a5282ab1f03b543c5876030240e56ada6e64c2d94f0acea8819d133a5d653d5d

General

Target:    a5282ab1f03b543c5876030240e56ada6e64c2d94f0acea8819d133a5d653d5d.dll
Filesize:  1MB
Completed: 26-11-2021 09:34
Score:     10/10
MD5:       0d2d32a9d4d31d4448df2902ef9590e2
SHA1:      eb31c27903cc0d4bb2a9a4a6760bd0e60416a276
SHA256:    a5282ab1f03b543c5876030240e56ada6e64c2d94f0acea8819d133a5d653d5d

Signatures 9

Tactics: Defense Evasion, Discovery, Persistence
  • Dridex

    Description

    Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing banking credentials.

  • Dridex Shellcode

    Description

    Detects Dridex payload shellcode injected into the Explorer process.

    Reported IOCs

    resource | yara_rule
    behavioral1/memory/1216-60-0x0000000002B10000-0x0000000002B11000-memory.dmp | dridex_stager_shellcode
  • Executes dropped EXE
    Netplwiz.exe, ddodiag.exe, msra.exe

    Reported IOCs

    pid  | process
    1844 | Netplwiz.exe
    992  | ddodiag.exe
    1880 | msra.exe
  • Loads dropped DLL
    Netplwiz.exe, ddodiag.exe, msra.exe

    Reported IOCs

    pid  | process
    1216 |
    1844 | Netplwiz.exe
    1216 |
    992  | ddodiag.exe
    1216 |
    1880 | msra.exe
    1216 |
  • Adds Run key to start application

    TTPs

    Registry Run Keys / Startup Folder; Modify Registry

    Reported IOCs

    description | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows\CurrentVersion\Run\Gpavvclvseucyal = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\wh\\ddodiag.exe" |
  • Checks whether UAC is enabled
    Netplwiz.exe, ddodiag.exe, msra.exe

    TTPs

    System Information Discovery

    Reported IOCs

    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Netplwiz.exe
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | ddodiag.exe
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | msra.exe
  • Suspicious behavior: EnumeratesProcesses
    regsvr32.exe

    Reported IOCs

    pid  | process
    1060 | regsvr32.exe
    1216 |
  • Suspicious behavior: GetForegroundWindowSpam
    regsvr32.exe, Netplwiz.exe, ddodiag.exe, msra.exe

    Reported IOCs

    pid  | process
    1060 | regsvr32.exe
    1216 |
    1844 | Netplwiz.exe
    992  | ddodiag.exe
    1880 | msra.exe
  • Suspicious use of WriteProcessMemory

    Reported IOCs

    description | pid | process | target process
    PID 1216 wrote to memory of 2044 | 1216 | | Netplwiz.exe
    PID 1216 wrote to memory of 1844 | 1216 | | Netplwiz.exe
    PID 1216 wrote to memory of 644  | 1216 | | ddodiag.exe
    PID 1216 wrote to memory of 992  | 1216 | | ddodiag.exe
    PID 1216 wrote to memory of 924  | 1216 | | msra.exe
    PID 1216 wrote to memory of 1880 | 1216 | | msra.exe
Processes 7
  • C:\Windows\system32\regsvr32.exe (PID 1060)
    Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\a5282ab1f03b543c5876030240e56ada6e64c2d94f0acea8819d133a5d653d5d.dll
    Suspicious behavior: EnumeratesProcesses
    Suspicious behavior: GetForegroundWindowSpam
  • C:\Windows\system32\Netplwiz.exe (PID 2044)
    Command line: C:\Windows\system32\Netplwiz.exe
  • C:\Users\Admin\AppData\Local\JEgvbAoF\Netplwiz.exe (PID 1844)
    Command line: C:\Users\Admin\AppData\Local\JEgvbAoF\Netplwiz.exe
    Executes dropped EXE
    Loads dropped DLL
    Checks whether UAC is enabled
    Suspicious behavior: GetForegroundWindowSpam
  • C:\Windows\system32\ddodiag.exe (PID 644)
    Command line: C:\Windows\system32\ddodiag.exe
  • C:\Users\Admin\AppData\Local\mhaN\ddodiag.exe (PID 992)
    Command line: C:\Users\Admin\AppData\Local\mhaN\ddodiag.exe
    Executes dropped EXE
    Loads dropped DLL
    Checks whether UAC is enabled
    Suspicious behavior: GetForegroundWindowSpam
  • C:\Windows\system32\msra.exe (PID 924)
    Command line: C:\Windows\system32\msra.exe
  • C:\Users\Admin\AppData\Local\myytdmx\msra.exe (PID 1880)
    Command line: C:\Users\Admin\AppData\Local\myytdmx\msra.exe
    Executes dropped EXE
    Loads dropped DLL
    Checks whether UAC is enabled
    Suspicious behavior: GetForegroundWindowSpam
Downloads
  • C:\Users\Admin\AppData\Local\JEgvbAoF\NETPLWIZ.dll
  • C:\Users\Admin\AppData\Local\JEgvbAoF\Netplwiz.exe
  • C:\Users\Admin\AppData\Local\mhaN\XmlLite.dll
  • C:\Users\Admin\AppData\Local\mhaN\ddodiag.exe
  • C:\Users\Admin\AppData\Local\myytdmx\NDFAPI.DLL
  • C:\Users\Admin\AppData\Local\myytdmx\msra.exe
  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\mt\msra.exe