a784e2fdd1ab991dc8e8be58fd5d6c8f5c1403f92d49661f29309268738cdd8f

max time kernel151s
max time network122s
platformwindows10_x64
resourcewin10-en-20211104
submitted26-11-2021 09:30

Report
Files
Registry
Network
Processes
Mutex
Misc

Target

a784e2fdd1ab991dc8e8be58fd5d6c8f5c1403f92d49661f29309268738cdd8f.dll

Filesize

1MB

Completed

26-11-2021 09:33

Score

10^/10

MD5

3e98bb4d39b7a7b9750ba84ec892f61d

SHA1

a0fd28e7af024c4a1a7ecf10777744407eb306f7

SHA256

a784e2fdd1ab991dc8e8be58fd5d6c8f5c1403f92d49661f29309268738cdd8f

Defense Evasion

Discovery

Persistence

Dridex

Description

Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

Tags

botnet dridex
Dridex Shellcode

Description

Detects Dridex Payload shellcode injected in Explorer process.

Tags

botnet payload

Reported IOCs

resource yara_rule

behavioral2/memory/3024-124-0x0000000001340000-0x0000000001341000-memory.dmp dridex_stager_shellcode
Executes dropped EXE
MDMAppInstaller.exebdechangepin.exepsr.exe

Reported IOCs

pid process

916 MDMAppInstaller.exe
3944 bdechangepin.exe
396 psr.exe
Loads dropped DLL
MDMAppInstaller.exebdechangepin.exepsr.exe

Reported IOCs

pid process

916 MDMAppInstaller.exe
3944 bdechangepin.exe
396 psr.exe

resource	yara_rule
behavioral2/memory/3024-124-0x0000000001340000-0x0000000001341000-memory.dmp	dridex_stager_shellcode

pid	process
916	MDMAppInstaller.exe
3944	bdechangepin.exe
396	psr.exe

pid	process
916	MDMAppInstaller.exe
3944	bdechangepin.exe
396	psr.exe

Adds Run key to start application

TTPs

Registry Run Keys / Startup FolderModify Registry

Reported IOCs

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ziekmjidk = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\WINDOW~1\\bwVze\\BDECHA~1.EXE"

Checks whether UAC is enabled

rundll32.exeMDMAppInstaller.exebdechangepin.exepsr.exe

TTPs

System Information Discovery

Reported IOCs

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MDMAppInstaller.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bdechangepin.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	psr.exe

Modifies registry class

Reported IOCs

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance

Suspicious behavior: EnumeratesProcesses

rundll32.exe

Reported IOCs

pid	process
3348	rundll32.exe
3348	rundll32.exe
3348	rundll32.exe
3348	rundll32.exe
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024

Suspicious behavior: GetForegroundWindowSpam
rundll32.exeMDMAppInstaller.exebdechangepin.exepsr.exe

Reported IOCs

pid process

3348 rundll32.exe
3024
916 MDMAppInstaller.exe
3944 bdechangepin.exe
396 psr.exe

Suspicious use of AdjustPrivilegeToken

Reported IOCs

description	pid	process
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024

Suspicious use of WriteProcessMemory

Reported IOCs

description	pid	target process
PID 3024 wrote to memory of 1012	3024	MDMAppInstaller.exe
PID 3024 wrote to memory of 1012	3024	MDMAppInstaller.exe
PID 3024 wrote to memory of 916	3024	MDMAppInstaller.exe
PID 3024 wrote to memory of 916	3024	MDMAppInstaller.exe
PID 3024 wrote to memory of 3628	3024	bdechangepin.exe
PID 3024 wrote to memory of 3628	3024	bdechangepin.exe
PID 3024 wrote to memory of 3944	3024	bdechangepin.exe
PID 3024 wrote to memory of 3944	3024	bdechangepin.exe
PID 3024 wrote to memory of 1208	3024	psr.exe
PID 3024 wrote to memory of 1208	3024	psr.exe
PID 3024 wrote to memory of 396	3024	psr.exe
PID 3024 wrote to memory of 396	3024	psr.exe

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\a784e2fdd1ab991dc8e8be58fd5d6c8f5c1403f92d49661f29309268738cdd8f.dll,#1

Checks whether UAC is enabled
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam

PID:3348

C:\Windows\system32\MDMAppInstaller.exe

C:\Windows\system32\MDMAppInstaller.exe

PID:1012

C:\Users\Admin\AppData\Local\FBschVc39\MDMAppInstaller.exe

C:\Users\Admin\AppData\Local\FBschVc39\MDMAppInstaller.exe

Executes dropped EXE
Loads dropped DLL
Checks whether UAC is enabled
Suspicious behavior: GetForegroundWindowSpam

PID:916

C:\Windows\system32\bdechangepin.exe

C:\Windows\system32\bdechangepin.exe

PID:3628

C:\Users\Admin\AppData\Local\wdEhlsCq\bdechangepin.exe

C:\Users\Admin\AppData\Local\wdEhlsCq\bdechangepin.exe

Executes dropped EXE
Loads dropped DLL
Checks whether UAC is enabled
Suspicious behavior: GetForegroundWindowSpam

PID:3944

C:\Windows\system32\psr.exe

C:\Windows\system32\psr.exe

PID:1208

C:\Users\Admin\AppData\Local\TPSJ619ng\psr.exe

C:\Users\Admin\AppData\Local\TPSJ619ng\psr.exe

Executes dropped EXE
Loads dropped DLL
Checks whether UAC is enabled
Suspicious behavior: GetForegroundWindowSpam

PID:396

Collection

Command and Control

Credential Access

Defense Evasion

Modify Registry

Discovery

System Information Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

00:00 00:00

C:\Users\Admin\AppData\Local\FBschVc39\MDMAppInstaller.exe
MD5
4dd62f5c80e61f360e4178e64bdd9eb2

SHA1
0bb999e6fcf480e135f0c2f548beac45bf8388f9

SHA256
9487e1da940889f7144de063e6999d1a76a1b93be195ea4f9d32be765e5eba99

SHA512
a3bb8133a23680f44e06f7b8c3bcb3630103cde12e21cae3a1292633ffc51cc07f1a220774b85fc8021424e668f2518c6b8ddc0df3a5e4dd10d21e16c7a7091e

Download Submit
C:\Users\Admin\AppData\Local\FBschVc39\WTSAPI32.dll
MD5
029b2b785ebbb208753b231cf32b20e7

SHA1
b88ae32074501f3354b25a4ab5909718bb1e82cd

SHA256
f77a07c9489f2c9e610c4f456a1799f0c542dbba56d60a0c6f3ca0cb0157cf06

SHA512
21ad628158962a950bb16d3ef0094708faa4cf626b19b4ddb627a81b9e6b9a99cab536e54e68d5ccae0b6318fbb0b5289d286a792b0e234d8e284ff7c0631a73

Download Submit
C:\Users\Admin\AppData\Local\TPSJ619ng\VERSION.dll
MD5
7bd9e6d69092ca3b87aebf998043901f

SHA1
d5ba8647b03a42dbebd7941cb858f3b72f28d581

SHA256
85dbf9020e1c663aa52060a11ea3d3286eeab993f6591c14991c3a67564b3fb3

SHA512
4ac1a91ad32fd6a373a3d6074a29db0f0926caacdf924323dfad685d93aef769e88243ab8a6c0a44cea4ed3d3683fe49df7e394be17710ac4b2259c17ad357bf

Download Submit
C:\Users\Admin\AppData\Local\TPSJ619ng\psr.exe
MD5
264a61b365dd314f3c82d1efba60fe17

SHA1
9a778a13f5e85d7c5bf2e21ceb398ae0a4300ffa

SHA256
880fafbd4087442964a7780331a0e8dd43b78e2106e9df545f0432d4aa15ce93

SHA512
9b26021b49ed0f8cfb05d9c8f5e0cec7beaebe9ee14acfc3237cec1255bb9e6a4f5f7a6b902f3d561bbbac7489f64e5a39f498261eef7e93178be97f9cc15e3c

Download Submit
C:\Users\Admin\AppData\Local\wdEhlsCq\DUI70.dll
MD5
afa79bb703e5c0992a8a764cbce22f78

SHA1
beec4b3eefd78b377d8d9b400564d2f3c6c47a2c

SHA256
54783f162850fe847d417e6b0d53534134c3e5540585833679da792b4930bb61

SHA512
c13952c1d5fa658e0f331b46381b450aa1262a20e3ea54ad1001535f9d221f78a1060ff85ae72342e4019581257353d2c5a82c5c8b425a14c777203072fbfce1

Download Submit
C:\Users\Admin\AppData\Local\wdEhlsCq\bdechangepin.exe
MD5
c1c59d7307da404788e5a4294f671213

SHA1
d7d7d2b898c072ecd1fa1207dfa6277b1b328af8

SHA256
dc5078956ac057a7560285440fbb315db6f2718c1fc6bd88d50b1e49f8f8ad1b

SHA512
d138e672a81f9b957c96d9c236bb6dc5141ebb1c19b1446c7ace1a10bc6522c527a27d969a990fafdae04c03bfe5c664b955d9ac2aa3c8dfc3e282ad81693989

Download Submit
\Users\Admin\AppData\Local\FBschVc39\WTSAPI32.dll
MD5
029b2b785ebbb208753b231cf32b20e7

SHA1
b88ae32074501f3354b25a4ab5909718bb1e82cd

SHA256
f77a07c9489f2c9e610c4f456a1799f0c542dbba56d60a0c6f3ca0cb0157cf06

SHA512
21ad628158962a950bb16d3ef0094708faa4cf626b19b4ddb627a81b9e6b9a99cab536e54e68d5ccae0b6318fbb0b5289d286a792b0e234d8e284ff7c0631a73

Download Submit
\Users\Admin\AppData\Local\TPSJ619ng\VERSION.dll
MD5
7bd9e6d69092ca3b87aebf998043901f

SHA1
d5ba8647b03a42dbebd7941cb858f3b72f28d581

SHA256
85dbf9020e1c663aa52060a11ea3d3286eeab993f6591c14991c3a67564b3fb3

SHA512
4ac1a91ad32fd6a373a3d6074a29db0f0926caacdf924323dfad685d93aef769e88243ab8a6c0a44cea4ed3d3683fe49df7e394be17710ac4b2259c17ad357bf

Download Submit
\Users\Admin\AppData\Local\wdEhlsCq\DUI70.dll
MD5
afa79bb703e5c0992a8a764cbce22f78

SHA1
beec4b3eefd78b377d8d9b400564d2f3c6c47a2c

SHA256
54783f162850fe847d417e6b0d53534134c3e5540585833679da792b4930bb61

SHA512
c13952c1d5fa658e0f331b46381b450aa1262a20e3ea54ad1001535f9d221f78a1060ff85ae72342e4019581257353d2c5a82c5c8b425a14c777203072fbfce1

Download Submit
memory/396-176-0x000001B30A5B0000-0x000001B30A5B2000-memory.dmp

Download
memory/396-177-0x000001B30A5B0000-0x000001B30A5B2000-memory.dmp

Download
memory/396-169-0x0000000000000000-mapping.dmp

Download
memory/396-178-0x000001B30A5B0000-0x000001B30A5B2000-memory.dmp

Download
memory/916-156-0x0000023FEF2D0000-0x0000023FEF2D2000-memory.dmp

Download
memory/916-153-0x0000000140000000-0x0000000140146000-memory.dmp

Download
memory/916-149-0x0000000000000000-mapping.dmp

Download
memory/916-158-0x0000023FEF2D0000-0x0000023FEF2D2000-memory.dmp

Download
memory/916-157-0x0000023FEF2D0000-0x0000023FEF2D2000-memory.dmp

Download
memory/3024-128-0x0000000140000000-0x0000000140145000-memory.dmp

Download
memory/3024-144-0x0000000001350000-0x0000000001352000-memory.dmp

Download
memory/3024-145-0x0000000001350000-0x0000000001352000-memory.dmp

Download
memory/3024-146-0x00007FF838C25000-0x00007FF838C26000-memory.dmp

Download
memory/3024-147-0x0000000001350000-0x0000000001352000-memory.dmp

Download
memory/3024-148-0x00007FF838D60000-0x00007FF838D62000-memory.dmp

Download
memory/3024-136-0x0000000140000000-0x0000000140145000-memory.dmp

Download
memory/3024-135-0x0000000140000000-0x0000000140145000-memory.dmp

Download
memory/3024-133-0x0000000140000000-0x0000000140145000-memory.dmp

Download
memory/3024-134-0x0000000140000000-0x0000000140145000-memory.dmp

Download
memory/3024-124-0x0000000001340000-0x0000000001341000-memory.dmp

Download
memory/3024-131-0x0000000140000000-0x0000000140145000-memory.dmp

Download
memory/3024-138-0x0000000140000000-0x0000000140145000-memory.dmp

Download
memory/3024-130-0x0000000140000000-0x0000000140145000-memory.dmp

Download
memory/3024-125-0x0000000140000000-0x0000000140145000-memory.dmp

Download
memory/3024-127-0x0000000140000000-0x0000000140145000-memory.dmp

Download
memory/3024-129-0x0000000140000000-0x0000000140145000-memory.dmp

Download
memory/3024-179-0x0000000001350000-0x0000000001352000-memory.dmp

Download
memory/3024-126-0x0000000140000000-0x0000000140145000-memory.dmp

Download
memory/3024-137-0x0000000140000000-0x0000000140145000-memory.dmp

Download
memory/3024-132-0x0000000140000000-0x0000000140145000-memory.dmp

Download
memory/3348-123-0x000001DAC70E0000-0x000001DAC70E7000-memory.dmp

Download
memory/3348-122-0x000001DAC70F0000-0x000001DAC70F2000-memory.dmp

Download
memory/3348-121-0x000001DAC70F0000-0x000001DAC70F2000-memory.dmp

Download
memory/3348-118-0x0000000140000000-0x0000000140145000-memory.dmp

Download
memory/3944-159-0x0000000000000000-mapping.dmp

Download
memory/3944-167-0x000001E3E1100000-0x000001E3E1102000-memory.dmp

Download
memory/3944-168-0x000001E3E1100000-0x000001E3E1102000-memory.dmp

Download
memory/3944-166-0x000001E3E1100000-0x000001E3E1102000-memory.dmp

Download
memory/3944-163-0x0000000140000000-0x000000014018B000-memory.dmp

Download

a784e2fdd1ab991dc8e8be58fd5d6c8f5c1403f92d49661f29309268738cdd8f

Filter: none

Description

Tags

Description

Tags

Reported IOCs

Reported IOCs

Reported IOCs

Tags

TTPs

Reported IOCs

Tags

TTPs

Reported IOCs

Reported IOCs

Reported IOCs

Reported IOCs

Reported IOCs

Reported IOCs

Title