d6b765e0c278fe4383427e864d9baf366cd2ce7895cf9d038aa29c15174e2caa

General

  Target      d6b765e0c278fe4383427e864d9baf366cd2ce7895cf9d038aa29c15174e2caa.dll
  Filesize    1MB
  Completed   26-11-2021 09:30
  Score       10/10
  MD5         596b0cac5ca82de0f301f5ae4f72ec31
  SHA1        ef280c3f84f2aa68dac81b7c511a55d18035c644
  SHA256      d6b765e0c278fe4383427e864d9baf366cd2ce7895cf9d038aa29c15174e2caa

Signatures (9)

Tactics: Defense Evasion, Discovery, Persistence
  • Dridex

    Description

    Dridex (known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode

    Description

    Detects Dridex payload shellcode injected into the Explorer process.

    Reported IOCs

    resource                                                                      yara_rule
    behavioral2/memory/2056-124-0x0000000001350000-0x0000000001351000-memory.dmp  dridex_stager_shellcode
  • Executes dropped EXE
    wermgr.exe, RdpSa.exe, wextract.exe

    Reported IOCs

    pid    process
    2472   wermgr.exe
    3820   RdpSa.exe
    4024   wextract.exe
  • Loads dropped DLL
    wermgr.exe, RdpSa.exe, wextract.exe

    Reported IOCs

    pid    process
    2472   wermgr.exe
    3820   RdpSa.exe
    4024   wextract.exe
  • Adds Run key to start application

    TTPs

    Registry Run Keys / Startup Folder; Modify Registry

    Reported IOCs

    description      ioc                                                                                                                                                                                                                  process
    Set value (str)  \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ziekmjidk = "C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Extensions\\9A7XKA3eix\\RdpSa.exe"
  • Checks whether UAC is enabled
    rundll32.exe, wermgr.exe, RdpSa.exe, wextract.exe

    TTPs

    System Information Discovery

    Reported IOCs

    description        ioc                                                                                   process
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  wermgr.exe
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  RdpSa.exe
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  wextract.exe
  • Suspicious behavior: EnumeratesProcesses
    rundll32.exe

    Reported IOCs

    pid    process
    3592   rundll32.exe   (4 identical rows)
    2056                  (60 identical rows)
  • Suspicious behavior: GetForegroundWindowSpam
    rundll32.exe, wermgr.exe, RdpSa.exe, wextract.exe

    Reported IOCs

    pid    process
    3592   rundll32.exe
    2056
    2472   wermgr.exe
    3820   RdpSa.exe
    4024   wextract.exe
  • Suspicious use of WriteProcessMemory

    Reported IOCs

    description                        pid    process  target process
    PID 2056 wrote to memory of 2276   2056            wermgr.exe
    PID 2056 wrote to memory of 2472   2056            wermgr.exe
    PID 2056 wrote to memory of 424    2056            RdpSa.exe
    PID 2056 wrote to memory of 3820   2056            RdpSa.exe
    PID 2056 wrote to memory of 2204   2056            wextract.exe
    PID 2056 wrote to memory of 4024   2056            wextract.exe
    (each row reported twice)
Processes (7)

  • C:\Windows\system32\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\d6b765e0c278fe4383427e864d9baf366cd2ce7895cf9d038aa29c15174e2caa.dll,#1
    Checks whether UAC is enabled
    Suspicious behavior: EnumeratesProcesses
    Suspicious behavior: GetForegroundWindowSpam
    PID: 3592
  • C:\Windows\system32\wermgr.exe
    Command line: C:\Windows\system32\wermgr.exe
    PID: 2276
  • C:\Users\Admin\AppData\Local\rBs9p8Ae\wermgr.exe
    Command line: C:\Users\Admin\AppData\Local\rBs9p8Ae\wermgr.exe
    Executes dropped EXE
    Loads dropped DLL
    Checks whether UAC is enabled
    Suspicious behavior: GetForegroundWindowSpam
    PID: 2472
  • C:\Windows\system32\RdpSa.exe
    Command line: C:\Windows\system32\RdpSa.exe
    PID: 424
  • C:\Users\Admin\AppData\Local\Lw0\RdpSa.exe
    Command line: C:\Users\Admin\AppData\Local\Lw0\RdpSa.exe
    Executes dropped EXE
    Loads dropped DLL
    Checks whether UAC is enabled
    Suspicious behavior: GetForegroundWindowSpam
    PID: 3820
  • C:\Windows\system32\wextract.exe
    Command line: C:\Windows\system32\wextract.exe
    PID: 2204
  • C:\Users\Admin\AppData\Local\uRyvqYs\wextract.exe
    Command line: C:\Users\Admin\AppData\Local\uRyvqYs\wextract.exe
    Executes dropped EXE
    Loads dropped DLL
    Checks whether UAC is enabled
    Suspicious behavior: GetForegroundWindowSpam
    PID: 4024
Downloads

  • C:\Users\Admin\AppData\Local\Lw0\RdpSa.exe
    MD5     f1c2442f3ec5188998bf290c4cbd562a
    SHA1    73fa6d853a92bfcc7671f82d3ab87ea3133bd9ad
    SHA256  f6ff99a61cf82ef5889b3dd359a3bb55772439b66c710a9899eb8768c73a0a72
    SHA512  310315718d7c684916f16754a1bceb9eb334c2dc8cb70634bf253b7b3d2fc8702e6ce7db52da0122a55fe53cadef1a6ec158d0056ebdbc2bcdc4832033e5d3f4

  • C:\Users\Admin\AppData\Local\Lw0\WINSTA.dll
    MD5     fe826d758f4935250fda52b502759d88
    SHA1    bf03ae4825c392286892ab323e3c62f259ff98ef
    SHA256  98e1563768fabee13b409ad2bf045417436c01830ce25428260f035a0ad356eb
    SHA512  5db5aae4b328f318b885b734466de778c65dd6a07a079a0f969e3bd2686a74500162db5f1f7cb29c423894fe3219c9dca3fe2acfcb3e828bd314590d8e9d0c27

  • C:\Users\Admin\AppData\Local\rBs9p8Ae\wer.dll
    MD5     78be8742b2d9b5701e752e4dd840920f
    SHA1    73868d630bab3438e876db5e4f2fcbe41103febc
    SHA256  ba73ff3db6a9252b45d0ee6ea0cd7e18589397e1aa7ae5b730b3a68d190fe9fb
    SHA512  1cdde53f8976554eff3b28239604e659d0e0bd210a37d3bbd5596f954e76a98cbadf843a764b3567eaf4c622a9cfa1509b00814ac2af279b7ba249b2abe53ebb

  • C:\Users\Admin\AppData\Local\rBs9p8Ae\wermgr.exe
    MD5     b6b07bd48ece5e19f8fbbe3b9d4dee8b
    SHA1    a9d344ae382ffaf64d7977f632d98a422b4e09fd
    SHA256  ab6443218f56d9743fa4605a7696c82b016f621ddefcb3207a9aa77666a7bca1
    SHA512  a0092bb7fca2160e1a9bf6db4399bfde9a15d6a885932e58152b80bfb3fb5f4d67836b1c31c261550bb5cea71f74bd985911daf624ad02f4938db2d23b76fdd4

  • C:\Users\Admin\AppData\Local\uRyvqYs\VERSION.dll
    MD5     49f47433a7bb55cc616e4d8ada296b86
    SHA1    27e5de766876b59b8d715ebc3370062789f4a449
    SHA256  0b1dd64fbc783ab0d2c9001fcddf8d6411ee37634cdebb9dc9b0a756549f167d
    SHA512  e18062d25596451a0e5c77b36118ac2fe3676c440f44e75d77c6dd4eb84043b7f2a1ace09267cf119a10aee713639b0488de5bc9a43a2aa8121e44cdb6d792fa

  • C:\Users\Admin\AppData\Local\uRyvqYs\wextract.exe
    MD5     e78764b49f5806ce029cd547004493c9
    SHA1    8c1f3f989913bebf827a707c04754047507a8cf3
    SHA256  ab519b1c2711219a9f262b23bf72343eec3c0df4c7ddd135d30d05e700ec302e
    SHA512  71040e5f0d2d409efaba70a7daaebe7a4675cb19009436a826a679671cc0d7c960498364ec7a29fb163ce8dada65218b75bebb973e6c8b194734e01970fd3a6b
