6e90088bb8cc71fcebb71469a7e5668a0b6aacfa21fb274febbb523a427d8e40

General

Target: 6e90088bb8cc71fcebb71469a7e5668a0b6aacfa21fb274febbb523a427d8e40.dll
Filesize: 1MB
Completed: 26-11-2021 09:33
Score: 10/10
MD5: 95a8147f694adad1655a2a158ba6d369
SHA1: 2911097d1da2ab8d364309a339f0f9afc78375ee
SHA256: 6e90088bb8cc71fcebb71469a7e5668a0b6aacfa21fb274febbb523a427d8e40

Malware Config

Signatures (9)
  • Dridex

    Description

    Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode

    Description

    Detects Dridex payload shellcode injected into the Explorer process.

    Reported IOCs

    resource | yara_rule
    behavioral2/memory/3008-121-0x0000000001340000-0x0000000001341000-memory.dmp | dridex_stager_shellcode
  • Executes dropped EXE
    DevicePairingWizard.exe, BitLockerWizard.exe, sethc.exe

    Reported IOCs

    pid  | process
    1488 | DevicePairingWizard.exe
    2036 | BitLockerWizard.exe
    2276 | sethc.exe
  • Loads dropped DLL
    DevicePairingWizard.exe, BitLockerWizard.exe, sethc.exe

    Reported IOCs

    pid  | process
    1488 | DevicePairingWizard.exe
    2036 | BitLockerWizard.exe
    2276 | sethc.exe
  • Adds Run key to start application

    TTPs

    Registry Run Keys / Startup Folder; Modify Registry

    Reported IOCs

    description | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\Slqggwbvaxk = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\UJZYJK~1\\BITLOC~1.EXE" |
  • Checks whether UAC is enabled
    rundll32.exe, DevicePairingWizard.exe, BitLockerWizard.exe, sethc.exe

    TTPs

    System Information Discovery

    Reported IOCs

    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | DevicePairingWizard.exe
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | BitLockerWizard.exe
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sethc.exe
  • Suspicious behavior: EnumeratesProcesses
    rundll32.exe

    Reported IOCs

    pid  | process
    2460 | rundll32.exe (4 entries)
    3008 | (60 entries; process name not recorded in the report)
  • Suspicious behavior: GetForegroundWindowSpam
    rundll32.exe, DevicePairingWizard.exe, BitLockerWizard.exe, sethc.exe

    Reported IOCs

    pid  | process
    2460 | rundll32.exe
    3008 |
    1488 | DevicePairingWizard.exe
    2036 | BitLockerWizard.exe
    2276 | sethc.exe
  • Suspicious use of WriteProcessMemory

    Reported IOCs

    description | pid | process | target process
    PID 3008 wrote to memory of 1784 | 3008 | | DevicePairingWizard.exe
    PID 3008 wrote to memory of 1784 | 3008 | | DevicePairingWizard.exe
    PID 3008 wrote to memory of 1488 | 3008 | | DevicePairingWizard.exe
    PID 3008 wrote to memory of 1488 | 3008 | | DevicePairingWizard.exe
    PID 3008 wrote to memory of 1332 | 3008 | | BitLockerWizard.exe
    PID 3008 wrote to memory of 1332 | 3008 | | BitLockerWizard.exe
    PID 3008 wrote to memory of 2036 | 3008 | | BitLockerWizard.exe
    PID 3008 wrote to memory of 2036 | 3008 | | BitLockerWizard.exe
    PID 3008 wrote to memory of 3516 | 3008 | | sethc.exe
    PID 3008 wrote to memory of 3516 | 3008 | | sethc.exe
    PID 3008 wrote to memory of 2276 | 3008 | | sethc.exe
    PID 3008 wrote to memory of 2276 | 3008 | | sethc.exe
Processes (7)
  • C:\Windows\system32\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\6e90088bb8cc71fcebb71469a7e5668a0b6aacfa21fb274febbb523a427d8e40.dll,#1
    Checks whether UAC is enabled
    Suspicious behavior: EnumeratesProcesses
    Suspicious behavior: GetForegroundWindowSpam
    PID: 2460
  • C:\Windows\system32\DevicePairingWizard.exe
    Command line: C:\Windows\system32\DevicePairingWizard.exe
    PID: 1784
  • C:\Users\Admin\AppData\Local\SaN\DevicePairingWizard.exe
    Command line: C:\Users\Admin\AppData\Local\SaN\DevicePairingWizard.exe
    Executes dropped EXE
    Loads dropped DLL
    Checks whether UAC is enabled
    Suspicious behavior: GetForegroundWindowSpam
    PID: 1488
  • C:\Windows\system32\BitLockerWizard.exe
    Command line: C:\Windows\system32\BitLockerWizard.exe
    PID: 1332
  • C:\Users\Admin\AppData\Local\RfSS6G0Bt\BitLockerWizard.exe
    Command line: C:\Users\Admin\AppData\Local\RfSS6G0Bt\BitLockerWizard.exe
    Executes dropped EXE
    Loads dropped DLL
    Checks whether UAC is enabled
    Suspicious behavior: GetForegroundWindowSpam
    PID: 2036
  • C:\Windows\system32\sethc.exe
    Command line: C:\Windows\system32\sethc.exe
    PID: 3516
  • C:\Users\Admin\AppData\Local\TN6Dz\sethc.exe
    Command line: C:\Users\Admin\AppData\Local\TN6Dz\sethc.exe
    Executes dropped EXE
    Loads dropped DLL
    Checks whether UAC is enabled
    Suspicious behavior: GetForegroundWindowSpam
    PID: 2276
Network

MITRE ATT&CK Matrix

Downloads
  • C:\Users\Admin\AppData\Local\RfSS6G0Bt\BitLockerWizard.exe
  • C:\Users\Admin\AppData\Local\RfSS6G0Bt\FVEWIZ.dll
  • C:\Users\Admin\AppData\Local\SaN\DevicePairingWizard.exe
  • C:\Users\Admin\AppData\Local\SaN\MFC42u.dll
  • C:\Users\Admin\AppData\Local\TN6Dz\OLEACC.dll
  • C:\Users\Admin\AppData\Local\TN6Dz\sethc.exe