Analysis

  • max time kernel
    151s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29-12-2023 20:39

General

  • Target

    0363154b6154c58e1968193a92704afc.dll

  • Size

    2.0MB

  • MD5

    0363154b6154c58e1968193a92704afc

  • SHA1

    cefe766c0f88c2ca05a0d84ad75a7c65cf51f484

  • SHA256

    5828977b2ceed7da8ad59af7255116b6eacb7624a0106f0604bc3ce29e4470be

  • SHA512

    772f23f5b47f9802caad4d0f693dc5cba562eb2028e3a20aa0120989b5c5e0a88c6ce037e6cf3dfada990bd936d05fe0d56403f101fcc6639ac11a5e2af56ab6

  • SSDEEP

    12288:3VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:+fP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex payload shellcode injected into the Explorer process.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\0363154b6154c58e1968193a92704afc.dll,#1
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:924
  • C:\Users\Admin\AppData\Local\T12i\MDMAppInstaller.exe
    C:\Users\Admin\AppData\Local\T12i\MDMAppInstaller.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:2400
  • C:\Windows\system32\MDMAppInstaller.exe
    C:\Windows\system32\MDMAppInstaller.exe
    PID:3428
  • C:\Windows\system32\RecoveryDrive.exe
    C:\Windows\system32\RecoveryDrive.exe
    PID:2880
  • C:\Users\Admin\AppData\Local\DiB7SxO4K\RecoveryDrive.exe
    C:\Users\Admin\AppData\Local\DiB7SxO4K\RecoveryDrive.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:4416
  • C:\Windows\system32\OptionalFeatures.exe
    C:\Windows\system32\OptionalFeatures.exe
    PID:4080
  • C:\Users\Admin\AppData\Local\ynvUt\OptionalFeatures.exe
    C:\Users\Admin\AppData\Local\ynvUt\OptionalFeatures.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:4760

Network

MITRE ATT&CK Enterprise v15

Downloads

        • C:\Users\Admin\AppData\Local\DiB7SxO4K\ReAgent.dll

          Filesize

          70KB

          MD5

          b2e6aa6df3db504b5d79157b7cd09ab4

          SHA1

          bdd2a3d924cbbaaa867ac91c4495662acbb9b4cf

          SHA256

          1e0cc051f55c4e93d5b5d19a7517afe804302c6971d40f49d81c9076d1151bb4

          SHA512

          d8891971ba5c3696ccef5aac92737daf25a4e9fc2e6c6a511c335bb3f483fce824185380ea5d0eef558e0cefdc417ac44697118b7f71f45e758fc70e84e9dae3

        • C:\Users\Admin\AppData\Local\DiB7SxO4K\ReAgent.dll

          Filesize

          148KB

          MD5

          0b5d2c967d288cfd28af7e641f43f7df

          SHA1

          50a2a3bcba8ec563edd5f6c7eef438ef34dfe788

          SHA256

          1e006587c028461d9f578e9be4da920d1a51c89080981e38f8307c47cde64712

          SHA512

          1f6412fae4c314afae3fa6cff6eba25713ffaf82a30a7c1725bf9916e4fb31c35437fc9cddde722ac42b0f7ef065a5a2e77ca51ab9bf6cd6dc70c29be2e6480f

        • C:\Users\Admin\AppData\Local\DiB7SxO4K\RecoveryDrive.exe

          Filesize

          150KB

          MD5

          39f3931498bcf86baaedbc9b37339f24

          SHA1

          10778ed0b8989a187a94cce735f05d93942743e2

          SHA256

          a0124dd2b5748bf50b419cb203928138788addbd91146393b9d56be40fb99223

          SHA512

          a727201d04c8257ed6f9f8824c93700f56213d71162b45242ce0f5d70fbc2b528f9723683a8ae732a3948d122b8f6395fd87cadd1c852dafc667d04ea5ccf0df

        • C:\Users\Admin\AppData\Local\DiB7SxO4K\RecoveryDrive.exe

          Filesize

          123KB

          MD5

          b4170e0267f661f6d8bb2d91f2bf92a0

          SHA1

          4cae850d79e2ca8ad3adb3d130eb8a070622f622

          SHA256

          bed0cd1ce22617111543504d1f3c34a7d29a3002b19805407ee2693c8732282c

          SHA512

          70651a46c86ab1a856cd2d50734ed528d840e052a7a7ab37b4097e1ce075005b1c4ef1fdb05b1f05f6a2f7f0e9fa2d420ff5c754f915e9f9f11dd822f98bdf45

        • C:\Users\Admin\AppData\Local\T12i\MDMAppInstaller.exe

          Filesize

          151KB

          MD5

          30e978cc6830b04f1e7ed285cccaa746

          SHA1

          e915147c17e113c676c635e2102bbff90fb7aa52

          SHA256

          dc821931f63117962e2266acd3266e86bf8116d4a14b3adbebfade1d40b84766

          SHA512

          331923fa479f71c4c80b0e86ea238628666f95b6cf61cf4d741ae4a27ea2b8c636864dfac543d14599b4873f3b2ab397d07c4e4c17aca3f3b4e5871e24e50214

        • C:\Users\Admin\AppData\Local\T12i\MDMAppInstaller.exe

          Filesize

          148KB

          MD5

          8642ade7f1b6db865b2fc489f509f622

          SHA1

          9414ac31c33f9c67e1d73da482440b0455902d8b

          SHA256

          052dd4150d0e7c3e79e5958dacdfc1aee87cc76e1c4ec75dcc071f2473b19a44

          SHA512

          6fce6477d24481e0ab4002a078329ec95c0a4875918e5183b1a41826907d837f0cce997f2557e107c9aee057a04b447787d30be36353b5099a094cf6716ddf88

        • C:\Users\Admin\AppData\Local\T12i\WTSAPI32.dll

          Filesize

          185KB

          MD5

          3fa0b7885789ab1186f3a43c8f4f9bab

          SHA1

          09a636f2d4b7462eba81f8a1caffa9ba4cccb334

          SHA256

          83c3b77e51732759ed40056919fe6efe4ebf107a864b10299ee8f0a1070be40c

          SHA512

          fccb95e3c9c911fb5bcca0b8128c057dbbd514ab6f84549d79a303c156899993ff00bb0a6faeacd57865316969fcb22851c68066a59baf894c36baf814bb2aec

        • C:\Users\Admin\AppData\Local\T12i\WTSAPI32.dll

          Filesize

          208KB

          MD5

          03b19b3c61bcac1feeca77f069bbd1e5

          SHA1

          3e9dd661aea282ddd05d061ba542db36fb9bf255

          SHA256

          d0cfeb1b04176ec5e1179b7230d9c72ab12b9e6b895ed2b01a4ea357b3206af4

          SHA512

          37b333156e6d98955d0a6f16277087e72ec45e4f1bd3fa60142168d7fff33075ff133cf08da38b111d8594aa7ffbc9cbcbf9758a9d2fa502018cde5f962299a4

        • C:\Users\Admin\AppData\Local\ynvUt\OptionalFeatures.exe

          Filesize

          110KB

          MD5

          d6cd8bef71458804dbc33b88ace56372

          SHA1

          a18b58445be2492c5d37abad69b5aa0d29416a60

          SHA256

          fa2e741416994f2c1bf9ef7a16b9c4dbf20c84267e3da91ae6f1ad75ee9f49b8

          SHA512

          1bed8af2cf99a7f3bb36a34f4a71c34787904bd072ecdc731fb7498290dcf4024b956fb8b6912ad050b74aa861f0b0349081b77088f72732bda5075413b1f83d

        • C:\Users\Admin\AppData\Local\ynvUt\OptionalFeatures.exe

          Filesize

          79KB

          MD5

          10f70fbe0067afc89a0a6f2cdc547c80

          SHA1

          2d39851a8dbc7f49a75b34a1f0e735fae51a996c

          SHA256

          44ec5b759837632271e8273bc9cc8d2db245651a38ad61983a149bcf3c303341

          SHA512

          a6bc5a763addbcf415380753a2a86140083df225b3ad449adf757914e53c80f9e70ee0a97bd3dcf029267cd2cb4deb5a896911b70d164632b550f00f04c2cd9f

        • C:\Users\Admin\AppData\Local\ynvUt\appwiz.cpl

          Filesize

          31KB

          MD5

          7b9dc495effd6f8b350bda01192d5d38

          SHA1

          86c4fd9648b22420664aa854665c4274ca2c5bee

          SHA256

          d3aabcd52cdfc6d3949cf3c6faf614fa5fba663670526c74061ddad23722f052

          SHA512

          70fb73b75646136b77911399ec889f4c0cd636c8d3b320fca189bcd10fc9cf776e7dd2131caa804d3ee81c53a646d88c57d82c9de8b697dd8a269bf9f755e2ad

        • C:\Users\Admin\AppData\Local\ynvUt\appwiz.cpl

          Filesize

          100KB

          MD5

          8b2e50cd9081acc9e81bcfdf1218a461

          SHA1

          35488e703a8da322e34ac84e802645db574917e9

          SHA256

          6e0b7cf8e54d4ccb651d8530a5f3634dc88e348547da15cc72b15f3f231c9669

          SHA512

          65f6c72c63b5a9e0e02b3daaf264f3c36d3bf844f7213c58cdc1379f56a38bd5b9ca5d934de2c94fa9a9ff28ea570ffcf09b53591429abf6d92c8747cc06e5eb

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dvizybqqo.lnk

          Filesize

          1KB

          MD5

          085d583552d1eb72e1422fc92c69242c

          SHA1

          6fbfc1bbc9224c111147df9e9594b773791f203b

          SHA256

          32d006352829aacee3c6cc3da82f93296e56f6ac343fbcf75b7f10dfe620862b

          SHA512

          3233442b3d70892b41e46fd4cc4894c322cb0106e1a63d028b58d9d8e270f02c8ee859c0a9ea2604e39191e1e2b4135afa7d62ebecb0c6271b323d1a2472ce78

        • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\Keys\S0\ReAgent.dll

          Filesize

          2.0MB

          MD5

          03368cacb42d1be38ad6af5c7f08c3ed

          SHA1

          ecbdb102613bd6d90fc14e5c1a2804fa11c56868

          SHA256

          e3732f1b5cd7a29876fc285f45c1aed7d9792b84ebe70c0e29f833fd19824d6e

          SHA512

          9685534ec032e37ff005a0625c64388fd3815c797a03059548b4b13171f4efe6a55b8bdd5986324eb9a98fca54cd0dc8a491095ece446bb9851f40a865ce6c7a

        • C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\7FO9lXLVf\WTSAPI32.dll

          Filesize

          2.0MB

          MD5

          5a9b99c4d0575658dfa0c8156609afa3

          SHA1

          378242aa0f286110e9b4716919310e1a8b4e94d1

          SHA256

          6802c75118da28d6e0db40eed175205f32f1b3d1b3b1f37884121e800af3bdb2

          SHA512

          e92bd8246896c2803a832a0bfbe01e077fd913b2e2d3080f2bda413c570173c25f1e9dfc26ffa6ff58533e04bd6916f53c147c1fc4c97faa4b8611cf23e3534f

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\KUs38Vbc\appwiz.cpl

          Filesize

          2.0MB

          MD5

          04346ed6595d8fbaac2ae155cf02a221

          SHA1

          a904f217a90183047678e4dfeaf2cc3592fe3caf

          SHA256

          4a0d9a6fea773ea64be87b3a9efdd3f61afc553a9e55d1a4000d514c90739aba

          SHA512

          f707f140dfaaa4980183354b9b7718d13514222c9b47f1a0c8cb8eefce249094585558835f1c2383d9a492afddde98bb6bee03dde5b198758f320ff8637645f0