55eddcd9ad0a30bea19917fb692268f64d0368b82bdd21f978f1ce2232091087

General

  Target: 55eddcd9ad0a30bea19917fb692268f64d0368b82bdd21f978f1ce2232091087.dll
  Filesize: 1MB
  Completed: 26-11-2021 09:35
  Score: 10/10
  MD5: 41ed518bacab22ba8da8b7c5f15ba859
  SHA1: 1b2212ed3d9261d2517f1239bf1ef19c71e1430f
  SHA256: 55eddcd9ad0a30bea19917fb692268f64d0368b82bdd21f978f1ce2232091087

Signatures 9

  • Dridex

    Description

    Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode

    Description

    Detects Dridex payload shellcode injected into the Explorer process.

    Reported IOCs

    resource: behavioral1/memory/1260-60-0x0000000002BA0000-0x0000000002BA1000-memory.dmp
    yara_rule: dridex_stager_shellcode
  • Executes dropped EXE
    cttune.exe, Netplwiz.exe, perfmon.exe

    Reported IOCs

    pid   process
    1384  cttune.exe
    1780  Netplwiz.exe
    1736  perfmon.exe

  • Loads dropped DLL
    cttune.exe, Netplwiz.exe, perfmon.exe

    Reported IOCs

    pid   process
    1260
    1384  cttune.exe
    1260
    1780  Netplwiz.exe
    1260
    1736  perfmon.exe
    1260
  • Adds Run key to start application

    TTPs

    Registry Run Keys / Startup Folder; Modify Registry

    Reported IOCs

    description: Set value (str)
    ioc: \REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Windows\CurrentVersion\Run\Myzdcwow = "C:\\Users\\Admin\\AppData\\Roaming\\MEDIAC~1\\wrGT\\Netplwiz.exe"
    process: (empty)
  • Checks whether UAC is enabled
    rundll32.exe, cttune.exe, Netplwiz.exe, perfmon.exe

    TTPs

    System Information Discovery

    Reported IOCs

    description        ioc                                                                                    process
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  cttune.exe
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  Netplwiz.exe
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  perfmon.exe
  • Suspicious behavior: EnumeratesProcesses
    rundll32.exe, cttune.exe, Netplwiz.exe

    Reported IOCs

    pid   process
    1084  rundll32.exe
    1260
    1384  cttune.exe
    1780  Netplwiz.exe
  • Suspicious behavior: GetForegroundWindowSpam

    Reported IOCs

    pid   process
    1260
  • Suspicious use of WriteProcessMemory

    Reported IOCs

    description                       pid   process  target process
    PID 1260 wrote to memory of 1140  1260           cttune.exe
    PID 1260 wrote to memory of 1384  1260           cttune.exe
    PID 1260 wrote to memory of 1784  1260           Netplwiz.exe
    PID 1260 wrote to memory of 1780  1260           Netplwiz.exe
    PID 1260 wrote to memory of 1712  1260           perfmon.exe
    PID 1260 wrote to memory of 1736  1260           perfmon.exe
Processes 7

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\55eddcd9ad0a30bea19917fb692268f64d0368b82bdd21f978f1ce2232091087.dll,#1
    Checks whether UAC is enabled
    Suspicious behavior: EnumeratesProcesses
    PID: 1084

  • C:\Windows\system32\cttune.exe
    C:\Windows\system32\cttune.exe
    PID: 1140

  • C:\Users\Admin\AppData\Local\kTze3UMA\cttune.exe
    C:\Users\Admin\AppData\Local\kTze3UMA\cttune.exe
    Executes dropped EXE
    Loads dropped DLL
    Checks whether UAC is enabled
    Suspicious behavior: EnumeratesProcesses
    PID: 1384

  • C:\Windows\system32\Netplwiz.exe
    C:\Windows\system32\Netplwiz.exe
    PID: 1784

  • C:\Users\Admin\AppData\Local\46Qn\Netplwiz.exe
    C:\Users\Admin\AppData\Local\46Qn\Netplwiz.exe
    Executes dropped EXE
    Loads dropped DLL
    Checks whether UAC is enabled
    Suspicious behavior: EnumeratesProcesses
    PID: 1780

  • C:\Windows\system32\perfmon.exe
    C:\Windows\system32\perfmon.exe
    PID: 1712

  • C:\Users\Admin\AppData\Local\OoGw8S\perfmon.exe
    C:\Users\Admin\AppData\Local\OoGw8S\perfmon.exe
    Executes dropped EXE
    Loads dropped DLL
    Checks whether UAC is enabled
    PID: 1736
Downloads

  • C:\Users\Admin\AppData\Local\46Qn\NETPLWIZ.dll
  • C:\Users\Admin\AppData\Local\46Qn\Netplwiz.exe
  • C:\Users\Admin\AppData\Local\OoGw8S\credui.dll
  • C:\Users\Admin\AppData\Local\OoGw8S\perfmon.exe
  • C:\Users\Admin\AppData\Local\kTze3UMA\UxTheme.dll
  • C:\Users\Admin\AppData\Local\kTze3UMA\cttune.exe
  • \Users\Admin\AppData\Local\46Qn\NETPLWIZ.dll
  • \Users\Admin\AppData\Local\46Qn\Netplwiz.exe
  • \Users\Admin\AppData\Local\OoGw8S\credui.dll
  • \Users\Admin\AppData\Local\OoGw8S\perfmon.exe
  • \Users\Admin\AppData\Local\kTze3UMA\UxTheme.dll
  • \Users\Admin\AppData\Local\kTze3UMA\cttune.exe
  • \Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\zpsecRb\perfmon.exe

  • memory/1084-55-0x000007FEF6B30000-0x000007FEF6C5C000-memory.dmp
  • memory/1084-59-0x0000000000180000-0x0000000000187000-memory.dmp
  • memory/1260-65-0x0000000140000000-0x000000014012C000-memory.dmp
  • memory/1260-64-0x0000000140000000-0x000000014012C000-memory.dmp
  • memory/1260-73-0x0000000140000000-0x000000014012C000-memory.dmp
  • memory/1260-76-0x0000000140000000-0x000000014012C000-memory.dmp
  • memory/1260-77-0x0000000140000000-0x000000014012C000-memory.dmp
  • memory/1260-78-0x0000000140000000-0x000000014012C000-memory.dmp
  • memory/1260-72-0x0000000140000000-0x000000014012C000-memory.dmp
  • memory/1260-80-0x0000000140000000-0x000000014012C000-memory.dmp
  • memory/1260-85-0x0000000077990000-0x0000000077992000-memory.dmp
  • memory/1260-71-0x0000000140000000-0x000000014012C000-memory.dmp
  • memory/1260-70-0x0000000140000000-0x000000014012C000-memory.dmp
  • memory/1260-79-0x0000000140000000-0x000000014012C000-memory.dmp
  • memory/1260-62-0x0000000140000000-0x000000014012C000-memory.dmp
  • memory/1260-61-0x0000000140000000-0x000000014012C000-memory.dmp
  • memory/1260-68-0x0000000140000000-0x000000014012C000-memory.dmp
  • memory/1260-60-0x0000000002BA0000-0x0000000002BA1000-memory.dmp
  • memory/1260-69-0x0000000140000000-0x000000014012C000-memory.dmp
  • memory/1260-67-0x0000000140000000-0x000000014012C000-memory.dmp
  • memory/1260-66-0x0000000140000000-0x000000014012C000-memory.dmp
  • memory/1260-75-0x0000000140000000-0x000000014012C000-memory.dmp
  • memory/1260-63-0x0000000140000000-0x000000014012C000-memory.dmp
  • memory/1260-74-0x0000000140000000-0x000000014012C000-memory.dmp
  • memory/1384-92-0x000007FEF6D80000-0x000007FEF6EAD000-memory.dmp
  • memory/1384-91-0x000007FEFC061000-0x000007FEFC063000-memory.dmp
  • memory/1384-87-0x0000000000000000-mapping.dmp
  • memory/1736-106-0x0000000000000000-mapping.dmp
  • memory/1780-101-0x000007FEF6B30000-0x000007FEF6C5D000-memory.dmp
  • memory/1780-97-0x0000000000000000-mapping.dmp