Analysis

  • max time kernel: 155s
  • max time network: 134s
  • platform: windows10_x64
  • resource: win10-en-20211014
  • submitted: 26-11-2021 09:28

General

  • Target: 17f1c7f8add9b69cb52bee6eb8c572c2a482078a91f9cc52710e60c43efbb7d3.dll
  • Size: 1MB
  • MD5: 5f5c07488e5abf8dfc6e7fe4186c3560
  • SHA1: 736fbf758cc7b79f7c67fb6df47ed96fcd5a641d
  • SHA256: 17f1c7f8add9b69cb52bee6eb8c572c2a482078a91f9cc52710e60c43efbb7d3
  • SHA512: 053d5770731ad4b585dc0efb6251109f4c96e216f9c225780c7c33c46514c748e1fe3b4045cce0dbc6ffb6943662fcb4515fa800fcd9e906675ccb8030f5df4a

Malware Config

Signatures

  • Dridex

    Dridex (known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode (1 IoC)

    Detects Dridex payload shellcode injected into the Explorer process.

  • Executes dropped EXE (3 IoCs)
  • Loads dropped DLL (3 IoCs)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Checks whether UAC is enabled (1 TTP, 4 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious use of WriteProcessMemory (12 IoCs)

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\17f1c7f8add9b69cb52bee6eb8c572c2a482078a91f9cc52710e60c43efbb7d3.dll,#1
    PID: 3308
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
  • C:\Windows\system32\BitLockerWizardElev.exe
    C:\Windows\system32\BitLockerWizardElev.exe
    PID: 3980
  • C:\Users\Admin\AppData\Local\1Q0MoMnvL\BitLockerWizardElev.exe
    C:\Users\Admin\AppData\Local\1Q0MoMnvL\BitLockerWizardElev.exe
    PID: 3944
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
  • C:\Windows\system32\CloudStorageWizard.exe
    C:\Windows\system32\CloudStorageWizard.exe
    PID: 592
  • C:\Users\Admin\AppData\Local\Rlq\CloudStorageWizard.exe
    C:\Users\Admin\AppData\Local\Rlq\CloudStorageWizard.exe
    PID: 1224
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
  • C:\Windows\system32\sigverif.exe
    C:\Windows\system32\sigverif.exe
    PID: 1888
  • C:\Users\Admin\AppData\Local\zok\sigverif.exe
    C:\Users\Admin\AppData\Local\zok\sigverif.exe
    PID: 1908
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence: Registry Run Keys / Startup Folder (1) T1060
  • Defense Evasion: Modify Registry (1) T1112
  • Discovery: System Information Discovery (1) T1082

Downloads

  • C:\Users\Admin\AppData\Local\1Q0MoMnvL\BitLockerWizardElev.exe
    MD5: 43d63950e411885e21eeb33a7f33dc85
    SHA1: aa5489c400ae898ba8590e7198846ca51d4ae872
    SHA256: 82f381697c3ea8df147de184892751a5c99475617c245b3caece870bb0a5418a
    SHA512: 65b87ecb21289f3ce72f8ea00e877f6023551d4ba5f62e27ac00df7376c1f1d3d612419fac54211a91383b016e03a7f82ac8bc0beaa10262767538dba09423ca

  • C:\Users\Admin\AppData\Local\1Q0MoMnvL\FVEWIZ.dll
    MD5: 91a4f815d8434820258973109ad1b1d8
    SHA1: 16986a178590c680b11c408060a6072e2a24e147
    SHA256: 069e068cb913e2134463c99550e4b1bd7e74ad3251adc4536ad254e5efe6f923
    SHA512: 2c69d496e4ac51a1af2b75d0c36e4a371c0c2c323b566b66bad88092dd0bbc58ec8f8adfff4ecf452cfef5825dfd01b99ab32394d523acea1068f449f102365d

  • C:\Users\Admin\AppData\Local\Rlq\CloudStorageWizard.exe
    MD5: b11d2d85645265e5fcb9e5a18a775ba6
    SHA1: cd7f2899a6c23d63724cb89db0eb3cd09a879240
    SHA256: be0e80ed36b0b257cf1aebb083934bd8a468ad2535fe5fb3e70c1b7e258143a9
    SHA512: 96835dfab6e2142b21eca1b4ce5744a9aec3b751ca56932a029c54dab5a3099678440100e6b66dcd0b35a56742a59ee0b1b40a46bf8ce22e3d34482cc66ad08a

  • C:\Users\Admin\AppData\Local\Rlq\DUI70.dll
    MD5: 48eec21e99f1de2a2426234ff8707662
    SHA1: 4795af2f2425f90b2c5db550d034b651a0d57cf6
    SHA256: 44901828d201f856b0581c7dff7a0a4c9ab3eb18d9ef504e6f4b8c73ca1d8ba7
    SHA512: 56bba3f42863ecb28c7329ecdae986433911dd3225429f903da2e2abaa7fe8201224659cd911f5b9e5918a15030e9d5fb1b0bf03a8ee512256ead5bc728ab52e

  • C:\Users\Admin\AppData\Local\zok\VERSION.dll
    MD5: 50dd1d9592319354a84d1ce93cd915d5
    SHA1: 6e342ecb9ae86015eaf3be7aa58ad96dee462f05
    SHA256: 9718eb0651cf334482f3008d2fc79f7f760f93317acc7cbcba47b5dfcb2b7bef
    SHA512: f2cb0208e885c96a9ff566a9d6259459ee4392b9f3f7f542e40ccbd10658c021568a6ffdfa8f3a7218690588952de2766175f76879c00f8528765ca5d7c31f01

  • C:\Users\Admin\AppData\Local\zok\sigverif.exe
    MD5: 92f7917624a4349f7b6041d08ae29714
    SHA1: eac68bc72ed4d8634a59a1a37faefa4f8327bd2f
    SHA256: a57403e41c7178403981cd384f6096f12092dee68d3dfbd92f94661f613dfcab
    SHA512: 20eb8366a8285a7d19a8d860038364a625b9b7de5e9d87ed59d2580ab4d5658b6d09d9220f6b0a6291151145373f3e0ff8ac46609c6b4a4aafecc8f2670ac56d
