Analysis
-
max time kernel
163s -
max time network
143s -
platform
windows10_x64 -
resource
win10-en-20211104 -
submitted
26-11-2021 09:26
General
-
Target
c876113220b534ba1da612f3ca0eb30a735548a20e6b70b5bf547bc7ce3e1794.dll
-
Size
1.5MB
-
MD5
9b7b23ecfe0f8461fd0d9a7e5e590e31
-
SHA1
616a00949db4ce3fb3e13ddfda0f288ad39d2877
-
SHA256
c876113220b534ba1da612f3ca0eb30a735548a20e6b70b5bf547bc7ce3e1794
-
SHA512
1f715cf068481951a697caa17ed94ddf3afec21186de5674d4d138a2ae8635e8f5879053fca0ec99bf33169737d8298146f000702a900487a8c5f45d5bc53875
Malware Config
Signatures
-
Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
-
Dridex Shellcode 1 IoCs
Detects Dridex Payload shellcode injected in Explorer process.
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 3 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 4 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 5 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\c876113220b534ba1da612f3ca0eb30a735548a20e6b70b5bf547bc7ce3e1794.dll,#11⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
-
C:\Windows\system32\Magnify.exeC:\Windows\system32\Magnify.exe1⤵
-
C:\Users\Admin\AppData\Local\HWS\Magnify.exeC:\Users\Admin\AppData\Local\HWS\Magnify.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
-
C:\Windows\system32\RdpSaUacHelper.exeC:\Windows\system32\RdpSaUacHelper.exe1⤵
-
C:\Users\Admin\AppData\Local\bczZecb\RdpSaUacHelper.exeC:\Users\Admin\AppData\Local\bczZecb\RdpSaUacHelper.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
-
C:\Windows\system32\Magnify.exeC:\Windows\system32\Magnify.exe1⤵
-
C:\Users\Admin\AppData\Local\CXmBroCG\Magnify.exeC:\Users\Admin\AppData\Local\CXmBroCG\Magnify.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\CXmBroCG\Magnify.exeMD5
0c3925b9a284f0dd02571d0d2bca19ee
SHA1a73451bb2ddd09397cb7737d36a75c0cdfdf9d51
SHA25641e91d736995628275261aa1adb14158e0783b36c913ef5fc681da105a4272cc
SHA512db02a3211b1b2cf7b10cd70148404106be6cb4a63c7c0c0526256f983c3ad756c157a67848173208e7c0d88a8f34b73c42d37b24f5cc1f9da66731731a534a72
-
C:\Users\Admin\AppData\Local\CXmBroCG\OLEACC.dllMD5
be2b908ea709252a7d6e48826c6f4eb9
SHA1b1adcae7e16bd74848f568d58ea4bc601c8f8ed3
SHA256dc55fcd4f459e056ca687ee8a78589ff88d3160f5bdfc14b59f80f585a466b5f
SHA512fad070839dce8a7255f39134c147e2fb9c39e924735dc32fa001815b5705223eae9a842e4ca0a38f0cbf442651d7b8d567007b6b4e4bdb507cd616816a6b440d
-
C:\Users\Admin\AppData\Local\HWS\DUI70.dllMD5
b19279254e270cfd7b785a7b53f930ff
SHA12736eadf5bdbb4a38519243ebb460d60148a00b0
SHA2565392b39662e0885caff964317938470a876a092158474527a35cd1f95d9c9ada
SHA5123268c310d2f6213861e72ad751a1cb832eaf54b7f2d834c1302dfd0f927789c7b0f7d2da379d15f7e011037107ddb5cd7a83d12c6e899dd27a6cf64c7d035cd5
-
C:\Users\Admin\AppData\Local\HWS\Magnify.exeMD5
0c3925b9a284f0dd02571d0d2bca19ee
SHA1a73451bb2ddd09397cb7737d36a75c0cdfdf9d51
SHA25641e91d736995628275261aa1adb14158e0783b36c913ef5fc681da105a4272cc
SHA512db02a3211b1b2cf7b10cd70148404106be6cb4a63c7c0c0526256f983c3ad756c157a67848173208e7c0d88a8f34b73c42d37b24f5cc1f9da66731731a534a72
-
C:\Users\Admin\AppData\Local\bczZecb\RdpSaUacHelper.exeMD5
0e8c26287144226d1e9db0d3fd02102f
SHA12c800a7226c1e6f29c26899525c7c2d1eb850943
SHA2564e190c57b28faba314b89b0504c82f578bd988478807ba5b1ada1cd238f8aac0
SHA512673559d1c321950187625b04a04f8708ed50f13f84f0f7470b55552374b32ae4a382bd30671029513077f65cd32f50577653e87bf272c706476d20785f976236
-
C:\Users\Admin\AppData\Local\bczZecb\WINSTA.dllMD5
dd34f3feea11bc5f25976eb42549118e
SHA12f3e6f083dbe439c6e364fa20f4d5fd2d84eb413
SHA2564b396ec3d314f581d0e7d3bc1a4e78e4162410901ca5773467db23f3bdc39763
SHA5120cb2eb6635cbe128f3c1fcdf9c483ebfaa4e61159e63a0f87fc251a061911b746280822b9f9d6aff597e543febf1a92a506855ca0c66d800d5a17b018ac486f3
-
\Users\Admin\AppData\Local\CXmBroCG\OLEACC.dllMD5
be2b908ea709252a7d6e48826c6f4eb9
SHA1b1adcae7e16bd74848f568d58ea4bc601c8f8ed3
SHA256dc55fcd4f459e056ca687ee8a78589ff88d3160f5bdfc14b59f80f585a466b5f
SHA512fad070839dce8a7255f39134c147e2fb9c39e924735dc32fa001815b5705223eae9a842e4ca0a38f0cbf442651d7b8d567007b6b4e4bdb507cd616816a6b440d
-
\Users\Admin\AppData\Local\HWS\DUI70.dllMD5
b19279254e270cfd7b785a7b53f930ff
SHA12736eadf5bdbb4a38519243ebb460d60148a00b0
SHA2565392b39662e0885caff964317938470a876a092158474527a35cd1f95d9c9ada
SHA5123268c310d2f6213861e72ad751a1cb832eaf54b7f2d834c1302dfd0f927789c7b0f7d2da379d15f7e011037107ddb5cd7a83d12c6e899dd27a6cf64c7d035cd5
-
\Users\Admin\AppData\Local\bczZecb\WINSTA.dllMD5
dd34f3feea11bc5f25976eb42549118e
SHA12f3e6f083dbe439c6e364fa20f4d5fd2d84eb413
SHA2564b396ec3d314f581d0e7d3bc1a4e78e4162410901ca5773467db23f3bdc39763
SHA5120cb2eb6635cbe128f3c1fcdf9c483ebfaa4e61159e63a0f87fc251a061911b746280822b9f9d6aff597e543febf1a92a506855ca0c66d800d5a17b018ac486f3
-
memory/1104-177-0x0000000140000000-0x0000000140176000-memory.dmpFilesize
1.5MB
-
memory/1104-180-0x0000025FD8140000-0x0000025FD8142000-memory.dmpFilesize
8KB
-
memory/1104-181-0x0000025FD8140000-0x0000025FD8142000-memory.dmpFilesize
8KB
-
memory/1104-173-0x0000000000000000-mapping.dmp
-
memory/1104-182-0x0000025FD8140000-0x0000025FD8142000-memory.dmpFilesize
8KB
-
memory/1272-161-0x0000020A64AB0000-0x0000020A64AB2000-memory.dmpFilesize
8KB
-
memory/1272-162-0x0000020A64AB0000-0x0000020A64AB2000-memory.dmpFilesize
8KB
-
memory/1272-153-0x0000000000000000-mapping.dmp
-
memory/1272-160-0x0000020A64AB0000-0x0000020A64AB2000-memory.dmpFilesize
8KB
-
memory/1272-157-0x0000000140000000-0x00000001401BB000-memory.dmpFilesize
1.7MB
-
memory/1660-167-0x0000000140000000-0x0000000140177000-memory.dmpFilesize
1.5MB
-
memory/1660-163-0x0000000000000000-mapping.dmp
-
memory/1660-170-0x000001D29C980000-0x000001D29C982000-memory.dmpFilesize
8KB
-
memory/1660-171-0x000001D29C980000-0x000001D29C982000-memory.dmpFilesize
8KB
-
memory/1660-172-0x000001D29C980000-0x000001D29C982000-memory.dmpFilesize
8KB
-
memory/3056-136-0x0000000140000000-0x0000000140175000-memory.dmpFilesize
1.5MB
-
memory/3056-134-0x0000000140000000-0x0000000140175000-memory.dmpFilesize
1.5MB
-
memory/3056-151-0x0000000000670000-0x0000000000672000-memory.dmpFilesize
8KB
-
memory/3056-152-0x00007FFDD47D0000-0x00007FFDD47D2000-memory.dmpFilesize
8KB
-
memory/3056-149-0x0000000000670000-0x0000000000672000-memory.dmpFilesize
8KB
-
memory/3056-148-0x0000000000670000-0x0000000000672000-memory.dmpFilesize
8KB
-
memory/3056-142-0x0000000140000000-0x0000000140175000-memory.dmpFilesize
1.5MB
-
memory/3056-141-0x0000000140000000-0x0000000140175000-memory.dmpFilesize
1.5MB
-
memory/3056-127-0x0000000140000000-0x0000000140175000-memory.dmpFilesize
1.5MB
-
memory/3056-140-0x0000000140000000-0x0000000140175000-memory.dmpFilesize
1.5MB
-
memory/3056-129-0x0000000140000000-0x0000000140175000-memory.dmpFilesize
1.5MB
-
memory/3056-138-0x0000000140000000-0x0000000140175000-memory.dmpFilesize
1.5MB
-
memory/3056-139-0x0000000140000000-0x0000000140175000-memory.dmpFilesize
1.5MB
-
memory/3056-150-0x00007FFDD4695000-0x00007FFDD4696000-memory.dmpFilesize
4KB
-
memory/3056-137-0x0000000140000000-0x0000000140175000-memory.dmpFilesize
1.5MB
-
memory/3056-124-0x0000000000660000-0x0000000000661000-memory.dmpFilesize
4KB
-
memory/3056-135-0x0000000140000000-0x0000000140175000-memory.dmpFilesize
1.5MB
-
memory/3056-133-0x0000000140000000-0x0000000140175000-memory.dmpFilesize
1.5MB
-
memory/3056-132-0x0000000140000000-0x0000000140175000-memory.dmpFilesize
1.5MB
-
memory/3056-130-0x0000000140000000-0x0000000140175000-memory.dmpFilesize
1.5MB
-
memory/3056-131-0x0000000140000000-0x0000000140175000-memory.dmpFilesize
1.5MB
-
memory/3056-128-0x0000000140000000-0x0000000140175000-memory.dmpFilesize
1.5MB
-
memory/3056-126-0x0000000140000000-0x0000000140175000-memory.dmpFilesize
1.5MB
-
memory/3056-125-0x0000000140000000-0x0000000140175000-memory.dmpFilesize
1.5MB
-
memory/3764-118-0x0000000140000000-0x0000000140175000-memory.dmpFilesize
1.5MB
-
memory/3764-123-0x000001E2BA3F0000-0x000001E2BA3F7000-memory.dmpFilesize
28KB
-
memory/3764-122-0x000001E2BA400000-0x000001E2BA402000-memory.dmpFilesize
8KB
-
memory/3764-121-0x000001E2BA400000-0x000001E2BA402000-memory.dmpFilesize
8KB