Analysis

  • max time kernel
    151s
  • max time network
    117s
  • platform
    windows7_x64
  • resource
    win7-en-20211104
  • submitted
    26-11-2021 09:30

General

  • Target

    a784e2fdd1ab991dc8e8be58fd5d6c8f5c1403f92d49661f29309268738cdd8f.dll

  • Size

    1.3MB

  • MD5

    3e98bb4d39b7a7b9750ba84ec892f61d

  • SHA1

    a0fd28e7af024c4a1a7ecf10777744407eb306f7

  • SHA256

    a784e2fdd1ab991dc8e8be58fd5d6c8f5c1403f92d49661f29309268738cdd8f

  • SHA512

    b2aa963b1d3c7240eab67bc1908fcc82d1be5741e97566a59be353c20e41092eda6c9529899980d432190256f016248a09ebf0c5ec1dd37f2e11359f301d4ba9

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a banking trojan that specializes in stealing bank credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex payload shellcode injected into the Explorer process.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 5 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\a784e2fdd1ab991dc8e8be58fd5d6c8f5c1403f92d49661f29309268738cdd8f.dll,#1
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    PID:856

  • C:\Windows\system32\notepad.exe
    C:\Windows\system32\notepad.exe
    PID:2008

  • C:\Users\Admin\AppData\Local\MQMyVN\notepad.exe
    C:\Users\Admin\AppData\Local\MQMyVN\notepad.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    • Suspicious behavior: GetForegroundWindowSpam
    PID:1100

  • C:\Windows\system32\BdeUISrv.exe
    C:\Windows\system32\BdeUISrv.exe
    PID:988

  • C:\Users\Admin\AppData\Local\IKSPooG\BdeUISrv.exe
    C:\Users\Admin\AppData\Local\IKSPooG\BdeUISrv.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    • Suspicious behavior: GetForegroundWindowSpam
    PID:984

  • C:\Windows\system32\recdisc.exe
    C:\Windows\system32\recdisc.exe
    PID:1340

  • C:\Users\Admin\AppData\Local\eDh\recdisc.exe
    C:\Users\Admin\AppData\Local\eDh\recdisc.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    • Suspicious behavior: GetForegroundWindowSpam
    PID:1420
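The process list, together with the dropped files listed under Downloads below, is consistent with DLL side-loading: a signed Windows binary (notepad.exe, BdeUISrv.exe, recdisc.exe) is copied into a randomly named folder under AppData\Local next to a DLL that carries the name of a system DLL the binary imports (VERSION.dll, WTSAPI32.dll, SPP.dll), so the copy resolves the attacker's DLL from its own directory before System32. Each copy is preceded by a launch of the genuine System32 binary. The detection logic below is an added example, not part of the report or of any sandbox product; it runs over constructed Sysmon-style process-create and image-load events modelled on the paths above (the event layout, the kernel32 and Acme entries, and the shortcut of taking the "known system name" baseline from the same telemetry are assumptions).

```python
import ntpath

# Constructed telemetry modelled on the process tree and dropped-file paths in
# the report above; Sysmon-style fields, not real log lines.
EVENTS = [
    {"type": "process_create", "pid": 856,  "image": r"C:\Windows\system32\rundll32.exe"},
    {"type": "process_create", "pid": 2008, "image": r"C:\Windows\system32\notepad.exe"},
    {"type": "image_load",     "pid": 2008, "image": r"C:\Windows\system32\notepad.exe",
     "loaded": r"C:\Windows\System32\VERSION.dll"},
    {"type": "process_create", "pid": 1100, "image": r"C:\Users\Admin\AppData\Local\MQMyVN\notepad.exe"},
    {"type": "image_load",     "pid": 1100, "image": r"C:\Users\Admin\AppData\Local\MQMyVN\notepad.exe",
     "loaded": r"C:\Users\Admin\AppData\Local\MQMyVN\VERSION.dll"},
    {"type": "image_load",     "pid": 1100, "image": r"C:\Users\Admin\AppData\Local\MQMyVN\notepad.exe",
     "loaded": r"C:\Windows\System32\kernel32.dll"},
    {"type": "process_create", "pid": 988,  "image": r"C:\Windows\system32\BdeUISrv.exe"},
    {"type": "image_load",     "pid": 988,  "image": r"C:\Windows\system32\BdeUISrv.exe",
     "loaded": r"C:\Windows\System32\WTSAPI32.dll"},
    {"type": "process_create", "pid": 984,  "image": r"C:\Users\Admin\AppData\Local\IKSPooG\BdeUISrv.exe"},
    {"type": "image_load",     "pid": 984,  "image": r"C:\Users\Admin\AppData\Local\IKSPooG\BdeUISrv.exe",
     "loaded": r"C:\Users\Admin\AppData\Local\IKSPooG\WTSAPI32.dll"},
    {"type": "process_create", "pid": 1340, "image": r"C:\Windows\system32\recdisc.exe"},
    {"type": "image_load",     "pid": 1340, "image": r"C:\Windows\system32\recdisc.exe",
     "loaded": r"C:\Windows\System32\SPP.dll"},
    {"type": "process_create", "pid": 1420, "image": r"C:\Users\Admin\AppData\Local\eDh\recdisc.exe"},
    {"type": "image_load",     "pid": 1420, "image": r"C:\Users\Admin\AppData\Local\eDh\recdisc.exe",
     "loaded": r"C:\Users\Admin\AppData\Local\eDh\SPP.dll"},
    # Benign control (assumed): a third-party app loading its own private DLL.
    {"type": "process_create", "pid": 3000, "image": r"C:\Program Files\Acme\acme.exe"},
    {"type": "image_load",     "pid": 3000, "image": r"C:\Program Files\Acme\acme.exe",
     "loaded": r"C:\Program Files\Acme\acmecore.dll"},
]

SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")


def in_system_dir(path):
    return ntpath.dirname(path).lower().rstrip("\\") in SYSTEM_DIRS


def base(path):
    return ntpath.basename(path).lower()


def system_baseline(events):
    """Names of EXEs and DLLs observed in System32/SysWOW64. Here the baseline
    is taken from the telemetry itself (an assumption for the example); on a
    real estate build it once from a clean reference image instead."""
    exes, dlls = set(), set()
    for e in events:
        if in_system_dir(e["image"]):
            exes.add(base(e["image"]))
        if e["type"] == "image_load" and in_system_dir(e["loaded"]):
            dlls.add(base(e["loaded"]))
    return exes, dlls


def find_masquerading(events):
    """A system-binary name executed from outside the system directories."""
    exes, _ = system_baseline(events)
    return [(e["pid"], e["image"]) for e in events
            if e["type"] == "process_create"
            and base(e["image"]) in exes and not in_system_dir(e["image"])]


def find_sideloads(events):
    """A system-DLL name resolved from the EXE's own, non-system directory:
    the search-order hijack the dropped VERSION/WTSAPI32/SPP DLLs rely on."""
    _, dlls = system_baseline(events)
    hits = []
    for e in events:
        if e["type"] != "image_load":
            continue
        same_dir = ntpath.dirname(e["loaded"]).lower() == ntpath.dirname(e["image"]).lower()
        if base(e["loaded"]) in dlls and same_dir and not in_system_dir(e["loaded"]):
            hits.append((e["pid"], base(e["image"]), base(e["loaded"])))
    return hits


if __name__ == "__main__":
    for pid, image in find_masquerading(EVENTS):
        print(f"masquerading system binary: pid={pid} {image}")
    for pid, exe, dll in find_sideloads(EVENTS):
        print(f"side-load: pid={pid} {exe} loaded {dll} from its own directory")
```

The two checks are deliberately independent: the masquerading rule fires on the process-create event alone, so it still catches the copy if image-load telemetry is missing, while the side-load rule ignores ordinary applications that load their own private DLLs (the Acme control) because it only fires on names that exist in System32.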

Network

MITRE ATT&CK Matrix (ATT&CK v6 technique IDs)

  • Persistence: Registry Run Keys / Startup Folder, T1060 (1 signature)
  • Defense Evasion: Modify Registry, T1112 (1 signature)
  • Discovery: System Information Discovery, T1082 (1 signature)


        Downloads

        • C:\Users\Admin\AppData\Local\IKSPooG\BdeUISrv.exe
          MD5

          1da6b19be5d4949c868a264bc5e74206

          SHA1

          d5ee86ba03a03ef8c93d93accafe40461084c839

          SHA256

          00330a0e0eb1dbb6ee84997963f8e15c7c15c1df787f1c7f109609d7b31bd35c

          SHA512

          9cee858c55eb0852e5bad53a675a094ae591b46b07afe9fb4224cac32e0be577fe36c1ed3e9f6bda4d4eb0c924a773d00e3181cd97f07e24c6c68c70f2b002c6

        • C:\Users\Admin\AppData\Local\IKSPooG\WTSAPI32.dll
          MD5

          69731b58c1aa2a8d423899f2121aa8d2

          SHA1

          d0821e1da98a0309d8e59c375b1b5203278628a9

          SHA256

          70f6dbf63b65b38f92ff2858046a036d2ea0806291c0714b2e5d227d3c7b5860

          SHA512

          2fb3e91b889b801932de0cbfdbe3d4197cec3e5d940e68a8602f463da8b6ade735cdd035ec4f3bf44c0354ad4c739a9f02b46581e67eeaccc91f82182b7c17c4

        • C:\Users\Admin\AppData\Local\MQMyVN\VERSION.dll
          MD5

          30a7e37488482df645276e1ca2ab2367

          SHA1

          65c74c8aa5153c8eb32347b69ee64e6311a10867

          SHA256

          f32c65e13141f3e9c76fd9a1aa16ee507abb85a0052530e982116b3af2b12734

          SHA512

          3e71ea24c1ecff223b273623d775c1e4ac4226d415ed00221e0a9d1663e8bbf3b507823346fba5469da7927f73518606a5558ae35ec0335bca03fb1a1c7954c2

        • C:\Users\Admin\AppData\Local\MQMyVN\notepad.exe
          MD5

          f2c7bb8acc97f92e987a2d4087d021b1

          SHA1

          7eb0139d2175739b3ccb0d1110067820be6abd29

          SHA256

          142e1d688ef0568370c37187fd9f2351d7ddeda574f8bfa9b0fa4ef42db85aa2

          SHA512

          2f37a2e503cffbd7c05c7d8a125b55368ce11aad5b62f17aaac7aaf3391a6886fa6a0fd73223e9f30072419bf5762a8af7958e805a52d788ba41f61eb084bfe8

        • C:\Users\Admin\AppData\Local\eDh\SPP.dll
          MD5

          83650e8639f305f3a54692261e6b998d

          SHA1

          436d12063037fdd8850807162cb590a694d88008

          SHA256

          1d3a54a9e072a296000fe2b1377583816a33e48a6ca3575f9c14bb7af80f2bd9

          SHA512

          7a8e39ddad6be457818538e1f6c4649ee098177eeb518cd111422878023a1b04420e69d6ae52dd8db03a9ccb7d80b80edfc230455cf5e8b24d391fb06a72d9d4

        • C:\Users\Admin\AppData\Local\eDh\recdisc.exe
          MD5

          f3b306179f1840c0813dc6771b018358

          SHA1

          dec7ce3c13f7a684cb52ae6007c99cf03afef005

          SHA256

          dcaeb590394b42d180e23e3cef4dd135513395b026e0ed489aec49848b85b8f0

          SHA512

          9f9ec4c2ca6373bd738bf415d059f3536390e46e5b0a560e9ee1b190407a6d0f481c38664c51b834a9e72d8878f71c3c19e427e3a6b5ca4ec6b02d1156eb9ef4

        • \Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\9PFDwF\recdisc.exe
          MD5

          f3b306179f1840c0813dc6771b018358

          SHA1

          dec7ce3c13f7a684cb52ae6007c99cf03afef005

          SHA256

          dcaeb590394b42d180e23e3cef4dd135513395b026e0ed489aec49848b85b8f0

          SHA512

          9f9ec4c2ca6373bd738bf415d059f3536390e46e5b0a560e9ee1b190407a6d0f481c38664c51b834a9e72d8878f71c3c19e427e3a6b5ca4ec6b02d1156eb9ef4

        • memory/856-58-0x0000000000100000-0x0000000000107000-memory.dmp
          Filesize

          28KB

        • memory/856-55-0x0000000140000000-0x0000000140145000-memory.dmp
          Filesize

          1.3MB

        • memory/984-90-0x0000000000000000-mapping.dmp
        • memory/1100-81-0x0000000000000000-mapping.dmp
        • memory/1100-86-0x0000000140000000-0x0000000140146000-memory.dmp
          Filesize

          1.3MB

        • memory/1100-83-0x000007FEFB761000-0x000007FEFB763000-memory.dmp
          Filesize

          8KB

        • memory/1248-65-0x0000000140000000-0x0000000140145000-memory.dmp
          Filesize

          1.3MB

        • memory/1248-63-0x0000000140000000-0x0000000140145000-memory.dmp
          Filesize

          1.3MB

        • memory/1248-79-0x0000000077090000-0x0000000077092000-memory.dmp
          Filesize

          8KB

        • memory/1248-67-0x0000000140000000-0x0000000140145000-memory.dmp
          Filesize

          1.3MB

        • memory/1248-66-0x0000000140000000-0x0000000140145000-memory.dmp
          Filesize

          1.3MB

        • memory/1248-73-0x0000000140000000-0x0000000140145000-memory.dmp
          Filesize

          1.3MB

        • memory/1248-64-0x0000000140000000-0x0000000140145000-memory.dmp
          Filesize

          1.3MB

        • memory/1248-72-0x0000000140000000-0x0000000140145000-memory.dmp
          Filesize

          1.3MB

        • memory/1248-62-0x0000000140000000-0x0000000140145000-memory.dmp
          Filesize

          1.3MB

        • memory/1248-68-0x0000000140000000-0x0000000140145000-memory.dmp
          Filesize

          1.3MB

        • memory/1248-61-0x0000000140000000-0x0000000140145000-memory.dmp
          Filesize

          1.3MB

        • memory/1248-71-0x0000000140000000-0x0000000140145000-memory.dmp
          Filesize

          1.3MB

        • memory/1248-69-0x0000000140000000-0x0000000140145000-memory.dmp
          Filesize

          1.3MB

        • memory/1248-59-0x00000000029E0000-0x00000000029E1000-memory.dmp
          Filesize

          4KB

        • memory/1248-70-0x0000000140000000-0x0000000140145000-memory.dmp
          Filesize

          1.3MB

        • memory/1248-60-0x0000000140000000-0x0000000140145000-memory.dmp
          Filesize

          1.3MB

        • memory/1420-98-0x0000000000000000-mapping.dmp
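Each dump name above encodes the PID, a sequence number and the address range that was dumped. Parsed, the list shows a 0x145000-byte region at 0x140000000 (the same size as the 1.3MB sample) dumped from PID 856, the rundll32.exe loader, and fourteen times from PID 1248, a PID that never appears in the process tree; PID 1100 holds a region at the same base one page larger. A process outside the spawn tree carrying the sample's image is what the "Dridex Shellcode" signature's description of a payload injected into Explorer would look like, although the report does not name PID 1248's image. The parser below is an added example, not part of the report; the dump names are copied from the list above, and the process-tree PID set and the reading of PID 1248 as the injection target are the editor's inference, not report output.

```python
import re
from collections import defaultdict

# Dump file names copied verbatim from the report's memory-dump list.
DUMPS = """
memory/856-58-0x0000000000100000-0x0000000000107000-memory.dmp
memory/856-55-0x0000000140000000-0x0000000140145000-memory.dmp
memory/984-90-0x0000000000000000-mapping.dmp
memory/1100-81-0x0000000000000000-mapping.dmp
memory/1100-86-0x0000000140000000-0x0000000140146000-memory.dmp
memory/1100-83-0x000007FEFB761000-0x000007FEFB763000-memory.dmp
memory/1248-65-0x0000000140000000-0x0000000140145000-memory.dmp
memory/1248-63-0x0000000140000000-0x0000000140145000-memory.dmp
memory/1248-79-0x0000000077090000-0x0000000077092000-memory.dmp
memory/1248-67-0x0000000140000000-0x0000000140145000-memory.dmp
memory/1248-66-0x0000000140000000-0x0000000140145000-memory.dmp
memory/1248-73-0x0000000140000000-0x0000000140145000-memory.dmp
memory/1248-64-0x0000000140000000-0x0000000140145000-memory.dmp
memory/1248-72-0x0000000140000000-0x0000000140145000-memory.dmp
memory/1248-62-0x0000000140000000-0x0000000140145000-memory.dmp
memory/1248-68-0x0000000140000000-0x0000000140145000-memory.dmp
memory/1248-61-0x0000000140000000-0x0000000140145000-memory.dmp
memory/1248-71-0x0000000140000000-0x0000000140145000-memory.dmp
memory/1248-69-0x0000000140000000-0x0000000140145000-memory.dmp
memory/1248-59-0x00000000029E0000-0x00000000029E1000-memory.dmp
memory/1248-70-0x0000000140000000-0x0000000140145000-memory.dmp
memory/1248-60-0x0000000140000000-0x0000000140145000-memory.dmp
memory/1420-98-0x0000000000000000-mapping.dmp
""".split()

# PIDs that appear in the report's process tree (taken from the Processes section).
TREE_PIDS = {856, 2008, 1100, 988, 984, 1340, 1420}

DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-(?:0x(?P<end>[0-9A-Fa-f]+)-memory|mapping)\.dmp"
)


def parse_dump(name):
    """Return (pid, seq, start, end). end is None for a '-mapping.dmp' entry,
    which records a process mapping rather than a dumped region."""
    m = DUMP_RE.fullmatch(name)
    if m is None:
        raise ValueError("unrecognised dump name: " + name)
    end = m.group("end")
    return (int(m.group("pid")), int(m.group("seq")),
            int(m.group("start"), 16), None if end is None else int(end, 16))


def correlate(names, tree_pids):
    regions = defaultdict(set)      # (base, size) -> PIDs the region was dumped from
    region_dumps = defaultdict(int)  # PID -> number of region dumps
    seen = set()
    for name in names:
        pid, _, start, end = parse_dump(name)
        seen.add(pid)
        if end is not None:
            regions[(start, end - start)].add(pid)
            region_dumps[pid] += 1
    return {
        # the same base and size present in more than one process
        "shared_regions": {r: sorted(p) for r, p in regions.items() if len(p) > 1},
        # processes the spawn tree never shows but that were dumped anyway
        "pids_outside_tree": sorted(seen - tree_pids),
        "region_dumps_per_pid": dict(region_dumps),
    }


if __name__ == "__main__":
    result = correlate(DUMPS, TREE_PIDS)
    for (start, size), pids in result["shared_regions"].items():
        print(f"region 0x{start:X} size 0x{size:X} dumped from PIDs {pids}")
    print("PIDs outside the process tree:", result["pids_outside_tree"])
```

The useful triage signal is the intersection of the two outputs: a region matching the sample's image size that appears in a PID the process tree does not explain. The identical base in each process is also worth noting, since 0x140000000 is the default preferred base for a 64-bit image linked as an executable rather than the 0x180000000 usual for a DLL.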