Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30-01-2024 22:26

General

  • Target

    82b98a019126a5f30050d77d82814f93.dll

  • Size

    3.5MB

  • MD5

    82b98a019126a5f30050d77d82814f93

  • SHA1

    903191e96053b8e6ac7ba8cbea36462ca8cf27c0

  • SHA256

    9463a439b0c76f66e03535405b713b906c9bce1453dfdc13a0ce3579c7059e41

  • SHA512

    aa8c585df62b333496bae2c05db6dbb026df46f2dc0a535a6a743479c8f7b6d2c7c4146e21430d955f9d60f4742e5c808267e535059d9470ba921c758b88d90e

  • SSDEEP

    12288:ZVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:YfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a banking trojan that specializes in stealing bank credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex payload shellcode injected into the Explorer process.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 6 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\82b98a019126a5f30050d77d82814f93.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1960
  • C:\Windows\system32\recdisc.exe
    C:\Windows\system32\recdisc.exe
    1⤵
      PID:4152
    • C:\Users\Admin\AppData\Local\dumg9s1h\recdisc.exe
      C:\Users\Admin\AppData\Local\dumg9s1h\recdisc.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:1232
    • C:\Windows\system32\Magnify.exe
      C:\Windows\system32\Magnify.exe
      1⤵
        PID:5104
      • C:\Users\Admin\AppData\Local\YJxUai\Magnify.exe
        C:\Users\Admin\AppData\Local\YJxUai\Magnify.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:4812
      • C:\Windows\system32\printfilterpipelinesvc.exe
        C:\Windows\system32\printfilterpipelinesvc.exe
        1⤵
          PID:3012
        • C:\Users\Admin\AppData\Local\3e7S5ve\printfilterpipelinesvc.exe
          C:\Users\Admin\AppData\Local\3e7S5ve\printfilterpipelinesvc.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2888
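
The process tree above pairs three System32 binaries (recdisc.exe, Magnify.exe, printfilterpipelinesvc.exe) with copies of the same names under AppData\Local, and the Downloads list below shows a DLL dropped next to each copy (ReAgent.dll, dwmapi.dll, XmlLite.dll) plus a .lnk in the Startup folder. The script below, an added example by the editor rather than report content or tria.ge signature logic, triages that pattern: it transcribes the two lists as constructed input and flags executables that run from a non-system directory under a System32 file name with a dropped DLL beside them. The rule itself is the editor's assumption about what marks a DLL search-order hijack; the report does not state which imports are hijacked.

```python
"""Side-loading and persistence triage over this report's process tree and
dropped-file list.

Added example by the editor, not part of the sandbox report. PROCESSES and
DROPPED_FILES are transcribed from the Processes and Downloads sections
(paths listed several times with different hashes are kept once); the
detection rules are the editor's assumptions, not tria.ge's signatures.
"""
from collections import defaultdict
from pathlib import PureWindowsPath

SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Constructed input: (PID, image path) pairs from the Processes section.
PROCESSES = [
    (1960, r"C:\Windows\system32\rundll32.exe"),
    (4152, r"C:\Windows\system32\recdisc.exe"),
    (1232, r"C:\Users\Admin\AppData\Local\dumg9s1h\recdisc.exe"),
    (5104, r"C:\Windows\system32\Magnify.exe"),
    (4812, r"C:\Users\Admin\AppData\Local\YJxUai\Magnify.exe"),
    (3012, r"C:\Windows\system32\printfilterpipelinesvc.exe"),
    (2888, r"C:\Users\Admin\AppData\Local\3e7S5ve\printfilterpipelinesvc.exe"),
]

# Constructed input: dropped paths from the Downloads section.
DROPPED_FILES = [
    r"C:\Users\Admin\AppData\Local\3e7S5ve\XmlLite.dll",
    r"C:\Users\Admin\AppData\Local\3e7S5ve\printfilterpipelinesvc.exe",
    r"C:\Users\Admin\AppData\Local\YJxUai\Magnify.exe",
    r"C:\Users\Admin\AppData\Local\YJxUai\dwmapi.dll",
    r"C:\Users\Admin\AppData\Local\dumg9s1h\ReAgent.dll",
    r"C:\Users\Admin\AppData\Local\dumg9s1h\recdisc.exe",
    r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Udjzqp.lnk",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\7NrnvntQdBQ\XmlLite.dll",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\WHxH\ReAgent.dll",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\B6NiKt4I3cg\dwmapi.dll",
]


def parent_dir(path: str) -> str:
    """Lower-cased parent directory so comparisons ignore Windows case."""
    return str(PureWindowsPath(path).parent).lower()


def find_sideload_candidates(processes, dropped):
    """Map each suspicious executable to the dropped DLLs sitting next to it.

    Suspicious means: runs outside SYSTEM_DIRS, carries the file name of a
    binary that ran from System32 in the same tree, and shares its directory
    with at least one dropped DLL (the search-order hijack setup).
    """
    system_names = {
        PureWindowsPath(img).name.lower()
        for _, img in processes
        if parent_dir(img) in SYSTEM_DIRS
    }
    dlls_by_dir = defaultdict(list)
    for f in dropped:
        p = PureWindowsPath(f)
        if p.suffix.lower() == ".dll":
            dlls_by_dir[parent_dir(f)].append(p.name)
    hits = {}
    for _, img in processes:
        p = PureWindowsPath(img)
        if parent_dir(img) in SYSTEM_DIRS or p.name.lower() not in system_names:
            continue
        beside = dlls_by_dir.get(parent_dir(img))
        if beside:
            hits[img] = sorted(beside)
    return hits


def find_startup_shortcuts(dropped):
    """Dropped .lnk files under a shell Startup folder (run at every logon)."""
    return [f for f in dropped
            if f.lower().endswith(".lnk") and "\\startup\\" in f.lower()]


def find_unpaired_dlls(dropped, hits):
    """Dropped DLLs whose directory holds no flagged executable: copies the
    side-loading rule alone would not surface."""
    flagged_dirs = {parent_dir(img) for img in hits}
    return [f for f in dropped
            if f.lower().endswith(".dll") and parent_dir(f) not in flagged_dirs]


if __name__ == "__main__":
    found = find_sideload_candidates(PROCESSES, DROPPED_FILES)
    for exe, dlls in found.items():
        print(f"side-load candidate: {exe}  <- {', '.join(dlls)}")
    for lnk in find_startup_shortcuts(DROPPED_FILES):
        print(f"startup persistence: {lnk}")
    for dll in find_unpaired_dlls(DROPPED_FILES, found):
        print(f"unpaired DLL copy:   {dll}")
```

On this report the rule flags all three AppData\Local copies with their neighbouring DLL and the Udjzqp.lnk Startup entry. The three DLL copies under AppData\Roaming (Quick Launch, OneNote, SendTo) have no executable listed beside them, so a pairing rule alone misses them; on a live host they would need a file-write timeline or the Run key and scheduled task named in the Signatures section to tie them to a launcher.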

        Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\3e7S5ve\XmlLite.dll

          Filesize

          80KB

          MD5

          2f67b49be077de9206e0d3281231c0b0

          SHA1

          a4e6ce15536e6e1d014c5a3406ebd7b41e297f05

          SHA256

          84594403fdd80a7fcf9f2230733312b9361becadc4ad75bdd60a8b2811d7eacb

          SHA512

          ef56025433045ae9d67b049a18bc903d5c9852a61094a256bebad59a451f6da2aec82364f7b9c6f1b8fe1f5f1321866b61da2c6316b2b7ca10390ca0bd6ed5f4

        • C:\Users\Admin\AppData\Local\3e7S5ve\XmlLite.dll

          Filesize

          98KB

          MD5

          15b0ec01e7112858406b45bc4508dc80

          SHA1

          8fddb90a029fd103b45ab96f4524f197141e7223

          SHA256

          70b9133761ae929289c0425acf39ae3b1cb1be2034e366303d1900f712e3b78b

          SHA512

          96387346aeb9c559da45abcc2a59ae294d38e5904ffe12d0c07323bf4f685d06d2225d77bce53f6491e142da2038296bc9d1a75d8098397e9f3c49c2a52ac705

        • C:\Users\Admin\AppData\Local\3e7S5ve\XmlLite.dll

          Filesize

          225KB

          MD5

          97e5d336c66a40a95cabe8d11d7934f6

          SHA1

          00da531f5d97dba5ab01417cb2c987966f85c89b

          SHA256

          381018d15fcfd415812615b1511916d52315359bbf54c2513f15e26dde284261

          SHA512

          be27f590f7e7ddcec05ebb515bbf7407c15b315181b87de6883bd7e7f360bf5a427e4aec9b2eaf8da0154d644d2ec9ca25593bb6eef7bb56dc8b87e1444fdff4

        • C:\Users\Admin\AppData\Local\3e7S5ve\XmlLite.dll

          Filesize

          129KB

          MD5

          2528a332d5b018a416ebcfe4a8d4ac7a

          SHA1

          e20ca9b86da2d8e082d780ba9d6155b5df2ccdb7

          SHA256

          21d24fdd050057028802ba280b2445bfe455785bf498d131d132fb600f6dcb40

          SHA512

          046d5c2e996977ef3c49ee11fcf128f503b54e0fa7b43aee09c8e71fab151febdb02f46d3d35766d4fb80b381a3e5ac3cce1d4f62ea8244cd8694b77f49b792d

        • C:\Users\Admin\AppData\Local\3e7S5ve\printfilterpipelinesvc.exe

          Filesize

          167KB

          MD5

          312661a7a84e4ffb65ba9ba78d5a0c66

          SHA1

          d08d209c2ecb0abf44d4f7d91a8fa80770c0ea68

          SHA256

          18cb096c0617af0ee4a4a8338abc11c130b18d541622cae66bd74ed8a13d9d23

          SHA512

          cbecd8e4712d174e029c859dc942ddcb09e697db2064b9a71e2727aa004cde7e873807395f0f7d780eb5ac0c49eb5e6ba33ed638b9e06f6586742f9b894212ed

        • C:\Users\Admin\AppData\Local\3e7S5ve\printfilterpipelinesvc.exe

          Filesize

          126KB

          MD5

          b2a7dc13ac88ca37015d28aa5dd8b5cc

          SHA1

          145c4d0c8fb9b5616a0dd618d51fe58bd9b89c5f

          SHA256

          5d3deaef291851ea58d24dbe693982c93540daa66f2e61b6d7712d4ecf50b362

          SHA512

          1f466f4d0baf1b9cdd7cd1664909389474aeac11260645e67e208d005762e00726da101e764b650edd270285beeffadd1417beed5b49532d6b28dbe5b135d840

        • C:\Users\Admin\AppData\Local\YJxUai\Magnify.exe

          Filesize

          105KB

          MD5

          deb1c965788b8d51905637c6b9b12ebd

          SHA1

          82af1c3eecf4f3d1c5a454839ff7f30cb04204b8

          SHA256

          2d23f281f0815d9d42786ab3f5475330f74cf8c3b5abe7760ab4367f369bd6d3

          SHA512

          95af508738a46b88a2750afdf49a1389b7e5ec73f4a70d88376d7fb08e169c51a0822003fac048cd9153b47484fa636e24f778b46f5dff422908dda719f139ed

        • C:\Users\Admin\AppData\Local\YJxUai\Magnify.exe

          Filesize

          44KB

          MD5

          eee85e2706d0c28bf678caa3a819581a

          SHA1

          eba01b433fcd6a3bbbf5478af195efc8616f4ba4

          SHA256

          05e4a557572e181c926d8e8346bdf5f5fe11335907445c65948e5deb983fa577

          SHA512

          a3a88f51c632ee7ab64f53bb3b191da772a850b7e64469a678fe1f48bce4b593be0005489c7de619648609deb17774f0dbad22fdbedec519de89ff6c9ffbd54b

        • C:\Users\Admin\AppData\Local\YJxUai\dwmapi.dll

          Filesize

          92KB

          MD5

          238491598e30e0e05afc18e216f9104d

          SHA1

          3b48144b145cc0309efdaa190ea5e9736524fc8b

          SHA256

          8197a292eaa6639b88366fbe5dd2e05aaf389f1afc7031d06b6ad00e50c773aa

          SHA512

          42767d2cd712b3718310b5d84c929ee5e9b19ca74911371bc5fb1e83c7e9b1af0f69fc23f954d463dc24fb0886b3637bf41ae10ad89563aa98eed8b369f74f8e

        • C:\Users\Admin\AppData\Local\YJxUai\dwmapi.dll

          Filesize

          53KB

          MD5

          472d16df6c93c35aa6d4d01680987b08

          SHA1

          3474903bb8f48a895da704d1a706322747c969c8

          SHA256

          89d2f715cb926c9b9db5b65374a325ea2df01404af3a3e88c84f667a4c16acfa

          SHA512

          9b5242dfe8d70482aae01277f99b1eddb110d38c040f1e8319f0e9455d61df723f57bd96ad3d7247efc21fc917a3f6b7a737e7b12e72a3c392bd46de4afc11b9

        • C:\Users\Admin\AppData\Local\YJxUai\dwmapi.dll

          Filesize

          69KB

          MD5

          2e09da7e42797a019887261ede6b438d

          SHA1

          251fb0a23528d1a41485543b3cda3b5ccab2ce0a

          SHA256

          651569c7469a0140286b2e32bb9b57d63b171c147efaaa15f38ff9a881c01d05

          SHA512

          98dc51d602c78a9d6c68b9782ff4ceb6671034e46e855abad4facd353044c0aef84580e2a10cef4c33233bc2a79d857d5e2052647125fb5b04805d5e4f0bcdea

        • C:\Users\Admin\AppData\Local\dumg9s1h\ReAgent.dll

          Filesize

          48KB

          MD5

          2439cf0a43a430357c184fe161b91233

          SHA1

          71c25e7c809d003bd4ea1ce66fbf4f60c2b97146

          SHA256

          4174d734ed3ac9cdd63b26741317df5b32cea2dfe52ff370f6070e189f8fb478

          SHA512

          36d9ee9daadfa362406a1d7b54d6becc38e68bfeeff3235687617c12e942ed0502df65b148af00b5687753b16dc962273d95937891f014c6a3885b0c9a997fd1

        • C:\Users\Admin\AppData\Local\dumg9s1h\ReAgent.dll

          Filesize

          95KB

          MD5

          9e03bb817133a629095b722891d1382c

          SHA1

          aa486a54795b1c7dc718fb5ed85d878920afdbfb

          SHA256

          c81987311af44f0bc3d460ff76fc9e907dbec10af4d03d14d3ed15a98d26c99b

          SHA512

          87f65e9d9ef2c47f075df85a778e4556d1219052bde5885567d8a8bd2ae6d2b18444f20105953765ab4201bd65ecb006d9166b10e5b4d6c031af68acb0ed83bc

        • C:\Users\Admin\AppData\Local\dumg9s1h\recdisc.exe

          Filesize

          193KB

          MD5

          18afee6824c84bf5115bada75ff0a3e7

          SHA1

          d10f287a7176f57b3b2b315a5310d25b449795aa

          SHA256

          0787b37cf197595b8149ffe3784f9c59eacde3616011f185513ff5c075a5ac4e

          SHA512

          517356165b401dbebf15437d3b17746aef5a6a4cc62a0afe45966abc92b4cf377eee4514a36ee28b1e88e55a22a2f8a6c997df45971e7f354b66ac7d9e141845

        • C:\Users\Admin\AppData\Local\dumg9s1h\recdisc.exe

          Filesize

          65KB

          MD5

          f461ff54eb3ba45b7b7a0d5d65398fd0

          SHA1

          017653bdca6b48f76f5adfc7496408dc18e9de67

          SHA256

          22c017dd7b992c6c64d7110935507563341334787b383f08aeeec1af51698228

          SHA512

          cde6689565085fc76267c05b2808f111e33f2d06c1a22e7b5bfb9501b9cf65c030834b4235ce1c39f1204467d0ff8ff3c5f13fdb07b048edd61b06815bef1b3f

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Udjzqp.lnk

          Filesize

          1KB

          MD5

          02f2ac4ba174c36e5207ccb0d2835d0b

          SHA1

          8590f7447b84754a10bd1316d98aa58c1b5c33a9

          SHA256

          7c1cecc18aad4b30117e06a7ed126bf4455395363cfffc09e2bf9aa8fc969ea1

          SHA512

          33806b0f719e49130049091bfb161afdde98cf6080cc78371c3d09a53b16dffcae8eb6ce3f2575648435063cc5c34924edc600ab870b0510f59bf9445987a21c

        • C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\7NrnvntQdBQ\XmlLite.dll

          Filesize

          88KB

          MD5

          26e7b2591db586bc497bb7b2b75714c0

          SHA1

          e47e4a72f99991dad99d48e88c8e35f92d744764

          SHA256

          18bd7ca051de5d28aeb11dc0669d5bfd56f5eea45dc338aa00d05a5b5ff3d352

          SHA512

          bcf5f62409af904c6a09f3c134f8c879507f74f15b035f453690af7e2ebc44f27d57e4844d40a232291d391a3511849d2044e58d26fee2fbd4e99616bb288866

        • C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\WHxH\ReAgent.dll

          Filesize

          115KB

          MD5

          a42b4d81aff86fbfb69b9cbd3299546d

          SHA1

          4d227c3d71e1606fb1b6330a196d4128f1b668be

          SHA256

          d75264272b61ac364b71c8ce020e95bf270117cae9eee496746cb5896f8a39da

          SHA512

          b27f3b3c0f49b10c9b7fb6f8d51e0abeefac4ab24f05a336a4d85294ffc1d27c2807a2f4a1fa5bc563d4da1f796e08f9d769fdd0c58f598f07efb409b17257ac

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\B6NiKt4I3cg\dwmapi.dll

          Filesize

          22KB

          MD5

          a07cfdfc907ba3b00df4745718687f53

          SHA1

          dde00128b69da5f1178e55bf2f54f4c53b5b811c

          SHA256

          d2539bba3d06d664d00d29cc453a9edbdd43a0ae5611d6f7405cd46b3dcb34b9

          SHA512

          5823812905caa1c670f41a9a76b4e9e3151dbc3e05317a3840c22371663691fdcd6f51bd157cdea085da933ccc831fc3cd4b5e2fb23feb0410459b7801d6337b

        • memory/1232-102-0x0000018976350000-0x0000018976357000-memory.dmp

          Filesize

          28KB

        • memory/1960-1-0x0000000140000000-0x000000014037F000-memory.dmp

          Filesize

          3.5MB

        • memory/1960-8-0x0000000140000000-0x000000014037F000-memory.dmp

          Filesize

          3.5MB

        • memory/1960-0-0x000001A460ED0000-0x000001A460ED7000-memory.dmp

          Filesize

          28KB

        • memory/2888-139-0x00000226384C0000-0x00000226384C7000-memory.dmp

          Filesize

          28KB

        • memory/3440-28-0x0000000140000000-0x000000014037F000-memory.dmp

          Filesize

          3.5MB

        • memory/3440-63-0x0000000140000000-0x000000014037F000-memory.dmp

          Filesize

          3.5MB

        • memory/3440-34-0x0000000140000000-0x000000014037F000-memory.dmp

          Filesize

          3.5MB

        • memory/3440-37-0x0000000140000000-0x000000014037F000-memory.dmp

          Filesize

          3.5MB

        • memory/3440-39-0x0000000140000000-0x000000014037F000-memory.dmp

          Filesize

          3.5MB

        • memory/3440-41-0x0000000140000000-0x000000014037F000-memory.dmp

          Filesize

          3.5MB

        • memory/3440-40-0x0000000140000000-0x000000014037F000-memory.dmp

          Filesize

          3.5MB

        • memory/3440-38-0x0000000140000000-0x000000014037F000-memory.dmp

          Filesize

          3.5MB

        • memory/3440-36-0x0000000140000000-0x000000014037F000-memory.dmp

          Filesize

          3.5MB

        • memory/3440-35-0x0000000140000000-0x000000014037F000-memory.dmp

          Filesize

          3.5MB

        • memory/3440-33-0x0000000140000000-0x000000014037F000-memory.dmp

          Filesize

          3.5MB

        • memory/3440-32-0x0000000140000000-0x000000014037F000-memory.dmp

          Filesize

          3.5MB

        • memory/3440-26-0x0000000140000000-0x000000014037F000-memory.dmp

          Filesize

          3.5MB

        • memory/3440-25-0x0000000140000000-0x000000014037F000-memory.dmp

          Filesize

          3.5MB

        • memory/3440-21-0x0000000140000000-0x000000014037F000-memory.dmp

          Filesize

          3.5MB

        • memory/3440-43-0x0000000140000000-0x000000014037F000-memory.dmp

          Filesize

          3.5MB

        • memory/3440-44-0x0000000140000000-0x000000014037F000-memory.dmp

          Filesize

          3.5MB

        • memory/3440-45-0x0000000140000000-0x000000014037F000-memory.dmp

          Filesize

          3.5MB

        • memory/3440-46-0x0000000140000000-0x000000014037F000-memory.dmp

          Filesize

          3.5MB

        • memory/3440-42-0x0000000140000000-0x000000014037F000-memory.dmp

          Filesize

          3.5MB

        • memory/3440-48-0x0000000140000000-0x000000014037F000-memory.dmp

          Filesize

          3.5MB

        • memory/3440-50-0x0000000140000000-0x000000014037F000-memory.dmp

          Filesize

          3.5MB

        • memory/3440-51-0x0000000140000000-0x000000014037F000-memory.dmp

          Filesize

          3.5MB

        • memory/3440-52-0x0000000140000000-0x000000014037F000-memory.dmp

          Filesize

          3.5MB

        • memory/3440-49-0x0000000140000000-0x000000014037F000-memory.dmp

          Filesize

          3.5MB

        • memory/3440-47-0x0000000140000000-0x000000014037F000-memory.dmp

          Filesize

          3.5MB

        • memory/3440-54-0x0000000140000000-0x000000014037F000-memory.dmp

          Filesize

          3.5MB

        • memory/3440-53-0x0000000140000000-0x000000014037F000-memory.dmp

          Filesize

          3.5MB

        • memory/3440-57-0x0000000140000000-0x000000014037F000-memory.dmp

          Filesize

          3.5MB

        • memory/3440-60-0x0000000140000000-0x000000014037F000-memory.dmp

          Filesize

          3.5MB

        • memory/3440-62-0x0000000140000000-0x000000014037F000-memory.dmp

          Filesize

          3.5MB

        • memory/3440-31-0x0000000140000000-0x000000014037F000-memory.dmp

          Filesize

          3.5MB

        • memory/3440-61-0x0000000140000000-0x000000014037F000-memory.dmp

          Filesize

          3.5MB

        • memory/3440-59-0x0000000140000000-0x000000014037F000-memory.dmp

          Filesize

          3.5MB

        • memory/3440-58-0x0000000140000000-0x000000014037F000-memory.dmp

          Filesize

          3.5MB

        • memory/3440-56-0x0000000140000000-0x000000014037F000-memory.dmp

          Filesize

          3.5MB

        • memory/3440-55-0x0000000140000000-0x000000014037F000-memory.dmp

          Filesize

          3.5MB

        • memory/3440-64-0x0000000140000000-0x000000014037F000-memory.dmp

          Filesize

          3.5MB

        • memory/3440-65-0x0000000140000000-0x000000014037F000-memory.dmp

          Filesize

          3.5MB

        • memory/3440-73-0x0000000002810000-0x0000000002817000-memory.dmp

          Filesize

          28KB

        • memory/3440-81-0x00007FFEBAB80000-0x00007FFEBAB90000-memory.dmp

          Filesize

          64KB

        • memory/3440-30-0x0000000140000000-0x000000014037F000-memory.dmp

          Filesize

          3.5MB

        • memory/3440-29-0x0000000140000000-0x000000014037F000-memory.dmp

          Filesize

          3.5MB

        • memory/3440-27-0x0000000140000000-0x000000014037F000-memory.dmp

          Filesize

          3.5MB

        • memory/3440-24-0x0000000140000000-0x000000014037F000-memory.dmp

          Filesize

          3.5MB

        • memory/3440-23-0x0000000140000000-0x000000014037F000-memory.dmp

          Filesize

          3.5MB

        • memory/3440-22-0x0000000140000000-0x000000014037F000-memory.dmp

          Filesize

          3.5MB

        • memory/3440-7-0x0000000140000000-0x000000014037F000-memory.dmp

          Filesize

          3.5MB

        • memory/3440-10-0x0000000140000000-0x000000014037F000-memory.dmp

          Filesize

          3.5MB

        • memory/3440-4-0x0000000002850000-0x0000000002851000-memory.dmp

          Filesize

          4KB

        • memory/3440-6-0x00007FFEB93FA000-0x00007FFEB93FB000-memory.dmp

          Filesize

          4KB

        • memory/3440-11-0x0000000140000000-0x000000014037F000-memory.dmp

          Filesize

          3.5MB

        • memory/3440-20-0x0000000140000000-0x000000014037F000-memory.dmp

          Filesize

          3.5MB

        • memory/3440-19-0x0000000140000000-0x000000014037F000-memory.dmp

          Filesize

          3.5MB

        • memory/3440-18-0x0000000140000000-0x000000014037F000-memory.dmp

          Filesize

          3.5MB

        • memory/3440-17-0x0000000140000000-0x000000014037F000-memory.dmp

          Filesize

          3.5MB

        • memory/3440-16-0x0000000140000000-0x000000014037F000-memory.dmp

          Filesize

          3.5MB

        • memory/3440-15-0x0000000140000000-0x000000014037F000-memory.dmp

          Filesize

          3.5MB

        • memory/3440-14-0x0000000140000000-0x000000014037F000-memory.dmp

          Filesize

          3.5MB

        • memory/3440-13-0x0000000140000000-0x000000014037F000-memory.dmp

          Filesize

          3.5MB

        • memory/3440-12-0x0000000140000000-0x000000014037F000-memory.dmp

          Filesize

          3.5MB

        • memory/3440-9-0x0000000140000000-0x000000014037F000-memory.dmp

          Filesize

          3.5MB

        • memory/4812-119-0x000001FEEA710000-0x000001FEEAA90000-memory.dmp

          Filesize

          3.5MB

        • memory/4812-122-0x000001FEEA770000-0x000001FEEA777000-memory.dmp

          Filesize

          28KB
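
Most of the dump entries above belong to PID 3440, which never appears in the process tree, and they describe a region at 0x140000000 of exactly the size rundll32 (PID 1960) mapped the DLL at; the Dridex Shellcode signature above refers to the Explorer process. The script below, an added example by the editor and not part of the report, parses the dump file names and correlates them with the tree. The DUMPS list is a transcribed subset (the repeated PID 3440 entries for the same region collapsed) and the size-matching rule is the editor's assumption; the listing alone does not prove which image PID 3440 is.

```python
"""Correlate the memory-dump listing above with the process tree.

Added example by the editor, not part of the sandbox report. The dump names
are transcribed from the listing (duplicate PID 3440 entries for one region
collapsed); the assumption is that a region the size of the sample's own
image, inside a PID the tree never shows starting, is an injected copy.
"""
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-\d+-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# Constructed input: a representative subset of the dump names listed above.
DUMPS = [
    "memory/1232-102-0x0000018976350000-0x0000018976357000-memory.dmp",
    "memory/1960-1-0x0000000140000000-0x000000014037F000-memory.dmp",
    "memory/1960-8-0x0000000140000000-0x000000014037F000-memory.dmp",
    "memory/1960-0-0x000001A460ED0000-0x000001A460ED7000-memory.dmp",
    "memory/2888-139-0x00000226384C0000-0x00000226384C7000-memory.dmp",
    "memory/3440-28-0x0000000140000000-0x000000014037F000-memory.dmp",
    "memory/3440-65-0x0000000140000000-0x000000014037F000-memory.dmp",
    "memory/3440-73-0x0000000002810000-0x0000000002817000-memory.dmp",
    "memory/3440-81-0x00007FFEBAB80000-0x00007FFEBAB90000-memory.dmp",
    "memory/3440-4-0x0000000002850000-0x0000000002851000-memory.dmp",
    "memory/4812-119-0x000001FEEA710000-0x000001FEEAA90000-memory.dmp",
    "memory/4812-122-0x000001FEEA770000-0x000001FEEA777000-memory.dmp",
]

# PIDs the Processes section shows starting.
TREE_PIDS = {1960, 4152, 1232, 5104, 4812, 3012, 2888}


def parse_dump(name):
    """Return (pid, start, size) from a tria.ge-style dump file name."""
    m = DUMP_RE.match(name)
    if m is None:
        raise ValueError(f"not a dump name: {name!r}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    return int(m["pid"]), start, end - start


# The sample's in-memory image size, taken from the region the rundll32 host
# (PID 1960) mapped at 0x140000000; the General section rounds it to 3.5MB.
SAMPLE_IMAGE_SIZE = parse_dump(DUMPS[1])[2]  # 0x37F000


def image_sized_regions(dumps, image_size=SAMPLE_IMAGE_SIZE, tolerance=0x10000):
    """{pid: [(start, size), ...]} for distinct regions within `tolerance`
    bytes of the sample's image size; small heap and stack scraps are dropped."""
    by_pid = defaultdict(set)
    for name in dumps:
        pid, start, size = parse_dump(name)
        if abs(size - image_size) <= tolerance:
            by_pid[pid].add((start, size))
    return {pid: sorted(regions) for pid, regions in by_pid.items()}


def pids_not_in_tree(regions, tree_pids=TREE_PIDS):
    """PIDs holding an image-sized region that the tree never shows starting:
    candidates for a process the loader injected into rather than launched."""
    return sorted(set(regions) - set(tree_pids))


def at_host_image_base(regions, base=0x140000000):
    """PIDs whose copy sits at the same base the rundll32 host mapped it at,
    as opposed to a copy parked in dynamically allocated memory."""
    return sorted(pid for pid, rs in regions.items()
                  if any(start == base for start, _ in rs))


if __name__ == "__main__":
    regions = image_sized_regions(DUMPS)
    for pid, rs in sorted(regions.items()):
        print(pid, [(hex(s), hex(n)) for s, n in rs])
    print("image-sized region but not in tree:", pids_not_in_tree(regions))
    print("copy at host image base:", at_host_image_base(regions))
```

Three PIDs hold a region of the payload's size: 1960 and 3440 at 0x140000000, and 4812 (the dropped Magnify.exe) at a high heap-range address, which is what a manually mapped copy rather than a LoadLibrary mapping looks like. Only 3440 is absent from the tree, which is consistent with, though not by itself proof of, the Explorer injection the signature reports; confirm against the sandbox's full process list before treating 3440 as explorer.exe.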