Analysis

  • max time kernel
    155s
  • max time network
    117s
  • platform
    windows7_x64
  • resource
    win7-en-20211104
  • submitted
    26-11-2021 09:32

General

  • Target

    e3a97ee2fa0ea4dc05340e0778674a93e8c95944c519df7ee5f486c08b1df15a.dll

  • Size

    1.2MB

  • MD5

    ea1bfbc91324c0cbb97f17775e653dab

  • SHA1

    61c6d875774c9cd59ae56e351a291c2cf9e79284

  • SHA256

    e3a97ee2fa0ea4dc05340e0778674a93e8c95944c519df7ee5f486c08b1df15a

  • SHA512

    903a180a93cc7ecd2b6e0fd76fc597456bbd1986d28f63993fc00b57dc47afad779fd05ce734f4070d3b16af08aec5e5da1086aefcf85929ba87c7cd1e27dc75

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 5 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\e3a97ee2fa0ea4dc05340e0778674a93e8c95944c519df7ee5f486c08b1df15a.dll,#1
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    PID:1584
  • C:\Windows\system32\msinfo32.exe
    C:\Windows\system32\msinfo32.exe
    PID:1136
  • C:\Users\Admin\AppData\Local\j302\msinfo32.exe
    C:\Users\Admin\AppData\Local\j302\msinfo32.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    • Suspicious behavior: GetForegroundWindowSpam
    PID:832
  • C:\Windows\system32\sigverif.exe
    C:\Windows\system32\sigverif.exe
    PID:1556
  • C:\Users\Admin\AppData\Local\PtO2FyJx\sigverif.exe
    C:\Users\Admin\AppData\Local\PtO2FyJx\sigverif.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    • Suspicious behavior: GetForegroundWindowSpam
    PID:1680
  • C:\Windows\system32\isoburn.exe
    C:\Windows\system32\isoburn.exe
    PID:1876
  • C:\Users\Admin\AppData\Local\500mgoORR\isoburn.exe
    C:\Users\Admin\AppData\Local\500mgoORR\isoburn.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    • Suspicious behavior: GetForegroundWindowSpam
    PID:1748
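The process list shows the loader's layout: msinfo32.exe, sigverif.exe and isoburn.exe each run once from System32 and once more from a randomly named directory under AppData\Local, and the Downloads section lists a DLL carrying a Windows system DLL name (MFC42u.dll, VERSION.dll, UxTheme.dll) beside each copy. A signed Windows binary copied next to a same-named DLL it resolves from its own directory is the DLL side-loading layout, and the isoburn.exe hash reappearing under Roaming\Adobe\HGv3Hyhc is a second, persistence-style copy. The script below is an added example, not part of the sandbox report: it transcribes the report's process and dropped-file records into Python and flags those three things. SYSTEM32_NAMES is a constructed stand-in for listing the real %SystemRoot%\System32, and drive-less paths in the report are assumed to live on C:.

```python
"""Flag DLL side-loading and persistence copies from a sandbox report.

Added example, not part of the sandbox report. PROCESSES and DROPPED_FILES are
transcribed from the Processes and Downloads sections; SYSTEM32_NAMES is a
constructed stand-in for listing the real %SystemRoot%\\System32 directory.
"""
import ntpath
from collections import defaultdict

# Constructed: in production build this set from os.listdir(r"C:\Windows\System32").
SYSTEM32_NAMES = {"rundll32.exe", "msinfo32.exe", "sigverif.exe", "isoburn.exe"}

# (pid, image path) for every process in the report's tree.
PROCESSES = [
    (1584, r"C:\Windows\system32\rundll32.exe"),
    (1136, r"C:\Windows\system32\msinfo32.exe"),
    (832, r"C:\Users\Admin\AppData\Local\j302\msinfo32.exe"),
    (1556, r"C:\Windows\system32\sigverif.exe"),
    (1680, r"C:\Users\Admin\AppData\Local\PtO2FyJx\sigverif.exe"),
    (1876, r"C:\Windows\system32\isoburn.exe"),
    (1748, r"C:\Users\Admin\AppData\Local\500mgoORR\isoburn.exe"),
]

ISOBURN_SHA256 = "50dcb4be409f50d26c0fc32dd9cdbf96bff4e19bf624221cb566ebeb3e09ce1a"

# (path, sha256) as the report lists them, including one drive-less duplicate
# and the copy under Roaming\Adobe that shares isoburn.exe's hash.
DROPPED_FILES = [
    (r"C:\Users\Admin\AppData\Local\500mgoORR\UxTheme.dll",
     "6be941aaf599e654ceae81b8f1b5943c9c67cfcb947ae202abf51ec8a151c503"),
    (r"C:\Users\Admin\AppData\Local\500mgoORR\isoburn.exe", ISOBURN_SHA256),
    (r"C:\Users\Admin\AppData\Local\PtO2FyJx\VERSION.dll",
     "c84532e2c149c18a6c806f6dc72911a0468852c5684a58ec6d4f3b75c797f0d8"),
    (r"C:\Users\Admin\AppData\Local\PtO2FyJx\sigverif.exe",
     "9e107fd99892d08b15c223ac17c49af75a4cbca41b5e939bb91c9dca9f0d0bec"),
    (r"C:\Users\Admin\AppData\Local\j302\MFC42u.dll",
     "a1659e9531faf1bf6a64f2bf8e150eeff39582af74ed2b6e477ad1861387fbe8"),
    (r"C:\Users\Admin\AppData\Local\j302\msinfo32.exe",
     "76e959dd7db31726c040d46cfa86b681479967aea36db5f625e80bd36422e8ae"),
    (r"\Users\Admin\AppData\Local\500mgoORR\isoburn.exe", ISOBURN_SHA256),
    (r"\Users\Admin\AppData\Roaming\Adobe\HGv3Hyhc\isoburn.exe", ISOBURN_SHA256),
]


def normalize(path):
    """Lower-case the path and give drive-less report paths a drive (assumed C:)."""
    p = path.strip().lower()
    if p.startswith("\\") and not p.startswith("\\\\"):
        p = "c:" + p
    return p


def masquerading_processes(processes=PROCESSES):
    """PIDs whose image has a System32 binary name but runs from outside the Windows directory."""
    hits = []
    for pid, image in processes:
        norm = normalize(image)
        if ntpath.basename(norm) in SYSTEM32_NAMES and not norm.startswith("c:\\windows\\"):
            hits.append(pid)
    return hits


def side_load_candidates(processes=PROCESSES, files=DROPPED_FILES):
    """For each masquerading process, the DLLs dropped into its own directory."""
    dlls_by_dir = defaultdict(set)
    for path, _ in files:
        norm = normalize(path)
        if norm.endswith(".dll"):
            dlls_by_dir[ntpath.dirname(norm)].add(ntpath.basename(path))
    flagged = set(masquerading_processes(processes))
    return {pid: sorted(dlls_by_dir.get(ntpath.dirname(normalize(image)), ()))
            for pid, image in processes if pid in flagged}


def copies_by_hash(files=DROPPED_FILES):
    """Hashes present at more than one distinct path, e.g. a persistence copy."""
    paths = defaultdict(set)
    for path, sha in files:
        paths[sha].add(normalize(path))
    return {sha: sorted(p) for sha, p in paths.items() if len(p) > 1}


if __name__ == "__main__":
    for pid, dlls in side_load_candidates().items():
        print(f"pid {pid}: System32-named binary outside the Windows dir, DLLs beside it: {dlls}")
    for sha, paths in copies_by_hash().items():
        print(f"{sha[:12]}... present at {len(paths)} paths: {paths}")
```

To run this against live telemetry, feed PROCESSES from process-creation events (Sysmon event ID 1 or Security 4688 image paths) and DROPPED_FILES from file-write events with hashes; the same three checks correspond to the report's "Executes dropped EXE", "Loads dropped DLL" and the Roaming\Adobe copy.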

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence (1): Registry Run Keys / Startup Folder, T1060
  • Defense Evasion (1): Modify Registry, T1112
  • Discovery (1): System Information Discovery, T1082

Downloads

        • C:\Users\Admin\AppData\Local\500mgoORR\UxTheme.dll
          MD5

          d1a004ace8c91eaac73f278f55be0177

          SHA1

          a7b600740639b055e7d26c82fe2a7295bc5fae43

          SHA256

          6be941aaf599e654ceae81b8f1b5943c9c67cfcb947ae202abf51ec8a151c503

          SHA512

          5a057ac65c494074771459aecd19e15b59849e3c88ab061871a92a8871ea95bcf402b3a25a5719694528e9b2dc4f375df246e569487e345cb8b49e7cf452cdd9

        • C:\Users\Admin\AppData\Local\500mgoORR\isoburn.exe
          MD5

          f8051f06e1c4aa3f2efe4402af5919b1

          SHA1

          bbcf3711501dfb22b04b1a6f356d95a6d5998790

          SHA256

          50dcb4be409f50d26c0fc32dd9cdbf96bff4e19bf624221cb566ebeb3e09ce1a

          SHA512

          5f664d937abe4426ee7e0d8491a395f9ef4ffe7a51dba05b54b7ba27e80c9be37833400911c5878d3dec659f4fa1579ec8ba4cfc485fb2ce24dd37c321006daa

        • C:\Users\Admin\AppData\Local\PtO2FyJx\VERSION.dll
          MD5

          c3c7844fe4c031e816242e1fb0cd7531

          SHA1

          8b2c95caf1aac7d4735353401b6f1704b2db3166

          SHA256

          c84532e2c149c18a6c806f6dc72911a0468852c5684a58ec6d4f3b75c797f0d8

          SHA512

          36152dd0e9f4bdbc0b2cd18cca79cd98c9cfe0e130378bc3a42c6200792d68e7f9e66b994bf07425eba163bf5e6ff276974dbaecb74c1a3804c05bec3f16d1b1

        • C:\Users\Admin\AppData\Local\PtO2FyJx\sigverif.exe
          MD5

          e8e95ae5534553fc055051cee99a7f55

          SHA1

          4e0f668849fd546edd083d5981ed685d02a68df4

          SHA256

          9e107fd99892d08b15c223ac17c49af75a4cbca41b5e939bb91c9dca9f0d0bec

          SHA512

          5d3c32d136a264b6d2cfba4602e4d8f75e55ba0e199e0e81d7a515c34d8b9237db29647c10ab79081173010ff8e2c6a59b652c0a9cfa796433aed2d200f02da6

        • C:\Users\Admin\AppData\Local\j302\MFC42u.dll
          MD5

          224dccf67d219ae76d727b0cf7725d32

          SHA1

          922a210ba35f528433e9cd0dfcfee64dd256162f

          SHA256

          a1659e9531faf1bf6a64f2bf8e150eeff39582af74ed2b6e477ad1861387fbe8

          SHA512

          cca1f29aa30178becf3c2fa9ce42e6029d0277f2fd15a6f20e0a7eccab07df0189dc63b475358f1428facbb91b6cc0ecb0ffa17da248383b540e98f1861eb4b4

        • C:\Users\Admin\AppData\Local\j302\msinfo32.exe
          MD5

          d291620d4c51c5f5ffa62ccdc52c5c13

          SHA1

          2081c97f15b1c2a2eadce366baf3c510da553cc7

          SHA256

          76e959dd7db31726c040d46cfa86b681479967aea36db5f625e80bd36422e8ae

          SHA512

          75f9bcce4c596dae1f4d78e13d9d53b0c31988d2170c3d9f5db352b8c8a1c8ca58f4a002b30a4b328b8f4769008b750b8a1c9fda44a582e11c3adc38345c334b

        • \Users\Admin\AppData\Local\500mgoORR\UxTheme.dll
          MD5

          d1a004ace8c91eaac73f278f55be0177

          SHA1

          a7b600740639b055e7d26c82fe2a7295bc5fae43

          SHA256

          6be941aaf599e654ceae81b8f1b5943c9c67cfcb947ae202abf51ec8a151c503

          SHA512

          5a057ac65c494074771459aecd19e15b59849e3c88ab061871a92a8871ea95bcf402b3a25a5719694528e9b2dc4f375df246e569487e345cb8b49e7cf452cdd9

        • \Users\Admin\AppData\Local\500mgoORR\isoburn.exe
          MD5

          f8051f06e1c4aa3f2efe4402af5919b1

          SHA1

          bbcf3711501dfb22b04b1a6f356d95a6d5998790

          SHA256

          50dcb4be409f50d26c0fc32dd9cdbf96bff4e19bf624221cb566ebeb3e09ce1a

          SHA512

          5f664d937abe4426ee7e0d8491a395f9ef4ffe7a51dba05b54b7ba27e80c9be37833400911c5878d3dec659f4fa1579ec8ba4cfc485fb2ce24dd37c321006daa

        • \Users\Admin\AppData\Local\PtO2FyJx\VERSION.dll
          MD5

          c3c7844fe4c031e816242e1fb0cd7531

          SHA1

          8b2c95caf1aac7d4735353401b6f1704b2db3166

          SHA256

          c84532e2c149c18a6c806f6dc72911a0468852c5684a58ec6d4f3b75c797f0d8

          SHA512

          36152dd0e9f4bdbc0b2cd18cca79cd98c9cfe0e130378bc3a42c6200792d68e7f9e66b994bf07425eba163bf5e6ff276974dbaecb74c1a3804c05bec3f16d1b1

        • \Users\Admin\AppData\Local\PtO2FyJx\sigverif.exe
          MD5

          e8e95ae5534553fc055051cee99a7f55

          SHA1

          4e0f668849fd546edd083d5981ed685d02a68df4

          SHA256

          9e107fd99892d08b15c223ac17c49af75a4cbca41b5e939bb91c9dca9f0d0bec

          SHA512

          5d3c32d136a264b6d2cfba4602e4d8f75e55ba0e199e0e81d7a515c34d8b9237db29647c10ab79081173010ff8e2c6a59b652c0a9cfa796433aed2d200f02da6

        • \Users\Admin\AppData\Local\j302\MFC42u.dll
          MD5

          224dccf67d219ae76d727b0cf7725d32

          SHA1

          922a210ba35f528433e9cd0dfcfee64dd256162f

          SHA256

          a1659e9531faf1bf6a64f2bf8e150eeff39582af74ed2b6e477ad1861387fbe8

          SHA512

          cca1f29aa30178becf3c2fa9ce42e6029d0277f2fd15a6f20e0a7eccab07df0189dc63b475358f1428facbb91b6cc0ecb0ffa17da248383b540e98f1861eb4b4

        • \Users\Admin\AppData\Local\j302\msinfo32.exe
          MD5

          d291620d4c51c5f5ffa62ccdc52c5c13

          SHA1

          2081c97f15b1c2a2eadce366baf3c510da553cc7

          SHA256

          76e959dd7db31726c040d46cfa86b681479967aea36db5f625e80bd36422e8ae

          SHA512

          75f9bcce4c596dae1f4d78e13d9d53b0c31988d2170c3d9f5db352b8c8a1c8ca58f4a002b30a4b328b8f4769008b750b8a1c9fda44a582e11c3adc38345c334b

        • \Users\Admin\AppData\Roaming\Adobe\HGv3Hyhc\isoburn.exe
          MD5

          f8051f06e1c4aa3f2efe4402af5919b1

          SHA1

          bbcf3711501dfb22b04b1a6f356d95a6d5998790

          SHA256

          50dcb4be409f50d26c0fc32dd9cdbf96bff4e19bf624221cb566ebeb3e09ce1a

          SHA512

          5f664d937abe4426ee7e0d8491a395f9ef4ffe7a51dba05b54b7ba27e80c9be37833400911c5878d3dec659f4fa1579ec8ba4cfc485fb2ce24dd37c321006daa

        • memory/832-92-0x0000000140000000-0x0000000140134000-memory.dmp
          Filesize

          1.2MB

        • memory/832-91-0x000007FEFBBE1000-0x000007FEFBBE3000-memory.dmp
          Filesize

          8KB

        • memory/832-87-0x0000000000000000-mapping.dmp
        • memory/1212-69-0x0000000140000000-0x000000014012D000-memory.dmp
          Filesize

          1.2MB

        • memory/1212-68-0x0000000140000000-0x000000014012D000-memory.dmp
          Filesize

          1.2MB

        • memory/1212-71-0x0000000140000000-0x000000014012D000-memory.dmp
          Filesize

          1.2MB

        • memory/1212-79-0x0000000140000000-0x000000014012D000-memory.dmp
          Filesize

          1.2MB

        • memory/1212-78-0x0000000140000000-0x000000014012D000-memory.dmp
          Filesize

          1.2MB

        • memory/1212-77-0x0000000140000000-0x000000014012D000-memory.dmp
          Filesize

          1.2MB

        • memory/1212-76-0x0000000140000000-0x000000014012D000-memory.dmp
          Filesize

          1.2MB

        • memory/1212-85-0x0000000077370000-0x0000000077372000-memory.dmp
          Filesize

          8KB

        • memory/1212-73-0x0000000140000000-0x000000014012D000-memory.dmp
          Filesize

          1.2MB

        • memory/1212-74-0x0000000140000000-0x000000014012D000-memory.dmp
          Filesize

          1.2MB

        • memory/1212-75-0x0000000140000000-0x000000014012D000-memory.dmp
          Filesize

          1.2MB

        • memory/1212-70-0x0000000140000000-0x000000014012D000-memory.dmp
          Filesize

          1.2MB

        • memory/1212-67-0x0000000140000000-0x000000014012D000-memory.dmp
          Filesize

          1.2MB

        • memory/1212-72-0x0000000140000000-0x000000014012D000-memory.dmp
          Filesize

          1.2MB

        • memory/1212-59-0x0000000002990000-0x0000000002991000-memory.dmp
          Filesize

          4KB

        • memory/1212-66-0x0000000140000000-0x000000014012D000-memory.dmp
          Filesize

          1.2MB

        • memory/1212-60-0x0000000140000000-0x000000014012D000-memory.dmp
          Filesize

          1.2MB

        • memory/1212-65-0x0000000140000000-0x000000014012D000-memory.dmp
          Filesize

          1.2MB

        • memory/1212-63-0x0000000140000000-0x000000014012D000-memory.dmp
          Filesize

          1.2MB

        • memory/1212-64-0x0000000140000000-0x000000014012D000-memory.dmp
          Filesize

          1.2MB

        • memory/1212-61-0x0000000140000000-0x000000014012D000-memory.dmp
          Filesize

          1.2MB

        • memory/1212-62-0x0000000140000000-0x000000014012D000-memory.dmp
          Filesize

          1.2MB

        • memory/1584-55-0x0000000140000000-0x000000014012D000-memory.dmp
          Filesize

          1.2MB

        • memory/1584-58-0x0000000000090000-0x0000000000097000-memory.dmp
          Filesize

          28KB

        • memory/1680-101-0x0000000140000000-0x000000014012E000-memory.dmp
          Filesize

          1.2MB

        • memory/1680-96-0x0000000000000000-mapping.dmp
        • memory/1748-105-0x0000000000000000-mapping.dmp
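Each dump name above encodes the PID, a sequence number and the start and end address of the dumped region, so the region size follows from the name alone (0x140134000 minus 0x140000000 is 0x134000 bytes, the 1.2MB the report prints). Two details matter for triage: every process that holds the payload holds it at the same base, 0x140000000, and PID 1212 holds such a region although it never appears in the Processes section, which is what the "Dridex Shellcode" signature (payload injected into Explorer) describes. The script below is an added example, not part of the report: it parses a constructed subset of the dump names listed here, recovers the sizes, collapses repeated dumps of the same range, and lists payload-holding PIDs that the process tree does not account for. Whether 1212 is explorer.exe is not stated on this page, and the script only reports the PID.

```python
"""Recover region sizes from sandbox memory-dump names and spot injection targets.

Added example, not part of the sandbox report. DUMP_ENTRIES is a constructed
subset of the dump names in the report; TREE_PIDS are the PIDs from its
Processes section.
"""
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

DUMP_ENTRIES = [
    "memory/832-92-0x0000000140000000-0x0000000140134000-memory.dmp",
    "memory/832-91-0x000007FEFBBE1000-0x000007FEFBBE3000-memory.dmp",
    "memory/832-87-0x0000000000000000-mapping.dmp",
    "memory/1212-69-0x0000000140000000-0x000000014012D000-memory.dmp",
    "memory/1212-68-0x0000000140000000-0x000000014012D000-memory.dmp",
    "memory/1212-85-0x0000000077370000-0x0000000077372000-memory.dmp",
    "memory/1212-59-0x0000000002990000-0x0000000002991000-memory.dmp",
    "memory/1584-55-0x0000000140000000-0x000000014012D000-memory.dmp",
    "memory/1584-58-0x0000000000090000-0x0000000000097000-memory.dmp",
    "memory/1680-101-0x0000000140000000-0x000000014012E000-memory.dmp",
    "memory/1748-105-0x0000000000000000-mapping.dmp",
]
TREE_PIDS = {1584, 1136, 832, 1556, 1680, 1876, 1748}

PAYLOAD_BASE = 0x140000000   # base at which every payload-holding process maps the image
PAYLOAD_MIN_SIZE = 1 << 20   # the sample is 1.2MB; anything >= 1 MiB at that base counts


def parse_dump(name):
    """Return (pid, seq, start, end) for a region dump, or None for '-mapping.dmp' entries."""
    m = DUMP_RE.match(name)
    if not m:
        return None
    return int(m["pid"]), int(m["seq"]), int(m["start"], 16), int(m["end"], 16)


def region_size(name):
    parsed = parse_dump(name)
    return parsed[3] - parsed[2] if parsed else 0


def human_size(n):
    """Format the way the report does: one decimal in MB above 1 MiB, whole KB below."""
    if n >= 1 << 20:
        return f"{n / (1 << 20):.1f}MB"
    return f"{n // 1024}KB"


def regions_by_pid(entries=DUMP_ENTRIES):
    """Map pid -> sorted unique (start, size); repeated dumps of one range collapse."""
    regions = defaultdict(set)
    for name in entries:
        parsed = parse_dump(name)
        if parsed:
            pid, _, start, end = parsed
            regions[pid].add((start, end - start))
    return {pid: sorted(r) for pid, r in regions.items()}


def payload_holders(entries=DUMP_ENTRIES):
    """PIDs with a payload-sized region at PAYLOAD_BASE."""
    return sorted(pid for pid, regs in regions_by_pid(entries).items()
                  if any(s == PAYLOAD_BASE and size >= PAYLOAD_MIN_SIZE for s, size in regs))


def injected_candidates(entries=DUMP_ENTRIES, tree_pids=TREE_PIDS):
    """Payload holders the sandbox never saw being spawned: likely injection targets."""
    return [pid for pid in payload_holders(entries) if pid not in tree_pids]


if __name__ == "__main__":
    for pid, regs in sorted(regions_by_pid().items()):
        for start, size in regs:
            print(f"pid {pid}: 0x{start:016X} {human_size(size):>6}")
    print("payload holders:", payload_holders())
    print("not in process tree:", injected_candidates())
```

The same cross-check applies to any sandbox that names dumps by address range: a region the size of the submitted file, at the same base in several processes, in a PID the tree never created, is the injection target to pull and scan first.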