77869beb8d5f5f603adcfb5e43d8e0255d5f23da1eca88f3f9623018f95acfcf

max time kernel155s
max time network156s
platformwindows10_x64
resourcewin10-en-20211104
submitted26-11-2021 09:31

Report
Files
Registry
Network
Processes
Mutex
Misc

Target

77869beb8d5f5f603adcfb5e43d8e0255d5f23da1eca88f3f9623018f95acfcf.dll

Filesize

1MB

Completed

26-11-2021 09:34

Score

10^/10

MD5

ead4d749d5722a1c662bce029828c556

SHA1

acb3bd23f749a53eb8c7ce63eae97cc7d613142c

SHA256

77869beb8d5f5f603adcfb5e43d8e0255d5f23da1eca88f3f9623018f95acfcf

Defense Evasion

Discovery

Persistence

Dridex

Description

Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

Tags

botnet dridex
Dridex Shellcode

Description

Detects Dridex Payload shellcode injected in Explorer process.

Tags

botnet payload

Reported IOCs

resource yara_rule

behavioral2/memory/3040-124-0x0000000000CE0000-0x0000000000CE1000-memory.dmp dridex_stager_shellcode
Executes dropped EXE
rstrui.exerstrui.exebdeunlock.exe

Reported IOCs

pid process

416 rstrui.exe
860 rstrui.exe
3020 bdeunlock.exe
Loads dropped DLL
rstrui.exerstrui.exebdeunlock.exe

Reported IOCs

pid process

416 rstrui.exe
860 rstrui.exe
860 rstrui.exe
3020 bdeunlock.exe

resource	yara_rule
behavioral2/memory/3040-124-0x0000000000CE0000-0x0000000000CE1000-memory.dmp	dridex_stager_shellcode

pid	process
416	rstrui.exe
860	rstrui.exe
3020	bdeunlock.exe

pid	process
416	rstrui.exe
860	rstrui.exe
860	rstrui.exe
3020	bdeunlock.exe

Adds Run key to start application

TTPs

Registry Run Keys / Startup FolderModify Registry

Reported IOCs

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ziekmjidk = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\SYSTEM~1\\e7Ys\\rstrui.exe"

Checks whether UAC is enabled

rstrui.exerstrui.exebdeunlock.exerundll32.exe

TTPs

System Information Discovery

Reported IOCs

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rstrui.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rstrui.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bdeunlock.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe

Modifies registry class

Reported IOCs

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance

Suspicious behavior: EnumeratesProcesses

rundll32.exe

Reported IOCs

pid	process
2636	rundll32.exe
2636	rundll32.exe
2636	rundll32.exe
2636	rundll32.exe
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040

Suspicious behavior: GetForegroundWindowSpam
rundll32.exerstrui.exerstrui.exebdeunlock.exe

Reported IOCs

pid process

2636 rundll32.exe
3040
416 rstrui.exe
860 rstrui.exe
3020 bdeunlock.exe

Suspicious use of WriteProcessMemory

Reported IOCs

description	pid	target process
PID 3040 wrote to memory of 292	3040	rstrui.exe
PID 3040 wrote to memory of 292	3040	rstrui.exe
PID 3040 wrote to memory of 416	3040	rstrui.exe
PID 3040 wrote to memory of 416	3040	rstrui.exe
PID 3040 wrote to memory of 640	3040	rstrui.exe
PID 3040 wrote to memory of 640	3040	rstrui.exe
PID 3040 wrote to memory of 860	3040	rstrui.exe
PID 3040 wrote to memory of 860	3040	rstrui.exe
PID 3040 wrote to memory of 3568	3040	bdeunlock.exe
PID 3040 wrote to memory of 3568	3040	bdeunlock.exe
PID 3040 wrote to memory of 3020	3040	bdeunlock.exe
PID 3040 wrote to memory of 3020	3040	bdeunlock.exe

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\77869beb8d5f5f603adcfb5e43d8e0255d5f23da1eca88f3f9623018f95acfcf.dll,#1

Checks whether UAC is enabled
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam

PID:2636

C:\Windows\system32\rstrui.exe

C:\Windows\system32\rstrui.exe

PID:292

C:\Users\Admin\AppData\Local\xD2c\rstrui.exe

C:\Users\Admin\AppData\Local\xD2c\rstrui.exe

Executes dropped EXE
Loads dropped DLL
Checks whether UAC is enabled
Suspicious behavior: GetForegroundWindowSpam

PID:416

C:\Windows\system32\rstrui.exe

C:\Windows\system32\rstrui.exe

PID:640

C:\Users\Admin\AppData\Local\eq7PhSwg\rstrui.exe

C:\Users\Admin\AppData\Local\eq7PhSwg\rstrui.exe

Executes dropped EXE
Loads dropped DLL
Checks whether UAC is enabled
Suspicious behavior: GetForegroundWindowSpam

PID:860

C:\Windows\system32\bdeunlock.exe

C:\Windows\system32\bdeunlock.exe

PID:3568

C:\Users\Admin\AppData\Local\X4yEq\bdeunlock.exe

C:\Users\Admin\AppData\Local\X4yEq\bdeunlock.exe

Executes dropped EXE
Loads dropped DLL
Checks whether UAC is enabled
Suspicious behavior: GetForegroundWindowSpam

PID:3020

Collection

Command and Control

Credential Access

Defense Evasion

Modify Registry

Discovery

System Information Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

00:00 00:00

C:\Users\Admin\AppData\Local\X4yEq\DUser.dll
MD5
0d4e23efe54925a8c08526f36d212f1b

SHA1
a3e0eb2a008726fa287f1ebd2cd9444abcbc90d1

SHA256
04dfdf46d35c807f4fcd061067f8fe64533beee765570f654feafbef83e514ee

SHA512
743899e3af24b9e576396db26b173fa462dcc559b6bff7d41c80ec4c83123dea88fa1a9a72fed072a8249b7a08e8be53279e9db50b7b03c2005ba31c98b9ad56

Download Submit
C:\Users\Admin\AppData\Local\X4yEq\bdeunlock.exe
MD5
99aff8e54d3b41aee863a8256d31fb83

SHA1
b2f48c802a43e3e420cbc12c16d2277769631159

SHA256
c1d9fd2a52ccf1cc1e587fc598c2848778107b902d492749e1ec1a7b777bead6

SHA512
616179c5b4e94a05c101ab4d3a227f80789966c9e18c56ad5587dfe0f96c0e36b522512b126ffefedab585e85ea90ba61726f4e585dca0e894adb1bf8a742127

Download Submit
C:\Users\Admin\AppData\Local\eq7PhSwg\SPP.dll
MD5
bf3a4b052263754cbc24985c331e8149

SHA1
c9c85c2e33d469b375b815c1c1f30cfc61ea11ba

SHA256
1a7b3c2e65a9b884cc2450e88f0589610ad04e8178c4451670556502030d35b2

SHA512
53285c19f48f6a2596dfe6d9cff779968c75528bca1c38a41acdc2d7e71fce1e1db8e65b986d9d6e5ec001e23a84a542757c87b0c97b41fe4aa093f450a8ae53

Download Submit
C:\Users\Admin\AppData\Local\eq7PhSwg\rstrui.exe
MD5
c0167cf19678a97a78a675ef18b7fc85

SHA1
f7589dcdff216ca879dba1d68764b2cf69652d3b

SHA256
b1aacd2735f524f8460c031a4f66e78fb09cffbc7350fac5695d448a287fb7cb

SHA512
f71ca6d233784312dce0e5867d2710de40c738bb567aac212ccd78804176ac51b9ae82bc2ba0498cdd24893f3d3fa6cfddd0d7a9d2c1bd9148916961d6ee0c44

Download Submit
C:\Users\Admin\AppData\Local\xD2c\SRCORE.dll
MD5
bd9e93dcd8ef67407ad807d36f62dad7

SHA1
acb902267b1e3b8687193ce574ea0ad25484475e

SHA256
b65f8c5145fba4c8f15547cbb121c6cf421891984627986815e26103f8b295aa

SHA512
384f04da0c85fa2d96835bb42354aec737a9fc4823eced054e097bbd7478f9184aab19583ae249c0af4c12146211ccb011bbe43ee4e96edd0f82ce48822ff9f6

Download Submit
C:\Users\Admin\AppData\Local\xD2c\rstrui.exe
MD5
c0167cf19678a97a78a675ef18b7fc85

SHA1
f7589dcdff216ca879dba1d68764b2cf69652d3b

SHA256
b1aacd2735f524f8460c031a4f66e78fb09cffbc7350fac5695d448a287fb7cb

SHA512
f71ca6d233784312dce0e5867d2710de40c738bb567aac212ccd78804176ac51b9ae82bc2ba0498cdd24893f3d3fa6cfddd0d7a9d2c1bd9148916961d6ee0c44

Download Submit
\Users\Admin\AppData\Local\X4yEq\DUser.dll
MD5
0d4e23efe54925a8c08526f36d212f1b

SHA1
a3e0eb2a008726fa287f1ebd2cd9444abcbc90d1

SHA256
04dfdf46d35c807f4fcd061067f8fe64533beee765570f654feafbef83e514ee

SHA512
743899e3af24b9e576396db26b173fa462dcc559b6bff7d41c80ec4c83123dea88fa1a9a72fed072a8249b7a08e8be53279e9db50b7b03c2005ba31c98b9ad56

Download Submit
\Users\Admin\AppData\Local\eq7PhSwg\SPP.dll
MD5
bf3a4b052263754cbc24985c331e8149

SHA1
c9c85c2e33d469b375b815c1c1f30cfc61ea11ba

SHA256
1a7b3c2e65a9b884cc2450e88f0589610ad04e8178c4451670556502030d35b2

SHA512
53285c19f48f6a2596dfe6d9cff779968c75528bca1c38a41acdc2d7e71fce1e1db8e65b986d9d6e5ec001e23a84a542757c87b0c97b41fe4aa093f450a8ae53

Download Submit
\Users\Admin\AppData\Local\eq7PhSwg\SPP.dll
MD5
bf3a4b052263754cbc24985c331e8149

SHA1
c9c85c2e33d469b375b815c1c1f30cfc61ea11ba

SHA256
1a7b3c2e65a9b884cc2450e88f0589610ad04e8178c4451670556502030d35b2

SHA512
53285c19f48f6a2596dfe6d9cff779968c75528bca1c38a41acdc2d7e71fce1e1db8e65b986d9d6e5ec001e23a84a542757c87b0c97b41fe4aa093f450a8ae53

Download Submit
\Users\Admin\AppData\Local\xD2c\SRCORE.dll
MD5
bd9e93dcd8ef67407ad807d36f62dad7

SHA1
acb902267b1e3b8687193ce574ea0ad25484475e

SHA256
b65f8c5145fba4c8f15547cbb121c6cf421891984627986815e26103f8b295aa

SHA512
384f04da0c85fa2d96835bb42354aec737a9fc4823eced054e097bbd7478f9184aab19583ae249c0af4c12146211ccb011bbe43ee4e96edd0f82ce48822ff9f6

Download Submit
memory/416-165-0x000001E39C420000-0x000001E39C422000-memory.dmp

Download
memory/416-166-0x000001E39C420000-0x000001E39C422000-memory.dmp

Download
memory/416-162-0x0000000140000000-0x000000014012E000-memory.dmp

Download
memory/416-167-0x000001E39C420000-0x000001E39C422000-memory.dmp

Download
memory/416-158-0x0000000000000000-mapping.dmp

Download
memory/860-168-0x0000000000000000-mapping.dmp

Download
memory/860-176-0x000001A4825C0000-0x000001A4825C2000-memory.dmp

Download
memory/860-179-0x000001A480D20000-0x000001A480E4E000-memory.dmp

Download
memory/860-177-0x000001A4825C0000-0x000001A4825C2000-memory.dmp

Download
memory/860-178-0x000001A4825C0000-0x000001A4825C2000-memory.dmp

Download
memory/2636-122-0x000001E39C870000-0x000001E39C872000-memory.dmp

Download
memory/2636-118-0x0000000140000000-0x000000014012D000-memory.dmp

Download
memory/2636-123-0x000001E39C6C0000-0x000001E39C6C7000-memory.dmp

Download
memory/2636-121-0x000001E39C870000-0x000001E39C872000-memory.dmp

Download
memory/3020-180-0x0000000000000000-mapping.dmp

Download
memory/3020-187-0x0000021A04490000-0x0000021A04492000-memory.dmp

Download
memory/3020-189-0x0000021A04490000-0x0000021A04492000-memory.dmp

Download
memory/3020-184-0x0000000140000000-0x000000014012F000-memory.dmp

Download
memory/3020-188-0x0000021A04490000-0x0000021A04492000-memory.dmp

Download
memory/3040-143-0x0000000140000000-0x000000014012D000-memory.dmp

Download
memory/3040-155-0x00007FFF05135000-0x00007FFF05136000-memory.dmp

Download
memory/3040-156-0x0000000000D90000-0x0000000000D92000-memory.dmp

Download
memory/3040-157-0x00007FFF05270000-0x00007FFF05272000-memory.dmp

Download
memory/3040-153-0x0000000000D90000-0x0000000000D92000-memory.dmp

Download
memory/3040-147-0x0000000140000000-0x000000014012D000-memory.dmp

Download
memory/3040-145-0x0000000140000000-0x000000014012D000-memory.dmp

Download
memory/3040-154-0x0000000000D90000-0x0000000000D92000-memory.dmp

Download
memory/3040-146-0x0000000140000000-0x000000014012D000-memory.dmp

Download
memory/3040-144-0x0000000140000000-0x000000014012D000-memory.dmp

Download
memory/3040-141-0x0000000140000000-0x000000014012D000-memory.dmp

Download
memory/3040-142-0x0000000140000000-0x000000014012D000-memory.dmp

Download
memory/3040-140-0x0000000140000000-0x000000014012D000-memory.dmp

Download
memory/3040-138-0x0000000140000000-0x000000014012D000-memory.dmp

Download
memory/3040-139-0x0000000140000000-0x000000014012D000-memory.dmp

Download
memory/3040-190-0x0000000000D90000-0x0000000000D92000-memory.dmp

Download
memory/3040-137-0x0000000140000000-0x000000014012D000-memory.dmp

Download
memory/3040-136-0x0000000140000000-0x000000014012D000-memory.dmp

Download
memory/3040-135-0x0000000140000000-0x000000014012D000-memory.dmp

Download
memory/3040-134-0x0000000140000000-0x000000014012D000-memory.dmp

Download
memory/3040-133-0x0000000140000000-0x000000014012D000-memory.dmp

Download
memory/3040-132-0x0000000140000000-0x000000014012D000-memory.dmp

Download
memory/3040-131-0x0000000140000000-0x000000014012D000-memory.dmp

Download
memory/3040-128-0x0000000140000000-0x000000014012D000-memory.dmp

Download
memory/3040-130-0x0000000140000000-0x000000014012D000-memory.dmp

Download
memory/3040-129-0x0000000140000000-0x000000014012D000-memory.dmp

Download
memory/3040-127-0x0000000140000000-0x000000014012D000-memory.dmp

Download
memory/3040-126-0x0000000140000000-0x000000014012D000-memory.dmp

Download
memory/3040-124-0x0000000000CE0000-0x0000000000CE1000-memory.dmp

Download
memory/3040-125-0x0000000140000000-0x000000014012D000-memory.dmp

Download

77869beb8d5f5f603adcfb5e43d8e0255d5f23da1eca88f3f9623018f95acfcf

Filter: none

Description

Tags

Description

Tags

Reported IOCs

Reported IOCs

Reported IOCs

Tags

TTPs

Reported IOCs

Tags

TTPs

Reported IOCs

Reported IOCs

Reported IOCs

Reported IOCs

Reported IOCs

Title