aa13ee7937305e18ac2da00c90a73476f802ba0ae72863a811dd7bcb29eff095

General
Target:     aa13ee7937305e18ac2da00c90a73476f802ba0ae72863a811dd7bcb29eff095.dll
Filesize:   1MB
Completed:  26-11-2021 09:32
Score:      10/10
MD5:        29534b5fb245c4b5ff146d14d9da9c54
SHA1:       fbaa21729651810b5db05e4c421b4bd269ea3825
SHA256:     aa13ee7937305e18ac2da00c90a73476f802ba0ae72863a811dd7bcb29eff095

Signatures (9)
Tactics: Defense Evasion, Discovery, Persistence

  • Dridex

    Description
    Dridex (known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode

    Description
    Detects Dridex Payload shellcode injected in Explorer process.

    Reported IOCs
    resource                                                                      yara_rule
    behavioral2/memory/3032-122-0x0000000000FD0000-0x0000000000FD1000-memory.dmp  dridex_stager_shellcode

  • Executes dropped EXE
    Processes: SystemPropertiesRemote.exe, WMPDMC.exe, isoburn.exe

    Reported IOCs
    pid   process
    1300  SystemPropertiesRemote.exe
    1832  WMPDMC.exe
    1612  isoburn.exe

  • Loads dropped DLL
    Processes: SystemPropertiesRemote.exe, WMPDMC.exe, isoburn.exe

    Reported IOCs
    pid   process
    1300  SystemPropertiesRemote.exe
    1832  WMPDMC.exe
    1612  isoburn.exe

  • Adds Run key to start application

    TTPs
    Registry Run Keys / Startup Folder; Modify Registry

    Reported IOCs
    description      ioc                                                                                                                                   process
    Set value (str)  \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\Slqggwbvaxk = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\ADMINI~1\\cVtC3\\WMPDMC.exe"

  • Checks whether UAC is enabled
    Processes: rundll32.exe, SystemPropertiesRemote.exe, WMPDMC.exe, isoburn.exe

    TTPs
    System Information Discovery

    Reported IOCs
    description        ioc                                                                                  process
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  SystemPropertiesRemote.exe
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  WMPDMC.exe
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  isoburn.exe

  • Suspicious behavior: EnumeratesProcesses
    Processes: rundll32.exe, SystemPropertiesRemote.exe

    Reported IOCs
    pid   process
    3704  rundll32.exe
    3032
    1300  SystemPropertiesRemote.exe

  • Suspicious behavior: GetForegroundWindowSpam

    Reported IOCs
    pid   process
    3032

  • Suspicious use of WriteProcessMemory

    Reported IOCs
    description                       pid   process  target process
    PID 3032 wrote to memory of 1172  3032           SystemPropertiesRemote.exe
    PID 3032 wrote to memory of 1300  3032           SystemPropertiesRemote.exe
    PID 3032 wrote to memory of 1848  3032           WMPDMC.exe
    PID 3032 wrote to memory of 1832  3032           WMPDMC.exe
    PID 3032 wrote to memory of 404   3032           isoburn.exe
    PID 3032 wrote to memory of 1612  3032           isoburn.exe
Processes (7)
  • C:\Windows\system32\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\aa13ee7937305e18ac2da00c90a73476f802ba0ae72863a811dd7bcb29eff095.dll,#1
    Signatures: Checks whether UAC is enabled; Suspicious behavior: EnumeratesProcesses
    PID: 3704
  • C:\Windows\system32\SystemPropertiesRemote.exe
    Command line: C:\Windows\system32\SystemPropertiesRemote.exe
    PID: 1172
  • C:\Users\Admin\AppData\Local\vMk\SystemPropertiesRemote.exe
    Command line: C:\Users\Admin\AppData\Local\vMk\SystemPropertiesRemote.exe
    Signatures: Executes dropped EXE; Loads dropped DLL; Checks whether UAC is enabled; Suspicious behavior: EnumeratesProcesses
    PID: 1300
  • C:\Windows\system32\WMPDMC.exe
    Command line: C:\Windows\system32\WMPDMC.exe
    PID: 1848
  • C:\Users\Admin\AppData\Local\SMgTf\WMPDMC.exe
    Command line: C:\Users\Admin\AppData\Local\SMgTf\WMPDMC.exe
    Signatures: Executes dropped EXE; Loads dropped DLL; Checks whether UAC is enabled
    PID: 1832
  • C:\Windows\system32\isoburn.exe
    Command line: C:\Windows\system32\isoburn.exe
    PID: 404
  • C:\Users\Admin\AppData\Local\9PbaYLPFg\isoburn.exe
    Command line: C:\Users\Admin\AppData\Local\9PbaYLPFg\isoburn.exe
    Signatures: Executes dropped EXE; Loads dropped DLL; Checks whether UAC is enabled
    PID: 1612
Downloads
  • C:\Users\Admin\AppData\Local\9PbaYLPFg\UxTheme.dll
    MD5:    d4ba00564401284d7989b69b7e222a09
    SHA1:   366b80b74389e28780adda3e5ba1edd6738b9899
    SHA256: 04294d70786e86d648fb47cf266cb51ef06b64d14b795c04499d7967e29c6b03
    SHA512: 634bf71882852918c8a126f5c4d3f543245b6bf1e4faa8567035ce97874340dc0b1efa3bace8489845b00f6557d0488e81f411dceca85c0be0335d45a0f87f06

  • C:\Users\Admin\AppData\Local\9PbaYLPFg\isoburn.exe
    MD5:    2a356c5abe7b39d61fbf6a4e641130b5
    SHA1:   4223fa610b04482b7ef5d3c50b539d4e0edc47e9
    SHA256: 802edb5e8ff7a46b6d3fa9cf692f1933cfdf4b1a0bc24bb99e3e165ae478fdd9
    SHA512: 7f4966ab65f96d5bb07d66ab62f0f8cf550153183d26c490fc0975ba4061360eb46b5609ea734464201333a6879a6201b4cab32731e10e29c7302bcb9144749d

  • C:\Users\Admin\AppData\Local\SMgTf\OLEACC.dll
    MD5:    1c430d5599bbde0522cd8294a9993c49
    SHA1:   2516bc15326ecd486e4e3552ca162b9be179cb3c
    SHA256: 6407377f86c07764f631709af302f538f0934482f81442d102b01e08fc54c62a
    SHA512: 0b7e35eb3b92ea75c957c4f3a94f0203ce02d1c9c875a13871eb816e7394103ad1f3cbf40525bfe43a2029a5ebd56acd08a12d487d5d3cb1cc99781debbf54ac

  • C:\Users\Admin\AppData\Local\SMgTf\WMPDMC.exe
    MD5:    0632f00532261c963595b8cbb5e8ebe6
    SHA1:   545792bc47d20f561770406b37c0e999a1d84fe1
    SHA256: 2d1e7220672aba2d404b6ae2e2f44b80d2fbc1ff73a4fb27b3a3b11f1b06dfbb
    SHA512: 6a8df7d6057d8da7fb28ad0a573f39cc990c21e138c28150661fdb74f6fd9778b3abb16bfc4d20489ce168fec7503c84397fdf6c2f1b88f8ca9c2d193fdca472

  • C:\Users\Admin\AppData\Local\vMk\SYSDM.CPL
    MD5:    e854a04bec5648c492354e14102b3d1f
    SHA1:   3f3b2c5000b0381c44af466cc848e102c7d8afc8
    SHA256: 885486e9ddfb4e53f4314ed8e5eee591221e95114893eeed802ee1a21804f3a6
    SHA512: 448198ba9d7a4c4d80483250c77b5f5e902e38cbc6b1e64e154b199363a6dfcd58a78c10b1d4e65bd806e4ed9aac094429e43b850c6cb124c20d228cbdb5385b

  • C:\Users\Admin\AppData\Local\vMk\SystemPropertiesRemote.exe
    MD5:    274c1b0f3436f2030089f456389e2231
    SHA1:   e341c9b6961d4956e48e2b89933e7a8f22faadf5
    SHA256: 8f6116c500f4a778725b753501fc095da4dfda36cf5ddd9bafca881c99b3e6b3
    SHA512: 249a77e4bc4294ba68a5bca073c574c0436306a17aec34c8c2d14149bd81417acab81a68257788ebafbd225873f7b1c7437ed6d8bb8d854b14d2c56ef214a2e5