d6b765e0c278fe4383427e864d9baf366cd2ce7895cf9d038aa29c15174e2caa

max time kernel155s
max time network126s
platformwindows10_x64
resourcewin10-en-20211104
submitted26-11-2021 09:27

Report
Files
Registry
Network
Processes
Mutex
Misc

Target

d6b765e0c278fe4383427e864d9baf366cd2ce7895cf9d038aa29c15174e2caa.dll

Filesize

1MB

Completed

26-11-2021 09:30

Score

10^/10

MD5

596b0cac5ca82de0f301f5ae4f72ec31

SHA1

ef280c3f84f2aa68dac81b7c511a55d18035c644

SHA256

d6b765e0c278fe4383427e864d9baf366cd2ce7895cf9d038aa29c15174e2caa

Defense Evasion

Discovery

Persistence

Dridex

Description

Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

Tags

botnet dridex
Dridex Shellcode

Description

Detects Dridex Payload shellcode injected in Explorer process.

Tags

botnet payload

Reported IOCs

resource yara_rule

behavioral2/memory/2056-124-0x0000000001350000-0x0000000001351000-memory.dmp dridex_stager_shellcode
Executes dropped EXE
wermgr.exeRdpSa.exewextract.exe

Reported IOCs

pid process

2472 wermgr.exe
3820 RdpSa.exe
4024 wextract.exe
Loads dropped DLL
wermgr.exeRdpSa.exewextract.exe

Reported IOCs

pid process

2472 wermgr.exe
3820 RdpSa.exe
4024 wextract.exe

resource	yara_rule
behavioral2/memory/2056-124-0x0000000001350000-0x0000000001351000-memory.dmp	dridex_stager_shellcode

pid	process
2472	wermgr.exe
3820	RdpSa.exe
4024	wextract.exe

pid	process
2472	wermgr.exe
3820	RdpSa.exe
4024	wextract.exe

Adds Run key to start application

TTPs

Registry Run Keys / Startup FolderModify Registry

Reported IOCs

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ziekmjidk = "C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Extensions\\9A7XKA3eix\\RdpSa.exe"

Checks whether UAC is enabled

rundll32.exewermgr.exeRdpSa.exewextract.exe

TTPs

System Information Discovery

Reported IOCs

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wermgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RdpSa.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wextract.exe

Suspicious behavior: EnumeratesProcesses

rundll32.exe

Reported IOCs

pid	process
3592	rundll32.exe
3592	rundll32.exe
3592	rundll32.exe
3592	rundll32.exe
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056

Suspicious behavior: GetForegroundWindowSpam
rundll32.exewermgr.exeRdpSa.exewextract.exe

Reported IOCs

pid process

3592 rundll32.exe
2056
2472 wermgr.exe
3820 RdpSa.exe
4024 wextract.exe

Suspicious use of WriteProcessMemory

Reported IOCs

description	pid	target process
PID 2056 wrote to memory of 2276	2056	wermgr.exe
PID 2056 wrote to memory of 2276	2056	wermgr.exe
PID 2056 wrote to memory of 2472	2056	wermgr.exe
PID 2056 wrote to memory of 2472	2056	wermgr.exe
PID 2056 wrote to memory of 424	2056	RdpSa.exe
PID 2056 wrote to memory of 424	2056	RdpSa.exe
PID 2056 wrote to memory of 3820	2056	RdpSa.exe
PID 2056 wrote to memory of 3820	2056	RdpSa.exe
PID 2056 wrote to memory of 2204	2056	wextract.exe
PID 2056 wrote to memory of 2204	2056	wextract.exe
PID 2056 wrote to memory of 4024	2056	wextract.exe
PID 2056 wrote to memory of 4024	2056	wextract.exe

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\d6b765e0c278fe4383427e864d9baf366cd2ce7895cf9d038aa29c15174e2caa.dll,#1

Checks whether UAC is enabled
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam

PID:3592

C:\Windows\system32\wermgr.exe

C:\Windows\system32\wermgr.exe

PID:2276

C:\Users\Admin\AppData\Local\rBs9p8Ae\wermgr.exe

C:\Users\Admin\AppData\Local\rBs9p8Ae\wermgr.exe

Executes dropped EXE
Loads dropped DLL
Checks whether UAC is enabled
Suspicious behavior: GetForegroundWindowSpam

PID:2472

C:\Windows\system32\RdpSa.exe

C:\Windows\system32\RdpSa.exe

PID:424

C:\Users\Admin\AppData\Local\Lw0\RdpSa.exe

C:\Users\Admin\AppData\Local\Lw0\RdpSa.exe

Executes dropped EXE
Loads dropped DLL
Checks whether UAC is enabled
Suspicious behavior: GetForegroundWindowSpam

PID:3820

C:\Windows\system32\wextract.exe

C:\Windows\system32\wextract.exe

PID:2204

C:\Users\Admin\AppData\Local\uRyvqYs\wextract.exe

C:\Users\Admin\AppData\Local\uRyvqYs\wextract.exe

Executes dropped EXE
Loads dropped DLL
Checks whether UAC is enabled
Suspicious behavior: GetForegroundWindowSpam

PID:4024

Collection

Command and Control

Credential Access

Defense Evasion

Modify Registry

Discovery

System Information Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

00:00 00:00

C:\Users\Admin\AppData\Local\Lw0\RdpSa.exe
MD5
f1c2442f3ec5188998bf290c4cbd562a

SHA1
73fa6d853a92bfcc7671f82d3ab87ea3133bd9ad

SHA256
f6ff99a61cf82ef5889b3dd359a3bb55772439b66c710a9899eb8768c73a0a72

SHA512
310315718d7c684916f16754a1bceb9eb334c2dc8cb70634bf253b7b3d2fc8702e6ce7db52da0122a55fe53cadef1a6ec158d0056ebdbc2bcdc4832033e5d3f4

Download Submit
C:\Users\Admin\AppData\Local\Lw0\WINSTA.dll
MD5
fe826d758f4935250fda52b502759d88

SHA1
bf03ae4825c392286892ab323e3c62f259ff98ef

SHA256
98e1563768fabee13b409ad2bf045417436c01830ce25428260f035a0ad356eb

SHA512
5db5aae4b328f318b885b734466de778c65dd6a07a079a0f969e3bd2686a74500162db5f1f7cb29c423894fe3219c9dca3fe2acfcb3e828bd314590d8e9d0c27

Download Submit
C:\Users\Admin\AppData\Local\rBs9p8Ae\wer.dll
MD5
78be8742b2d9b5701e752e4dd840920f

SHA1
73868d630bab3438e876db5e4f2fcbe41103febc

SHA256
ba73ff3db6a9252b45d0ee6ea0cd7e18589397e1aa7ae5b730b3a68d190fe9fb

SHA512
1cdde53f8976554eff3b28239604e659d0e0bd210a37d3bbd5596f954e76a98cbadf843a764b3567eaf4c622a9cfa1509b00814ac2af279b7ba249b2abe53ebb

Download Submit
C:\Users\Admin\AppData\Local\rBs9p8Ae\wermgr.exe
MD5
b6b07bd48ece5e19f8fbbe3b9d4dee8b

SHA1
a9d344ae382ffaf64d7977f632d98a422b4e09fd

SHA256
ab6443218f56d9743fa4605a7696c82b016f621ddefcb3207a9aa77666a7bca1

SHA512
a0092bb7fca2160e1a9bf6db4399bfde9a15d6a885932e58152b80bfb3fb5f4d67836b1c31c261550bb5cea71f74bd985911daf624ad02f4938db2d23b76fdd4

Download Submit
C:\Users\Admin\AppData\Local\uRyvqYs\VERSION.dll
MD5
49f47433a7bb55cc616e4d8ada296b86

SHA1
27e5de766876b59b8d715ebc3370062789f4a449

SHA256
0b1dd64fbc783ab0d2c9001fcddf8d6411ee37634cdebb9dc9b0a756549f167d

SHA512
e18062d25596451a0e5c77b36118ac2fe3676c440f44e75d77c6dd4eb84043b7f2a1ace09267cf119a10aee713639b0488de5bc9a43a2aa8121e44cdb6d792fa

Download Submit
C:\Users\Admin\AppData\Local\uRyvqYs\wextract.exe
MD5
e78764b49f5806ce029cd547004493c9

SHA1
8c1f3f989913bebf827a707c04754047507a8cf3

SHA256
ab519b1c2711219a9f262b23bf72343eec3c0df4c7ddd135d30d05e700ec302e

SHA512
71040e5f0d2d409efaba70a7daaebe7a4675cb19009436a826a679671cc0d7c960498364ec7a29fb163ce8dada65218b75bebb973e6c8b194734e01970fd3a6b

Download Submit
\Users\Admin\AppData\Local\Lw0\WINSTA.dll
MD5
fe826d758f4935250fda52b502759d88

SHA1
bf03ae4825c392286892ab323e3c62f259ff98ef

SHA256
98e1563768fabee13b409ad2bf045417436c01830ce25428260f035a0ad356eb

SHA512
5db5aae4b328f318b885b734466de778c65dd6a07a079a0f969e3bd2686a74500162db5f1f7cb29c423894fe3219c9dca3fe2acfcb3e828bd314590d8e9d0c27

Download Submit
\Users\Admin\AppData\Local\rBs9p8Ae\wer.dll
MD5
78be8742b2d9b5701e752e4dd840920f

SHA1
73868d630bab3438e876db5e4f2fcbe41103febc

SHA256
ba73ff3db6a9252b45d0ee6ea0cd7e18589397e1aa7ae5b730b3a68d190fe9fb

SHA512
1cdde53f8976554eff3b28239604e659d0e0bd210a37d3bbd5596f954e76a98cbadf843a764b3567eaf4c622a9cfa1509b00814ac2af279b7ba249b2abe53ebb

Download Submit
\Users\Admin\AppData\Local\uRyvqYs\VERSION.dll
MD5
49f47433a7bb55cc616e4d8ada296b86

SHA1
27e5de766876b59b8d715ebc3370062789f4a449

SHA256
0b1dd64fbc783ab0d2c9001fcddf8d6411ee37634cdebb9dc9b0a756549f167d

SHA512
e18062d25596451a0e5c77b36118ac2fe3676c440f44e75d77c6dd4eb84043b7f2a1ace09267cf119a10aee713639b0488de5bc9a43a2aa8121e44cdb6d792fa

Download Submit
memory/2056-132-0x0000000140000000-0x000000014015B000-memory.dmp

Download
memory/2056-130-0x0000000140000000-0x000000014015B000-memory.dmp

Download
memory/2056-131-0x0000000140000000-0x000000014015B000-memory.dmp

Download
memory/2056-128-0x0000000140000000-0x000000014015B000-memory.dmp

Download
memory/2056-134-0x0000000140000000-0x000000014015B000-memory.dmp

Download
memory/2056-135-0x0000000140000000-0x000000014015B000-memory.dmp

Download
memory/2056-136-0x0000000140000000-0x000000014015B000-memory.dmp

Download
memory/2056-129-0x0000000140000000-0x000000014015B000-memory.dmp

Download
memory/2056-137-0x0000000140000000-0x000000014015B000-memory.dmp

Download
memory/2056-138-0x0000000140000000-0x000000014015B000-memory.dmp

Download
memory/2056-139-0x0000000140000000-0x000000014015B000-memory.dmp

Download
memory/2056-125-0x0000000140000000-0x000000014015B000-memory.dmp

Download
memory/2056-141-0x0000000140000000-0x000000014015B000-memory.dmp

Download
memory/2056-143-0x0000000140000000-0x000000014015B000-memory.dmp

Download
memory/2056-142-0x0000000140000000-0x000000014015B000-memory.dmp

Download
memory/2056-149-0x0000000001400000-0x0000000001402000-memory.dmp

Download
memory/2056-150-0x0000000001400000-0x0000000001402000-memory.dmp

Download
memory/2056-127-0x0000000140000000-0x000000014015B000-memory.dmp

Download
memory/2056-152-0x0000000001400000-0x0000000001402000-memory.dmp

Download
memory/2056-153-0x00007FFA00F70000-0x00007FFA00F72000-memory.dmp

Download
memory/2056-126-0x0000000140000000-0x000000014015B000-memory.dmp

Download
memory/2056-124-0x0000000001350000-0x0000000001351000-memory.dmp

Download
memory/2056-151-0x00007FFA00E35000-0x00007FFA00E36000-memory.dmp

Download
memory/2056-140-0x0000000140000000-0x000000014015B000-memory.dmp

Download
memory/2056-133-0x0000000140000000-0x000000014015B000-memory.dmp

Download
memory/2472-154-0x0000000000000000-mapping.dmp

Download
memory/2472-162-0x000001DDB89C0000-0x000001DDB89C2000-memory.dmp

Download
memory/2472-161-0x000001DDB89C0000-0x000001DDB89C2000-memory.dmp

Download
memory/2472-163-0x000001DDB89C0000-0x000001DDB89C2000-memory.dmp

Download
memory/2472-158-0x0000000140000000-0x000000014015D000-memory.dmp

Download
memory/3592-122-0x0000019756D80000-0x0000019756D82000-memory.dmp

Download
memory/3592-118-0x0000000140000000-0x000000014015B000-memory.dmp

Download
memory/3592-121-0x0000019756D80000-0x0000019756D82000-memory.dmp

Download
memory/3592-123-0x0000019756D70000-0x0000019756D77000-memory.dmp

Download
memory/3820-171-0x000001C2BD290000-0x000001C2BD292000-memory.dmp

Download
memory/3820-164-0x0000000000000000-mapping.dmp

Download
memory/3820-173-0x000001C2BD290000-0x000001C2BD292000-memory.dmp

Download
memory/3820-172-0x000001C2BD290000-0x000001C2BD292000-memory.dmp

Download
memory/4024-174-0x0000000000000000-mapping.dmp

Download
memory/4024-178-0x0000000140000000-0x000000014015C000-memory.dmp

Download
memory/4024-181-0x000001E961170000-0x000001E961172000-memory.dmp

Download
memory/4024-182-0x000001E961170000-0x000001E961172000-memory.dmp

Download
memory/4024-183-0x000001E961170000-0x000001E961172000-memory.dmp

Download

d6b765e0c278fe4383427e864d9baf366cd2ce7895cf9d038aa29c15174e2caa

Filter: none

Description

Tags

Description

Tags

Reported IOCs

Reported IOCs

Reported IOCs

Tags

TTPs

Reported IOCs

Tags

TTPs

Reported IOCs

Reported IOCs

Reported IOCs

Reported IOCs

Title