Analysis
max time kernel: 150s
max time network: 112s
platform: windows10_x64
resource: win10v20201028
submitted: 24-11-2020 17:38
Static task: static1
Behavioral task: behavioral1
Sample: XmlLite.dll
Resource: win7v20201028
General
Target: XmlLite.dll
Size: 1.2MB
MD5: 1a72ddab7ae064892517b65c138b6078
SHA1: 428521bc64f6ca137f31cc382e97c7619b33169c
SHA256: d594d6c6cd43b07dd9a683a089d03db2c396e2c4472a16a9c89d12c0225d605b
SHA512: 39b12f7cc153a19f4f8084614f1ff3023276dc01b1cf88eb4a95eb2210e3e3a378a9aad3cbb7ddc911592e1e9513da954aa1ff9f88a160612b3d6d66012e68e0
Malware Config
Signatures
yara_rule matches
  resource                                                                     yara_rule
  behavioral2/memory/3988-0-0x0000000140000000-0x0000000140086000-memory.dmp  dridex_ldr
  behavioral2/memory/3036-3-0x0000000140000000-0x0000000140131000-memory.dmp  dridex_ldr
Executes dropped EXE (4 IoCs)
  pid   process
  4056  bdechangepin.exe
  2124  Dxpserver.exe
  2324  consent.exe
  3840  FXSCOVER.exe
Loads dropped DLL (3 IoCs)
  pid   process
  4056  bdechangepin.exe
  2124  Dxpserver.exe
  3840  FXSCOVER.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
  description      ioc
  Set value (str)  \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\Celpcunis = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\CuhHyJA\\Dxpserver.exe"
Checks whether UAC is enabled
  description        ioc                                                                                 process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  bdechangepin.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  Dxpserver.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  FXSCOVER.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe
Modifies registry class (2 IoCs)
  description  ioc
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance
  Key created  \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance
Suspicious behavior: EnumeratesProcesses (585 IoCs)
  pid   process
  3988  rundll32.exe
  3036  (process name not recorded)
Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description                       pid
  Token: SeShutdownPrivilege        3036
  Token: SeCreatePagefilePrivilege  3036
  Token: SeShutdownPrivilege        3036
  Token: SeCreatePagefilePrivilege  3036
Suspicious use of FindShellTrayWindow (8 IoCs)
  pid   process
  3036  (process name not recorded)
Suspicious use of UnmapMainImage (1 IoCs)
  pid   process
  3036  (process name not recorded)
Suspicious use of WriteProcessMemory (16 IoCs)
  description                       pid   target process
  PID 3036 wrote to memory of 996   3036  bdechangepin.exe
  PID 3036 wrote to memory of 996   3036  bdechangepin.exe
  PID 3036 wrote to memory of 4056  3036  bdechangepin.exe
  PID 3036 wrote to memory of 4056  3036  bdechangepin.exe
  PID 3036 wrote to memory of 3592  3036  Dxpserver.exe
  PID 3036 wrote to memory of 3592  3036  Dxpserver.exe
  PID 3036 wrote to memory of 2124  3036  Dxpserver.exe
  PID 3036 wrote to memory of 2124  3036  Dxpserver.exe
  PID 3036 wrote to memory of 1668  3036  consent.exe
  PID 3036 wrote to memory of 1668  3036  consent.exe
  PID 3036 wrote to memory of 2324  3036  consent.exe
  PID 3036 wrote to memory of 2324  3036  consent.exe
  PID 3036 wrote to memory of 3864  3036  FXSCOVER.exe
  PID 3036 wrote to memory of 3864  3036  FXSCOVER.exe
  PID 3036 wrote to memory of 3840  3036  FXSCOVER.exe
  PID 3036 wrote to memory of 3840  3036  FXSCOVER.exe
Processes
C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\XmlLite.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
C:\Windows\system32\bdechangepin.exe
  command line: C:\Windows\system32\bdechangepin.exe
C:\Users\Admin\AppData\Local\LhGGTd\bdechangepin.exe
  command line: C:\Users\Admin\AppData\Local\LhGGTd\bdechangepin.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
C:\Windows\system32\Dxpserver.exe
  command line: C:\Windows\system32\Dxpserver.exe
C:\Users\Admin\AppData\Local\l3P3iE69\Dxpserver.exe
  command line: C:\Users\Admin\AppData\Local\l3P3iE69\Dxpserver.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
C:\Windows\system32\consent.exe
  command line: C:\Windows\system32\consent.exe
C:\Users\Admin\AppData\Local\Ziz0WEDP\consent.exe
  command line: C:\Users\Admin\AppData\Local\Ziz0WEDP\consent.exe
  - Executes dropped EXE
C:\Windows\system32\FXSCOVER.exe
  command line: C:\Windows\system32\FXSCOVER.exe
C:\Users\Admin\AppData\Local\8Uu4TQC\FXSCOVER.exe
  command line: C:\Users\Admin\AppData\Local\8Uu4TQC\FXSCOVER.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled