Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25-01-2024 05:15

General

  • Target

    73d3e10fa82e2301bd8fb5cabf77c864.dll

  • Size

    1.8MB

  • MD5

    73d3e10fa82e2301bd8fb5cabf77c864

  • SHA1

    d2b3b357137270b8fd1a4d7e2cb60a8b6ff1dc05

  • SHA256

    bdec67160c740cc4f649a1688c8cdc2467729c086df711606600d9967c967641

  • SHA512

    8b3af541942e69cb96783ed8ea2ac18bda4e9e91d1ea57e1ab8d6b66ca07ec51c699bccf3b612e98b98ab37f929a30cb3547a7d97210289a8928e90b6fc46c81

  • SSDEEP

    12288:5VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:4fP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex payload shellcode injected into the Explorer process.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\73d3e10fa82e2301bd8fb5cabf77c864.dll,#1
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID: 4948
  • C:\Windows\system32\isoburn.exe
    C:\Windows\system32\isoburn.exe
    PID: 2164
    • C:\Users\Admin\AppData\Local\mslkdfAq\isoburn.exe
      C:\Users\Admin\AppData\Local\mslkdfAq\isoburn.exe
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID: 2284
    • C:\Windows\system32\isoburn.exe
      C:\Windows\system32\isoburn.exe
      PID: 2072
      • C:\Windows\system32\mfpmp.exe
        C:\Windows\system32\mfpmp.exe
        PID: 2472
        • C:\Users\Admin\AppData\Local\n3NOY\mfpmp.exe
          C:\Users\Admin\AppData\Local\n3NOY\mfpmp.exe
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID: 2404
        • C:\Users\Admin\AppData\Local\gvgm8wZiN\isoburn.exe
          C:\Users\Admin\AppData\Local\gvgm8wZiN\isoburn.exe
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID: 1412

Network

MITRE ATT&CK Enterprise v15


Downloads

        • C:\Users\Admin\AppData\Local\gvgm8wZiN\UxTheme.dll

          Filesize

          138KB

          MD5

          15e8d2e818b6ad64d7c36234aed2d7be

          SHA1

          15417d4070fce1aa88b9ccd971dcdce8eb3879b0

          SHA256

          50ab7c606f24d71081f45dd1b780c36d64c8ca7fdf4d6aaf0f9bae9613706eeb

          SHA512

          7442becfa2d3aeeec71e1bfe07e58b21ce585b9b4ee176da97b38ae6a62520b7985325aa23a62de306120a7587aaf0734370f7ef65adc29d2f693cd3b42e8a3f

        • C:\Users\Admin\AppData\Local\gvgm8wZiN\UxTheme.dll

          Filesize

          80KB

          MD5

          07628c7eea55e8ea1d92e6a5c800a179

          SHA1

          6a942af764efbdbc75aa119f93533cb19d99e180

          SHA256

          acb0332c9d8d0ce5035cdddce2e0ca4f4fde9bcb62d1dfacf991d26237cc51af

          SHA512

          94ed070a7cd339dc7bb2d51f84dfe39a8c50b1bf10acf74d2c37b695ad461df595fe0bfe592fb98e02688685d7d3a0dc96dab6670912f4a7ebb4ac7f3197701e

        • C:\Users\Admin\AppData\Local\gvgm8wZiN\isoburn.exe

          Filesize

          71KB

          MD5

          c6c36c4b03b120d1729a7c6d1d133f0e

          SHA1

          34a936148f7db694b30773ba5d05b8936a97f00b

          SHA256

          1593c2a41473e78d0132e9c392d0db03de540ecb23e28721680b9d2c23ae964c

          SHA512

          11921c3aa80a1219394e47291ea5439e34e95b75965574a60ae0920a87e22eba8257493664b5ecf4fdebad8eb4c711070edb77652e90f2cb8832f57f657603b2

        • C:\Users\Admin\AppData\Local\mslkdfAq\UxTheme.dll

          Filesize

          15KB

          MD5

          30f3913caebdcd0081d900c4b0192a4e

          SHA1

          54b29d951346f292ae0e43064c7a9c2eb0aaeb1f

          SHA256

          a7529b76c5043ac8967f5573a44891033ee711e9165ebacef636c174f06358c0

          SHA512

          484b2678c993d8cd5a51043f1cb5379c908b32f8df0297c585342a4ac64c9879b2046a64f769b7472bfb70e55481fb6ec5ef2d2715d854b5f77ced17bf9abd21

        • C:\Users\Admin\AppData\Local\mslkdfAq\UxTheme.dll

          MD5

          d41d8cd98f00b204e9800998ecf8427e

          SHA1

          da39a3ee5e6b4b0d3255bfef95601890afd80709

          SHA256

          e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

          SHA512

          cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

        • C:\Users\Admin\AppData\Local\mslkdfAq\isoburn.exe

          Filesize

          35KB

          MD5

          41bfad340d11aff8e50c88de84d28b4c

          SHA1

          8d5a76bda3a584755d19a4f4a9f8a249637b8d63

          SHA256

          05eff330eef9b282c3457a6923f76fc837c23fc12145c04e56bc4c768523e534

          SHA512

          ef095ac1809d219a34d7f3abf2753924edf5c0aa9638a4097a495be6c3341feffc0d09bdd4ef52f38414d18d9a1f95c7865d336074cfd55429adaf5b8fbb6e33

        • C:\Users\Admin\AppData\Local\mslkdfAq\isoburn.exe

          Filesize

          82KB

          MD5

          f3cc8445e6753cb30ec83e58ac59d25f

          SHA1

          3dd6f18971d944475a12fbbd85d4cd829fda3720

          SHA256

          152a8b970a9676dc3af349dfea66ba83cdef15f4c4931f7de84b8c6b7a948217

          SHA512

          209058d04a90c98bceb510cff9785c1ef36823d57b415bdefcd34b8278979b461c54f3c5ce56e5000b99b720e1113f479e5b81f7281a51369a39e4182e32a48f

        • C:\Users\Admin\AppData\Local\n3NOY\MFPlat.DLL

          Filesize

          100KB

          MD5

          ca94b6cb71349a463eac16b0a329bfc6

          SHA1

          ad56dea15c0a17753d3977ebfffc81b3139b70c3

          SHA256

          db01b8e242b4cd843c1947b123217bcb68c3d2039f0402868594bd924b45c883

          SHA512

          fc74dc23e944939b926b064962705462333d8920be833727e595c96afb0dbcb5d3bc1e4d28717f36756b4e5f73fc3f96fcad435cb10cf59c2c0ce07fb80dc9d2

        • C:\Users\Admin\AppData\Local\n3NOY\MFPlat.DLL

          Filesize

          28KB

          MD5

          3413984e77be21626bf83b7b85665cd6

          SHA1

          6eb4212ce0d8452cda09ebc42b58f1ab9877f3bf

          SHA256

          c66fc32105b47c46fa6dc5a59b2a00f1f67b049bd209b4b31b54a4bf8835ce89

          SHA512

          c22b353bd9ee4a8be03da624a4ec9bb7e88741732d6bd538fe3e4d4771ff6ea0b8996a820da5ce1305243d584bd05eb5534b1c48d990b7fac1735b41e6d04216

        • C:\Users\Admin\AppData\Local\n3NOY\mfpmp.exe

          Filesize

          39KB

          MD5

          2ff57e7d66bae3d21677592a3d1ddd2f

          SHA1

          969c1bf3c8808efa66a4ced4b6a136074fc1db56

          SHA256

          db390f6f4e344617b9bc3bef92d745cb8f9859bda4773bb07b345db63d0cbc79

          SHA512

          dd2d8113d6995d1de4c32acc72885833741e66f1af7ee17b4a717fcede141041370b05c329c984855336724c0d9b1522146f3442291c936b896b68ab77d7a2f4

        • C:\Users\Admin\AppData\Local\n3NOY\mfpmp.exe

          Filesize

          46KB

          MD5

          8f8fd1988973bac0c5244431473b96a5

          SHA1

          ce81ea37260d7cafe27612606cf044921ad1304c

          SHA256

          27287ac874cef86be03aee7b6d34fdc3bd208070ed20e44621a305865fb7579e

          SHA512

          a91179e1561168b3b58f5ca893bce425d35f4a02aec20ac3d6fb944f5eb3c06b0a1b9d9f3fb9ea87869d65671d2b89b4ae19acf794372bdbd27f5e9756c5a8ab

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Wdush.lnk

          Filesize

          1KB

          MD5

          404e6c92c428b627361da81ec542776c

          SHA1

          a5e33c72261afe54ea0b7912c2d1a65e8e2d3f27

          SHA256

          45ee3583d979ca2d5caa884ab1f7b458b2d2f4f3197d17860973ab8cde33c059

          SHA512

          ccc011a710310370ad7b0be723de27dab0a10aef98e3ec8fc6a4bbc8c5aa4ae731b9963c6a8aeb6863b0ea50b13bddeecbb483fcbee6f1ba799d160895f43ff7

        • C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low\JPChet5\MFPlat.DLL

          Filesize

          1.2MB

          MD5

          ca28274475764cd6d8075474c5574e3e

          SHA1

          a4c57beb819ab936fa1d765b0cd1194dcbcf5d1b

          SHA256

          21052531521f0f38b2482599c6f82decf2890df1341989ea24fb2f3b7374387f

          SHA512

          08e70731de840db82ab07da3bb2ca782ce267843673a4f3870a4209402f38c148838e20e28a3a7dd03fdb67de8a84495a5d45bbb04827fa0c1207f1a35cbc586

        • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\CWCyC\UxTheme.dll

          Filesize

          1.8MB

          MD5

          9ecf31d7088b51e001aa8cb02e373bf4

          SHA1

          081920d046bb2d3fe747d1a44328e303a50df101

          SHA256

          b849fcb1345d334e85c4db081d4e23b8757552456e7b139aefd0281548a17500

          SHA512

          117eadade9f63c4f2e52e8b82f319f7a4ae09c303ce6dfc915f5d71b231b41adb5b9972fbbc94c20f26d07b1ea8d60fe81eb041beb6d5024d581233e45133d7e

        • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\CWCyC\ouKP\UxTheme.dll

          Filesize

          1.8MB

          MD5

          2e1583a5837e56cdb9c33cf16afbfff6

          SHA1

          46b6c6de029c3ddd8cd3b5bf6eb1e4fbe66b1f01

          SHA256

          2abe0c8a5de2c562a9627e4e214317daf90c42aca9012f16968d0dc94cfe70fa

          SHA512

          6d4e7e353a0db64be250e01a69959c54ef43e1559dd3427c1930be5701cad0b966ea63e359744a5856198a3a0228aaa6a249745dd95f0fb2c3951c6b710cf3bf
