Analysis

  • max time kernel
    151s
  • max time network
    126s
  • platform
    windows10_x64
  • resource
    win10-en-20211014
  • submitted
    26-11-2021 09:27

General

  • Target

    494d90eeeb3acbdcf85d81839a17e2cf4843713b12fa03fe3ebaaff3711807b3.dll

  • Size

    1.4MB

  • MD5

    aec8754bce47765e6d1ff6641449f71b

  • SHA1

    00de05368600c975e06c625974489e683177e331

  • SHA256

    494d90eeeb3acbdcf85d81839a17e2cf4843713b12fa03fe3ebaaff3711807b3

  • SHA512

    189971741bb1933c3c306bc423ad2d252bbefe00cc272c9733253afacd8eceb9f0a7efb37d9a742df85df6093b6d4be31475f993972c91fe5d02586063264c84

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex payload shellcode injected into the Explorer process.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 5 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\494d90eeeb3acbdcf85d81839a17e2cf4843713b12fa03fe3ebaaff3711807b3.dll,#1
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    PID:2480
  • C:\Windows\system32\SnippingTool.exe
    C:\Windows\system32\SnippingTool.exe
    PID:1188
    • C:\Users\Admin\AppData\Local\lns2\SnippingTool.exe
      C:\Users\Admin\AppData\Local\lns2\SnippingTool.exe
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      • Suspicious behavior: GetForegroundWindowSpam
      PID:2660
    • C:\Windows\system32\SysResetErr.exe
      C:\Windows\system32\SysResetErr.exe
      PID:2340
      • C:\Users\Admin\AppData\Local\ysor3L\SysResetErr.exe
        C:\Users\Admin\AppData\Local\ysor3L\SysResetErr.exe
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        • Suspicious behavior: GetForegroundWindowSpam
        PID:2916
      • C:\Windows\system32\phoneactivate.exe
        C:\Windows\system32\phoneactivate.exe
        PID:2832
        • C:\Users\Admin\AppData\Local\jTfO6wz\phoneactivate.exe
          C:\Users\Admin\AppData\Local\jTfO6wz\phoneactivate.exe
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          • Suspicious behavior: GetForegroundWindowSpam
          PID:1496

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence: Registry Run Keys / Startup Folder (T1060), 1
  • Defense Evasion: Modify Registry (T1112), 1
  • Discovery: System Information Discovery (T1082), 1


Downloads

  • C:\Users\Admin\AppData\Local\jTfO6wz\SLC.dll
    MD5: bcb40c2c284ae6d77cd66dbd7c372b3d
    SHA1: 348fce6496e4bdba941aab6b6099330a8c30200d
    SHA256: 8f8aaf4939e19aa5f3b800a7ee649688690eb5babb3f8d7465e631c75efdd95c
    SHA512: fcaccd2b7948d3ae847d68031c66ef17b62982826f33a8a814cb33f4550ba18d3238489b34187b5a37cd5106e7b854bd3fc4d10b24b8ad8c356f1b029b7a4dcf

  • C:\Users\Admin\AppData\Local\jTfO6wz\phoneactivate.exe
    MD5: c2bc59e307f825237dce846049fda140
    SHA1: 30bf767297d2f3a833f57443fbf5dc02c80030bd
    SHA256: 3a373641d048ef5964efa2d80248e8d441cfcd93b47961e0ed586c1609069c41
    SHA512: f4d9aec2b1c24cc8e8094abf561a181659afd86054422d32a67b7dd0b95e0ec710ea5a43a44e610bf94df3c817fca9fc620032e0dbd88e824766ef0e3e1c3b42

  • C:\Users\Admin\AppData\Local\lns2\SnippingTool.exe
    MD5: e40c6c256043c143f7b8cdca70f69f4f
    SHA1: 129f4f0257715715d50fd7b7129ce231771ae1ea
    SHA256: 76610fec5aabe77401425bc8a437f58e9307b636197ffd048ece9e02e955f88d
    SHA512: fb83e4feb112cbee5fb922178795df1f02f29cbe009d8b3b4d9b4f1a62c08d184a64df52e57ee3d4d8be839621f875a5279d15f39b94ff3a987a863fa4d743ba

  • C:\Users\Admin\AppData\Local\lns2\dwmapi.dll
    MD5: c3ccf6bf67cf648b0f8110591cf5658b
    SHA1: a22171b90e39fd7f0f1fab60ecf416d6d6523b23
    SHA256: ab0a2b06ae9e81d96a8520b1107e79c01490d067c512dfa33b1540161ff25ea8
    SHA512: 0a81b808c2ae69757b00f861f32b035621484d865f20c8bb61242b1173b58b18d9805b199743ea689def6d40175aed5d673b763a462c7f5a4c50499110bd3806

  • C:\Users\Admin\AppData\Local\ysor3L\DUI70.dll
    MD5: 3fa695440098e1a7955beb97f49b747e
    SHA1: fd3217b4d8c3d53e6ed7ec2191e2232730dec17b
    SHA256: 4cde9d22ba0d21ce731833842ced8e719fa87fc826a1206b150b300163583a3b
    SHA512: 1f3253c47669a4a746766d7899f6ff248deec0e8c1473b6e3133e1e93d477b2123a771cf0836f0b586c6f0943e37a55eec02a26104b8a16f1ee0577874a5dec2

  • C:\Users\Admin\AppData\Local\ysor3L\SysResetErr.exe
    MD5: 432557a19cef7e1c23a4dcc7d148b712
    SHA1: b26c19de3b32108f8ac9307c30027e635615fc65
    SHA256: f519aba77298a8c04f3e9c8f5f1b40c8de05e41898f13033f337e13e05d4282a
    SHA512: 542e71740094ea810651901ec23f06c495e0c2d57fae09d6dd9730e11650843ade34eeba0b2816df025179c597825129b3a26a0007c75e10f1a8857340452ff7

