Analysis

  • max time kernel
    150s
  • max time network
    121s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30-01-2024 08:32

General

  • Target

    81f7894d5f57875aac520d9601f29693.dll

  • Size

    1.7MB

  • MD5

    81f7894d5f57875aac520d9601f29693

  • SHA1

    4d2eceac1f40f5fe233c6ba1a1653b058173afed

  • SHA256

    a6f1f005d6597eeaad112e697cdc23a870332a42fd7f897df28d80450d8f1801

  • SHA512

    529bdda31f96e411ef5666581d4fa91ec4e9a14eae64eb544fca05910a3eb52d53f2b3d91153489bfa19d1e87e44075a0a6c04607fd5acaf66e25fcdd861870f

  • SSDEEP

    12288:kVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:BfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Malware Config

Signatures

  • Dridex

    Dridex (known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex payload shellcode injected into the Explorer process.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\81f7894d5f57875aac520d9601f29693.dll,#1
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1136
  • C:\Windows\system32\SystemSettingsRemoveDevice.exe
    C:\Windows\system32\SystemSettingsRemoveDevice.exe
    PID:5016
  • C:\Users\Admin\AppData\Local\VdD28pZRG\unregmp2.exe
    C:\Users\Admin\AppData\Local\VdD28pZRG\unregmp2.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:5108
  • C:\Windows\system32\unregmp2.exe
    C:\Windows\system32\unregmp2.exe
    PID:1104
  • C:\Users\Admin\AppData\Local\WvpJnY8zA\SystemSettingsRemoveDevice.exe
    C:\Users\Admin\AppData\Local\WvpJnY8zA\SystemSettingsRemoveDevice.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:2608
  • C:\Users\Admin\AppData\Local\m4fl\omadmclient.exe
    C:\Users\Admin\AppData\Local\m4fl\omadmclient.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:3364
  • C:\Windows\system32\omadmclient.exe
    C:\Windows\system32\omadmclient.exe
    PID:4896

Network

MITRE ATT&CK Enterprise v15

Downloads

        • C:\Users\Admin\AppData\Local\VdD28pZRG\VERSION.dll

          Filesize

          27KB

          MD5

          08d08b3234f0495bcc9e0a437dcb570f

          SHA1

          c590778300e7212b4ffc50f15695129d5ef3fce8

          SHA256

          6332745a8bffe8defb44b9984a304ebc01759ed53de857fa00c31bd651e91c41

          SHA512

          989ea470fa75f0ba0d8478d66f2235a51d7c2a39d65a87acebd12485722ad16d7d95aede765d4d15fa5cda08e69160c3a03bbd934ec3753f9180f16d0121b52f

        • C:\Users\Admin\AppData\Local\VdD28pZRG\VERSION.dll

          Filesize

          126KB

          MD5

          797bef31f72031a86ab349a594b18098

          SHA1

          8858975c3d4e52b219fdedb46e53d440b0cecbcc

          SHA256

          efbeee090286a8f3ad7bc706078de7e096c59df5d19a95b6f25395dd3329c377

          SHA512

          5c26d10e8a4f45c60323ecb7f20c6f8d903e82bc6367de548967b5e3181f56541bc11a5fc3b0998d78364896dc6820ffee7b73b0650cc696530e114f41f357e4

        • C:\Users\Admin\AppData\Local\VdD28pZRG\unregmp2.exe

          Filesize

          185KB

          MD5

          d0a1b8450f44d0cb58d5bf46c7cc92ee

          SHA1

          3da138ca0431109eaade623728b4b9549124f11a

          SHA256

          cf6408b3cf8df4f85cc22d81cc479908f2836100155a52eb42b52eb5cc3ab731

          SHA512

          3f1321e711a87c0e97ea7855567312cd2c0f85696b7d8f4fd1e5d6417a43961f817f991026ff47e667dfee3888fb9f60f382a9e1968294251e38a17e96467160

        • C:\Users\Admin\AppData\Local\VdD28pZRG\unregmp2.exe

          Filesize

          137KB

          MD5

          d10c86d5ab418e44caf08959c5be8a65

          SHA1

          7465d53bcc1133ffc56863e328da4b6a0bf7af8f

          SHA256

          a3278c54361b3657a6f936cbd1a0f55380c8ac74a2965d1b742b89dcbd88a704

          SHA512

          9df5764f0b00f05c786c340cd060d899b2381ee0a67ff4185473ffad303b417d870c9fe405c343f85fed23a51846790436ff4242a434e6d80b9880d2b262ebc4

        • C:\Users\Admin\AppData\Local\WvpJnY8zA\DUI70.dll

          Filesize

          140KB

          MD5

          400a4ee39f99640d6d419ee4e59a98cd

          SHA1

          3d9f0d64a67e95b3edd3f650ab79188c068c1265

          SHA256

          57cc9b75c19dbb579ebffac6061020e55e50ca6a5042ab60dff144365aeea37a

          SHA512

          a457156b7e30d428cf7fe0110f5ffa9afa6302087ae7effe92bb72d08d0f5448c035eca68144f0954b20d68c6181744b899390e71d75378b7b0c038c3e5ead9b

        • C:\Users\Admin\AppData\Local\WvpJnY8zA\DUI70.dll

          Filesize

          76KB

          MD5

          f010b10b1bd8748909c7961f43389ca7

          SHA1

          8276ab24607f93368f014564894ae2a4bd70f22d

          SHA256

          776b92945b6b1c241dc8e397d7a88089aa8db6732c93f18433f7620831b3fcbc

          SHA512

          70f2e9101a48b6fc7d25d908dbff71cbee75dc65b3434bfe273deaafadc8c4256d41a64766b3ea15d75808c099017e4897a1352d1480aa78d89711b9b3062140

        • C:\Users\Admin\AppData\Local\WvpJnY8zA\SystemSettingsRemoveDevice.exe

          Filesize

          39KB

          MD5

          7853f1c933690bb7c53c67151cbddeb0

          SHA1

          d47a1ad0ccba4c988c8ffc5cbf9636fd4f4fa6e6

          SHA256

          9500731b2a3442f11dfd08a8adfe027e7f32ef5834c628eed4b78be74168470d

          SHA512

          831993d610539d44422d769de6561a4622e1b9cb3d73253774b6cecabf57654a74cd88b4ebe20921585ea96d977225b9501f02a0f6a1fc7d2cad6824fd539304

        • C:\Users\Admin\AppData\Local\m4fl\XmlLite.dll

          Filesize

          32KB

          MD5

          ba1cec90191f1a8b20da53334d5bfa20

          SHA1

          bfb1fb6c9d3b3641fcf5cb4c6961bbbc5f350aec

          SHA256

          a26eb2a5904e92846aa6d12e863ea5f1885e91d824ec83aeb30b77de38a25e94

          SHA512

          25e548f04f164a3237a62c02c9b6680282806a7372cca234fe8ed4a751cd0fc20ccea37b824ea87344c7e5f8ad28b22cf94ecf38ba9d6fd2bbf6b77b4c23ca89

        • C:\Users\Admin\AppData\Local\m4fl\XmlLite.dll

          Filesize

          52KB

          MD5

          fb7d33ee4a20af72ecc6ea965678535d

          SHA1

          36db5d468f20aac8d632a7fa9751b23a627423aa

          SHA256

          d5830d02ee4316c47d52bd1823ddebc2b7cfecb381777eebd738d9ccb8800490

          SHA512

          cea51d60109dee14d05cc258e7876c08caeb415939dcbbbc2930cf7979678f3d88bde8ce876ddf76c08a5c3f630bc8e60c000e7569189fa21632f78f311409db

        • C:\Users\Admin\AppData\Local\m4fl\XmlLite.dll

          Filesize

          95KB

          MD5

          ff3f8a929746a725cf85b1d510a1e1f4

          SHA1

          3eceab234664a92ae6e98cc5a706e39f1de40bb8

          SHA256

          6e6a004023f2f84d5def2aab053ae7f4566a01e2a5a7570c0d10d62c672e1f47

          SHA512

          488581ace358ad8bf428f4fe2dfecf0aa3542ba797a4a1f8b7f0c0b838e486c547c912474547a791c388292b9a9d892055b0b70dfbe9959fcbf59a0e9cfff56b

        • C:\Users\Admin\AppData\Local\m4fl\XmlLite.dll

          Filesize

          79KB

          MD5

          9cf34faa56f6605fe3767f11e10c1a06

          SHA1

          90a85049292d5700fdec001babc5afab6b2d8122

          SHA256

          2fd0053e925ca9ed1ebff358cb5fdec870fcb1f414578d538f198e7d0693f7e2

          SHA512

          a36545482bdc1383ed5e5d176cd1319a7eb333b12baadfe78a6687acfdc84c563fdae57b4f4fb981741df44bb3b55268137d003191ddba8784f8d8131dfa9f63

        • C:\Users\Admin\AppData\Local\m4fl\omadmclient.exe

          Filesize

          174KB

          MD5

          ddd43e4cd14f00464bcccac07377ef3d

          SHA1

          23fa6a289c4a0cf8bb86d80a99d86a3f19d4e83a

          SHA256

          f9d707e837f90b461347b1b47536c2cd9fff57df93857b40db6fafb4d9995d4a

          SHA512

          6b75f579e52488d4e4f5feb40c43bfab4b23bfdc004ee6cf22eb938519e4d29205ffe968698b0147368fb92855b6c7128dbb12063ec638c0b686e23fbcf069b1

        • C:\Users\Admin\AppData\Local\m4fl\omadmclient.exe

          Filesize

          59KB

          MD5

          1ef83946bcd8823a19ddf7b4cddcd7fc

          SHA1

          b57863d45d32d4cc7ba6d2dce4a78b48da202fd3

          SHA256

          a3110dc6b6cd638d0c3c0d3d224db085528118001a9a54f9e8d9698d2dd7fd83

          SHA512

          f19ac7071961bb940c74efb3641e463a8870ec07e09e110cdab2f7487718b2629d997e838a0b2214136e1a0695319ffc80baeb2346f6f8f2efd8115bcb569593

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Iydemppuyghrhln.lnk

          Filesize

          1KB

          MD5

          a7169a125d656f9894788e516f65b449

          SHA1

          5aeffdc0bf69cce74c6780d70c90fe30a026194c

          SHA256

          4d9e9ab009c8cd607ecdddbece2b262ac261d5a3f3680c05574440152ecb0611

          SHA512

          b74662d1b3dbb54520a775fb28aee9f235ffca65916614cd05c028afe59c92c21d931e1eb7457c053619af607a46e7071110bcd9f7e9bc537ff464ba6799a397

        • C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\G89CEFtxeqh\XmlLite.dll

          Filesize

          1.7MB

          MD5

          b03fe2b4fc5b44f3a712195fe25d01fa

          SHA1

          eebba9382e9acfd1aec05a75791d33c0249ee960

          SHA256

          2395e6cfba5ee8f2383907e8cc1a6db701e0005f11ae22029e24a77cd69b5c8c

          SHA512

          86129b92d8192646065ff95086adca22fc9d4772fb5982b2db0800f345dcf60f9868966ee8c9f449383e652d1af75aefe6528a9199f6275e725796a0e277a950

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\iDoJf\DUI70.dll

          Filesize

          151KB

          MD5

          6037a7e861928571deaac5a97714c20f

          SHA1

          80e54e1d63ee2386ccb09aa5d4e1ab6926c928ee

          SHA256

          60aec2c5caf467cff223fb899a84104ffd8fcf503e0aad95cf660db5f1148c07

          SHA512

          0b4701b9d14b4a0cd08f0436bfb6514dc8ad6c74b1d9eff0acc29d2c07beced4f524414ce775bc1c3ed3bb29f6cb26749aaf20bfdf24a6db496099a82b8ca0e4

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\9wDq\VERSION.dll

          MD5

          d41d8cd98f00b204e9800998ecf8427e

          SHA1

          da39a3ee5e6b4b0d3255bfef95601890afd80709

          SHA256

          e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

          SHA512

          cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

        • memory/1136-8-0x0000000140000000-0x00000001401B9000-memory.dmp

          Filesize

          1.7MB

        • memory/1136-0-0x0000021A9AB20000-0x0000021A9AB27000-memory.dmp

          Filesize

          28KB

        • memory/1136-1-0x0000000140000000-0x00000001401B9000-memory.dmp

          Filesize

          1.7MB

        • memory/2608-92-0x00000273F0D10000-0x00000273F0D17000-memory.dmp

          Filesize

          28KB

        • memory/2608-93-0x0000000140000000-0x00000001401FF000-memory.dmp

          Filesize

          2.0MB

        • memory/3328-23-0x0000000140000000-0x00000001401B9000-memory.dmp

          Filesize

          1.7MB

        • memory/3328-13-0x0000000140000000-0x00000001401B9000-memory.dmp

          Filesize

          1.7MB

        • memory/3328-30-0x0000000140000000-0x00000001401B9000-memory.dmp

          Filesize

          1.7MB

        • memory/3328-33-0x0000000140000000-0x00000001401B9000-memory.dmp

          Filesize

          1.7MB

        • memory/3328-34-0x0000000140000000-0x00000001401B9000-memory.dmp

          Filesize

          1.7MB

        • memory/3328-35-0x0000000140000000-0x00000001401B9000-memory.dmp

          Filesize

          1.7MB

        • memory/3328-36-0x0000000140000000-0x00000001401B9000-memory.dmp

          Filesize

          1.7MB

        • memory/3328-32-0x0000000140000000-0x00000001401B9000-memory.dmp

          Filesize

          1.7MB

        • memory/3328-31-0x0000000140000000-0x00000001401B9000-memory.dmp

          Filesize

          1.7MB

        • memory/3328-38-0x0000000140000000-0x00000001401B9000-memory.dmp

          Filesize

          1.7MB

        • memory/3328-37-0x0000000140000000-0x00000001401B9000-memory.dmp

          Filesize

          1.7MB

        • memory/3328-39-0x0000000140000000-0x00000001401B9000-memory.dmp

          Filesize

          1.7MB

        • memory/3328-41-0x0000000140000000-0x00000001401B9000-memory.dmp

          Filesize

          1.7MB

        • memory/3328-40-0x0000000140000000-0x00000001401B9000-memory.dmp

          Filesize

          1.7MB

        • memory/3328-28-0x0000000140000000-0x00000001401B9000-memory.dmp

          Filesize

          1.7MB

        • memory/3328-42-0x0000000140000000-0x00000001401B9000-memory.dmp

          Filesize

          1.7MB

        • memory/3328-22-0x0000000140000000-0x00000001401B9000-memory.dmp

          Filesize

          1.7MB

        • memory/3328-43-0x0000000140000000-0x00000001401B9000-memory.dmp

          Filesize

          1.7MB

        • memory/3328-19-0x0000000140000000-0x00000001401B9000-memory.dmp

          Filesize

          1.7MB

        • memory/3328-44-0x0000000140000000-0x00000001401B9000-memory.dmp

          Filesize

          1.7MB

        • memory/3328-46-0x0000000140000000-0x00000001401B9000-memory.dmp

          Filesize

          1.7MB

        • memory/3328-47-0x00000000012F0000-0x00000000012F7000-memory.dmp

          Filesize

          28KB

        • memory/3328-54-0x0000000140000000-0x00000001401B9000-memory.dmp

          Filesize

          1.7MB

        • memory/3328-45-0x0000000140000000-0x00000001401B9000-memory.dmp

          Filesize

          1.7MB

        • memory/3328-18-0x0000000140000000-0x00000001401B9000-memory.dmp

          Filesize

          1.7MB

        • memory/3328-29-0x0000000140000000-0x00000001401B9000-memory.dmp

          Filesize

          1.7MB

        • memory/3328-12-0x0000000140000000-0x00000001401B9000-memory.dmp

          Filesize

          1.7MB

        • memory/3328-9-0x0000000140000000-0x00000001401B9000-memory.dmp

          Filesize

          1.7MB

        • memory/3328-66-0x0000000140000000-0x00000001401B9000-memory.dmp

          Filesize

          1.7MB

        • memory/3328-64-0x0000000140000000-0x00000001401B9000-memory.dmp

          Filesize

          1.7MB

        • memory/3328-55-0x00007FFF78A80000-0x00007FFF78A90000-memory.dmp

          Filesize

          64KB

        • memory/3328-24-0x0000000140000000-0x00000001401B9000-memory.dmp

          Filesize

          1.7MB

        • memory/3328-26-0x0000000140000000-0x00000001401B9000-memory.dmp

          Filesize

          1.7MB

        • memory/3328-27-0x0000000140000000-0x00000001401B9000-memory.dmp

          Filesize

          1.7MB

        • memory/3328-25-0x0000000140000000-0x00000001401B9000-memory.dmp

          Filesize

          1.7MB

        • memory/3328-20-0x0000000140000000-0x00000001401B9000-memory.dmp

          Filesize

          1.7MB

        • memory/3328-21-0x0000000140000000-0x00000001401B9000-memory.dmp

          Filesize

          1.7MB

        • memory/3328-5-0x00007FFF7792A000-0x00007FFF7792B000-memory.dmp

          Filesize

          4KB

        • memory/3328-14-0x0000000140000000-0x00000001401B9000-memory.dmp

          Filesize

          1.7MB

        • memory/3328-17-0x0000000140000000-0x00000001401B9000-memory.dmp

          Filesize

          1.7MB

        • memory/3328-16-0x0000000140000000-0x00000001401B9000-memory.dmp

          Filesize

          1.7MB

        • memory/3328-15-0x0000000140000000-0x00000001401B9000-memory.dmp

          Filesize

          1.7MB

        • memory/3328-11-0x0000000140000000-0x00000001401B9000-memory.dmp

          Filesize

          1.7MB

        • memory/3328-10-0x0000000140000000-0x00000001401B9000-memory.dmp

          Filesize

          1.7MB

        • memory/3328-7-0x0000000140000000-0x00000001401B9000-memory.dmp

          Filesize

          1.7MB

        • memory/3328-4-0x00000000015B0000-0x00000000015B1000-memory.dmp

          Filesize

          4KB

        • memory/3364-114-0x0000014B242D0000-0x0000014B242D7000-memory.dmp

          Filesize

          28KB

        • memory/5108-76-0x0000015CA9890000-0x0000015CA9897000-memory.dmp

          Filesize

          28KB

        • memory/5108-81-0x0000000140000000-0x00000001401BA000-memory.dmp

          Filesize

          1.7MB

        • memory/5108-75-0x0000000140000000-0x00000001401BA000-memory.dmp

          Filesize

          1.7MB