899cac1d02beb489b43a5aad1ef87609f3783d891def8f5fd122d848c71da5fb

General

Target: 899cac1d02beb489b43a5aad1ef87609f3783d891def8f5fd122d848c71da5fb.dll
Filesize: 1MB
Completed: 26-11-2021 09:32
Score: 10/10
MD5: cd87697a9e2bdfac82d9b7154c3105ce
SHA1: 963e78487647a3b7199211154b8fe7f6babe6bbb
SHA256: 899cac1d02beb489b43a5aad1ef87609f3783d891def8f5fd122d848c71da5fb

Malware Config
Signatures (9)

Tactics: Defense Evasion, Discovery, Persistence
  • Dridex

    Description

    Dridex (known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode

    Description

    Detects Dridex Payload shellcode injected in Explorer process.

    Reported IOCs

    resource                                                                      yara_rule
    behavioral1/memory/1200-60-0x0000000002210000-0x0000000002211000-memory.dmp   dridex_stager_shellcode
  • Executes dropped EXE
    icardagt.exe, wscript.exe, DWWIN.EXE

    Reported IOCs

    pid    process
    612    icardagt.exe
    1160   wscript.exe
    860    DWWIN.EXE
  • Loads dropped DLL
    icardagt.exe, wscript.exe, DWWIN.EXE

    Reported IOCs

    pid    process
    1200   -
    612    icardagt.exe
    1200   -
    1200   -
    1160   wscript.exe
    1200   -
    860    DWWIN.EXE
    1200   -
  • Adds Run key to start application

    TTPs

    Registry Run Keys / Startup Folder
    Modify Registry

    Reported IOCs

    description: Set value (str)
    ioc: \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows\CurrentVersion\Run\Gpavvclvseucyal = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\FLASHP~1\\ASSETC~1\\eeJZI7uw\\wscript.exe"
    process: -
  • Checks whether UAC is enabled
    rundll32.exe, icardagt.exe, wscript.exe, DWWIN.EXE

    TTPs

    System Information Discovery

    Reported IOCs

    description         ioc                                                                                   process
    Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   rundll32.exe
    Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   icardagt.exe
    Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   wscript.exe
    Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   DWWIN.EXE
  • Suspicious behavior: EnumeratesProcesses
    rundll32.exe, icardagt.exe, wscript.exe

    Reported IOCs (64 rows, consecutive identical rows collapsed with a count)

    pid    process        events
    1140   rundll32.exe   3
    1200   -              28
    612    icardagt.exe   2
    1200   -              21
    1160   wscript.exe    2
    1200   -              8
  • Suspicious behavior: GetForegroundWindowSpam

    Reported IOCs

    pid    process
    1200   -
  • Suspicious use of WriteProcessMemory

    Reported IOCs (18 rows, identical rows collapsed with a count)

    description                        pid    process   target process   events
    PID 1200 wrote to memory of 1564   1200   -         icardagt.exe     3
    PID 1200 wrote to memory of 612    1200   -         icardagt.exe     3
    PID 1200 wrote to memory of 1800   1200   -         wscript.exe      3
    PID 1200 wrote to memory of 1160   1200   -         wscript.exe      3
    PID 1200 wrote to memory of 976    1200   -         DWWIN.EXE        3
    PID 1200 wrote to memory of 860    1200   -         DWWIN.EXE        3
Processes (7)
  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\899cac1d02beb489b43a5aad1ef87609f3783d891def8f5fd122d848c71da5fb.dll,#1
    Checks whether UAC is enabled
    Suspicious behavior: EnumeratesProcesses
    PID:1140
  • C:\Windows\system32\icardagt.exe
    C:\Windows\system32\icardagt.exe
    PID:1564
  • C:\Users\Admin\AppData\Local\iwIrhp\icardagt.exe
    C:\Users\Admin\AppData\Local\iwIrhp\icardagt.exe
    Executes dropped EXE
    Loads dropped DLL
    Checks whether UAC is enabled
    Suspicious behavior: EnumeratesProcesses
    PID:612
  • C:\Windows\system32\wscript.exe
    C:\Windows\system32\wscript.exe
    PID:1800
  • C:\Users\Admin\AppData\Local\TjJ\wscript.exe
    C:\Users\Admin\AppData\Local\TjJ\wscript.exe
    Executes dropped EXE
    Loads dropped DLL
    Checks whether UAC is enabled
    Suspicious behavior: EnumeratesProcesses
    PID:1160
  • C:\Windows\system32\DWWIN.EXE
    C:\Windows\system32\DWWIN.EXE
    PID:976
  • C:\Users\Admin\AppData\Local\jpWt\DWWIN.EXE
    C:\Users\Admin\AppData\Local\jpWt\DWWIN.EXE
    Executes dropped EXE
    Loads dropped DLL
    Checks whether UAC is enabled
    PID:860
Network

MITRE ATT&CK Matrix

Collection, Command and Control, Credential Access, Defense Evasion, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Privilege Escalation

Downloads
  • C:\Users\Admin\AppData\Local\TjJ\VERSION.dll
    MD5: 7f3cde32f11a21d15919638f11689f32
    SHA1: e210f27e9c4811869d380b7913361994152caca2
    SHA256: 14995291974e5ef14de89d6c4910e83ffc0d54dd0417550f54612d5fbc145650
    SHA512: 713c5e14f9e710287b876521d2da665ac74d385be4ecaa6b006e63f02f6ad7a2a04b333ddf13044452a0a6605e9e140a43b872550df58110daa4117efcaf259b

  • C:\Users\Admin\AppData\Local\TjJ\wscript.exe
    MD5: 8886e0697b0a93c521f99099ef643450
    SHA1: 851bd390bf559e702b8323062dbeb251d9f2f6f7
    SHA256: d73f7ee4e6e992a618d02580bdbf4fd6ba7c683d110928001092f4073341e95f
    SHA512: fc4a176f49a69c5600c427af72d3d274cfeacef48612b18cda966c3b4dda0b9d59c0fe8114d5ed8e0fec780744346e2cd503d1fd15c0c908908d067214b9d837

  • C:\Users\Admin\AppData\Local\iwIrhp\UxTheme.dll
    MD5: e16a9076b37ad78588c7b6e24a58d014
    SHA1: 0f3a17f2583d819e0407eb81e90a7986942aa0ec
    SHA256: 8cf560eb905d8d12b0f77237f0e450956a77de8314444d462ceb51ccbe6a1b10
    SHA512: 8a218e795365ed05234ef01b96db2fed658198af11d44f3a3ce75cf0360e18e7e18d2df202884922c17f6546494d56dff1370928a283953a4c70c1564ee870cb

  • C:\Users\Admin\AppData\Local\iwIrhp\icardagt.exe
    MD5: 2fe97a3052e847190a9775431292a3a3
    SHA1: 43edc451ac97365600391fa4af15476a30423ff6
    SHA256: 473d17e571d6947ce93103454f1e9fe27136403125152b97acb6cad5cc2a9ac7
    SHA512: 93ed1f9ef6fb256b53df9c6f2ce03301c0d3a0ef49c3f0604872653e4ba3fce369256f50604dd8386f543e1ea9231f5700213e683d3ea9af9e4d6c427a19117a

  • C:\Users\Admin\AppData\Local\jpWt\DWWIN.EXE
    MD5: 25247e3c4e7a7a73baeea6c0008952b1
    SHA1: 8087adb7a71a696139ddc5c5abc1a84f817ab688
    SHA256: c740497a7e58f7678e25b68b03573b4136a364464ee97c02ce5e0fe00cec7050
    SHA512: bc27946894e7775f772ac882740430c8b9d3f37a573e2524207f7bb32f44d4a227cb1e9a555e118d68af7f1e129abd2ac5cabbcd8bbf3551c485bae05108324b

  • C:\Users\Admin\AppData\Local\jpWt\VERSION.dll
    MD5: 50a8500d333f65818de2eb896c7241a0
    SHA1: c07b934431102393f4be87fb6724515856946106
    SHA256: 83987196448922a190ad2fe2f4d1eb4c40038476186349530031419662e8e096
    SHA512: 163d2e3bd82d473f07cda36c3ba31c294092101d29591f9c43f997601c04f313e694a73878914f4ee9788a0a0f574f86e66a698f9d6ec958471298e1948dbd3e

  • \Users\Admin\AppData\Local\TjJ\VERSION.dll
    MD5: 7f3cde32f11a21d15919638f11689f32
    SHA1: e210f27e9c4811869d380b7913361994152caca2
    SHA256: 14995291974e5ef14de89d6c4910e83ffc0d54dd0417550f54612d5fbc145650
    SHA512: 713c5e14f9e710287b876521d2da665ac74d385be4ecaa6b006e63f02f6ad7a2a04b333ddf13044452a0a6605e9e140a43b872550df58110daa4117efcaf259b

  • \Users\Admin\AppData\Local\TjJ\wscript.exe
    MD5: 8886e0697b0a93c521f99099ef643450
    SHA1: 851bd390bf559e702b8323062dbeb251d9f2f6f7
    SHA256: d73f7ee4e6e992a618d02580bdbf4fd6ba7c683d110928001092f4073341e95f
    SHA512: fc4a176f49a69c5600c427af72d3d274cfeacef48612b18cda966c3b4dda0b9d59c0fe8114d5ed8e0fec780744346e2cd503d1fd15c0c908908d067214b9d837

  • \Users\Admin\AppData\Local\iwIrhp\UxTheme.dll
    MD5: e16a9076b37ad78588c7b6e24a58d014
    SHA1: 0f3a17f2583d819e0407eb81e90a7986942aa0ec
    SHA256: 8cf560eb905d8d12b0f77237f0e450956a77de8314444d462ceb51ccbe6a1b10
    SHA512: 8a218e795365ed05234ef01b96db2fed658198af11d44f3a3ce75cf0360e18e7e18d2df202884922c17f6546494d56dff1370928a283953a4c70c1564ee870cb

  • \Users\Admin\AppData\Local\iwIrhp\icardagt.exe
    MD5: 2fe97a3052e847190a9775431292a3a3
    SHA1: 43edc451ac97365600391fa4af15476a30423ff6
    SHA256: 473d17e571d6947ce93103454f1e9fe27136403125152b97acb6cad5cc2a9ac7
    SHA512: 93ed1f9ef6fb256b53df9c6f2ce03301c0d3a0ef49c3f0604872653e4ba3fce369256f50604dd8386f543e1ea9231f5700213e683d3ea9af9e4d6c427a19117a

  • \Users\Admin\AppData\Local\jpWt\DWWIN.EXE
    MD5: 25247e3c4e7a7a73baeea6c0008952b1
    SHA1: 8087adb7a71a696139ddc5c5abc1a84f817ab688
    SHA256: c740497a7e58f7678e25b68b03573b4136a364464ee97c02ce5e0fe00cec7050
    SHA512: bc27946894e7775f772ac882740430c8b9d3f37a573e2524207f7bb32f44d4a227cb1e9a555e118d68af7f1e129abd2ac5cabbcd8bbf3551c485bae05108324b

  • \Users\Admin\AppData\Local\jpWt\VERSION.dll
    MD5: 50a8500d333f65818de2eb896c7241a0
    SHA1: c07b934431102393f4be87fb6724515856946106
    SHA256: 83987196448922a190ad2fe2f4d1eb4c40038476186349530031419662e8e096
    SHA512: 163d2e3bd82d473f07cda36c3ba31c294092101d29591f9c43f997601c04f313e694a73878914f4ee9788a0a0f574f86e66a698f9d6ec958471298e1948dbd3e

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\DNTException\Hk\DWWIN.EXE
    MD5: 25247e3c4e7a7a73baeea6c0008952b1
    SHA1: 8087adb7a71a696139ddc5c5abc1a84f817ab688
    SHA256: c740497a7e58f7678e25b68b03573b4136a364464ee97c02ce5e0fe00cec7050
    SHA512: bc27946894e7775f772ac882740430c8b9d3f37a573e2524207f7bb32f44d4a227cb1e9a555e118d68af7f1e129abd2ac5cabbcd8bbf3551c485bae05108324b


  • memory/612-84-0x0000000000000000-mapping.dmp
  • memory/612-86-0x000007FEFBA61000-0x000007FEFBA63000-memory.dmp
  • memory/612-89-0x000007FEF6790000-0x000007FEF68D9000-memory.dmp
  • memory/860-104-0x0000000000000000-mapping.dmp
  • memory/1140-59-0x00000000000A0000-0x00000000000A7000-memory.dmp
  • memory/1140-55-0x000007FEF6510000-0x000007FEF6658000-memory.dmp
  • memory/1160-95-0x0000000000000000-mapping.dmp
  • memory/1160-99-0x000007FEF6510000-0x000007FEF6659000-memory.dmp
  • memory/1200-73-0x0000000140000000-0x0000000140148000-memory.dmp
  • memory/1200-77-0x0000000140000000-0x0000000140148000-memory.dmp
  • memory/1200-76-0x0000000140000000-0x0000000140148000-memory.dmp
  • memory/1200-82-0x0000000077390000-0x0000000077392000-memory.dmp
  • memory/1200-75-0x0000000140000000-0x0000000140148000-memory.dmp
  • memory/1200-74-0x0000000140000000-0x0000000140148000-memory.dmp
  • memory/1200-72-0x0000000140000000-0x0000000140148000-memory.dmp
  • memory/1200-71-0x0000000140000000-0x0000000140148000-memory.dmp
  • memory/1200-70-0x0000000140000000-0x0000000140148000-memory.dmp
  • memory/1200-69-0x0000000140000000-0x0000000140148000-memory.dmp
  • memory/1200-68-0x0000000140000000-0x0000000140148000-memory.dmp
  • memory/1200-67-0x0000000140000000-0x0000000140148000-memory.dmp
  • memory/1200-66-0x0000000140000000-0x0000000140148000-memory.dmp
  • memory/1200-65-0x0000000140000000-0x0000000140148000-memory.dmp
  • memory/1200-64-0x0000000140000000-0x0000000140148000-memory.dmp
  • memory/1200-62-0x0000000140000000-0x0000000140148000-memory.dmp
  • memory/1200-61-0x0000000140000000-0x0000000140148000-memory.dmp
  • memory/1200-60-0x0000000002210000-0x0000000002211000-memory.dmp
  • memory/1200-63-0x0000000140000000-0x0000000140148000-memory.dmp