a5282ab1f03b543c5876030240e56ada6e64c2d94f0acea8819d133a5d653d5d

max time kernel153s
max time network119s
platformwindows7_x64
resourcewin7-en-20211014
submitted26-11-2021 09:31

Report
Files
Registry
Network
Processes
Mutex
Misc

Target

a5282ab1f03b543c5876030240e56ada6e64c2d94f0acea8819d133a5d653d5d.dll

Filesize

1MB

Completed

26-11-2021 09:34

Score

10^/10

MD5

0d2d32a9d4d31d4448df2902ef9590e2

SHA1

eb31c27903cc0d4bb2a9a4a6760bd0e60416a276

SHA256

a5282ab1f03b543c5876030240e56ada6e64c2d94f0acea8819d133a5d653d5d

Defense Evasion

Discovery

Persistence

Dridex

Description

Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

Tags

botnet dridex
Dridex Shellcode

Description

Detects Dridex Payload shellcode injected in Explorer process.

Tags

botnet payload

Reported IOCs

resource yara_rule

behavioral1/memory/1216-60-0x0000000002B10000-0x0000000002B11000-memory.dmp dridex_stager_shellcode
Executes dropped EXE
Netplwiz.exeddodiag.exemsra.exe

Reported IOCs

pid process

1844 Netplwiz.exe
992 ddodiag.exe
1880 msra.exe
Loads dropped DLL
Netplwiz.exeddodiag.exemsra.exe

Reported IOCs

pid process

1216
1844 Netplwiz.exe
1216
992 ddodiag.exe
1216
1880 msra.exe
1216

resource	yara_rule
behavioral1/memory/1216-60-0x0000000002B10000-0x0000000002B11000-memory.dmp	dridex_stager_shellcode

pid	process
1844	Netplwiz.exe
992	ddodiag.exe
1880	msra.exe

pid	process
1216
1844	Netplwiz.exe
1216
992	ddodiag.exe
1216
1880	msra.exe
1216

Adds Run key to start application

TTPs

Registry Run Keys / Startup FolderModify Registry

Reported IOCs

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows\CurrentVersion\Run\Gpavvclvseucyal = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\wh\\ddodiag.exe"

Checks whether UAC is enabled

Netplwiz.exeddodiag.exemsra.exe

TTPs

System Information Discovery

Reported IOCs

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Netplwiz.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ddodiag.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msra.exe

Suspicious behavior: EnumeratesProcesses

regsvr32.exe

Reported IOCs

pid	process
1060	regsvr32.exe
1060	regsvr32.exe
1060	regsvr32.exe
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216

Suspicious behavior: GetForegroundWindowSpam
regsvr32.exeNetplwiz.exeddodiag.exemsra.exe

Reported IOCs

pid process

1060 regsvr32.exe
1216
1844 Netplwiz.exe
992 ddodiag.exe
1880 msra.exe

Suspicious use of WriteProcessMemory

Reported IOCs

description	pid	target process
PID 1216 wrote to memory of 2044	1216	Netplwiz.exe
PID 1216 wrote to memory of 2044	1216	Netplwiz.exe
PID 1216 wrote to memory of 2044	1216	Netplwiz.exe
PID 1216 wrote to memory of 1844	1216	Netplwiz.exe
PID 1216 wrote to memory of 1844	1216	Netplwiz.exe
PID 1216 wrote to memory of 1844	1216	Netplwiz.exe
PID 1216 wrote to memory of 644	1216	ddodiag.exe
PID 1216 wrote to memory of 644	1216	ddodiag.exe
PID 1216 wrote to memory of 644	1216	ddodiag.exe
PID 1216 wrote to memory of 992	1216	ddodiag.exe
PID 1216 wrote to memory of 992	1216	ddodiag.exe
PID 1216 wrote to memory of 992	1216	ddodiag.exe
PID 1216 wrote to memory of 924	1216	msra.exe
PID 1216 wrote to memory of 924	1216	msra.exe
PID 1216 wrote to memory of 924	1216	msra.exe
PID 1216 wrote to memory of 1880	1216	msra.exe
PID 1216 wrote to memory of 1880	1216	msra.exe
PID 1216 wrote to memory of 1880	1216	msra.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\a5282ab1f03b543c5876030240e56ada6e64c2d94f0acea8819d133a5d653d5d.dll

Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam

PID:1060

C:\Windows\system32\Netplwiz.exe

C:\Windows\system32\Netplwiz.exe

PID:2044

C:\Users\Admin\AppData\Local\JEgvbAoF\Netplwiz.exe

C:\Users\Admin\AppData\Local\JEgvbAoF\Netplwiz.exe

Executes dropped EXE
Loads dropped DLL
Checks whether UAC is enabled
Suspicious behavior: GetForegroundWindowSpam

PID:1844

C:\Windows\system32\ddodiag.exe

C:\Windows\system32\ddodiag.exe

PID:644

C:\Users\Admin\AppData\Local\mhaN\ddodiag.exe

C:\Users\Admin\AppData\Local\mhaN\ddodiag.exe

Executes dropped EXE
Loads dropped DLL
Checks whether UAC is enabled
Suspicious behavior: GetForegroundWindowSpam

PID:992

C:\Windows\system32\msra.exe

C:\Windows\system32\msra.exe

PID:924

C:\Users\Admin\AppData\Local\myytdmx\msra.exe

C:\Users\Admin\AppData\Local\myytdmx\msra.exe

Executes dropped EXE
Loads dropped DLL
Checks whether UAC is enabled
Suspicious behavior: GetForegroundWindowSpam

PID:1880

Collection

Command and Control

Credential Access

Defense Evasion

Modify Registry

Discovery

System Information Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

00:00 00:00

C:\Users\Admin\AppData\Local\JEgvbAoF\NETPLWIZ.dll
MD5
18b67d616d8185c8083fa333ae4518e7

SHA1
0e40d4929fa7e5d0c2b3bc57b7bb32d571cfc1fc

SHA256
395c86cc6c5ac8daf56b4f76848398395b25166b7a40f20457b11dfb3a68251f

SHA512
6d7bfda07a0010f23948fe40929ca9a60a2b86b779a1c28cd9f8294d5223c5b618e77a47d309e2a8ecccaa99ca53eebcbc872a00710388edefb4626be08e97a5

Download Submit
C:\Users\Admin\AppData\Local\JEgvbAoF\Netplwiz.exe
MD5
e43ec3c800d4c0716613392e81fba1d9

SHA1
37de6a235e978ecf3bb0fc2c864016c5b0134348

SHA256
636606415a85a16a7e6c5c8fcbdf35494991bce1c37dfc19c75ecb7ce12dc65c

SHA512
176c6d8b87bc5a9ca06698e2542ff34d474bcbbf21278390127981366eda89769bd9dd712f3b34f4dd8332a0b40ee0e609276400f16b51999471c8ff24522a08

Download Submit
C:\Users\Admin\AppData\Local\mhaN\XmlLite.dll
MD5
bfba66eb2fb168d846a557cd3fd0aa03

SHA1
1b8ce3a61a3b53d53ea79ca559d8e5fbb83add05

SHA256
0c01926ec9b152f78d4993fd0da8ddc7c59dd7998852ceddd49e4145e7a0db86

SHA512
c0e7c4dec50f3f505fb473ab08ba547a1ba3d4ac8f9159478399347cb20693f54f67bdfb82bcc4e0c8d8776c16cc7c41fbbf2f17227238983b1d7e9dd8e5a104

Download Submit
C:\Users\Admin\AppData\Local\mhaN\ddodiag.exe
MD5
509f9513ca16ba2f2047f5227a05d1a8

SHA1
fe8d63259cb9afa17da7b7b8ede4e75081071b1a

SHA256
ddf48c333e45c56c9e3f16e492c023bf138629f4c093b8aaab8ea60310c8c96e

SHA512
ad3168767e5eba575ae766e1e2923b1db4571bbeb302d7c58e8023612e33913dcd9e5f4a4c1bc7b1556442a0807117066f17c62b38fe2ae0dfaa3817b7318862

Download Submit
C:\Users\Admin\AppData\Local\myytdmx\NDFAPI.DLL
MD5
e854adf400f3d3243dc325fd0e295cad

SHA1
ae38d3e4c92dca3280ace82798690096caf36758

SHA256
3b7748990a24390ba983a5298c3ca4904785161dc4cbc3c7fd2aa7cd8255491d

SHA512
a6c99efff62ed85f83014ac56bf8dfbcc2a90dae62aeaec74521d632f990db1ce5a24291206d1060a6aabdafdf20569182640371438906708495e9bcaa530836

Download Submit
C:\Users\Admin\AppData\Local\myytdmx\msra.exe
MD5
e79df53bad587e24b3cf965a5746c7b6

SHA1
87a97ec159a3fc1db211f3c2c62e4d60810e7a70

SHA256
4e7c22648acf664ab13dfeb2dc062ae90af1e6c621186981f395fb279bbc9b9d

SHA512
9a329c39ce0bc5aede01e96c4190cc7ccd17729fbc3a2b6df73057be8efaa3fa92cfef6e26a25bde6f7f94f64f6d6d0e4c5459aef2aead367e43178dd275acfb

Download Submit
\Users\Admin\AppData\Local\JEgvbAoF\NETPLWIZ.dll
MD5
18b67d616d8185c8083fa333ae4518e7

SHA1
0e40d4929fa7e5d0c2b3bc57b7bb32d571cfc1fc

SHA256
395c86cc6c5ac8daf56b4f76848398395b25166b7a40f20457b11dfb3a68251f

SHA512
6d7bfda07a0010f23948fe40929ca9a60a2b86b779a1c28cd9f8294d5223c5b618e77a47d309e2a8ecccaa99ca53eebcbc872a00710388edefb4626be08e97a5

Download Submit
\Users\Admin\AppData\Local\JEgvbAoF\Netplwiz.exe
MD5
e43ec3c800d4c0716613392e81fba1d9

SHA1
37de6a235e978ecf3bb0fc2c864016c5b0134348

SHA256
636606415a85a16a7e6c5c8fcbdf35494991bce1c37dfc19c75ecb7ce12dc65c

SHA512
176c6d8b87bc5a9ca06698e2542ff34d474bcbbf21278390127981366eda89769bd9dd712f3b34f4dd8332a0b40ee0e609276400f16b51999471c8ff24522a08

Download Submit
\Users\Admin\AppData\Local\mhaN\XmlLite.dll
MD5
bfba66eb2fb168d846a557cd3fd0aa03

SHA1
1b8ce3a61a3b53d53ea79ca559d8e5fbb83add05

SHA256
0c01926ec9b152f78d4993fd0da8ddc7c59dd7998852ceddd49e4145e7a0db86

SHA512
c0e7c4dec50f3f505fb473ab08ba547a1ba3d4ac8f9159478399347cb20693f54f67bdfb82bcc4e0c8d8776c16cc7c41fbbf2f17227238983b1d7e9dd8e5a104

Download Submit
\Users\Admin\AppData\Local\mhaN\ddodiag.exe
MD5
509f9513ca16ba2f2047f5227a05d1a8

SHA1
fe8d63259cb9afa17da7b7b8ede4e75081071b1a

SHA256
ddf48c333e45c56c9e3f16e492c023bf138629f4c093b8aaab8ea60310c8c96e

SHA512
ad3168767e5eba575ae766e1e2923b1db4571bbeb302d7c58e8023612e33913dcd9e5f4a4c1bc7b1556442a0807117066f17c62b38fe2ae0dfaa3817b7318862

Download Submit
\Users\Admin\AppData\Local\myytdmx\NDFAPI.DLL
MD5
e854adf400f3d3243dc325fd0e295cad

SHA1
ae38d3e4c92dca3280ace82798690096caf36758

SHA256
3b7748990a24390ba983a5298c3ca4904785161dc4cbc3c7fd2aa7cd8255491d

SHA512
a6c99efff62ed85f83014ac56bf8dfbcc2a90dae62aeaec74521d632f990db1ce5a24291206d1060a6aabdafdf20569182640371438906708495e9bcaa530836

Download Submit
\Users\Admin\AppData\Local\myytdmx\msra.exe
MD5
e79df53bad587e24b3cf965a5746c7b6

SHA1
87a97ec159a3fc1db211f3c2c62e4d60810e7a70

SHA256
4e7c22648acf664ab13dfeb2dc062ae90af1e6c621186981f395fb279bbc9b9d

SHA512
9a329c39ce0bc5aede01e96c4190cc7ccd17729fbc3a2b6df73057be8efaa3fa92cfef6e26a25bde6f7f94f64f6d6d0e4c5459aef2aead367e43178dd275acfb

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\mt\msra.exe
MD5
e79df53bad587e24b3cf965a5746c7b6

SHA1
87a97ec159a3fc1db211f3c2c62e4d60810e7a70

SHA256
4e7c22648acf664ab13dfeb2dc062ae90af1e6c621186981f395fb279bbc9b9d

SHA512
9a329c39ce0bc5aede01e96c4190cc7ccd17729fbc3a2b6df73057be8efaa3fa92cfef6e26a25bde6f7f94f64f6d6d0e4c5459aef2aead367e43178dd275acfb

Download Submit
memory/992-95-0x0000000000000000-mapping.dmp

Download
memory/1060-59-0x0000000000110000-0x0000000000117000-memory.dmp

Download
memory/1060-56-0x0000000140000000-0x000000014012F000-memory.dmp

Download
memory/1060-55-0x000007FEFBA71000-0x000007FEFBA73000-memory.dmp

Download
memory/1216-66-0x0000000140000000-0x000000014012F000-memory.dmp

Download
memory/1216-68-0x0000000140000000-0x000000014012F000-memory.dmp

Download
memory/1216-67-0x0000000140000000-0x000000014012F000-memory.dmp

Download
memory/1216-69-0x0000000140000000-0x000000014012F000-memory.dmp

Download
memory/1216-65-0x0000000140000000-0x000000014012F000-memory.dmp

Download
memory/1216-64-0x0000000140000000-0x000000014012F000-memory.dmp

Download
memory/1216-85-0x00000000773A0000-0x00000000773A2000-memory.dmp

Download
memory/1216-70-0x0000000140000000-0x000000014012F000-memory.dmp

Download
memory/1216-71-0x0000000140000000-0x000000014012F000-memory.dmp

Download
memory/1216-72-0x0000000140000000-0x000000014012F000-memory.dmp

Download
memory/1216-73-0x0000000140000000-0x000000014012F000-memory.dmp

Download
memory/1216-74-0x0000000140000000-0x000000014012F000-memory.dmp

Download
memory/1216-75-0x0000000140000000-0x000000014012F000-memory.dmp

Download
memory/1216-76-0x0000000140000000-0x000000014012F000-memory.dmp

Download
memory/1216-77-0x0000000140000000-0x000000014012F000-memory.dmp

Download
memory/1216-78-0x0000000140000000-0x000000014012F000-memory.dmp

Download
memory/1216-79-0x0000000140000000-0x000000014012F000-memory.dmp

Download
memory/1216-62-0x0000000140000000-0x000000014012F000-memory.dmp

Download
memory/1216-61-0x0000000140000000-0x000000014012F000-memory.dmp

Download
memory/1216-60-0x0000000002B10000-0x0000000002B11000-memory.dmp

Download
memory/1216-63-0x0000000140000000-0x000000014012F000-memory.dmp

Download
memory/1844-87-0x0000000000000000-mapping.dmp

Download
memory/1880-103-0x0000000000000000-mapping.dmp

Download
memory/1880-108-0x0000000140000000-0x0000000140130000-memory.dmp

Download

a5282ab1f03b543c5876030240e56ada6e64c2d94f0acea8819d133a5d653d5d

Filter: none

Description

Tags

Description

Tags

Reported IOCs

Reported IOCs

Reported IOCs

Tags

TTPs

Reported IOCs

Tags

TTPs

Reported IOCs

Reported IOCs

Reported IOCs

Reported IOCs

Title