Analysis
max time kernel: 150s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-03-2023 11:30
Static task: static1
Behavioral task: behavioral1
Sample: 6712500bb0de148a99ec940160d3d61850e2ce3803adca8f39e9fa8621b8ea6f.dll
Resource: win7-20230220-en
General
Target: 6712500bb0de148a99ec940160d3d61850e2ce3803adca8f39e9fa8621b8ea6f.dll
Size: 1MB
MD5: 369638ac700f3c41ebaba447d4048ff8
SHA1: 6c50a1abf9dc992e74a73279d40fb1a09368cdfe
SHA256: 6712500bb0de148a99ec940160d3d61850e2ce3803adca8f39e9fa8621b8ea6f
SHA512: 5f7a1913e83cd443a3339af0a52c04a4de17c67be480646d9bb02c984196a0a1ec3d7419ee88ca12d219af927aad1859c47372e08ba6a7a35ad956d5dc4ce7f5
SSDEEP: 12288:ClORVEAueQmTmQKO2nMlqVaSEwzH7YxiCyJ86azEZy1f11pNxWOLPa:GORVEVNmaDznMlqVNE27dJ8J2inNxn
Malware Config
Signatures
Processes:
  resource:  behavioral2/memory/3160-137-0x0000000002CE0000-0x0000000002CE1000-memory.dmp
  yara_rule: dridex_stager_shellcode
Executes dropped EXE (3 IoCs)
Processes:
  pid   process
  5108  recdisc.exe
  2128  upfc.exe
  2320  quickassist.exe
Loads dropped DLL (3 IoCs)
Processes:
  pid   process
  5108  recdisc.exe
  2128  upfc.exe
  2320  quickassist.exe
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description      ioc
  Set value (str)  \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Eqetcw = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\z7zkjY\\upfc.exe"
  (writing process not captured in the report)
Checks whether UAC is enabled
Processes:
  description        ioc                                                                              process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  recdisc.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  upfc.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  quickassist.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
  pid   process                        entries
  996   rundll32.exe                   4
  3160  (process name not captured)    54
  5108  recdisc.exe                    2
  3160  (process name not captured)    4
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
  pid   process
  3160  (process name not captured)
Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
  description                        pid   process  target process
  PID 3160 wrote to memory of 428    3160           recdisc.exe
  PID 3160 wrote to memory of 428    3160           recdisc.exe
  PID 3160 wrote to memory of 5108   3160           recdisc.exe
  PID 3160 wrote to memory of 5108   3160           recdisc.exe
  PID 3160 wrote to memory of 3216   3160           upfc.exe
  PID 3160 wrote to memory of 3216   3160           upfc.exe
  PID 3160 wrote to memory of 2128   3160           upfc.exe
  PID 3160 wrote to memory of 2128   3160           upfc.exe
  PID 3160 wrote to memory of 4132   3160           quickassist.exe
  PID 3160 wrote to memory of 4132   3160           quickassist.exe
  PID 3160 wrote to memory of 2320   3160           quickassist.exe
  PID 3160 wrote to memory of 2320   3160           quickassist.exe
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\6712500bb0de148a99ec940160d3d61850e2ce3803adca8f39e9fa8621b8ea6f.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\recdisc.exe
  Command line: C:\Windows\system32\recdisc.exe
- C:\Users\Admin\AppData\Local\ic61lWtSQ\recdisc.exe
  Command line: C:\Users\Admin\AppData\Local\ic61lWtSQ\recdisc.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\upfc.exe
  Command line: C:\Windows\system32\upfc.exe
- C:\Users\Admin\AppData\Local\tkfmZ4\upfc.exe
  Command line: C:\Users\Admin\AppData\Local\tkfmZ4\upfc.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\quickassist.exe
  Command line: C:\Windows\system32\quickassist.exe
- C:\Users\Admin\AppData\Local\WXr8RV\quickassist.exe
  Command line: C:\Users\Admin\AppData\Local\WXr8RV\quickassist.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\WXr8RV\UxTheme.dll
  Filesize: 1MB
  MD5: 20ad2a3b33c042ab05c5628829a1eb7c
  SHA1: 2ca988fa28f82a6b44667086aa7b7570e6bec3bf
  SHA256: 613cf481532a7bb323423e6847e3a0f33d2066e132a79dfca86a6d46981741af
  SHA512: abd999e09d992a7c7903a6a797640d45001ffa763335537a95189fbcd191a70e1abed28c5478c14b83fe705079766d66e1f7bd91ca12520333269df5bd261e75
- C:\Users\Admin\AppData\Local\WXr8RV\quickassist.exe
  Filesize: 665KB
  MD5: d1216f9b9a64fd943539cc2b0ddfa439
  SHA1: 6fad9aeb7780bdfd88a9a5a73b35b3e843605e6c
  SHA256: c1e8fda00da574e8759ba262d76b6edc1d5f4a80620730ef0be7527e0d803db2
  SHA512: c5fd7d81d1d478056fcbed0ba887ce551832f0104e7c31753c3c8760b4d63f38324f74e996684042acc8f9682fce8a8c85172741a868257e87d5e0f988c4e567
- C:\Users\Admin\AppData\Local\ic61lWtSQ\ReAgent.dll
  Filesize: 1MB
  MD5: aff86f05df9044f5662622e01c508812
  SHA1: c4cc73090330f8772ff03f011492d81ef744476d
  SHA256: 74f9e567e0ec53499590f3526c853df60a806932cea29ec35ccc503b0b599b40
  SHA512: 8479a080bb675b3417ab9c3942b9fe67f52754efcab170015b111fd429360ee48feddd8eadc2507813fa9fb7dd622eb345b8cd169d7dd52a80bcf6da35bceffb
- C:\Users\Admin\AppData\Local\ic61lWtSQ\recdisc.exe
  Filesize: 193KB
  MD5: 18afee6824c84bf5115bada75ff0a3e7
  SHA1: d10f287a7176f57b3b2b315a5310d25b449795aa
  SHA256: 0787b37cf197595b8149ffe3784f9c59eacde3616011f185513ff5c075a5ac4e
  SHA512: 517356165b401dbebf15437d3b17746aef5a6a4cc62a0afe45966abc92b4cf377eee4514a36ee28b1e88e55a22a2f8a6c997df45971e7f354b66ac7d9e141845
- C:\Users\Admin\AppData\Local\tkfmZ4\XmlLite.dll
  Filesize: 1MB
  MD5: a59559fd185f1c4a73f1d773eafa6a72
  SHA1: 5528c1f0a44b0eaa98197daa3ef4b5dc295e50bf
  SHA256: 66c5d2ec2239ef6154c8e203a0acaa7fec054bdbfced1de67a92c95b6093fda6
  SHA512: 5e43176543a57b83e847418df645104a175851d38c7a34e828f42d85d99adb11322c9bd05fc6277fe71f59a42ea7ab05ca415dfeb0ef5855a80839db815265a0
- C:\Users\Admin\AppData\Local\tkfmZ4\upfc.exe
  Filesize: 118KB
  MD5: 299ea296575ccb9d2c1a779062535d5c
  SHA1: 2497169c13b0ba46a6be8a1fe493b250094079b7
  SHA256: ee44fe14df89c4e5eaf8398f8fb4823fd910c5a94d913653d6b9e831254f6cc2
  SHA512: 02fc2b25167ebd7dfcc7b8aa74613e7004fdf33dfccccba6c3427434cca981c2eb50f4a801969b3a40c495a9bb0eac8176f4f2ec9091916cf3509a7f909b30fa
- C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Auavgaspgujdal.lnk
  Filesize: 1KB
  MD5: 8806bab188b566ceaeb1cb1ae2b6666e
  SHA1: 3eb59e225659df594b77abbf6c37161fc6cead24
  SHA256: 03d0f71f1d20c6bb13fa3049d31f894d40b4f2b6c03aaa30f43eb4dddaf76de6
  SHA512: f10af368ef24bde1c5d744c07732f2094db3ddb8e169a59f93d7fdc88b406b138638fb972c89e4abb4e77437c5f0da4bd492114c88470ccdbe7aef4966fc3610
- C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\Keys\R1\ReAgent.dll
  Filesize: 1MB
  MD5: aff86f05df9044f5662622e01c508812
  SHA1: c4cc73090330f8772ff03f011492d81ef744476d
  SHA256: 74f9e567e0ec53499590f3526c853df60a806932cea29ec35ccc503b0b599b40
  SHA512: 8479a080bb675b3417ab9c3942b9fe67f52754efcab170015b111fd429360ee48feddd8eadc2507813fa9fb7dd622eb345b8cd169d7dd52a80bcf6da35bceffb
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\z7zkjY\XmlLite.dll
  Filesize: 1MB
  MD5: a59559fd185f1c4a73f1d773eafa6a72
  SHA1: 5528c1f0a44b0eaa98197daa3ef4b5dc295e50bf
  SHA256: 66c5d2ec2239ef6154c8e203a0acaa7fec054bdbfced1de67a92c95b6093fda6
  SHA512: 5e43176543a57b83e847418df645104a175851d38c7a34e828f42d85d99adb11322c9bd05fc6277fe71f59a42ea7ab05ca415dfeb0ef5855a80839db815265a0
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\eagKrnB0\UxTheme.dll
  Filesize: 1MB
  MD5: 20ad2a3b33c042ab05c5628829a1eb7c
  SHA1: 2ca988fa28f82a6b44667086aa7b7570e6bec3bf
  SHA256: 613cf481532a7bb323423e6847e3a0f33d2066e132a79dfca86a6d46981741af
  SHA512: abd999e09d992a7c7903a6a797640d45001ffa763335537a95189fbcd191a70e1abed28c5478c14b83fe705079766d66e1f7bd91ca12520333269df5bd261e75
- memory/996-133-0x00007FF987380000-0x00007FF987485000-memory.dmp (Filesize: 1MB)
- memory/996-140-0x00007FF987380000-0x00007FF987485000-memory.dmp (Filesize: 1MB)
- memory/996-136-0x000001F8ACD90000-0x000001F8ACD97000-memory.dmp (Filesize: 28KB)
- memory/2128-198-0x00007FF987440000-0x00007FF987545000-memory.dmp (Filesize: 1MB)
- memory/2128-194-0x000001D832730000-0x000001D832737000-memory.dmp (Filesize: 28KB)
- memory/2128-192-0x00007FF987440000-0x00007FF987545000-memory.dmp (Filesize: 1MB)
- memory/2320-209-0x00007FF985D20000-0x00007FF985E26000-memory.dmp (Filesize: 1MB)
- memory/2320-212-0x000001F394B80000-0x000001F394B87000-memory.dmp (Filesize: 28KB)
- memory/2320-215-0x00007FF985D20000-0x00007FF985E26000-memory.dmp (Filesize: 1MB)
- memory/3160-146-0x0000000140000000-0x0000000140105000-memory.dmp (Filesize: 1MB)
- memory/3160-147-0x0000000140000000-0x0000000140105000-memory.dmp (Filesize: 1MB)
- memory/3160-137-0x0000000002CE0000-0x0000000002CE1000-memory.dmp (Filesize: 4KB)
- memory/3160-139-0x0000000140000000-0x0000000140105000-memory.dmp (Filesize: 1MB)
- memory/3160-168-0x00007FF9A4420000-0x00007FF9A4430000-memory.dmp (Filesize: 64KB)
- memory/3160-165-0x0000000140000000-0x0000000140105000-memory.dmp (Filesize: 1MB)
- memory/3160-163-0x0000000140000000-0x0000000140105000-memory.dmp (Filesize: 1MB)
- memory/3160-154-0x0000000140000000-0x0000000140105000-memory.dmp (Filesize: 1MB)
- memory/3160-151-0x0000000000AE0000-0x0000000000AE7000-memory.dmp (Filesize: 28KB)
- memory/3160-141-0x0000000140000000-0x0000000140105000-memory.dmp (Filesize: 1MB)
- memory/3160-145-0x0000000140000000-0x0000000140105000-memory.dmp (Filesize: 1MB)
- memory/3160-142-0x0000000140000000-0x0000000140105000-memory.dmp (Filesize: 1MB)
- memory/3160-144-0x0000000140000000-0x0000000140105000-memory.dmp (Filesize: 1MB)
- memory/3160-143-0x0000000140000000-0x0000000140105000-memory.dmp (Filesize: 1MB)
- memory/5108-181-0x00007FF987440000-0x00007FF987546000-memory.dmp (Filesize: 1MB)
- memory/5108-175-0x00007FF987440000-0x00007FF987546000-memory.dmp (Filesize: 1MB)
- memory/5108-178-0x0000019466830000-0x0000019466837000-memory.dmp (Filesize: 28KB)