Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25-01-2024 05:49

General

  • Target

    73e4b574f7a058d63f9b35f74580a338.dll

  • Size

    2.0MB

  • MD5

    73e4b574f7a058d63f9b35f74580a338

  • SHA1

    4abd585b62be4d0a8efbd763891772521390c3f6

  • SHA256

    d8ae9023a64efcbaf60e37647a920cf6757fa96a6e1e7357d67a3ac970c86eca

  • SHA512

    4e9aa099ae2b51d59db1818768b34662b8b812fdd37a26aa72bb7994b3219b34d1f0e14902154ae5c51eade8bdcf5bb0da7aa48fe23f7ca6de3c36974b4f5d97

  • SSDEEP

    12288:lVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1L:8fP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\73e4b574f7a058d63f9b35f74580a338.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:4472
  • C:\Windows\system32\MusNotificationUx.exe
    C:\Windows\system32\MusNotificationUx.exe
    1⤵
    PID:2464
  • C:\Windows\system32\iexpress.exe
    C:\Windows\system32\iexpress.exe
    1⤵
    PID:2592
  • C:\Users\Admin\AppData\Local\TLOsXXq\iexpress.exe
    C:\Users\Admin\AppData\Local\TLOsXXq\iexpress.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:3160
  • C:\Users\Admin\AppData\Local\depNl9\mfpmp.exe
    C:\Users\Admin\AppData\Local\depNl9\mfpmp.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:4884
  • C:\Windows\system32\mfpmp.exe
    C:\Windows\system32\mfpmp.exe
    1⤵
    PID:3504
  • C:\Users\Admin\AppData\Local\eTSNNOaO4\MusNotificationUx.exe
    C:\Users\Admin\AppData\Local\eTSNNOaO4\MusNotificationUx.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:4616

Network

MITRE ATT&CK Enterprise v15


Downloads

        • C:\Users\Admin\AppData\Local\TLOsXXq\VERSION.dll

          Filesize

          218KB

          MD5

          d9952dc5d97cc9c3f0282b901116b146

          SHA1

          a844c858f296e7fcc33d8ee88a1fdf67644b7dca

          SHA256

          af3ca2cc9655f7ef5e8e1f61decdc4cf86dc436324e641f77286f11e6b8450ee

          SHA512

          5442786b95ae55b15ff3bdf57d402c200ca1d4464591b1bf791408a44612be9875e2583ff386f3b6964690c5ce59ffb2aaa010c27c05e27dba71c2565654325b

        • C:\Users\Admin\AppData\Local\TLOsXXq\VERSION.dll

          Filesize

          254KB

          MD5

          d9d52cd198acbf4737dd3f9384a7b736

          SHA1

          4f866b35338a0398f85e5acd507efa004c8c4eea

          SHA256

          319cb81937ca28d46f7f4c0d90589192907f3c9b3c6527001781d87a9ea78740

          SHA512

          e56913b2af5ff74716333c52686d27e0e4079a81529a6f03c4ece933286e27ee1ff4b6ff01b1193d96eb0353844394b62e002e7bce2ec9b2d13fd0e9410ef75e

        • C:\Users\Admin\AppData\Local\TLOsXXq\iexpress.exe

          Filesize

          99KB

          MD5

          227ab2fc33a1cc8fa4fb0237741fc617

          SHA1

          50690f645bf47779fa1d8e80578a797cfd87b6b6

          SHA256

          cfabe68c6aa58ace3da85eb09dc5fcf79d5155010edb71437a1e602a9240b878

          SHA512

          94db1c88f56705e992310a833c86e3dcc69d6c13249306fe7a3efd20c956cbd8a8ad6ce9c32ef384f986df3ea017cf4856aa3b2b38960ed5f1b775dc7c9b2c8c

        • C:\Users\Admin\AppData\Local\TLOsXXq\iexpress.exe

          Filesize

          166KB

          MD5

          17b93a43e25d821d01af40ba6babcc8c

          SHA1

          97c978d78056d995f751dfef1388d7cce4cc404a

          SHA256

          d070b79fa254c528babb73d607a7a8fd53db89795d751f42fc0a283b61a76fd3

          SHA512

          6b5743b37a3be8ae9ee2ab84e0749c32c60544298a7cce396470aa40bbd13f2e838d5d98159f21d500d20817c51ebce4b1d2f554e3e05f6c7fc97bc9d70ea391

        • C:\Users\Admin\AppData\Local\depNl9\MFPlat.DLL

          Filesize

          192KB

          MD5

          b28d560feee94aa29f2b811385d97bbe

          SHA1

          c44a548f7b403c6e664fcb4c94b1462a308e0142

          SHA256

          baff44255ff72d66715f8860a02e7714ca403d15d62baebb0c971fb93adfd004

          SHA512

          92d9bcc5c572faff1982bfab98d014c7984cb25cee32c6a25062af6a2946e96a12e66673d06ab3f45bf63de9b4b727c7d3ee20d58f304a595379447b8840141b

        • C:\Users\Admin\AppData\Local\depNl9\MFPlat.DLL

          Filesize

          270KB

          MD5

          c50d98c861256764d4fa7d47390bbbd8

          SHA1

          3ae9f1c353703c0d4e8eaf4c470089e4da18fa8d

          SHA256

          0fe9efcc0deb9cf66cc46008730ab68f187e93aad09597194a5073c38df3545f

          SHA512

          dda1b67cc1f0897bbb595527bf2f3867d66750957d25ff5ba2479c461f476315a652914ca3c943a68c4d87fff5891c43bcbc6602175d13694c56c174c5f66e3c

        • C:\Users\Admin\AppData\Local\depNl9\mfpmp.exe

          Filesize

          46KB

          MD5

          8f8fd1988973bac0c5244431473b96a5

          SHA1

          ce81ea37260d7cafe27612606cf044921ad1304c

          SHA256

          27287ac874cef86be03aee7b6d34fdc3bd208070ed20e44621a305865fb7579e

          SHA512

          a91179e1561168b3b58f5ca893bce425d35f4a02aec20ac3d6fb944f5eb3c06b0a1b9d9f3fb9ea87869d65671d2b89b4ae19acf794372bdbd27f5e9756c5a8ab

        • C:\Users\Admin\AppData\Local\eTSNNOaO4\MusNotificationUx.exe

          Filesize

          389KB

          MD5

          45dc6e99453e1cdf35359447794dd776

          SHA1

          aab3ac86ab0f4c80ba091899ea80b29bf3894880

          SHA256

          5aefeb3c2a946e5829e8eb478f0e2047a738619b8417343afe68fe448e203bb6

          SHA512

          8c374c3eadcdeb79f4d7a2fc24821e346c458f75767bbbd8c656eb38e757838b7cd84e479fba588e5a6a9496baa176827e4ce70d77d4578ea78eb2224e3df5af

        • C:\Users\Admin\AppData\Local\eTSNNOaO4\MusNotificationUx.exe

          Filesize

          233KB

          MD5

          606717695e29b8f039d948015e00003d

          SHA1

          690da4edffbe50ea1de3e6c482182a70c316a51f

          SHA256

          0f66ba44232658822e5bb5a7cdf8698850db92b0e916b7c908764ab67bec3e7b

          SHA512

          de76525bee845410e2658a3ac42fcb7a54d77a67c6dff4292dbea057377cdd78326364a5918290f1f45ea381b28dafccb6a94480a2d8181bc8c6e54e5e1c0cc0

        • C:\Users\Admin\AppData\Local\eTSNNOaO4\XmlLite.dll

          Filesize

          174KB

          MD5

          81cea3d511bdbe79b733d7ed35abea05

          SHA1

          d811ba18d3fc5ac2de26a0a9d0eadca3ea68408b

          SHA256

          d5a5d37c0354cf166298171b7579b4902b321eeafbf3c751ad6ee3ecac3063c0

          SHA512

          97e3fdd0135f015ac75bee40f7098f5d4ec01ff7d0d703b7e79d58da0519f868c76ba7e6487527802f4bf08fb0879a6c0a0283c485328e21196153e9fa3b54c3

        • C:\Users\Admin\AppData\Local\eTSNNOaO4\XmlLite.dll

          Filesize

          387KB

          MD5

          c7cabcfb1af104ac2fbb360b1221ea1b

          SHA1

          dfcdd8a5f08ad36e782970eba26451166ded50c1

          SHA256

          44e0087aacb083e1f9e0dcc285243c97d85fe72115530db02e86a27de39b7809

          SHA512

          ee524f087cd07c7a9d8bcbf256fd385aa58e420358adbeb0f1378b8466986a9ea4572da5c9d56be94e0f9f3c064dc703dd270185b95ff52acb983aec5f46c70a

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Wdush.lnk

          Filesize

          1KB

          MD5

          40046bbec3c19f403608a345603d1a10

          SHA1

          eb3b1db462107936baf9e24b8c842ebeaa782a1e

          SHA256

          ca030d8455840e50bce97872e5fbe8677b8f54876ee02a5fb3130d34fcf3d8d7

          SHA512

          5617bb88da6bd0d3e8b65bc435e9c06df4e09bfaa59293437b181c45c77d47f858db4183100a4c67676dd539f2be292bf92bf526c51be68e2db054d093a8ae55

        • C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\nlJWpe\XmlLite.dll

          Filesize

          2.0MB

          MD5

          04b4170dc230fded01356074d3802a0a

          SHA1

          c1259e7a90a7ded5ce2cf855c20b4830f5b55a3c

          SHA256

          f4f4483765dcd61b550d99a02ebfc33eecd3784dbf5fe504495039e4a7591190

          SHA512

          927e4a7dbb0a6b5e46e3d5cecfac13ce26f3a1948141a2e2a3625a98d0a5bb6577e45691314ad23f79824cf4ab1fd3a50bcddb14cabfc3560e745b17cabd7c3b

        • C:\Users\Admin\AppData\Roaming\Microsoft\Protect\91w\MFPlat.DLL

          Filesize

          2.0MB

          MD5

          76c5af9abee001e721c3b6c1eec89276

          SHA1

          a848688581557c61d7d67970aaf666d7cc86ebf2

          SHA256

          d0d9c8e7955ad3eefd4943b75f3fa0d95af81a00b519fa1ff2bba3dd42430e34

          SHA512

          f3b8da1f99e4d3c661f994a319bd7f57152813ad4bd1cca401529c6f9e65b7d9aec8908f3acb146fbad7cd7b8720350c2a85f375a28a8824a34bca5302190d13

        • C:\Users\Admin\AppData\Roaming\Microsoft\Vault\EkuQ\VERSION.dll

          Filesize

          2.0MB

          MD5

          1054dfd902ffa49ed554c6b8cc50da6a

          SHA1

          62a4ac626c025c553589375d5e50b696689b2faf

          SHA256

          cae591410d9deebbdacdcef826473def1d15f9bf36aaa13ddbd2900836bb2a24

          SHA512

          b8d7a7dae1893847f6fc739a8c7272644679a2a83792b7e6add50d6d4c9f94d3763a73c86e6b8a90f4a638b3e4b6fcd21122f2f9c050d556644a9655f40d557e

        • memory/3160-108-0x0000024946820000-0x0000024946827000-memory.dmp

          Filesize

          28KB

        • memory/3524-25-0x0000000140000000-0x0000000140203000-memory.dmp

          Filesize

          2.0MB

        • memory/3524-10-0x0000000140000000-0x0000000140203000-memory.dmp

          Filesize

          2.0MB

        • memory/3524-23-0x0000000140000000-0x0000000140203000-memory.dmp

          Filesize

          2.0MB

        • memory/3524-27-0x0000000140000000-0x0000000140203000-memory.dmp

          Filesize

          2.0MB

        • memory/3524-29-0x0000000140000000-0x0000000140203000-memory.dmp

          Filesize

          2.0MB

        • memory/3524-30-0x0000000140000000-0x0000000140203000-memory.dmp

          Filesize

          2.0MB

        • memory/3524-32-0x0000000140000000-0x0000000140203000-memory.dmp

          Filesize

          2.0MB

        • memory/3524-34-0x0000000140000000-0x0000000140203000-memory.dmp

          Filesize

          2.0MB

        • memory/3524-37-0x0000000140000000-0x0000000140203000-memory.dmp

          Filesize

          2.0MB

        • memory/3524-39-0x0000000140000000-0x0000000140203000-memory.dmp

          Filesize

          2.0MB

        • memory/3524-43-0x0000000140000000-0x0000000140203000-memory.dmp

          Filesize

          2.0MB

        • memory/3524-46-0x0000000000CC0000-0x0000000000CC7000-memory.dmp

          Filesize

          28KB

        • memory/3524-45-0x0000000140000000-0x0000000140203000-memory.dmp

          Filesize

          2.0MB

        • memory/3524-44-0x0000000140000000-0x0000000140203000-memory.dmp

          Filesize

          2.0MB

        • memory/3524-42-0x0000000140000000-0x0000000140203000-memory.dmp

          Filesize

          2.0MB

        • memory/3524-41-0x0000000140000000-0x0000000140203000-memory.dmp

          Filesize

          2.0MB

        • memory/3524-40-0x0000000140000000-0x0000000140203000-memory.dmp

          Filesize

          2.0MB

        • memory/3524-38-0x0000000140000000-0x0000000140203000-memory.dmp

          Filesize

          2.0MB

        • memory/3524-36-0x0000000140000000-0x0000000140203000-memory.dmp

          Filesize

          2.0MB

        • memory/3524-35-0x0000000140000000-0x0000000140203000-memory.dmp

          Filesize

          2.0MB

        • memory/3524-33-0x0000000140000000-0x0000000140203000-memory.dmp

          Filesize

          2.0MB

        • memory/3524-31-0x0000000140000000-0x0000000140203000-memory.dmp

          Filesize

          2.0MB

        • memory/3524-28-0x0000000140000000-0x0000000140203000-memory.dmp

          Filesize

          2.0MB

        • memory/3524-22-0x0000000140000000-0x0000000140203000-memory.dmp

          Filesize

          2.0MB

        • memory/3524-21-0x0000000140000000-0x0000000140203000-memory.dmp

          Filesize

          2.0MB

        • memory/3524-18-0x0000000140000000-0x0000000140203000-memory.dmp

          Filesize

          2.0MB

        • memory/3524-13-0x0000000140000000-0x0000000140203000-memory.dmp

          Filesize

          2.0MB

        • memory/3524-4-0x0000000002600000-0x0000000002601000-memory.dmp

          Filesize

          4KB

        • memory/3524-54-0x00007FFA76D00000-0x00007FFA76D10000-memory.dmp

          Filesize

          64KB

        • memory/3524-53-0x0000000140000000-0x0000000140203000-memory.dmp

          Filesize

          2.0MB

        • memory/3524-65-0x0000000140000000-0x0000000140203000-memory.dmp

          Filesize

          2.0MB

        • memory/3524-63-0x0000000140000000-0x0000000140203000-memory.dmp

          Filesize

          2.0MB

        • memory/3524-26-0x0000000140000000-0x0000000140203000-memory.dmp

          Filesize

          2.0MB

        • memory/3524-8-0x0000000140000000-0x0000000140203000-memory.dmp

          Filesize

          2.0MB

        • memory/3524-6-0x0000000140000000-0x0000000140203000-memory.dmp

          Filesize

          2.0MB

        • memory/3524-24-0x0000000140000000-0x0000000140203000-memory.dmp

          Filesize

          2.0MB

        • memory/3524-19-0x0000000140000000-0x0000000140203000-memory.dmp

          Filesize

          2.0MB

        • memory/3524-20-0x0000000140000000-0x0000000140203000-memory.dmp

          Filesize

          2.0MB

        • memory/3524-9-0x00007FFA7671A000-0x00007FFA7671B000-memory.dmp

          Filesize

          4KB

        • memory/3524-11-0x0000000140000000-0x0000000140203000-memory.dmp

          Filesize

          2.0MB

        • memory/3524-12-0x0000000140000000-0x0000000140203000-memory.dmp

          Filesize

          2.0MB

        • memory/3524-17-0x0000000140000000-0x0000000140203000-memory.dmp

          Filesize

          2.0MB

        • memory/3524-14-0x0000000140000000-0x0000000140203000-memory.dmp

          Filesize

          2.0MB

        • memory/3524-15-0x0000000140000000-0x0000000140203000-memory.dmp

          Filesize

          2.0MB

        • memory/3524-16-0x0000000140000000-0x0000000140203000-memory.dmp

          Filesize

          2.0MB

        • memory/4472-7-0x0000000140000000-0x0000000140203000-memory.dmp

          Filesize

          2.0MB

        • memory/4472-1-0x0000000140000000-0x0000000140203000-memory.dmp

          Filesize

          2.0MB

        • memory/4472-0-0x0000018CC4F50000-0x0000018CC4F57000-memory.dmp

          Filesize

          28KB

        • memory/4616-76-0x0000011A13EE0000-0x0000011A13EE7000-memory.dmp

          Filesize

          28KB

        • memory/4616-78-0x0000000140000000-0x0000000140204000-memory.dmp

          Filesize

          2.0MB

        • memory/4616-74-0x0000000140000000-0x0000000140204000-memory.dmp

          Filesize

          2.0MB

        • memory/4884-91-0x0000000140000000-0x0000000140205000-memory.dmp

          Filesize

          2.0MB

        • memory/4884-97-0x0000000140000000-0x0000000140205000-memory.dmp

          Filesize

          2.0MB

        • memory/4884-92-0x0000015C513B0000-0x0000015C513B7000-memory.dmp

          Filesize

          28KB
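Read together, the Processes and Downloads sections show the loader pattern behind this run: three Windows binaries that the tree also launches from System32 (iexpress.exe, mfpmp.exe, MusNotificationUx.exe) are re-created under random AppData\Local directories, each with a DLL beside it that carries a system DLL name (VERSION.dll, MFPlat.DLL, XmlLite.dll), while a Wdush.lnk lands in the Startup folder and three 2.0MB DLLs of the same names are staged under AppData\Roaming. The script below is an added example for this page, not Triage output or Dridex code. It walks the report's own file and process listings (copied inline; where the report lists a path twice, the second entry's size is used) and flags the side-loading pairs, the persistence artefacts and hunt patterns for other hosts. Treating EXE-plus-DLL co-location as side-loading is an analyst inference; the report's signatures do not state it.

```python
"""Triage of the dropped-file and process listings from a Dridex sandbox report.

Added example, not part of the sandbox output. Input data is copied from the
report's Downloads and Processes sections; the side-loading inference (a
Windows binary copied out of System32 into a user-writable directory, next to
a DLL named like one of its imports) is an analyst assumption.
"""
from pathlib import PureWindowsPath

SAMPLE_SIZE = "2.0MB"  # size of the submitted DLL, from the General section

# (path, size) pairs copied from the report's Downloads section.
DROPPED = [
    (r"C:\Users\Admin\AppData\Local\TLOsXXq\VERSION.dll", "254KB"),
    (r"C:\Users\Admin\AppData\Local\TLOsXXq\iexpress.exe", "166KB"),
    (r"C:\Users\Admin\AppData\Local\depNl9\MFPlat.DLL", "270KB"),
    (r"C:\Users\Admin\AppData\Local\depNl9\mfpmp.exe", "46KB"),
    (r"C:\Users\Admin\AppData\Local\eTSNNOaO4\MusNotificationUx.exe", "389KB"),
    (r"C:\Users\Admin\AppData\Local\eTSNNOaO4\XmlLite.dll", "387KB"),
    (r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Wdush.lnk", "1KB"),
    (r"C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\nlJWpe\XmlLite.dll", "2.0MB"),
    (r"C:\Users\Admin\AppData\Roaming\Microsoft\Protect\91w\MFPlat.DLL", "2.0MB"),
    (r"C:\Users\Admin\AppData\Roaming\Microsoft\Vault\EkuQ\VERSION.dll", "2.0MB"),
]

# Image paths copied from the report's Processes section.
PROCESSES = [
    r"C:\Windows\system32\rundll32.exe",
    r"C:\Windows\system32\MusNotificationUx.exe",
    r"C:\Windows\system32\iexpress.exe",
    r"C:\Users\Admin\AppData\Local\TLOsXXq\iexpress.exe",
    r"C:\Users\Admin\AppData\Local\depNl9\mfpmp.exe",
    r"C:\Windows\system32\mfpmp.exe",
    r"C:\Users\Admin\AppData\Local\eTSNNOaO4\MusNotificationUx.exe",
]


def _p(path):
    return PureWindowsPath(path)


def system32_binaries(processes):
    """Lower-cased basenames of every image launched from C:\\Windows\\system32."""
    names = set()
    for proc in processes:
        p = _p(proc)
        if str(p.parent).lower() == r"c:\windows\system32":
            names.add(p.name.lower())
    return names


def find_sideload_pairs(dropped, processes):
    """(exe, dll) pairs: a System32 binary name re-created outside C:\\Windows
    with at least one DLL dropped into the same directory."""
    legit = system32_binaries(processes)
    pairs = []
    for exe, _ in dropped:
        e = _p(exe)
        if e.suffix.lower() != ".exe" or e.name.lower() not in legit:
            continue
        if str(e).lower().startswith(r"c:\windows"):
            continue  # the genuine copy, not a relocated one
        for dll, _ in dropped:
            d = _p(dll)
            if d.suffix.lower() == ".dll" and d.parent == e.parent:
                pairs.append((exe, dll))
    return pairs


def find_persistence(dropped, sideload_pairs, sample_size=SAMPLE_SIZE):
    """Startup-folder shortcuts, plus copies of the side-loaded DLL names staged
    under Roaming at the same size as the submitted sample."""
    loader_names = {_p(dll).name.lower() for _, dll in sideload_pairs}
    startup, staged = [], []
    for path, size in dropped:
        p = _p(path)
        parts = [x.lower() for x in p.parts]
        if p.suffix.lower() == ".lnk" and "startup" in parts:
            startup.append(path)
        elif p.name.lower() in loader_names and size == sample_size and "roaming" in parts:
            staged.append(path)
    return {"startup_lnk": startup, "staged_payloads": staged}


def hunt_globs(sideload_pairs):
    """Endpoint hunt patterns: each relocated binary name under any user profile
    (the random directory names will differ per host, hence the wildcard)."""
    base = r"C:\Users\*\AppData\Local\*"
    return sorted({base + "\\" + _p(exe).name for exe, _ in sideload_pairs})


if __name__ == "__main__":
    pairs = find_sideload_pairs(DROPPED, PROCESSES)
    for exe, dll in pairs:
        print(f"side-load candidate: {exe}  <-  {dll}")
    for key, value in find_persistence(DROPPED, pairs).items():
        print(key, value)
    print("\n".join(hunt_globs(pairs)))
```

A live hunt would additionally hash each relocated EXE against its System32 original (a byte-identical copy is the expected case for side-loading) and treat a user-writable DLL whose name matches a System32 DLL as the loader to pull for analysis; the Startup shortcut and the Run key the report flags are the persistence entries to remove.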