Analysis

  • max time kernel
    150s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02-02-2024 03:10

General

  • Target

    88668b1d3f06f675f928f23dd79da143.dll

  • Size

    2.0MB

  • MD5

    88668b1d3f06f675f928f23dd79da143

  • SHA1

    c032664de6dc7c1c3380fba695c51cb453ade557

  • SHA256

    b211dfe06a94fe21d84592e03c8f26bc8529eccb6b4ee1bcc7784ffa27f1851a

  • SHA512

    e7a8d2f5d1ba3ffc35ae4da94c25b7b74b80bad5ade5a749b625e3740e246189f482504a04482cd7a35c7d1ca8f30d4f31b989a95a06562dccea6b38f7e018d6

  • SSDEEP

    24576:qfP7fWsK5z9A+WGAW+V5SB6Ct4bnb+sJS:+DW/e+WG0Vo6CtSn

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex payload shellcode injected into the Explorer process.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\88668b1d3f06f675f928f23dd79da143.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:4512
  • C:\Windows\system32\ie4uinit.exe
    C:\Windows\system32\ie4uinit.exe
    1⤵
    PID:3088
  • C:\Windows\system32\ddodiag.exe
    C:\Windows\system32\ddodiag.exe
    1⤵
    PID:552
  • C:\Users\Admin\AppData\Local\dq3B\SystemSettingsAdminFlows.exe
    C:\Users\Admin\AppData\Local\dq3B\SystemSettingsAdminFlows.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:1736
  • C:\Windows\system32\SystemSettingsAdminFlows.exe
    C:\Windows\system32\SystemSettingsAdminFlows.exe
    1⤵
    PID:1596
  • C:\Users\Admin\AppData\Local\P2kcu\ddodiag.exe
    C:\Users\Admin\AppData\Local\P2kcu\ddodiag.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:2504
  • C:\Users\Admin\AppData\Local\UJb\ie4uinit.exe
    C:\Users\Admin\AppData\Local\UJb\ie4uinit.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:1636

Network

MITRE ATT&CK Enterprise v15


Downloads

        • C:\Users\Admin\AppData\Local\P2kcu\XmlLite.dll

          Filesize

          186KB

          MD5

          045058ca2fcbd2ac5193fcc3f4cee300

          SHA1

          12e01d71004f56d9b69c2285df3a2d361ec5a742

          SHA256

          644260e4d16276eeecbec613b1aa99c2b2e1a36879d7434e4983cb5c4faa108f

          SHA512

          2e3ccdfab1ace3cbd3bfff165d30cfafde8803632c3a66681dcd8bc5775920e91d076f40e3a7f35f0aac19778d551c674c999a80bb53e4236ce97e4822abb64b

        • C:\Users\Admin\AppData\Local\P2kcu\XmlLite.dll

          Filesize

          54KB

          MD5

          c60180e84c90d320b92789cc7721ca6f

          SHA1

          8b48683d8f97945e8e4d8e632e4c1a5878237e72

          SHA256

          b2d296c382b2c21074a4fbac5933f8e938171dab95d9d6ea3cd3223468622938

          SHA512

          a8ff5a3f201bb36530c8db76f39c9712763c2dee82725b8c6c7f5d4a4ac7f8942cd4f0885c45817a1b689fe3405e026f9775f2acdb15ef1df7f1b9d830240911

        • C:\Users\Admin\AppData\Local\P2kcu\ddodiag.exe

          Filesize

          39KB

          MD5

          85feee634a6aee90f0108e26d3d9bc1f

          SHA1

          a7b1fa32fe7ed67bd51dea438f2f767e3fef0ca2

          SHA256

          99c63175504781e9278824d487da082da7c014e99f1024227af164986d3a27c6

          SHA512

          b81a3e1723a5180c5168cd7bb5181c631f4f57c59780bb82a502160b7874777f3eef1ebe1b14f66c97f9f1a4721af13b6fbcdff2045c8563c18b5d12540953ff

        • C:\Users\Admin\AppData\Local\UJb\VERSION.dll

          Filesize

          17KB

          MD5

          bced4e56dcdeb16d699342d05184950d

          SHA1

          8f072044e2d95e54ff1f3398134c2388225440c6

          SHA256

          3d95f8f4743ee80315b02b7e785e75c4845f7960c442ac0bfc8cad74a81c1c4a

          SHA512

          c1d19da2441c2c89e1da0aa5bb4134291a3f0951e3593eff8a49529fee49298debd4d365572a2c19e56ee5ea823d6b62bf7eaf0dde048631fb0f8e84f2fbb60e

        • C:\Users\Admin\AppData\Local\UJb\VERSION.dll

          Filesize

          57KB

          MD5

          4f340d6e45deac9509106cdb8648e08c

          SHA1

          06bbe24d8c009156649fd11edbbfdb29f06e5bb0

          SHA256

          e323f1d5f0226ce9546aba89a3314a1758d74bd8fec96a2135d52dde398293c7

          SHA512

          6ccf298c8d1114ab7b42efabb3cdfe2a72e9574039f69344410228db3f50a4e97fc33cd93a9512a6cb2a2a96fd284766db140688b4986d3bb2716c3c554ae59b

        • C:\Users\Admin\AppData\Local\UJb\VERSION.dll

          Filesize

          67KB

          MD5

          11948bce6f29d1733ac160ec536ba999

          SHA1

          5f42abf57433f346a0e6039c4fa501361217b610

          SHA256

          ba8e335dc3acbccdcaad14d6af52ea44eba89caeb156e4eb57279133c443661b

          SHA512

          7d74ebd3dfa432e7acb634a60882739ef79e6a35b497198fa71879907775a5a3af20b6741efc55f3996c9b0ca4b0d0380e267d09b84776b815a8211b0322ad84

        • C:\Users\Admin\AppData\Local\UJb\VERSION.dll

          Filesize

          57KB

          MD5

          3242e3b0dcf1406d23d0780569e8e194

          SHA1

          fd5e6d44651f3d8feb65dd5e040274a070964bae

          SHA256

          7690b1fc7cca46d615f62a8331f3bf87203de00ff28291e2f7ce1c93e12548e5

          SHA512

          ddd1a22775f76114d622ce4bd7c4dd5584ca9ea9f485454a3807866ed6591e2f905b5d686bcc21ba0cdede7fbf3744e8578d13eed099fd6a3337acadec1026bd

        • C:\Users\Admin\AppData\Local\UJb\ie4uinit.exe

          Filesize

          82KB

          MD5

          a18887f7fffd958457db13671f892dba

          SHA1

          8da180a05e793bf0e1ab4fad417ab21bc9d6ce80

          SHA256

          77d81be85d71452b076bc75cbe4e5534b40a6a907cf4e4a0a92d61370550507d

          SHA512

          03f20ab266226241c2c05da8ace6b6dbc7993596f1788f6418aa5bc6053962f9d2c381af932aaedcd075230eff60e03d6467420b680fef34337cdbf64818291d

        • C:\Users\Admin\AppData\Local\UJb\ie4uinit.exe

          Filesize

          43KB

          MD5

          0024d8ffe842ce2d48bee896e22bdafc

          SHA1

          a6fa90b20123663f936d11dc9cab61fb7c846d97

          SHA256

          8f8a03e2f3ded5cc631c777410fd4ed6f71eae0b8e8261d04a34eefa60d8dde0

          SHA512

          5f622181eaec84d8bf8c1dd580cc300625ea1395997a6a69a049f1aee4a49c17b5309cf539f01da4a9148e02daedecf10b068b987a2a7f1ed72c4427e70b37a0

        • C:\Users\Admin\AppData\Local\dq3B\SystemSettingsAdminFlows.exe

          Filesize

          190KB

          MD5

          6338d0099ba676651e567cbf4dcbe5b2

          SHA1

          eed8e56364dd48af2aaa98c4cf8509f82f138b30

          SHA256

          9acfd4acd9029d9cae80a3314663013f057d51d73c0dfff35efd2eab0708013a

          SHA512

          6866ea12aa4d7caff27fe5eac3a1c1ecde2fceff4d219224b3f75a4c193c90bfff7c9d2084ec9016d1633e766754910eccb9d810234cf460c803fd4ab43733b4

        • C:\Users\Admin\AppData\Local\dq3B\SystemSettingsAdminFlows.exe

          Filesize

          272KB

          MD5

          7051c9fa2bea81e0ac43994d89dd35f1

          SHA1

          e14bc7c3d1dd9b07b217ea4d373dceae9f10bd49

          SHA256

          372d1dd36ef41648d8bdaf4574903a486c619d6eb7fb88ae8b2a745514789966

          SHA512

          267015d8ac16bdd935c709d3decbb381a02269e5ebec90a42fe5cb090542cdb2e3b7373ea655a427e4e57f81f4050a6673170fcb1bc339356463529e7632fb3c

        • C:\Users\Admin\AppData\Local\dq3B\newdev.dll

          Filesize

          92KB

          MD5

          da030710143952160134051ebf21d030

          SHA1

          943832ee23482f380dbe756ab23bdbd56f0d4314

          SHA256

          587ea16b623d56eab9f4dd2d6791e328798dd785ba50b0cca46a3b2c3a5e084b

          SHA512

          5f8d9a1af92246fcb03bbfe7c1b3942092c87a47fe35a71eabd7dd1edbe251f393ab9ed32e08d302222bb3e0b4a60cc21a32c7aea3e2abaf31955fe73fdb9688

        • C:\Users\Admin\AppData\Local\dq3B\newdev.dll

          Filesize

          106KB

          MD5

          e1db49e30bac0e2a5cae3a5a75ea2b9e

          SHA1

          51f682afc712ff979a14b37435a9eee863ecd622

          SHA256

          fa00abdac70735ae7c561b6e82495623a742b459cc60550211deb54e8cc09db2

          SHA512

          2553d7e4a6b6119d944b92da0f0071bb8b62bb28859aa0992d5857a3d0c863e43f2189033fcb0dab877b06d09cd1d6bc074ac1bafda66d33bc26cc321c1300bf

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Psfjn.lnk

          Filesize

          1KB

          MD5

          1d3aea7b755de0a26b13c77da1c152ee

          SHA1

          549dd5c34b0bbe8c3b3771d7628eb7dc10d69b07

          SHA256

          401700369e6c497ead14f7494578d01797bbfaa192413cb79fca83aa90e80b06

          SHA512

          aead37aa352e6e5ea31d87e3bf1b1be2716a2dbe6c950e49f5ae6b899dd081e2d4b6266f833ef646134bf12dc915ee17127c738762ed357f1f626cbbb88a64f3

        • C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\Y7w9doSN6t\VERSION.dll

          Filesize

          32KB

          MD5

          1ed5b0e58fb35276efd2cb6bf1094b3a

          SHA1

          972665476a92ac4aefaf20d5e851a093bc29bb2d

          SHA256

          bbdfc4f7f9ba1572b3967ce3fec9a40e47c39b2a7a1d841c8c69ec0683638694

          SHA512

          c27f2836d6eff1d64319a3d4832418d4703ff62d85a7853eb244f3e21014279ade77a226701da2ff4e9d24bd9cfa110a1ff281fbb797c3f8c45f2573720b0bcf

        • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\FVo\XmlLite.dll

          Filesize

          92KB

          MD5

          26d66919f02dff6eecf798f2db57f169

          SHA1

          a6f0dab7b982c3b95477c18c684392db97bca05a

          SHA256

          124ee406256a87370035863f524aef29781e731cf031be05baf6218ae1dc249e

          SHA512

          53ac54107559ba19305d94488a21d04f368f75c22327d3062710b2777eb00b134073cfba89acc892d7a5fe2e0b0551057d37204aaeaebc7563f3eb8a5f88b553

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\2rgEfa\newdev.dll

          Filesize

          29KB

          MD5

          cac5da366ab74789d864bc72f8a7d72d

          SHA1

          d918041b4474af282d8ceceeb1c6b113fa6ba531

          SHA256

          ccf16b328fd8c2ce997200129fc7c24d4f5d479cab3bd7d3cf604dd534da7365

          SHA512

          73889ee172d28f2a1dd867af5efc00c31f5ca502da42b20ba5b4e8462cdb38c5530600bcebe52c21e07f4ad3758e1a14547a4221d4c50c99631fe1ab5dc0a884

        • memory/1636-71-0x0000017990F50000-0x000001799114F000-memory.dmp

          Filesize

          2.0MB

        • memory/1636-65-0x0000017990F50000-0x000001799114F000-memory.dmp

          Filesize

          2.0MB

        • memory/1636-67-0x0000017991200000-0x0000017991207000-memory.dmp

          Filesize

          28KB

        • memory/1736-105-0x0000000140000000-0x00000001401FF000-memory.dmp

          Filesize

          2.0MB

        • memory/1736-101-0x000001A83EAC0000-0x000001A83EAC7000-memory.dmp

          Filesize

          28KB

        • memory/2504-82-0x0000000140000000-0x00000001401FF000-memory.dmp

          Filesize

          2.0MB

        • memory/2504-84-0x00000203386A0000-0x00000203386A7000-memory.dmp

          Filesize

          28KB

        • memory/2504-88-0x0000000140000000-0x00000001401FF000-memory.dmp

          Filesize

          2.0MB

        • memory/3492-54-0x0000000140000000-0x00000001401FE000-memory.dmp

          Filesize

          2.0MB

        • memory/3492-9-0x00007FF9E8E0A000-0x00007FF9E8E0B000-memory.dmp

          Filesize

          4KB

        • memory/3492-18-0x0000000140000000-0x00000001401FE000-memory.dmp

          Filesize

          2.0MB

        • memory/3492-30-0x0000000140000000-0x00000001401FE000-memory.dmp

          Filesize

          2.0MB

        • memory/3492-31-0x0000000140000000-0x00000001401FE000-memory.dmp

          Filesize

          2.0MB

        • memory/3492-34-0x0000000140000000-0x00000001401FE000-memory.dmp

          Filesize

          2.0MB

        • memory/3492-35-0x0000000001250000-0x0000000001257000-memory.dmp

          Filesize

          28KB

        • memory/3492-32-0x0000000140000000-0x00000001401FE000-memory.dmp

          Filesize

          2.0MB

        • memory/3492-33-0x0000000140000000-0x00000001401FE000-memory.dmp

          Filesize

          2.0MB

        • memory/3492-29-0x0000000140000000-0x00000001401FE000-memory.dmp

          Filesize

          2.0MB

        • memory/3492-19-0x0000000140000000-0x00000001401FE000-memory.dmp

          Filesize

          2.0MB

        • memory/3492-20-0x0000000140000000-0x00000001401FE000-memory.dmp

          Filesize

          2.0MB

        • memory/3492-21-0x0000000140000000-0x00000001401FE000-memory.dmp

          Filesize

          2.0MB

        • memory/3492-22-0x0000000140000000-0x00000001401FE000-memory.dmp

          Filesize

          2.0MB

        • memory/3492-52-0x0000000140000000-0x00000001401FE000-memory.dmp

          Filesize

          2.0MB

        • memory/3492-23-0x0000000140000000-0x00000001401FE000-memory.dmp

          Filesize

          2.0MB

        • memory/3492-24-0x0000000140000000-0x00000001401FE000-memory.dmp

          Filesize

          2.0MB

        • memory/3492-25-0x0000000140000000-0x00000001401FE000-memory.dmp

          Filesize

          2.0MB

        • memory/3492-14-0x0000000140000000-0x00000001401FE000-memory.dmp

          Filesize

          2.0MB

        • memory/3492-43-0x00007FF9EA900000-0x00007FF9EA910000-memory.dmp

          Filesize

          64KB

        • memory/3492-28-0x0000000140000000-0x00000001401FE000-memory.dmp

          Filesize

          2.0MB

        • memory/3492-17-0x0000000140000000-0x00000001401FE000-memory.dmp

          Filesize

          2.0MB

        • memory/3492-16-0x0000000140000000-0x00000001401FE000-memory.dmp

          Filesize

          2.0MB

        • memory/3492-15-0x0000000140000000-0x00000001401FE000-memory.dmp

          Filesize

          2.0MB

        • memory/3492-13-0x0000000140000000-0x00000001401FE000-memory.dmp

          Filesize

          2.0MB

        • memory/3492-12-0x0000000140000000-0x00000001401FE000-memory.dmp

          Filesize

          2.0MB

        • memory/3492-11-0x0000000140000000-0x00000001401FE000-memory.dmp

          Filesize

          2.0MB

        • memory/3492-10-0x0000000140000000-0x00000001401FE000-memory.dmp

          Filesize

          2.0MB

        • memory/3492-42-0x0000000140000000-0x00000001401FE000-memory.dmp

          Filesize

          2.0MB

        • memory/3492-8-0x0000000140000000-0x00000001401FE000-memory.dmp

          Filesize

          2.0MB

        • memory/3492-27-0x0000000140000000-0x00000001401FE000-memory.dmp

          Filesize

          2.0MB

        • memory/3492-6-0x0000000140000000-0x00000001401FE000-memory.dmp

          Filesize

          2.0MB

        • memory/3492-4-0x00000000030F0000-0x00000000030F1000-memory.dmp

          Filesize

          4KB

        • memory/3492-26-0x0000000140000000-0x00000001401FE000-memory.dmp

          Filesize

          2.0MB

        • memory/4512-7-0x0000000140000000-0x00000001401FE000-memory.dmp

          Filesize

          2.0MB

        • memory/4512-2-0x000001E7B21B0000-0x000001E7B21B7000-memory.dmp

          Filesize

          28KB

        • memory/4512-0-0x0000000140000000-0x00000001401FE000-memory.dmp

          Filesize

          2.0MB