Analysis

  • max time kernel
    3s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29-12-2023 19:48

General

  • Target

    023797dc02047e4d9ff5a2192e29df8a.dll

  • Size

    2.3MB

  • MD5

    023797dc02047e4d9ff5a2192e29df8a

  • SHA1

    bc008687c6b96d7bc46acff71d9a241ca71356fe

  • SHA256

    9f8c3763244712c98190cd47b908b20c1a3486de99e3cf4b0d9b59b02bcb5f9e

  • SHA512

    37b71cf639bdd78a10062511269b785c22eec6bf578ada8b0385c98b826a654d8351efe4f57d3e03afc9d32623ea212fbd0753da5fd1bfe15a18dd1047185867

  • SSDEEP

    12288:DVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:SfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Malware Config

Signatures

  • Dridex

    Dridex (known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\023797dc02047e4d9ff5a2192e29df8a.dll,#1
    PID: 4812
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
  • C:\Windows\system32\dialer.exe
    C:\Windows\system32\dialer.exe
    PID: 804
    • C:\Windows\system32\LicensingUI.exe
      C:\Windows\system32\LicensingUI.exe
      PID: 4944
      • C:\Users\Admin\AppData\Local\KB5CgUxjh\dialer.exe
        C:\Users\Admin\AppData\Local\KB5CgUxjh\dialer.exe
        PID: 716
        • C:\Windows\system32\dialer.exe
          C:\Windows\system32\dialer.exe
          PID: 3124
          • C:\Users\Admin\AppData\Local\YeJ7\LicensingUI.exe
            C:\Users\Admin\AppData\Local\YeJ7\LicensingUI.exe
            PID: 4308
            • C:\Users\Admin\AppData\Local\r9IkvDO\dialer.exe
              C:\Users\Admin\AppData\Local\r9IkvDO\dialer.exe
              PID: 1656

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\KB5CgUxjh\TAPI32.dll
    Filesize: 92KB
    MD5: 53b19f4741865c00149f7ccd4114443e
    SHA1: ef11b91625870aac6d44ee8617e1e4d25ae7f3ad
    SHA256: 3aed139ae8d03c9c789b8b73c957b3b09b588d7ee4f97a21f3627fd32522703f
    SHA512: 8b0d28956d076b5237761e692123e9dd85ebb4c69db69e6e48da3b5e0c34492300ce1c406e0fcaaba40fa1f7c2cf5dde746897ba579ddd8f2ffb9e4660f547b2

  • C:\Users\Admin\AppData\Local\KB5CgUxjh\TAPI32.dll
    Filesize: 99KB
    MD5: 63b0450f40216bd8631d96045489b35a
    SHA1: 973d8caf21289625a51f3ed5b0ff6379b68a080c
    SHA256: bcefa3d6718919dd2759b753d59d06be35dc1871702a6a1bf1a257e5f51bf08c
    SHA512: ff3a63637cf6fdf0e583c354afb38bb5567ecbd01105f094003e7e6591b836587340047b5bd68a807fb6e2700f91fbbe3c6ae900fef9479d7a8c202f65323eef

  • C:\Users\Admin\AppData\Local\KB5CgUxjh\dialer.exe
    Filesize: 39KB
    MD5: b2626bdcf079c6516fc016ac5646df93
    SHA1: 838268205bd97d62a31094d53643c356ea7848a6
    SHA256: e3ac5e6196f3a98c1946d85c653866c318bb2a86dd865deffa7b52f665d699bb
    SHA512: 615cfe1f91b895513c687906bf3439ca352afcadd3b73f950af0a3b5fb1b358168a7a25a6796407b212fde5f803dd880bcdc350d8bac7e7594090d37ce259971

  • C:\Users\Admin\AppData\Local\YeJ7\DUI70.dll
    Filesize: 60KB
    MD5: 6935f8327e12e0621cb0500ea483fb07
    SHA1: dfd9e0ffb9c88f310298b2ed8f586c20334f5218
    SHA256: 241cf89f6bc845ec4161301c51f1959ac4b2b8c54c4974c50e70400838217e51
    SHA512: 867d59d46b7a4ee30946eb6597648b61d509362027a055703b719f000303f1044dcd3a8f9eebcff1a47438142527e966143dbe7539f9c372b512b998cb0b8f82

  • C:\Users\Admin\AppData\Local\YeJ7\DUI70.dll
    Filesize: 40KB
    MD5: 27fc04ca19a90bab9a6822da738f5bae
    SHA1: a87ca76a7685f1667cd1fa9bea68ba984b9cdc81
    SHA256: e33f1b0bc286780fec32e49087f411c269d43e0281dec2538ee2db6de9b98d87
    SHA512: 913943a569371ec28551b8bb1874f75ccaeb55bb3cd04444daa6c125385f76c082471afcb28720a35b397b80ac8e0dbc481281388051e0d410115740c2cc217d

  • C:\Users\Admin\AppData\Local\YeJ7\LicensingUI.exe
    Filesize: 61KB
    MD5: b7c03d0089301703a6a00188238d99c2
    SHA1: effa01d8c6c52aade41dc62aaefa5fc7c6744749
    SHA256: aa1658de85bf7b7ebb76ff89b9bb1406b84605aac72f814598062a0cabc2de19
    SHA512: 0cc07d16c2f49a9bc906e1caa68bb9d928f650a88ec754f32ec14ff21db9e2d7d6b4fd7ff6fed899ad6d97955538f21699ec7200d9b90f29bece95bd37dd948e

  • C:\Users\Admin\AppData\Local\YeJ7\LicensingUI.exe
    Filesize: 54KB
    MD5: 5eb2b7f44228a667dd409c347998416f
    SHA1: 0ef5465f0a985fb16cdde886d3ad5c91d7d8ef0e
    SHA256: 2199746702b0e7b8046dc4d1e8f7881ccef8bbb300065da36dcff34cfd3b8a99
    SHA512: 605df9a6c73c10a0b1c558131ed6356431cf035950f1c2f1624939acafa2eee0c9a7c4894621a20c01b07119f3eafcf275c3d7c4a81193278566508632df6929

  • C:\Users\Admin\AppData\Local\r9IkvDO\TAPI32.dll
    Filesize: 136KB
    MD5: a0caa52fb29e049448f12d5b7f43eef5
    SHA1: 15e8dff88427f7315997849de6eabbbae717b5a6
    SHA256: 1717c25a8614e45f86b6e8d8c57ab97659a3f30008091997f88b585321ac1121
    SHA512: eca2e54d24866b7e7aa4b3347010b9ec36f57e0271dbe139f723e6ae988c608852d0ffca37ea264f29dad04e8284c5cc809940c69fe23f8e25471d8068bfc19b

  • C:\Users\Admin\AppData\Local\r9IkvDO\TAPI32.dll
    Filesize: 52KB
    MD5: 2907587a1274db6cfb96630b29a305eb
    SHA1: 4458b6c7516b599dd495533224e22a9a1af802c2
    SHA256: e7b0959d6dd76423baa8e5fa5ca426a8c4b5437d9f563678361d5d51c59bf55d
    SHA512: bf422e99feb3f66b294341f921d60584d839d78211be1dc6ffe19be71e225017fa5d65a4489b63161cfe0873b3eb1a72f8b154289751fe65796de17b5f6af50c

  • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ocuuy.lnk
    Filesize: 1KB
    MD5: 36b8766b97d083b60fc22c8f2a0210a1
    SHA1: 1d08d6e13121a572684a2e5bbd668d7b127de7aa
    SHA256: 383689f17588b4d90e11c67f31cee386276c3c9bf4b76533e4761457ae711d13
    SHA512: 0128f03989b55bf1e33d38f36f2ba24dcf4b394c569304133f65fcf631be177db14ea6f64d1febcb92975ddb339bef0d3ad5dda6b5adba18e1dec730b98408dc

  • C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\RUUq1Pv\DUI70.dll
    Filesize: 6KB
    MD5: a43ac31b698b4e87d1e68ee7f06fcdfa
    SHA1: 8f8030d54650e75d392f6f8af28105093138af2b
    SHA256: 7d2853c574bc884e0cc243957cd8175ba026b890d5a8814443f2cb9ae953c8cb
    SHA512: 4cbc3db213fa4cd588391331d43e4f14c16b09637a6907b23429c54a68f375c656c8100f0ece5e75abedf9b1e8fb37d06f074f7b6cf96e8c09dcc312c9a670a4

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\3iOBJ\TAPI32.dll
    Filesize: 19KB
    MD5: 3c2a9eb4c98dbbe0e42ef375fa57414b
    SHA1: 7e994852adb8e113a8d793a0849fc586c52c7c39
    SHA256: bc49eaf09842a7c3b8a1fa37b94ba51e17f948736417cb4ba3d877738c8f4663
    SHA512: 6a894e3aa9a12a280540a67769072eac518a43dcdc942059117a9664708386c5b80d5ddbf9970113fda7a3c0c0337ef8eacfe091f5618bf2b4c129b415013bba

  • C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\f334QZGVhPi\TAPI32.dll
    Filesize: 143KB
    MD5: 5596e4bd85f6a8e667e1f9ed7206ed0d
    SHA1: 74c5aea666751edbae4ef95cdd7cd9f4bd9cd1fa
    SHA256: 711a964371584613d2dcaae383070d9ae5f3c195ed74dfdc8787bd5010701eb5
    SHA512: 60bdda8ba5782c53724a545f21d7f48e500b0ccaaf1dbe466e2bde8b2f607da62caf36247b49120854735f9b25dc5e1ed21d3a73c6034e2579ffaa0fe345e5f9

  • memory/716-77-0x0000000140000000-0x000000014024A000-memory.dmp
    Filesize: 2.3MB
  • memory/716-82-0x0000000140000000-0x000000014024A000-memory.dmp
    Filesize: 2.3MB
  • memory/716-76-0x000001D670F90000-0x000001D670F97000-memory.dmp
    Filesize: 28KB
  • memory/1656-110-0x0000000140000000-0x000000014024A000-memory.dmp
    Filesize: 2.3MB
  • memory/1656-113-0x000001C6E4920000-0x000001C6E4927000-memory.dmp
    Filesize: 28KB
  • memory/1656-120-0x0000000140000000-0x000000014024A000-memory.dmp
    Filesize: 2.3MB
  • memory/3428-33-0x0000000140000000-0x0000000140248000-memory.dmp
    Filesize: 2.3MB
  • memory/3428-30-0x0000000140000000-0x0000000140248000-memory.dmp
    Filesize: 2.3MB
  • memory/3428-67-0x0000000140000000-0x0000000140248000-memory.dmp
    Filesize: 2.3MB
  • memory/3428-56-0x00007FFDC4D40000-0x00007FFDC4D50000-memory.dmp
    Filesize: 64KB
  • memory/3428-43-0x0000000140000000-0x0000000140248000-memory.dmp
    Filesize: 2.3MB
  • memory/3428-55-0x0000000140000000-0x0000000140248000-memory.dmp
    Filesize: 2.3MB
  • memory/3428-45-0x0000000140000000-0x0000000140248000-memory.dmp
    Filesize: 2.3MB
  • memory/3428-47-0x0000000140000000-0x0000000140248000-memory.dmp
    Filesize: 2.3MB
  • memory/3428-48-0x0000000002AF0000-0x0000000002AF7000-memory.dmp
    Filesize: 28KB
  • memory/3428-42-0x0000000140000000-0x0000000140248000-memory.dmp
    Filesize: 2.3MB
  • memory/3428-41-0x0000000140000000-0x0000000140248000-memory.dmp
    Filesize: 2.3MB
  • memory/3428-40-0x0000000140000000-0x0000000140248000-memory.dmp
    Filesize: 2.3MB
  • memory/3428-37-0x0000000140000000-0x0000000140248000-memory.dmp
    Filesize: 2.3MB
  • memory/3428-36-0x0000000140000000-0x0000000140248000-memory.dmp
    Filesize: 2.3MB
  • memory/3428-35-0x0000000140000000-0x0000000140248000-memory.dmp
    Filesize: 2.3MB
  • memory/3428-5-0x00007FFDC2DFA000-0x00007FFDC2DFB000-memory.dmp
    Filesize: 4KB
  • memory/3428-32-0x0000000140000000-0x0000000140248000-memory.dmp
    Filesize: 2.3MB
  • memory/3428-4-0x0000000002E80000-0x0000000002E81000-memory.dmp
    Filesize: 4KB
  • memory/3428-12-0x0000000140000000-0x0000000140248000-memory.dmp
    Filesize: 2.3MB
  • memory/3428-46-0x0000000140000000-0x0000000140248000-memory.dmp
    Filesize: 2.3MB
  • memory/3428-44-0x0000000140000000-0x0000000140248000-memory.dmp
    Filesize: 2.3MB
  • memory/3428-39-0x0000000140000000-0x0000000140248000-memory.dmp
    Filesize: 2.3MB
  • memory/3428-38-0x0000000140000000-0x0000000140248000-memory.dmp
    Filesize: 2.3MB
  • memory/3428-29-0x0000000140000000-0x0000000140248000-memory.dmp
    Filesize: 2.3MB
  • memory/3428-34-0x0000000140000000-0x0000000140248000-memory.dmp
    Filesize: 2.3MB
  • memory/3428-65-0x0000000140000000-0x0000000140248000-memory.dmp
    Filesize: 2.3MB
  • memory/3428-31-0x0000000140000000-0x0000000140248000-memory.dmp
    Filesize: 2.3MB
  • memory/3428-26-0x0000000140000000-0x0000000140248000-memory.dmp
    Filesize: 2.3MB
  • memory/3428-22-0x0000000140000000-0x0000000140248000-memory.dmp
    Filesize: 2.3MB
  • memory/3428-28-0x0000000140000000-0x0000000140248000-memory.dmp
    Filesize: 2.3MB
  • memory/3428-27-0x0000000140000000-0x0000000140248000-memory.dmp
    Filesize: 2.3MB
  • memory/3428-25-0x0000000140000000-0x0000000140248000-memory.dmp
    Filesize: 2.3MB
  • memory/3428-24-0x0000000140000000-0x0000000140248000-memory.dmp
    Filesize: 2.3MB
  • memory/3428-23-0x0000000140000000-0x0000000140248000-memory.dmp
    Filesize: 2.3MB
  • memory/3428-21-0x0000000140000000-0x0000000140248000-memory.dmp
    Filesize: 2.3MB
  • memory/3428-20-0x0000000140000000-0x0000000140248000-memory.dmp
    Filesize: 2.3MB
  • memory/3428-19-0x0000000140000000-0x0000000140248000-memory.dmp
    Filesize: 2.3MB
  • memory/3428-16-0x0000000140000000-0x0000000140248000-memory.dmp
    Filesize: 2.3MB
  • memory/3428-15-0x0000000140000000-0x0000000140248000-memory.dmp
    Filesize: 2.3MB
  • memory/3428-14-0x0000000140000000-0x0000000140248000-memory.dmp
    Filesize: 2.3MB
  • memory/3428-13-0x0000000140000000-0x0000000140248000-memory.dmp
    Filesize: 2.3MB
  • memory/3428-11-0x0000000140000000-0x0000000140248000-memory.dmp
    Filesize: 2.3MB
  • memory/3428-10-0x0000000140000000-0x0000000140248000-memory.dmp
    Filesize: 2.3MB
  • memory/3428-9-0x0000000140000000-0x0000000140248000-memory.dmp
    Filesize: 2.3MB
  • memory/3428-7-0x0000000140000000-0x0000000140248000-memory.dmp
    Filesize: 2.3MB
  • memory/3428-18-0x0000000140000000-0x0000000140248000-memory.dmp
    Filesize: 2.3MB
  • memory/3428-17-0x0000000140000000-0x0000000140248000-memory.dmp
    Filesize: 2.3MB
  • memory/4308-94-0x0000000140000000-0x000000014028E000-memory.dmp
    Filesize: 2.6MB
  • memory/4308-93-0x000001CE21600000-0x000001CE21607000-memory.dmp
    Filesize: 28KB
  • memory/4812-1-0x0000029DDA2D0000-0x0000029DDA2D7000-memory.dmp
    Filesize: 28KB
  • memory/4812-0-0x0000000140000000-0x0000000140248000-memory.dmp
    Filesize: 2.3MB
  • memory/4812-8-0x0000000140000000-0x0000000140248000-memory.dmp
    Filesize: 2.3MB