Analysis

  • max time kernel
    150s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10-03-2023 11:30

General

  • Target

    6712500bb0de148a99ec940160d3d61850e2ce3803adca8f39e9fa8621b8ea6f.dll

  • Size

    1MB

  • MD5

    369638ac700f3c41ebaba447d4048ff8

  • SHA1

    6c50a1abf9dc992e74a73279d40fb1a09368cdfe

  • SHA256

    6712500bb0de148a99ec940160d3d61850e2ce3803adca8f39e9fa8621b8ea6f

  • SHA512

    5f7a1913e83cd443a3339af0a52c04a4de17c67be480646d9bb02c984196a0a1ec3d7419ee88ca12d219af927aad1859c47372e08ba6a7a35ad956d5dc4ce7f5

  • SSDEEP

    12288:ClORVEAueQmTmQKO2nMlqVaSEwzH7YxiCyJ86azEZy1f11pNxWOLPa:GORVEVNmaDznMlqVNE27dJ8J2inNxn

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex payload shellcode injected into the Explorer process.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\6712500bb0de148a99ec940160d3d61850e2ce3803adca8f39e9fa8621b8ea6f.dll,#1
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:996
  • C:\Windows\system32\recdisc.exe
    C:\Windows\system32\recdisc.exe
    PID:428
    • C:\Users\Admin\AppData\Local\ic61lWtSQ\recdisc.exe
      C:\Users\Admin\AppData\Local\ic61lWtSQ\recdisc.exe
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      • Suspicious behavior: EnumeratesProcesses
      PID:5108
    • C:\Windows\system32\upfc.exe
      C:\Windows\system32\upfc.exe
      PID:3216
      • C:\Users\Admin\AppData\Local\tkfmZ4\upfc.exe
        C:\Users\Admin\AppData\Local\tkfmZ4\upfc.exe
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2128
      • C:\Windows\system32\quickassist.exe
        C:\Windows\system32\quickassist.exe
        PID:4132
        • C:\Users\Admin\AppData\Local\WXr8RV\quickassist.exe
          C:\Users\Admin\AppData\Local\WXr8RV\quickassist.exe
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2320

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence
    Registry Run Keys / Startup Folder (T1060): 1
  • Defense Evasion
    Modify Registry (T1112): 1
  • Discovery
    System Information Discovery (T1082): 1
    Query Registry (T1012): 1

Downloads

        • C:\Users\Admin\AppData\Local\WXr8RV\UxTheme.dll
          Filesize

          1MB

          MD5

          20ad2a3b33c042ab05c5628829a1eb7c

          SHA1

          2ca988fa28f82a6b44667086aa7b7570e6bec3bf

          SHA256

          613cf481532a7bb323423e6847e3a0f33d2066e132a79dfca86a6d46981741af

          SHA512

          abd999e09d992a7c7903a6a797640d45001ffa763335537a95189fbcd191a70e1abed28c5478c14b83fe705079766d66e1f7bd91ca12520333269df5bd261e75

        • C:\Users\Admin\AppData\Local\WXr8RV\quickassist.exe
          Filesize

          665KB

          MD5

          d1216f9b9a64fd943539cc2b0ddfa439

          SHA1

          6fad9aeb7780bdfd88a9a5a73b35b3e843605e6c

          SHA256

          c1e8fda00da574e8759ba262d76b6edc1d5f4a80620730ef0be7527e0d803db2

          SHA512

          c5fd7d81d1d478056fcbed0ba887ce551832f0104e7c31753c3c8760b4d63f38324f74e996684042acc8f9682fce8a8c85172741a868257e87d5e0f988c4e567

        • C:\Users\Admin\AppData\Local\ic61lWtSQ\ReAgent.dll
          Filesize

          1MB

          MD5

          aff86f05df9044f5662622e01c508812

          SHA1

          c4cc73090330f8772ff03f011492d81ef744476d

          SHA256

          74f9e567e0ec53499590f3526c853df60a806932cea29ec35ccc503b0b599b40

          SHA512

          8479a080bb675b3417ab9c3942b9fe67f52754efcab170015b111fd429360ee48feddd8eadc2507813fa9fb7dd622eb345b8cd169d7dd52a80bcf6da35bceffb

        • C:\Users\Admin\AppData\Local\ic61lWtSQ\recdisc.exe
          Filesize

          193KB

          MD5

          18afee6824c84bf5115bada75ff0a3e7

          SHA1

          d10f287a7176f57b3b2b315a5310d25b449795aa

          SHA256

          0787b37cf197595b8149ffe3784f9c59eacde3616011f185513ff5c075a5ac4e

          SHA512

          517356165b401dbebf15437d3b17746aef5a6a4cc62a0afe45966abc92b4cf377eee4514a36ee28b1e88e55a22a2f8a6c997df45971e7f354b66ac7d9e141845

        • C:\Users\Admin\AppData\Local\tkfmZ4\XmlLite.dll
          Filesize

          1MB

          MD5

          a59559fd185f1c4a73f1d773eafa6a72

          SHA1

          5528c1f0a44b0eaa98197daa3ef4b5dc295e50bf

          SHA256

          66c5d2ec2239ef6154c8e203a0acaa7fec054bdbfced1de67a92c95b6093fda6

          SHA512

          5e43176543a57b83e847418df645104a175851d38c7a34e828f42d85d99adb11322c9bd05fc6277fe71f59a42ea7ab05ca415dfeb0ef5855a80839db815265a0

        • C:\Users\Admin\AppData\Local\tkfmZ4\upfc.exe
          Filesize

          118KB

          MD5

          299ea296575ccb9d2c1a779062535d5c

          SHA1

          2497169c13b0ba46a6be8a1fe493b250094079b7

          SHA256

          ee44fe14df89c4e5eaf8398f8fb4823fd910c5a94d913653d6b9e831254f6cc2

          SHA512

          02fc2b25167ebd7dfcc7b8aa74613e7004fdf33dfccccba6c3427434cca981c2eb50f4a801969b3a40c495a9bb0eac8176f4f2ec9091916cf3509a7f909b30fa

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Auavgaspgujdal.lnk
          Filesize

          1KB

          MD5

          8806bab188b566ceaeb1cb1ae2b6666e

          SHA1

          3eb59e225659df594b77abbf6c37161fc6cead24

          SHA256

          03d0f71f1d20c6bb13fa3049d31f894d40b4f2b6c03aaa30f43eb4dddaf76de6

          SHA512

          f10af368ef24bde1c5d744c07732f2094db3ddb8e169a59f93d7fdc88b406b138638fb972c89e4abb4e77437c5f0da4bd492114c88470ccdbe7aef4966fc3610

        • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\Keys\R1\ReAgent.dll
          Filesize

          1MB

          MD5

          aff86f05df9044f5662622e01c508812

          SHA1

          c4cc73090330f8772ff03f011492d81ef744476d

          SHA256

          74f9e567e0ec53499590f3526c853df60a806932cea29ec35ccc503b0b599b40

          SHA512

          8479a080bb675b3417ab9c3942b9fe67f52754efcab170015b111fd429360ee48feddd8eadc2507813fa9fb7dd622eb345b8cd169d7dd52a80bcf6da35bceffb

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\z7zkjY\XmlLite.dll
          Filesize

          1MB

          MD5

          a59559fd185f1c4a73f1d773eafa6a72

          SHA1

          5528c1f0a44b0eaa98197daa3ef4b5dc295e50bf

          SHA256

          66c5d2ec2239ef6154c8e203a0acaa7fec054bdbfced1de67a92c95b6093fda6

          SHA512

          5e43176543a57b83e847418df645104a175851d38c7a34e828f42d85d99adb11322c9bd05fc6277fe71f59a42ea7ab05ca415dfeb0ef5855a80839db815265a0

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\eagKrnB0\UxTheme.dll
          Filesize

          1MB

          MD5

          20ad2a3b33c042ab05c5628829a1eb7c

          SHA1

          2ca988fa28f82a6b44667086aa7b7570e6bec3bf

          SHA256

          613cf481532a7bb323423e6847e3a0f33d2066e132a79dfca86a6d46981741af

          SHA512

          abd999e09d992a7c7903a6a797640d45001ffa763335537a95189fbcd191a70e1abed28c5478c14b83fe705079766d66e1f7bd91ca12520333269df5bd261e75

        • memory/996-133-0x00007FF987380000-0x00007FF987485000-memory.dmp
          Filesize

          1MB

        • memory/996-140-0x00007FF987380000-0x00007FF987485000-memory.dmp
          Filesize

          1MB

        • memory/996-136-0x000001F8ACD90000-0x000001F8ACD97000-memory.dmp
          Filesize

          28KB

        • memory/2128-198-0x00007FF987440000-0x00007FF987545000-memory.dmp
          Filesize

          1MB

        • memory/2128-194-0x000001D832730000-0x000001D832737000-memory.dmp
          Filesize

          28KB

        • memory/2128-192-0x00007FF987440000-0x00007FF987545000-memory.dmp
          Filesize

          1MB

        • memory/2320-209-0x00007FF985D20000-0x00007FF985E26000-memory.dmp
          Filesize

          1MB

        • memory/2320-212-0x000001F394B80000-0x000001F394B87000-memory.dmp
          Filesize

          28KB

        • memory/2320-215-0x00007FF985D20000-0x00007FF985E26000-memory.dmp
          Filesize

          1MB

        • memory/3160-146-0x0000000140000000-0x0000000140105000-memory.dmp
          Filesize

          1MB

        • memory/3160-147-0x0000000140000000-0x0000000140105000-memory.dmp
          Filesize

          1MB

        • memory/3160-137-0x0000000002CE0000-0x0000000002CE1000-memory.dmp
          Filesize

          4KB

        • memory/3160-139-0x0000000140000000-0x0000000140105000-memory.dmp
          Filesize

          1MB

        • memory/3160-168-0x00007FF9A4420000-0x00007FF9A4430000-memory.dmp
          Filesize

          64KB

        • memory/3160-165-0x0000000140000000-0x0000000140105000-memory.dmp
          Filesize

          1MB

        • memory/3160-163-0x0000000140000000-0x0000000140105000-memory.dmp
          Filesize

          1MB

        • memory/3160-154-0x0000000140000000-0x0000000140105000-memory.dmp
          Filesize

          1MB

        • memory/3160-151-0x0000000000AE0000-0x0000000000AE7000-memory.dmp
          Filesize

          28KB

        • memory/3160-141-0x0000000140000000-0x0000000140105000-memory.dmp
          Filesize

          1MB

        • memory/3160-145-0x0000000140000000-0x0000000140105000-memory.dmp
          Filesize

          1MB

        • memory/3160-142-0x0000000140000000-0x0000000140105000-memory.dmp
          Filesize

          1MB

        • memory/3160-144-0x0000000140000000-0x0000000140105000-memory.dmp
          Filesize

          1MB

        • memory/3160-143-0x0000000140000000-0x0000000140105000-memory.dmp
          Filesize

          1MB

        • memory/5108-181-0x00007FF987440000-0x00007FF987546000-memory.dmp
          Filesize

          1MB

        • memory/5108-175-0x00007FF987440000-0x00007FF987546000-memory.dmp
          Filesize

          1MB

        • memory/5108-178-0x0000019466830000-0x0000019466837000-memory.dmp
          Filesize

          28KB