c595d93c190e487562ee3edb78b351567be676fa2fe73625c3e61985f656e204

max time kernel150s
max time network126s
platformwindows10_x64
resourcewin10-en-20211014
submitted26-11-2021 09:27

Report
Files
Registry
Network
Processes
Mutex
Misc

Target

c595d93c190e487562ee3edb78b351567be676fa2fe73625c3e61985f656e204.dll

Filesize

1MB

Completed

26-11-2021 09:30

Score

10^/10

MD5

b10d7d1c405f81de7d52bff6a6feb9ab

SHA1

14c1d523e1e0a7fad2016534ef731c546f365fe9

SHA256

c595d93c190e487562ee3edb78b351567be676fa2fe73625c3e61985f656e204

Defense Evasion

Discovery

Persistence

Dridex

Description

Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

Tags

botnet dridex
Dridex Shellcode

Description

Detects Dridex Payload shellcode injected in Explorer process.

Tags

botnet payload

Reported IOCs

resource yara_rule

behavioral2/memory/3020-121-0x0000000000ED0000-0x0000000000ED1000-memory.dmp dridex_stager_shellcode
Executes dropped EXE
Taskmgr.exeNarrator.exeDevicePairingWizard.exerdpclip.exe

Reported IOCs

pid process

4004 Taskmgr.exe
2252 Narrator.exe
1108 DevicePairingWizard.exe
404 rdpclip.exe
Loads dropped DLL
Taskmgr.exeDevicePairingWizard.exerdpclip.exe

Reported IOCs

pid process

4004 Taskmgr.exe
1108 DevicePairingWizard.exe
404 rdpclip.exe

resource	yara_rule
behavioral2/memory/3020-121-0x0000000000ED0000-0x0000000000ED1000-memory.dmp	dridex_stager_shellcode

pid	process
4004	Taskmgr.exe
2252	Narrator.exe
1108	DevicePairingWizard.exe
404	rdpclip.exe

pid	process
4004	Taskmgr.exe
1108	DevicePairingWizard.exe
404	rdpclip.exe

Adds Run key to start application

TTPs

Registry Run Keys / Startup FolderModify Registry

Reported IOCs

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\Slqggwbvaxk = "C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\SystemExtensionsDev\\fPPGnoa04\\DevicePairingWizard.exe"

Checks whether UAC is enabled

Taskmgr.exeDevicePairingWizard.exerdpclip.exe

TTPs

System Information Discovery

Reported IOCs

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DevicePairingWizard.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rdpclip.exe

Modifies registry class

Reported IOCs

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance

Suspicious behavior: EnumeratesProcesses

regsvr32.exe

Reported IOCs

pid	process
2108	regsvr32.exe
2108	regsvr32.exe
2108	regsvr32.exe
2108	regsvr32.exe
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020

Suspicious behavior: GetForegroundWindowSpam
regsvr32.exeTaskmgr.exeDevicePairingWizard.exerdpclip.exe

Reported IOCs

pid process

2108 regsvr32.exe
3020
4004 Taskmgr.exe
1108 DevicePairingWizard.exe
404 rdpclip.exe

Suspicious use of AdjustPrivilegeToken

Reported IOCs

description	pid	process
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020

Suspicious use of WriteProcessMemory

Reported IOCs

description	pid	target process
PID 3020 wrote to memory of 1488	3020	Taskmgr.exe
PID 3020 wrote to memory of 1488	3020	Taskmgr.exe
PID 3020 wrote to memory of 4004	3020	Taskmgr.exe
PID 3020 wrote to memory of 4004	3020	Taskmgr.exe
PID 3020 wrote to memory of 2116	3020	Narrator.exe
PID 3020 wrote to memory of 2116	3020	Narrator.exe
PID 3020 wrote to memory of 3772	3020	DevicePairingWizard.exe
PID 3020 wrote to memory of 3772	3020	DevicePairingWizard.exe
PID 3020 wrote to memory of 1108	3020	DevicePairingWizard.exe
PID 3020 wrote to memory of 1108	3020	DevicePairingWizard.exe
PID 3020 wrote to memory of 3672	3020	rdpclip.exe
PID 3020 wrote to memory of 3672	3020	rdpclip.exe
PID 3020 wrote to memory of 404	3020	rdpclip.exe
PID 3020 wrote to memory of 404	3020	rdpclip.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\c595d93c190e487562ee3edb78b351567be676fa2fe73625c3e61985f656e204.dll

Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam

PID:2108

C:\Windows\system32\Taskmgr.exe

C:\Windows\system32\Taskmgr.exe

PID:1488

C:\Users\Admin\AppData\Local\rM4\Taskmgr.exe

C:\Users\Admin\AppData\Local\rM4\Taskmgr.exe

Executes dropped EXE
Loads dropped DLL
Checks whether UAC is enabled
Suspicious behavior: GetForegroundWindowSpam

PID:4004

C:\Windows\system32\Narrator.exe

C:\Windows\system32\Narrator.exe

PID:2116

C:\Users\Admin\AppData\Local\BPu\Narrator.exe

C:\Users\Admin\AppData\Local\BPu\Narrator.exe

Executes dropped EXE

PID:2252

C:\Windows\system32\DevicePairingWizard.exe

C:\Windows\system32\DevicePairingWizard.exe

PID:3772

C:\Users\Admin\AppData\Local\8kfB\DevicePairingWizard.exe

C:\Users\Admin\AppData\Local\8kfB\DevicePairingWizard.exe

Executes dropped EXE
Loads dropped DLL
Checks whether UAC is enabled
Suspicious behavior: GetForegroundWindowSpam

PID:1108

C:\Windows\system32\rdpclip.exe

C:\Windows\system32\rdpclip.exe

PID:3672

C:\Users\Admin\AppData\Local\N6bwNYy\rdpclip.exe

C:\Users\Admin\AppData\Local\N6bwNYy\rdpclip.exe

Executes dropped EXE
Loads dropped DLL
Checks whether UAC is enabled
Suspicious behavior: GetForegroundWindowSpam

PID:404

Collection

Command and Control

Credential Access

Defense Evasion

Modify Registry

Discovery

System Information Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

00:00 00:00

C:\Users\Admin\AppData\Local\8kfB\DevicePairingWizard.exe
MD5
50d2e0183f1a3f4eb6897158ac6c6dc9

SHA1
39da481fb5ae670a4334652fefce7f5ea8842863

SHA256
9d9dadbf467fd2174356b82712fbcc691f643d5d8ec3d245145c2dc1f281e597

SHA512
1664661cbb271bd808ad0612ac1c5be521dd624bad9bc0a954f76237d82f3685566d76d928374afccc867b3b237e98c42ac600af8183f68ee1826294781053cd

Download Submit
C:\Users\Admin\AppData\Local\8kfB\MFC42u.dll
MD5
79479712c2728940f7e69a64cea85543

SHA1
415130e52c0ee15bdc4228519990472005e0ae54

SHA256
7e81fcdf573c38d4a7f8e353a48819107b0743c7252d09b82713388718e384f2

SHA512
3af2bf66ac0020a42e50d31e134997cc8a483cb9073e9375ff0bf7c6e0b18db5c92763dafcfc88054db97f558762e98dc90105d740c96ae8f1b78f6c628cf49f

Download Submit
C:\Users\Admin\AppData\Local\BPu\Narrator.exe
MD5
856e08496a86552ad918c634a21fc2fb

SHA1
b826d7d1a657bc9cec0326ad6847b6cadbbd0bd8

SHA256
2d3b80aea1c704b6e5ceec22723e70dcbd0dd901562a0b6e584b9e6ccb120bc8

SHA512
d3e7c69427ea54d5cb0e97febf93f47233bb31b21df49fd8994d07ed7af25a1d0c189b0e2dba86c50ae46a50d9663e99dff7ac789d0f7ebd054d3cf4bfbe4793

Download Submit
C:\Users\Admin\AppData\Local\N6bwNYy\dwmapi.dll
MD5
3cbb2ff8ab8cd912d964411bfa1fb73b

SHA1
0615a245bf0aa79fe51aea6033a1f55b7897fecd

SHA256
ce383bc0cd433869b1c36d9d890305b14f1a4574630ad28fc2c97b9b348e876b

SHA512
153b569141004c9e87afb17dc65ed86de663cd851dfcf562740bbcc3c68e0bb83657189b8e1bcf29be356e693bc1e92b4fafa3aadb17f4647e3798644b6e8bcc

Download Submit
C:\Users\Admin\AppData\Local\N6bwNYy\rdpclip.exe
MD5
5c727d909ff96820509e726ab9d74c53

SHA1
3bb99d4cf331df624150559eaee54d435b32b24d

SHA256
378c8d7a051370d4580e57584522ad987af202015ec8ff786b3392b92cd273bb

SHA512
290c14ad8526c0687b5a4855366ef748acfe1cd0bb97a2cb4a876dab8489c0a12a92fe8bc8b8e346c0c71c2cb21e7fdd7cf344fea465d3534eb3d012c5249977

Download Submit
C:\Users\Admin\AppData\Local\rM4\DUI70.dll
MD5
c4211bce7d6c5a8d8ae044aa45b1e624

SHA1
4b2af2c6818929b6854225e93bfafd69532da76d

SHA256
7a52abd49c6e9a300985786007f9554a6b5a83ecb522db8e83030bbfce50b69b

SHA512
c81ff858fd398b8302a82198f2311dcd698ecea5e6b83b3d1b3ebf77adbd81a246b679414949df17eeb170b579272afa967ed7e9afedad3d55e4cb9adf6d6a27

Download Submit
C:\Users\Admin\AppData\Local\rM4\Taskmgr.exe
MD5
d3ef2efc7232674315e0573e464e8aa7

SHA1
237ee3acc4743d05858056e09147a071b6e956e7

SHA256
feecaba50bc95bd6540e5a075693d6dc961a9d5ef86f1bfb38f7bcde6e757472

SHA512
1e03b1ad8059c28bfaa42f63626f2025cf1659266323255871a90b5ef2db9ab754ba4ffe9abe37bf3f5d92e494231c5fb81ba4d893f3a9833c2a5edf23825cc5

Download Submit
\Users\Admin\AppData\Local\8kfB\MFC42u.dll
MD5
79479712c2728940f7e69a64cea85543

SHA1
415130e52c0ee15bdc4228519990472005e0ae54

SHA256
7e81fcdf573c38d4a7f8e353a48819107b0743c7252d09b82713388718e384f2

SHA512
3af2bf66ac0020a42e50d31e134997cc8a483cb9073e9375ff0bf7c6e0b18db5c92763dafcfc88054db97f558762e98dc90105d740c96ae8f1b78f6c628cf49f

Download Submit
\Users\Admin\AppData\Local\N6bwNYy\dwmapi.dll
MD5
3cbb2ff8ab8cd912d964411bfa1fb73b

SHA1
0615a245bf0aa79fe51aea6033a1f55b7897fecd

SHA256
ce383bc0cd433869b1c36d9d890305b14f1a4574630ad28fc2c97b9b348e876b

SHA512
153b569141004c9e87afb17dc65ed86de663cd851dfcf562740bbcc3c68e0bb83657189b8e1bcf29be356e693bc1e92b4fafa3aadb17f4647e3798644b6e8bcc

Download Submit
\Users\Admin\AppData\Local\rM4\DUI70.dll
MD5
c4211bce7d6c5a8d8ae044aa45b1e624

SHA1
4b2af2c6818929b6854225e93bfafd69532da76d

SHA256
7a52abd49c6e9a300985786007f9554a6b5a83ecb522db8e83030bbfce50b69b

SHA512
c81ff858fd398b8302a82198f2311dcd698ecea5e6b83b3d1b3ebf77adbd81a246b679414949df17eeb170b579272afa967ed7e9afedad3d55e4cb9adf6d6a27

Download Submit
memory/404-182-0x0000025F72820000-0x0000025F72822000-memory.dmp

Download
memory/404-180-0x0000025F72820000-0x0000025F72822000-memory.dmp

Download
memory/404-173-0x0000000000000000-mapping.dmp

Download
memory/404-177-0x0000000140000000-0x0000000140161000-memory.dmp

Download
memory/404-181-0x0000025F72820000-0x0000025F72822000-memory.dmp

Download
memory/1108-172-0x0000013B0DAE0000-0x0000013B0DAE2000-memory.dmp

Download
memory/1108-163-0x0000000000000000-mapping.dmp

Download
memory/1108-167-0x0000000140000000-0x0000000140167000-memory.dmp

Download
memory/1108-170-0x0000013B0DAE0000-0x0000013B0DAE2000-memory.dmp

Download
memory/1108-171-0x0000013B0DAE0000-0x0000013B0DAE2000-memory.dmp

Download
memory/2108-119-0x00000000011F0000-0x00000000011F2000-memory.dmp

Download
memory/2108-120-0x00000000011E0000-0x00000000011E7000-memory.dmp

Download
memory/2108-115-0x0000000140000000-0x0000000140160000-memory.dmp

Download
memory/2108-118-0x00000000011F0000-0x00000000011F2000-memory.dmp

Download
memory/3020-135-0x0000000140000000-0x0000000140160000-memory.dmp

Download
memory/3020-147-0x0000000000D00000-0x0000000000D02000-memory.dmp

Download
memory/3020-148-0x0000000000D00000-0x0000000000D02000-memory.dmp

Download
memory/3020-149-0x00007FFF14D55000-0x00007FFF14D56000-memory.dmp

Download
memory/3020-140-0x0000000140000000-0x0000000140160000-memory.dmp

Download
memory/3020-151-0x00007FFF14E90000-0x00007FFF14E92000-memory.dmp

Download
memory/3020-141-0x0000000140000000-0x0000000140160000-memory.dmp

Download
memory/3020-139-0x0000000140000000-0x0000000140160000-memory.dmp

Download
memory/3020-138-0x0000000140000000-0x0000000140160000-memory.dmp

Download
memory/3020-137-0x0000000140000000-0x0000000140160000-memory.dmp

Download
memory/3020-136-0x0000000140000000-0x0000000140160000-memory.dmp

Download
memory/3020-134-0x0000000140000000-0x0000000140160000-memory.dmp

Download
memory/3020-133-0x0000000140000000-0x0000000140160000-memory.dmp

Download
memory/3020-132-0x0000000140000000-0x0000000140160000-memory.dmp

Download
memory/3020-131-0x0000000140000000-0x0000000140160000-memory.dmp

Download
memory/3020-130-0x0000000140000000-0x0000000140160000-memory.dmp

Download
memory/3020-129-0x0000000140000000-0x0000000140160000-memory.dmp

Download
memory/3020-183-0x0000000000D00000-0x0000000000D02000-memory.dmp

Download
memory/3020-128-0x0000000140000000-0x0000000140160000-memory.dmp

Download
memory/3020-127-0x0000000140000000-0x0000000140160000-memory.dmp

Download
memory/3020-126-0x0000000140000000-0x0000000140160000-memory.dmp

Download
memory/3020-125-0x0000000140000000-0x0000000140160000-memory.dmp

Download
memory/3020-123-0x0000000140000000-0x0000000140160000-memory.dmp

Download
memory/3020-121-0x0000000000ED0000-0x0000000000ED1000-memory.dmp

Download
memory/3020-122-0x0000000140000000-0x0000000140160000-memory.dmp

Download
memory/3020-150-0x0000000000D00000-0x0000000000D02000-memory.dmp

Download
memory/3020-124-0x0000000140000000-0x0000000140160000-memory.dmp

Download
memory/4004-160-0x000001D6D6890000-0x000001D6D6892000-memory.dmp

Download
memory/4004-159-0x000001D6D6890000-0x000001D6D6892000-memory.dmp

Download
memory/4004-156-0x0000000140000000-0x00000001401A6000-memory.dmp

Download
memory/4004-152-0x0000000000000000-mapping.dmp

Download
memory/4004-161-0x000001D6D6890000-0x000001D6D6892000-memory.dmp

Download

c595d93c190e487562ee3edb78b351567be676fa2fe73625c3e61985f656e204

Filter: none

Description

Tags

Description

Tags

Reported IOCs

Reported IOCs

Reported IOCs

Tags

TTPs

Reported IOCs

Tags

TTPs

Reported IOCs

Reported IOCs

Reported IOCs

Reported IOCs

Reported IOCs

Reported IOCs

Title