a5282ab1f03b543c5876030240e56ada6e64c2d94f0acea8819d133a5d653d5d

General
Target

a5282ab1f03b543c5876030240e56ada6e64c2d94f0acea8819d133a5d653d5d.dll

Filesize

1MB

Completed

26-11-2021 09:34

Score
10/10
MD5

0d2d32a9d4d31d4448df2902ef9590e2

SHA1

eb31c27903cc0d4bb2a9a4a6760bd0e60416a276

SHA256

a5282ab1f03b543c5876030240e56ada6e64c2d94f0acea8819d133a5d653d5d

Malware Config
Signatures 9

  • Dridex

    Description

    Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing banking credentials.

  • Dridex Shellcode

    Description

    Detects Dridex payload shellcode injected into the Explorer process.

    Reported IOCs

    resource                                                                       yara_rule
    behavioral2/memory/3064-124-0x0000000000F20000-0x0000000000F21000-memory.dmp   dridex_stager_shellcode
  • Executes dropped EXE
    UI0Detect.exe, recdisc.exe, Magnify.exe

    Reported IOCs

    pid   process
    648   UI0Detect.exe
    3304  recdisc.exe
    2740  Magnify.exe
  • Loads dropped DLL
    UI0Detect.exe, recdisc.exe, Magnify.exe

    Reported IOCs

    pid   process
    648   UI0Detect.exe
    3304  recdisc.exe
    2740  Magnify.exe
  • Adds Run key to start application

    TTPs

    Registry Run Keys / Startup Folder; Modify Registry

    Reported IOCs

    description      ioc
    Set value (str)  \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ziekmjidk = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Proof\\MKE5ecpr\\recdisc.exe"
  • Checks whether UAC is enabled
    UI0Detect.exe, recdisc.exe, Magnify.exe

    TTPs

    System Information Discovery

    Reported IOCs

    description        ioc                                                                                   process
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  UI0Detect.exe
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  recdisc.exe
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  Magnify.exe
  • Suspicious behavior: EnumeratesProcesses
    regsvr32.exe

    Reported IOCs

    pid   process
    3708  regsvr32.exe                                  (reported 4 times)
    3064  (process name not shown in the report)        (reported 60 times)
  • Suspicious behavior: GetForegroundWindowSpam
    regsvr32.exe, UI0Detect.exe, recdisc.exe, Magnify.exe

    Reported IOCs

    pid   process
    3708  regsvr32.exe
    3064  (process name not shown in the report)
    648   UI0Detect.exe
    3304  recdisc.exe
    2740  Magnify.exe
  • Suspicious use of WriteProcessMemory

    Reported IOCs

    description                        pid   target process   (each entry reported twice)
    PID 3064 wrote to memory of 2732   3064  UI0Detect.exe
    PID 3064 wrote to memory of 648    3064  UI0Detect.exe
    PID 3064 wrote to memory of 3444   3064  recdisc.exe
    PID 3064 wrote to memory of 3304   3064  recdisc.exe
    PID 3064 wrote to memory of 864    3064  Magnify.exe
    PID 3064 wrote to memory of 2740   3064  Magnify.exe
Processes 7
  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\a5282ab1f03b543c5876030240e56ada6e64c2d94f0acea8819d133a5d653d5d.dll
    Suspicious behavior: EnumeratesProcesses
    Suspicious behavior: GetForegroundWindowSpam
    PID:3708
  • C:\Windows\system32\UI0Detect.exe
    C:\Windows\system32\UI0Detect.exe
    PID:2732
  • C:\Users\Admin\AppData\Local\3yE\UI0Detect.exe
    C:\Users\Admin\AppData\Local\3yE\UI0Detect.exe
    Executes dropped EXE
    Loads dropped DLL
    Checks whether UAC is enabled
    Suspicious behavior: GetForegroundWindowSpam
    PID:648
  • C:\Windows\system32\recdisc.exe
    C:\Windows\system32\recdisc.exe
    PID:3444
  • C:\Users\Admin\AppData\Local\2fP\recdisc.exe
    C:\Users\Admin\AppData\Local\2fP\recdisc.exe
    Executes dropped EXE
    Loads dropped DLL
    Checks whether UAC is enabled
    Suspicious behavior: GetForegroundWindowSpam
    PID:3304
  • C:\Windows\system32\Magnify.exe
    C:\Windows\system32\Magnify.exe
    PID:864
  • C:\Users\Admin\AppData\Local\lpgDzQW\Magnify.exe
    C:\Users\Admin\AppData\Local\lpgDzQW\Magnify.exe
    Executes dropped EXE
    Loads dropped DLL
    Checks whether UAC is enabled
    Suspicious behavior: GetForegroundWindowSpam
    PID:2740
Network
MITRE ATT&CK Matrix
Downloads
  • C:\Users\Admin\AppData\Local\2fP\ReAgent.dll
  • C:\Users\Admin\AppData\Local\2fP\recdisc.exe
  • C:\Users\Admin\AppData\Local\3yE\UI0Detect.exe
  • C:\Users\Admin\AppData\Local\3yE\WTSAPI32.dll
  • C:\Users\Admin\AppData\Local\lpgDzQW\Magnify.exe
  • C:\Users\Admin\AppData\Local\lpgDzQW\dwmapi.dll