Analysis

  • max time kernel
    150s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26-01-2024 05:13

General

  • Target

    76793acc5d4fbc8010e234153b47c147.dll

  • Size

    2.9MB

  • MD5

    76793acc5d4fbc8010e234153b47c147

  • SHA1

    4b78ec6bf864956998aba727320eb629d82e15d9

  • SHA256

    51148fdd8214cd04462c3c1e06dea7736dcbc85cacf0e7ed50a028df5812136c

  • SHA512

    b7e5911d471a4f1a8cb882c0d1fbd07c1cfdc0368716d0ddc25872012018bed4fe574bf65543ea4196fd68c4c205b896a11375c1a38cef784fd792541579d885

  • SSDEEP

    12288:SVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:PfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\76793acc5d4fbc8010e234153b47c147.dll,#1
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID: 5088
  • C:\Windows\system32\SystemPropertiesAdvanced.exe
    C:\Windows\system32\SystemPropertiesAdvanced.exe
    PID: 1004
    • C:\Users\Admin\AppData\Local\tlgeDC63\SystemPropertiesAdvanced.exe
      C:\Users\Admin\AppData\Local\tlgeDC63\SystemPropertiesAdvanced.exe
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID: 2052
    • C:\Windows\system32\printfilterpipelinesvc.exe
      C:\Windows\system32\printfilterpipelinesvc.exe
      PID: 224
      • C:\Users\Admin\AppData\Local\nNMrQGskp\printfilterpipelinesvc.exe
        C:\Users\Admin\AppData\Local\nNMrQGskp\printfilterpipelinesvc.exe
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID: 2348
      • C:\Windows\system32\bdeunlock.exe
        C:\Windows\system32\bdeunlock.exe
        PID: 1628
        • C:\Users\Admin\AppData\Local\uLG\bdeunlock.exe
          C:\Users\Admin\AppData\Local\uLG\bdeunlock.exe
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID: 1728

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\nNMrQGskp\XmlLite.dll (93KB)
  • C:\Users\Admin\AppData\Local\nNMrQGskp\XmlLite.dll (57KB)
  • C:\Users\Admin\AppData\Local\nNMrQGskp\XmlLite.dll (24KB)
  • C:\Users\Admin\AppData\Local\nNMrQGskp\XmlLite.dll (17KB)
  • C:\Users\Admin\AppData\Local\nNMrQGskp\printfilterpipelinesvc.exe (5KB)
  • C:\Users\Admin\AppData\Local\nNMrQGskp\printfilterpipelinesvc.exe (49KB)
  • C:\Users\Admin\AppData\Local\tlgeDC63\SYSDM.CPL (47KB)
  • C:\Users\Admin\AppData\Local\tlgeDC63\SYSDM.CPL (44KB)
  • C:\Users\Admin\AppData\Local\tlgeDC63\SystemPropertiesAdvanced.exe (49KB)
  • C:\Users\Admin\AppData\Local\tlgeDC63\SystemPropertiesAdvanced.exe (58KB)
  • C:\Users\Admin\AppData\Local\uLG\DUI70.dll (158KB)
  • C:\Users\Admin\AppData\Local\uLG\DUI70.dll (66KB)
  • C:\Users\Admin\AppData\Local\uLG\bdeunlock.exe (72KB)
  • C:\Users\Admin\AppData\Local\uLG\bdeunlock.exe (46KB)
  • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Psfjn.lnk (1KB)
  • C:\Users\Admin\AppData\Roaming\Microsoft\Vault\vs\SYSDM.CPL (77KB)
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\lzXIzLxPEi\XmlLite.dll (92KB)
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\YjLvN\DUI70.dll (86KB)