aa13ee7937305e18ac2da00c90a73476f802ba0ae72863a811dd7bcb29eff095

General

  Target:    aa13ee7937305e18ac2da00c90a73476f802ba0ae72863a811dd7bcb29eff095.dll
  Filesize:  1MB
  Completed: 26-11-2021 09:32
  Score:     10/10
  MD5:       29534b5fb245c4b5ff146d14d9da9c54
  SHA1:      fbaa21729651810b5db05e4c421b4bd269ea3825
  SHA256:    aa13ee7937305e18ac2da00c90a73476f802ba0ae72863a811dd7bcb29eff095

Malware Config

Signatures 9

Tactics: Defense Evasion, Discovery, Persistence
  • Dridex

    Description

    Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode

    Description

    Detects Dridex payload shellcode injected into the Explorer process.

    Reported IOCs

    resource                                                                     yara_rule
    behavioral1/memory/1400-60-0x00000000029D0000-0x00000000029D1000-memory.dmp  dridex_stager_shellcode
  • Executes dropped EXE
    Processes: BitLockerWizard.exe, sigverif.exe, msra.exe

    Reported IOCs

    pid   process
    1056  BitLockerWizard.exe
    1232  sigverif.exe
    1792  msra.exe
  • Loads dropped DLL
    Processes: BitLockerWizard.exe, sigverif.exe, msra.exe

    Reported IOCs

    pid   process
    1400  (not listed)
    1056  BitLockerWizard.exe
    1400  (not listed)
    1232  sigverif.exe
    1400  (not listed)
    1792  msra.exe
    1400  (not listed)
  • Adds Run key to start application

    TTPs

    Registry Run Keys / Startup Folder; Modify Registry

    Reported IOCs

    description: Set value (str)
    ioc:         \REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Windows\CurrentVersion\Run\Myzdcwow = "C:\\Users\\Admin\\AppData\\Roaming\\MACROM~1\\FLASHP~1\\#SHARE~1\\MFWXZM~1\\sigverif.exe"
    process:     (not listed)
  • Checks whether UAC is enabled
    Processes: rundll32.exe, BitLockerWizard.exe, sigverif.exe, msra.exe

    TTPs

    System Information Discovery

    Reported IOCs

    description        ioc                                                                                    process
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  BitLockerWizard.exe
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  sigverif.exe
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  msra.exe
  • Suspicious behavior: EnumeratesProcesses
    Processes: rundll32.exe, BitLockerWizard.exe, sigverif.exe

    Reported IOCs (identical consecutive rows collapsed; count gives the number of reported events)

    pid   process              count
    860   rundll32.exe         3
    1400  (not listed)         26
    1056  BitLockerWizard.exe  2
    1400  (not listed)         27
    1232  sigverif.exe         2
    1400  (not listed)         4
  • Suspicious behavior: GetForegroundWindowSpam

    Reported IOCs

    pid   process
    1400  (not listed)
  • Suspicious use of WriteProcessMemory

    Reported IOCs (identical consecutive rows collapsed; count gives the number of reported events)

    description                       pid   process       target process       count
    PID 1400 wrote to memory of 1192  1400  (not listed)  BitLockerWizard.exe  3
    PID 1400 wrote to memory of 1056  1400  (not listed)  BitLockerWizard.exe  3
    PID 1400 wrote to memory of 1652  1400  (not listed)  sigverif.exe         3
    PID 1400 wrote to memory of 1232  1400  (not listed)  sigverif.exe         3
    PID 1400 wrote to memory of 996   1400  (not listed)  msra.exe             3
    PID 1400 wrote to memory of 1792  1400  (not listed)  msra.exe             3
Processes 7
  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\aa13ee7937305e18ac2da00c90a73476f802ba0ae72863a811dd7bcb29eff095.dll,#1
    Checks whether UAC is enabled
    Suspicious behavior: EnumeratesProcesses
    PID:860
  • C:\Windows\system32\BitLockerWizard.exe
    C:\Windows\system32\BitLockerWizard.exe
    PID:1192
  • C:\Users\Admin\AppData\Local\v8KH\BitLockerWizard.exe
    C:\Users\Admin\AppData\Local\v8KH\BitLockerWizard.exe
    Executes dropped EXE
    Loads dropped DLL
    Checks whether UAC is enabled
    Suspicious behavior: EnumeratesProcesses
    PID:1056
  • C:\Windows\system32\sigverif.exe
    C:\Windows\system32\sigverif.exe
    PID:1652
  • C:\Users\Admin\AppData\Local\4CNOY\sigverif.exe
    C:\Users\Admin\AppData\Local\4CNOY\sigverif.exe
    Executes dropped EXE
    Loads dropped DLL
    Checks whether UAC is enabled
    Suspicious behavior: EnumeratesProcesses
    PID:1232
  • C:\Windows\system32\msra.exe
    C:\Windows\system32\msra.exe
    PID:996
  • C:\Users\Admin\AppData\Local\CamZ2q\msra.exe
    C:\Users\Admin\AppData\Local\CamZ2q\msra.exe
    Executes dropped EXE
    Loads dropped DLL
    Checks whether UAC is enabled
    PID:1792
Network

MITRE ATT&CK Matrix

Collection, Command and Control, Credential Access, Defense Evasion, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Privilege Escalation

Downloads
  • C:\Users\Admin\AppData\Local\4CNOY\VERSION.dll
    MD5:    5a2f5e3a29b9293b8e1e8e2579700c7c
    SHA1:   4fe35a53da55cdc65a0a638e81144d374d1620ec
    SHA256: 99db4d45c48313415daaa723b4f8a834b0222434169d8a7d974adb134b516170
    SHA512: f56a3bd860f713df487bf3f1fd9440129fc2cfd8644592c319b323fef47bb1325a5e4baeef790b04a4b93567a1474cff6f2a25e8b367fe75523d3a34ed6b0036

  • C:\Users\Admin\AppData\Local\4CNOY\sigverif.exe
    MD5:    e8e95ae5534553fc055051cee99a7f55
    SHA1:   4e0f668849fd546edd083d5981ed685d02a68df4
    SHA256: 9e107fd99892d08b15c223ac17c49af75a4cbca41b5e939bb91c9dca9f0d0bec
    SHA512: 5d3c32d136a264b6d2cfba4602e4d8f75e55ba0e199e0e81d7a515c34d8b9237db29647c10ab79081173010ff8e2c6a59b652c0a9cfa796433aed2d200f02da6

  • C:\Users\Admin\AppData\Local\CamZ2q\NDFAPI.DLL
    MD5:    e11d74926cefed9e27d115b5eb723e08
    SHA1:   0cc12f4f94e7e627ed4ecf1df849e3eeb1395d11
    SHA256: dde36be42dc196582998e211975e36ab9f8a1a4840821e266887a3fe9e0d6bbf
    SHA512: 8422bcdaaf7699cdb8bdf20a6fe77dd30fc7ef580850f9c4cc693cb96ff5370d604141cbe076667e2b4306e301ae0143887d45fc02ea1e909e18fb0a0dc6433e

  • C:\Users\Admin\AppData\Local\CamZ2q\msra.exe
    MD5:    e79df53bad587e24b3cf965a5746c7b6
    SHA1:   87a97ec159a3fc1db211f3c2c62e4d60810e7a70
    SHA256: 4e7c22648acf664ab13dfeb2dc062ae90af1e6c621186981f395fb279bbc9b9d
    SHA512: 9a329c39ce0bc5aede01e96c4190cc7ccd17729fbc3a2b6df73057be8efaa3fa92cfef6e26a25bde6f7f94f64f6d6d0e4c5459aef2aead367e43178dd275acfb

  • C:\Users\Admin\AppData\Local\v8KH\BitLockerWizard.exe
    MD5:    08a761595ad21d152db2417d6fdb239a
    SHA1:   d84c1bc2e8c9afce9fb79916df9bca169f93a936
    SHA256: ec0b9e5f29a43f9db44fa76b85701058f26776ab974044c1d4741591b74d0620
    SHA512: 8b07828e9c0edf09277f89294b8e1a54816f6f3d1fe132b3eb70370b81feb82d056ec31566793bd6f451725f79c3b4aeedb15a83216115e00943e0c19cab37c9

  • C:\Users\Admin\AppData\Local\v8KH\FVEWIZ.dll
    MD5:    c525cea0097e06727f4f95fe070ec242
    SHA1:   8bc2dab6eaef3476bc43378f20125d912fbb87af
    SHA256: b68e5ce6b0363bc6cbe7167af733d89c125544bc6a2330c04e012ee65a0ecaf8
    SHA512: e5cb93d2240186820ad4ea89c659b841b52cee47100914d3370127c20b315b1b390992ff8b3535a265a21dc986184673fc209af65775abf3f2726a3c96292f99

  • \Users\Admin\AppData\Local\4CNOY\VERSION.dll
    MD5:    5a2f5e3a29b9293b8e1e8e2579700c7c
    SHA1:   4fe35a53da55cdc65a0a638e81144d374d1620ec
    SHA256: 99db4d45c48313415daaa723b4f8a834b0222434169d8a7d974adb134b516170
    SHA512: f56a3bd860f713df487bf3f1fd9440129fc2cfd8644592c319b323fef47bb1325a5e4baeef790b04a4b93567a1474cff6f2a25e8b367fe75523d3a34ed6b0036

  • \Users\Admin\AppData\Local\4CNOY\sigverif.exe
    MD5:    e8e95ae5534553fc055051cee99a7f55
    SHA1:   4e0f668849fd546edd083d5981ed685d02a68df4
    SHA256: 9e107fd99892d08b15c223ac17c49af75a4cbca41b5e939bb91c9dca9f0d0bec
    SHA512: 5d3c32d136a264b6d2cfba4602e4d8f75e55ba0e199e0e81d7a515c34d8b9237db29647c10ab79081173010ff8e2c6a59b652c0a9cfa796433aed2d200f02da6

  • \Users\Admin\AppData\Local\CamZ2q\NDFAPI.DLL
    MD5:    e11d74926cefed9e27d115b5eb723e08
    SHA1:   0cc12f4f94e7e627ed4ecf1df849e3eeb1395d11
    SHA256: dde36be42dc196582998e211975e36ab9f8a1a4840821e266887a3fe9e0d6bbf
    SHA512: 8422bcdaaf7699cdb8bdf20a6fe77dd30fc7ef580850f9c4cc693cb96ff5370d604141cbe076667e2b4306e301ae0143887d45fc02ea1e909e18fb0a0dc6433e

  • \Users\Admin\AppData\Local\CamZ2q\msra.exe
    MD5:    e79df53bad587e24b3cf965a5746c7b6
    SHA1:   87a97ec159a3fc1db211f3c2c62e4d60810e7a70
    SHA256: 4e7c22648acf664ab13dfeb2dc062ae90af1e6c621186981f395fb279bbc9b9d
    SHA512: 9a329c39ce0bc5aede01e96c4190cc7ccd17729fbc3a2b6df73057be8efaa3fa92cfef6e26a25bde6f7f94f64f6d6d0e4c5459aef2aead367e43178dd275acfb

  • \Users\Admin\AppData\Local\v8KH\BitLockerWizard.exe
    MD5:    08a761595ad21d152db2417d6fdb239a
    SHA1:   d84c1bc2e8c9afce9fb79916df9bca169f93a936
    SHA256: ec0b9e5f29a43f9db44fa76b85701058f26776ab974044c1d4741591b74d0620
    SHA512: 8b07828e9c0edf09277f89294b8e1a54816f6f3d1fe132b3eb70370b81feb82d056ec31566793bd6f451725f79c3b4aeedb15a83216115e00943e0c19cab37c9

  • \Users\Admin\AppData\Local\v8KH\FVEWIZ.dll
    MD5:    c525cea0097e06727f4f95fe070ec242
    SHA1:   8bc2dab6eaef3476bc43378f20125d912fbb87af
    SHA256: b68e5ce6b0363bc6cbe7167af733d89c125544bc6a2330c04e012ee65a0ecaf8
    SHA512: e5cb93d2240186820ad4ea89c659b841b52cee47100914d3370127c20b315b1b390992ff8b3535a265a21dc986184673fc209af65775abf3f2726a3c96292f99

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\G3\msra.exe
    MD5:    e79df53bad587e24b3cf965a5746c7b6
    SHA1:   87a97ec159a3fc1db211f3c2c62e4d60810e7a70
    SHA256: 4e7c22648acf664ab13dfeb2dc062ae90af1e6c621186981f395fb279bbc9b9d
    SHA512: 9a329c39ce0bc5aede01e96c4190cc7ccd17729fbc3a2b6df73057be8efaa3fa92cfef6e26a25bde6f7f94f64f6d6d0e4c5459aef2aead367e43178dd275acfb
