VERSION.dll

General

Target: VERSION.dll
Filesize: 972KB
Completed: 14-07-2020 11:21
Score: 10/10

MD5: 07b6339df2acddd30de436999071fc4b
SHA1: 2550d842be80b811afa930384c0db06908bc1011
SHA256: 4ed7566f8b70e42f52615a3c06512b10c6b3feef33627a82cdef1f054aa4cc75

Signatures (13)


Tactics: Defense Evasion, Discovery, Persistence
  • Dridex

    Description

    Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Loader

    Description

    Detects the Dridex loader (both x86 and x64 builds) in memory.

    Reported IOCs

    resource | yara_rule
    behavioral2/memory/2988-2-0x0000000140000000-0x00000001400F3000-memory.dmp | dridex_ldr

  • Dridex Loader 'dmod' strings

    Description

    Detects 'dmod' strings in the Dridex loader.

    Reported IOCs

    resource | yara_rule
    behavioral2/memory/2988-2-0x0000000140000000-0x00000001400F3000-memory.dmp | dridex_ldr_dmod
  • Executes dropped EXE (sigverif.exe, dpapimig.exe, wscript.exe)

    Reported IOCs

    pid | process
    3188 | sigverif.exe
    1708 | dpapimig.exe
    2980 | wscript.exe

  • Loads dropped DLL (sigverif.exe, dpapimig.exe, wscript.exe)

    Reported IOCs

    pid | process
    3188 | sigverif.exe
    1708 | dpapimig.exe
    2980 | wscript.exe
  • Adds Run key to start application

    TTPs

    Registry Run Keys / Startup Folder; Modify Registry

    Reported IOCs

    description | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\Jqhowtig = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\aZYfS9\\dpapimig.exe" | -
  • Checks whether UAC is enabled (rundll32.exe, sigverif.exe, dpapimig.exe, wscript.exe)

    TTPs

    System Information Discovery

    Reported IOCs

    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sigverif.exe
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | dpapimig.exe
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | wscript.exe
  • Modifies registry class

    Reported IOCs

    description | ioc | process
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance | -
    Key created | \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance | -
  • Suspicious behavior: EnumeratesProcesses (rundll32.exe)

    Reported IOCs

    pid | process
    3612 | rundll32.exe (4 identical entries)
    2988 | - (60 identical entries; no process name in the report)
  • Suspicious use of AdjustPrivilegeToken

    Reported IOCs

    description | pid | process
    Token: SeShutdownPrivilege | 2988 | - (9 identical entries)
    Token: SeCreatePagefilePrivilege | 2988 | - (9 identical entries)
  • Suspicious use of FindShellTrayWindow

    Reported IOCs

    pid | process
    2988 | -

  • Suspicious use of SendNotifyMessage

    Reported IOCs

    pid | process
    2988 | -
  • Suspicious use of WriteProcessMemory

    Reported IOCs

    description | pid | process | target process
    PID 2988 wrote to memory of 3352 | 2988 | - | sigverif.exe (2 identical entries)
    PID 2988 wrote to memory of 3188 | 2988 | - | sigverif.exe (2 identical entries)
    PID 2988 wrote to memory of 344 | 2988 | - | dpapimig.exe (2 identical entries)
    PID 2988 wrote to memory of 1708 | 2988 | - | dpapimig.exe (2 identical entries)
    PID 2988 wrote to memory of 1004 | 2988 | - | wscript.exe (2 identical entries)
    PID 2988 wrote to memory of 2980 | 2988 | - | wscript.exe (2 identical entries)
Processes (7)
  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\VERSION.dll,#1
    Checks whether UAC is enabled
    Suspicious behavior: EnumeratesProcesses
    PID:3612
  • C:\Windows\system32\sigverif.exe
    C:\Windows\system32\sigverif.exe
    PID:3352
  • C:\Users\Admin\AppData\Local\mIrV\sigverif.exe
    C:\Users\Admin\AppData\Local\mIrV\sigverif.exe
    Executes dropped EXE
    Loads dropped DLL
    Checks whether UAC is enabled
    PID:3188
  • C:\Windows\system32\dpapimig.exe
    C:\Windows\system32\dpapimig.exe
    PID:344
  • C:\Users\Admin\AppData\Local\3vnbBUA\dpapimig.exe
    C:\Users\Admin\AppData\Local\3vnbBUA\dpapimig.exe
    Executes dropped EXE
    Loads dropped DLL
    Checks whether UAC is enabled
    PID:1708
  • C:\Windows\system32\wscript.exe
    C:\Windows\system32\wscript.exe
    PID:1004
  • C:\Users\Admin\AppData\Local\K4r\wscript.exe
    C:\Users\Admin\AppData\Local\K4r\wscript.exe
    Executes dropped EXE
    Loads dropped DLL
    Checks whether UAC is enabled
    PID:2980
Downloads
                    • C:\Users\Admin\AppData\Local\3vnbBUA\DUI70.dll

                      MD5

                      8dcd51d39e1e8eb13c43a55adb7932d0

                      SHA1

                      b7d3b5044b0fcd365869636a246b7389824224f4

                      SHA256

                      37c852ee26bc053589210bbb6c2d380542f3a8416e50146eb62f465075392816

                      SHA512

                      24fbeb8b03c6f3a4e03b053494bdd447a10dbe416bd8c9b92ceb5ba12bdc1baac7005ee536bd1b2125e5ce3db0345e95848541df15855f3cb00a2676f44d11e6

                    • C:\Users\Admin\AppData\Local\3vnbBUA\dpapimig.exe

                      MD5

                      a210dd05d1e941a1ec04b134f39ef036

                      SHA1

                      86b5493ecf8f456ae56ede4b013b934b892572e0

                      SHA256

                      3912f380049e362ca875ccb4fe064621197f0df999b35c593de382cf0c852988

                      SHA512

                      9648ed1088af13717479f4739ecdfd604b463582fe3a9db43761b446c61e93856309fd1f8c993962d426af566497b9c8f7eaa3a5af069a7a0f8fde8424111bf8

                    • C:\Users\Admin\AppData\Local\K4r\VERSION.dll

                      MD5

                      361bc948f0eb18dee414e15d42992fe7

                      SHA1

                      1062e9d15b5987c35bcd4f326718e06196c0e0af

                      SHA256

                      2852c721b87dbe336768c0104b33370655494e8cdf8b26361eaecb4957f021f5

                      SHA512

                      da127c419012c3c33b5d5caac80088eb0e9623e0af193f44e831052234dfac5f7e318e53881ff1e4d2da0654d85c008c674851e5da5165331b504830692527b1

                    • C:\Users\Admin\AppData\Local\K4r\wscript.exe

                      MD5

                      dd97f7527d1536afbff5bced8508661f

                      SHA1

                      c7e44c13ec4ca775630932c54afe1d5c9a0fe631

                      SHA256

                      c08432dc60c9ef7b12a41b0c73e6d716c220b4e9a4eda45c9072d1c81d910c55

                      SHA512

                      f06127f72fb5daae836644beb61e9d800db4a1915be9bebf8a6de7b3221135fe759d51b0ffddc5783acb50ca71d08996174fb4983c207727265ee63dd4487f37

                    • C:\Users\Admin\AppData\Local\mIrV\VERSION.dll

                      MD5

                      ed193499d18da02ba6f85f8ec91ecc16

                      SHA1

                      60f82bd68b104c0ac6b1fcfbed4b9e5d9ff46b76

                      SHA256

                      0bbe5ee1fbdccfefe422bed09085694f734346f9492039b8ffbbff4e11f1ffaa

                      SHA512

                      815f602a851a098ad500abc0dc6842e0e8941a8dbd0a8ef007a0fcb30529ecc7631d59e582b9c513930b8d9683d1767f2634ea926d027b8608eb8226453b91dc

                    • C:\Users\Admin\AppData\Local\mIrV\sigverif.exe

                      MD5

                      92f7917624a4349f7b6041d08ae29714

                      SHA1

                      eac68bc72ed4d8634a59a1a37faefa4f8327bd2f

                      SHA256

                      a57403e41c7178403981cd384f6096f12092dee68d3dfbd92f94661f613dfcab

                      SHA512

                      20eb8366a8285a7d19a8d860038364a625b9b7de5e9d87ed59d2580ab4d5658b6d09d9220f6b0a6291151145373f3e0ff8ac46609c6b4a4aafecc8f2670ac56d

  • memory/1708-7-0x0000000000000000-mapping.dmp

  • memory/2980-11-0x0000000000000000-mapping.dmp

  • memory/2988-2-0x0000000140000000-0x00000001400F3000-memory.dmp

  • memory/2988-1-0x0000000140000000-0x00000001400F3000-memory.dmp

  • memory/2988-0-0x0000000002CD0000-0x0000000002CD1000-memory.dmp

  • memory/3188-3-0x0000000000000000-mapping.dmp