Analysis

  • max time kernel
    0s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25-01-2024 01:58

General

  • Target

    736f4c09867897af390e3e0bf50a0b23.dll

  • Size

    3.5MB

  • MD5

    736f4c09867897af390e3e0bf50a0b23

  • SHA1

    3194159767a1ca1c25f18e33b5f790394c9f5cd9

  • SHA256

    fee679a74d93c6adee409515fdf168e955e056dae2949cbf848a48e03a8ac97d

  • SHA512

    3c33731da1c256f43480f8b6e9480209a9f65dcefd9ea45f3bfa754e8f21fa022dca160f227fd223da04027d692e7001ed19882e0c3ba60962d79c119b76d497

  • SSDEEP

    12288:SVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:PfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Malware Config

Signatures

  • Dridex

    Dridex (known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\736f4c09867897af390e3e0bf50a0b23.dll,#1
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:4752
  • C:\Windows\system32\rdpinit.exe
    C:\Windows\system32\rdpinit.exe
    PID:2324
  • C:\Windows\system32\tabcal.exe
    C:\Windows\system32\tabcal.exe
    PID:2572
  • C:\Users\Admin\AppData\Local\I1dV\tabcal.exe
    C:\Users\Admin\AppData\Local\I1dV\tabcal.exe
    PID:3820
  • C:\Users\Admin\AppData\Local\4QvI\unregmp2.exe
    C:\Users\Admin\AppData\Local\4QvI\unregmp2.exe
    PID:776
  • C:\Windows\system32\unregmp2.exe
    C:\Windows\system32\unregmp2.exe
    PID:1164
  • C:\Users\Admin\AppData\Local\ouTw\rdpinit.exe
    C:\Users\Admin\AppData\Local\ouTw\rdpinit.exe
    PID:652

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\4QvI\VERSION.dll
    Filesize: 48KB
    MD5: 0ab3ef9eb975e98a5a16da5284e6cbeb
    SHA1: 232f41fb251f1afabae748d01b98af258bdd9d32
    SHA256: 4613bf931ff2a64db868f799ed322faa1c91b2501a80b8a2c3794101aca7ead8
    SHA512: bcbf42d3b3b81c1cd15e76389437b7cd3fc66d2e4ce3c7afde552788cac651f18d8cdad732c9f6fba3038ed96304d2af8e55800db9e5d22d283f581db88f58c2
  • C:\Users\Admin\AppData\Local\4QvI\VERSION.dll
    Filesize: 37KB
    MD5: cc5ef8a99065f897429bfcbb4d006182
    SHA1: 2394913f7fc638a64a2e80a61d20e00fd18db933
    SHA256: 94361032eb2f48f73c9dad85977445b7a6f309ca5b96ffd66895bcb89c2a06c4
    SHA512: 8172b99525a871348d38636aedebe2a98306d7c4d7ff01aadb2d058732fd4c2e1543dfd7685ede32f3dc743e152391c71fb9c0d9cb0cd9852cc98c458a2228b5
  • C:\Users\Admin\AppData\Local\4QvI\unregmp2.exe
    Filesize: 10KB
    MD5: dd816d990e088461d2effcc101016437
    SHA1: fd280d5678bb2457821bcae025a364f557b73ff2
    SHA256: 53de8ba90bc45a2e781b110438dc54327225556e9340448bc79cf36bfa9946cd
    SHA512: 3c453757be6e198305d53c6edb2a5b5dffd947bdc5e09d77a053e27119f9fe7283a34541dccd655c2c894261a6270c986a01a4a4af97e2fad20dfd2df9173fa5
  • C:\Users\Admin\AppData\Local\4QvI\unregmp2.exe
    Filesize: 36KB
    MD5: 0114a6dde0ac90a0958e935f8d60d00a
    SHA1: ea0685a568f273d103b1f5f276939063f6926293
    SHA256: a7a1b91ef43934111c1900486d446157587a592d3a4bd25389c29674ba690e10
    SHA512: 24f2c7cce2dd65ad5b816ba5a117b36a62bcb38166ca40953246bd5b8329f54fbefaf1dd766f8c7213e192a792d56560f0d50d02c5032b1b32440dbd6bcc1eb4
  • C:\Users\Admin\AppData\Local\I1dV\HID.DLL
    Filesize: 37KB
    MD5: 134a973f4be89dff7dda8569df5c90d4
    SHA1: e6141f063d896c13a43ba7961be87e085b73391d
    SHA256: e88491164066572aec8f0eba853d88baaa16c8cac62c5df5df179854ea5f524c
    SHA512: dd3d305b58877624a431202c6f58cab70817d72d6ead53238efa43735e43ebd09e7d01fa60389f68830ccbe38515d021f808d9d6f214dacec1039450417df426
  • C:\Users\Admin\AppData\Local\I1dV\HID.DLL
    Filesize: 64KB
    MD5: 29e420e28b5c434713e2a26a3162c9e4
    SHA1: aa9db52988713e5c884b6b5d16073ccccbf5d889
    SHA256: 8c431afad454a6eef73df50bfbc95d056909e1dea35fc0b2126dbd6f44ca24e7
    SHA512: 7620265e0f3606618dc83640b91e7b5e2b0fe14c8b2db5ad5920b9d3e890924bf2c64f55a954211cd52d5cda0923d424e5c61fb407c8bf7454814382dde72dcd
  • C:\Users\Admin\AppData\Local\I1dV\tabcal.exe
    Filesize: 58KB
    MD5: 06e9b28a3b363ca0e48f18838f2a83a5
    SHA1: 9b4a30a7ec7dfff854cec32aa80026bcf97dddd9
    SHA256: 49dc58405aaaf780343ba83308d073b017e5857af73ce26e3a947a79b66ebd61
    SHA512: 25b0f2e458e3b35850dc7a65a7ee45fe12c238dbb2d0ad55538d9cf858712cc2c8de4da6f9394b645dbfdf112a51fd295c6d75377df16debd96c6c3d35b8be24
  • C:\Users\Admin\AppData\Local\I1dV\tabcal.exe
    Filesize: 12KB
    MD5: 80fa3f2ef26e9907a4a563ab895270f6
    SHA1: 6866489f96f66dcf3b299eb0af690987a8eccd5b
    SHA256: d16c9df8f5be3249379537a03f787d8a10ed5545285d7a150006c2534374c8d1
    SHA512: c9cae8bc9b070bb56860597688c4426fb30009e6bf5caa13c1abd98d242344b505227c4476f5e575f740830ab2862f17fdfcbc850cae84b8cf477cde7d0de11f
  • C:\Users\Admin\AppData\Local\ouTw\dwmapi.dll
    Filesize: 27KB
    MD5: c5eb6e49fca25b6fe96bcef681b2d834
    SHA1: 3564b4a46b51505ba014ec3e56c957be8bd8c2f2
    SHA256: 2e822b974cf59d7c5cb35ae6268ac5dd4ac1b6ef66aa64ba405f5d68ca27517d
    SHA512: 5ad8d6356ed4bec81a8b78793ee9381d575958cf215e99f929cbfdebd9e9bc49310edf607c207776759dcf8f69573ada5a357ec4e7c0462341fc3e2a4492e6c4
  • C:\Users\Admin\AppData\Local\ouTw\dwmapi.dll
    Filesize: 12KB
    MD5: 2b8f1bba13981c24e973a5200953697d
    SHA1: 9beb70b38b464c3a84a8c6a7484de7fbd9091e36
    SHA256: 579096f8d85d13b16a86eebd75bcbf051702d3b945bce47789ced46471031adf
    SHA512: 490a1df25fb6b7ade00c1a48947b827aeed183075e75fca6aa8b4b92ed88adae5bb4041173583f7c40675cf23d117a77aa7dbd661b4b5baaa5e6c619e26e25f7
  • C:\Users\Admin\AppData\Local\ouTw\rdpinit.exe
    Filesize: 19KB
    MD5: d1aa2f6b121ee1720bc96c43586d53e4
    SHA1: fb9a4add8819166517ef41ea6e339a159d78a678
    SHA256: f16051cc00f9a09b4edbd36c90db27ff473c0a30a98e4d140b7fa542aa5d7a2a
    SHA512: a8037698f8708616c2502dc14f62afa5e0d755d41ee526881fc48b5c0c6c92a4cc86861f300f210722384e4258dd4a55e2b6494b77c841dea4450f357240746d
  • C:\Users\Admin\AppData\Local\ouTw\rdpinit.exe
    Filesize: 64KB
    MD5: 8a6bd96793482deb5ba0b4480507ef68
    SHA1: beacb9719b6dba6475779a78d7566408552a5e7b
    SHA256: 275a8bd3c97affabccc37e50e431ae473b7f5a7dab735420bc75875dc00750ed
    SHA512: 2034634c3c1a781fbf90f76255141ff6d4d101fedccfae165a1b56dafbfcde4dc345f2804d03addf48613f5866619a2de1c99d92c749e35d58f03eee9399e3d6
  • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Iydemppuyghrhln.lnk
    Filesize: 1KB
    MD5: 4a77fd1cb398a293be6fbeaa1a9fa43c
    SHA1: 8e9f6a2e970860f263df18914bacb182285dee86
    SHA256: a7afd238100140185208f1bcde06643f9804ac002b88d634265a10bde9b96cd3
    SHA512: 67a235fb2166f78bfaab0227dead3d9a5a8ea4003c59c7f10242d449205fe7f7e9e37da36f3ba954cf37328623c89bbb832ee45b065c6c4d29154a2094d32603
  • C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\xS7DOTg4YA\VERSION.dll
    Filesize: 83KB
    MD5: 9ece18e459dcc1d0244185a118600d25
    SHA1: 1f519661af4f4cf8e31d76b46cf973659fcefa3f
    SHA256: f95677f22210a378df2a30626dae7653091a1dfbca6894573876d1d8932a6f4b
    SHA512: 9e31a58ac620683f223875d441e89b6be382acb8351526da62d37a1708751774956dd0820f2625525b7146bf26029a72f070251838da4d609e1d521d4f27f5a7
  • C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\mXH1SS4Scy\dwmapi.dll
    Filesize: 156KB
    MD5: 374b1a87db7a944d44f90b8ea6ba0e2a
    SHA1: d7670aeb3878be26113f8735239937df99e4520d
    SHA256: e23c4e81843af1a169980dc56bf99c3decbaf07a2214695039b99c0ce8a912d7
    SHA512: 3d7adad8406cdd17d3608735d500fa57822eb49d5d4d1444e8cfaa49ead730d0784de3a04e4c0cf49b70daf07a52267b85d68b8ce8c3f7dec872fde7ab2d7dbe
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\NLv9\HID.DLL
    Filesize: 9KB
    MD5: d243039eba4df7ffc30ddea5c6c67294
    SHA1: 07c66e1669705ac708452e715f5f5fee013b4740
    SHA256: a1e15f2a9d6a38eecb215b09cf8a2ba7da89f6fb943f303117526f938f656393
    SHA512: defe15e24d3431ceb6c5b026830378637b121398c7e70e142eb39d4a1a64907fe4600897d922ebaef98a1e68f7285c958d6d123a7102b6e80ec860ce8a00e434

  • memory/652-102-0x000001DCE2EC0000-0x000001DCE2EC7000-memory.dmp
    Filesize: 28KB
  • memory/652-106-0x0000000140000000-0x000000014037B000-memory.dmp
    Filesize: 3.5MB
  • memory/652-99-0x0000000140000000-0x000000014037B000-memory.dmp
    Filesize: 3.5MB
  • memory/776-144-0x0000000140000000-0x000000014037B000-memory.dmp
    Filesize: 3.5MB
  • memory/776-139-0x0000024F73960000-0x0000024F73967000-memory.dmp
    Filesize: 28KB
  • memory/776-137-0x0000000140000000-0x000000014037B000-memory.dmp
    Filesize: 3.5MB
  • memory/3560-25-0x0000000140000000-0x000000014037A000-memory.dmp
    Filesize: 3.5MB
  • memory/3560-50-0x0000000140000000-0x000000014037A000-memory.dmp
    Filesize: 3.5MB
  • memory/3560-27-0x0000000140000000-0x000000014037A000-memory.dmp
    Filesize: 3.5MB
  • memory/3560-28-0x0000000140000000-0x000000014037A000-memory.dmp
    Filesize: 3.5MB
  • memory/3560-31-0x0000000140000000-0x000000014037A000-memory.dmp
    Filesize: 3.5MB
  • memory/3560-33-0x0000000140000000-0x000000014037A000-memory.dmp
    Filesize: 3.5MB
  • memory/3560-35-0x0000000140000000-0x000000014037A000-memory.dmp
    Filesize: 3.5MB
  • memory/3560-34-0x0000000140000000-0x000000014037A000-memory.dmp
    Filesize: 3.5MB
  • memory/3560-36-0x0000000140000000-0x000000014037A000-memory.dmp
    Filesize: 3.5MB
  • memory/3560-38-0x0000000140000000-0x000000014037A000-memory.dmp
    Filesize: 3.5MB
  • memory/3560-39-0x0000000140000000-0x000000014037A000-memory.dmp
    Filesize: 3.5MB
  • memory/3560-37-0x0000000140000000-0x000000014037A000-memory.dmp
    Filesize: 3.5MB
  • memory/3560-40-0x0000000140000000-0x000000014037A000-memory.dmp
    Filesize: 3.5MB
  • memory/3560-32-0x0000000140000000-0x000000014037A000-memory.dmp
    Filesize: 3.5MB
  • memory/3560-30-0x0000000140000000-0x000000014037A000-memory.dmp
    Filesize: 3.5MB
  • memory/3560-42-0x0000000140000000-0x000000014037A000-memory.dmp
    Filesize: 3.5MB
  • memory/3560-44-0x0000000140000000-0x000000014037A000-memory.dmp
    Filesize: 3.5MB
  • memory/3560-49-0x0000000140000000-0x000000014037A000-memory.dmp
    Filesize: 3.5MB
  • memory/3560-52-0x0000000140000000-0x000000014037A000-memory.dmp
    Filesize: 3.5MB
  • memory/3560-53-0x0000000140000000-0x000000014037A000-memory.dmp
    Filesize: 3.5MB
  • memory/3560-54-0x0000000140000000-0x000000014037A000-memory.dmp
    Filesize: 3.5MB
  • memory/3560-56-0x0000000140000000-0x000000014037A000-memory.dmp
    Filesize: 3.5MB
  • memory/3560-57-0x0000000140000000-0x000000014037A000-memory.dmp
    Filesize: 3.5MB
  • memory/3560-59-0x0000000140000000-0x000000014037A000-memory.dmp
    Filesize: 3.5MB
  • memory/3560-60-0x0000000140000000-0x000000014037A000-memory.dmp
    Filesize: 3.5MB
  • memory/3560-62-0x0000000140000000-0x000000014037A000-memory.dmp
    Filesize: 3.5MB
  • memory/3560-61-0x0000000140000000-0x000000014037A000-memory.dmp
    Filesize: 3.5MB
  • memory/3560-58-0x0000000140000000-0x000000014037A000-memory.dmp
    Filesize: 3.5MB
  • memory/3560-63-0x0000000140000000-0x000000014037A000-memory.dmp
    Filesize: 3.5MB
  • memory/3560-65-0x0000000140000000-0x000000014037A000-memory.dmp
    Filesize: 3.5MB
  • memory/3560-66-0x0000000140000000-0x000000014037A000-memory.dmp
    Filesize: 3.5MB
  • memory/3560-64-0x0000000140000000-0x000000014037A000-memory.dmp
    Filesize: 3.5MB
  • memory/3560-70-0x0000000002270000-0x0000000002277000-memory.dmp
    Filesize: 28KB
  • memory/3560-55-0x0000000140000000-0x000000014037A000-memory.dmp
    Filesize: 3.5MB
  • memory/3560-51-0x0000000140000000-0x000000014037A000-memory.dmp
    Filesize: 3.5MB
  • memory/3560-26-0x0000000140000000-0x000000014037A000-memory.dmp
    Filesize: 3.5MB
  • memory/3560-48-0x0000000140000000-0x000000014037A000-memory.dmp
    Filesize: 3.5MB
  • memory/3560-47-0x0000000140000000-0x000000014037A000-memory.dmp
    Filesize: 3.5MB
  • memory/3560-78-0x00007FF9413E0000-0x00007FF9413F0000-memory.dmp
    Filesize: 64KB
  • memory/3560-46-0x0000000140000000-0x000000014037A000-memory.dmp
    Filesize: 3.5MB
  • memory/3560-45-0x0000000140000000-0x000000014037A000-memory.dmp
    Filesize: 3.5MB
  • memory/3560-43-0x0000000140000000-0x000000014037A000-memory.dmp
    Filesize: 3.5MB
  • memory/3560-41-0x0000000140000000-0x000000014037A000-memory.dmp
    Filesize: 3.5MB
  • memory/3560-29-0x0000000140000000-0x000000014037A000-memory.dmp
    Filesize: 3.5MB
  • memory/3560-6-0x00007FF93FD3A000-0x00007FF93FD3B000-memory.dmp
    Filesize: 4KB
  • memory/3560-24-0x0000000140000000-0x000000014037A000-memory.dmp
    Filesize: 3.5MB
  • memory/3560-23-0x0000000140000000-0x000000014037A000-memory.dmp
    Filesize: 3.5MB
  • memory/3560-22-0x0000000140000000-0x000000014037A000-memory.dmp
    Filesize: 3.5MB
  • memory/3560-17-0x0000000140000000-0x000000014037A000-memory.dmp
    Filesize: 3.5MB
  • memory/3560-21-0x0000000140000000-0x000000014037A000-memory.dmp
    Filesize: 3.5MB
  • memory/3560-5-0x00000000026E0000-0x00000000026E1000-memory.dmp
    Filesize: 4KB
  • memory/3560-9-0x0000000140000000-0x000000014037A000-memory.dmp
    Filesize: 3.5MB
  • memory/3560-20-0x0000000140000000-0x000000014037A000-memory.dmp
    Filesize: 3.5MB
  • memory/3560-19-0x0000000140000000-0x000000014037A000-memory.dmp
    Filesize: 3.5MB
  • memory/3560-18-0x0000000140000000-0x000000014037A000-memory.dmp
    Filesize: 3.5MB
  • memory/3560-16-0x0000000140000000-0x000000014037A000-memory.dmp
    Filesize: 3.5MB
  • memory/3560-15-0x0000000140000000-0x000000014037A000-memory.dmp
    Filesize: 3.5MB
  • memory/3560-14-0x0000000140000000-0x000000014037A000-memory.dmp
    Filesize: 3.5MB
  • memory/3560-13-0x0000000140000000-0x000000014037A000-memory.dmp
    Filesize: 3.5MB
  • memory/3560-12-0x0000000140000000-0x000000014037A000-memory.dmp
    Filesize: 3.5MB
  • memory/3560-10-0x0000000140000000-0x000000014037A000-memory.dmp
    Filesize: 3.5MB
  • memory/3560-11-0x0000000140000000-0x000000014037A000-memory.dmp
    Filesize: 3.5MB
  • memory/3820-119-0x0000000140000000-0x000000014037B000-memory.dmp
    Filesize: 3.5MB
  • memory/3820-125-0x0000000140000000-0x000000014037B000-memory.dmp
    Filesize: 3.5MB
  • memory/3820-121-0x000001A377FD0000-0x000001A377FD7000-memory.dmp
    Filesize: 28KB
  • memory/4752-8-0x0000000140000000-0x000000014037A000-memory.dmp
    Filesize: 3.5MB
  • memory/4752-1-0x0000000140000000-0x000000014037A000-memory.dmp
    Filesize: 3.5MB
  • memory/4752-2-0x0000022958F00000-0x0000022958F07000-memory.dmp
    Filesize: 28KB
  • memory/4752-0-0x0000000140000000-0x000000014037A000-memory.dmp
    Filesize: 3.5MB