Analysis

  • max time kernel
    158s
  • max time network
    132s
  • platform
    windows10_x64
  • resource
    win10-en-20211104
  • submitted
    26-11-2021 09:31

General

  • Target

    551ffee108503aaa811686e21a22388d509a652f7f4876a12de86092e19c596c.dll

  • Size

    1.2MB

  • MD5

    0cea842b15be5b2e537ddfed28706abe

  • SHA1

    510fd4fba4122a2d5cea810cb8d90493ef9570e4

  • SHA256

    551ffee108503aaa811686e21a22388d509a652f7f4876a12de86092e19c596c

  • SHA512

    3aa534022e692349519019fdce5fd1b74aeea0f22e627627c795970deded152881d3ac3cab391e85fd0330b1cd91ed216c80a0a9b08a464ce59ac8a6dfea9960

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing banking credentials.

  • Dridex Shellcode (1 IoC)

    Detects Dridex payload shellcode injected into the Explorer process.

  • Executes dropped EXE (3 IoCs)
  • Loads dropped DLL (3 IoCs)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Checks whether UAC is enabled (1 TTP, 4 IoCs)
  • Modifies registry class (2 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (5 IoCs)
  • Suspicious use of AdjustPrivilegeToken (4 IoCs)
  • Suspicious use of WriteProcessMemory (12 IoCs)

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\551ffee108503aaa811686e21a22388d509a652f7f4876a12de86092e19c596c.dll,#1
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    PID:2604
  • C:\Windows\system32\mfpmp.exe
    C:\Windows\system32\mfpmp.exe
    PID:656
    • C:\Users\Admin\AppData\Local\BHTP\mfpmp.exe
      C:\Users\Admin\AppData\Local\BHTP\mfpmp.exe
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      • Suspicious behavior: GetForegroundWindowSpam
      PID:860
    • C:\Windows\system32\DWWIN.EXE
      C:\Windows\system32\DWWIN.EXE
      PID:596
      • C:\Users\Admin\AppData\Local\kuq1MBdV\DWWIN.EXE
        C:\Users\Admin\AppData\Local\kuq1MBdV\DWWIN.EXE
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        • Suspicious behavior: GetForegroundWindowSpam
        PID:532
      • C:\Windows\system32\AgentService.exe
        C:\Windows\system32\AgentService.exe
        PID:1076
        • C:\Users\Admin\AppData\Local\beCOQSGa\AgentService.exe
          C:\Users\Admin\AppData\Local\beCOQSGa\AgentService.exe
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          • Suspicious behavior: GetForegroundWindowSpam
          PID:3872

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic           Technique                            Count  ID
  Persistence      Registry Run Keys / Startup Folder   1      T1060
  Defense Evasion  Modify Registry                      1      T1112
  Discovery        System Information Discovery         1      T1082

Downloads

        • C:\Users\Admin\AppData\Local\BHTP\MFPlat.DLL
          MD5

          0ca7570843bc237a8959c5a059f6145e

          SHA1

          899a5b10c91eeecd1a00e9e71999960f4e4115d0

          SHA256

          40e2dd935dcaec6afe2815cfd401abeca812f915ee9c75864f5513360466c7bc

          SHA512

          557b9f8c53488aa392fb9ec423f9c7426f42138578108b39dd2dcaa93c727919d1c65bfa8162e30b44cba59b102703d9eb5cfab39431597e2415d2479beafc86

        • C:\Users\Admin\AppData\Local\BHTP\mfpmp.exe
          MD5

          0a51780965f4a75557ac6b1a710a7c7b

          SHA1

          30e7be939ada607cbafd07261da463396878f4f5

          SHA256

          45b8b316c617f703af064aafab9a35c465d5f7835b758995e82ac0dedbaad037

          SHA512

          e62c2252b66809cca9e7f625392ef09891eba1eec3c210798684a9c71a9c5315598ca259c8ebd09af5d8aaf94261fca91f30bd0dd22a917d5287e9443ae18326

        • C:\Users\Admin\AppData\Local\beCOQSGa\AgentService.exe
          MD5

          5f1da3635c2f6b74ebfdebfc747b63b5

          SHA1

          8c26309d2bad1b97195a408d9a742c61942a09d1

          SHA256

          1b456b777c5099a67e405fef20b5cbcb24c6fce9ed7a5a421c6574618364fd47

          SHA512

          9d122a0388484844a6646a27d359532b437e10fa412b075597183b7bc8cbb4e3593eb193c25e0b81dc62b3098d340d6bdc53733e08ee6657c82d11ba32fe2d32

        • C:\Users\Admin\AppData\Local\beCOQSGa\VERSION.dll
          MD5

          2b3cf115827008b47e11dae21b8df733

          SHA1

          c9a2957a907c4f93d2ec08691ba6496e8396f8ac

          SHA256

          cc11c4b670ae403c3600e10ebf295f10debec5a38cb076bb10d32005adfba707

          SHA512

          e7244aee872ae5044dac550dc344b2cc88eeb349518655fb3631884f96fc50592a98dc2cffca64ef244f8421393ad0ea039ee16c994641b76ef2851bf3250f31

        • C:\Users\Admin\AppData\Local\kuq1MBdV\DWWIN.EXE
          MD5

          d23ce8aaa23b042a66a876009d0c4514

          SHA1

          ff34a8e53b55acb18c2b87ab34d5adfb8d1e60f1

          SHA256

          611a508b865b3f2d29d5f60794e786929a89f2befb99be99d745238428f8a29a

          SHA512

          13c311d081dcddbd6bbd0ee2782045a273b8f881af11f5bc2bf2c7efb4d7d4361f239a5eedfdeaab9c5e23a7f51c7ac4e8571f6f48bc225368355c3104a6c09d

        • C:\Users\Admin\AppData\Local\kuq1MBdV\VERSION.dll
          MD5

          2ab5646ee2281b1aba93cb03f5ad70a5

          SHA1

          0236b18ba6ae68f239c224027267adae68d14e72

          SHA256

          faa2146c0862421c7f758307b8cf421abaf0827db6b96c41e6bb4c12d3a4c3a8

          SHA512

          b159b878b94d519c34e71181fcf864f632b0f078d1d45c99d2b4c9ad23dbc91a9f98f2522d834659edce0576b7c42e64c07efb416f7cb8bf10ac7b4dcb28c604

        • \Users\Admin\AppData\Local\BHTP\MFPlat.DLL
          MD5

          0ca7570843bc237a8959c5a059f6145e

          SHA1

          899a5b10c91eeecd1a00e9e71999960f4e4115d0

          SHA256

          40e2dd935dcaec6afe2815cfd401abeca812f915ee9c75864f5513360466c7bc

          SHA512

          557b9f8c53488aa392fb9ec423f9c7426f42138578108b39dd2dcaa93c727919d1c65bfa8162e30b44cba59b102703d9eb5cfab39431597e2415d2479beafc86

        • \Users\Admin\AppData\Local\beCOQSGa\VERSION.dll
          MD5

          2b3cf115827008b47e11dae21b8df733

          SHA1

          c9a2957a907c4f93d2ec08691ba6496e8396f8ac

          SHA256

          cc11c4b670ae403c3600e10ebf295f10debec5a38cb076bb10d32005adfba707

          SHA512

          e7244aee872ae5044dac550dc344b2cc88eeb349518655fb3631884f96fc50592a98dc2cffca64ef244f8421393ad0ea039ee16c994641b76ef2851bf3250f31

        • \Users\Admin\AppData\Local\kuq1MBdV\VERSION.dll
          MD5

          2ab5646ee2281b1aba93cb03f5ad70a5

          SHA1

          0236b18ba6ae68f239c224027267adae68d14e72

          SHA256

          faa2146c0862421c7f758307b8cf421abaf0827db6b96c41e6bb4c12d3a4c3a8

          SHA512

          b159b878b94d519c34e71181fcf864f632b0f078d1d45c99d2b4c9ad23dbc91a9f98f2522d834659edce0576b7c42e64c07efb416f7cb8bf10ac7b4dcb28c604

        • memory/532-164-0x0000000000000000-mapping.dmp
        • memory/532-172-0x0000021B29660000-0x0000021B29662000-memory.dmp
          Filesize

          8KB

        • memory/532-173-0x0000021B29660000-0x0000021B29662000-memory.dmp
          Filesize

          8KB

        • memory/532-171-0x0000021B29660000-0x0000021B29662000-memory.dmp
          Filesize

          8KB

        • memory/532-168-0x0000000140000000-0x0000000140131000-memory.dmp
          Filesize

          1.2MB

        • memory/860-159-0x0000000140000000-0x0000000140132000-memory.dmp
          Filesize

          1.2MB

        • memory/860-163-0x000001A281250000-0x000001A281252000-memory.dmp
          Filesize

          8KB

        • memory/860-162-0x000001A281250000-0x000001A281252000-memory.dmp
          Filesize

          8KB

        • memory/860-158-0x000001A281250000-0x000001A281252000-memory.dmp
          Filesize

          8KB

        • memory/860-157-0x000001A281250000-0x000001A281252000-memory.dmp
          Filesize

          8KB

        • memory/860-153-0x0000000000000000-mapping.dmp
        • memory/2604-123-0x000001CA30BB0000-0x000001CA30BB7000-memory.dmp
          Filesize

          28KB

        • memory/2604-118-0x0000000140000000-0x0000000140130000-memory.dmp
          Filesize

          1.2MB

        • memory/2604-122-0x000001CA30BC0000-0x000001CA30BC2000-memory.dmp
          Filesize

          8KB

        • memory/2604-121-0x000001CA30BC0000-0x000001CA30BC2000-memory.dmp
          Filesize

          8KB

        • memory/3040-133-0x0000000140000000-0x0000000140130000-memory.dmp
          Filesize

          1.2MB

        • memory/3040-132-0x0000000140000000-0x0000000140130000-memory.dmp
          Filesize

          1.2MB

        • memory/3040-151-0x0000000000AF0000-0x0000000000AF2000-memory.dmp
          Filesize

          8KB

        • memory/3040-152-0x00007FFF20BB0000-0x00007FFF20BB2000-memory.dmp
          Filesize

          8KB

        • memory/3040-149-0x0000000000AF0000-0x0000000000AF2000-memory.dmp
          Filesize

          8KB

        • memory/3040-148-0x0000000000AF0000-0x0000000000AF2000-memory.dmp
          Filesize

          8KB

        • memory/3040-142-0x0000000140000000-0x0000000140130000-memory.dmp
          Filesize

          1.2MB

        • memory/3040-141-0x0000000140000000-0x0000000140130000-memory.dmp
          Filesize

          1.2MB

        • memory/3040-140-0x0000000140000000-0x0000000140130000-memory.dmp
          Filesize

          1.2MB

        • memory/3040-139-0x0000000140000000-0x0000000140130000-memory.dmp
          Filesize

          1.2MB

        • memory/3040-135-0x0000000140000000-0x0000000140130000-memory.dmp
          Filesize

          1.2MB

        • memory/3040-137-0x0000000140000000-0x0000000140130000-memory.dmp
          Filesize

          1.2MB

        • memory/3040-138-0x0000000140000000-0x0000000140130000-memory.dmp
          Filesize

          1.2MB

        • memory/3040-136-0x0000000140000000-0x0000000140130000-memory.dmp
          Filesize

          1.2MB

        • memory/3040-134-0x0000000140000000-0x0000000140130000-memory.dmp
          Filesize

          1.2MB

        • memory/3040-150-0x00007FFF20A75000-0x00007FFF20A76000-memory.dmp
          Filesize

          4KB

        • memory/3040-131-0x0000000140000000-0x0000000140130000-memory.dmp
          Filesize

          1.2MB

        • memory/3040-130-0x0000000140000000-0x0000000140130000-memory.dmp
          Filesize

          1.2MB

        • memory/3040-129-0x0000000140000000-0x0000000140130000-memory.dmp
          Filesize

          1.2MB

        • memory/3040-128-0x0000000140000000-0x0000000140130000-memory.dmp
          Filesize

          1.2MB

        • memory/3040-127-0x0000000140000000-0x0000000140130000-memory.dmp
          Filesize

          1.2MB

        • memory/3040-184-0x0000000000AF0000-0x0000000000AF2000-memory.dmp
          Filesize

          8KB

        • memory/3040-126-0x0000000140000000-0x0000000140130000-memory.dmp
          Filesize

          1.2MB

        • memory/3040-125-0x0000000140000000-0x0000000140130000-memory.dmp
          Filesize

          1.2MB

        • memory/3040-124-0x00000000009B0000-0x00000000009B1000-memory.dmp
          Filesize

          4KB

        • memory/3872-181-0x000002AA98310000-0x000002AA98312000-memory.dmp
          Filesize

          8KB

        • memory/3872-182-0x000002AA98310000-0x000002AA98312000-memory.dmp
          Filesize

          8KB

        • memory/3872-183-0x000002AA98310000-0x000002AA98312000-memory.dmp
          Filesize

          8KB

        • memory/3872-174-0x0000000000000000-mapping.dmp