55eddcd9ad0a30bea19917fb692268f64d0368b82bdd21f978f1ce2232091087

max time kernel154s
max time network122s
platformwindows7_x64
resourcewin7-en-20211104
submitted26-11-2021 09:32

Report
Files
Registry
Network
Processes
Mutex
Misc

Target

55eddcd9ad0a30bea19917fb692268f64d0368b82bdd21f978f1ce2232091087.dll

Filesize

1MB

Completed

26-11-2021 09:35

Score

10^/10

MD5

41ed518bacab22ba8da8b7c5f15ba859

SHA1

1b2212ed3d9261d2517f1239bf1ef19c71e1430f

SHA256

55eddcd9ad0a30bea19917fb692268f64d0368b82bdd21f978f1ce2232091087

Defense Evasion

Discovery

Persistence

Dridex

Description

Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

Tags

botnet dridex
Dridex Shellcode

Description

Detects Dridex Payload shellcode injected in Explorer process.

Tags

botnet payload

Reported IOCs

resource yara_rule

behavioral1/memory/1260-60-0x0000000002BA0000-0x0000000002BA1000-memory.dmp dridex_stager_shellcode
Executes dropped EXE
cttune.exeNetplwiz.exeperfmon.exe

Reported IOCs

pid process

1384 cttune.exe
1780 Netplwiz.exe
1736 perfmon.exe
Loads dropped DLL
cttune.exeNetplwiz.exeperfmon.exe

Reported IOCs

pid process

1260
1384 cttune.exe
1260
1780 Netplwiz.exe
1260
1736 perfmon.exe
1260

resource	yara_rule
behavioral1/memory/1260-60-0x0000000002BA0000-0x0000000002BA1000-memory.dmp	dridex_stager_shellcode

pid	process
1384	cttune.exe
1780	Netplwiz.exe
1736	perfmon.exe

pid	process
1260
1384	cttune.exe
1260
1780	Netplwiz.exe
1260
1736	perfmon.exe
1260

Adds Run key to start application

TTPs

Registry Run Keys / Startup FolderModify Registry

Reported IOCs

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Windows\CurrentVersion\Run\Myzdcwow = "C:\\Users\\Admin\\AppData\\Roaming\\MEDIAC~1\\wrGT\\Netplwiz.exe"

Checks whether UAC is enabled

rundll32.execttune.exeNetplwiz.exeperfmon.exe

TTPs

System Information Discovery

Reported IOCs

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cttune.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Netplwiz.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	perfmon.exe

Suspicious behavior: EnumeratesProcesses

rundll32.execttune.exeNetplwiz.exe

Reported IOCs

pid	process
1084	rundll32.exe
1084	rundll32.exe
1084	rundll32.exe
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1384	cttune.exe
1384	cttune.exe
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1780	Netplwiz.exe
1780	Netplwiz.exe
1260
1260
1260
1260

Suspicious behavior: GetForegroundWindowSpam

Reported IOCs

pid process

1260

pid	process
1260

Suspicious use of WriteProcessMemory

Reported IOCs

description	pid	target process
PID 1260 wrote to memory of 1140	1260	cttune.exe
PID 1260 wrote to memory of 1140	1260	cttune.exe
PID 1260 wrote to memory of 1140	1260	cttune.exe
PID 1260 wrote to memory of 1384	1260	cttune.exe
PID 1260 wrote to memory of 1384	1260	cttune.exe
PID 1260 wrote to memory of 1384	1260	cttune.exe
PID 1260 wrote to memory of 1784	1260	Netplwiz.exe
PID 1260 wrote to memory of 1784	1260	Netplwiz.exe
PID 1260 wrote to memory of 1784	1260	Netplwiz.exe
PID 1260 wrote to memory of 1780	1260	Netplwiz.exe
PID 1260 wrote to memory of 1780	1260	Netplwiz.exe
PID 1260 wrote to memory of 1780	1260	Netplwiz.exe
PID 1260 wrote to memory of 1712	1260	perfmon.exe
PID 1260 wrote to memory of 1712	1260	perfmon.exe
PID 1260 wrote to memory of 1712	1260	perfmon.exe
PID 1260 wrote to memory of 1736	1260	perfmon.exe
PID 1260 wrote to memory of 1736	1260	perfmon.exe
PID 1260 wrote to memory of 1736	1260	perfmon.exe

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\55eddcd9ad0a30bea19917fb692268f64d0368b82bdd21f978f1ce2232091087.dll,#1

Checks whether UAC is enabled
Suspicious behavior: EnumeratesProcesses

PID:1084

C:\Windows\system32\cttune.exe

C:\Windows\system32\cttune.exe

PID:1140

C:\Users\Admin\AppData\Local\kTze3UMA\cttune.exe

C:\Users\Admin\AppData\Local\kTze3UMA\cttune.exe

Executes dropped EXE
Loads dropped DLL
Checks whether UAC is enabled
Suspicious behavior: EnumeratesProcesses

PID:1384

C:\Windows\system32\Netplwiz.exe

C:\Windows\system32\Netplwiz.exe

PID:1784

C:\Users\Admin\AppData\Local\46Qn\Netplwiz.exe

C:\Users\Admin\AppData\Local\46Qn\Netplwiz.exe

Executes dropped EXE
Loads dropped DLL
Checks whether UAC is enabled
Suspicious behavior: EnumeratesProcesses

PID:1780

C:\Windows\system32\perfmon.exe

C:\Windows\system32\perfmon.exe

PID:1712

C:\Users\Admin\AppData\Local\OoGw8S\perfmon.exe

C:\Users\Admin\AppData\Local\OoGw8S\perfmon.exe

Executes dropped EXE
Loads dropped DLL
Checks whether UAC is enabled

PID:1736

Collection

Command and Control

Credential Access

Defense Evasion

Modify Registry

Discovery

System Information Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

00:00 00:00

C:\Users\Admin\AppData\Local\46Qn\NETPLWIZ.dll
MD5
c51d08517ac8192e22b805f4829c3e39

SHA1
22615b0d278457543b54f098ea58f288dd396053

SHA256
1799e90234911d1daf1ee5a598e4b9ac9a65899eb9632be7a36b8e550f8c8bf6

SHA512
59bdeefb2e954a0c5763da4488b4cc7d7a6df25c34886af980098ddf64834b3cd69872c35b10b0e2c4bfb8147310e3cfed7b20226558c9fcafa471a46f06f11f

Download Submit
C:\Users\Admin\AppData\Local\46Qn\Netplwiz.exe
MD5
e43ec3c800d4c0716613392e81fba1d9

SHA1
37de6a235e978ecf3bb0fc2c864016c5b0134348

SHA256
636606415a85a16a7e6c5c8fcbdf35494991bce1c37dfc19c75ecb7ce12dc65c

SHA512
176c6d8b87bc5a9ca06698e2542ff34d474bcbbf21278390127981366eda89769bd9dd712f3b34f4dd8332a0b40ee0e609276400f16b51999471c8ff24522a08

Download Submit
C:\Users\Admin\AppData\Local\OoGw8S\credui.dll
MD5
8486d4d3a5767cfd47281a0ad0805bbd

SHA1
936a368b8f091056a60c2101a1a433d99b87845e

SHA256
3c4c23fadc0a9ddedc4daf1e0e0983f84b3415a701ce21abc3ad1b523a102606

SHA512
b249435c1bef91d8fcddea06ab3e81d7b35b8ada2e858b1ee7fc1677d2230641777c614f5085f393a8bc32edec11aae57353b361d1fb1d8a6e73ce8928abdff2

Download Submit
C:\Users\Admin\AppData\Local\OoGw8S\perfmon.exe
MD5
3eb98cff1c242167df5fdbc6441ce3c5

SHA1
730b27a1c92e8df1e60db5a6fc69ea1b24f68a69

SHA256
6d8d5a244bb5a23c95653853fec3d04d2bdd2df5cff8cffb9848bddeb6adb081

SHA512
f42be2a52d97fd1db2ed5a1a1a81a186a0aab41204980a103df33a4190632ba03f3cbb88fcea8da7ed9a5e15f60732d49a924b025fe6d3e623195ec1d37dfb35

Download Submit
C:\Users\Admin\AppData\Local\kTze3UMA\UxTheme.dll
MD5
73a742b384fb960f9a04e3ca514fe51e

SHA1
68446941eea75e9c75dd1cae88e98b3a571e2d47

SHA256
3f7745f2b3e7d93d6d5538f5906bdbe3236e01627c8b52b884177685855cbb07

SHA512
b6bc4e18f891492a303cb23fd14f347d0b348ba927433590d25d9cc7ded436869edaf7674295ef0ebf1876e49c48970fe1ccf79ea2eacec7fdc9649fdc3897ad

Download Submit
C:\Users\Admin\AppData\Local\kTze3UMA\cttune.exe
MD5
7116848fd23e6195fcbbccdf83ce9af4

SHA1
35fb16a0b68f8a84d5dfac8c110ef5972f1bee93

SHA256
39937665f72725bdb3b82389a5dbd906c63f4c14208312d7f7a59d6067e1cfa6

SHA512
e38bf57eee5836b8598dd88dc3d266f497d911419a8426f73df6dcaa503611a965aabbd746181cb19bc38eebdb48db778a17f781a8f9e706cbd7a6ebec38f894

Download Submit
\Users\Admin\AppData\Local\46Qn\NETPLWIZ.dll
MD5
c51d08517ac8192e22b805f4829c3e39

SHA1
22615b0d278457543b54f098ea58f288dd396053

SHA256
1799e90234911d1daf1ee5a598e4b9ac9a65899eb9632be7a36b8e550f8c8bf6

SHA512
59bdeefb2e954a0c5763da4488b4cc7d7a6df25c34886af980098ddf64834b3cd69872c35b10b0e2c4bfb8147310e3cfed7b20226558c9fcafa471a46f06f11f

Download Submit
\Users\Admin\AppData\Local\46Qn\Netplwiz.exe
MD5
e43ec3c800d4c0716613392e81fba1d9

SHA1
37de6a235e978ecf3bb0fc2c864016c5b0134348

SHA256
636606415a85a16a7e6c5c8fcbdf35494991bce1c37dfc19c75ecb7ce12dc65c

SHA512
176c6d8b87bc5a9ca06698e2542ff34d474bcbbf21278390127981366eda89769bd9dd712f3b34f4dd8332a0b40ee0e609276400f16b51999471c8ff24522a08

Download Submit
\Users\Admin\AppData\Local\OoGw8S\credui.dll
MD5
8486d4d3a5767cfd47281a0ad0805bbd

SHA1
936a368b8f091056a60c2101a1a433d99b87845e

SHA256
3c4c23fadc0a9ddedc4daf1e0e0983f84b3415a701ce21abc3ad1b523a102606

SHA512
b249435c1bef91d8fcddea06ab3e81d7b35b8ada2e858b1ee7fc1677d2230641777c614f5085f393a8bc32edec11aae57353b361d1fb1d8a6e73ce8928abdff2

Download Submit
\Users\Admin\AppData\Local\OoGw8S\perfmon.exe
MD5
3eb98cff1c242167df5fdbc6441ce3c5

SHA1
730b27a1c92e8df1e60db5a6fc69ea1b24f68a69

SHA256
6d8d5a244bb5a23c95653853fec3d04d2bdd2df5cff8cffb9848bddeb6adb081

SHA512
f42be2a52d97fd1db2ed5a1a1a81a186a0aab41204980a103df33a4190632ba03f3cbb88fcea8da7ed9a5e15f60732d49a924b025fe6d3e623195ec1d37dfb35

Download Submit
\Users\Admin\AppData\Local\kTze3UMA\UxTheme.dll
MD5
73a742b384fb960f9a04e3ca514fe51e

SHA1
68446941eea75e9c75dd1cae88e98b3a571e2d47

SHA256
3f7745f2b3e7d93d6d5538f5906bdbe3236e01627c8b52b884177685855cbb07

SHA512
b6bc4e18f891492a303cb23fd14f347d0b348ba927433590d25d9cc7ded436869edaf7674295ef0ebf1876e49c48970fe1ccf79ea2eacec7fdc9649fdc3897ad

Download Submit
\Users\Admin\AppData\Local\kTze3UMA\cttune.exe
MD5
7116848fd23e6195fcbbccdf83ce9af4

SHA1
35fb16a0b68f8a84d5dfac8c110ef5972f1bee93

SHA256
39937665f72725bdb3b82389a5dbd906c63f4c14208312d7f7a59d6067e1cfa6

SHA512
e38bf57eee5836b8598dd88dc3d266f497d911419a8426f73df6dcaa503611a965aabbd746181cb19bc38eebdb48db778a17f781a8f9e706cbd7a6ebec38f894

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\zpsecRb\perfmon.exe
MD5
3eb98cff1c242167df5fdbc6441ce3c5

SHA1
730b27a1c92e8df1e60db5a6fc69ea1b24f68a69

SHA256
6d8d5a244bb5a23c95653853fec3d04d2bdd2df5cff8cffb9848bddeb6adb081

SHA512
f42be2a52d97fd1db2ed5a1a1a81a186a0aab41204980a103df33a4190632ba03f3cbb88fcea8da7ed9a5e15f60732d49a924b025fe6d3e623195ec1d37dfb35

Download Submit
memory/1084-55-0x000007FEF6B30000-0x000007FEF6C5C000-memory.dmp

Download
memory/1084-59-0x0000000000180000-0x0000000000187000-memory.dmp

Download
memory/1260-65-0x0000000140000000-0x000000014012C000-memory.dmp

Download
memory/1260-64-0x0000000140000000-0x000000014012C000-memory.dmp

Download
memory/1260-73-0x0000000140000000-0x000000014012C000-memory.dmp

Download
memory/1260-76-0x0000000140000000-0x000000014012C000-memory.dmp

Download
memory/1260-77-0x0000000140000000-0x000000014012C000-memory.dmp

Download
memory/1260-78-0x0000000140000000-0x000000014012C000-memory.dmp

Download
memory/1260-72-0x0000000140000000-0x000000014012C000-memory.dmp

Download
memory/1260-80-0x0000000140000000-0x000000014012C000-memory.dmp

Download
memory/1260-85-0x0000000077990000-0x0000000077992000-memory.dmp

Download
memory/1260-71-0x0000000140000000-0x000000014012C000-memory.dmp

Download
memory/1260-70-0x0000000140000000-0x000000014012C000-memory.dmp

Download
memory/1260-79-0x0000000140000000-0x000000014012C000-memory.dmp

Download
memory/1260-62-0x0000000140000000-0x000000014012C000-memory.dmp

Download
memory/1260-61-0x0000000140000000-0x000000014012C000-memory.dmp

Download
memory/1260-68-0x0000000140000000-0x000000014012C000-memory.dmp

Download
memory/1260-60-0x0000000002BA0000-0x0000000002BA1000-memory.dmp

Download
memory/1260-69-0x0000000140000000-0x000000014012C000-memory.dmp

Download
memory/1260-67-0x0000000140000000-0x000000014012C000-memory.dmp

Download
memory/1260-66-0x0000000140000000-0x000000014012C000-memory.dmp

Download
memory/1260-75-0x0000000140000000-0x000000014012C000-memory.dmp

Download
memory/1260-63-0x0000000140000000-0x000000014012C000-memory.dmp

Download
memory/1260-74-0x0000000140000000-0x000000014012C000-memory.dmp

Download
memory/1384-92-0x000007FEF6D80000-0x000007FEF6EAD000-memory.dmp

Download
memory/1384-91-0x000007FEFC061000-0x000007FEFC063000-memory.dmp

Download
memory/1384-87-0x0000000000000000-mapping.dmp

Download
memory/1736-106-0x0000000000000000-mapping.dmp

Download
memory/1780-101-0x000007FEF6B30000-0x000007FEF6C5D000-memory.dmp

Download
memory/1780-97-0x0000000000000000-mapping.dmp

Download

55eddcd9ad0a30bea19917fb692268f64d0368b82bdd21f978f1ce2232091087

Filter: none

Description

Tags

Description

Tags

Reported IOCs

Reported IOCs

Reported IOCs

Tags

TTPs

Reported IOCs

Tags

TTPs

Reported IOCs

Reported IOCs

Reported IOCs

Reported IOCs

Title