2c1cbd4e7a27c47468c2e806e5559c3680f1cd6497c33a65c0a565fe8bab1add

General

Target: 2c1cbd4e7a27c47468c2e806e5559c3680f1cd6497c33a65c0a565fe8bab1add.dll
Filesize: 2MB
Completed: 28-09-2021 08:50
Score: 10/10
MD5: 24628d042b24ccca20dfc18374ee15c1
SHA1: 0deb91aa0e4c63080d71db61bfed0c7a5fb967ca
SHA256: 2c1cbd4e7a27c47468c2e806e5559c3680f1cd6497c33a65c0a565fe8bab1add

Malware Config
Signatures 11

  • Dridex

    Description

    Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode

    Description

    Detects Dridex payload shellcode injected into the Explorer process.

    Reported IOCs

    resource                                                                      yara_rule
    behavioral1/memory/1384-57-0x00000000025B0000-0x00000000025B1000-memory.dmp  dridex_stager_shellcode
  • Executes dropped EXE
    fvenotify.exe, wisptis.exe, BitLockerWizard.exe

    Reported IOCs

    pid   process
    1604  fvenotify.exe
    540   wisptis.exe
    1956  BitLockerWizard.exe
  • Loads dropped DLL
    fvenotify.exe, wisptis.exe, BitLockerWizard.exe

    Reported IOCs

    pid   process
    1384
    1604  fvenotify.exe
    1384
    540   wisptis.exe
    1384
    1956  BitLockerWizard.exe
    1384
  • Adds Run key to start application

    TTPs

    Registry Run Keys / Startup Folder, Modify Registry

    Reported IOCs

    description: Set value (str)
    ioc: \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\Wbbdywj = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\UserData\\Low\\AXNNSI~1\\wisptis.exe"
  • Checks whether UAC is enabled
    rundll32.exe, fvenotify.exe, wisptis.exe, BitLockerWizard.exe

    TTPs

    System Information Discovery

    Reported IOCs

    description        ioc                                                                                      process
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  fvenotify.exe
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  wisptis.exe
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  BitLockerWizard.exe
  • Suspicious behavior: EnumeratesProcesses
    rundll32.exe

    Reported IOCs

    pid   process
    2012  rundll32.exe
    2012  rundll32.exe
    2012  rundll32.exe
    1384
    1384
    1384
    1384
    1384
    1384
    1384
    1384
    1384
    1384
    1384
    1384
    1384
    1384
    1384
    1384
    1384
    1384
    1384
    1384
    1384
    1384
    1384
    1384
    1384
    1384
    1384
    1384
    1384
    1384
    1384
    1384
    1384
    1384
    1384
    1384
    1384
    1384
    1384
    1384
    1384
    1384
    1384
    1384
    1384
    1384
    1384
    1384
    1384
    1384
    1384
    1384
    1384
    1384
    1384
    1384
    1384
    1384
    1384
    1384
    1384
  • Suspicious behavior: GetForegroundWindowSpam

    Reported IOCs

    pid   process
    1384
  • Suspicious use of FindShellTrayWindow

    Reported IOCs

    pid   process
    1384
    1384
    1384
    1384
  • Suspicious use of SendNotifyMessage

    Reported IOCs

    pid   process
    1384
    1384
    1384
    1384
    1384
    1384
  • Suspicious use of WriteProcessMemory

    Reported IOCs

    description                        pid   process  target process
    PID 1384 wrote to memory of 588    1384           fvenotify.exe
    PID 1384 wrote to memory of 588    1384           fvenotify.exe
    PID 1384 wrote to memory of 588    1384           fvenotify.exe
    PID 1384 wrote to memory of 1604   1384           fvenotify.exe
    PID 1384 wrote to memory of 1604   1384           fvenotify.exe
    PID 1384 wrote to memory of 1604   1384           fvenotify.exe
    PID 1384 wrote to memory of 436    1384           wisptis.exe
    PID 1384 wrote to memory of 436    1384           wisptis.exe
    PID 1384 wrote to memory of 436    1384           wisptis.exe
    PID 1384 wrote to memory of 540    1384           wisptis.exe
    PID 1384 wrote to memory of 540    1384           wisptis.exe
    PID 1384 wrote to memory of 540    1384           wisptis.exe
    PID 1384 wrote to memory of 1260   1384           BitLockerWizard.exe
    PID 1384 wrote to memory of 1260   1384           BitLockerWizard.exe
    PID 1384 wrote to memory of 1260   1384           BitLockerWizard.exe
    PID 1384 wrote to memory of 1956   1384           BitLockerWizard.exe
    PID 1384 wrote to memory of 1956   1384           BitLockerWizard.exe
    PID 1384 wrote to memory of 1956   1384           BitLockerWizard.exe
Processes 7
  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\2c1cbd4e7a27c47468c2e806e5559c3680f1cd6497c33a65c0a565fe8bab1add.dll,#1
    Checks whether UAC is enabled
    Suspicious behavior: EnumeratesProcesses
    PID:2012
  • C:\Windows\system32\fvenotify.exe
    C:\Windows\system32\fvenotify.exe
    PID:588
  • C:\Users\Admin\AppData\Local\DQ5u66\fvenotify.exe
    C:\Users\Admin\AppData\Local\DQ5u66\fvenotify.exe
    Executes dropped EXE
    Loads dropped DLL
    Checks whether UAC is enabled
    PID:1604
  • C:\Windows\system32\wisptis.exe
    C:\Windows\system32\wisptis.exe
    PID:436
  • C:\Users\Admin\AppData\Local\e1Zx7\wisptis.exe
    C:\Users\Admin\AppData\Local\e1Zx7\wisptis.exe
    Executes dropped EXE
    Loads dropped DLL
    Checks whether UAC is enabled
    PID:540
  • C:\Windows\system32\BitLockerWizard.exe
    C:\Windows\system32\BitLockerWizard.exe
    PID:1260
  • C:\Users\Admin\AppData\Local\CfOd\BitLockerWizard.exe
    C:\Users\Admin\AppData\Local\CfOd\BitLockerWizard.exe
    Executes dropped EXE
    Loads dropped DLL
    Checks whether UAC is enabled
    PID:1956
Network
MITRE ATT&CK Matrix
Downloads
  • C:\Users\Admin\AppData\Local\CfOd\BitLockerWizard.exe
    MD5: 08a761595ad21d152db2417d6fdb239a
    SHA1: d84c1bc2e8c9afce9fb79916df9bca169f93a936
    SHA256: ec0b9e5f29a43f9db44fa76b85701058f26776ab974044c1d4741591b74d0620
    SHA512: 8b07828e9c0edf09277f89294b8e1a54816f6f3d1fe132b3eb70370b81feb82d056ec31566793bd6f451725f79c3b4aeedb15a83216115e00943e0c19cab37c9

  • C:\Users\Admin\AppData\Local\CfOd\FVEWIZ.dll
    MD5: b5ecf325ed68ae0d334eef78502b71d3
    SHA1: b21324f5adf12da39dcbe9d6b072aa5cdd1d2fef
    SHA256: 22b2162a1da367b54e84ceefae5ec1843e335a5e0ff0ca1358c4f5f350bcdfd5
    SHA512: 3e2f296b3319c8aeae637a032a77ce98aab14f33b602a83e51278ee1e37fae0f3663c40985771961badf7028d8a13872e116497855bcad5e13fb7db97b3706c1

  • C:\Users\Admin\AppData\Local\DQ5u66\fvenotify.exe
    MD5: e61d644998e07c02f0999388808ac109
    SHA1: 183130ad81ff4c7997582a484e759bf7769592d6
    SHA256: 15a85cd6fbcb1ec57d78f986d6dd8908bd56231ce0cf65775075512303f7e5fa
    SHA512: 310141b73394ae12a35f8d4f0c097868ee8a8045a62dd402a5dfbe2151980dd4fe18409ae3ca9422e3b88b2fa9afb04c1acbf8ec23a937a0a242b32a9a1e9272

  • C:\Users\Admin\AppData\Local\DQ5u66\slc.dll
    MD5: 87cec6cce3ebe35c15a35e1f8fcbf471
    SHA1: 76068c9a4a5d4afe5a4b422fd65690a24864103b
    SHA256: 81eeacd372b30933349ec5cbe47ff0540ccfc6ad55aa8deeb284c4b9607ba1fa
    SHA512: 48889289c04d0293611c94aeaa333c5b72ccbcbb1ffd9f637604a258967817e58ccebbbc6f4323994ac1d2250c32703608afce46cfa8513cc9e9f96896f4983b

  • C:\Users\Admin\AppData\Local\e1Zx7\MAGNIFICATION.dll
    MD5: 01610d390b6ba66237577d58187acf17
    SHA1: f78042fe07bd01d296daa7a8680ee6e757c1c3bc
    SHA256: 0bd1922bebbb23fd16958c6f984795b3e7f8516ddfc844600d9b66309c4a4d8e
    SHA512: 251ea9a540f3fa2d3e8327fbca16111d2f0ad76dc9365deea67f8f32d4647eaa52ac382584c38b6641d22e3fbe8d373ace643a6d905f3275e93bced3cdeb1af9

  • C:\Users\Admin\AppData\Local\e1Zx7\wisptis.exe
    MD5: 02e20372d9d6d28e37ba9704edc90b67
    SHA1: d7d18ba0df95c3507bf20be8d72e25c5d11ab40c
    SHA256: 3338129ddf6fb53d6e743c10bc39ec372d9b2c39c607cbe8a71cff929f854144
    SHA512: bcad8894614dcfc1429be04829c217e7c8ac3c40ea3927073de3421d96d9815739ee1b84f0200eb18b3b8406b972bd934204b7b31638c9fe7c297fb201ed4200

  • \Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\yPzih4ZQZY\BitLockerWizard.exe
    MD5: 08a761595ad21d152db2417d6fdb239a
    SHA1: d84c1bc2e8c9afce9fb79916df9bca169f93a936
    SHA256: ec0b9e5f29a43f9db44fa76b85701058f26776ab974044c1d4741591b74d0620
    SHA512: 8b07828e9c0edf09277f89294b8e1a54816f6f3d1fe132b3eb70370b81feb82d056ec31566793bd6f451725f79c3b4aeedb15a83216115e00943e0c19cab37c9
