Analysis

  • max time kernel
    155s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-en-20211104
  • submitted
    26-11-2021 09:30

General

  • Target

    402d6617014b320ae65709f7029fd2cf3661f5d69932abfa2e2e770236718d65.dll

  • Size

    1.2MB

  • MD5

    156ccf8324c479a229603a59485b1b68

  • SHA1

    bd071acdbd27c66fa091ab07c1a079c57475f9a7

  • SHA256

    402d6617014b320ae65709f7029fd2cf3661f5d69932abfa2e2e770236718d65

  • SHA512

    b5f138f7e609f461f155e9059cb2dd9852582fcd01145bf85f92e17809a86fe767d3d5b37ddb7789f38bcc9897da2f482152ccf0621ec967dbb613d54c9e86de

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a banking trojan that specializes in stealing bank credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex payload shellcode injected into the Explorer process. The process the shellcode was dumped from (PID 1372 in the memory dumps below) does not appear in the process list.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\402d6617014b320ae65709f7029fd2cf3661f5d69932abfa2e2e770236718d65.dll,#1
    PID:584
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
  • C:\Windows\system32\taskmgr.exe
    C:\Windows\system32\taskmgr.exe
    PID:964
  • C:\Users\Admin\AppData\Local\leWMn\taskmgr.exe
    C:\Users\Admin\AppData\Local\leWMn\taskmgr.exe
    PID:680
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
  • C:\Windows\system32\eudcedit.exe
    C:\Windows\system32\eudcedit.exe
    PID:2044
  • C:\Users\Admin\AppData\Local\7GPsk8xB6\eudcedit.exe
    C:\Users\Admin\AppData\Local\7GPsk8xB6\eudcedit.exe
    PID:1548
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
  • C:\Windows\system32\spreview.exe
    C:\Windows\system32\spreview.exe
    PID:1912
  • C:\Users\Admin\AppData\Local\aU7m\spreview.exe
    C:\Users\Admin\AppData\Local\aU7m\spreview.exe
    PID:1728
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
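The signatures and the process list above record three things a responder will want to check on other hosts: rundll32.exe loading a DLL from %TEMP% by ordinal, a copy of a System32 executable (taskmgr.exe, eudcedit.exe, spreview.exe) staged under the user profile next to a DLL that shares its name with a System32 DLL (Secur32.dll, MFC42u.dll, WINBRAND.dll), and Run-key persistence together with a read of the UAC EnableLUA value. The following PowerShell hunt is an added example, not part of the Triage report or of the sample; it assumes Windows PowerShell 4.0 or later, run elevated as the logged-on user so that HKCU resolves to that user's hive. Because the staging directory names (leWMn, aU7m, 7GPsk8xB6, 0bp76f) are random per infection, the hunt keys on file layout and hashes rather than on those names; the function names and the regular expressions are my own.

```powershell
# Added example (not from the report or the sample): hunt for the rundll32 launch,
# the profile-staged System32 clone plus look-alike DLL, and the Run-key/UAC checks.
# Assumed: Windows PowerShell 4.0+ (Get-FileHash, Get-CimInstance), run elevated.
# A System32-named DLL whose content differs from the System32 original is reported;
# this also catches legitimate application-private copies (an installer may ship its
# own MFC42u.dll), so review the output rather than acting on it automatically.

$System32 = Join-Path $env:SystemRoot 'System32'

function Get-Sha256([string]$Path) {
    (Get-FileHash -Path $Path -Algorithm SHA256 -ErrorAction Stop).Hash
}

function Get-RundllTempLaunches {
    # Running rundll32.exe instances whose argument is a DLL under AppData\Local\Temp,
    # as in the report: rundll32.exe C:\Users\...\AppData\Local\Temp\<sha256>.dll,#1
    Get-CimInstance -ClassName Win32_Process -Filter "Name = 'rundll32.exe'" |
        Where-Object { $_.CommandLine -match '(?i)\\AppData\\Local\\Temp\\[^ ]+\.dll,' } |
        Select-Object ProcessId, ParentProcessId, CommandLine
}

function Find-SideLoadStaging {
    # Roots the sample used: AppData\Local\<random>\ and AppData\Roaming\...\<random>\
    param([string[]]$Roots = @($env:LOCALAPPDATA, $env:APPDATA))
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Filter '*.exe' -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $exe     = $_
            $sysCopy = Join-Path $System32 $exe.Name
            # Only executables that also exist in System32 are of interest here.
            if (-not (Test-Path -LiteralPath $sysCopy)) { return }
            $exeIsClone = (Get-Sha256 $exe.FullName) -eq (Get-Sha256 $sysCopy)
            Get-ChildItem -LiteralPath $exe.DirectoryName -Filter '*.dll' -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                $dll    = $_
                $sysDll = Join-Path $System32 $dll.Name
                # A DLL named like a System32 DLL but with different content is the side-load candidate.
                if (-not (Test-Path -LiteralPath $sysDll)) { return }
                $dllHash = Get-Sha256 $dll.FullName
                if ($dllHash -eq (Get-Sha256 $sysDll)) { return }
                [pscustomobject]@{
                    Directory       = $exe.DirectoryName
                    Exe             = $exe.Name
                    ExeIsSystemCopy = $exeIsClone
                    SideLoadDll     = $dll.Name
                    DllSha256       = $dllHash
                    DllSignature    = (Get-AuthenticodeSignature -FilePath $dll.FullName).Status
                }
            }
        }
    }
}

function Get-ProfileRunEntries {
    # Run-key values whose command line points into a user profile (AppData) path.
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    $keys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    foreach ($key in $keys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key
        foreach ($p in $props.PSObject.Properties) {
            if ($meta -contains $p.Name) { continue }
            if ("$($p.Value)" -match '(?i)\\Users\\[^\\]+\\AppData\\') {
                [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
            }
        }
    }
}

function Test-UacEnabled {
    # The sample reads this value; EnableLUA = 0 means UAC prompting is disabled.
    $sys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $v = Get-ItemProperty -LiteralPath $sys -Name EnableLUA -ErrorAction SilentlyContinue
    return ($null -ne $v -and $v.EnableLUA -eq 1)
}

Get-RundllTempLaunches | Format-Table -AutoSize
Find-SideLoadStaging   | Format-Table -AutoSize
Get-ProfileRunEntries  | Format-Table -AutoSize
"UAC enabled (EnableLUA): $(Test-UacEnabled)"
```

On an infected host the second table should show the three staging directories with ExeIsSystemCopy set to True and the look-alike DLL beside each; on a clean host it is normally empty apart from application-private DLL copies, which is why the hash comparison is paired with the signature status rather than treated as a verdict on its own.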

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence: Registry Run Keys / Startup Folder (T1060), count 1
  • Defense Evasion: Modify Registry (T1112), count 1
  • Discovery: System Information Discovery (T1082), count 1


        Downloads

        • C:\Users\Admin\AppData\Local\7GPsk8xB6\MFC42u.dll
          MD5

          b53ac1421fbcf172ddee77811c786570

          SHA1

          b16e4dc3932f36da01fcde11e476433132a06ec4

          SHA256

          4c287df13bc733c780c97cda558ad0d1b3dafd7688b501ca2aac0433510d2c25

          SHA512

          0e38298aa8bdaebab0c0d568b7a53d9636cc7ed03f68f282920ec43d42268f24efe638a7fd8c836e3df21e3fe67a99a67f4a4fd993a38c4ff500369b43071494

        • C:\Users\Admin\AppData\Local\7GPsk8xB6\eudcedit.exe
          MD5

          35e397d6ca8407b86d8a7972f0c90711

          SHA1

          6b39830003906ef82442522d22b80460c03f6082

          SHA256

          1f64118bdc3515e8e9fce6ad182f6d0c8a6528d638fedb4901a6152cde4c7cde

          SHA512

          71b0c4ac120e5841308b0c19718bdc28366b0d79c8177091328ef5421392b9ee5e4758816ffb8c0977f178e1b33ed064f64781eaf7d6952878dc8aea402f035e

        • C:\Users\Admin\AppData\Local\aU7m\WINBRAND.dll
          MD5

          a4d7242ee0f56c32115b913d19f7d7d0

          SHA1

          45b989ebff27fd52e4405c088f8eb90adb0ea460

          SHA256

          3b1643903bb598e623a0de55c536aacd7e3033a7fb8173c179d9d441d05986f4

          SHA512

          9cad1cb1d228846c99c1f85cbb28ee9f44719bf1a5182e5d246bbdc81f382fd3b19d7314580858647760b312d2e12324663919dfa61c022e7a8469cd447c11df

        • C:\Users\Admin\AppData\Local\aU7m\spreview.exe
          MD5

          704cd4cac010e8e6d8de9b778ed17773

          SHA1

          81856abf70640f102b8b3defe2cf65669fe8e165

          SHA256

          4307f21d3ec3b51cba6a905a80045314ffccb4c60c11d99a3d77cc8103014208

          SHA512

          b380264276bad01d619a5f1f112791d6bf73dc52cdd5cca0cc1f726a6f66eefc5a78a37646792987c508f9cb5049f0eb86c71fb4c7a2d3e670c0c8623f0522ee

        • C:\Users\Admin\AppData\Local\leWMn\Secur32.dll
          MD5

          2e3a6d73a949713e68c510905bd46361

          SHA1

          060694dd45671127a91cbad593bbebce8e11736d

          SHA256

          247db98202f8989948664f80648a8a0757c4ff1ce2c0a13ca976faa41bf9f038

          SHA512

          e4da197aa5ccfd5c065e53a1270d38f82b0e51d3322cf6fd56ade1b42a0b3cf45305cebe98f5d8d6063cabdfda516139d685a2231f607d972fa989c5473f16e1

        • C:\Users\Admin\AppData\Local\leWMn\taskmgr.exe
          MD5

          09f7401d56f2393c6ca534ff0241a590

          SHA1

          e8b4d84a28e5ea17272416ec45726964fdf25883

          SHA256

          6766717b8afafe46b5fd66c7082ccce6b382cbea982c73cb651e35dc8187ace1

          SHA512

          7187a27cd32c1b295c74e36e1b6148a31d602962448b18395a44a721d17daa7271d0cd198edb2ed05ace439746517ffb1bcc11c7f682e09b025c950ea7b83192

        • \Users\Admin\AppData\Local\7GPsk8xB6\MFC42u.dll
          MD5

          b53ac1421fbcf172ddee77811c786570

          SHA1

          b16e4dc3932f36da01fcde11e476433132a06ec4

          SHA256

          4c287df13bc733c780c97cda558ad0d1b3dafd7688b501ca2aac0433510d2c25

          SHA512

          0e38298aa8bdaebab0c0d568b7a53d9636cc7ed03f68f282920ec43d42268f24efe638a7fd8c836e3df21e3fe67a99a67f4a4fd993a38c4ff500369b43071494

        • \Users\Admin\AppData\Local\7GPsk8xB6\eudcedit.exe
          MD5

          35e397d6ca8407b86d8a7972f0c90711

          SHA1

          6b39830003906ef82442522d22b80460c03f6082

          SHA256

          1f64118bdc3515e8e9fce6ad182f6d0c8a6528d638fedb4901a6152cde4c7cde

          SHA512

          71b0c4ac120e5841308b0c19718bdc28366b0d79c8177091328ef5421392b9ee5e4758816ffb8c0977f178e1b33ed064f64781eaf7d6952878dc8aea402f035e

        • \Users\Admin\AppData\Local\aU7m\WINBRAND.dll
          MD5

          a4d7242ee0f56c32115b913d19f7d7d0

          SHA1

          45b989ebff27fd52e4405c088f8eb90adb0ea460

          SHA256

          3b1643903bb598e623a0de55c536aacd7e3033a7fb8173c179d9d441d05986f4

          SHA512

          9cad1cb1d228846c99c1f85cbb28ee9f44719bf1a5182e5d246bbdc81f382fd3b19d7314580858647760b312d2e12324663919dfa61c022e7a8469cd447c11df

        • \Users\Admin\AppData\Local\aU7m\spreview.exe
          MD5

          704cd4cac010e8e6d8de9b778ed17773

          SHA1

          81856abf70640f102b8b3defe2cf65669fe8e165

          SHA256

          4307f21d3ec3b51cba6a905a80045314ffccb4c60c11d99a3d77cc8103014208

          SHA512

          b380264276bad01d619a5f1f112791d6bf73dc52cdd5cca0cc1f726a6f66eefc5a78a37646792987c508f9cb5049f0eb86c71fb4c7a2d3e670c0c8623f0522ee

        • \Users\Admin\AppData\Local\leWMn\Secur32.dll
          MD5

          2e3a6d73a949713e68c510905bd46361

          SHA1

          060694dd45671127a91cbad593bbebce8e11736d

          SHA256

          247db98202f8989948664f80648a8a0757c4ff1ce2c0a13ca976faa41bf9f038

          SHA512

          e4da197aa5ccfd5c065e53a1270d38f82b0e51d3322cf6fd56ade1b42a0b3cf45305cebe98f5d8d6063cabdfda516139d685a2231f607d972fa989c5473f16e1

        • \Users\Admin\AppData\Local\leWMn\taskmgr.exe
          MD5

          09f7401d56f2393c6ca534ff0241a590

          SHA1

          e8b4d84a28e5ea17272416ec45726964fdf25883

          SHA256

          6766717b8afafe46b5fd66c7082ccce6b382cbea982c73cb651e35dc8187ace1

          SHA512

          7187a27cd32c1b295c74e36e1b6148a31d602962448b18395a44a721d17daa7271d0cd198edb2ed05ace439746517ffb1bcc11c7f682e09b025c950ea7b83192

        • \Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\0bp76f\spreview.exe
          MD5

          704cd4cac010e8e6d8de9b778ed17773

          SHA1

          81856abf70640f102b8b3defe2cf65669fe8e165

          SHA256

          4307f21d3ec3b51cba6a905a80045314ffccb4c60c11d99a3d77cc8103014208

          SHA512

          b380264276bad01d619a5f1f112791d6bf73dc52cdd5cca0cc1f726a6f66eefc5a78a37646792987c508f9cb5049f0eb86c71fb4c7a2d3e670c0c8623f0522ee

        • memory/584-55-0x000007FEF6740000-0x000007FEF6873000-memory.dmp
          Filesize

          1.2MB

        • memory/584-59-0x0000000000100000-0x0000000000107000-memory.dmp
          Filesize

          28KB

        • memory/680-88-0x000007FEFAC10000-0x000007FEFAD44000-memory.dmp
          Filesize

          1.2MB

        • memory/680-85-0x000007FEFB9A1000-0x000007FEFB9A3000-memory.dmp
          Filesize

          8KB

        • memory/680-83-0x0000000000000000-mapping.dmp
        • memory/1372-81-0x00000000772D0000-0x00000000772D2000-memory.dmp
          Filesize

          8KB

        • memory/1372-72-0x0000000140000000-0x0000000140133000-memory.dmp
          Filesize

          1.2MB

        • memory/1372-61-0x0000000140000000-0x0000000140133000-memory.dmp
          Filesize

          1.2MB

        • memory/1372-76-0x0000000140000000-0x0000000140133000-memory.dmp
          Filesize

          1.2MB

        • memory/1372-63-0x0000000140000000-0x0000000140133000-memory.dmp
          Filesize

          1.2MB

        • memory/1372-65-0x0000000140000000-0x0000000140133000-memory.dmp
          Filesize

          1.2MB

        • memory/1372-75-0x0000000140000000-0x0000000140133000-memory.dmp
          Filesize

          1.2MB

        • memory/1372-73-0x0000000140000000-0x0000000140133000-memory.dmp
          Filesize

          1.2MB

        • memory/1372-66-0x0000000140000000-0x0000000140133000-memory.dmp
          Filesize

          1.2MB

        • memory/1372-74-0x0000000140000000-0x0000000140133000-memory.dmp
          Filesize

          1.2MB

        • memory/1372-68-0x0000000140000000-0x0000000140133000-memory.dmp
          Filesize

          1.2MB

        • memory/1372-70-0x0000000140000000-0x0000000140133000-memory.dmp
          Filesize

          1.2MB

        • memory/1372-71-0x0000000140000000-0x0000000140133000-memory.dmp
          Filesize

          1.2MB

        • memory/1372-67-0x0000000140000000-0x0000000140133000-memory.dmp
          Filesize

          1.2MB

        • memory/1372-69-0x0000000140000000-0x0000000140133000-memory.dmp
          Filesize

          1.2MB

        • memory/1372-60-0x0000000002200000-0x0000000002201000-memory.dmp
          Filesize

          4KB

        • memory/1372-64-0x0000000140000000-0x0000000140133000-memory.dmp
          Filesize

          1.2MB

        • memory/1372-62-0x0000000140000000-0x0000000140133000-memory.dmp
          Filesize

          1.2MB

        • memory/1548-99-0x000007FEF6740000-0x000007FEF687A000-memory.dmp
          Filesize

          1.2MB

        • memory/1548-98-0x00000000FF7C1000-0x00000000FF7C3000-memory.dmp
          Filesize

          8KB

        • memory/1548-93-0x0000000000000000-mapping.dmp
        • memory/1728-104-0x0000000000000000-mapping.dmp
        • memory/1728-109-0x000007FEF6740000-0x000007FEF6874000-memory.dmp
          Filesize

          1.2MB