899cac1d02beb489b43a5aad1ef87609f3783d891def8f5fd122d848c71da5fb

max time kernel150s
max time network125s
platformwindows10_x64
resourcewin10-en-20211014
submitted26-11-2021 09:29

Report
Files
Registry
Network
Processes
Mutex
Misc

Target

899cac1d02beb489b43a5aad1ef87609f3783d891def8f5fd122d848c71da5fb.dll

Filesize

1MB

Completed

26-11-2021 09:32

Score

10^/10

MD5

cd87697a9e2bdfac82d9b7154c3105ce

SHA1

963e78487647a3b7199211154b8fe7f6babe6bbb

SHA256

899cac1d02beb489b43a5aad1ef87609f3783d891def8f5fd122d848c71da5fb

Defense Evasion

Discovery

Persistence

Dridex

Description

Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

Tags

botnet dridex
Dridex Shellcode

Description

Detects Dridex Payload shellcode injected in Explorer process.

Tags

botnet payload

Reported IOCs

resource yara_rule

behavioral2/memory/3020-122-0x00000000005E0000-0x00000000005E1000-memory.dmp dridex_stager_shellcode
Executes dropped EXE
osk.exeComputerDefaults.exerecdisc.exe

Reported IOCs

pid process

2276 osk.exe
516 ComputerDefaults.exe
696 recdisc.exe
Loads dropped DLL
osk.exeComputerDefaults.exerecdisc.exe

Reported IOCs

pid process

2276 osk.exe
516 ComputerDefaults.exe
696 recdisc.exe

resource	yara_rule
behavioral2/memory/3020-122-0x00000000005E0000-0x00000000005E1000-memory.dmp	dridex_stager_shellcode

pid	process
2276	osk.exe
516	ComputerDefaults.exe
696	recdisc.exe

pid	process
2276	osk.exe
516	ComputerDefaults.exe
696	recdisc.exe

Adds Run key to start application

TTPs

Registry Run Keys / Startup FolderModify Registry

Reported IOCs

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\Slqggwbvaxk = "C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Extensions\\65CvtYODB2G\\ComputerDefaults.exe"

Checks whether UAC is enabled

rundll32.exeosk.exeComputerDefaults.exerecdisc.exe

TTPs

System Information Discovery

Reported IOCs

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	osk.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ComputerDefaults.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	recdisc.exe

Modifies registry class

Reported IOCs

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance

Suspicious behavior: EnumeratesProcesses

rundll32.exeosk.exe

Reported IOCs

pid	process
2700	rundll32.exe
2700	rundll32.exe
2700	rundll32.exe
2700	rundll32.exe
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
2276	osk.exe
2276	osk.exe
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020

Suspicious behavior: GetForegroundWindowSpam

Reported IOCs

pid process

3020

pid	process
3020

Suspicious use of AdjustPrivilegeToken

Reported IOCs

description	pid	process
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020

Suspicious use of WriteProcessMemory

Reported IOCs

description	pid	target process
PID 3020 wrote to memory of 588	3020	osk.exe
PID 3020 wrote to memory of 588	3020	osk.exe
PID 3020 wrote to memory of 2276	3020	osk.exe
PID 3020 wrote to memory of 2276	3020	osk.exe
PID 3020 wrote to memory of 3260	3020	ComputerDefaults.exe
PID 3020 wrote to memory of 3260	3020	ComputerDefaults.exe
PID 3020 wrote to memory of 516	3020	ComputerDefaults.exe
PID 3020 wrote to memory of 516	3020	ComputerDefaults.exe
PID 3020 wrote to memory of 1032	3020	recdisc.exe
PID 3020 wrote to memory of 1032	3020	recdisc.exe
PID 3020 wrote to memory of 696	3020	recdisc.exe
PID 3020 wrote to memory of 696	3020	recdisc.exe

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\899cac1d02beb489b43a5aad1ef87609f3783d891def8f5fd122d848c71da5fb.dll,#1

Checks whether UAC is enabled
Suspicious behavior: EnumeratesProcesses

PID:2700

C:\Windows\system32\osk.exe

C:\Windows\system32\osk.exe

PID:588

C:\Users\Admin\AppData\Local\aCPlmDujq\osk.exe

C:\Users\Admin\AppData\Local\aCPlmDujq\osk.exe

Executes dropped EXE
Loads dropped DLL
Checks whether UAC is enabled
Suspicious behavior: EnumeratesProcesses

PID:2276

C:\Windows\system32\ComputerDefaults.exe

C:\Windows\system32\ComputerDefaults.exe

PID:3260

C:\Users\Admin\AppData\Local\iC8aDOS\ComputerDefaults.exe

C:\Users\Admin\AppData\Local\iC8aDOS\ComputerDefaults.exe

Executes dropped EXE
Loads dropped DLL
Checks whether UAC is enabled

PID:516

C:\Windows\system32\recdisc.exe

C:\Windows\system32\recdisc.exe

PID:1032

C:\Users\Admin\AppData\Local\uBBYj7ihL\recdisc.exe

C:\Users\Admin\AppData\Local\uBBYj7ihL\recdisc.exe

Executes dropped EXE
Loads dropped DLL
Checks whether UAC is enabled

PID:696

Collection

Command and Control

Credential Access

Defense Evasion

Modify Registry

Discovery

System Information Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

00:00 00:00

C:\Users\Admin\AppData\Local\aCPlmDujq\DUI70.dll
MD5
c12ea6d49940d51ddd04ddbeca84e83f

SHA1
a747d144eda80d7e817e8cf7cf5d0e2e29b9bba8

SHA256
e137e95c010bebd7a27f9d0e566b4df9a440f8e21520dbdebd5b0ac9c570e253

SHA512
25b8faf92910db077f460c2900c01065ab02d14ea5302ba1582083ca00aced7206e8bc04fd911c074dee2924cdd520eb01b22cf8fbc03f40066e2a8bfe29b393

Download Submit
C:\Users\Admin\AppData\Local\aCPlmDujq\osk.exe
MD5
4a614350289f2f92c6d7c5caccc09eff

SHA1
55e6807f31f66120e4798e37a8fb26e583ce1c81

SHA256
f259aa7bfb7f18f981d0a08888942f5027766cdcf4d4d60d2540d5eda048fd68

SHA512
ddf8fdc5b186ab9a15fa15310356d48cfbe1948fda0f0e624b1a429be11f406e5e3ce1924f48bbb9a9d14ede34a20c55c3e88f1f640e9d7d21f39bfad3c21dfc

Download Submit
C:\Users\Admin\AppData\Local\iC8aDOS\ComputerDefaults.exe
MD5
56d03e4218082266a9cdd8600537d891

SHA1
c153719f971dcee8f6985d7c79f64fc88dd8663c

SHA256
210d5714497505022aa068167f7ed5bb826abcf53cfe741c9860a2c8dce3f54a

SHA512
f2c64a4dbab789635bf97b3d615fcc96dfe8c4094b67a464eb34bc84501eb7648e7fa692971e917c1ebfac0548187721ecc552aaad35767f8a40846d922613d3

Download Submit
C:\Users\Admin\AppData\Local\iC8aDOS\appwiz.cpl
MD5
d7a03e7e49670fd138157c089cc871c2

SHA1
3b5515538ed900550e160ded4c1e80dbc1527d79

SHA256
c47c0f5f1d167c0655a05a7b8a2c9d93ff81e177dc2d03cdda7a483f60cf44af

SHA512
e302a0d6cb31b272cd7b18ef0e7ca167a270cc1449a6056490b12c6a05ddf8e1fb5fbcd28853fb6fa30b91d51cb4ea5ba7abe8dfb98a890fae8ff5f1a0845ff3

Download Submit
C:\Users\Admin\AppData\Local\uBBYj7ihL\ReAgent.dll
MD5
7a8614608bbb17ef1e75a4bc73e7a37d

SHA1
bea99990d113812d6034b3ab2c2cd6c536b75ddc

SHA256
526445a9fafcca40460fd00989ae8b9b76c79c8d33ade9d0e176b31f699bd3eb

SHA512
f8e236744ab5fc28b01194037e996b0a3fdbf43b07e51370d05de131af4f2dd6c4b92fc319e4b0718112b8e00bccf7d6e2f5a160c82858cd70ffd81d6b25037a

Download Submit
C:\Users\Admin\AppData\Local\uBBYj7ihL\recdisc.exe
MD5
d1028c10d2c261d3470df8ff6347981b

SHA1
04a99956e99b8dbed380df60e0812e92685b6ca9

SHA256
063e57b52257fda4cfa15c98a84f3461a9fb1c9d39e6ab55eae41a793a4d852b

SHA512
80922e37cdfe69d5390f8a5bf8f0aab98407d40549c8972c33c6b9ef15b38962887ef4637c81c248ba7ee649bfe20f318358359140d879f7e2820e135e11a9c3

Download Submit
\Users\Admin\AppData\Local\aCPlmDujq\DUI70.dll
MD5
c12ea6d49940d51ddd04ddbeca84e83f

SHA1
a747d144eda80d7e817e8cf7cf5d0e2e29b9bba8

SHA256
e137e95c010bebd7a27f9d0e566b4df9a440f8e21520dbdebd5b0ac9c570e253

SHA512
25b8faf92910db077f460c2900c01065ab02d14ea5302ba1582083ca00aced7206e8bc04fd911c074dee2924cdd520eb01b22cf8fbc03f40066e2a8bfe29b393

Download Submit
\Users\Admin\AppData\Local\iC8aDOS\appwiz.cpl
MD5
d7a03e7e49670fd138157c089cc871c2

SHA1
3b5515538ed900550e160ded4c1e80dbc1527d79

SHA256
c47c0f5f1d167c0655a05a7b8a2c9d93ff81e177dc2d03cdda7a483f60cf44af

SHA512
e302a0d6cb31b272cd7b18ef0e7ca167a270cc1449a6056490b12c6a05ddf8e1fb5fbcd28853fb6fa30b91d51cb4ea5ba7abe8dfb98a890fae8ff5f1a0845ff3

Download Submit
\Users\Admin\AppData\Local\uBBYj7ihL\ReAgent.dll
MD5
7a8614608bbb17ef1e75a4bc73e7a37d

SHA1
bea99990d113812d6034b3ab2c2cd6c536b75ddc

SHA256
526445a9fafcca40460fd00989ae8b9b76c79c8d33ade9d0e176b31f699bd3eb

SHA512
f8e236744ab5fc28b01194037e996b0a3fdbf43b07e51370d05de131af4f2dd6c4b92fc319e4b0718112b8e00bccf7d6e2f5a160c82858cd70ffd81d6b25037a

Download Submit
memory/516-164-0x00007FFDC40F0000-0x00007FFDC4239000-memory.dmp

Download
memory/516-160-0x0000000000000000-mapping.dmp

Download
memory/516-168-0x000001E81D920000-0x000001E81D922000-memory.dmp

Download
memory/516-170-0x000001E81D920000-0x000001E81D922000-memory.dmp

Download
memory/516-169-0x000001E81D920000-0x000001E81D922000-memory.dmp

Download
memory/696-171-0x0000000000000000-mapping.dmp

Download
memory/696-179-0x0000024CA6290000-0x0000024CA6292000-memory.dmp

Download
memory/696-180-0x0000024CA6290000-0x0000024CA6292000-memory.dmp

Download
memory/696-181-0x0000024CA6290000-0x0000024CA6292000-memory.dmp

Download
memory/2276-157-0x000001ED670F0000-0x000001ED670F2000-memory.dmp

Download
memory/2276-153-0x00007FFDC40B0000-0x00007FFDC423E000-memory.dmp

Download
memory/2276-158-0x000001ED670F0000-0x000001ED670F2000-memory.dmp

Download
memory/2276-159-0x000001ED670F0000-0x000001ED670F2000-memory.dmp

Download
memory/2276-149-0x0000000000000000-mapping.dmp

Download
memory/2700-115-0x00007FFDC40F0000-0x00007FFDC4238000-memory.dmp

Download
memory/2700-121-0x000001A9562F0000-0x000001A9562F7000-memory.dmp

Download
memory/2700-120-0x000001A956300000-0x000001A956302000-memory.dmp

Download
memory/2700-119-0x000001A956300000-0x000001A956302000-memory.dmp

Download
memory/3020-137-0x0000000140000000-0x0000000140148000-memory.dmp

Download
memory/3020-148-0x00007FFDD2430000-0x00007FFDD2432000-memory.dmp

Download
memory/3020-146-0x00007FFDD22F5000-0x00007FFDD22F6000-memory.dmp

Download
memory/3020-145-0x0000000000820000-0x0000000000822000-memory.dmp

Download
memory/3020-147-0x0000000000820000-0x0000000000822000-memory.dmp

Download
memory/3020-144-0x0000000000820000-0x0000000000822000-memory.dmp

Download
memory/3020-139-0x0000000140000000-0x0000000140148000-memory.dmp

Download
memory/3020-138-0x0000000140000000-0x0000000140148000-memory.dmp

Download
memory/3020-136-0x0000000140000000-0x0000000140148000-memory.dmp

Download
memory/3020-135-0x0000000140000000-0x0000000140148000-memory.dmp

Download
memory/3020-134-0x0000000140000000-0x0000000140148000-memory.dmp

Download
memory/3020-182-0x0000000000820000-0x0000000000822000-memory.dmp

Download
memory/3020-133-0x0000000140000000-0x0000000140148000-memory.dmp

Download
memory/3020-132-0x0000000140000000-0x0000000140148000-memory.dmp

Download
memory/3020-131-0x0000000140000000-0x0000000140148000-memory.dmp

Download
memory/3020-130-0x0000000140000000-0x0000000140148000-memory.dmp

Download
memory/3020-129-0x0000000140000000-0x0000000140148000-memory.dmp

Download
memory/3020-128-0x0000000140000000-0x0000000140148000-memory.dmp

Download
memory/3020-127-0x0000000140000000-0x0000000140148000-memory.dmp

Download
memory/3020-126-0x0000000140000000-0x0000000140148000-memory.dmp

Download
memory/3020-125-0x0000000140000000-0x0000000140148000-memory.dmp

Download
memory/3020-123-0x0000000140000000-0x0000000140148000-memory.dmp

Download
memory/3020-122-0x00000000005E0000-0x00000000005E1000-memory.dmp

Download
memory/3020-124-0x0000000140000000-0x0000000140148000-memory.dmp

Download

899cac1d02beb489b43a5aad1ef87609f3783d891def8f5fd122d848c71da5fb

Filter: none

Description

Tags

Description

Tags

Reported IOCs

Reported IOCs

Reported IOCs

Tags

TTPs

Reported IOCs

Tags

TTPs

Reported IOCs

Reported IOCs

Reported IOCs

Reported IOCs

Reported IOCs

Reported IOCs

Title