Analysis

  • max time kernel
    149s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01-02-2024 04:04

General

  • Target

    85e07e2192815cfa564f16edf062c8af.dll

  • Size

    2.2MB

  • MD5

    85e07e2192815cfa564f16edf062c8af

  • SHA1

    843a10890c2c0c2df9d3bf43de2334cf020726d9

  • SHA256

    04952d47ce4e62e8f4c7917d557ae78e8d6944b20d050e33444f5dfae68e784c

  • SHA512

    45e193918f286b142000ca3a66afbc204262c0d03b88f5e54bf991aa8a5addb15e762a6dfaf9a1ace4ea0ede4a9afdb7297f894d9aa6e2d64f2ae106f21a5396

  • SSDEEP

    12288:iVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1oeGf:/fP7fWsK5z9A+WGAW+V5SB6Ct4bnbod

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex payload shellcode injected into the Explorer process.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\85e07e2192815cfa564f16edf062c8af.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2136
  • C:\Windows\system32\LicensingUI.exe
    C:\Windows\system32\LicensingUI.exe
    1⤵
    PID:536
    • C:\Users\Admin\AppData\Local\FKI5\LicensingUI.exe
      C:\Users\Admin\AppData\Local\FKI5\LicensingUI.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:660
    • C:\Windows\system32\DisplaySwitch.exe
      C:\Windows\system32\DisplaySwitch.exe
      1⤵
      PID:3552
      • C:\Users\Admin\AppData\Local\H0m8IOS\DisplaySwitch.exe
        C:\Users\Admin\AppData\Local\H0m8IOS\DisplaySwitch.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:1364
      • C:\Users\Admin\AppData\Local\JPial\RecoveryDrive.exe
        C:\Users\Admin\AppData\Local\JPial\RecoveryDrive.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:4564
      • C:\Windows\system32\RecoveryDrive.exe
        C:\Windows\system32\RecoveryDrive.exe
        1⤵
        PID:3176

Network

MITRE ATT&CK Enterprise v15

Downloads

        • C:\Users\Admin\AppData\Local\FKI5\DUI70.dll

          Filesize

          149KB

          MD5

          597ee22f75ea48c02b692a78086e743a

          SHA1

          7db50ce8413d59ded3cb48f7ddcfb815a228b552

          SHA256

          7f2d44beb3898fba16880656abcd4ef29dbee5a6c6e3117ec865ababebe5384c

          SHA512

          fb7114ad9016862fdfe12c9dbc1301abf5aa44544c9b86fd05892cc6fc151b8590d5ce180d19ac6c1c241d6f21d90e3ad8d46fa18f6ab102772d8de71c13713a

        • C:\Users\Admin\AppData\Local\FKI5\DUI70.dll

          Filesize

          144KB

          MD5

          bee73c7867ededd226f7e90a6e292a24

          SHA1

          fbad3701ec60d8c9a458b9002d96f3f61723563a

          SHA256

          eacd0357f677df1fc194aab5f12c3538336c75e6075fd2ef0a19b4d99b5238ec

          SHA512

          60e2333f2f157308d80abcee62ac65270f2a44d709a21d3047d3480ee0e3a9ca54eb69a99eee3a20d081ad0e951568754dd10441c2c7a7ebfce87637ab2d1c83

        • C:\Users\Admin\AppData\Local\FKI5\LicensingUI.exe

          Filesize

          142KB

          MD5

          8b4abc637473c79a003d30bb9c7a05e5

          SHA1

          d1cab953c16d4fdec2b53262f56ac14a914558ca

          SHA256

          0e9eb89aa0df9bb84a8f11b0bb3e9d89905355de34c91508968b4cb78bc3f6c5

          SHA512

          5a40c846c5b3a53ae09114709239d8238c322a7d3758b20ed3fc8e097fc1409f62b4990557c1192e894eabfa89741a9d88bd5175850d039b97dfdf380d1c6eeb

        • C:\Users\Admin\AppData\Local\FKI5\LicensingUI.exe

          Filesize

          98KB

          MD5

          45a74f29bfa4209e84f4a40c7f40973e

          SHA1

          12f6a209cfc2f05c7b9eb2f12044fc4bc88242d9

          SHA256

          75b298681ecfdc53f44d623e690aa2c85023f176cff9fec5676b6d309649f1db

          SHA512

          a96a644c5c5c3d349c905678374c234903c4b97b27c8334e224aedd8565bdfd7e87b6254d51e9d6e9b0f38b6e1e2ec8d56b879e45c208b58296a6454deded386

        • C:\Users\Admin\AppData\Local\H0m8IOS\DisplaySwitch.exe

          Filesize

          364KB

          MD5

          d5695cf2b78ca077756c00c84a451cae

          SHA1

          9abed1c9c64b9b75f046213dd5ed97ff2c8b1ab4

          SHA256

          822b70663928fc181a29d163386dda8f761278f0df7405c27aad6f38e75abd3b

          SHA512

          147787ee4a8143942367116dd428b21f5afe1ffb2ed5addbd9a9ea213541349500c3cda2e1cbdae1db0285c91fa10dc7b16c11bb803da110b8a9fad116c9f90b

        • C:\Users\Admin\AppData\Local\H0m8IOS\DisplaySwitch.exe

          Filesize

          353KB

          MD5

          862f8be58fa3c88a5ec9cc7d6d24f5fc

          SHA1

          83f60f2ab310a16e49beb3990ca0975bfac11f56

          SHA256

          f2132c13cdbd4bfc67fa6cb5a0bfa8635d58e0555ef73faab8b7e2749db4c651

          SHA512

          9004d816875d3b7978e5656faf9169f30a24048622b830c1bbd31e4a225514807524bb62af896fc06a938b7e96ad53f0cf35396f5b48a1844d1e384d072eae0e

        • C:\Users\Admin\AppData\Local\H0m8IOS\WINSTA.dll

          Filesize

          21KB

          MD5

          35661b80f377796daa6919bede0c76c7

          SHA1

          14beccc011dc71df877d48422f568d9510949d9e

          SHA256

          c5e541876a0ca81da859088183a7fcafd0338c08aa75d8047142949ba348ad2e

          SHA512

          90c195b4d695e0a55507998f13c16a538fcddcc7c7f47706b807fb0d2217419b64a52929fc1eb5254731e97eda845deb372514fd15c4484e2c9a3197ec4ef057

        • C:\Users\Admin\AppData\Local\H0m8IOS\WINSTA.dll

          Filesize

          41KB

          MD5

          92a7a431ff406430593d2bb5eea68b0a

          SHA1

          f85877ea075e73e8e97644fe43540d2a0d59959b

          SHA256

          e5bdcd1d4014f621969651d5fc402f767decacd88e8433cb40a96b9acf606b5e

          SHA512

          cabf6f0c1b8dbc23656e28f18a868b7deaa5e8c9916d42ecd00733fb0e01af98246d2ff092652697b9d8ea8820e6ee6bb39892c4abb5f17c35e9ac6a25d0bd36

        • C:\Users\Admin\AppData\Local\JPial\ReAgent.dll

          Filesize

          83KB

          MD5

          e83e1287997473f2118102dd5cf38fa4

          SHA1

          4e7bfde741cabea9abef528c7f586e6bf6ab8515

          SHA256

          109421e9389c179036b3d4de2b9020a6c4a15c211a6518e86d510732439e258d

          SHA512

          7bde864f64631a99b4bec2c85fa43fc61490c9a6698417a5f298dac7eb7043c4f9666e4bb60fe7f8fe113ad4b029f24677c18f3cf7b1855203193988777dba38

        • C:\Users\Admin\AppData\Local\JPial\ReAgent.dll

          Filesize

          41KB

          MD5

          9318de3fab9388da342b8349bde9fef0

          SHA1

          bff6ae6eba07ed136e34e9b6ecff86325b39ff64

          SHA256

          1ef967d341e69be196d5c4c2458df2cda364fb360b856946d7badc0c04ea86ab

          SHA512

          fa08683fcded3d42a21e7a844eae8cb8efe88a46aecda452fc303d6ad18234d2cbbce063d880654ba5f3ea8667e9a1927f620575b119b9421690074d1482555f

        • C:\Users\Admin\AppData\Local\JPial\RecoveryDrive.exe

          Filesize

          78KB

          MD5

          819f4f6a66b72a1b6d1179108e10862b

          SHA1

          ecf126a3d089063bae8e2e28efe357096e9947c4

          SHA256

          442a14a283172cba0ce8ca1db418ef78662178c6fdd02cd7d2a9cfd76a08cffd

          SHA512

          42df10cff5c028e93ae9f0e9fae97ff0c59b872bd64a2092b6b2058453a079bb4b40eee8039269ab1a9b5fb42ec1736151b72e2cb4fa951f44080309ed45eca1

        • C:\Users\Admin\AppData\Local\JPial\RecoveryDrive.exe

          Filesize

          62KB

          MD5

          39229701c166367982e04e7cf61dd619

          SHA1

          0a29e58fbd6612f94e4fb7bcc3d9c84bbfb9f829

          SHA256

          a8da48ba6cc0b5a2ff7d9474398f222e7ea9b3bbe9da1823914ec31e32701595

          SHA512

          e42a0ab3b6969c1ab6a7a5dbcdce544c29dad89e96a1bee1399e4b191354d41735d5053088240734034d42ff23661fad3351c056147f96711562f4ee194d579f

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Aqwbkkvq.lnk

          Filesize

          1KB

          MD5

          d1f591c64a16683d40dae45cc26805ac

          SHA1

          b1c932de6da31c7257fb0ea6aea80d6f68ea1228

          SHA256

          ee5d3d17630dee44212c92c15dbafdbca58e79c25ba382852504e319556455ca

          SHA512

          1b333b0de9d44f8a1c24aee0638f0795430329ffbb82d67e6d5a7b7edcba789804fdd0d83171e9364fc579fa2f8a6c8ddfb029fb4892f6e00c28ccc1d1e1ebfe

        • C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\RblThYkrfK\WINSTA.dll

          Filesize

          2.2MB

          MD5

          4bb5fbad8072db1e33204b6c0b97b57d

          SHA1

          76e54b3912192747f8a974fd453b95a685ae6618

          SHA256

          437bc590b06702f6ab6b1766db98f30e14bfb79a2ed9872d8a6d5292045a8410

          SHA512

          1c95ed01dac600ba983d807990410a179a88b3e9ea8fe6c520a0bb5d1096672508977799296a7d9f43e85549670c803c498f4017e8dd0602e83a1ec81269ed4d

        • C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\VfR\DUI70.dll

          Filesize

          2.5MB

          MD5

          4762200a5a80b1dd8e69bec7e6674e82

          SHA1

          cb6e3e0c77f70b7e6ed2d9dc26fb1d2af30929a2

          SHA256

          aec08acf04f25ec5260428fdb3a53f8b345572314c88ef34442ecc0310c53c64

          SHA512

          604d1eeaaaa339c4e8043c177f56172d7565881e36563233d6fd3f9175c7f04cf79a3c56624ffa73a4e19dc096aa6c2187bbeff45ad70c6fdc97d8cdb2465787

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dvy3\ReAgent.dll

          Filesize

          2.2MB

          MD5

          42abe37bb4f5cf2c2a5dbd4134b87614

          SHA1

          acfcbc1b06a65d0d3ccc85edfadf0f4c879b1305

          SHA256

          e447f93f1b43f42b7783add163653e6484864e94faca1489014de62befaf040d

          SHA512

          f334c4bc781240d12768741636b6b07cd9fbbc6fd221c501f3a32465115424dbb79c95c62a749f60806cee46b2a567d34bfbb70b83aed6ce50a7c3785d473553

        • memory/660-66-0x0000000140000000-0x0000000140279000-memory.dmp

          Filesize

          2.5MB

        • memory/660-60-0x0000000140000000-0x0000000140279000-memory.dmp

          Filesize

          2.5MB

        • memory/660-62-0x000001B768D30000-0x000001B768D37000-memory.dmp

          Filesize

          28KB

        • memory/1364-96-0x0000027D1B3E0000-0x0000027D1B3E7000-memory.dmp

          Filesize

          28KB

        • memory/1364-94-0x0000000140000000-0x0000000140235000-memory.dmp

          Filesize

          2.2MB

        • memory/1364-100-0x0000000140000000-0x0000000140235000-memory.dmp

          Filesize

          2.2MB

        • memory/2136-7-0x0000000140000000-0x0000000140233000-memory.dmp

          Filesize

          2.2MB

        • memory/2136-0-0x0000000140000000-0x0000000140233000-memory.dmp

          Filesize

          2.2MB

        • memory/2136-2-0x000002C2419A0000-0x000002C2419A7000-memory.dmp

          Filesize

          28KB

        • memory/3452-11-0x0000000140000000-0x0000000140233000-memory.dmp

          Filesize

          2.2MB

        • memory/3452-19-0x0000000140000000-0x0000000140233000-memory.dmp

          Filesize

          2.2MB

        • memory/3452-14-0x0000000140000000-0x0000000140233000-memory.dmp

          Filesize

          2.2MB

        • memory/3452-22-0x0000000140000000-0x0000000140233000-memory.dmp

          Filesize

          2.2MB

        • memory/3452-10-0x0000000140000000-0x0000000140233000-memory.dmp

          Filesize

          2.2MB

        • memory/3452-9-0x00007FF8E831A000-0x00007FF8E831B000-memory.dmp

          Filesize

          4KB

        • memory/3452-30-0x0000000140000000-0x0000000140233000-memory.dmp

          Filesize

          2.2MB

        • memory/3452-33-0x0000000002DC0000-0x0000000002DC7000-memory.dmp

          Filesize

          28KB

        • memory/3452-31-0x0000000140000000-0x0000000140233000-memory.dmp

          Filesize

          2.2MB

        • memory/3452-23-0x0000000140000000-0x0000000140233000-memory.dmp

          Filesize

          2.2MB

        • memory/3452-24-0x0000000140000000-0x0000000140233000-memory.dmp

          Filesize

          2.2MB

        • memory/3452-26-0x0000000140000000-0x0000000140233000-memory.dmp

          Filesize

          2.2MB

        • memory/3452-27-0x0000000140000000-0x0000000140233000-memory.dmp

          Filesize

          2.2MB

        • memory/3452-39-0x0000000140000000-0x0000000140233000-memory.dmp

          Filesize

          2.2MB

        • memory/3452-40-0x00007FF8E8920000-0x00007FF8E8930000-memory.dmp

          Filesize

          64KB

        • memory/3452-49-0x0000000140000000-0x0000000140233000-memory.dmp

          Filesize

          2.2MB

        • memory/3452-51-0x0000000140000000-0x0000000140233000-memory.dmp

          Filesize

          2.2MB

        • memory/3452-4-0x0000000004080000-0x0000000004081000-memory.dmp

          Filesize

          4KB

        • memory/3452-8-0x0000000140000000-0x0000000140233000-memory.dmp

          Filesize

          2.2MB

        • memory/3452-6-0x0000000140000000-0x0000000140233000-memory.dmp

          Filesize

          2.2MB

        • memory/3452-29-0x0000000140000000-0x0000000140233000-memory.dmp

          Filesize

          2.2MB

        • memory/3452-28-0x0000000140000000-0x0000000140233000-memory.dmp

          Filesize

          2.2MB

        • memory/3452-25-0x0000000140000000-0x0000000140233000-memory.dmp

          Filesize

          2.2MB

        • memory/3452-21-0x0000000140000000-0x0000000140233000-memory.dmp

          Filesize

          2.2MB

        • memory/3452-16-0x0000000140000000-0x0000000140233000-memory.dmp

          Filesize

          2.2MB

        • memory/3452-15-0x0000000140000000-0x0000000140233000-memory.dmp

          Filesize

          2.2MB

        • memory/3452-20-0x0000000140000000-0x0000000140233000-memory.dmp

          Filesize

          2.2MB

        • memory/3452-18-0x0000000140000000-0x0000000140233000-memory.dmp

          Filesize

          2.2MB

        • memory/3452-17-0x0000000140000000-0x0000000140233000-memory.dmp

          Filesize

          2.2MB

        • memory/3452-12-0x0000000140000000-0x0000000140233000-memory.dmp

          Filesize

          2.2MB

        • memory/3452-13-0x0000000140000000-0x0000000140233000-memory.dmp

          Filesize

          2.2MB

        • memory/4564-78-0x0000000140000000-0x0000000140234000-memory.dmp

          Filesize

          2.2MB

        • memory/4564-83-0x0000000140000000-0x0000000140234000-memory.dmp

          Filesize

          2.2MB

        • memory/4564-77-0x0000023811540000-0x0000023811547000-memory.dmp

          Filesize

          28KB