Resubmissions
Analysis
-
max time kernel
150s -
max time network
117s -
platform
windows10_x64 -
resource
win10 -
submitted
14-07-2020 11:19
General
-
Target
VERSION.dll
-
Size
972KB
-
MD5
07b6339df2acddd30de436999071fc4b
-
SHA1
2550d842be80b811afa930384c0db06908bc1011
-
SHA256
4ed7566f8b70e42f52615a3c06512b10c6b3feef33627a82cdef1f054aa4cc75
-
SHA512
ef2b54af64064f6fdd4224b3b283e9e6b76d8d92a01d6e9044d016bbf2b2b295f4ed66a48d389a08ed4fc3d72a843f7ed32f43f91280658f897b2ad078324586
Malware Config
Signatures
-
Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
-
Dridex Loader 1 IoCs
Detects Dridex both x86 and x64 loader in memory.
-
Dridex Loader 'dmod' strings 1 IoCs
Detects 'dmod' strings in Dridex loader.
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 3 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 4 IoCs
-
Modifies registry class 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 624 IoCs
-
Suspicious use of AdjustPrivilegeToken 18 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SendNotifyMessage 1 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\VERSION.dll,#11⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\sigverif.exeC:\Windows\system32\sigverif.exe1⤵
-
C:\Users\Admin\AppData\Local\mIrV\sigverif.exeC:\Users\Admin\AppData\Local\mIrV\sigverif.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
-
C:\Windows\system32\dpapimig.exeC:\Windows\system32\dpapimig.exe1⤵
-
C:\Users\Admin\AppData\Local\3vnbBUA\dpapimig.exeC:\Users\Admin\AppData\Local\3vnbBUA\dpapimig.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
-
C:\Windows\system32\wscript.exeC:\Windows\system32\wscript.exe1⤵
-
C:\Users\Admin\AppData\Local\K4r\wscript.exeC:\Users\Admin\AppData\Local\K4r\wscript.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\3vnbBUA\DUI70.dllMD5
8dcd51d39e1e8eb13c43a55adb7932d0
SHA1b7d3b5044b0fcd365869636a246b7389824224f4
SHA25637c852ee26bc053589210bbb6c2d380542f3a8416e50146eb62f465075392816
SHA51224fbeb8b03c6f3a4e03b053494bdd447a10dbe416bd8c9b92ceb5ba12bdc1baac7005ee536bd1b2125e5ce3db0345e95848541df15855f3cb00a2676f44d11e6
-
C:\Users\Admin\AppData\Local\3vnbBUA\dpapimig.exeMD5
a210dd05d1e941a1ec04b134f39ef036
SHA186b5493ecf8f456ae56ede4b013b934b892572e0
SHA2563912f380049e362ca875ccb4fe064621197f0df999b35c593de382cf0c852988
SHA5129648ed1088af13717479f4739ecdfd604b463582fe3a9db43761b446c61e93856309fd1f8c993962d426af566497b9c8f7eaa3a5af069a7a0f8fde8424111bf8
-
C:\Users\Admin\AppData\Local\K4r\VERSION.dllMD5
361bc948f0eb18dee414e15d42992fe7
SHA11062e9d15b5987c35bcd4f326718e06196c0e0af
SHA2562852c721b87dbe336768c0104b33370655494e8cdf8b26361eaecb4957f021f5
SHA512da127c419012c3c33b5d5caac80088eb0e9623e0af193f44e831052234dfac5f7e318e53881ff1e4d2da0654d85c008c674851e5da5165331b504830692527b1
-
C:\Users\Admin\AppData\Local\K4r\wscript.exeMD5
dd97f7527d1536afbff5bced8508661f
SHA1c7e44c13ec4ca775630932c54afe1d5c9a0fe631
SHA256c08432dc60c9ef7b12a41b0c73e6d716c220b4e9a4eda45c9072d1c81d910c55
SHA512f06127f72fb5daae836644beb61e9d800db4a1915be9bebf8a6de7b3221135fe759d51b0ffddc5783acb50ca71d08996174fb4983c207727265ee63dd4487f37
-
C:\Users\Admin\AppData\Local\mIrV\VERSION.dllMD5
ed193499d18da02ba6f85f8ec91ecc16
SHA160f82bd68b104c0ac6b1fcfbed4b9e5d9ff46b76
SHA2560bbe5ee1fbdccfefe422bed09085694f734346f9492039b8ffbbff4e11f1ffaa
SHA512815f602a851a098ad500abc0dc6842e0e8941a8dbd0a8ef007a0fcb30529ecc7631d59e582b9c513930b8d9683d1767f2634ea926d027b8608eb8226453b91dc
-
C:\Users\Admin\AppData\Local\mIrV\sigverif.exeMD5
92f7917624a4349f7b6041d08ae29714
SHA1eac68bc72ed4d8634a59a1a37faefa4f8327bd2f
SHA256a57403e41c7178403981cd384f6096f12092dee68d3dfbd92f94661f613dfcab
SHA51220eb8366a8285a7d19a8d860038364a625b9b7de5e9d87ed59d2580ab4d5658b6d09d9220f6b0a6291151145373f3e0ff8ac46609c6b4a4aafecc8f2670ac56d
-
\Users\Admin\AppData\Local\3vnbBUA\DUI70.dllMD5
8dcd51d39e1e8eb13c43a55adb7932d0
SHA1b7d3b5044b0fcd365869636a246b7389824224f4
SHA25637c852ee26bc053589210bbb6c2d380542f3a8416e50146eb62f465075392816
SHA51224fbeb8b03c6f3a4e03b053494bdd447a10dbe416bd8c9b92ceb5ba12bdc1baac7005ee536bd1b2125e5ce3db0345e95848541df15855f3cb00a2676f44d11e6
-
\Users\Admin\AppData\Local\K4r\VERSION.dllMD5
361bc948f0eb18dee414e15d42992fe7
SHA11062e9d15b5987c35bcd4f326718e06196c0e0af
SHA2562852c721b87dbe336768c0104b33370655494e8cdf8b26361eaecb4957f021f5
SHA512da127c419012c3c33b5d5caac80088eb0e9623e0af193f44e831052234dfac5f7e318e53881ff1e4d2da0654d85c008c674851e5da5165331b504830692527b1
-
\Users\Admin\AppData\Local\mIrV\VERSION.dllMD5
ed193499d18da02ba6f85f8ec91ecc16
SHA160f82bd68b104c0ac6b1fcfbed4b9e5d9ff46b76
SHA2560bbe5ee1fbdccfefe422bed09085694f734346f9492039b8ffbbff4e11f1ffaa
SHA512815f602a851a098ad500abc0dc6842e0e8941a8dbd0a8ef007a0fcb30529ecc7631d59e582b9c513930b8d9683d1767f2634ea926d027b8608eb8226453b91dc
-
memory/1708-7-0x0000000000000000-mapping.dmp
-
memory/2980-11-0x0000000000000000-mapping.dmp
-
memory/2988-0-0x0000000002CD0000-0x0000000002CD1000-memory.dmpFilesize
4KB
-
memory/2988-2-0x0000000140000000-0x00000001400F3000-memory.dmpFilesize
972KB
-
memory/2988-1-0x0000000140000000-0x00000001400F3000-memory.dmpFilesize
972KB
-
memory/3188-3-0x0000000000000000-mapping.dmp