77869beb8d5f5f603adcfb5e43d8e0255d5f23da1eca88f3f9623018f95acfcf

General

Target: 77869beb8d5f5f603adcfb5e43d8e0255d5f23da1eca88f3f9623018f95acfcf.dll
Filesize: 1MB
Completed: 26-11-2021 09:34
Score: 10/10
MD5: ead4d749d5722a1c662bce029828c556
SHA1: acb3bd23f749a53eb8c7ce63eae97cc7d613142c
SHA256: 77869beb8d5f5f603adcfb5e43d8e0255d5f23da1eca88f3f9623018f95acfcf

Signatures (9)

Tactics: Defense Evasion, Discovery, Persistence
  • Dridex

    Description

    Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode

    Description

    Detects Dridex payload shellcode injected into the Explorer process.

    Reported IOCs

    resource | yara_rule
    behavioral1/memory/1412-59-0x00000000029A0000-0x00000000029A1000-memory.dmp | dridex_stager_shellcode
  • Executes dropped EXE
    SystemPropertiesDataExecutionPrevention.exe, mspaint.exe, MpSigStub.exe

    Reported IOCs

    pid | process
    1768 | SystemPropertiesDataExecutionPrevention.exe
    1556 | mspaint.exe
    1712 | MpSigStub.exe
  • Loads dropped DLL
    SystemPropertiesDataExecutionPrevention.exe, mspaint.exe, MpSigStub.exe

    Reported IOCs

    pid | process
    1412 |
    1768 | SystemPropertiesDataExecutionPrevention.exe
    1412 |
    1556 | mspaint.exe
    1412 |
    1712 | MpSigStub.exe
    1412 |
  • Adds Run key to start application

    TTPs

    Registry Run Keys / Startup Folder, Modify Registry

    Reported IOCs

    description | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows\CurrentVersion\Run\Gpavvclvseucyal = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\xu4\\mspaint.exe" |
  • Checks whether UAC is enabled
    rundll32.exe, SystemPropertiesDataExecutionPrevention.exe, mspaint.exe, MpSigStub.exe

    TTPs

    System Information Discovery

    Reported IOCs

    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | SystemPropertiesDataExecutionPrevention.exe
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | mspaint.exe
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | MpSigStub.exe
  • Suspicious behavior: EnumeratesProcesses
    rundll32.exe

    Reported IOCs

    pid | process
    1668 | rundll32.exe
    1412 |
  • Suspicious behavior: GetForegroundWindowSpam
    rundll32.exe, SystemPropertiesDataExecutionPrevention.exe, mspaint.exe, MpSigStub.exe

    Reported IOCs

    pid | process
    1668 | rundll32.exe
    1412 |
    1768 | SystemPropertiesDataExecutionPrevention.exe
    1556 | mspaint.exe
    1712 | MpSigStub.exe
  • Suspicious use of WriteProcessMemory

    Reported IOCs

    description | pid | process | target process
    PID 1412 wrote to memory of 1500 | 1412 | | SystemPropertiesDataExecutionPrevention.exe
    PID 1412 wrote to memory of 1768 | 1412 | | SystemPropertiesDataExecutionPrevention.exe
    PID 1412 wrote to memory of 1008 | 1412 | | mspaint.exe
    PID 1412 wrote to memory of 1556 | 1412 | | mspaint.exe
    PID 1412 wrote to memory of 1912 | 1412 | | MpSigStub.exe
    PID 1412 wrote to memory of 1712 | 1412 | | MpSigStub.exe
Processes (7)
  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\77869beb8d5f5f603adcfb5e43d8e0255d5f23da1eca88f3f9623018f95acfcf.dll,#1
    Checks whether UAC is enabled
    Suspicious behavior: EnumeratesProcesses
    Suspicious behavior: GetForegroundWindowSpam
    PID:1668
  • C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
    C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
    PID:1500
  • C:\Users\Admin\AppData\Local\Wbj\SystemPropertiesDataExecutionPrevention.exe
    C:\Users\Admin\AppData\Local\Wbj\SystemPropertiesDataExecutionPrevention.exe
    Executes dropped EXE
    Loads dropped DLL
    Checks whether UAC is enabled
    Suspicious behavior: GetForegroundWindowSpam
    PID:1768
  • C:\Windows\system32\mspaint.exe
    C:\Windows\system32\mspaint.exe
    PID:1008
  • C:\Users\Admin\AppData\Local\uBA4ZYa\mspaint.exe
    C:\Users\Admin\AppData\Local\uBA4ZYa\mspaint.exe
    Executes dropped EXE
    Loads dropped DLL
    Checks whether UAC is enabled
    Suspicious behavior: GetForegroundWindowSpam
    PID:1556
  • C:\Windows\system32\MpSigStub.exe
    C:\Windows\system32\MpSigStub.exe
    PID:1912
  • C:\Users\Admin\AppData\Local\QLA7K6M8y\MpSigStub.exe
    C:\Users\Admin\AppData\Local\QLA7K6M8y\MpSigStub.exe
    Executes dropped EXE
    Loads dropped DLL
    Checks whether UAC is enabled
    Suspicious behavior: GetForegroundWindowSpam
    PID:1712
Downloads

  • C:\Users\Admin\AppData\Local\QLA7K6M8y\MpSigStub.exe
  • C:\Users\Admin\AppData\Local\QLA7K6M8y\VERSION.dll
  • C:\Users\Admin\AppData\Local\Wbj\SYSDM.CPL
  • C:\Users\Admin\AppData\Local\Wbj\SystemPropertiesDataExecutionPrevention.exe
  • C:\Users\Admin\AppData\Local\uBA4ZYa\MFC42u.dll
  • C:\Users\Admin\AppData\Local\uBA4ZYa\mspaint.exe
  • \Users\Admin\AppData\Roaming\Microsoft\Protect\6kz2YxUn\MpSigStub.exe
