Behavioral Report

max time kernel150s
max time network130s
platformwindows7_x64
resourcewin7-en-20210920
submitted28-09-2021 08:47

Report
Files
Registry
Network
Processes
Mutex
Misc

Target

2c1cbd4e7a27c47468c2e806e5559c3680f1cd6497c33a65c0a565fe8bab1add.dll

Filesize

2MB

Completed

28-09-2021 08:50

Task

behavioral1

Score

10^/10

MD5

24628d042b24ccca20dfc18374ee15c1

SHA1

0deb91aa0e4c63080d71db61bfed0c7a5fb967ca

SHA256

2c1cbd4e7a27c47468c2e806e5559c3680f1cd6497c33a65c0a565fe8bab1add

SHA256

dd3c8457810dc1f17d1ea38be7d8884a89fd668a1b8b3d3d41f221e3997ef434e23a716433e7b214503e10649dba4830a1bf648c5a8dd23ff494d49a6d10aa23

dridex botnet evasion payload persistence trojan

Defense Evasion

Discovery

Persistence

Dridex

Description

Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

Tags

botnet dridex
Dridex Shellcode

Description

Detects Dridex Payload shellcode injected in Explorer process.

Tags

botnet payload

Reported IOCs

resource yara_rule

behavioral1/memory/1384-57-0x00000000025B0000-0x00000000025B1000-memory.dmp dridex_stager_shellcode
Executes dropped EXE
fvenotify.exewisptis.exeBitLockerWizard.exe

Reported IOCs

pid process

1604 fvenotify.exe
540 wisptis.exe
1956 BitLockerWizard.exe
Loads dropped DLL
fvenotify.exewisptis.exeBitLockerWizard.exe

Reported IOCs

pid process

1384
1604 fvenotify.exe
1384
540 wisptis.exe
1384
1956 BitLockerWizard.exe
1384

resource	yara_rule
behavioral1/memory/1384-57-0x00000000025B0000-0x00000000025B1000-memory.dmp	dridex_stager_shellcode

pid	process
1604	fvenotify.exe
540	wisptis.exe
1956	BitLockerWizard.exe

pid	process
1384
1604	fvenotify.exe
1384
540	wisptis.exe
1384
1956	BitLockerWizard.exe
1384

Adds Run key to start application

TTPs

Registry Run Keys / Startup FolderModify Registry

Reported IOCs

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\Wbbdywj = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\UserData\\Low\\AXNNSI~1\\wisptis.exe"

Checks whether UAC is enabled

rundll32.exefvenotify.exewisptis.exeBitLockerWizard.exe

TTPs

System Information Discovery

Reported IOCs

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fvenotify.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wisptis.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	BitLockerWizard.exe

Suspicious behavior: EnumeratesProcesses

rundll32.exe

Reported IOCs

pid	process
2012	rundll32.exe
2012	rundll32.exe
2012	rundll32.exe
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384

Suspicious behavior: GetForegroundWindowSpam

Reported IOCs

pid process

1384
Suspicious use of FindShellTrayWindow

Reported IOCs

pid process

1384
1384
1384
1384
Suspicious use of SendNotifyMessage

Reported IOCs

pid process

1384
1384
1384
1384
1384
1384

pid	process
1384

pid	process
1384
1384
1384
1384

pid	process
1384
1384
1384
1384
1384
1384

Suspicious use of WriteProcessMemory

Reported IOCs

description	pid	target process
PID 1384 wrote to memory of 588	1384	fvenotify.exe
PID 1384 wrote to memory of 588	1384	fvenotify.exe
PID 1384 wrote to memory of 588	1384	fvenotify.exe
PID 1384 wrote to memory of 1604	1384	fvenotify.exe
PID 1384 wrote to memory of 1604	1384	fvenotify.exe
PID 1384 wrote to memory of 1604	1384	fvenotify.exe
PID 1384 wrote to memory of 436	1384	wisptis.exe
PID 1384 wrote to memory of 436	1384	wisptis.exe
PID 1384 wrote to memory of 436	1384	wisptis.exe
PID 1384 wrote to memory of 540	1384	wisptis.exe
PID 1384 wrote to memory of 540	1384	wisptis.exe
PID 1384 wrote to memory of 540	1384	wisptis.exe
PID 1384 wrote to memory of 1260	1384	BitLockerWizard.exe
PID 1384 wrote to memory of 1260	1384	BitLockerWizard.exe
PID 1384 wrote to memory of 1260	1384	BitLockerWizard.exe
PID 1384 wrote to memory of 1956	1384	BitLockerWizard.exe
PID 1384 wrote to memory of 1956	1384	BitLockerWizard.exe
PID 1384 wrote to memory of 1956	1384	BitLockerWizard.exe

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\2c1cbd4e7a27c47468c2e806e5559c3680f1cd6497c33a65c0a565fe8bab1add.dll,#1

Checks whether UAC is enabled
Suspicious behavior: EnumeratesProcesses

PID:2012

C:\Windows\system32\fvenotify.exe

C:\Windows\system32\fvenotify.exe

PID:588

C:\Users\Admin\AppData\Local\DQ5u66\fvenotify.exe

C:\Users\Admin\AppData\Local\DQ5u66\fvenotify.exe

Executes dropped EXE
Loads dropped DLL
Checks whether UAC is enabled

PID:1604

C:\Windows\system32\wisptis.exe

C:\Windows\system32\wisptis.exe

PID:436

C:\Users\Admin\AppData\Local\e1Zx7\wisptis.exe

C:\Users\Admin\AppData\Local\e1Zx7\wisptis.exe

Executes dropped EXE
Loads dropped DLL
Checks whether UAC is enabled

PID:540

C:\Windows\system32\BitLockerWizard.exe

C:\Windows\system32\BitLockerWizard.exe

PID:1260

C:\Users\Admin\AppData\Local\CfOd\BitLockerWizard.exe

C:\Users\Admin\AppData\Local\CfOd\BitLockerWizard.exe

Executes dropped EXE
Loads dropped DLL
Checks whether UAC is enabled

PID:1956

Collection

Command and Control

Credential Access

Defense Evasion

Modify Registry

Discovery

System Information Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

00:00 00:00

C:\Users\Admin\AppData\Local\CfOd\BitLockerWizard.exe
MD5
08a761595ad21d152db2417d6fdb239a

SHA1
d84c1bc2e8c9afce9fb79916df9bca169f93a936

SHA256
ec0b9e5f29a43f9db44fa76b85701058f26776ab974044c1d4741591b74d0620

SHA512
8b07828e9c0edf09277f89294b8e1a54816f6f3d1fe132b3eb70370b81feb82d056ec31566793bd6f451725f79c3b4aeedb15a83216115e00943e0c19cab37c9

Download Submit
C:\Users\Admin\AppData\Local\CfOd\FVEWIZ.dll
MD5
b5ecf325ed68ae0d334eef78502b71d3

SHA1
b21324f5adf12da39dcbe9d6b072aa5cdd1d2fef

SHA256
22b2162a1da367b54e84ceefae5ec1843e335a5e0ff0ca1358c4f5f350bcdfd5

SHA512
3e2f296b3319c8aeae637a032a77ce98aab14f33b602a83e51278ee1e37fae0f3663c40985771961badf7028d8a13872e116497855bcad5e13fb7db97b3706c1

Download Submit
C:\Users\Admin\AppData\Local\DQ5u66\fvenotify.exe
MD5
e61d644998e07c02f0999388808ac109

SHA1
183130ad81ff4c7997582a484e759bf7769592d6

SHA256
15a85cd6fbcb1ec57d78f986d6dd8908bd56231ce0cf65775075512303f7e5fa

SHA512
310141b73394ae12a35f8d4f0c097868ee8a8045a62dd402a5dfbe2151980dd4fe18409ae3ca9422e3b88b2fa9afb04c1acbf8ec23a937a0a242b32a9a1e9272

Download Submit
C:\Users\Admin\AppData\Local\DQ5u66\slc.dll
MD5
87cec6cce3ebe35c15a35e1f8fcbf471

SHA1
76068c9a4a5d4afe5a4b422fd65690a24864103b

SHA256
81eeacd372b30933349ec5cbe47ff0540ccfc6ad55aa8deeb284c4b9607ba1fa

SHA512
48889289c04d0293611c94aeaa333c5b72ccbcbb1ffd9f637604a258967817e58ccebbbc6f4323994ac1d2250c32703608afce46cfa8513cc9e9f96896f4983b

Download Submit
C:\Users\Admin\AppData\Local\e1Zx7\MAGNIFICATION.dll
MD5
01610d390b6ba66237577d58187acf17

SHA1
f78042fe07bd01d296daa7a8680ee6e757c1c3bc

SHA256
0bd1922bebbb23fd16958c6f984795b3e7f8516ddfc844600d9b66309c4a4d8e

SHA512
251ea9a540f3fa2d3e8327fbca16111d2f0ad76dc9365deea67f8f32d4647eaa52ac382584c38b6641d22e3fbe8d373ace643a6d905f3275e93bced3cdeb1af9

Download Submit
C:\Users\Admin\AppData\Local\e1Zx7\wisptis.exe
MD5
02e20372d9d6d28e37ba9704edc90b67

SHA1
d7d18ba0df95c3507bf20be8d72e25c5d11ab40c

SHA256
3338129ddf6fb53d6e743c10bc39ec372d9b2c39c607cbe8a71cff929f854144

SHA512
bcad8894614dcfc1429be04829c217e7c8ac3c40ea3927073de3421d96d9815739ee1b84f0200eb18b3b8406b972bd934204b7b31638c9fe7c297fb201ed4200

Download Submit
\Users\Admin\AppData\Local\CfOd\BitLockerWizard.exe
MD5
08a761595ad21d152db2417d6fdb239a

SHA1
d84c1bc2e8c9afce9fb79916df9bca169f93a936

SHA256
ec0b9e5f29a43f9db44fa76b85701058f26776ab974044c1d4741591b74d0620

SHA512
8b07828e9c0edf09277f89294b8e1a54816f6f3d1fe132b3eb70370b81feb82d056ec31566793bd6f451725f79c3b4aeedb15a83216115e00943e0c19cab37c9

Download Submit
\Users\Admin\AppData\Local\CfOd\FVEWIZ.dll
MD5
b5ecf325ed68ae0d334eef78502b71d3

SHA1
b21324f5adf12da39dcbe9d6b072aa5cdd1d2fef

SHA256
22b2162a1da367b54e84ceefae5ec1843e335a5e0ff0ca1358c4f5f350bcdfd5

SHA512
3e2f296b3319c8aeae637a032a77ce98aab14f33b602a83e51278ee1e37fae0f3663c40985771961badf7028d8a13872e116497855bcad5e13fb7db97b3706c1

Download Submit
\Users\Admin\AppData\Local\DQ5u66\fvenotify.exe
MD5
e61d644998e07c02f0999388808ac109

SHA1
183130ad81ff4c7997582a484e759bf7769592d6

SHA256
15a85cd6fbcb1ec57d78f986d6dd8908bd56231ce0cf65775075512303f7e5fa

SHA512
310141b73394ae12a35f8d4f0c097868ee8a8045a62dd402a5dfbe2151980dd4fe18409ae3ca9422e3b88b2fa9afb04c1acbf8ec23a937a0a242b32a9a1e9272

Download Submit
\Users\Admin\AppData\Local\DQ5u66\slc.dll
MD5
87cec6cce3ebe35c15a35e1f8fcbf471

SHA1
76068c9a4a5d4afe5a4b422fd65690a24864103b

SHA256
81eeacd372b30933349ec5cbe47ff0540ccfc6ad55aa8deeb284c4b9607ba1fa

SHA512
48889289c04d0293611c94aeaa333c5b72ccbcbb1ffd9f637604a258967817e58ccebbbc6f4323994ac1d2250c32703608afce46cfa8513cc9e9f96896f4983b

Download Submit
\Users\Admin\AppData\Local\e1Zx7\MAGNIFICATION.dll
MD5
01610d390b6ba66237577d58187acf17

SHA1
f78042fe07bd01d296daa7a8680ee6e757c1c3bc

SHA256
0bd1922bebbb23fd16958c6f984795b3e7f8516ddfc844600d9b66309c4a4d8e

SHA512
251ea9a540f3fa2d3e8327fbca16111d2f0ad76dc9365deea67f8f32d4647eaa52ac382584c38b6641d22e3fbe8d373ace643a6d905f3275e93bced3cdeb1af9

Download Submit
\Users\Admin\AppData\Local\e1Zx7\wisptis.exe
MD5
02e20372d9d6d28e37ba9704edc90b67

SHA1
d7d18ba0df95c3507bf20be8d72e25c5d11ab40c

SHA256
3338129ddf6fb53d6e743c10bc39ec372d9b2c39c607cbe8a71cff929f854144

SHA512
bcad8894614dcfc1429be04829c217e7c8ac3c40ea3927073de3421d96d9815739ee1b84f0200eb18b3b8406b972bd934204b7b31638c9fe7c297fb201ed4200

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\yPzih4ZQZY\BitLockerWizard.exe
MD5
08a761595ad21d152db2417d6fdb239a

SHA1
d84c1bc2e8c9afce9fb79916df9bca169f93a936

SHA256
ec0b9e5f29a43f9db44fa76b85701058f26776ab974044c1d4741591b74d0620

SHA512
8b07828e9c0edf09277f89294b8e1a54816f6f3d1fe132b3eb70370b81feb82d056ec31566793bd6f451725f79c3b4aeedb15a83216115e00943e0c19cab37c9

Download Submit
memory/540-114-0x0000000000000000-mapping.dmp

Download
memory/1384-81-0x0000000140000000-0x000000014020A000-memory.dmp

Download
memory/1384-90-0x0000000140000000-0x000000014020A000-memory.dmp

Download
memory/1384-93-0x0000000140000000-0x000000014020A000-memory.dmp

Download
memory/1384-94-0x0000000140000000-0x000000014020A000-memory.dmp

Download
memory/1384-96-0x0000000140000000-0x000000014020A000-memory.dmp

Download
memory/1384-97-0x0000000140000000-0x000000014020A000-memory.dmp

Download
memory/1384-98-0x0000000140000000-0x000000014020A000-memory.dmp

Download
memory/1384-95-0x0000000140000000-0x000000014020A000-memory.dmp

Download
memory/1384-92-0x0000000140000000-0x000000014020A000-memory.dmp

Download
memory/1384-91-0x0000000140000000-0x000000014020A000-memory.dmp

Download
memory/1384-89-0x0000000140000000-0x000000014020A000-memory.dmp

Download
memory/1384-87-0x0000000140000000-0x000000014020A000-memory.dmp

Download
memory/1384-85-0x0000000140000000-0x000000014020A000-memory.dmp

Download
memory/1384-86-0x0000000140000000-0x000000014020A000-memory.dmp

Download
memory/1384-82-0x0000000140000000-0x000000014020A000-memory.dmp

Download
memory/1384-79-0x0000000140000000-0x000000014020A000-memory.dmp

Download
memory/1384-78-0x0000000140000000-0x000000014020A000-memory.dmp

Download
memory/1384-84-0x0000000140000000-0x000000014020A000-memory.dmp

Download
memory/1384-73-0x0000000140000000-0x000000014020A000-memory.dmp

Download
memory/1384-72-0x0000000140000000-0x000000014020A000-memory.dmp

Download
memory/1384-70-0x0000000140000000-0x000000014020A000-memory.dmp

Download
memory/1384-69-0x0000000140000000-0x000000014020A000-memory.dmp

Download
memory/1384-68-0x0000000140000000-0x000000014020A000-memory.dmp

Download
memory/1384-66-0x0000000140000000-0x000000014020A000-memory.dmp

Download
memory/1384-65-0x0000000140000000-0x000000014020A000-memory.dmp

Download
memory/1384-63-0x0000000140000000-0x000000014020A000-memory.dmp

Download
memory/1384-62-0x0000000140000000-0x000000014020A000-memory.dmp

Download
memory/1384-61-0x0000000140000000-0x000000014020A000-memory.dmp

Download
memory/1384-59-0x0000000140000000-0x000000014020A000-memory.dmp

Download
memory/1384-58-0x0000000140000000-0x000000014020A000-memory.dmp

Download
memory/1384-104-0x00000000773C0000-0x00000000773C2000-memory.dmp

Download
memory/1384-83-0x0000000140000000-0x000000014020A000-memory.dmp

Download
memory/1384-80-0x0000000140000000-0x000000014020A000-memory.dmp

Download
memory/1384-77-0x0000000140000000-0x000000014020A000-memory.dmp

Download
memory/1384-76-0x0000000140000000-0x000000014020A000-memory.dmp

Download
memory/1384-75-0x0000000140000000-0x000000014020A000-memory.dmp

Download
memory/1384-67-0x0000000140000000-0x000000014020A000-memory.dmp

Download
memory/1384-64-0x0000000140000000-0x000000014020A000-memory.dmp

Download
memory/1384-60-0x0000000140000000-0x000000014020A000-memory.dmp

Download
memory/1384-57-0x00000000025B0000-0x00000000025B1000-memory.dmp

Download
memory/1384-71-0x0000000140000000-0x000000014020A000-memory.dmp

Download
memory/1384-74-0x0000000140000000-0x000000014020A000-memory.dmp

Download
memory/1384-88-0x0000000140000000-0x000000014020A000-memory.dmp

Download
memory/1604-108-0x000007FEFBC31000-0x000007FEFBC33000-memory.dmp

Download
memory/1604-106-0x0000000000000000-mapping.dmp

Download
memory/1604-111-0x0000000140000000-0x000000014020B000-memory.dmp

Download
memory/1956-121-0x0000000000000000-mapping.dmp

Download
memory/2012-54-0x0000000140000000-0x000000014020A000-memory.dmp

Download
memory/2012-56-0x00000000002A0000-0x00000000002A7000-memory.dmp

Download

Filter: none

Description

Tags

Description

Tags

Reported IOCs

Reported IOCs

Reported IOCs

Tags

TTPs

Reported IOCs

Tags

TTPs

Reported IOCs

Reported IOCs

Reported IOCs

Reported IOCs

Reported IOCs

Reported IOCs

Title