dridex | b1c932b82e70544a381a0a0ffe1116a71a0dbc1c2b3e5afd63d7ddd0507489ca

Analysis

max time kernel
122s
max time network
124s
platform
windows7_x64
resource
win7v20210410
submitted
05-05-2021 15:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

export of document 342612.xlsm
Size

83KB
MD5

bff1d0bc3ea7daf787e62e14d7a87f2f
SHA1

679615484ee10e8170ac96f1472e3a54ad2447f0
SHA256

b1c932b82e70544a381a0a0ffe1116a71a0dbc1c2b3e5afd63d7ddd0507489ca
SHA512

b09fc21d4cd1308967a8bb97a978af2e6ec3c75e21b2a5ba0ba3b5dbf557a2f1050c33c00fbb7b70cb56add7c5ef4a8a9553ecc32b20cfa7661718b6442d6b38

Score

10^/10

dridex 22201 botnet evasion loader trojan

Malware Config

Extracted

Family

dridex

Botnet

22201

45.55.134.126:443

67.207.83.96:8172

193.160.214.95:4125

rc4.plain

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exerundll32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	1652	1640	rundll32.exe	EXCEL.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	340	1640	rundll32.exe	EXCEL.EXE

Dridex Loader 1 IoCs

Detects Dridex both x86 and x64 loader in memory.

botnet loader

Processes:

resource	yara_rule
behavioral1/memory/1652-77-0x0000000010000000-0x000000001002E000-memory.dmp	dridex_ldr

Downloads MZ/PE file
Loads dropped DLL 8 IoCs

Processes:

rundll32.exerundll32.exe

pid process

1652 rundll32.exe
1652 rundll32.exe
1652 rundll32.exe
1652 rundll32.exe
340 rundll32.exe
340 rundll32.exe
340 rundll32.exe
340 rundll32.exe

pid	process
1652	rundll32.exe
1652	rundll32.exe
1652	rundll32.exe
1652	rundll32.exe
340	rundll32.exe
340	rundll32.exe
340	rundll32.exe
340	rundll32.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exerundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe

Office loads VBA resources, possible macro or embedded object present
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE

Modifies registry class 64 IoCs

Processes:

EXCEL.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\TypeLib\{4F70DE4A-FD65-4C23-9541-CE5194601F8B}\2.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBE\\MSForms.exd"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLOption"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Wow6432Node\Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLHidden"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Wow6432Node\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0}\ = "LabelControlEvents"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4F70DE4A-FD65-4C23-9541-CE5194601F8B}\2.0\HELPDIR	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Wow6432Node\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}\ = "Font"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF}\ = "ILabelControl"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents10"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Wow6432Node\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcList"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Wow6432Node\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Wow6432Node\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Wow6432Node\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents7"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Wow6432Node\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Wow6432Node\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}\ = "ScrollbarEvents"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents1"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents5"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B}\ = "FormEvents"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Wow6432Node\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLPassword"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9}\ = "ImageEvents"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\TypeLib\{4F70DE4A-FD65-4C23-9541-CE5194601F8B}\2.0\ = "Microsoft Forms 2.0 Object Library"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}\ = "Controls"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Wow6432Node\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Wow6432Node\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F}\ = "MultiPageEvents"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Wow6432Node\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Wow6432Node\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074}\ = "IReturnInteger"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}\ = "IOptionFrame"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Wow6432Node\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Wow6432Node\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF}\ = "_UserForm"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLReset"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Interface\{8BD21D22-EC42-11CE-9E0D-00AA006002F3}\ = "MdcListEvents"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Wow6432Node\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents7"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4F70DE4A-FD65-4C23-9541-CE5194601F8B}\2.0\0\win32	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Wow6432Node\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}\ = "IControl"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLHidden"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Wow6432Node\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\TypeLib\{4F70DE4A-FD65-4C23-9541-CE5194601F8B}\2.0\HELPDIR	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\TypeLib\{4F70DE4A-FD65-4C23-9541-CE5194601F8B}\2.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBE"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Wow6432Node\Interface\{8BD21D22-EC42-11CE-9E0D-00AA006002F3}\ = "MdcListEvents"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Wow6432Node\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Wow6432Node\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF}\ = "IScrollbar"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Wow6432Node\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F}\ = "CommandButtonEvents"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Interface	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}\ = "Tabs"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Wow6432Node\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLOption"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Wow6432Node\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcCheckBox"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Wow6432Node\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Wow6432Node\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Wow6432Node\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents1"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Wow6432Node\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Wow6432Node\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents9"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Wow6432Node\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Wow6432Node\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}\ = "IOptionFrame"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Wow6432Node\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcCombo"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Wow6432Node\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF}\ = "ILabelControl"	EXCEL.EXE

Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 5 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1640 EXCEL.EXE
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

EXCEL.EXE

pid process

1640 EXCEL.EXE
1640 EXCEL.EXE
1640 EXCEL.EXE

description	flow	ioc
HTTP User-Agent header	5	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

pid	process
1640	EXCEL.EXE

pid	process
1640	EXCEL.EXE
1640	EXCEL.EXE
1640	EXCEL.EXE

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

EXCEL.EXE

description	pid	process	target process
PID 1640 wrote to memory of 1652	1640	EXCEL.EXE	rundll32.exe
PID 1640 wrote to memory of 1652	1640	EXCEL.EXE	rundll32.exe
PID 1640 wrote to memory of 1652	1640	EXCEL.EXE	rundll32.exe
PID 1640 wrote to memory of 1652	1640	EXCEL.EXE	rundll32.exe
PID 1640 wrote to memory of 1652	1640	EXCEL.EXE	rundll32.exe
PID 1640 wrote to memory of 1652	1640	EXCEL.EXE	rundll32.exe
PID 1640 wrote to memory of 1652	1640	EXCEL.EXE	rundll32.exe
PID 1640 wrote to memory of 340	1640	EXCEL.EXE	rundll32.exe
PID 1640 wrote to memory of 340	1640	EXCEL.EXE	rundll32.exe
PID 1640 wrote to memory of 340	1640	EXCEL.EXE	rundll32.exe
PID 1640 wrote to memory of 340	1640	EXCEL.EXE	rundll32.exe
PID 1640 wrote to memory of 340	1640	EXCEL.EXE	rundll32.exe
PID 1640 wrote to memory of 340	1640	EXCEL.EXE	rundll32.exe
PID 1640 wrote to memory of 340	1640	EXCEL.EXE	rundll32.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\export of document 342612.xlsm"
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1640

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Roaming\35650.dll" CreateBitmap
2⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1652

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Roaming\35650.dll" CreateBitmap
2⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Checks whether UAC is enabled
PID:340

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\35650.dll
MD5
6c51689086e55b3b45883de804656313

SHA1
20faa552a4545ec245b2a2055f77da6e1651c6a8

SHA256
7e3e91adad89cc5cea636adb89dac4b3c865be5b303beecf0c5809ee616d82a3

SHA512
8c203e0c73342bed77fd2e11907f4c825107dc8c0ea70cfe955ddbf73fe7d09791771d9264c56355818d79410c22f6d5fd90fdc2fa113f08146da556a7d4cc15

Download Submit
\Users\Admin\AppData\Roaming\35650.dll
MD5
6c51689086e55b3b45883de804656313

SHA1
20faa552a4545ec245b2a2055f77da6e1651c6a8

SHA256
7e3e91adad89cc5cea636adb89dac4b3c865be5b303beecf0c5809ee616d82a3

SHA512
8c203e0c73342bed77fd2e11907f4c825107dc8c0ea70cfe955ddbf73fe7d09791771d9264c56355818d79410c22f6d5fd90fdc2fa113f08146da556a7d4cc15

Download Submit
\Users\Admin\AppData\Roaming\35650.dll
MD5
6c51689086e55b3b45883de804656313

SHA1
20faa552a4545ec245b2a2055f77da6e1651c6a8

SHA256
7e3e91adad89cc5cea636adb89dac4b3c865be5b303beecf0c5809ee616d82a3

SHA512
8c203e0c73342bed77fd2e11907f4c825107dc8c0ea70cfe955ddbf73fe7d09791771d9264c56355818d79410c22f6d5fd90fdc2fa113f08146da556a7d4cc15

Download Submit
\Users\Admin\AppData\Roaming\35650.dll
MD5
6c51689086e55b3b45883de804656313

SHA1
20faa552a4545ec245b2a2055f77da6e1651c6a8

SHA256
7e3e91adad89cc5cea636adb89dac4b3c865be5b303beecf0c5809ee616d82a3

SHA512
8c203e0c73342bed77fd2e11907f4c825107dc8c0ea70cfe955ddbf73fe7d09791771d9264c56355818d79410c22f6d5fd90fdc2fa113f08146da556a7d4cc15

Download Submit
\Users\Admin\AppData\Roaming\35650.dll
MD5
6c51689086e55b3b45883de804656313

SHA1
20faa552a4545ec245b2a2055f77da6e1651c6a8

SHA256
7e3e91adad89cc5cea636adb89dac4b3c865be5b303beecf0c5809ee616d82a3

SHA512
8c203e0c73342bed77fd2e11907f4c825107dc8c0ea70cfe955ddbf73fe7d09791771d9264c56355818d79410c22f6d5fd90fdc2fa113f08146da556a7d4cc15

Download Submit
\Users\Admin\AppData\Roaming\35650.dll
MD5
6c51689086e55b3b45883de804656313

SHA1
20faa552a4545ec245b2a2055f77da6e1651c6a8

SHA256
7e3e91adad89cc5cea636adb89dac4b3c865be5b303beecf0c5809ee616d82a3

SHA512
8c203e0c73342bed77fd2e11907f4c825107dc8c0ea70cfe955ddbf73fe7d09791771d9264c56355818d79410c22f6d5fd90fdc2fa113f08146da556a7d4cc15

Download Submit
\Users\Admin\AppData\Roaming\35650.dll
MD5
6c51689086e55b3b45883de804656313

SHA1
20faa552a4545ec245b2a2055f77da6e1651c6a8

SHA256
7e3e91adad89cc5cea636adb89dac4b3c865be5b303beecf0c5809ee616d82a3

SHA512
8c203e0c73342bed77fd2e11907f4c825107dc8c0ea70cfe955ddbf73fe7d09791771d9264c56355818d79410c22f6d5fd90fdc2fa113f08146da556a7d4cc15

Download Submit
\Users\Admin\AppData\Roaming\35650.dll
MD5
6c51689086e55b3b45883de804656313

SHA1
20faa552a4545ec245b2a2055f77da6e1651c6a8

SHA256
7e3e91adad89cc5cea636adb89dac4b3c865be5b303beecf0c5809ee616d82a3

SHA512
8c203e0c73342bed77fd2e11907f4c825107dc8c0ea70cfe955ddbf73fe7d09791771d9264c56355818d79410c22f6d5fd90fdc2fa113f08146da556a7d4cc15

Download Submit
\Users\Admin\AppData\Roaming\35650.dll
MD5
6c51689086e55b3b45883de804656313

SHA1
20faa552a4545ec245b2a2055f77da6e1651c6a8

SHA256
7e3e91adad89cc5cea636adb89dac4b3c865be5b303beecf0c5809ee616d82a3

SHA512
8c203e0c73342bed77fd2e11907f4c825107dc8c0ea70cfe955ddbf73fe7d09791771d9264c56355818d79410c22f6d5fd90fdc2fa113f08146da556a7d4cc15

Download Submit
memory/340-71-0x0000000000000000-mapping.dmp

Download
memory/1640-60-0x000000002FE41000-0x000000002FE44000-memory.dmp

Filesize
12KB

Download
memory/1640-63-0x0000000005AE0000-0x0000000005AE2000-memory.dmp

Filesize
8KB

Download
memory/1640-62-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1640-61-0x0000000071081000-0x0000000071083000-memory.dmp

Filesize
8KB

Download
memory/1652-65-0x0000000075631000-0x0000000075633000-memory.dmp

Filesize
8KB

Download
memory/1652-64-0x0000000000000000-mapping.dmp

Download
memory/1652-77-0x0000000010000000-0x000000001002E000-memory.dmp

Filesize
184KB

Download
memory/1652-79-0x0000000000190000-0x0000000000196000-memory.dmp

Filesize
24KB

Download