Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22-01-2024 15:12

General

  • Target: 6fc1300c924c848e73451dec1a26af99.dll
  • Size: 1.5MB
  • MD5: 6fc1300c924c848e73451dec1a26af99
  • SHA1: 356d8a25843e120f2e5974fbd4c2cb992dc4b881
  • SHA256: b18bf10683e2178f9b1f99b4ced10b08880b29eac55ba5d252c34e3b0d70833b
  • SHA512: e5ae18253c6d93810db46d694d798097c1d5706df51889f03faeaa8a12d9de9691c71914f4fc6589c863e4269ad69ec2b041d77a37ea5efe5aaf196f5914b3b2
  • SSDEEP: 12288:LVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:KfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Malware Config

Signatures

  • Dridex
    Dridex (known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
  • Dridex Shellcode (1 IoC)
    Detects Dridex payload shellcode injected in the Explorer process.
  • Executes dropped EXE (3 IoCs)
  • Loads dropped DLL (3 IoCs)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Checks whether UAC is enabled (1 TTP, 4 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of UnmapMainImage (1 IoC)
  • Suspicious use of WriteProcessMemory (10 IoCs)
  • Uses Task Scheduler COM API (1 TTP)
    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\6fc1300c924c848e73451dec1a26af99.dll,#1
    PID:1856
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
  • C:\Windows\system32\dpapimig.exe
    C:\Windows\system32\dpapimig.exe
    PID:2536
    • C:\Users\Admin\AppData\Local\CmtDliaq\dpapimig.exe
      C:\Users\Admin\AppData\Local\CmtDliaq\dpapimig.exe
      PID:3844
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
    • C:\Windows\system32\sppsvc.exe
      C:\Windows\system32\sppsvc.exe
      PID:1708
      • C:\Users\Admin\AppData\Local\38pLgPaHe\sppsvc.exe
        C:\Users\Admin\AppData\Local\38pLgPaHe\sppsvc.exe
        PID:5116
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
      • C:\Windows\system32\mmc.exe
        C:\Windows\system32\mmc.exe
        PID:4740
        • C:\Users\Admin\AppData\Local\iwNTaDx\mmc.exe
          C:\Users\Admin\AppData\Local\iwNTaDx\mmc.exe
          PID:1584
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\38pLgPaHe\XmlLite.dll (57KB)
  • C:\Users\Admin\AppData\Local\38pLgPaHe\XmlLite.dll (62KB)
  • C:\Users\Admin\AppData\Local\38pLgPaHe\sppsvc.exe (92KB)
  • C:\Users\Admin\AppData\Local\38pLgPaHe\sppsvc.exe (68KB)
  • C:\Users\Admin\AppData\Local\CmtDliaq\DUI70.dll (308KB)
  • C:\Users\Admin\AppData\Local\CmtDliaq\DUI70.dll (65KB)
  • C:\Users\Admin\AppData\Local\CmtDliaq\dpapimig.exe (76KB)
  • C:\Users\Admin\AppData\Local\iwNTaDx\DUser.dll (87KB)
  • C:\Users\Admin\AppData\Local\iwNTaDx\DUser.dll (120KB)
  • C:\Users\Admin\AppData\Local\iwNTaDx\mmc.exe (84KB)
  • C:\Users\Admin\AppData\Local\iwNTaDx\mmc.exe (80KB)
  • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Wdush.lnk (1KB)
  • C:\Users\Admin\AppData\Roaming\Microsoft\Protect\kVNM3Eq\XmlLite.dll (1.5MB)
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\aCrC2c\DUser.dll (1.5MB)
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\aCrC2c\mmc.exe (67KB)
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\fJ\DUI70.dll (1.8MB)
