Analysis

- max time kernel: 158s
- max time network: 132s
- platform: windows10_x64
- resource: win10-en-20211104
- submitted: 26-11-2021 09:31

Static task: static1
Behavioral task: behavioral1
- Sample: 551ffee108503aaa811686e21a22388d509a652f7f4876a12de86092e19c596c.dll
- Resource: win7-en-20211014

Note: the task list names behavioral1 on the win7-en-20211014 resource, but the signatures and memory dumps reproduced below are tagged behavioral2 and come from the Windows 10 x64 run named in the header; no Windows 7 results appear on this page.

General

- Target: 551ffee108503aaa811686e21a22388d509a652f7f4876a12de86092e19c596c.dll
- Size: 1.2MB
- MD5: 0cea842b15be5b2e537ddfed28706abe
- SHA1: 510fd4fba4122a2d5cea810cb8d90493ef9570e4
- SHA256: 551ffee108503aaa811686e21a22388d509a652f7f4876a12de86092e19c596c
- SHA512: 3aa534022e692349519019fdce5fd1b74aeea0f22e627627c795970deded152881d3ac3cab391e85fd0330b1cd91ed216c80a0a9b08a464ce59ac8a6dfea9960
Malware Config
Signatures
- YARA rule match (dridex_stager_shellcode) 1 IoCs
  resource: behavioral2/memory/3040-124-0x00000000009B0000-0x00000000009B1000-memory.dmp
  yara_rule: dridex_stager_shellcode
  (A 4KB region in pid 3040; the process name for pid 3040 is not recorded anywhere in this report.)

- Executes dropped EXE 3 IoCs
  pid   process
  860   mfpmp.exe
  532   DWWIN.EXE
  3872  AgentService.exe

- Loads dropped DLL 3 IoCs
  pid   process
  860   mfpmp.exe
  532   DWWIN.EXE
  3872  AgentService.exe

- Adds Run key to start application 2 TTPs 1 IoCs
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ziekmjidk = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\SYSTEM~1\\3qH0TIkY\\DWWIN.EXE"
  process: (not recorded)
  Caveat: the value data is written with 8.3 short names (MICROS~1 for Microsoft, STARTM~1 for Start Menu), so a hunt that matches the literal long path "AppData\Roaming\Microsoft\Windows\Start Menu" misses it; match on the AppData component or expand short names first.

- Checks whether UAC is enabled 4 IoCs
  description        ioc                                                                          process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  mfpmp.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  DWWIN.EXE
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  AgentService.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe

- Modifies registry class 2 IoCs
  description  ioc                                                                                                              process
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance                          (not recorded)
  Key created  \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance  (not recorded)

- Suspicious behavior: EnumeratesProcesses 64 IoCs
  pid   process        entries
  2604  rundll32.exe   4
  3040  (not recorded) 60

- Suspicious behavior: GetForegroundWindowSpam 5 IoCs
  pid   process
  2604  rundll32.exe
  3040  (not recorded)
  860   mfpmp.exe
  532   DWWIN.EXE
  3872  AgentService.exe

- Suspicious use of AdjustPrivilegeToken 4 IoCs
  description                       pid   process
  Token: SeShutdownPrivilege        3040  (not recorded)
  Token: SeCreatePagefilePrivilege  3040  (not recorded)
  Token: SeShutdownPrivilege        3040  (not recorded)
  Token: SeCreatePagefilePrivilege  3040  (not recorded)

- Suspicious use of WriteProcessMemory 12 IoCs
  description                  source pid  target pid  target process
  PID 3040 wrote to memory of  3040        656         mfpmp.exe        (x2)
  PID 3040 wrote to memory of  3040        860         mfpmp.exe        (x2)
  PID 3040 wrote to memory of  3040        596         DWWIN.EXE        (x2)
  PID 3040 wrote to memory of  3040        532         DWWIN.EXE        (x2)
  PID 3040 wrote to memory of  3040        1076        AgentService.exe (x2)
  PID 3040 wrote to memory of  3040        3872        AgentService.exe (x2)
  Every write originates from pid 3040 and targets two PIDs per lure name; pids 860, 532 and 3872 are the AppData copies listed under "Executes dropped EXE", so 656, 596 and 1076 are presumably the System32 launches of the same names shown in the process tree.
Processes (all entries are top-level; the report records no parent/child nesting)

- C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\551ffee108503aaa811686e21a22388d509a652f7f4876a12de86092e19c596c.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam

- C:\Windows\system32\mfpmp.exe
  command line: C:\Windows\system32\mfpmp.exe

- C:\Users\Admin\AppData\Local\BHTP\mfpmp.exe
  command line: C:\Users\Admin\AppData\Local\BHTP\mfpmp.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious behavior: GetForegroundWindowSpam

- C:\Windows\system32\DWWIN.EXE
  command line: C:\Windows\system32\DWWIN.EXE

- C:\Users\Admin\AppData\Local\kuq1MBdV\DWWIN.EXE
  command line: C:\Users\Admin\AppData\Local\kuq1MBdV\DWWIN.EXE
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious behavior: GetForegroundWindowSpam

- C:\Windows\system32\AgentService.exe
  command line: C:\Windows\system32\AgentService.exe

- C:\Users\Admin\AppData\Local\beCOQSGa\AgentService.exe
  command line: C:\Users\Admin\AppData\Local\beCOQSGa\AgentService.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious behavior: GetForegroundWindowSpam
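The process tree and the "Loads dropped DLL" / "Adds Run key" signatures together describe one pattern: a legitimate System32 executable (mfpmp.exe, DWWIN.EXE, AgentService.exe) is copied into a random directory under AppData\Local next to a DLL carrying a system DLL name (MFPlat.DLL, VERSION.dll), and a Run value points at a further copy. The detection logic below is an added example, not part of the sandbox report. It runs three rules over constructed Sysmon-style events (EventID 1 process create, 7 image load, 13 registry value set) whose paths are taken from this page; the field names follow Sysmon, but the records are hand-written, and the two benign control events (the genuine System32 mfpmp.exe loading its own MFPlat.DLL, and a Run value under Program Files) are invented for contrast.

```python
"""Detection rules for the copied-system-binary side-load chain in this report.

Added example; not part of the sandbox report.  SAMPLE_EVENTS are
constructed Sysmon-style records built from the report's paths, not
captured telemetry.
"""
import ntpath
import re

SYSTEM_DIR = r"c:\windows\system32"
# User-writable profile locations used by the dropped copies and the Run value.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\(local|roaming)\\", re.I)
# 8.3 components such as MICROS~1 or STARTM~1 that disguise a long path.
SHORT_NAME = re.compile(r"~\d")

SAMPLE_DLL = r"C:\Users\Admin\AppData\Local\Temp\551ffee108503aaa811686e21a22388d509a652f7f4876a12de86092e19c596c.dll"

# Constructed sample events; paths from the report, plus two benign controls.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\system32\rundll32.exe",
     "CommandLine": "rundll32.exe " + SAMPLE_DLL + ",#1"},
    {"EventID": 1, "Image": r"C:\Windows\system32\mfpmp.exe"},
    {"EventID": 1, "Image": r"C:\Users\Admin\AppData\Local\BHTP\mfpmp.exe"},
    {"EventID": 7, "Image": r"C:\Users\Admin\AppData\Local\BHTP\mfpmp.exe",
     "ImageLoaded": r"C:\Users\Admin\AppData\Local\BHTP\MFPlat.DLL"},
    {"EventID": 1, "Image": r"C:\Windows\system32\DWWIN.EXE"},
    {"EventID": 1, "Image": r"C:\Users\Admin\AppData\Local\kuq1MBdV\DWWIN.EXE"},
    {"EventID": 7, "Image": r"C:\Users\Admin\AppData\Local\kuq1MBdV\DWWIN.EXE",
     "ImageLoaded": r"C:\Users\Admin\AppData\Local\kuq1MBdV\VERSION.dll"},
    {"EventID": 1, "Image": r"C:\Windows\system32\AgentService.exe"},
    {"EventID": 1, "Image": r"C:\Users\Admin\AppData\Local\beCOQSGa\AgentService.exe"},
    {"EventID": 7, "Image": r"C:\Users\Admin\AppData\Local\beCOQSGa\AgentService.exe",
     "ImageLoaded": r"C:\Users\Admin\AppData\Local\beCOQSGa\VERSION.dll"},
    {"EventID": 13,
     "TargetObject": r"\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ziekmjidk",
     "Details": r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\SYSTEM~1\3qH0TIkY\DWWIN.EXE"},
    # Benign controls (invented, not from the report): must produce no alert.
    {"EventID": 7, "Image": r"C:\Windows\system32\mfpmp.exe",
     "ImageLoaded": r"C:\Windows\System32\MFPlat.DLL"},
    {"EventID": 13, "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Program Files\Example\updater.exe"},
]


def _norm(path):
    return ntpath.normpath(path).lower()


def _in_system_dir(path):
    return _norm(ntpath.dirname(path)) == SYSTEM_DIR


def _in_user_writable(path):
    return USER_WRITABLE.search(path) is not None


def detect(events):
    """Return a list of alert dicts; each has a 'rule' key and a 'path' key."""
    alerts = []

    # Rule 1: the same executable name launched both from System32 and from a
    # user-writable directory (the report shows each lure started from both).
    launches = {}
    for ev in events:
        if ev["EventID"] == 1:
            launches.setdefault(ntpath.basename(ev["Image"]).lower(), []).append(ev["Image"])
    relocated = set()
    for name, images in launches.items():
        user_copies = [p for p in images if _in_user_writable(p)]
        if user_copies and any(_in_system_dir(p) for p in images):
            relocated.add(name)
            for p in user_copies:
                alerts.append({"rule": "relocated_system_binary", "path": p})

    # Rule 2: a relocated binary loads a DLL from its own user-writable
    # directory; this is the side-load itself (MFPlat.DLL / VERSION.dll above).
    for ev in events:
        if ev["EventID"] != 7:
            continue
        proc, dll = ev["Image"], ev["ImageLoaded"]
        if (ntpath.basename(proc).lower() in relocated
                and _in_user_writable(proc)
                and _norm(ntpath.dirname(proc)) == _norm(ntpath.dirname(dll))):
            alerts.append({"rule": "sideloaded_dll", "path": dll, "process": proc})

    # Rule 3: a Run value pointing into AppData.  Matching on the AppData
    # component rather than the full folder names is deliberate: the report's
    # value uses 8.3 short names (MICROS~1, STARTM~1) that would defeat a
    # literal "Microsoft\Windows\Start Menu" match.
    for ev in events:
        if ev["EventID"] == 13 and "\\currentversion\\run\\" in ev["TargetObject"].lower():
            if _in_user_writable(ev["Details"]):
                alerts.append({"rule": "run_key_to_appdata", "path": ev["Details"],
                               "short_names": bool(SHORT_NAME.search(ev["Details"]))})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["rule"], alert["path"])
```

Run against the constructed events the rules fire seven times: three relocated binaries, three side-loaded DLLs and one Run value (flagged as using short names); neither benign control fires. Rule 1 needs both launches to be visible in the same window of telemetry, so on a real host it is better paired with a filesystem sweep that compares AppData executables against System32 by name and signature.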
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\Users\Admin\AppData\Local\BHTP\MFPlat.DLL (also listed as \Users\Admin\AppData\Local\BHTP\MFPlat.DLL with identical hashes)
  MD5: 0ca7570843bc237a8959c5a059f6145e
  SHA1: 899a5b10c91eeecd1a00e9e71999960f4e4115d0
  SHA256: 40e2dd935dcaec6afe2815cfd401abeca812f915ee9c75864f5513360466c7bc
  SHA512: 557b9f8c53488aa392fb9ec423f9c7426f42138578108b39dd2dcaa93c727919d1c65bfa8162e30b44cba59b102703d9eb5cfab39431597e2415d2479beafc86

- C:\Users\Admin\AppData\Local\BHTP\mfpmp.exe
  MD5: 0a51780965f4a75557ac6b1a710a7c7b
  SHA1: 30e7be939ada607cbafd07261da463396878f4f5
  SHA256: 45b8b316c617f703af064aafab9a35c465d5f7835b758995e82ac0dedbaad037
  SHA512: e62c2252b66809cca9e7f625392ef09891eba1eec3c210798684a9c71a9c5315598ca259c8ebd09af5d8aaf94261fca91f30bd0dd22a917d5287e9443ae18326

- C:\Users\Admin\AppData\Local\beCOQSGa\AgentService.exe
  MD5: 5f1da3635c2f6b74ebfdebfc747b63b5
  SHA1: 8c26309d2bad1b97195a408d9a742c61942a09d1
  SHA256: 1b456b777c5099a67e405fef20b5cbcb24c6fce9ed7a5a421c6574618364fd47
  SHA512: 9d122a0388484844a6646a27d359532b437e10fa412b075597183b7bc8cbb4e3593eb193c25e0b81dc62b3098d340d6bdc53733e08ee6657c82d11ba32fe2d32

- C:\Users\Admin\AppData\Local\beCOQSGa\VERSION.dll (also listed as \Users\Admin\AppData\Local\beCOQSGa\VERSION.dll with identical hashes)
  MD5: 2b3cf115827008b47e11dae21b8df733
  SHA1: c9a2957a907c4f93d2ec08691ba6496e8396f8ac
  SHA256: cc11c4b670ae403c3600e10ebf295f10debec5a38cb076bb10d32005adfba707
  SHA512: e7244aee872ae5044dac550dc344b2cc88eeb349518655fb3631884f96fc50592a98dc2cffca64ef244f8421393ad0ea039ee16c994641b76ef2851bf3250f31

- C:\Users\Admin\AppData\Local\kuq1MBdV\DWWIN.EXE
  MD5: d23ce8aaa23b042a66a876009d0c4514
  SHA1: ff34a8e53b55acb18c2b87ab34d5adfb8d1e60f1
  SHA256: 611a508b865b3f2d29d5f60794e786929a89f2befb99be99d745238428f8a29a
  SHA512: 13c311d081dcddbd6bbd0ee2782045a273b8f881af11f5bc2bf2c7efb4d7d4361f239a5eedfdeaab9c5e23a7f51c7ac4e8571f6f48bc225368355c3104a6c09d

- C:\Users\Admin\AppData\Local\kuq1MBdV\VERSION.dll (also listed as \Users\Admin\AppData\Local\kuq1MBdV\VERSION.dll with identical hashes)
  MD5: 2ab5646ee2281b1aba93cb03f5ad70a5
  SHA1: 0236b18ba6ae68f239c224027267adae68d14e72
  SHA256: faa2146c0862421c7f758307b8cf421abaf0827db6b96c41e6bb4c12d3a4c3a8
  SHA512: b159b878b94d519c34e71181fcf864f632b0f078d1d45c99d2b4c9ad23dbc91a9f98f2522d834659edce0576b7c42e64c07efb416f7cb8bf10ac7b4dcb28c604

The two VERSION.dll files have different hashes, so each dropped directory received its own build of the side-loaded DLL.
Memory dumps (dump names encode pid-index-start-end; repeated ranges are grouped by index)

pid 532 (DWWIN.EXE)
  164                 0x0000000000000000                        mapping
  168                 0x0000000140000000-0x0000000140131000     1.2MB
  171, 172, 173       0x0000021B29660000-0x0000021B29662000     8KB

pid 860 (mfpmp.exe)
  153                 0x0000000000000000                        mapping
  157, 158, 162, 163  0x000001A281250000-0x000001A281252000     8KB
  159                 0x0000000140000000-0x0000000140132000     1.2MB

pid 2604 (rundll32.exe)
  118                 0x0000000140000000-0x0000000140130000     1.2MB
  121, 122            0x000001CA30BC0000-0x000001CA30BC2000     8KB
  123                 0x000001CA30BB0000-0x000001CA30BB7000     28KB

pid 3040 (process name not recorded)
  124                 0x00000000009B0000-0x00000000009B1000     4KB   (dridex_stager_shellcode YARA hit)
  125 to 142          0x0000000140000000-0x0000000140130000     1.2MB (18 dumps of the same range)
  148, 149, 151, 184  0x0000000000AF0000-0x0000000000AF2000     8KB
  150                 0x00007FFF20A75000-0x00007FFF20A76000     4KB
  152                 0x00007FFF20BB0000-0x00007FFF20BB2000     8KB

pid 3872 (AgentService.exe)
  174                 0x0000000000000000                        mapping
  181, 182, 183       0x000002AA98310000-0x000002AA98312000     8KB
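The dump list is easiest to read once grouped by base address: a roughly 1.2MB region at 0x140000000 (the Microsoft linker's default image base for 64-bit executables, and the size of the submitted DLL) was dumped from rundll32.exe (2604), from the unnamed pid 3040, and from both dropped lures (860, 532), while the 4KB dridex_stager_shellcode hit is a separate region in 3040 only. The script below is an added example, not part of the report; DUMP_NAMES repeats a subset of the dump names listed on this page, and the naming pattern it parses is the page's own.

```python
"""Triage of a sandbox memory-dump listing: which processes share a region.

Added example; not part of the report.  DUMP_NAMES is a subset copied from
the dump list on this page (pattern memory/<pid>-<index>-<start>-<end>).
"""
import re
from collections import defaultdict

DUMP_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")
MAPPING_RE = re.compile(r"memory/(\d+)-(\d+)-0x0+-mapping\.dmp")

DUMP_NAMES = [
    "memory/2604-118-0x0000000140000000-0x0000000140130000-memory.dmp",
    "memory/2604-123-0x000001CA30BB0000-0x000001CA30BB7000-memory.dmp",
    "memory/3040-124-0x00000000009B0000-0x00000000009B1000-memory.dmp",
    "memory/3040-125-0x0000000140000000-0x0000000140130000-memory.dmp",
    "memory/3040-126-0x0000000140000000-0x0000000140130000-memory.dmp",
    "memory/3040-150-0x00007FFF20A75000-0x00007FFF20A76000-memory.dmp",
    "memory/860-153-0x0000000000000000-mapping.dmp",
    "memory/860-159-0x0000000140000000-0x0000000140132000-memory.dmp",
    "memory/532-164-0x0000000000000000-mapping.dmp",
    "memory/532-168-0x0000000140000000-0x0000000140131000-memory.dmp",
    "memory/3872-181-0x000002AA98310000-0x000002AA98312000-memory.dmp",
]


def parse_dump(name):
    """Split a dump name into pid, index, start and end; mapping dumps carry end=None."""
    m = DUMP_RE.fullmatch(name)
    if m:
        pid, idx, start, end = m.groups()
        return {"pid": int(pid), "index": int(idx), "start": int(start, 16), "end": int(end, 16)}
    m = MAPPING_RE.fullmatch(name)
    if m:
        return {"pid": int(m.group(1)), "index": int(m.group(2)), "start": 0, "end": None}
    raise ValueError("unrecognised dump name: " + name)


def shared_regions(names, min_pids=2):
    """Map base address -> {pid: size} for bases dumped from at least min_pids processes.

    The same base is often dumped repeatedly from one process (pid 3040 has 18
    dumps of 0x140000000 on this page); only the largest size per pid is kept.
    """
    by_base = defaultdict(dict)
    for d in map(parse_dump, names):
        if d["end"] is None:
            continue
        size = d["end"] - d["start"]
        by_base[d["start"]][d["pid"]] = max(size, by_base[d["start"]].get(d["pid"], 0))
    return {base: pids for base, pids in by_base.items() if len(pids) >= min_pids}


if __name__ == "__main__":
    for base, pids in shared_regions(DUMP_NAMES).items():
        print(hex(base), {pid: hex(size) for pid, size in pids.items()})
```

On this listing the only shared base is 0x140000000, present in pids 2604, 3040, 860 and 532 with sizes between 0x130000 and 0x132000 bytes, which is the quickest way to see that the same image was mapped into rundll32.exe, the unnamed 3040 and both lures. Cross-process presence of one image at one base, combined with the WriteProcessMemory entries from 3040 into 860 and 532, is what makes those dumps the right ones to carve for the unpacked payload.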