Analysis

  • max time kernel
    145s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01-02-2024 23:34

General

  • Target: 87f4ff988b3efc9a3e0d996f68db1be0.dll
  • Size: 2.0MB
  • MD5: 87f4ff988b3efc9a3e0d996f68db1be0
  • SHA1: 89c3b7a72d3dab1fbf000ec432f9e4bdf8169c67
  • SHA256: a7f598f265286347b55802674110210e08986dad0a49bdd83caf30ee6d6085f0
  • SHA512: 7487d405c81a5a1fb200ffd92223569f782168a092fb09d318e55ba76faece7a8edfbaf97f727f9bff7c92f695a69f33b78d77e66a989e51071d9641669292c0
  • SSDEEP: 12288:kVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1dP4bL:BfP7fWsK5z9A+WGAW+V5SB6Ct4bnbc

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a banking trojan that specializes in stealing banking credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex payload shellcode injected into the Explorer process.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\87f4ff988b3efc9a3e0d996f68db1be0.dll,#1
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:4528
  • C:\Windows\system32\recdisc.exe
    C:\Windows\system32\recdisc.exe
    PID:4380
  • C:\Users\Admin\AppData\Local\LktVSnhJ\recdisc.exe
    C:\Users\Admin\AppData\Local\LktVSnhJ\recdisc.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:3916
  • C:\Windows\system32\sigverif.exe
    C:\Windows\system32\sigverif.exe
    PID:2256
  • C:\Users\Admin\AppData\Local\xfp\sigverif.exe
    C:\Users\Admin\AppData\Local\xfp\sigverif.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:2232
  • C:\Windows\system32\RecoveryDrive.exe
    C:\Windows\system32\RecoveryDrive.exe
    PID:3228
  • C:\Users\Admin\AppData\Local\GxkBE1a\RecoveryDrive.exe
    C:\Users\Admin\AppData\Local\GxkBE1a\RecoveryDrive.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:1756
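The process tree above shows two things a detection engineer would key on: rundll32.exe launching a DLL out of %TEMP% by export ordinal (",#1"), and copies of legitimate System32 utilities (recdisc.exe, sigverif.exe, RecoveryDrive.exe) executing from random-named folders under %LOCALAPPDATA%. The following Python is an added example, not part of the sandbox report: it runs those two checks over process-creation events reconstructed from the tree (image path, command line, PID; the report gives no parent PIDs, so no parent-based logic is used). The SYSTEM32_NAMES allowlist is an assumption limited to the binaries seen here.

```python
"""Added example (not part of the sandbox report): two process-creation checks
run over events reconstructed from the report's process tree.

Event fields mimic Sysmon Event ID 1 / EDR process-start records.  Parent
process links are NOT in the report, so none are used here.
"""
import ntpath
import re
from typing import Iterable

# Executables that ship in System32 and appear in the report.  One of these
# names running from a user-writable directory is the DLL side-loading host
# pattern (legitimate signed EXE copied next to a malicious DLL).
# Assumption for this example: a real deployment would build this list from
# a clean reference image.
SYSTEM32_NAMES = {"recdisc.exe", "sigverif.exe", "recoverydrive.exe"}

# User-writable staging roots used by the dropped copies in the report.
USER_WRITABLE = re.compile(
    r"^c:\\users\\[^\\]+\\appdata\\(local|roaming)\\", re.IGNORECASE
)

# rundll32 invoking <path>.dll with an ordinal export such as ",#1".
RUNDLL32_ORDINAL = re.compile(
    r"rundll32(\.exe)?\s+(?P<dll>\S+?\.dll)\s*,\s*#\d+", re.IGNORECASE
)


def check_event(evt: dict) -> list[str]:
    """Return the finding tags raised by one process-creation event."""
    findings = []
    image = evt["image"]
    name = ntpath.basename(image).lower()

    m = RUNDLL32_ORDINAL.search(evt["cmdline"])
    if name == "rundll32.exe" and m and "\\temp\\" in m.group("dll").lower():
        findings.append("rundll32_temp_dll_ordinal_export")

    if name in SYSTEM32_NAMES and USER_WRITABLE.match(image):
        findings.append("system32_binary_name_from_user_writable_dir")
    return findings


def scan(events: Iterable[dict]) -> dict[int, list[str]]:
    """Map pid -> findings, omitting pids with nothing to report."""
    out = {}
    for evt in events:
        hits = check_event(evt)
        if hits:
            out[evt["pid"]] = hits
    return out


# Constructed from the report's process tree (paths and PIDs as listed there).
SAMPLE_EVENTS = [
    {"pid": 4528, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\87f4ff988b3efc9a3e0d996f68db1be0.dll,#1"},
    {"pid": 4380, "image": r"C:\Windows\system32\recdisc.exe",
     "cmdline": r"C:\Windows\system32\recdisc.exe"},
    {"pid": 3916, "image": r"C:\Users\Admin\AppData\Local\LktVSnhJ\recdisc.exe",
     "cmdline": r"C:\Users\Admin\AppData\Local\LktVSnhJ\recdisc.exe"},
    {"pid": 2256, "image": r"C:\Windows\system32\sigverif.exe",
     "cmdline": r"C:\Windows\system32\sigverif.exe"},
    {"pid": 2232, "image": r"C:\Users\Admin\AppData\Local\xfp\sigverif.exe",
     "cmdline": r"C:\Users\Admin\AppData\Local\xfp\sigverif.exe"},
    {"pid": 3228, "image": r"C:\Windows\system32\RecoveryDrive.exe",
     "cmdline": r"C:\Windows\system32\RecoveryDrive.exe"},
    {"pid": 1756, "image": r"C:\Users\Admin\AppData\Local\GxkBE1a\RecoveryDrive.exe",
     "cmdline": r"C:\Users\Admin\AppData\Local\GxkBE1a\RecoveryDrive.exe"},
]

if __name__ == "__main__":
    for pid, hits in scan(SAMPLE_EVENTS).items():
        print(pid, ", ".join(hits))
```

Run stand-alone it reports PID 4528 for the rundll32 pattern and PIDs 3916, 2232 and 1756 for the relocated System32 binaries; the System32 originals (4380, 2256, 3228) are silent, which is the point of checking the image path rather than the file name alone.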

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\GxkBE1a\RecoveryDrive.exe
    Filesize: 911KB
    MD5: b9b3dc6f2eb89e41ff27400952602c74
    SHA1: 24ae07e0db3ace0809d08bbd039db3a9d533e81b
    SHA256: 630518cb2e4636f889d12c98fb2e6be4e579c5eeb86f88695d3f7fff3f5515c4
    SHA512: 7906954b881f1051a0c7f098e096bc28eddcc48643b8bf3134dd57b8c18d8beba4f9a0ac5d348de2f9b8ea607c3e9cb0e61d91e4f3ba1fefb02839f928e3e3fe

  • C:\Users\Admin\AppData\Local\GxkBE1a\UxTheme.dll
    Filesize: 2.0MB
    MD5: a7187e1b01918bdf95ebec459e683e77
    SHA1: b8771c819a730929bc9dfc29939c4ed94fc665a5
    SHA256: 9c8d0ca9065004ee29451ae723c400bb6de7981d255a1e2b3e25bb9b0da63f11
    SHA512: 180c8acdf15cf575e766eaebcb3c96abe524e6282a32a3b6760359383775c2d01bad24357e154ce43953cfe23e91f4dda5534e778e27290ed475f1e2fcaa44a9

  • C:\Users\Admin\AppData\Local\LktVSnhJ\ReAgent.dll
    Filesize: 2.0MB
    MD5: 1fc3dab81aeebf591611ed194b253474
    SHA1: acf6e6675e2eae91e1f2a2af5cc072041096e191
    SHA256: ff6d0d7c75c5a24c55c1b66d8b2a57bb0e9a02bda73bf25cfcf3de878fec2999
    SHA512: 68671b46e86a18928b81617fc6340842a8b955377a2c4878b81ad31278de5a7ea6aafe50a41b5c7f85b602e2675f72d097e3450106e77489cc5ad4a18a941fab

  • C:\Users\Admin\AppData\Local\LktVSnhJ\recdisc.exe
    Filesize: 193KB
    MD5: 18afee6824c84bf5115bada75ff0a3e7
    SHA1: d10f287a7176f57b3b2b315a5310d25b449795aa
    SHA256: 0787b37cf197595b8149ffe3784f9c59eacde3616011f185513ff5c075a5ac4e
    SHA512: 517356165b401dbebf15437d3b17746aef5a6a4cc62a0afe45966abc92b4cf377eee4514a36ee28b1e88e55a22a2f8a6c997df45971e7f354b66ac7d9e141845

  • C:\Users\Admin\AppData\Local\xfp\VERSION.dll
    Filesize: 2.0MB
    MD5: 7c913b1bdd914f5095423d140cfdb629
    SHA1: f5ad9fc8c9ca0c0cc64948a50c7bd211de27c7bf
    SHA256: 65fadb8fc3668ab38b06e9023936e1ef21d1dbffb297405f40f28ac0046bcd55
    SHA512: 5a0dfce14dabd72d6ec81f1efdf73923421be552d2c44bd12eca2529054b698a45f4c64d19dfa3e0115ae0f24485550bb54139d4f85159d0a00a94a959abc96c

  • C:\Users\Admin\AppData\Local\xfp\sigverif.exe
    Filesize: 77KB
    MD5: 2151a535274b53ba8a728e542cbc07a8
    SHA1: a2304c0f2616a7d12298540dce459dd9ccf07443
    SHA256: 064de47877b00dc35886e829a697e4adb3d3cfdf294ddba13b6009a0f415b1bd
    SHA512: e6fd520ee1bd80a5fe8a7c2ae6446dcaabd4e335a602c36356f85305abef751b7dffa7eaac1ec13c105ccd8c3e9070bd32ed4b14bc8a9e52dc5f47b936d69a9f

  • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Btpzaqnqvnv.lnk
    Filesize: 1KB
    MD5: 7882f51af209ebc104f8a198599e7841
    SHA1: 3bc43e7f92aa7aea9f8e5eee81b4d157fbf6b7e5
    SHA256: 2a32c2a6814b97c911cf1a48a4719106178bc128edda4f5442035d3e04ed7252
    SHA512: e5bb24d8dd73002bdc991a726d2ce3f4b95ecbcc4b69bf0167be9910665549be9c435d21681c7d0cd461de63ca4ba14dd5ec91a3474949f7fba1911e5ef4b820
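The dropped files fall into a pattern worth making explicit: each random-named folder under %LOCALAPPDATA% holds a copy of a legitimate System32 executable (RecoveryDrive.exe, recdisc.exe, sigverif.exe) next to a DLL carrying the name of a Windows library (UxTheme.dll, ReAgent.dll, VERSION.dll), and each of those DLLs is the same 2.0MB as the submitted sample, which is consistent with DLL search-order hijacking of the copied host. The .lnk in the Startup folder is the persistence hook. The following Python is an added example, not part of the sandbox report: it groups the dropped-file records by directory, flags directories with that EXE-plus-System32-DLL pairing, carries the DLL SHA256s through as blocklist IOCs, and lists Startup-folder shortcuts. The SYSTEM32_DLLS allowlist and the size tolerance are this example's assumptions.

```python
"""Added example (not part of the sandbox report): flag DLL side-loading
staging directories and Startup-folder persistence in a dropped-file list.

Paths, sizes and SHA256 values are copied from the report's Downloads
section; SYSTEM32_DLLS and SIZE_TOLERANCE are assumptions for this example.
"""
import ntpath
from collections import defaultdict

# Library names that exist in System32 and were dropped in the report.  In a
# real deployment derive this set from a clean reference image (assumption).
SYSTEM32_DLLS = {"reagent.dll", "version.dll", "uxtheme.dll"}

SIZE_TOLERANCE = 0.10  # +/-10% of the submitted sample's size counts as "same size"


def parse_size(text: str) -> int:
    """'2.0MB' / '911KB' / '1KB' -> bytes (the report prints rounded units)."""
    units = {"KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}
    for suffix, mult in units.items():
        if text.upper().endswith(suffix):
            return int(float(text[: -len(suffix)]) * mult)
    return int(text)


def find_sideload_dirs(dropped: list[dict], sample_size: int) -> dict[str, dict]:
    """Return {directory: {"host": exe name, "dlls": [...], "sha256": [...],
    "same_size_as_sample": bool}} for every directory that holds an EXE plus
    a DLL named like a System32 library."""
    by_dir: dict[str, list[dict]] = defaultdict(list)
    for f in dropped:
        by_dir[ntpath.dirname(f["path"]).lower()].append(f)

    hits = {}
    for d, files in by_dir.items():
        exes = [f for f in files if f["path"].lower().endswith(".exe")]
        dlls = [f for f in files if ntpath.basename(f["path"]).lower() in SYSTEM32_DLLS]
        if exes and dlls:
            hits[d] = {
                "host": ntpath.basename(exes[0]["path"]),
                "dlls": [ntpath.basename(f["path"]) for f in dlls],
                "sha256": [f["sha256"] for f in dlls],
                "same_size_as_sample": all(
                    abs(parse_size(f["size"]) - sample_size) <= SIZE_TOLERANCE * sample_size
                    for f in dlls
                ),
            }
    return hits


def startup_lnks(dropped: list[dict]) -> list[str]:
    """Paths of .lnk files written into a Startup folder (run-at-logon persistence)."""
    return [
        f["path"] for f in dropped
        if f["path"].lower().endswith(".lnk") and "\\startup\\" in f["path"].lower()
    ]


# Constructed from the report's Downloads section (paths, sizes, SHA256 as listed).
DROPPED = [
    {"path": r"C:\Users\Admin\AppData\Local\GxkBE1a\RecoveryDrive.exe", "size": "911KB",
     "sha256": "630518cb2e4636f889d12c98fb2e6be4e579c5eeb86f88695d3f7fff3f5515c4"},
    {"path": r"C:\Users\Admin\AppData\Local\GxkBE1a\UxTheme.dll", "size": "2.0MB",
     "sha256": "9c8d0ca9065004ee29451ae723c400bb6de7981d255a1e2b3e25bb9b0da63f11"},
    {"path": r"C:\Users\Admin\AppData\Local\LktVSnhJ\ReAgent.dll", "size": "2.0MB",
     "sha256": "ff6d0d7c75c5a24c55c1b66d8b2a57bb0e9a02bda73bf25cfcf3de878fec2999"},
    {"path": r"C:\Users\Admin\AppData\Local\LktVSnhJ\recdisc.exe", "size": "193KB",
     "sha256": "0787b37cf197595b8149ffe3784f9c59eacde3616011f185513ff5c075a5ac4e"},
    {"path": r"C:\Users\Admin\AppData\Local\xfp\VERSION.dll", "size": "2.0MB",
     "sha256": "65fadb8fc3668ab38b06e9023936e1ef21d1dbffb297405f40f28ac0046bcd55"},
    {"path": r"C:\Users\Admin\AppData\Local\xfp\sigverif.exe", "size": "77KB",
     "sha256": "064de47877b00dc35886e829a697e4adb3d3cfdf294ddba13b6009a0f415b1bd"},
    {"path": r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Btpzaqnqvnv.lnk",
     "size": "1KB",
     "sha256": "2a32c2a6814b97c911cf1a48a4719106178bc128edda4f5442035d3e04ed7252"},
]
SAMPLE_SIZE = parse_size("2.0MB")  # size of the submitted DLL per the General section

if __name__ == "__main__":
    for d, info in find_sideload_dirs(DROPPED, SAMPLE_SIZE).items():
        print(f"{d}: {info['host']} side-loads {', '.join(info['dlls'])}"
              f" (same size as sample: {info['same_size_as_sample']})")
    print("startup persistence:", startup_lnks(DROPPED))
```

Grouping by directory rather than matching file names one at a time is what separates the finding from noise: a lone copy of VERSION.dll in a user profile is odd, but a System32 executable sitting beside it in the same freshly created folder is the side-loading signature. The remediation list is then the three folders plus the Startup shortcut; the Run key and scheduled task that the Signatures section flags are not in the dropped-file list and must be collected from the registry and the Task Scheduler separately.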

  • memory/1756-110-0x0000028AA7AD0000-0x0000028AA7AD7000-memory.dmp (28KB)
  • memory/2232-92-0x000001F8DD560000-0x000001F8DD567000-memory.dmp (28KB)
  • memory/3512-4-0x00000000021C0000-0x00000000021C1000-memory.dmp (4KB)
  • memory/3512-6-0x0000000140000000-0x0000000140204000-memory.dmp (2.0MB)
  • memory/3512-7-0x0000000140000000-0x0000000140204000-memory.dmp (2.0MB)
  • memory/3512-8-0x00007FF9D3F0A000-0x00007FF9D3F0B000-memory.dmp (4KB)
  • memory/3512-9-0x0000000140000000-0x0000000140204000-memory.dmp (2.0MB)
  • memory/3512-10-0x0000000140000000-0x0000000140204000-memory.dmp (2.0MB)
  • memory/3512-11-0x0000000140000000-0x0000000140204000-memory.dmp (2.0MB)
  • memory/3512-13-0x0000000140000000-0x0000000140204000-memory.dmp (2.0MB)
  • memory/3512-14-0x0000000140000000-0x0000000140204000-memory.dmp (2.0MB)
  • memory/3512-15-0x0000000140000000-0x0000000140204000-memory.dmp (2.0MB)
  • memory/3512-16-0x0000000140000000-0x0000000140204000-memory.dmp (2.0MB)
  • memory/3512-17-0x0000000140000000-0x0000000140204000-memory.dmp (2.0MB)
  • memory/3512-18-0x0000000140000000-0x0000000140204000-memory.dmp (2.0MB)
  • memory/3512-19-0x0000000140000000-0x0000000140204000-memory.dmp (2.0MB)
  • memory/3512-20-0x0000000140000000-0x0000000140204000-memory.dmp (2.0MB)
  • memory/3512-21-0x0000000140000000-0x0000000140204000-memory.dmp (2.0MB)
  • memory/3512-22-0x0000000140000000-0x0000000140204000-memory.dmp (2.0MB)
  • memory/3512-23-0x0000000140000000-0x0000000140204000-memory.dmp (2.0MB)
  • memory/3512-24-0x0000000140000000-0x0000000140204000-memory.dmp (2.0MB)
  • memory/3512-25-0x0000000140000000-0x0000000140204000-memory.dmp (2.0MB)
  • memory/3512-26-0x0000000140000000-0x0000000140204000-memory.dmp (2.0MB)
  • memory/3512-27-0x0000000140000000-0x0000000140204000-memory.dmp (2.0MB)
  • memory/3512-28-0x0000000140000000-0x0000000140204000-memory.dmp (2.0MB)
  • memory/3512-29-0x0000000140000000-0x0000000140204000-memory.dmp (2.0MB)
  • memory/3512-30-0x0000000140000000-0x0000000140204000-memory.dmp (2.0MB)
  • memory/3512-31-0x0000000140000000-0x0000000140204000-memory.dmp (2.0MB)
  • memory/3512-32-0x0000000140000000-0x0000000140204000-memory.dmp (2.0MB)
  • memory/3512-33-0x0000000140000000-0x0000000140204000-memory.dmp (2.0MB)
  • memory/3512-34-0x0000000140000000-0x0000000140204000-memory.dmp (2.0MB)
  • memory/3512-35-0x0000000140000000-0x0000000140204000-memory.dmp (2.0MB)
  • memory/3512-36-0x0000000140000000-0x0000000140204000-memory.dmp (2.0MB)
  • memory/3512-37-0x0000000140000000-0x0000000140204000-memory.dmp (2.0MB)
  • memory/3512-38-0x0000000140000000-0x0000000140204000-memory.dmp (2.0MB)
  • memory/3512-39-0x0000000140000000-0x0000000140204000-memory.dmp (2.0MB)
  • memory/3512-40-0x0000000140000000-0x0000000140204000-memory.dmp (2.0MB)
  • memory/3512-41-0x0000000140000000-0x0000000140204000-memory.dmp (2.0MB)
  • memory/3512-42-0x0000000140000000-0x0000000140204000-memory.dmp (2.0MB)
  • memory/3512-43-0x0000000140000000-0x0000000140204000-memory.dmp (2.0MB)
  • memory/3512-44-0x0000000140000000-0x0000000140204000-memory.dmp (2.0MB)
  • memory/3512-45-0x0000000140000000-0x0000000140204000-memory.dmp (2.0MB)
  • memory/3512-46-0x0000000140000000-0x0000000140204000-memory.dmp (2.0MB)
  • memory/3512-47-0x00000000006F0000-0x00000000006F7000-memory.dmp (28KB)
  • memory/3512-54-0x0000000140000000-0x0000000140204000-memory.dmp (2.0MB)
  • memory/3512-57-0x00007FF9D5180000-0x00007FF9D5190000-memory.dmp (64KB)
  • memory/3512-64-0x0000000140000000-0x0000000140204000-memory.dmp (2.0MB)
  • memory/3512-66-0x0000000140000000-0x0000000140204000-memory.dmp (2.0MB)
  • memory/3916-75-0x0000000140000000-0x0000000140205000-memory.dmp (2.0MB)
  • memory/3916-76-0x00000167698D0000-0x00000167698D7000-memory.dmp (28KB)
  • memory/3916-81-0x0000000140000000-0x0000000140205000-memory.dmp (2.0MB)
  • memory/4528-0-0x0000025B2A520000-0x0000025B2A527000-memory.dmp (28KB)
  • memory/4528-1-0x0000000140000000-0x0000000140204000-memory.dmp (2.0MB)
  • memory/4528-12-0x0000000140000000-0x0000000140204000-memory.dmp (2.0MB)
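The dump list is long because the sandbox re-dumped the same region of PID 3512 dozens of times; what matters is which processes hold a region at 0x140000000 that is roughly the size of the submitted DLL (0x204000 and 0x205000 bytes, printed as 2.0MB). PID 3512 never appears in the process tree, only in the dump list; given the "Dridex Shellcode" signature (payload injected into the Explorer process) it is presumably the sandbox's explorer.exe, but the report does not say so. The following Python is an added example, not part of the sandbox report: it parses the report's dump-name format, collapses repeated dumps of one region, and returns the PIDs holding a sample-sized image at that base. The explorer.exe mapping, IMAGE_BASE and SIZE_SLACK are this example's assumptions.

```python
"""Added example (not part of the sandbox report): parse the report's memory
dump names and summarise per process which dumped regions are the size of
the submitted DLL.

Name format as it appears in the report:
    memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp
Assumptions for this example: IMAGE_BASE is the base the 2.0MB regions share
in the report, and SIZE_SLACK absorbs the report's rounded sizes.
"""
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<n>\d+)"
    r"-0x(?P<start>[0-9a-fA-F]+)-0x(?P<end>[0-9a-fA-F]+)-memory\.dmp$"
)

SAMPLE_SIZE = 2 * 1024 * 1024      # "2.0MB" from the General section
IMAGE_BASE = 0x140000000           # base shared by the 2.0MB regions (assumption)
SIZE_SLACK = 64 * 1024             # tolerance for the report's rounded sizes (assumption)


def parse_dump(name: str) -> dict:
    """Split one dump name into pid, dump index and region bounds (bytes)."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted region in {name}")
    return {"pid": int(m["pid"]), "n": int(m["n"]),
            "start": start, "end": end, "size": end - start}


def regions_by_pid(names: list[str]) -> dict[int, dict[tuple[int, int], list[int]]]:
    """pid -> {(start, end): [dump indices]}; repeated dumps of one region collapse."""
    out: dict[int, dict[tuple[int, int], list[int]]] = defaultdict(lambda: defaultdict(list))
    for name in names:
        d = parse_dump(name)
        out[d["pid"]][(d["start"], d["end"])].append(d["n"])
    return out


def pids_with_sample_image(names: list[str]) -> list[int]:
    """Sorted pids holding a region at IMAGE_BASE within SIZE_SLACK of SAMPLE_SIZE."""
    hits = set()
    for pid, regions in regions_by_pid(names).items():
        for (start, end) in regions:
            if start == IMAGE_BASE and abs((end - start) - SAMPLE_SIZE) <= SIZE_SLACK:
                hits.add(pid)
    return sorted(hits)


# Constructed subset of the report's dump list (names copied verbatim).
SAMPLE_DUMPS = [
    "memory/4528-0-0x0000025B2A520000-0x0000025B2A527000-memory.dmp",
    "memory/4528-1-0x0000000140000000-0x0000000140204000-memory.dmp",
    "memory/4528-12-0x0000000140000000-0x0000000140204000-memory.dmp",
    "memory/3512-4-0x00000000021C0000-0x00000000021C1000-memory.dmp",
    "memory/3512-6-0x0000000140000000-0x0000000140204000-memory.dmp",
    "memory/3512-8-0x00007FF9D3F0A000-0x00007FF9D3F0B000-memory.dmp",
    "memory/3512-36-0x0000000140000000-0x0000000140204000-memory.dmp",
    "memory/3512-47-0x00000000006F0000-0x00000000006F7000-memory.dmp",
    "memory/3512-57-0x00007FF9D5180000-0x00007FF9D5190000-memory.dmp",
    "memory/3916-75-0x0000000140000000-0x0000000140205000-memory.dmp",
    "memory/3916-76-0x00000167698D0000-0x00000167698D7000-memory.dmp",
    "memory/2232-92-0x000001F8DD560000-0x000001F8DD567000-memory.dmp",
    "memory/1756-110-0x0000028AA7AD0000-0x0000028AA7AD7000-memory.dmp",
]

if __name__ == "__main__":
    for pid, regions in sorted(regions_by_pid(SAMPLE_DUMPS).items()):
        for (start, end), idx in sorted(regions.items()):
            print(f"pid {pid}: 0x{start:X}-0x{end:X} {(end - start) // 1024}KB dumps={idx}")
    print("pids holding a sample-sized image:", pids_with_sample_image(SAMPLE_DUMPS))
```

On the constructed subset the sample-sized image is present in 3512, 3916 and 4528 (rundll32 and the first side-loaded copy, plus the process that received the injected payload), while 2232 and 1756 only have 28KB regions in the subset. The 0x204000 versus 0x205000 difference between 4528 and 3916 is also why a fixed-size match is the wrong check: the side-loaded ReAgent.dll is a separate build of the payload, so compare within a tolerance.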