Analysis

  • max time kernel
    155s
  • max time network
    137s
  • platform
    windows10_x64
  • resource
    win10-en-20211014
  • submitted
    26-11-2021 09:30

General

  • Target

    559ea4cd5ccedae2401361426823b4c92046f9f997e78b9cf9a1c1e31f9b79c9.dll

  • Size

    1.2MB

  • MD5

    366013530a4b95379a78c2fdb73c57bc

  • SHA1

    ef3d3ab238a9c130efde5d42a25d6da283fb32b4

  • SHA256

    559ea4cd5ccedae2401361426823b4c92046f9f997e78b9cf9a1c1e31f9b79c9

  • SHA512

    d069b330242c8ec15975e4ff601b6c4a6cadf43a3ea36193c3e616e0f13602d51a4ef72a8af59a7989eb4d3e126b87436280f5457787bddfe430899600113ead

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a banking trojan that specializes in stealing online banking credentials.

  • Dridex Shellcode (1 IoC)

    Detects Dridex payload shellcode injected into the Explorer process.

  • Executes dropped EXE (3 IoCs)
  • Loads dropped DLL (3 IoCs)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Checks whether UAC is enabled (1 TTP, 4 IoCs)
  • Modifies registry class (2 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (5 IoCs)
  • Suspicious use of AdjustPrivilegeToken (12 IoCs)
  • Suspicious use of WriteProcessMemory (12 IoCs)

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\559ea4cd5ccedae2401361426823b4c92046f9f997e78b9cf9a1c1e31f9b79c9.dll,#1
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    PID:2176
  • C:\Windows\system32\lpksetup.exe
    C:\Windows\system32\lpksetup.exe
    PID:800
  • C:\Users\Admin\AppData\Local\2Js\lpksetup.exe
    C:\Users\Admin\AppData\Local\2Js\lpksetup.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    • Suspicious behavior: GetForegroundWindowSpam
    PID:880
  • C:\Windows\system32\wermgr.exe
    C:\Windows\system32\wermgr.exe
    PID:520
  • C:\Users\Admin\AppData\Local\GouTesF\wermgr.exe
    C:\Users\Admin\AppData\Local\GouTesF\wermgr.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    • Suspicious behavior: GetForegroundWindowSpam
    PID:512
  • C:\Windows\system32\osk.exe
    C:\Windows\system32\osk.exe
    PID:3560
  • C:\Users\Admin\AppData\Local\N5I6\osk.exe
    C:\Users\Admin\AppData\Local\N5I6\osk.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    • Suspicious behavior: GetForegroundWindowSpam
    PID:1732
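The process tree and the dropped-file list together show one pattern three times over: a signed Windows binary (lpksetup.exe, wermgr.exe, osk.exe) is copied from System32 into a random-named directory under %LOCALAPPDATA% and started there, with a DLL (dpx.dll, wer.dll, WMsgAPI.dll) dropped beside it, which is the staging layout of DLL side-loading. The script below is an added example, not code from the report or from the sample's authors; it flags that layout from a file inventory. The inventory is constructed from this report's paths plus two benign control entries, and the SYSTEM32_BINARIES set is an assumption for illustration (the report does not enumerate System32, so a real hunt would build the set by listing C:\Windows\System32 on the host).

```python
"""Flag DLL side-loading staging directories from a file inventory.

Added example; not code from the sandbox report or from the sample's authors.
DROPPED_FILES is constructed from this report's process tree and dropped-file
list (plus benign control paths).  SYSTEM32_BINARIES is an assumption: a real
hunt should populate it by listing C:\\Windows\\System32 on the host.
"""
import ntpath
import os
from collections import defaultdict

# Constructed from the report's "Downloads" entries and process tree.
DROPPED_FILES = [
    r"C:\Users\Admin\AppData\Local\2Js\dpx.dll",
    r"C:\Users\Admin\AppData\Local\2Js\lpksetup.exe",
    r"C:\Users\Admin\AppData\Local\GouTesF\wer.dll",
    r"C:\Users\Admin\AppData\Local\GouTesF\wermgr.exe",
    r"C:\Users\Admin\AppData\Local\N5I6\WMsgAPI.dll",
    r"C:\Users\Admin\AppData\Local\N5I6\osk.exe",
    # Constructed benign controls: must not be flagged.
    r"C:\Users\Admin\AppData\Local\Vendor\app.exe",
    r"C:\Users\Admin\AppData\Local\Vendor\helper.dll",
    r"C:\Windows\System32\osk.exe",
]

# Assumption for this example: the System32 binaries the sample copies.
SYSTEM32_BINARIES = {"lpksetup.exe", "wermgr.exe", "osk.exe"}

# Directories where a System32 binary name is expected and not suspicious.
TRUSTED_DIR_PREFIXES = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\windows\winsxs",
)


def find_sideload_candidates(paths, system_binaries=SYSTEM32_BINARIES):
    """Return (directory, host_exe, [dlls]) for every directory outside the
    Windows tree that holds a copy of a System32 binary next to at least one
    DLL.  That pairing is the side-loading staging pattern in this report:
    a signed host executable copied to %LOCALAPPDATA%\\<random>\\ resolves
    one of its imports from its own directory first and so picks up the
    attacker's DLL instead of the system copy."""
    by_dir = defaultdict(list)
    for p in paths:
        d, name = ntpath.split(p)
        by_dir[d.lower()].append(name)   # NTFS paths compare case-insensitively
    hits = []
    for d, names in by_dir.items():
        if d.startswith(TRUSTED_DIR_PREFIXES):
            continue
        dlls = sorted(n for n in names if n.lower().endswith(".dll"))
        if not dlls:
            continue
        for exe in sorted(names):
            if exe.lower() in system_binaries:
                hits.append((d, exe, dlls))
    return sorted(hits)


def scan_tree(root):
    """Walk a live directory (for example %LOCALAPPDATA%) and yield file
    paths in the same form as DROPPED_FILES, so the constructed inventory
    can be swapped for a real one on a Windows host."""
    for dirpath, _, files in os.walk(root):
        for f in files:
            yield os.path.join(dirpath, f)


if __name__ == "__main__":
    for d, exe, dlls in find_sideload_candidates(DROPPED_FILES):
        print(f"{d}: {exe} beside {', '.join(dlls)}")
```

On a live host, pass `scan_tree(os.environ["LOCALAPPDATA"])` instead of the constructed list; a hit is only a candidate until the host executable's Authenticode signature and the DLL's hash are checked against the System32 originals.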

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence: Registry Run Keys / Startup Folder (T1060), 1 signature
  • Defense Evasion: Modify Registry (T1112), 1 signature
  • Discovery: System Information Discovery (T1082), 1 signature

        Downloads

        • C:\Users\Admin\AppData\Local\2Js\dpx.dll
          MD5

          08a2c1668c9d47a84bf07f1ef92702ef

          SHA1

          43c8f2c02aa4426d092220fcd2314ae03a26f18f

          SHA256

          e454219e43c257e5b22cbfc6c7b7e1c8efda15e3f139cb84592612b6c8dd7554

          SHA512

          98888efe2a15bd74dd391f4c88b696c94f449cf4c2d08a4958f11d1b60a676ea7f006b2497ce7bc3402c719d145a21bcd5d76be061356e310620f27ffa19d5bd

        • C:\Users\Admin\AppData\Local\2Js\lpksetup.exe
          MD5

          e96f815f1f58a65c47ed4657668d40ac

          SHA1

          ad6bbf9c08aae0d5b3a219e192a1974dc7cb1e59

          SHA256

          edccb2f297de76763c0298829a5c5726942c0c4d7df4265639c1728b5028c79f

          SHA512

          1ab1d5ea644b7569c75d75fc39cbb64804f8f019ca2f50efb74a1b77055d6b897c3f4207be72f5b7c63b93c49b75d3b150b9fb40b21453a69f86ad93287390fd

        • C:\Users\Admin\AppData\Local\GouTesF\wer.dll
          MD5

          cb3aff75459707d71b55feda9ebe8f85

          SHA1

          888d10d70a30a18df1340115810d52fa8bc5e0d2

          SHA256

          d6545cbc430a63ddfb4d71059a9d3d4e97590e6d01a45ca970c31e5fe57b14cb

          SHA512

          8b3fd2503281d3063951ff8c287342144be5e6b059ec97b79096df8e8e0eb0d4825f740c7a01347731a0a7d6c2021c9a0e55babcb1ce7be04d9f451d0932a39e

        • C:\Users\Admin\AppData\Local\GouTesF\wermgr.exe
          MD5

          b6b07bd48ece5e19f8fbbe3b9d4dee8b

          SHA1

          a9d344ae382ffaf64d7977f632d98a422b4e09fd

          SHA256

          ab6443218f56d9743fa4605a7696c82b016f621ddefcb3207a9aa77666a7bca1

          SHA512

          a0092bb7fca2160e1a9bf6db4399bfde9a15d6a885932e58152b80bfb3fb5f4d67836b1c31c261550bb5cea71f74bd985911daf624ad02f4938db2d23b76fdd4

        • C:\Users\Admin\AppData\Local\N5I6\WMsgAPI.dll
          MD5

          8b2e8832684b468704465bad8bb75033

          SHA1

          f02e2a84c915c5d9e0b22cd9c852aa51982c584b

          SHA256

          980d0649b8a956f269c5aa5ee828133401cb5814b4ac82a8d84f3b25ef34b200

          SHA512

          02d5f8f06fbe8743df9a54d09a66bb59fee2629d8ce701537193745b6fb79879e709241cd2de39fdab1554e6e62a7ae3aa692ed2a4e502a7ac4cbc1aae537e35

        • C:\Users\Admin\AppData\Local\N5I6\osk.exe
          MD5

          4a614350289f2f92c6d7c5caccc09eff

          SHA1

          55e6807f31f66120e4798e37a8fb26e583ce1c81

          SHA256

          f259aa7bfb7f18f981d0a08888942f5027766cdcf4d4d60d2540d5eda048fd68

          SHA512

          ddf8fdc5b186ab9a15fa15310356d48cfbe1948fda0f0e624b1a429be11f406e5e3ce1924f48bbb9a9d14ede34a20c55c3e88f1f640e9d7d21f39bfad3c21dfc

        • \Users\Admin\AppData\Local\2Js\dpx.dll
          MD5

          08a2c1668c9d47a84bf07f1ef92702ef

          SHA1

          43c8f2c02aa4426d092220fcd2314ae03a26f18f

          SHA256

          e454219e43c257e5b22cbfc6c7b7e1c8efda15e3f139cb84592612b6c8dd7554

          SHA512

          98888efe2a15bd74dd391f4c88b696c94f449cf4c2d08a4958f11d1b60a676ea7f006b2497ce7bc3402c719d145a21bcd5d76be061356e310620f27ffa19d5bd

        • \Users\Admin\AppData\Local\GouTesF\wer.dll
          MD5

          cb3aff75459707d71b55feda9ebe8f85

          SHA1

          888d10d70a30a18df1340115810d52fa8bc5e0d2

          SHA256

          d6545cbc430a63ddfb4d71059a9d3d4e97590e6d01a45ca970c31e5fe57b14cb

          SHA512

          8b3fd2503281d3063951ff8c287342144be5e6b059ec97b79096df8e8e0eb0d4825f740c7a01347731a0a7d6c2021c9a0e55babcb1ce7be04d9f451d0932a39e

        • \Users\Admin\AppData\Local\N5I6\WMsgAPI.dll
          MD5

          8b2e8832684b468704465bad8bb75033

          SHA1

          f02e2a84c915c5d9e0b22cd9c852aa51982c584b

          SHA256

          980d0649b8a956f269c5aa5ee828133401cb5814b4ac82a8d84f3b25ef34b200

          SHA512

          02d5f8f06fbe8743df9a54d09a66bb59fee2629d8ce701537193745b6fb79879e709241cd2de39fdab1554e6e62a7ae3aa692ed2a4e502a7ac4cbc1aae537e35

        • memory/512-174-0x00000255AAD00000-0x00000255AAD02000-memory.dmp
          Filesize

          8KB

        • memory/512-173-0x00000255AAD00000-0x00000255AAD02000-memory.dmp
          Filesize

          8KB

        • memory/512-175-0x00000255AAD00000-0x00000255AAD02000-memory.dmp
          Filesize

          8KB

        • memory/512-166-0x0000000000000000-mapping.dmp
        • memory/512-170-0x0000000140000000-0x0000000140135000-memory.dmp
          Filesize

          1.2MB

        • memory/880-164-0x000001C2D2F40000-0x000001C2D2F42000-memory.dmp
          Filesize

          8KB

        • memory/880-165-0x000001C2D2F40000-0x000001C2D2F42000-memory.dmp
          Filesize

          8KB

        • memory/880-163-0x000001C2D2F40000-0x000001C2D2F42000-memory.dmp
          Filesize

          8KB

        • memory/880-160-0x0000000140000000-0x0000000140134000-memory.dmp
          Filesize

          1.2MB

        • memory/880-155-0x0000000000000000-mapping.dmp
        • memory/1732-184-0x000001D1DACB0000-0x000001D1DACB2000-memory.dmp
          Filesize

          8KB

        • memory/1732-185-0x000001D1DACB0000-0x000001D1DACB2000-memory.dmp
          Filesize

          8KB

        • memory/1732-183-0x000001D1DACB0000-0x000001D1DACB2000-memory.dmp
          Filesize

          8KB

        • memory/1732-176-0x0000000000000000-mapping.dmp
        • memory/2176-118-0x0000000140000000-0x0000000140133000-memory.dmp
          Filesize

          1.2MB

        • memory/2176-123-0x000002AEC6D60000-0x000002AEC6D67000-memory.dmp
          Filesize

          28KB

        • memory/2176-122-0x000002AEC6D70000-0x000002AEC6D72000-memory.dmp
          Filesize

          8KB

        • memory/2176-121-0x000002AEC6D70000-0x000002AEC6D72000-memory.dmp
          Filesize

          8KB

        • memory/3028-133-0x0000000140000000-0x0000000140133000-memory.dmp
          Filesize

          1.2MB

        • memory/3028-138-0x0000000140000000-0x0000000140133000-memory.dmp
          Filesize

          1.2MB

        • memory/3028-154-0x0000000000870000-0x0000000000872000-memory.dmp
          Filesize

          8KB

        • memory/3028-152-0x0000000000870000-0x0000000000872000-memory.dmp
          Filesize

          8KB

        • memory/3028-151-0x0000000000870000-0x0000000000872000-memory.dmp
          Filesize

          8KB

        • memory/3028-145-0x0000000140000000-0x0000000140133000-memory.dmp
          Filesize

          1.2MB

        • memory/3028-158-0x00007FF97D0F0000-0x00007FF97D100000-memory.dmp
          Filesize

          64KB

        • memory/3028-144-0x0000000140000000-0x0000000140133000-memory.dmp
          Filesize

          1.2MB

        • memory/3028-143-0x0000000140000000-0x0000000140133000-memory.dmp
          Filesize

          1.2MB

        • memory/3028-142-0x0000000140000000-0x0000000140133000-memory.dmp
          Filesize

          1.2MB

        • memory/3028-141-0x0000000140000000-0x0000000140133000-memory.dmp
          Filesize

          1.2MB

        • memory/3028-140-0x0000000140000000-0x0000000140133000-memory.dmp
          Filesize

          1.2MB

        • memory/3028-139-0x0000000140000000-0x0000000140133000-memory.dmp
          Filesize

          1.2MB

        • memory/3028-153-0x00007FF97D1E5000-0x00007FF97D1E6000-memory.dmp
          Filesize

          4KB

        • memory/3028-137-0x0000000140000000-0x0000000140133000-memory.dmp
          Filesize

          1.2MB

        • memory/3028-136-0x0000000140000000-0x0000000140133000-memory.dmp
          Filesize

          1.2MB

        • memory/3028-135-0x0000000140000000-0x0000000140133000-memory.dmp
          Filesize

          1.2MB

        • memory/3028-134-0x0000000140000000-0x0000000140133000-memory.dmp
          Filesize

          1.2MB

        • memory/3028-132-0x0000000140000000-0x0000000140133000-memory.dmp
          Filesize

          1.2MB

        • memory/3028-130-0x0000000140000000-0x0000000140133000-memory.dmp
          Filesize

          1.2MB

        • memory/3028-131-0x0000000140000000-0x0000000140133000-memory.dmp
          Filesize

          1.2MB

        • memory/3028-129-0x0000000140000000-0x0000000140133000-memory.dmp
          Filesize

          1.2MB

        • memory/3028-128-0x0000000140000000-0x0000000140133000-memory.dmp
          Filesize

          1.2MB

        • memory/3028-127-0x0000000140000000-0x0000000140133000-memory.dmp
          Filesize

          1.2MB

        • memory/3028-125-0x0000000140000000-0x0000000140133000-memory.dmp
          Filesize

          1.2MB

        • memory/3028-126-0x0000000140000000-0x0000000140133000-memory.dmp
          Filesize

          1.2MB

        • memory/3028-124-0x0000000000860000-0x0000000000861000-memory.dmp
          Filesize

          4KB

        • memory/3028-186-0x0000000000870000-0x0000000000872000-memory.dmp
          Filesize

          8KB
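The memory-dump names above encode PID, dump index and address range, and reading them by hand hides the one fact worth noticing: a region of about 1.2MB (the size of the submitted DLL) sits at base 0x140000000 in rundll32 (2176), in each dropped copy (880, 512) and in PID 3028, which has dumps but no entry in the process tree. The script below is an added example, not code from the report; it parses a constructed subset of this report's dump names (one per distinct region, plus one repeat to show de-duplication), collapses repeats, and reports large regions that several processes share at the same base, along with PIDs that were dumped without being spawned by the sample. The 1 MiB threshold for "large" is an assumption.

```python
"""Correlate sandbox memory-dump names across processes.

Added example; not code from the report.  Dump names follow
memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp (or -mapping.dmp).
DUMP_NAMES is a constructed subset of this report's entries; TREE_PIDS is
taken from the report's process tree.  The 1 MiB threshold is an assumption.
"""
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+)-memory|-mapping)\.dmp$"
)

# Constructed subset of the report's Downloads section.
DUMP_NAMES = [
    "memory/512-166-0x0000000000000000-mapping.dmp",
    "memory/512-170-0x0000000140000000-0x0000000140135000-memory.dmp",
    "memory/512-173-0x00000255AAD00000-0x00000255AAD02000-memory.dmp",
    "memory/880-160-0x0000000140000000-0x0000000140134000-memory.dmp",
    "memory/880-163-0x000001C2D2F40000-0x000001C2D2F42000-memory.dmp",
    "memory/1732-176-0x0000000000000000-mapping.dmp",
    "memory/1732-183-0x000001D1DACB0000-0x000001D1DACB2000-memory.dmp",
    "memory/2176-118-0x0000000140000000-0x0000000140133000-memory.dmp",
    "memory/2176-123-0x000002AEC6D60000-0x000002AEC6D67000-memory.dmp",
    "memory/3028-125-0x0000000140000000-0x0000000140133000-memory.dmp",
    "memory/3028-133-0x0000000140000000-0x0000000140133000-memory.dmp",  # repeat
    "memory/3028-124-0x0000000000860000-0x0000000000861000-memory.dmp",
    "memory/3028-158-0x00007FF97D0F0000-0x00007FF97D100000-memory.dmp",
]

# PIDs listed in the report's process tree.
TREE_PIDS = {2176, 800, 880, 520, 512, 3560, 1732}


def parse_dump_name(name):
    """Return (pid, start, end) for a region dump, (pid, None, None) for a
    mapping dump, or None if the name does not follow the naming scheme."""
    m = DUMP_RE.match(name)
    if not m:
        return None
    pid = int(m.group("pid"))
    if m.group("end") is None:
        return pid, None, None
    return pid, int(m.group("start"), 16), int(m.group("end"), 16)


def regions_by_pid(names):
    """Map each PID to its set of distinct (start, end) regions; repeated
    dumps of the same range collapse to one entry."""
    out = defaultdict(set)
    for n in names:
        parsed = parse_dump_name(n)
        if parsed is None or parsed[1] is None:
            continue
        pid, start, end = parsed
        out[pid].add((start, end))
    return dict(out)


def shared_large_regions(by_pid, min_size=1 << 20):
    """Base addresses at which two or more processes hold a region of at
    least min_size bytes.  One large region at an identical base in several
    unrelated host processes is the footprint of the same image mapped into
    each of them; the small 8 KB private regions drop out.  Returns
    [(base, {pid: size})] sorted by base."""
    sizes = defaultdict(dict)
    for pid, regions in by_pid.items():
        for start, end in regions:
            size = end - start
            if size >= min_size:
                sizes[start][pid] = max(size, sizes[start].get(pid, 0))
    return sorted((base, pids) for base, pids in sizes.items() if len(pids) >= 2)


def pids_outside_tree(by_pid, tree_pids=TREE_PIDS):
    """PIDs that have memory dumps but no process-tree entry: candidates for
    injection targets, to be read alongside the WriteProcessMemory and Dridex
    shellcode signatures."""
    return sorted(set(by_pid) - set(tree_pids))


if __name__ == "__main__":
    by_pid = regions_by_pid(DUMP_NAMES)
    for base, pids in shared_large_regions(by_pid):
        print(f"base 0x{base:X} shared by PIDs "
              + ", ".join(f"{p} ({s // 1024} KB)" for p, s in sorted(pids.items())))
    print("dumped but not in process tree:", pids_outside_tree(by_pid))
```

Feeding it the full list of dump names from the report instead of the subset gives the same shared base; the next step for an analyst is to pull the 0x140000000 dump from two different PIDs and diff them, since identical content confirms one loader image rather than coincidental allocation.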