Analysis

  • max time kernel: 151s
  • max time network: 150s
  • platform: windows10-2004_x64
  • resource: win10v2004-20231215-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 20-01-2024 17:41

General

  • Target: 6b0a5e806359b4b92fc00861e1bf8bff.dll
  • Size: 3.2MB
  • MD5: 6b0a5e806359b4b92fc00861e1bf8bff
  • SHA1: a4fccec989a80717b2561e7ee9e049406e6d8449
  • SHA256: 7687e9f3abc61ee051493a66f54044eea80c149788100ff4295211af104676cb
  • SHA512: 491512bfc8cf2ceabe5d36137820711af46091bbbf64751eb93f0a90361ee8a347959b6227a77285ebf8528d9e12ff9f1d2175df9039c99f3586070859bfae66
  • SSDEEP: 12288:rVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:qfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a banking trojan that specializes in stealing bank credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex payload shellcode injected into the Explorer process.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\6b0a5e806359b4b92fc00861e1bf8bff.dll,#1
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:4040
  • C:\Windows\system32\ddodiag.exe
    C:\Windows\system32\ddodiag.exe
    PID:4528
  • C:\Users\Admin\AppData\Local\2iF5zG\ddodiag.exe
    C:\Users\Admin\AppData\Local\2iF5zG\ddodiag.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:4996
  • C:\Windows\system32\EaseOfAccessDialog.exe
    C:\Windows\system32\EaseOfAccessDialog.exe
    PID:1724
  • C:\Users\Admin\AppData\Local\ygDgV5C1\EaseOfAccessDialog.exe
    C:\Users\Admin\AppData\Local\ygDgV5C1\EaseOfAccessDialog.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:1832
  • C:\Windows\system32\SystemSettingsAdminFlows.exe
    C:\Windows\system32\SystemSettingsAdminFlows.exe
    PID:2868
  • C:\Users\Admin\AppData\Local\duSHcq\SystemSettingsAdminFlows.exe
    C:\Users\Admin\AppData\Local\duSHcq\SystemSettingsAdminFlows.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:1436
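The process tree shows the pattern worth extracting from this report: three genuine System32 binaries (ddodiag.exe, EaseOfAccessDialog.exe, SystemSettingsAdminFlows.exe) are copied into fresh directories under AppData\Local and re-run from there, and the Downloads section below shows that each copy sits next to a DLL named after a library that ships in System32 (XmlLite.dll, DUser.dll, DUI70.dll). A binary loads such a DLL from its own directory before the system copy, so the planted DLL runs under a signed Microsoft process (DLL search-order hijacking, the loader Dridex is known for). The following Python triage helper is an added example, not code from the sandbox or from the report: it pairs the dropped files into side-loading sets, lists paths that were written more than once with different content, and picks out the Startup-folder persistence artifact. Paths, sizes and MD5s are copied from the report; the pairing rules, the `Dropped` record type and the function names are this example's own assumptions.

```python
"""Side-loading triage over the dropped files in this report.

Added example, not code from the sandbox or from the report. Paths, sizes
and MD5s are copied from the report; the pairing rules and names are ours.
"""
import ntpath
import re
from collections import defaultdict
from dataclasses import dataclass

SYSTEM32 = r"c:\windows\system32"


@dataclass(frozen=True)
class Dropped:
    path: str
    size: str
    md5: str


# Process tree from the report: System32 originals and the AppData copies.
PROCESS_TREE = [
    r"C:\Windows\system32\rundll32.exe",
    r"C:\Windows\system32\ddodiag.exe",
    r"C:\Users\Admin\AppData\Local\2iF5zG\ddodiag.exe",
    r"C:\Windows\system32\EaseOfAccessDialog.exe",
    r"C:\Users\Admin\AppData\Local\ygDgV5C1\EaseOfAccessDialog.exe",
    r"C:\Windows\system32\SystemSettingsAdminFlows.exe",
    r"C:\Users\Admin\AppData\Local\duSHcq\SystemSettingsAdminFlows.exe",
]

# Dropped files from the report's Downloads section (path, size, MD5).
LOCAL = r"C:\Users\Admin\AppData\Local"
ROAMING = r"C:\Users\Admin\AppData\Roaming"
DROPPED = [
    Dropped(LOCAL + r"\2iF5zG\XmlLite.dll", "158KB", "deee50d10ae72bb742b42cd7c86edaed"),
    Dropped(LOCAL + r"\2iF5zG\XmlLite.dll", "5KB", "15167b9af8291e0d6af123ffd20d44d1"),
    Dropped(LOCAL + r"\2iF5zG\ddodiag.exe", "39KB", "85feee634a6aee90f0108e26d3d9bc1f"),
    Dropped(LOCAL + r"\duSHcq\DUI70.dll", "167KB", "cbec2db00a4bb653a1c5b8c69edea31d"),
    Dropped(LOCAL + r"\duSHcq\DUI70.dll", "321KB", "fb0849152995b0a98c3868357292c623"),
    Dropped(LOCAL + r"\duSHcq\SystemSettingsAdminFlows.exe", "237KB", "325562720d6aa6eb20cc2b8ecef49884"),
    Dropped(LOCAL + r"\duSHcq\SystemSettingsAdminFlows.exe", "57KB", "094e356c4b9a9e7bf90cb827f93ead3a"),
    Dropped(LOCAL + r"\ygDgV5C1\DUser.dll", "418KB", "ad67707c1856cf3a6bb04027e6489c96"),
    Dropped(LOCAL + r"\ygDgV5C1\DUser.dll", "271KB", "ea2f7ed0798f4795e8dfdfa1b3af4caa"),
    Dropped(LOCAL + r"\ygDgV5C1\EaseOfAccessDialog.exe", "123KB", "e75ee992c1041341f709a517c8723c87"),
    Dropped(ROAMING + r"\MICROS~1\Windows\STARTM~1\Programs\Startup\Dyngdiaoitf.lnk", "1KB", "5adbbd74eee1417a342568bdd1650b3a"),
    Dropped(ROAMING + r"\Microsoft\Windows\Recent\AutomaticDestinations\CAS2M1KTt\DUser.dll", "3.2MB", "6c7e663925c2f6c65bb904a9b3721f9b"),
    Dropped(ROAMING + r"\Microsoft\Windows\Start Menu\Programs\System Tools\8148Is\9fEWSgBS\DUI70.dll", "3.5MB", "0cf106ac4ef4e179eb1f6046ed11cca3"),
    Dropped(ROAMING + r"\Microsoft\Windows\Start Menu\Programs\System Tools\8148Is\XmlLite.dll", "3.2MB", "fd9ef5b903a08c01a5f580e32d522fa8"),
]

# Per-user Startup folder, in both its long and its 8.3 short-name spelling.
STARTUP_RE = re.compile(r"\\(start menu|startm~1)\\programs\\startup\\[^\\]+\.lnk$", re.I)


def system32_names(tree):
    """Lower-case basenames of everything the tree launched from System32."""
    return {ntpath.basename(p).lower() for p in tree
            if ntpath.dirname(p).lower() == SYSTEM32}


def sideload_candidates(dropped, tree):
    """Directories outside System32 holding a copy of a System32 binary plus
    at least one DLL. Returns {directory: (exe name, sorted DLL names)}."""
    legit = system32_names(tree)
    by_dir = defaultdict(set)
    for d in dropped:
        by_dir[ntpath.dirname(d.path)].add(ntpath.basename(d.path))
    found = {}
    for directory, names in by_dir.items():
        if directory.lower() == SYSTEM32:
            continue
        exes = sorted(n for n in names if n.lower() in legit)
        dlls = sorted(n for n in names if n.lower().endswith(".dll"))
        if exes and dlls:
            found[directory] = (exes[0], dlls)
    return found


def multi_hash_paths(dropped):
    """Paths written more than once with different content. A block list
    built from the first hash seen would miss the later write."""
    seen = defaultdict(set)
    for d in dropped:
        seen[d.path].add(d.md5)
    return {p: sorted(h) for p, h in seen.items() if len(h) > 1}


def startup_persistence(dropped):
    """.lnk files dropped into the per-user Startup folder."""
    return [d.path for d in dropped if STARTUP_RE.search(d.path)]


if __name__ == "__main__":
    for directory, (exe, dlls) in sorted(sideload_candidates(DROPPED, PROCESS_TREE).items()):
        print(f"side-load: {directory}  {exe} + {', '.join(dlls)}")
    for path, md5s in multi_hash_paths(DROPPED).items():
        print(f"rewritten: {path}  {' / '.join(md5s)}")
    for path in startup_persistence(DROPPED):
        print(f"persistence: {path}")
```

On this report the helper yields three side-loading sets (2iF5zG, duSHcq, ygDgV5C1), four paths that carry two different hashes each, and the Dyngdiaoitf.lnk Startup entry. The multi-hash point matters for response: the planted DLL and even the copied EXE are overwritten during the run, so a block list or YARA hash rule built from a single snapshot covers only one of the two writes.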

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\2iF5zG\XmlLite.dll
    Filesize: 158KB
    MD5: deee50d10ae72bb742b42cd7c86edaed
    SHA1: 81d5b748bd2b429245e62b34b3c7939e68c115d8
    SHA256: 407f88db24b1106e95975f81ad1bf515d3d6dd06f8e8bacbd3c2562301ada020
    SHA512: 7288ae0da2a7ba51ddbcf288aca80d0ac96b8546013d27bdc7ad9ccd8f21b4841db962290012f7c4e472321c3d0bf3aa04772270fe757e2a5482259f1ad88d6a
  • C:\Users\Admin\AppData\Local\2iF5zG\XmlLite.dll
    Filesize: 5KB
    MD5: 15167b9af8291e0d6af123ffd20d44d1
    SHA1: 6ee6cec69aabc5c95b2c63ea6b3941e664aaa3d1
    SHA256: 2beaeb66bcd73a79fe997cd971bdd67a9cb3ce0c13cb595db27417a83578ed91
    SHA512: c3022bcaefd79e3b2aae01f576b5f77c2a436aa8d2171339bc03facde98d1fdab3e81046f4c3e8b933cf423013c5ad5930748002a820237f9906f83be348a5c0
  • C:\Users\Admin\AppData\Local\2iF5zG\ddodiag.exe
    Filesize: 39KB
    MD5: 85feee634a6aee90f0108e26d3d9bc1f
    SHA1: a7b1fa32fe7ed67bd51dea438f2f767e3fef0ca2
    SHA256: 99c63175504781e9278824d487da082da7c014e99f1024227af164986d3a27c6
    SHA512: b81a3e1723a5180c5168cd7bb5181c631f4f57c59780bb82a502160b7874777f3eef1ebe1b14f66c97f9f1a4721af13b6fbcdff2045c8563c18b5d12540953ff
  • C:\Users\Admin\AppData\Local\duSHcq\DUI70.dll
    Filesize: 167KB
    MD5: cbec2db00a4bb653a1c5b8c69edea31d
    SHA1: 92c2d6dc9351da341a80003da9de54a28aab1ab4
    SHA256: acee873d72b1f06f59a1a6f0959af82a025464148bb740cf0a6a9bb5e76945cd
    SHA512: 558aae5f1f75367702474ae3d33c68a01de85828c9c01b38e16ae23accd22e9c69b5c929abd66de523cfab18191532485a67afe73a80bc9a669308cdeb470aa8
  • C:\Users\Admin\AppData\Local\duSHcq\DUI70.dll
    Filesize: 321KB
    MD5: fb0849152995b0a98c3868357292c623
    SHA1: 7e315b0d28e5803bf3fe3a4bc6081658371f0648
    SHA256: 23d44719b42de6bd2c4da2d10a2a8ac8d32f9ef44a4434cc852f69d062ba6dae
    SHA512: e7703d2c64f492ebe8446d905fd4cb259b616a8c6917860937aeff6a3f558b31aa0911d8add2b74e1746705756f45c79bec8da0491cedcddd575709cad33cdad
  • C:\Users\Admin\AppData\Local\duSHcq\SystemSettingsAdminFlows.exe
    Filesize: 237KB
    MD5: 325562720d6aa6eb20cc2b8ecef49884
    SHA1: c8424c2c4c14870c75d380cbf80f4ade68ccc38e
    SHA256: 620bef9fdd5b589960ba4d75a6feb214eb75bdfba21b25869ddbe3e38777d082
    SHA512: c0b8e7a77ae2dcec09d1268c7d9ea7fec4d804bf1afab781aa6910116b1cbe6e9f7b92ee153d96f5458f1d9d88d3831687763ee862deb0f92a3361d7fd3d24aa
  • C:\Users\Admin\AppData\Local\duSHcq\SystemSettingsAdminFlows.exe
    Filesize: 57KB
    MD5: 094e356c4b9a9e7bf90cb827f93ead3a
    SHA1: 41f1f988ad7a36c232b45dc6fddd1f5e892b008c
    SHA256: e3d0982cbf71c6f758f8327fe6a2e5d2dcb382436497151ce6ae48e384cfc22d
    SHA512: 20104e2c187213bf6be4edca24efaf25caee3977db7810ec29c15a564e76d951a6f63f9a1afa1f68d1af1a65a170bd857a55d26472a836182da489c164d7ecfb
  • C:\Users\Admin\AppData\Local\ygDgV5C1\DUser.dll
    Filesize: 418KB
    MD5: ad67707c1856cf3a6bb04027e6489c96
    SHA1: fce271e41241ff67cbb2de8a09b3d618bff1e093
    SHA256: 755e3a45ee17b6e45f9e0ac221bbd4e05dca3f373725b55d87355a16063d76a4
    SHA512: 68b027d7f6f847b30ee654a2bada172e587fb6237532c2380d388215b3276ce53a6a0f68cad39f8aa47d7dd0f82f284ffc36b183bf64e35872cca488de1abbac
  • C:\Users\Admin\AppData\Local\ygDgV5C1\DUser.dll
    Filesize: 271KB
    MD5: ea2f7ed0798f4795e8dfdfa1b3af4caa
    SHA1: b14e38afa9ad8c4d369eea9bee26d1b4cc245c5e
    SHA256: d26f41e8d6afda3eade338bf4416c05ecbe13f82446288f56f5230791619f15b
    SHA512: 02b010bce82fc2cfb1f68e8449c2fe828a361d43153b1d41213594ada22836c3669f6aca27d93b7da781dc2c3b0865630b80fd9c67404a7f6771d54c858deceb
  • C:\Users\Admin\AppData\Local\ygDgV5C1\EaseOfAccessDialog.exe
    Filesize: 123KB
    MD5: e75ee992c1041341f709a517c8723c87
    SHA1: 471021260055eac0021f0abffa2d0ba77a2f380e
    SHA256: 0b1731562413eaa972b373cd7388c644a3059940ce67eb89668e4073f3e068dc
    SHA512: 48c3a8531df6bcc5077367cdf32af104c94cf7701118a85e8beabba2e9c4f511ae14e47b6d1b57d11a2bc1e8b4f6d5bacae27a8d16fcd09a8f9e0018f5a6370a
  • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dyngdiaoitf.lnk
    Filesize: 1KB
    MD5: 5adbbd74eee1417a342568bdd1650b3a
    SHA1: a55df6a2b7a57fc52e35396ebc6740a5b03da675
    SHA256: be5cd6627b0b1c9762b5144179cdc458835fcf5f0232a00baf65d3321fc935d1
    SHA512: 26fcbd3edc0652c849c551213820c58dff7134ef230e49de9e1f1943ebac041ed4d5e45f09cea687b02671d2d0141b3cc2ed0f363c7062220242233d3b1ef4ac
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\CAS2M1KTt\DUser.dll
    Filesize: 3.2MB
    MD5: 6c7e663925c2f6c65bb904a9b3721f9b
    SHA1: d225029169cb8e05fb64cdd1bdcb1802b1694c3a
    SHA256: 1a1b07837db7cc5adb87ca41e27e268b0812db8d165dc32bd5892f7e38e6e966
    SHA512: 5defad9db3376f70bd0637c696a9d062d6efcfbb7e26d6e77b446db69ccffa6cbd64df1e0cac3b5928ce40c01a785c7bf3366664d39fc4c61ac2d0742d622cb5
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\8148Is\9fEWSgBS\DUI70.dll
    Filesize: 3.5MB
    MD5: 0cf106ac4ef4e179eb1f6046ed11cca3
    SHA1: b47bc9af1d4851a639317fd73f8adb0284663b9b
    SHA256: e43254c2bd6f9fc83024e530948fb4ec32614fd2b2f7f1073580c966ff42f130
    SHA512: 036169370627843be89d6a59c3351f0f5f937247fd7cbca1d96deb1cc1b56665ce09e396923f9890056505075a0f72aaae8ea321eef37aac7e7084daaaf56323
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\8148Is\XmlLite.dll
    Filesize: 3.2MB
    MD5: fd9ef5b903a08c01a5f580e32d522fa8
    SHA1: dc5b9bf88ee193391e12e3e155f3a740f5521654
    SHA256: ad21945b2d63a28f639c6db66262b3ea8f21fe9c49c76ae7f30963e3ce238fc3
    SHA512: cb6ee74565f019177048c5c61c9af1f03753a7e4ed69f244cb74f9a3de8d673aeb20ffe8393bd5258bd8b387cc70879afe2291f6626c073713e6304c2828fe9a

  • memory/1436-130-0x00000180269D0000-0x00000180269D7000-memory.dmp: 28KB
  • memory/1832-113-0x000001D5EF980000-0x000001D5EF987000-memory.dmp: 28KB
  • memory/3516-4-0x0000000002E70000-0x0000000002E71000-memory.dmp: 4KB
  • memory/3516-5-0x00007FFFDB45A000-0x00007FFFDB45B000-memory.dmp: 4KB
  • memory/3516-N-0x0000000140000000-0x0000000140339000-memory.dmp: 3.2MB, for N = 7 and N = 9 through 65 (58 captures of the same region)
  • memory/3516-67-0x0000000000E80000-0x0000000000E87000-memory.dmp: 28KB
  • memory/3516-76-0x00007FFFDBDA0000-0x00007FFFDBDB0000-memory.dmp: 64KB
  • memory/4040-0-0x0000018721750000-0x0000018721757000-memory.dmp: 28KB
  • memory/4040-1-0x0000000140000000-0x0000000140339000-memory.dmp: 3.2MB
  • memory/4040-8-0x0000000140000000-0x0000000140339000-memory.dmp: 3.2MB
  • memory/4996-96-0x0000020200390000-0x0000020200397000-memory.dmp: 28KB
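Two things in the memory-dump list are easy to miss when it is read entry by entry: the same 0x140000000-0x140339000 region (0x339000 bytes, the 3.2MB of the submitted DLL) is mapped both in the rundll32 loader (PID 4040) and in PID 3516, and PID 3516 appears nowhere in the process tree. Read together with the WriteProcessMemory and UnmapMainImage signatures and the shellcode signature naming Explorer, that is consistent with the sample's image being written into a process that already existed before the run, though the report itself does not name PID 3516. The following Python summariser is an added example, not code from the sandbox or from the report: it parses the dump names, groups captures per PID and region, separates the small 28KB/4KB/64KB captures from image-sized mappings, and lists PIDs that own a dump but are absent from the process tree. Dump names are copied from the report (a subset of the 58 identical PID 3516 captures); the tree PID set, the 1 MiB "image-sized" cut-off and the function names are this example's assumptions.

```python
"""Collapse the memory-dump list of this report into one line per region.

Added example, not code from the sandbox or from the report. Dump names are
copied from the report; the PID set, cut-off and function names are ours.
"""
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

# PIDs shown in the report's process tree (assumed complete for this run).
TREE_PIDS = {4040, 4528, 4996, 1724, 1832, 2868, 1436}

# Dump names from the report. The 0x140000000 region of PID 3516 is captured
# 58 times in the report; three of those captures are enough here.
DUMPS = [
    "memory/1436-130-0x00000180269D0000-0x00000180269D7000-memory.dmp",
    "memory/1832-113-0x000001D5EF980000-0x000001D5EF987000-memory.dmp",
    "memory/3516-4-0x0000000002E70000-0x0000000002E71000-memory.dmp",
    "memory/3516-5-0x00007FFFDB45A000-0x00007FFFDB45B000-memory.dmp",
    "memory/3516-7-0x0000000140000000-0x0000000140339000-memory.dmp",
    "memory/3516-9-0x0000000140000000-0x0000000140339000-memory.dmp",
    "memory/3516-65-0x0000000140000000-0x0000000140339000-memory.dmp",
    "memory/3516-67-0x0000000000E80000-0x0000000000E87000-memory.dmp",
    "memory/3516-76-0x00007FFFDBDA0000-0x00007FFFDBDB0000-memory.dmp",
    "memory/4040-0-0x0000018721750000-0x0000018721757000-memory.dmp",
    "memory/4040-1-0x0000000140000000-0x0000000140339000-memory.dmp",
    "memory/4040-8-0x0000000140000000-0x0000000140339000-memory.dmp",
    "memory/4996-96-0x0000020200390000-0x0000020200397000-memory.dmp",
]


def parse_dump(name):
    """Return (pid, capture index, start, end) from a dump file name."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a dump name: {name}")
    return int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)


def regions_by_pid(names):
    """{pid: {(start, end): [capture indices]}}"""
    out = defaultdict(lambda: defaultdict(list))
    for n in names:
        pid, idx, start, end = parse_dump(n)
        out[pid][(start, end)].append(idx)
    return out


def image_sized_regions(names, min_size=1 << 20):
    """Regions of at least min_size bytes, the only ones large enough to hold
    the submitted 3.2MB DLL. Returns sorted (pid, start, size, captures)."""
    hits = []
    for pid, regs in regions_by_pid(names).items():
        for (start, end), idxs in regs.items():
            if end - start >= min_size:
                hits.append((pid, start, end - start, len(idxs)))
    return sorted(hits)


def untracked_pids(names, tree_pids=TREE_PIDS):
    """PIDs that own a dump but never appear in the process tree."""
    return sorted({parse_dump(n)[0] for n in names} - set(tree_pids))


if __name__ == "__main__":
    for pid, start, size, captures in image_sized_regions(DUMPS):
        print(f"pid {pid}: 0x{start:X} {size // 1024}KB, captured {captures}x")
    print("PIDs outside the process tree:", untracked_pids(DUMPS))
```

For the full list the same grouping leaves PID 3516 with five distinct regions, one of them the 3.2MB image captured 58 times, which is where an analyst would pull the unpacked payload from rather than from any of the small 28KB stubs.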