Analysis
-
max time kernel
154s -
max time network
137s -
platform
windows10_x64 -
resource
win10-en-20211014 -
submitted
26-11-2021 09:29
General
-
Target
6e90088bb8cc71fcebb71469a7e5668a0b6aacfa21fb274febbb523a427d8e40.dll
-
Size
1.3MB
-
MD5
95a8147f694adad1655a2a158ba6d369
-
SHA1
2911097d1da2ab8d364309a339f0f9afc78375ee
-
SHA256
6e90088bb8cc71fcebb71469a7e5668a0b6aacfa21fb274febbb523a427d8e40
-
SHA512
e7a184b61894a1ea414bc362fc6a37f7941d0ac91e07681dbaa2604930c126a88993c0562abcc579112554eb1fbb23f592d4cb5ebafb88724f5f9e921fbaf93f
Malware Config
Signatures
-
Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
-
Dridex Shellcode 1 IoCs
Detects Dridex Payload shellcode injected in Explorer process.
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 3 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 4 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 5 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\6e90088bb8cc71fcebb71469a7e5668a0b6aacfa21fb274febbb523a427d8e40.dll,#11⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
-
C:\Windows\system32\DevicePairingWizard.exeC:\Windows\system32\DevicePairingWizard.exe1⤵
-
C:\Users\Admin\AppData\Local\SaN\DevicePairingWizard.exeC:\Users\Admin\AppData\Local\SaN\DevicePairingWizard.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
-
C:\Windows\system32\BitLockerWizard.exeC:\Windows\system32\BitLockerWizard.exe1⤵
-
C:\Users\Admin\AppData\Local\RfSS6G0Bt\BitLockerWizard.exeC:\Users\Admin\AppData\Local\RfSS6G0Bt\BitLockerWizard.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
-
C:\Windows\system32\sethc.exeC:\Windows\system32\sethc.exe1⤵
-
C:\Users\Admin\AppData\Local\TN6Dz\sethc.exeC:\Users\Admin\AppData\Local\TN6Dz\sethc.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\RfSS6G0Bt\BitLockerWizard.exeMD5
c213e950a565d1fbe302961f029dddc8
SHA1edeaf01a3dbfdfca54a5e25c121d9645dd75bf86
SHA256f90e755a99ce576c643b751d4f87f4b301d0bf7264f74023225b9b8b7f2e302d
SHA512081f5ee07b6ffae41e494a13c720a8fb92a05c68b1f72c0bc6422050fabc2a433b84f6a3991defa4bfc9d5a721fb8cd83927613d4423f918cf8e57427e825fb0
-
C:\Users\Admin\AppData\Local\RfSS6G0Bt\FVEWIZ.dllMD5
5497cb23c03fb1521ddbf1b732f512d3
SHA1f7669ad3a40cef8829aa3ac21575c61283ac4596
SHA256ac576898cdc3783ba8af5e4bd5c16d8649c674eac4a4be8d5fd3feba0c0e9183
SHA51205b008796ac81e3c92d90040ec418848dca487a26689cdc5b63c48f0da30a88871acbb1b798d7a4e2dd088d690a86763fcaf6789ba525ac99b7e8041c737e005
-
C:\Users\Admin\AppData\Local\SaN\DevicePairingWizard.exeMD5
50d2e0183f1a3f4eb6897158ac6c6dc9
SHA139da481fb5ae670a4334652fefce7f5ea8842863
SHA2569d9dadbf467fd2174356b82712fbcc691f643d5d8ec3d245145c2dc1f281e597
SHA5121664661cbb271bd808ad0612ac1c5be521dd624bad9bc0a954f76237d82f3685566d76d928374afccc867b3b237e98c42ac600af8183f68ee1826294781053cd
-
C:\Users\Admin\AppData\Local\SaN\MFC42u.dllMD5
897e3b869a3929b0a3fbc6e4953a33a6
SHA1427df54ef62c28674fd80fdc8c1091b8f7cb6370
SHA256bf6125906878537984282be6188235ba18fc7b514017c266cf8d62e8b3a34115
SHA5124fa4f8929be17d405db731f2f50969c3432d266f364763a1ca6c4d8faedaf2526b4d09af1897c2c4a5878e94cb7a3a0598c063ba4f3cf61deb129f386b92deb4
-
C:\Users\Admin\AppData\Local\TN6Dz\OLEACC.dllMD5
967ccb93128061429edab4e857d13996
SHA1a1f25c70cf4922651dfa6eae93fe5fa03b9efe9e
SHA25655a7b6b7665a564333cb067da80ffdffbe9553cb14834a8d13a1a0f223e399ab
SHA5120c82d6641d4fca05101354127df3761137ad70e0dfd41a54fc1a3e8725c302d6d9a05d99f7898140b15b56aad5a5db8e1f4f1e6f92eac350b49e217098baf703
-
C:\Users\Admin\AppData\Local\TN6Dz\sethc.exeMD5
acf1ee51ad73afb0faba2e10304df15a
SHA103ade95bbe89143d89a0c09c405610921e5046b3
SHA256e0bf9845f79c1b4fa09e334f460b6ef70f418eb46cd61b696dec772c6ff3839d
SHA512a399d58f9ce6b36a5851ef7955509a6c45764e1fa246f93900744f7a288bf3ff3f3513a5c201c4f8c7025daaec62fb0fb62aaf56cb9f6c79ffce203961fd0618
-
\Users\Admin\AppData\Local\RfSS6G0Bt\FVEWIZ.dllMD5
5497cb23c03fb1521ddbf1b732f512d3
SHA1f7669ad3a40cef8829aa3ac21575c61283ac4596
SHA256ac576898cdc3783ba8af5e4bd5c16d8649c674eac4a4be8d5fd3feba0c0e9183
SHA51205b008796ac81e3c92d90040ec418848dca487a26689cdc5b63c48f0da30a88871acbb1b798d7a4e2dd088d690a86763fcaf6789ba525ac99b7e8041c737e005
-
\Users\Admin\AppData\Local\SaN\MFC42u.dllMD5
897e3b869a3929b0a3fbc6e4953a33a6
SHA1427df54ef62c28674fd80fdc8c1091b8f7cb6370
SHA256bf6125906878537984282be6188235ba18fc7b514017c266cf8d62e8b3a34115
SHA5124fa4f8929be17d405db731f2f50969c3432d266f364763a1ca6c4d8faedaf2526b4d09af1897c2c4a5878e94cb7a3a0598c063ba4f3cf61deb129f386b92deb4
-
\Users\Admin\AppData\Local\TN6Dz\OLEACC.dllMD5
967ccb93128061429edab4e857d13996
SHA1a1f25c70cf4922651dfa6eae93fe5fa03b9efe9e
SHA25655a7b6b7665a564333cb067da80ffdffbe9553cb14834a8d13a1a0f223e399ab
SHA5120c82d6641d4fca05101354127df3761137ad70e0dfd41a54fc1a3e8725c302d6d9a05d99f7898140b15b56aad5a5db8e1f4f1e6f92eac350b49e217098baf703
-
memory/1488-146-0x0000000000000000-mapping.dmp
-
memory/1488-155-0x0000020011DE0000-0x0000020011DE2000-memory.dmpFilesize
8KB
-
memory/1488-154-0x0000020011DE0000-0x0000020011DE2000-memory.dmpFilesize
8KB
-
memory/1488-153-0x0000020011DE0000-0x0000020011DE2000-memory.dmpFilesize
8KB
-
memory/1488-150-0x0000000140000000-0x000000014014C000-memory.dmpFilesize
1.3MB
-
memory/2036-156-0x0000000000000000-mapping.dmp
-
memory/2036-163-0x0000022A00230000-0x0000022A00232000-memory.dmpFilesize
8KB
-
memory/2036-160-0x0000000140000000-0x0000000140146000-memory.dmpFilesize
1.3MB
-
memory/2036-164-0x0000022A00230000-0x0000022A00232000-memory.dmpFilesize
8KB
-
memory/2036-165-0x0000022A00230000-0x0000022A00232000-memory.dmpFilesize
8KB
-
memory/2276-166-0x0000000000000000-mapping.dmp
-
memory/2276-174-0x000001DDB3630000-0x000001DDB3632000-memory.dmpFilesize
8KB
-
memory/2276-173-0x000001DDB3630000-0x000001DDB3632000-memory.dmpFilesize
8KB
-
memory/2276-175-0x000001DDB3630000-0x000001DDB3632000-memory.dmpFilesize
8KB
-
memory/2460-115-0x0000000140000000-0x0000000140145000-memory.dmpFilesize
1.3MB
-
memory/2460-120-0x00000206AEEC0000-0x00000206AEEC7000-memory.dmpFilesize
28KB
-
memory/2460-119-0x00000206AEED0000-0x00000206AEED2000-memory.dmpFilesize
8KB
-
memory/2460-118-0x00000206AEED0000-0x00000206AEED2000-memory.dmpFilesize
8KB
-
memory/3008-128-0x0000000140000000-0x0000000140145000-memory.dmpFilesize
1.3MB
-
memory/3008-145-0x00007FFBC8740000-0x00007FFBC8750000-memory.dmpFilesize
64KB
-
memory/3008-144-0x0000000001390000-0x0000000001392000-memory.dmpFilesize
8KB
-
memory/3008-143-0x00007FFBC87F5000-0x00007FFBC87F6000-memory.dmpFilesize
4KB
-
memory/3008-141-0x0000000001390000-0x0000000001392000-memory.dmpFilesize
8KB
-
memory/3008-142-0x0000000001390000-0x0000000001392000-memory.dmpFilesize
8KB
-
memory/3008-135-0x0000000140000000-0x0000000140145000-memory.dmpFilesize
1.3MB
-
memory/3008-134-0x0000000140000000-0x0000000140145000-memory.dmpFilesize
1.3MB
-
memory/3008-133-0x0000000140000000-0x0000000140145000-memory.dmpFilesize
1.3MB
-
memory/3008-132-0x0000000140000000-0x0000000140145000-memory.dmpFilesize
1.3MB
-
memory/3008-131-0x0000000140000000-0x0000000140145000-memory.dmpFilesize
1.3MB
-
memory/3008-130-0x0000000140000000-0x0000000140145000-memory.dmpFilesize
1.3MB
-
memory/3008-129-0x0000000140000000-0x0000000140145000-memory.dmpFilesize
1.3MB
-
memory/3008-127-0x0000000140000000-0x0000000140145000-memory.dmpFilesize
1.3MB
-
memory/3008-126-0x0000000140000000-0x0000000140145000-memory.dmpFilesize
1.3MB
-
memory/3008-125-0x0000000140000000-0x0000000140145000-memory.dmpFilesize
1.3MB
-
memory/3008-124-0x0000000140000000-0x0000000140145000-memory.dmpFilesize
1.3MB
-
memory/3008-123-0x0000000140000000-0x0000000140145000-memory.dmpFilesize
1.3MB
-
memory/3008-122-0x0000000140000000-0x0000000140145000-memory.dmpFilesize
1.3MB
-
memory/3008-121-0x0000000001340000-0x0000000001341000-memory.dmpFilesize
4KB