Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30-01-2024 23:29

General

  • Target
    82db4107f6e131cd91a70e918dc4bfb2.dll
  • Size
    3.1MB
  • MD5
    82db4107f6e131cd91a70e918dc4bfb2
  • SHA1
    113d6fe86befdae836743292ba115bbfd63edbd7
  • SHA256
    297b30d04329d60ca335b82dd1d813b21d884fe642e602b61a9314501ad69782
  • SHA512
    92c92584210b0c0bf9b6d1798a0db0b21901763ef07f93bf176a607ae6448be6e2e82ecc909df5aa65f3a02899cf80c75357d08e544e85438e11a1430c14c6a7
  • SSDEEP
    12288:FVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1I1:cfP7fWsK5z9A+WGAW+V5SB6Ct4bnbI1

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex payload shellcode injected into the Explorer process.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\82db4107f6e131cd91a70e918dc4bfb2.dll,#1
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:636
  • C:\Windows\system32\msinfo32.exe
    C:\Windows\system32\msinfo32.exe
    PID:4312
  • C:\Users\Admin\AppData\Local\ETb9oF\msinfo32.exe
    C:\Users\Admin\AppData\Local\ETb9oF\msinfo32.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:1008
  • C:\Windows\system32\MusNotificationUx.exe
    C:\Windows\system32\MusNotificationUx.exe
    PID:4764
  • C:\Users\Admin\AppData\Local\LSxc\MusNotificationUx.exe
    C:\Users\Admin\AppData\Local\LSxc\MusNotificationUx.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:1484
  • C:\Windows\system32\slui.exe
    C:\Windows\system32\slui.exe
    PID:4376
  • C:\Users\Admin\AppData\Local\3n0LOro\slui.exe
    C:\Users\Admin\AppData\Local\3n0LOro\slui.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:3068

        Downloads
