77869beb8d5f5f603adcfb5e43d8e0255d5f23da1eca88f3f9623018f95acfcf

General

Target:     77869beb8d5f5f603adcfb5e43d8e0255d5f23da1eca88f3f9623018f95acfcf.dll
Filesize:   1MB
Completed:  26-11-2021 09:34
Score:      10/10
MD5:        ead4d749d5722a1c662bce029828c556
SHA1:       acb3bd23f749a53eb8c7ce63eae97cc7d613142c
SHA256:     77869beb8d5f5f603adcfb5e43d8e0255d5f23da1eca88f3f9623018f95acfcf

Malware Config
Signatures 10

Tactics: Defense Evasion, Discovery, Persistence

  • Dridex

    Description

    Dridex (known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode

    Description

    Detects Dridex payload shellcode injected into the Explorer process.

    Reported IOCs

    resource                                                                      yara_rule
    behavioral2/memory/3040-124-0x0000000000CE0000-0x0000000000CE1000-memory.dmp  dridex_stager_shellcode
  • Executes dropped EXE
    rstrui.exe, rstrui.exe, bdeunlock.exe

    Reported IOCs

    pid    process
    416    rstrui.exe
    860    rstrui.exe
    3020   bdeunlock.exe
  • Loads dropped DLL
    rstrui.exe, rstrui.exe, bdeunlock.exe

    Reported IOCs

    pid    process
    416    rstrui.exe
    860    rstrui.exe
    860    rstrui.exe
    3020   bdeunlock.exe
  • Adds Run key to start application

    TTPs

    Registry Run Keys / Startup Folder, Modify Registry

    Reported IOCs

    description:  Set value (str)
    ioc:          \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ziekmjidk = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\SYSTEM~1\\e7Ys\\rstrui.exe"
  • Checks whether UAC is enabled
    rstrui.exe, rstrui.exe, bdeunlock.exe, rundll32.exe

    TTPs

    System Information Discovery

    Reported IOCs

    description        ioc                                                                                    process
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rstrui.exe
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rstrui.exe
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  bdeunlock.exe
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe
  • Modifies registry class

    Reported IOCs

    description  ioc
    Key created  \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance
    Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance
  • Suspicious behavior: EnumeratesProcesses
    rundll32.exe

    Reported IOCs

    pid    process
    2636   rundll32.exe
    2636   rundll32.exe
    2636   rundll32.exe
    2636   rundll32.exe
    3040   (no process name recorded; this row is repeated 60 times in the report)
  • Suspicious behavior: GetForegroundWindowSpam
    rundll32.exe, rstrui.exe, rstrui.exe, bdeunlock.exe

    Reported IOCs

    pid    process
    2636   rundll32.exe
    3040
    416    rstrui.exe
    860    rstrui.exe
    3020   bdeunlock.exe
  • Suspicious use of WriteProcessMemory

    Reported IOCs

    description                         pid    process  target process
    PID 3040 wrote to memory of 292     3040            rstrui.exe
    PID 3040 wrote to memory of 292     3040            rstrui.exe
    PID 3040 wrote to memory of 416     3040            rstrui.exe
    PID 3040 wrote to memory of 416     3040            rstrui.exe
    PID 3040 wrote to memory of 640     3040            rstrui.exe
    PID 3040 wrote to memory of 640     3040            rstrui.exe
    PID 3040 wrote to memory of 860     3040            rstrui.exe
    PID 3040 wrote to memory of 860     3040            rstrui.exe
    PID 3040 wrote to memory of 3568    3040            bdeunlock.exe
    PID 3040 wrote to memory of 3568    3040            bdeunlock.exe
    PID 3040 wrote to memory of 3020    3040            bdeunlock.exe
    PID 3040 wrote to memory of 3020    3040            bdeunlock.exe
Processes 7
  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\77869beb8d5f5f603adcfb5e43d8e0255d5f23da1eca88f3f9623018f95acfcf.dll,#1
    Checks whether UAC is enabled
    Suspicious behavior: EnumeratesProcesses
    Suspicious behavior: GetForegroundWindowSpam
    PID:2636
  • C:\Windows\system32\rstrui.exe
    C:\Windows\system32\rstrui.exe
    PID:292
  • C:\Users\Admin\AppData\Local\xD2c\rstrui.exe
    C:\Users\Admin\AppData\Local\xD2c\rstrui.exe
    Executes dropped EXE
    Loads dropped DLL
    Checks whether UAC is enabled
    Suspicious behavior: GetForegroundWindowSpam
    PID:416
  • C:\Windows\system32\rstrui.exe
    C:\Windows\system32\rstrui.exe
    PID:640
  • C:\Users\Admin\AppData\Local\eq7PhSwg\rstrui.exe
    C:\Users\Admin\AppData\Local\eq7PhSwg\rstrui.exe
    Executes dropped EXE
    Loads dropped DLL
    Checks whether UAC is enabled
    Suspicious behavior: GetForegroundWindowSpam
    PID:860
  • C:\Windows\system32\bdeunlock.exe
    C:\Windows\system32\bdeunlock.exe
    PID:3568
  • C:\Users\Admin\AppData\Local\X4yEq\bdeunlock.exe
    C:\Users\Admin\AppData\Local\X4yEq\bdeunlock.exe
    Executes dropped EXE
    Loads dropped DLL
    Checks whether UAC is enabled
    Suspicious behavior: GetForegroundWindowSpam
    PID:3020
Network
MITRE ATT&CK Matrix
Downloads
  • C:\Users\Admin\AppData\Local\X4yEq\DUser.dll
    MD5:     0d4e23efe54925a8c08526f36d212f1b
    SHA1:    a3e0eb2a008726fa287f1ebd2cd9444abcbc90d1
    SHA256:  04dfdf46d35c807f4fcd061067f8fe64533beee765570f654feafbef83e514ee
    SHA512:  743899e3af24b9e576396db26b173fa462dcc559b6bff7d41c80ec4c83123dea88fa1a9a72fed072a8249b7a08e8be53279e9db50b7b03c2005ba31c98b9ad56

  • C:\Users\Admin\AppData\Local\X4yEq\bdeunlock.exe
    MD5:     99aff8e54d3b41aee863a8256d31fb83
    SHA1:    b2f48c802a43e3e420cbc12c16d2277769631159
    SHA256:  c1d9fd2a52ccf1cc1e587fc598c2848778107b902d492749e1ec1a7b777bead6
    SHA512:  616179c5b4e94a05c101ab4d3a227f80789966c9e18c56ad5587dfe0f96c0e36b522512b126ffefedab585e85ea90ba61726f4e585dca0e894adb1bf8a742127

  • C:\Users\Admin\AppData\Local\eq7PhSwg\SPP.dll
    MD5:     bf3a4b052263754cbc24985c331e8149
    SHA1:    c9c85c2e33d469b375b815c1c1f30cfc61ea11ba
    SHA256:  1a7b3c2e65a9b884cc2450e88f0589610ad04e8178c4451670556502030d35b2
    SHA512:  53285c19f48f6a2596dfe6d9cff779968c75528bca1c38a41acdc2d7e71fce1e1db8e65b986d9d6e5ec001e23a84a542757c87b0c97b41fe4aa093f450a8ae53

  • C:\Users\Admin\AppData\Local\eq7PhSwg\rstrui.exe
    MD5:     c0167cf19678a97a78a675ef18b7fc85
    SHA1:    f7589dcdff216ca879dba1d68764b2cf69652d3b
    SHA256:  b1aacd2735f524f8460c031a4f66e78fb09cffbc7350fac5695d448a287fb7cb
    SHA512:  f71ca6d233784312dce0e5867d2710de40c738bb567aac212ccd78804176ac51b9ae82bc2ba0498cdd24893f3d3fa6cfddd0d7a9d2c1bd9148916961d6ee0c44

  • C:\Users\Admin\AppData\Local\xD2c\SRCORE.dll
    MD5:     bd9e93dcd8ef67407ad807d36f62dad7
    SHA1:    acb902267b1e3b8687193ce574ea0ad25484475e
    SHA256:  b65f8c5145fba4c8f15547cbb121c6cf421891984627986815e26103f8b295aa
    SHA512:  384f04da0c85fa2d96835bb42354aec737a9fc4823eced054e097bbd7478f9184aab19583ae249c0af4c12146211ccb011bbe43ee4e96edd0f82ce48822ff9f6

  • C:\Users\Admin\AppData\Local\xD2c\rstrui.exe
    MD5:     c0167cf19678a97a78a675ef18b7fc85
    SHA1:    f7589dcdff216ca879dba1d68764b2cf69652d3b
    SHA256:  b1aacd2735f524f8460c031a4f66e78fb09cffbc7350fac5695d448a287fb7cb
    SHA512:  f71ca6d233784312dce0e5867d2710de40c738bb567aac212ccd78804176ac51b9ae82bc2ba0498cdd24893f3d3fa6cfddd0d7a9d2c1bd9148916961d6ee0c44

