Analysis

  • max time kernel
    150s
  • max time network
    123s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20-01-2024 03:30

General

  • Target

    69602855143bf25085262765aa2cd991.dll

  • Size

    1.7MB

  • MD5

    69602855143bf25085262765aa2cd991

  • SHA1

    0d84b772f3bb26d79fb722330554563a667b4c04

  • SHA256

    14c81cca53cfefe7eaaad66283b38b081c7e31c5bda2f3f0e0386f68f1d6c216

  • SHA512

    b4801df13a886b77038eae6b4472dc8e4665c3cd2a3ada39e9bd25c921d0832ba76fcb68ede443c9cce5199225d09bcd173341629b1bb6ed810c708b22f8a912

  • SSDEEP

    12288:9VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:kfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex payload shellcode injected into the Explorer process.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\69602855143bf25085262765aa2cd991.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:4488
  • C:\Windows\system32\SystemSettingsAdminFlows.exe
    C:\Windows\system32\SystemSettingsAdminFlows.exe
    1⤵
      PID:3684
    • C:\Users\Admin\AppData\Local\PNg2Ui\SystemSettingsAdminFlows.exe
      C:\Users\Admin\AppData\Local\PNg2Ui\SystemSettingsAdminFlows.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2124
    • C:\Windows\system32\SystemSettingsAdminFlows.exe
      C:\Windows\system32\SystemSettingsAdminFlows.exe
      1⤵
        PID:2084
      • C:\Users\Admin\AppData\Local\q0lJQO\SystemSettingsAdminFlows.exe
        C:\Users\Admin\AppData\Local\q0lJQO\SystemSettingsAdminFlows.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2056
      • C:\Windows\system32\unregmp2.exe
        C:\Windows\system32\unregmp2.exe
        1⤵
          PID:4124
        • C:\Users\Admin\AppData\Local\RkSgnqjiZ\unregmp2.exe
          C:\Users\Admin\AppData\Local\RkSgnqjiZ\unregmp2.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:3400

Network

MITRE ATT&CK Enterprise v15

Downloads

        • C:\Users\Admin\AppData\Local\PNg2Ui\SystemSettingsAdminFlows.exe

          Filesize

          169KB

          MD5

          d0546c4830e096ef58606e641e47dbb4

          SHA1

          219f75fbd6a89378719257eefa19505a1f031d2e

          SHA256

          2abc9984f2f6eee4a599810235e7a5323d59bce18147c9353ef10736458c0c4e

          SHA512

          1b9b5129ef804b18a316fd8d8cf6b8c6903c16a111c64bc533c9fd38f6ddaaf4f66c75ee98571737acf5cb697896b0c1069cbae28fbf79bfbcb07515901b71c5

        • C:\Users\Admin\AppData\Local\PNg2Ui\SystemSettingsAdminFlows.exe

          Filesize

          99KB

          MD5

          1cd118ffa0726cc6d52ba3a30e54ca02

          SHA1

          4c6f5fbb731e0db7d6bec435068f7840032019c0

          SHA256

          288edd6eedb0a59875afe9f298c8c3093622c82eaf5ad5f62409bdc77435ac58

          SHA512

          f591b15f6431c820ce91cf07af6c5fc8cf214578f9049f36828a6357acaba8425c658f10ceab1eb8a863d56ee445fb06be615a60fff1f59e9a560d9f27f6f73d

        • C:\Users\Admin\AppData\Local\PNg2Ui\newdev.dll

          Filesize

          26KB

          MD5

          4d3ffb15f5fbb365f44e4311f01c0be3

          SHA1

          3260bc68775cc3f8cbcad735569156444f714a2e

          SHA256

          84f457e0dd7e4b222eeeb65f7516eed279d372052799c305812def75511a8e70

          SHA512

          ecac7bce370a4c0fd40b9bad4ed9ad9a45e956e1b930f71d4c126b04e64595e75f70ed0c7066c1ba014be61b932e22151e8394e5882d20a8a75c842055634db6

        • C:\Users\Admin\AppData\Local\PNg2Ui\newdev.dll

          Filesize

          17KB

          MD5

          a16b33ad0238bfcc1dad29120617c303

          SHA1

          3511ec7169d7c273d28647c6bd81ad516aa85ba6

          SHA256

          a2750ddccd49739d1896114d3784d90310d8f51eb63846870c79a03421626437

          SHA512

          e9664e1fd61cee27177ebd6cc4bd8bebbe268dad5f5e1d149d7ffdadabc5c21ba47e8c282dda921e563dd93a39fb4e548921171f1f10ba3fbcd5621576ad36ff

        • C:\Users\Admin\AppData\Local\RkSgnqjiZ\VERSION.dll

          Filesize

          56KB

          MD5

          753b4eb952ef4ad40fff6d629e7375b4

          SHA1

          a43f513da158fc08b6ca3d6ed7386d5f1e546467

          SHA256

          a0035356841a033d2b7008a777a84623e93d6df75a33ec9466e258c0e16ea86d

          SHA512

          338f143ade45da7d8e39372bf5c7ce6fe57ee45663f3c781b4d3e5008a6c3a7cd0eb2952b1e66b573db2ec2ac4ad5772bad0a35b5f6ca22a8366d873bb6e86f2

        • C:\Users\Admin\AppData\Local\RkSgnqjiZ\VERSION.dll

          Filesize

          90KB

          MD5

          0eb7db93e6f576aefe118320067e2ee8

          SHA1

          ad654f9b9c95bf0dd9649bcafde5f38eba5f21ea

          SHA256

          1fd6d15a91f6baf16a620415b2fb7fcd688d721abd46c8d7916b481c315e558e

          SHA512

          30e1478e75020f0332891fba3e80b855ad9476c68f5b12185467b7f3069c7172b53e2504b3300f8414e0370c5963eb8c0dc207ba7474b6a6e3132bd6532705d9

        • C:\Users\Admin\AppData\Local\RkSgnqjiZ\unregmp2.exe

          Filesize

          33KB

          MD5

          2d0e30b9e231693f77bec57dc601d6f6

          SHA1

          41e7115645ca8b04efea9e962b776a38f4e93d41

          SHA256

          69072c074b3ce44686c8aeef212334beef5e231c29c30b70303ae262f09b53f8

          SHA512

          a8544c7a6c911930467febc9433a99374f7594e476960ab242469c40672aa422a5b2b4cc12cba96b588998d818c7ca0a7bde711782e21cb836cdf608af7eceb0

        • C:\Users\Admin\AppData\Local\RkSgnqjiZ\unregmp2.exe

          Filesize

          64KB

          MD5

          af7c83528bc2dc5fc085efb7ec613155

          SHA1

          46b6d23ee308a5990f3620dc68672ea5294039a2

          SHA256

          45a34430795632cd804a5bca3017038e62ee9cd4e0c09a1ffd5d7f25785c2a37

          SHA512

          f2d1a6e440749a063665f89bf8706dd12ac2b53907e0ebee7ea6a8ff20e59cdaf22fb44a214a27dbd1b6568b28915fed184168f0bca20e4ac04602c6591e523a

        • C:\Users\Admin\AppData\Local\q0lJQO\DUI70.dll

          Filesize

          74KB

          MD5

          dc10a29f073f93375a5eb6f90d24c88a

          SHA1

          e030546d41fe236a79f75b39d8f7d3d2e917a991

          SHA256

          a0a04956e01750079f378892788cdaa8faa6f173a1bd2fd81685f28249823b18

          SHA512

          a07fd0dcafde5cebb6df020533e4e160b7cfe13e16f196d737899dc47ea2079d1529504dbdc41f826e10ef32d5c002f2b65fbb2ae58118631bd00dcd26b79c21

        • C:\Users\Admin\AppData\Local\q0lJQO\DUI70.dll

          Filesize

          149KB

          MD5

          41f2b2f8cb3cdf4bca07ebe606ae60a2

          SHA1

          2f2d288d8333ee031aca20387c2bd3da3e1f27c2

          SHA256

          af8d26d35ad4e0044c713a8c13335397772e0031259916a2962b78c018999765

          SHA512

          f3854907f0608740f88199fe950a754b14623e579b10bbd59750fcb8c153402c631a197bda50ce84d8d31708d0099c00ccc0ab868d5b74afe7f935dd4d05754e

        • C:\Users\Admin\AppData\Local\q0lJQO\SystemSettingsAdminFlows.exe

          Filesize

          76KB

          MD5

          e1f715b91192831cca3f8cd9a57151cd

          SHA1

          508afaef0c7f952f6049eb1a8c75e30293f9e1a3

          SHA256

          643cb338930be76c88919152f1b11d17e8685bb83a6f7d7127969ccfe9d736b7

          SHA512

          f9114bafc5b251926a8468f4770219b94b39d7e2c11fa2050dfe661fd002070db6333ca76697a03db58610ed018ba6f7f4fd4081f1b71bc1efce063c6d522f33

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Aqwbkkvq.lnk

          Filesize

          1KB

          MD5

          8575ac6dee2801b196a8ce3b655cb8f8

          SHA1

          c3bb53f1cfe1361a6d1856c3d8b03f384200de1d

          SHA256

          019ad295c9d8d9515d62946fc8197814471f8dba5082b90835d84a52a8a7589b

          SHA512

          459e3b168c3fcee642a3253963405ec4e2684c0d9128a0f80117fb27ed1d2f36463640435c5677c491c31c470246dc2644c9874d665831714f4a1fa5a4bea78f

        • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\U2xe0FOyVqb\newdev.dll

          Filesize

          1.7MB

          MD5

          dfab52fcc9773b6a2fdd39bf7fb50eb9

          SHA1

          2571c9c39478766c20e2b989279a3dc9c410239f

          SHA256

          9159cf35b5dc3f86899215a89284c72b3cc14e238c2c832226456550b87638c3

          SHA512

          f7a4169cb6a96edfefaf66a57d3fb9b74088c21ce44fb2a490a955a566ce60ab33febe664a08cfe3f00ea3821762def33e4e0124470f63211c8327abee086b69

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\e9HbDZAVC\VERSION.dll

          Filesize

          1.7MB

          MD5

          4645e2975c4cdef057efdc23dad89f77

          SHA1

          acf8701415557b830856269feb774efdc52da38e

          SHA256

          54cd89b456a69c574c6a12bdcce634a5b2c53b0e525d420c034026545b95c23b

          SHA512

          cf17e1814a30350dfb352d9e01e392b012259469ae772ceee3404ba17d11a672dc0ce551bc6193c83c48670e3bab7773124c7adef3109c838e61fb45500a00a1

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\AlVTlz\DUI70.dll

          Filesize

          2.0MB

          MD5

          68d6a67e801da4c0ce1cd46bb9140c08

          SHA1

          cb6fc02e6ced75d2b8453ee7bedb6ad71ef2d4ad

          SHA256

          157b4dc55b8355a7949a6f6f2ee7b7df542b6dcc138cf916639a87a6aaee3021

          SHA512

          a1de5b291fd36be5dafa8dc6900b68ed13ab273b33ccbc365f90d2d4c31ae34318649ab4bc38c3643c748cc456029306b4df016b94dcdcfb6ca8725d73bff453

        • memory/2056-96-0x0000000140000000-0x0000000140203000-memory.dmp

          Filesize

          2.0MB

        • memory/2056-90-0x0000000140000000-0x0000000140203000-memory.dmp

          Filesize

          2.0MB

        • memory/2056-92-0x0000022CDA300000-0x0000022CDA307000-memory.dmp

          Filesize

          28KB

        • memory/2124-77-0x0000000140000000-0x00000001401BE000-memory.dmp

          Filesize

          1.7MB

        • memory/2124-73-0x00000143E39E0000-0x00000143E39E7000-memory.dmp

          Filesize

          28KB

        • memory/2124-71-0x0000000140000000-0x00000001401BE000-memory.dmp

          Filesize

          1.7MB

        • memory/3400-110-0x0000021BF0A10000-0x0000021BF0A17000-memory.dmp

          Filesize

          28KB

        • memory/3528-20-0x0000000140000000-0x00000001401BD000-memory.dmp

          Filesize

          1.7MB

        • memory/3528-32-0x0000000140000000-0x00000001401BD000-memory.dmp

          Filesize

          1.7MB

        • memory/3528-34-0x0000000140000000-0x00000001401BD000-memory.dmp

          Filesize

          1.7MB

        • memory/3528-33-0x0000000140000000-0x00000001401BD000-memory.dmp

          Filesize

          1.7MB

        • memory/3528-30-0x0000000140000000-0x00000001401BD000-memory.dmp

          Filesize

          1.7MB

        • memory/3528-29-0x0000000140000000-0x00000001401BD000-memory.dmp

          Filesize

          1.7MB

        • memory/3528-38-0x0000000140000000-0x00000001401BD000-memory.dmp

          Filesize

          1.7MB

        • memory/3528-39-0x0000000140000000-0x00000001401BD000-memory.dmp

          Filesize

          1.7MB

        • memory/3528-28-0x0000000140000000-0x00000001401BD000-memory.dmp

          Filesize

          1.7MB

        • memory/3528-27-0x0000000140000000-0x00000001401BD000-memory.dmp

          Filesize

          1.7MB

        • memory/3528-26-0x0000000140000000-0x00000001401BD000-memory.dmp

          Filesize

          1.7MB

        • memory/3528-23-0x0000000140000000-0x00000001401BD000-memory.dmp

          Filesize

          1.7MB

        • memory/3528-21-0x0000000140000000-0x00000001401BD000-memory.dmp

          Filesize

          1.7MB

        • memory/3528-22-0x0000000140000000-0x00000001401BD000-memory.dmp

          Filesize

          1.7MB

        • memory/3528-16-0x0000000140000000-0x00000001401BD000-memory.dmp

          Filesize

          1.7MB

        • memory/3528-40-0x0000000140000000-0x00000001401BD000-memory.dmp

          Filesize

          1.7MB

        • memory/3528-43-0x0000000007F40000-0x0000000007F47000-memory.dmp

          Filesize

          28KB

        • memory/3528-42-0x0000000140000000-0x00000001401BD000-memory.dmp

          Filesize

          1.7MB

        • memory/3528-50-0x0000000140000000-0x00000001401BD000-memory.dmp

          Filesize

          1.7MB

        • memory/3528-51-0x00007FF95A700000-0x00007FF95A710000-memory.dmp

          Filesize

          64KB

        • memory/3528-62-0x0000000140000000-0x00000001401BD000-memory.dmp

          Filesize

          1.7MB

        • memory/3528-36-0x0000000140000000-0x00000001401BD000-memory.dmp

          Filesize

          1.7MB

        • memory/3528-37-0x0000000140000000-0x00000001401BD000-memory.dmp

          Filesize

          1.7MB

        • memory/3528-35-0x0000000140000000-0x00000001401BD000-memory.dmp

          Filesize

          1.7MB

        • memory/3528-31-0x0000000140000000-0x00000001401BD000-memory.dmp

          Filesize

          1.7MB

        • memory/3528-25-0x0000000140000000-0x00000001401BD000-memory.dmp

          Filesize

          1.7MB

        • memory/3528-24-0x0000000140000000-0x00000001401BD000-memory.dmp

          Filesize

          1.7MB

        • memory/3528-5-0x00007FF95885A000-0x00007FF95885B000-memory.dmp

          Filesize

          4KB

        • memory/3528-60-0x0000000140000000-0x00000001401BD000-memory.dmp

          Filesize

          1.7MB

        • memory/3528-41-0x0000000140000000-0x00000001401BD000-memory.dmp

          Filesize

          1.7MB

        • memory/3528-17-0x0000000140000000-0x00000001401BD000-memory.dmp

          Filesize

          1.7MB

        • memory/3528-18-0x0000000140000000-0x00000001401BD000-memory.dmp

          Filesize

          1.7MB

        • memory/3528-19-0x0000000140000000-0x00000001401BD000-memory.dmp

          Filesize

          1.7MB

        • memory/3528-15-0x0000000140000000-0x00000001401BD000-memory.dmp

          Filesize

          1.7MB

        • memory/3528-7-0x0000000140000000-0x00000001401BD000-memory.dmp

          Filesize

          1.7MB

        • memory/3528-14-0x0000000140000000-0x00000001401BD000-memory.dmp

          Filesize

          1.7MB

        • memory/3528-13-0x0000000140000000-0x00000001401BD000-memory.dmp

          Filesize

          1.7MB

        • memory/3528-12-0x0000000140000000-0x00000001401BD000-memory.dmp

          Filesize

          1.7MB

        • memory/3528-11-0x0000000140000000-0x00000001401BD000-memory.dmp

          Filesize

          1.7MB

        • memory/3528-10-0x0000000140000000-0x00000001401BD000-memory.dmp

          Filesize

          1.7MB

        • memory/3528-9-0x0000000140000000-0x00000001401BD000-memory.dmp

          Filesize

          1.7MB

        • memory/3528-4-0x0000000007F60000-0x0000000007F61000-memory.dmp

          Filesize

          4KB

        • memory/4488-8-0x0000000140000000-0x00000001401BD000-memory.dmp

          Filesize

          1.7MB

        • memory/4488-1-0x000002CB076B0000-0x000002CB076B7000-memory.dmp

          Filesize

          28KB

        • memory/4488-0-0x0000000140000000-0x00000001401BD000-memory.dmp

          Filesize

          1.7MB