Resubmissions

28-05-2021 05:59

210528-mj2qwc9z3x 10

19-05-2021 14:41

210519-khtrssqv6a 10

10-05-2021 18:06

210510-ncy7w9kqte 10

Analysis

  • max time kernel
    150s
  • max time network
    127s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    10-05-2021 18:06

General

  • Target

    93394d6e_by_Libranalysis.dll

  • Size

    588KB

  • MD5

    93394d6e0ea894922267955095fabbc9

  • SHA1

    38ac582b64fb09f212aceddf5e3cc13946c69985

  • SHA256

    7f0f199833687549249b22ec50bbcb234d2ad2b8da993a6cbc86db8a53236530

  • SHA512

    aceecbcccd6fe48586d695b0ef04d7d0b998069dbb6545dc9ca96045f896281663027cf048ce2d0f27d0e2990f03c1f592322bfa9bc9776f153d07c6993cc8e7

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Payload 2 IoCs

    Detects Dridex x64 core DLL in memory.

  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 8 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\93394d6e_by_Libranalysis.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:3992
  • C:\Windows\system32\sppsvc.exe
    C:\Windows\system32\sppsvc.exe
    1⤵
      PID:1516
    • C:\Users\Admin\AppData\Local\aGi7FNo3\sppsvc.exe
      C:\Users\Admin\AppData\Local\aGi7FNo3\sppsvc.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:3776
    • C:\Windows\system32\SppExtComObj.Exe
      C:\Windows\system32\SppExtComObj.Exe
      1⤵
        PID:3464
      • C:\Users\Admin\AppData\Local\ehxOzmz\SppExtComObj.Exe
        C:\Users\Admin\AppData\Local\ehxOzmz\SppExtComObj.Exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:3296
      • C:\Windows\system32\CloudNotifications.exe
        C:\Windows\system32\CloudNotifications.exe
        1⤵
          PID:1360
        • C:\Users\Admin\AppData\Local\Qr1qP\CloudNotifications.exe
          C:\Users\Admin\AppData\Local\Qr1qP\CloudNotifications.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1160

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Qr1qP\CloudNotifications.exe

          MD5

          34dd5ef46e0ed1e9e0f0d6407fe1f47d

          SHA1

          3732cf4c4f5d09d583d69df1a27537bb52bf90ff

          SHA256

          b075ef2148d8be0c6116fb8352719ced67bb9a647d358258ae7849ac06b07fae

          SHA512

          ac98fcb9f39209352f01a2257c3bc8995ea2de9ff3aeed317d3710027a5aa7e690776bd3e0170b85ab28331aef578033259e23fb20d008eb974df786f7f179e2

        • C:\Users\Admin\AppData\Local\Qr1qP\UxTheme.dll

          MD5

          0290da202d0b7ddb472d7288e9eab026

          SHA1

          15f81de524d4cf2b698718696c3d787f37f4bbef

          SHA256

          34fd59ee0c5e75c2778273111de6bf486a0a126b31e61fb0f7430682d777630b

          SHA512

          34b2b734273095b992a0b837bec73dc4858edffd21bc94e709cb05b88fef4d4401b63021d7e94161e5cf1bca666512edd09f9672c2ee817825a1fc42d882c9e2

        • C:\Users\Admin\AppData\Local\aGi7FNo3\XmlLite.dll

          MD5

          1db8b8a8bdf4865eb03ebc4f9afc5efb

          SHA1

          2cb05e1b15950757f99af9dad2e67832f905962f

          SHA256

          8110a8962aa78c2a4d271c5e0b3a6bf84d0e706ce347e7ded77f740b39c38dfd

          SHA512

          8f7fdcc95158adea45e06aa8ca7de232cf1224663dbf77146585e58ae32b06bb27830a83fb31de0dafe714a79021648528a8430816c9ed0ac54b38c33254a285

        • C:\Users\Admin\AppData\Local\aGi7FNo3\sppsvc.exe

          MD5

          e910861720de6edfb5cc6158ce3c7e17

          SHA1

          9b5b7c08da7cf36ca302c6e57cbc8bcfa5a69a9d

          SHA256

          526ba8eeb9ee5312fec39753d728e05f49ad81132346a354c95d4d4938001e2b

          SHA512

          e2a34b7e37781072494685ddab68bdb711910ae29f2ee9e05ec514442956047fb5b58ee8606110db48029f40990857184256c53f48910e8e050269f2a7aa0435

        • C:\Users\Admin\AppData\Local\ehxOzmz\ACTIVEDS.dll

          MD5

          e60090210de2279cfb231bbb0f8812ba

          SHA1

          c82abc966aa3e80db6401f4dc6b27d1daf66c41b

          SHA256

          b33f102f5e51a2ae6ae6cd51f49521fcc44b7c86bfe2c36d0352cf04bf3cf3b3

          SHA512

          668cef6ed0b77028dd68678b27c85acb723909b32c44d93dd8eb54111570c51592fc2c68ba9007a2962f232a339c11520fd22c77cf866d9a0973563f5e64e7f7

        • C:\Users\Admin\AppData\Local\ehxOzmz\SppExtComObj.Exe

          MD5

          923824efa9f60f1ef53a467253941553

          SHA1

          6405859f261189d3dc15e6fa8040fc2cb23c6499

          SHA256

          28b704870730b01d31e24a51502fd4bfcf23f15d2f482ea4aadc12da0f5f8065

          SHA512

          8bc7eba28740aa2b569ce8cf57e4a5fc7230efe8251dc7d00b50a1ea7c560266d1970e48a7b1900c75eac3267ff9542fe420abd5a1e2b27380d6c4ab748eb3c3

        • \Users\Admin\AppData\Local\Qr1qP\UxTheme.dll

          MD5

          0290da202d0b7ddb472d7288e9eab026

          SHA1

          15f81de524d4cf2b698718696c3d787f37f4bbef

          SHA256

          34fd59ee0c5e75c2778273111de6bf486a0a126b31e61fb0f7430682d777630b

          SHA512

          34b2b734273095b992a0b837bec73dc4858edffd21bc94e709cb05b88fef4d4401b63021d7e94161e5cf1bca666512edd09f9672c2ee817825a1fc42d882c9e2

        • \Users\Admin\AppData\Local\aGi7FNo3\XmlLite.dll

          MD5

          1db8b8a8bdf4865eb03ebc4f9afc5efb

          SHA1

          2cb05e1b15950757f99af9dad2e67832f905962f

          SHA256

          8110a8962aa78c2a4d271c5e0b3a6bf84d0e706ce347e7ded77f740b39c38dfd

          SHA512

          8f7fdcc95158adea45e06aa8ca7de232cf1224663dbf77146585e58ae32b06bb27830a83fb31de0dafe714a79021648528a8430816c9ed0ac54b38c33254a285

        • \Users\Admin\AppData\Local\ehxOzmz\ACTIVEDS.dll

          MD5

          e60090210de2279cfb231bbb0f8812ba

          SHA1

          c82abc966aa3e80db6401f4dc6b27d1daf66c41b

          SHA256

          b33f102f5e51a2ae6ae6cd51f49521fcc44b7c86bfe2c36d0352cf04bf3cf3b3

          SHA512

          668cef6ed0b77028dd68678b27c85acb723909b32c44d93dd8eb54111570c51592fc2c68ba9007a2962f232a339c11520fd22c77cf866d9a0973563f5e64e7f7

        • memory/1160-155-0x0000000000000000-mapping.dmp

        • memory/3036-120-0x0000000000660000-0x0000000000661000-memory.dmp

          Filesize

          4KB

        • memory/3036-122-0x0000000140000000-0x000000014009D000-memory.dmp

          Filesize

          628KB

        • memory/3036-123-0x0000000140000000-0x000000014009D000-memory.dmp

          Filesize

          628KB

        • memory/3036-133-0x00007FFE0A3D4320-0x00007FFE0A3D5320-memory.dmp

          Filesize

          4KB

        • memory/3036-121-0x0000000140000000-0x000000014009D000-memory.dmp

          Filesize

          628KB

        • memory/3036-124-0x0000000140000000-0x000000014009D000-memory.dmp

          Filesize

          628KB

        • memory/3296-145-0x0000000000000000-mapping.dmp

        • memory/3776-139-0x0000000140000000-0x000000014009E000-memory.dmp

          Filesize

          632KB

        • memory/3776-135-0x0000000000000000-mapping.dmp

        • memory/3992-114-0x0000000140000000-0x000000014009D000-memory.dmp

          Filesize

          628KB

        • memory/3992-119-0x000001B5A9910000-0x000001B5A9917000-memory.dmp

          Filesize

          28KB