Analysis

  • max time kernel
    150s
  • max time network
    6s
  • platform
    windows7_x64
  • resource
    win7v200430
  • submitted
    14-07-2020 11:19

General

  • Target

    VERSION.dll

  • Size

    972KB

  • MD5

    07b6339df2acddd30de436999071fc4b

  • SHA1

    2550d842be80b811afa930384c0db06908bc1011

  • SHA256

    4ed7566f8b70e42f52615a3c06512b10c6b3feef33627a82cdef1f054aa4cc75

  • SHA512

    ef2b54af64064f6fdd4224b3b283e9e6b76d8d92a01d6e9044d016bbf2b2b295f4ed66a48d389a08ed4fc3d72a843f7ed32f43f91280658f897b2ad078324586

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a family of malware that specializes in stealing banking credentials.

  • Dridex Loader 1 IoCs

    Detects the Dridex loader, both x86 and x64, in memory.

  • Dridex Loader 'dmod' strings 1 IoCs

    Detects 'dmod' strings in Dridex loader.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 599 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 7 IoCs
  • Suspicious use of SendNotifyMessage 33 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\VERSION.dll,#1
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID: 1520
  • C:\Windows\system32\Utilman.exe
    C:\Windows\system32\Utilman.exe
    PID: 1036
    • C:\Users\Admin\AppData\Local\tnICCSYI\Utilman.exe
      C:\Users\Admin\AppData\Local\tnICCSYI\Utilman.exe
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID: 1544
    • C:\Windows\system32\PresentationSettings.exe
      C:\Windows\system32\PresentationSettings.exe
      PID: 1864
      • C:\Users\Admin\AppData\Local\AtQK\PresentationSettings.exe
        C:\Users\Admin\AppData\Local\AtQK\PresentationSettings.exe
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID: 1880
      • C:\Windows\system32\msinfo32.exe
        C:\Windows\system32\msinfo32.exe
        PID: 556
        • C:\Users\Admin\AppData\Local\8HgqZ5O\msinfo32.exe
          C:\Users\Admin\AppData\Local\8HgqZ5O\msinfo32.exe
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID: 692

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence
    1 technique: Registry Run Keys / Startup Folder (T1060)
  • Defense Evasion
    1 technique: Modify Registry (T1112)
  • Discovery
    1 technique: System Information Discovery (T1082)

Downloads


  • memory/692-14-0x0000000000000000-mapping.dmp
  • memory/1236-0-0x0000000003B10000-0x0000000003B11000-memory.dmp
    Filesize 4KB
  • memory/1236-2-0x0000000140000000-0x00000001400F3000-memory.dmp
    Filesize 972KB
  • memory/1236-1-0x0000000140000000-0x00000001400F3000-memory.dmp
    Filesize 972KB
  • memory/1544-4-0x0000000000000000-mapping.dmp
  • memory/1880-9-0x0000000000000000-mapping.dmp