Filesize

          1.1MB

        • memory/3436-23-0x0000000140000000-0x0000000140126000-memory.dmp

          Filesize

          1.1MB

        • memory/3436-32-0x0000000003280000-0x0000000003287000-memory.dmp

          Filesize

          28KB

        • memory/3436-29-0x0000000140000000-0x0000000140126000-memory.dmp

          Filesize

          1.1MB

        • memory/3436-40-0x0000000140000000-0x0000000140126000-memory.dmp

          Filesize

          1.1MB

        • memory/3436-25-0x0000000140000000-0x0000000140126000-memory.dmp

          Filesize

          1.1MB

        • memory/3436-41-0x00007FFD0B1E0000-0x00007FFD0B1F0000-memory.dmp

          Filesize

          64KB

        • memory/3436-26-0x0000000140000000-0x0000000140126000-memory.dmp

          Filesize

          1.1MB

        • memory/3436-16-0x0000000140000000-0x0000000140126000-memory.dmp

          Filesize

          1.1MB

        • memory/3436-50-0x0000000140000000-0x0000000140126000-memory.dmp

          Filesize

          1.1MB

        • memory/3436-52-0x0000000140000000-0x0000000140126000-memory.dmp

          Filesize

          1.1MB

        • memory/3436-30-0x0000000140000000-0x0000000140126000-memory.dmp

          Filesize

          1.1MB

        • memory/3436-31-0x0000000140000000-0x0000000140126000-memory.dmp

          Filesize

          1.1MB

        • memory/3436-27-0x0000000140000000-0x0000000140126000-memory.dmp

          Filesize

          1.1MB

        • memory/3436-5-0x00007FFD09E0A000-0x00007FFD09E0B000-memory.dmp

          Filesize

          4KB

        • memory/3436-4-0x0000000002C90000-0x0000000002C91000-memory.dmp

          Filesize

          4KB

        • memory/3436-7-0x0000000140000000-0x0000000140126000-memory.dmp

          Filesize

          1.1MB

        • memory/3436-28-0x0000000140000000-0x0000000140126000-memory.dmp

          Filesize

          1.1MB

        • memory/3436-24-0x0000000140000000-0x0000000140126000-memory.dmp

          Filesize

          1.1MB

        • memory/3436-33-0x0000000140000000-0x0000000140126000-memory.dmp

          Filesize

          1.1MB

        • memory/3436-20-0x0000000140000000-0x0000000140126000-memory.dmp

          Filesize

          1.1MB

        • memory/3436-22-0x0000000140000000-0x0000000140126000-memory.dmp

          Filesize

          1.1MB

        • memory/3436-21-0x0000000140000000-0x0000000140126000-memory.dmp

          Filesize

          1.1MB

        • memory/3436-18-0x0000000140000000-0x0000000140126000-memory.dmp

          Filesize

          1.1MB

        • memory/3436-17-0x0000000140000000-0x0000000140126000-memory.dmp

          Filesize

          1.1MB

        • memory/3436-15-0x0000000140000000-0x0000000140126000-memory.dmp

          Filesize

          1.1MB

        • memory/3436-14-0x0000000140000000-0x0000000140126000-memory.dmp

          Filesize

          1.1MB

        • memory/3436-13-0x0000000140000000-0x0000000140126000-memory.dmp

          Filesize

          1.1MB

        • memory/3436-9-0x0000000140000000-0x0000000140126000-memory.dmp

          Filesize

          1.1MB

        • memory/3436-10-0x0000000140000000-0x0000000140126000-memory.dmp

          Filesize

          1.1MB

        • memory/3436-12-0x0000000140000000-0x0000000140126000-memory.dmp

          Filesize

          1.1MB

        • memory/3436-11-0x0000000140000000-0x0000000140126000-memory.dmp

          Filesize

          1.1MB

        • memory/4228-67-0x0000000140000000-0x0000000140127000-memory.dmp

          Filesize

          1.2MB

        • memory/4228-61-0x0000000140000000-0x0000000140127000-memory.dmp

          Filesize

          1.2MB

        • memory/4228-62-0x00000237B41F0000-0x00000237B41F7000-memory.dmp

          Filesize

          28KB

        • memory/4468-99-0x000001F469B70000-0x000001F469B77000-memory.dmp

          Filesize

          28KB

        • memory/4468-103-0x0000000140000000-0x0000000140127000-memory.dmp

          Filesize

          1.2MB