VERSION.dll

General

Target: VERSION.dll
Filesize: 972KB
Completed: 14-07-2020 11:21
Score: 10/10
MD5: 07b6339df2acddd30de436999071fc4b
SHA1: 2550d842be80b811afa930384c0db06908bc1011
SHA256: 4ed7566f8b70e42f52615a3c06512b10c6b3feef33627a82cdef1f054aa4cc75

Signatures 12

  • Dridex

    Description

    Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Loader

    Description

    Detects Dridex both x86 and x64 loader in memory.

    Reported IOCs

    resource                                                                    yara_rule
    behavioral1/memory/1236-2-0x0000000140000000-0x00000001400F3000-memory.dmp  dridex_ldr
  • Dridex Loader 'dmod' strings

    Description

    Detects 'dmod' strings in Dridex loader.

    Reported IOCs

    resource                                                                    yara_rule
    behavioral1/memory/1236-2-0x0000000140000000-0x00000001400F3000-memory.dmp  dridex_ldr_dmod
  • Executes dropped EXE
    Utilman.exe, PresentationSettings.exe, msinfo32.exe

    Reported IOCs

    pid   process
    1544  Utilman.exe
    1880  PresentationSettings.exe
    692   msinfo32.exe
  • Loads dropped DLL
    Utilman.exe, PresentationSettings.exe, msinfo32.exe

    Reported IOCs

    pid   process
    1236
    1544  Utilman.exe
    1236
    1880  PresentationSettings.exe
    1236
    692   msinfo32.exe
    1236
  • Adds Run key to start application

    TTPs

    Registry Run Keys / Startup Folder; Modify Registry

    Reported IOCs

    description      ioc                                                                                                                                                                                                          process
    Set value (str)  \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run\Qdicbnnwois = "C:\\Users\\Admin\\AppData\\Roaming\\Identities\\6Y8X\\PresentationSettings.exe"
  • Checks whether UAC is enabled
    msinfo32.exe, rundll32.exe, Utilman.exe, PresentationSettings.exe

    TTPs

    System Information Discovery

    Reported IOCs

    description        ioc                                                                                  process
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  msinfo32.exe
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  Utilman.exe
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  PresentationSettings.exe
  • Suspicious behavior: EnumeratesProcesses
    rundll32.exe

    Reported IOCs

    pid   process
    1520  rundll32.exe  (3 entries)
    1236                (61 entries)
  • Suspicious behavior: GetForegroundWindowSpam

    Reported IOCs

    pid   process
    1236
  • Suspicious use of FindShellTrayWindow

    Reported IOCs

    pid   process
    1236  (7 entries)
  • Suspicious use of SendNotifyMessage

    Reported IOCs

    pid   process
    1236  (33 entries)
  • Suspicious use of WriteProcessMemory

    Reported IOCs

    description                       pid   process  target process
    PID 1236 wrote to memory of 1036  1236           Utilman.exe               (3 entries)
    PID 1236 wrote to memory of 1544  1236           Utilman.exe               (3 entries)
    PID 1236 wrote to memory of 1864  1236           PresentationSettings.exe  (3 entries)
    PID 1236 wrote to memory of 1880  1236           PresentationSettings.exe  (3 entries)
    PID 1236 wrote to memory of 556   1236           msinfo32.exe              (3 entries)
    PID 1236 wrote to memory of 692   1236           msinfo32.exe              (3 entries)
Processes 7
  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\VERSION.dll,#1
    Checks whether UAC is enabled
    Suspicious behavior: EnumeratesProcesses
    PID:1520
  • C:\Windows\system32\Utilman.exe
    C:\Windows\system32\Utilman.exe
    PID:1036
  • C:\Users\Admin\AppData\Local\tnICCSYI\Utilman.exe
    C:\Users\Admin\AppData\Local\tnICCSYI\Utilman.exe
    Executes dropped EXE
    Loads dropped DLL
    Checks whether UAC is enabled
    PID:1544
  • C:\Windows\system32\PresentationSettings.exe
    C:\Windows\system32\PresentationSettings.exe
    PID:1864
  • C:\Users\Admin\AppData\Local\AtQK\PresentationSettings.exe
    C:\Users\Admin\AppData\Local\AtQK\PresentationSettings.exe
    Executes dropped EXE
    Loads dropped DLL
    Checks whether UAC is enabled
    PID:1880
  • C:\Windows\system32\msinfo32.exe
    C:\Windows\system32\msinfo32.exe
    PID:556
  • C:\Users\Admin\AppData\Local\8HgqZ5O\msinfo32.exe
    C:\Users\Admin\AppData\Local\8HgqZ5O\msinfo32.exe
    Executes dropped EXE
    Loads dropped DLL
    Checks whether UAC is enabled
    PID:692
Downloads
  • C:\Users\Admin\AppData\Local\8HgqZ5O\MFC42u.dll
  • C:\Users\Admin\AppData\Local\8HgqZ5O\msinfo32.exe
  • C:\Users\Admin\AppData\Local\AtQK\PresentationSettings.exe
  • C:\Users\Admin\AppData\Local\AtQK\WINMM.dll
  • C:\Users\Admin\AppData\Local\tnICCSYI\DUI70.dll
  • C:\Users\Admin\AppData\Local\tnICCSYI\Utilman.exe
  • \Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\P81qeUh\msinfo32.exe
  • memory/692-14-0x0000000000000000-mapping.dmp
  • memory/1236-0-0x0000000003B10000-0x0000000003B11000-memory.dmp
  • memory/1236-2-0x0000000140000000-0x00000001400F3000-memory.dmp
  • memory/1236-1-0x0000000140000000-0x00000001400F3000-memory.dmp
  • memory/1544-4-0x0000000000000000-mapping.dmp
  • memory/1880-9-0x0000000000000000-mapping.dmp