Analysis

  • max time kernel
    156s
  • max time network
    131s
  • platform
    windows10_x64
  • resource
    win10-en-20211104
  • submitted
    26-11-2021 09:29

General

  • Target

    a7e4a244a0c2c589c237ed8ee1870017ee62e84809d589cb0824db74ca64ec99.dll

  • Size

    1MB

  • MD5

    7bdaee4bb6adf9e4b601e6d577759dac

  • SHA1

    887a4784967fa269affaa90866bb5c2527b66474

  • SHA256

    a7e4a244a0c2c589c237ed8ee1870017ee62e84809d589cb0824db74ca64ec99

  • SHA512

    947aca10d1aeb83b275bcdd844cb3019e91e198838ba15b054d04fe1bba42017284e5b14a871dfc08fd6a8c0f7f919c14d0e3375f0c3ea2cf7c2f872d8e90a49

Malware Config

Signatures

  • Dridex

    Dridex (known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\a7e4a244a0c2c589c237ed8ee1870017ee62e84809d589cb0824db74ca64ec99.dll,#1
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:3636
  • C:\Windows\system32\rdpinput.exe
    C:\Windows\system32\rdpinput.exe
    PID:4272
    • C:\Users\Admin\AppData\Local\yWX\rdpinput.exe
      C:\Users\Admin\AppData\Local\yWX\rdpinput.exe
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      • Suspicious behavior: EnumeratesProcesses
      PID:4220
    • C:\Windows\system32\SystemPropertiesPerformance.exe
      C:\Windows\system32\SystemPropertiesPerformance.exe
      PID:4308
      • C:\Users\Admin\AppData\Local\HGo\SystemPropertiesPerformance.exe
        C:\Users\Admin\AppData\Local\HGo\SystemPropertiesPerformance.exe
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:3140
      • C:\Windows\system32\SystemSettingsAdminFlows.exe
        C:\Windows\system32\SystemSettingsAdminFlows.exe
        PID:1096
        • C:\Users\Admin\AppData\Local\58lm8oTJ\SystemSettingsAdminFlows.exe
          C:\Users\Admin\AppData\Local\58lm8oTJ\SystemSettingsAdminFlows.exe
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1144

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence: Registry Run Keys / Startup Folder, T1060 (1)
  • Defense Evasion: Modify Registry, T1112 (1)
  • Discovery: System Information Discovery, T1082 (1)

Downloads

        • C:\Users\Admin\AppData\Local\58lm8oTJ\DUI70.dll
          MD5

          54e1537f6dae1b821b4c0af6e96f6577

          SHA1

          ae82e38019d3df8bc38c015c2250e19b7d59255c

          SHA256

          2509493f357a313e2bb731fab9b1ff8353fa1fa008098733dda6103fc5777322

          SHA512

          cedebd34e2f6a7c18190a06da485a4884e0c1c2195c73261cf2722aa6d5c82a039e2f9fde425124c45292865d67f419ecd80cda04880fdee21a0bf2030c7b101

        • C:\Users\Admin\AppData\Local\58lm8oTJ\SystemSettingsAdminFlows.exe
          MD5

          ed20a50080dc6977c774b42810f6c94c

          SHA1

          a3a6fbf9a10b67b7b5bf6ef1fb0912483ff68ba4

          SHA256

          fd537b9a6dd9349a98d19d2023fb6de8a0cb6e7e2e230dcc3fc2621eca024f5d

          SHA512

          0cdd7b145567c78a6800e47819d6d2c370fdac1fdb92cf726cad6c588a38b44a69f101dc470eb64745938fb47615d28c0d1215755eef7d3a739c9f39a24d7d8e

        • C:\Users\Admin\AppData\Local\HGo\SYSDM.CPL
          MD5

          36bb0a8f06cc4ec55fd41a056192ebda

          SHA1

          9f9b66fb4d5b1ea8f8c17f7c55688eea7618bc10

          SHA256

          031ae5a8a1e717a59852bb322f18c409f7aa7cff5128bb10e4b7113cd07dbebb

          SHA512

          c2821b92c1d02e38383488233f6de02ffbb0e5bf2bac1bee1cd9c8289d9d5fedcde9d25c1ff5d921d3eddcdef85b8948927a1741f28fef9b8018b1e6a2a22f63

        • C:\Users\Admin\AppData\Local\HGo\SystemPropertiesPerformance.exe
          MD5

          0a23dbe5f3926280d0eeef6e35b8e603

          SHA1

          3023d1eaef3944a8487c18672af1d562114b9f5f

          SHA256

          24482d0a1972e7424e50de2aeb37d6f0d8a05e3f09afe4a0c7354817193a2d40

          SHA512

          ef7c1f4fe4d20f47f4d8576df86cdd14f89e35a88e1253f27a0432e4963885acede7622e350116135f0f90eb2eaea60cba5f0612c127cb495e5e4f54333126f4

        • C:\Users\Admin\AppData\Local\yWX\WINSTA.dll
          MD5

          27fb69f60d7278e83baa2c30d50172b2

          SHA1

          2c2a90614b4189a8968a046c1a668f1122b6b922

          SHA256

          24dbc71f69d0a04b7751a109746ad890d243baa2365ce5fe4e3deedcb62ba239

          SHA512

          23e64b0cd59b898eeec306bf05216c4b1c0a5c5299f5c312ee0eb2ac5a7f1c880d17bae02517b7d460f1291a27ecfdbe9f49c2757812a2ead20c027ca83127bb

        • C:\Users\Admin\AppData\Local\yWX\rdpinput.exe
          MD5

          431364c49991ebfea19b468020368e08

          SHA1

          c36c8a01ccd17b8ec754fe92d1e03558bb3f05ac

          SHA256

          6c59ea8b7807d9cc9de5c67cf679a1fb1bed4629da1f0a071e03af775de8e4fc

          SHA512

          6b2baeb9abc1277fef874ead7d0c4b2b5c5953b8f9db5ae056a14a0af6edb6482b303e7f4ba5237a22e62919f09cd8334692dd58053754ed18837ace14565d8f
