34b87ca49b68d8e9f165cba7fbdd47c091619ea7f81eef67464419367a63e7a6

General
Target:    34b87ca49b68d8e9f165cba7fbdd47c091619ea7f81eef67464419367a63e7a6.dll
Filesize:  1MB
Completed: 26-11-2021 09:35
Score:     10/10
MD5:       4a053f11069bec3a06df7a99d9869728
SHA1:      57eae9d729bd6b6d1f838a3cbbcbd89e8d1bc325
SHA256:    34b87ca49b68d8e9f165cba7fbdd47c091619ea7f81eef67464419367a63e7a6

Malware Config
Signatures 9

  • Dridex

    Description

    Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode

    Description

    Detects Dridex payload shellcode injected into the Explorer process.

    Reported IOCs

    resource   behavioral1/memory/1384-60-0x0000000002690000-0x0000000002691000-memory.dmp
    yara_rule  dridex_stager_shellcode
  • Executes dropped EXE
    DWWIN.EXE, rrinstaller.exe, SnippingTool.exe

    Reported IOCs

    pid   process
    1652  DWWIN.EXE
    1560  rrinstaller.exe
    1780  SnippingTool.exe
  • Loads dropped DLL
    DWWIN.EXE, rrinstaller.exe, SnippingTool.exe

    Reported IOCs

    pid   process
    1384
    1652  DWWIN.EXE
    1384
    1560  rrinstaller.exe
    1384
    1780  SnippingTool.exe
    1384
  • Adds Run key to start application

    TTPs

    Registry Run Keys / Startup Folder; Modify Registry

    Reported IOCs

    description  Set value (str)
    ioc          \REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Windows\CurrentVersion\Run\Myzdcwow = "C:\\Users\\Admin\\AppData\\Roaming\\MACROM~1\\FLASHP~1\\5WD7\\RRINST~1.EXE"
    process
  • Checks whether UAC is enabled
    rundll32.exe, DWWIN.EXE, rrinstaller.exe, SnippingTool.exe

    TTPs

    System Information Discovery

    Reported IOCs

    description        ioc                                                                                    process
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  DWWIN.EXE
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rrinstaller.exe
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  SnippingTool.exe
  • Suspicious behavior: EnumeratesProcesses
    rundll32.exe, DWWIN.EXE, rrinstaller.exe

    Reported IOCs

    pid   process          (consecutive identical rows collapsed; count in parentheses)
    760   rundll32.exe     (3 rows)
    1384                   (28 rows)
    1652  DWWIN.EXE        (2 rows)
    1384                   (23 rows)
    1560  rrinstaller.exe  (2 rows)
    1384                   (6 rows)
  • Suspicious behavior: GetForegroundWindowSpam

    Reported IOCs

    pid   process
    1384
  • Suspicious use of WriteProcessMemory

    Reported IOCs

    description                       pid   process  target process    (consecutive identical rows collapsed; count in parentheses)
    PID 1384 wrote to memory of 1216  1384           DWWIN.EXE         (3 rows)
    PID 1384 wrote to memory of 1652  1384           DWWIN.EXE         (3 rows)
    PID 1384 wrote to memory of 1692  1384           rrinstaller.exe   (3 rows)
    PID 1384 wrote to memory of 1560  1384           rrinstaller.exe   (3 rows)
    PID 1384 wrote to memory of 1504  1384           SnippingTool.exe  (3 rows)
    PID 1384 wrote to memory of 1780  1384           SnippingTool.exe  (3 rows)
Processes 7
  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\34b87ca49b68d8e9f165cba7fbdd47c091619ea7f81eef67464419367a63e7a6.dll,#1
    Checks whether UAC is enabled
    Suspicious behavior: EnumeratesProcesses
    PID:760
  • C:\Windows\system32\DWWIN.EXE
    C:\Windows\system32\DWWIN.EXE
    PID:1216
  • C:\Users\Admin\AppData\Local\AX7\DWWIN.EXE
    C:\Users\Admin\AppData\Local\AX7\DWWIN.EXE
    Executes dropped EXE
    Loads dropped DLL
    Checks whether UAC is enabled
    Suspicious behavior: EnumeratesProcesses
    PID:1652
  • C:\Windows\system32\rrinstaller.exe
    C:\Windows\system32\rrinstaller.exe
    PID:1692
  • C:\Users\Admin\AppData\Local\Fh3\rrinstaller.exe
    C:\Users\Admin\AppData\Local\Fh3\rrinstaller.exe
    Executes dropped EXE
    Loads dropped DLL
    Checks whether UAC is enabled
    Suspicious behavior: EnumeratesProcesses
    PID:1560
  • C:\Windows\system32\SnippingTool.exe
    C:\Windows\system32\SnippingTool.exe
    PID:1504
  • C:\Users\Admin\AppData\Local\tiHBR\SnippingTool.exe
    C:\Users\Admin\AppData\Local\tiHBR\SnippingTool.exe
    Executes dropped EXE
    Loads dropped DLL
    Checks whether UAC is enabled
    PID:1780
Network
MITRE ATT&CK Matrix
Tactic columns: Collection, Command and Control, Credential Access, Defense Evasion, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Privilege Escalation
Downloads
  • C:\Users\Admin\AppData\Local\AX7\DWWIN.EXE
    MD5     25247e3c4e7a7a73baeea6c0008952b1
    SHA1    8087adb7a71a696139ddc5c5abc1a84f817ab688
    SHA256  c740497a7e58f7678e25b68b03573b4136a364464ee97c02ce5e0fe00cec7050
    SHA512  bc27946894e7775f772ac882740430c8b9d3f37a573e2524207f7bb32f44d4a227cb1e9a555e118d68af7f1e129abd2ac5cabbcd8bbf3551c485bae05108324b

  • C:\Users\Admin\AppData\Local\AX7\wer.dll
    MD5     dc521d9130565ade477dd6f2a9b0bde7
    SHA1    16dcc34314c98c03f88fb724a74572f35ff3ae65
    SHA256  3ef230dae3412b22b97bd483b3c21369c167232d78bdf695c67a5c6bc23cc693
    SHA512  77f4f071a80489f85422b92d9e071d2cc77c345b2e5a8a359ccc760a7dcde833b7e38269062b20ab104c7d11557fc88d9c305f4de5b3b85fe2204ddac10b61ea

  • C:\Users\Admin\AppData\Local\Fh3\MFPlat.DLL
    MD5     ccca1e98ffd79525f6d9319ab2b9b512
    SHA1    3b2f150e1cb8b424e82596014f3286c81567f538
    SHA256  a87a3a8cb84ac8a1c79f2402e40e3d612032e169f734a1b8715bb4bc32837f2e
    SHA512  b855e83d13912de2856703ba51ae4d972e9e0536cbde924e512520b6ecd30685ecb56d72e439261d310a64a1096e310c763450872e99e61ce77174a235e24f03

  • C:\Users\Admin\AppData\Local\Fh3\rrinstaller.exe
    MD5     0d3a73b0b30252680b383532f1758649
    SHA1    9f098d2037e4dd94eca6d04c37b3d4ad8b0cc931
    SHA256  fc8a992b6ac311e1b1491ec3e31e273a41f7fdf3f68176321307b68489a03fbc
    SHA512  a7961f4d8d0e07959d1501d721c7751b01af6704c7da5c1f31e40de5372ee6a1fce2f3e0077c8e6a1bed017e11ce4be9b0d17c04e30b222fb3f0df67b870b2d4

  • C:\Users\Admin\AppData\Local\tiHBR\SnippingTool.exe
    MD5     7633f554eeafde7f144b41c2fcaf5f63
    SHA1    44497c3d6fada0066598a6170b90c53e28ddf96c
    SHA256  890884c7fe7d037e6debd21d1877e9c9c5e7790cdba007ddb219ae6a55667f78
    SHA512  7b61b6736c2c4f49d80f53c839914ad845f86a7d921fee1557e49aa7b4e9713e3483417d6c717eca155229bb6a90fc2253e1543cf05192aaf08262dc761fa203

  • C:\Users\Admin\AppData\Local\tiHBR\slc.dll
    MD5     ddefada0bdce8cc3766dedd17cf76550
    SHA1    0dfba4960055674319ee5447b27a2fc67f61d3d2
    SHA256  dd2dd325cd43d03d73c2e6386e3ca2569e88362a5cda3a6b0b2a747cedc277f0
    SHA512  618759324d456313c320a12f9e1c444124ff086e803c244224d874ef8fc5be7e2bb81724eca4ead68f2c9489b429768268827d674322f2daded40f6bf17ece40

  • \Users\Admin\AppData\Local\AX7\DWWIN.EXE
    MD5     25247e3c4e7a7a73baeea6c0008952b1
    SHA1    8087adb7a71a696139ddc5c5abc1a84f817ab688
    SHA256  c740497a7e58f7678e25b68b03573b4136a364464ee97c02ce5e0fe00cec7050
    SHA512  bc27946894e7775f772ac882740430c8b9d3f37a573e2524207f7bb32f44d4a227cb1e9a555e118d68af7f1e129abd2ac5cabbcd8bbf3551c485bae05108324b

  • \Users\Admin\AppData\Local\AX7\wer.dll
    MD5     dc521d9130565ade477dd6f2a9b0bde7
    SHA1    16dcc34314c98c03f88fb724a74572f35ff3ae65
    SHA256  3ef230dae3412b22b97bd483b3c21369c167232d78bdf695c67a5c6bc23cc693
    SHA512  77f4f071a80489f85422b92d9e071d2cc77c345b2e5a8a359ccc760a7dcde833b7e38269062b20ab104c7d11557fc88d9c305f4de5b3b85fe2204ddac10b61ea

  • \Users\Admin\AppData\Local\Fh3\MFPlat.DLL
    MD5     ccca1e98ffd79525f6d9319ab2b9b512
    SHA1    3b2f150e1cb8b424e82596014f3286c81567f538
    SHA256  a87a3a8cb84ac8a1c79f2402e40e3d612032e169f734a1b8715bb4bc32837f2e
    SHA512  b855e83d13912de2856703ba51ae4d972e9e0536cbde924e512520b6ecd30685ecb56d72e439261d310a64a1096e310c763450872e99e61ce77174a235e24f03

  • \Users\Admin\AppData\Local\Fh3\rrinstaller.exe
    MD5     0d3a73b0b30252680b383532f1758649
    SHA1    9f098d2037e4dd94eca6d04c37b3d4ad8b0cc931
    SHA256  fc8a992b6ac311e1b1491ec3e31e273a41f7fdf3f68176321307b68489a03fbc
    SHA512  a7961f4d8d0e07959d1501d721c7751b01af6704c7da5c1f31e40de5372ee6a1fce2f3e0077c8e6a1bed017e11ce4be9b0d17c04e30b222fb3f0df67b870b2d4

  • \Users\Admin\AppData\Local\tiHBR\SnippingTool.exe
    MD5     7633f554eeafde7f144b41c2fcaf5f63
    SHA1    44497c3d6fada0066598a6170b90c53e28ddf96c
    SHA256  890884c7fe7d037e6debd21d1877e9c9c5e7790cdba007ddb219ae6a55667f78
    SHA512  7b61b6736c2c4f49d80f53c839914ad845f86a7d921fee1557e49aa7b4e9713e3483417d6c717eca155229bb6a90fc2253e1543cf05192aaf08262dc761fa203

  • \Users\Admin\AppData\Local\tiHBR\slc.dll
    MD5     ddefada0bdce8cc3766dedd17cf76550
    SHA1    0dfba4960055674319ee5447b27a2fc67f61d3d2
    SHA256  dd2dd325cd43d03d73c2e6386e3ca2569e88362a5cda3a6b0b2a747cedc277f0
    SHA512  618759324d456313c320a12f9e1c444124ff086e803c244224d874ef8fc5be7e2bb81724eca4ead68f2c9489b429768268827d674322f2daded40f6bf17ece40

  • \Users\Admin\AppData\Roaming\Microsoft\Credentials\PJmrItuZ\SnippingTool.exe
    MD5     7633f554eeafde7f144b41c2fcaf5f63
    SHA1    44497c3d6fada0066598a6170b90c53e28ddf96c
    SHA256  890884c7fe7d037e6debd21d1877e9c9c5e7790cdba007ddb219ae6a55667f78
    SHA512  7b61b6736c2c4f49d80f53c839914ad845f86a7d921fee1557e49aa7b4e9713e3483417d6c717eca155229bb6a90fc2253e1543cf05192aaf08262dc761fa203

  • memory/760-59-0x0000000000090000-0x0000000000097000-memory.dmp
  • memory/760-55-0x000007FEF6D80000-0x000007FEF6EAB000-memory.dmp
  • memory/1384-71-0x0000000140000000-0x000000014012B000-memory.dmp
  • memory/1384-75-0x0000000140000000-0x000000014012B000-memory.dmp
  • memory/1384-78-0x0000000140000000-0x000000014012B000-memory.dmp
  • memory/1384-70-0x0000000140000000-0x000000014012B000-memory.dmp
  • memory/1384-69-0x0000000140000000-0x000000014012B000-memory.dmp
  • memory/1384-81-0x0000000140000000-0x000000014012B000-memory.dmp
  • memory/1384-82-0x0000000140000000-0x000000014012B000-memory.dmp
  • memory/1384-83-0x0000000140000000-0x000000014012B000-memory.dmp
  • memory/1384-76-0x0000000140000000-0x000000014012B000-memory.dmp
  • memory/1384-74-0x0000000140000000-0x000000014012B000-memory.dmp
  • memory/1384-77-0x0000000140000000-0x000000014012B000-memory.dmp
  • memory/1384-61-0x0000000140000000-0x000000014012B000-memory.dmp
  • memory/1384-89-0x0000000077BC0000-0x0000000077BC2000-memory.dmp
  • memory/1384-63-0x0000000140000000-0x000000014012B000-memory.dmp
  • memory/1384-73-0x0000000140000000-0x000000014012B000-memory.dmp
  • memory/1384-84-0x0000000140000000-0x000000014012B000-memory.dmp
  • memory/1384-64-0x0000000140000000-0x000000014012B000-memory.dmp
  • memory/1384-72-0x0000000140000000-0x000000014012B000-memory.dmp
  • memory/1384-66-0x0000000140000000-0x000000014012B000-memory.dmp
  • memory/1384-67-0x0000000140000000-0x000000014012B000-memory.dmp
  • memory/1384-65-0x0000000140000000-0x000000014012B000-memory.dmp
  • memory/1384-60-0x0000000002690000-0x0000000002691000-memory.dmp
  • memory/1384-62-0x0000000140000000-0x000000014012B000-memory.dmp
  • memory/1384-79-0x0000000140000000-0x000000014012B000-memory.dmp
  • memory/1384-80-0x0000000140000000-0x000000014012B000-memory.dmp
  • memory/1384-68-0x0000000140000000-0x000000014012B000-memory.dmp
  • memory/1560-104-0x000007FEF6CE0000-0x000007FEF6E0D000-memory.dmp
  • memory/1560-100-0x0000000000000000-mapping.dmp
  • memory/1652-95-0x000007FEF7020000-0x000007FEF714C000-memory.dmp
  • memory/1652-91-0x0000000000000000-mapping.dmp
  • memory/1780-111-0x000007FEFC291000-0x000007FEFC293000-memory.dmp
  • memory/1780-114-0x000007FEF6D20000-0x000007FEF6E4C000-memory.dmp
  • memory/1780-109-0x0000000000000000-mapping.dmp