c595d93c190e487562ee3edb78b351567be676fa2fe73625c3e61985f656e204

General

Target     c595d93c190e487562ee3edb78b351567be676fa2fe73625c3e61985f656e204.dll
Filesize   1MB
Completed  26-11-2021 09:29
Score      10/10
MD5        b10d7d1c405f81de7d52bff6a6feb9ab
SHA1       14c1d523e1e0a7fad2016534ef731c546f365fe9
SHA256     c595d93c190e487562ee3edb78b351567be676fa2fe73625c3e61985f656e204

Malware Config

Signatures 9

Categories: Defense Evasion, Discovery, Persistence
  • Dridex

    Description

    Dridex (known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode

    Description

    Detects Dridex payload shellcode injected in Explorer process.

    Reported IOCs

    resource | yara_rule
    behavioral1/memory/1200-60-0x0000000002220000-0x0000000002221000-memory.dmp | dridex_stager_shellcode
  • Executes dropped EXE
    SystemPropertiesComputerName.exe, psr.exe, wbengine.exe

    Reported IOCs

    pid | process
    1136 | SystemPropertiesComputerName.exe
    1756 | psr.exe
    1156 | wbengine.exe
  • Loads dropped DLL
    SystemPropertiesComputerName.exe, psr.exe, wbengine.exe

    Reported IOCs

    pid | process
    1200 | -
    1136 | SystemPropertiesComputerName.exe
    1200 | -
    1756 | psr.exe
    1200 | -
    1156 | wbengine.exe
    1200 | -
  • Adds Run key to start application

    TTPs

    Registry Run Keys / Startup Folder, Modify Registry

    Reported IOCs

    description | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Windows\CurrentVersion\Run\Myzdcwow = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\u0Ki8JEBJ\\psr.exe" | -
  • Checks whether UAC is enabled
    SystemPropertiesComputerName.exe, psr.exe, wbengine.exe

    TTPs

    System Information Discovery

    Reported IOCs

    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | SystemPropertiesComputerName.exe
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | psr.exe
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | wbengine.exe
  • Suspicious behavior: EnumeratesProcesses
    regsvr32.exe

    Reported IOCs

    pid | process
    1392 | regsvr32.exe
    1392 | regsvr32.exe
    1392 | regsvr32.exe
    1200 | - (61 identical entries, process name not given in the report)
  • Suspicious behavior: GetForegroundWindowSpam
    regsvr32.exe, SystemPropertiesComputerName.exe, psr.exe, wbengine.exe

    Reported IOCs

    pid | process
    1392 | regsvr32.exe
    1200 | -
    1136 | SystemPropertiesComputerName.exe
    1756 | psr.exe
    1156 | wbengine.exe
  • Suspicious use of WriteProcessMemory

    Reported IOCs

    description | pid | process | target process
    PID 1200 wrote to memory of 1052 | 1200 | - | SystemPropertiesComputerName.exe
    PID 1200 wrote to memory of 1052 | 1200 | - | SystemPropertiesComputerName.exe
    PID 1200 wrote to memory of 1052 | 1200 | - | SystemPropertiesComputerName.exe
    PID 1200 wrote to memory of 1136 | 1200 | - | SystemPropertiesComputerName.exe
    PID 1200 wrote to memory of 1136 | 1200 | - | SystemPropertiesComputerName.exe
    PID 1200 wrote to memory of 1136 | 1200 | - | SystemPropertiesComputerName.exe
    PID 1200 wrote to memory of 1808 | 1200 | - | psr.exe
    PID 1200 wrote to memory of 1808 | 1200 | - | psr.exe
    PID 1200 wrote to memory of 1808 | 1200 | - | psr.exe
    PID 1200 wrote to memory of 1756 | 1200 | - | psr.exe
    PID 1200 wrote to memory of 1756 | 1200 | - | psr.exe
    PID 1200 wrote to memory of 1756 | 1200 | - | psr.exe
    PID 1200 wrote to memory of 976 | 1200 | - | wbengine.exe
    PID 1200 wrote to memory of 976 | 1200 | - | wbengine.exe
    PID 1200 wrote to memory of 976 | 1200 | - | wbengine.exe
    PID 1200 wrote to memory of 1156 | 1200 | - | wbengine.exe
    PID 1200 wrote to memory of 1156 | 1200 | - | wbengine.exe
    PID 1200 wrote to memory of 1156 | 1200 | - | wbengine.exe
Processes 7
  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\c595d93c190e487562ee3edb78b351567be676fa2fe73625c3e61985f656e204.dll
    Suspicious behavior: EnumeratesProcesses
    Suspicious behavior: GetForegroundWindowSpam
    PID:1392
  • C:\Windows\system32\SystemPropertiesComputerName.exe
    C:\Windows\system32\SystemPropertiesComputerName.exe
    PID:1052
  • C:\Users\Admin\AppData\Local\oIBeRx0Mu\SystemPropertiesComputerName.exe
    C:\Users\Admin\AppData\Local\oIBeRx0Mu\SystemPropertiesComputerName.exe
    Executes dropped EXE
    Loads dropped DLL
    Checks whether UAC is enabled
    Suspicious behavior: GetForegroundWindowSpam
    PID:1136
  • C:\Windows\system32\psr.exe
    C:\Windows\system32\psr.exe
    PID:1808
  • C:\Users\Admin\AppData\Local\BQvES72y\psr.exe
    C:\Users\Admin\AppData\Local\BQvES72y\psr.exe
    Executes dropped EXE
    Loads dropped DLL
    Checks whether UAC is enabled
    Suspicious behavior: GetForegroundWindowSpam
    PID:1756
  • C:\Windows\system32\wbengine.exe
    C:\Windows\system32\wbengine.exe
    PID:976
  • C:\Users\Admin\AppData\Local\YoHSkDZ\wbengine.exe
    C:\Users\Admin\AppData\Local\YoHSkDZ\wbengine.exe
    Executes dropped EXE
    Loads dropped DLL
    Checks whether UAC is enabled
    Suspicious behavior: GetForegroundWindowSpam
    PID:1156
Network

MITRE ATT&CK Matrix

Collection, Command and Control, Credential Access, Defense Evasion, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Privilege Escalation

Downloads
  • C:\Users\Admin\AppData\Local\BQvES72y\VERSION.dll
    MD5     4340f8e46fa3b58c7acc4c3235fb3e45
    SHA1    4908587c5bcced9d2e82198159d80fb8b25bc32e
    SHA256  20646cf77b4a0ac6619a97e34d573861b4f3628a63a0ea8fe3c712ef36d7a713
    SHA512  5878db16e103d93fdb353d2ebd57a70b13fe8c8db3d6449752e01fad7c5e3ad187e1e2932dd35b8593d4417de4d12c7e9d6ac03d5afc646f6efe90c564f98b77

  • C:\Users\Admin\AppData\Local\BQvES72y\psr.exe
    MD5     a80527109d75cba125d940b007eea151
    SHA1    facf32a9ede6abfaa09368bfdfcfec8554107272
    SHA256  68910f8aae867e938b6a3b76cdf176898ba275d9ade85b4ce00b03232de4c495
    SHA512  77b86a597c33af8d3fbd9711f4abe6e0ca33b86279b1d28a25dcf3545a34b221be1ad7d11004d016203809cead1ebfd4b7e889ee9df2efc100eabf77963c1774

  • C:\Users\Admin\AppData\Local\YoHSkDZ\XmlLite.dll
    MD5     8d31fd1921ad589f6f4e2942f00a6903
    SHA1    209902b833ca9a5bc7098c0bff80c0cb8af097a1
    SHA256  4e6b80050097c7be83a1e0c72222ad54ad0935d8ab14e964e0f57ecbc35beb18
    SHA512  dda6eafbaae075959bc834678d0e5960021bde87843123c6081fc6c773ed4db9c55d230e708cf4eb1016cccdade2196d5e6122562962115a77beb76df66c32f2

  • C:\Users\Admin\AppData\Local\YoHSkDZ\wbengine.exe
    MD5     78f4e7f5c56cb9716238eb57da4b6a75
    SHA1    98b0b9db6ec5961dbb274eff433a8bc21f7e557b
    SHA256  46a4e78ce5f2a4b26f4e9c3ff04a99d9b727a82ac2e390a82a1611c3f6e0c9af
    SHA512  1a24ea71624dbbca188ee3b4812e09bc42e7d38ceac02b69940d7693475c792685a23141c8faa85a87ab6aace3f951c1a81facb610d757ac6df37cf2aa65ccd2

  • C:\Users\Admin\AppData\Local\oIBeRx0Mu\SYSDM.CPL
    MD5     e0eec80b7df3d653dd07c70b9e9949dd
    SHA1    4e54179cb009dc611a4d08fac3c54967323e75f7
    SHA256  ba0511aff57c912c744ced32c0a7fde00cdaad5105e5905191cebdb88ee9dff7
    SHA512  ffbe7147c2e3917ca1d9fc0917e5b5906c1a6de3e44b27c95c0d22a1c2d7df5196c14dd5b64d586ff2b921e801c52c14712cd2e0fbf138eaadb3d3ed13eae10e

  • C:\Users\Admin\AppData\Local\oIBeRx0Mu\SystemPropertiesComputerName.exe
    MD5     bd889683916aa93e84e1a75802918acf
    SHA1    5ee66571359178613a4256a7470c2c3e6dd93cfa
    SHA256  0e22894595891a9ff9706e03b3db31a751541c4a773f82420fce57237d6c47cf
    SHA512  9d76de848b319f44657fb7fbe5a3b927774ae999362ff811a199002ffa77ad9e1638a65a271388e605ab5e5a7cb6ce5aa7fcabc3ed583ade00eaa4c265552026

  • \Users\Admin\AppData\Local\BQvES72y\VERSION.dll
    MD5     4340f8e46fa3b58c7acc4c3235fb3e45
    SHA1    4908587c5bcced9d2e82198159d80fb8b25bc32e
    SHA256  20646cf77b4a0ac6619a97e34d573861b4f3628a63a0ea8fe3c712ef36d7a713
    SHA512  5878db16e103d93fdb353d2ebd57a70b13fe8c8db3d6449752e01fad7c5e3ad187e1e2932dd35b8593d4417de4d12c7e9d6ac03d5afc646f6efe90c564f98b77

  • \Users\Admin\AppData\Local\BQvES72y\psr.exe
    MD5     a80527109d75cba125d940b007eea151
    SHA1    facf32a9ede6abfaa09368bfdfcfec8554107272
    SHA256  68910f8aae867e938b6a3b76cdf176898ba275d9ade85b4ce00b03232de4c495
    SHA512  77b86a597c33af8d3fbd9711f4abe6e0ca33b86279b1d28a25dcf3545a34b221be1ad7d11004d016203809cead1ebfd4b7e889ee9df2efc100eabf77963c1774

  • \Users\Admin\AppData\Local\YoHSkDZ\XmlLite.dll
    MD5     8d31fd1921ad589f6f4e2942f00a6903
    SHA1    209902b833ca9a5bc7098c0bff80c0cb8af097a1
    SHA256  4e6b80050097c7be83a1e0c72222ad54ad0935d8ab14e964e0f57ecbc35beb18
    SHA512  dda6eafbaae075959bc834678d0e5960021bde87843123c6081fc6c773ed4db9c55d230e708cf4eb1016cccdade2196d5e6122562962115a77beb76df66c32f2

  • \Users\Admin\AppData\Local\YoHSkDZ\wbengine.exe
    MD5     78f4e7f5c56cb9716238eb57da4b6a75
    SHA1    98b0b9db6ec5961dbb274eff433a8bc21f7e557b
    SHA256  46a4e78ce5f2a4b26f4e9c3ff04a99d9b727a82ac2e390a82a1611c3f6e0c9af
    SHA512  1a24ea71624dbbca188ee3b4812e09bc42e7d38ceac02b69940d7693475c792685a23141c8faa85a87ab6aace3f951c1a81facb610d757ac6df37cf2aa65ccd2

  • \Users\Admin\AppData\Local\oIBeRx0Mu\SYSDM.CPL
    MD5     e0eec80b7df3d653dd07c70b9e9949dd
    SHA1    4e54179cb009dc611a4d08fac3c54967323e75f7
    SHA256  ba0511aff57c912c744ced32c0a7fde00cdaad5105e5905191cebdb88ee9dff7
    SHA512  ffbe7147c2e3917ca1d9fc0917e5b5906c1a6de3e44b27c95c0d22a1c2d7df5196c14dd5b64d586ff2b921e801c52c14712cd2e0fbf138eaadb3d3ed13eae10e

  • \Users\Admin\AppData\Local\oIBeRx0Mu\SystemPropertiesComputerName.exe
    MD5     bd889683916aa93e84e1a75802918acf
    SHA1    5ee66571359178613a4256a7470c2c3e6dd93cfa
    SHA256  0e22894595891a9ff9706e03b3db31a751541c4a773f82420fce57237d6c47cf
    SHA512  9d76de848b319f44657fb7fbe5a3b927774ae999362ff811a199002ffa77ad9e1638a65a271388e605ab5e5a7cb6ce5aa7fcabc3ed583ade00eaa4c265552026

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\WLJP\wbengine.exe
    MD5     78f4e7f5c56cb9716238eb57da4b6a75
    SHA1    98b0b9db6ec5961dbb274eff433a8bc21f7e557b
    SHA256  46a4e78ce5f2a4b26f4e9c3ff04a99d9b727a82ac2e390a82a1611c3f6e0c9af
    SHA512  1a24ea71624dbbca188ee3b4812e09bc42e7d38ceac02b69940d7693475c792685a23141c8faa85a87ab6aace3f951c1a81facb610d757ac6df37cf2aa65ccd2

  • memory/1136-92-0x0000000140000000-0x0000000140161000-memory.dmp
  • memory/1136-88-0x0000000000000000-mapping.dmp
  • memory/1156-105-0x0000000000000000-mapping.dmp
  • memory/1200-61-0x0000000140000000-0x0000000140160000-memory.dmp
  • memory/1200-72-0x0000000140000000-0x0000000140160000-memory.dmp
  • memory/1200-62-0x0000000140000000-0x0000000140160000-memory.dmp
  • memory/1200-70-0x0000000140000000-0x0000000140160000-memory.dmp
  • memory/1200-69-0x0000000140000000-0x0000000140160000-memory.dmp
  • memory/1200-75-0x0000000140000000-0x0000000140160000-memory.dmp
  • memory/1200-67-0x0000000140000000-0x0000000140160000-memory.dmp
  • memory/1200-66-0x0000000140000000-0x0000000140160000-memory.dmp
  • memory/1200-86-0x0000000077E40000-0x0000000077E42000-memory.dmp
  • memory/1200-76-0x0000000140000000-0x0000000140160000-memory.dmp
  • memory/1200-68-0x0000000140000000-0x0000000140160000-memory.dmp
  • memory/1200-63-0x0000000140000000-0x0000000140160000-memory.dmp
  • memory/1200-64-0x0000000140000000-0x0000000140160000-memory.dmp
  • memory/1200-77-0x0000000140000000-0x0000000140160000-memory.dmp
  • memory/1200-78-0x0000000140000000-0x0000000140160000-memory.dmp
  • memory/1200-79-0x0000000140000000-0x0000000140160000-memory.dmp
  • memory/1200-65-0x0000000140000000-0x0000000140160000-memory.dmp
  • memory/1200-60-0x0000000002220000-0x0000000002221000-memory.dmp
  • memory/1200-73-0x0000000140000000-0x0000000140160000-memory.dmp
  • memory/1200-71-0x0000000140000000-0x0000000140160000-memory.dmp
  • memory/1200-74-0x0000000140000000-0x0000000140160000-memory.dmp
  • memory/1200-80-0x0000000140000000-0x0000000140160000-memory.dmp
  • memory/1392-55-0x000007FEFC511000-0x000007FEFC513000-memory.dmp
  • memory/1392-59-0x0000000000110000-0x0000000000117000-memory.dmp
  • memory/1392-56-0x0000000140000000-0x0000000140160000-memory.dmp
  • memory/1756-96-0x0000000000000000-mapping.dmp