34b87ca49b68d8e9f165cba7fbdd47c091619ea7f81eef67464419367a63e7a6

max time kernel150s
max time network121s
platformwindows7_x64
resourcewin7-en-20211104
submitted26-11-2021 09:32

Report
Files
Registry
Network
Processes
Mutex
Misc

Target

34b87ca49b68d8e9f165cba7fbdd47c091619ea7f81eef67464419367a63e7a6.dll

Filesize

1MB

Completed

26-11-2021 09:35

Score

10^/10

MD5

4a053f11069bec3a06df7a99d9869728

SHA1

57eae9d729bd6b6d1f838a3cbbcbd89e8d1bc325

SHA256

34b87ca49b68d8e9f165cba7fbdd47c091619ea7f81eef67464419367a63e7a6

Defense Evasion

Discovery

Persistence

Dridex

Description

Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

Tags

botnet dridex
Dridex Shellcode

Description

Detects Dridex Payload shellcode injected in Explorer process.

Tags

botnet payload

Reported IOCs

resource yara_rule

behavioral1/memory/1384-60-0x0000000002690000-0x0000000002691000-memory.dmp dridex_stager_shellcode
Executes dropped EXE
DWWIN.EXErrinstaller.exeSnippingTool.exe

Reported IOCs

pid process

1652 DWWIN.EXE
1560 rrinstaller.exe
1780 SnippingTool.exe
Loads dropped DLL
DWWIN.EXErrinstaller.exeSnippingTool.exe

Reported IOCs

pid process

1384
1652 DWWIN.EXE
1384
1560 rrinstaller.exe
1384
1780 SnippingTool.exe
1384

resource	yara_rule
behavioral1/memory/1384-60-0x0000000002690000-0x0000000002691000-memory.dmp	dridex_stager_shellcode

pid	process
1652	DWWIN.EXE
1560	rrinstaller.exe
1780	SnippingTool.exe

pid	process
1384
1652	DWWIN.EXE
1384
1560	rrinstaller.exe
1384
1780	SnippingTool.exe
1384

Adds Run key to start application

TTPs

Registry Run Keys / Startup FolderModify Registry

Reported IOCs

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Windows\CurrentVersion\Run\Myzdcwow = "C:\\Users\\Admin\\AppData\\Roaming\\MACROM~1\\FLASHP~1\\5WD7\\RRINST~1.EXE"

Checks whether UAC is enabled

rundll32.exeDWWIN.EXErrinstaller.exeSnippingTool.exe

TTPs

System Information Discovery

Reported IOCs

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DWWIN.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rrinstaller.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SnippingTool.exe

Suspicious behavior: EnumeratesProcesses

rundll32.exeDWWIN.EXErrinstaller.exe

Reported IOCs

pid	process
760	rundll32.exe
760	rundll32.exe
760	rundll32.exe
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1652	DWWIN.EXE
1652	DWWIN.EXE
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1560	rrinstaller.exe
1560	rrinstaller.exe
1384
1384
1384
1384
1384
1384

Suspicious behavior: GetForegroundWindowSpam

Reported IOCs

pid process

1384

pid	process
1384

Suspicious use of WriteProcessMemory

Reported IOCs

description	pid	target process
PID 1384 wrote to memory of 1216	1384	DWWIN.EXE
PID 1384 wrote to memory of 1216	1384	DWWIN.EXE
PID 1384 wrote to memory of 1216	1384	DWWIN.EXE
PID 1384 wrote to memory of 1652	1384	DWWIN.EXE
PID 1384 wrote to memory of 1652	1384	DWWIN.EXE
PID 1384 wrote to memory of 1652	1384	DWWIN.EXE
PID 1384 wrote to memory of 1692	1384	rrinstaller.exe
PID 1384 wrote to memory of 1692	1384	rrinstaller.exe
PID 1384 wrote to memory of 1692	1384	rrinstaller.exe
PID 1384 wrote to memory of 1560	1384	rrinstaller.exe
PID 1384 wrote to memory of 1560	1384	rrinstaller.exe
PID 1384 wrote to memory of 1560	1384	rrinstaller.exe
PID 1384 wrote to memory of 1504	1384	SnippingTool.exe
PID 1384 wrote to memory of 1504	1384	SnippingTool.exe
PID 1384 wrote to memory of 1504	1384	SnippingTool.exe
PID 1384 wrote to memory of 1780	1384	SnippingTool.exe
PID 1384 wrote to memory of 1780	1384	SnippingTool.exe
PID 1384 wrote to memory of 1780	1384	SnippingTool.exe

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\34b87ca49b68d8e9f165cba7fbdd47c091619ea7f81eef67464419367a63e7a6.dll,#1

Checks whether UAC is enabled
Suspicious behavior: EnumeratesProcesses

PID:760

C:\Windows\system32\DWWIN.EXE

C:\Windows\system32\DWWIN.EXE

PID:1216

C:\Users\Admin\AppData\Local\AX7\DWWIN.EXE

C:\Users\Admin\AppData\Local\AX7\DWWIN.EXE

Executes dropped EXE
Loads dropped DLL
Checks whether UAC is enabled
Suspicious behavior: EnumeratesProcesses

PID:1652

C:\Windows\system32\rrinstaller.exe

C:\Windows\system32\rrinstaller.exe

PID:1692

C:\Users\Admin\AppData\Local\Fh3\rrinstaller.exe

C:\Users\Admin\AppData\Local\Fh3\rrinstaller.exe

Executes dropped EXE
Loads dropped DLL
Checks whether UAC is enabled
Suspicious behavior: EnumeratesProcesses

PID:1560

C:\Windows\system32\SnippingTool.exe

C:\Windows\system32\SnippingTool.exe

PID:1504

C:\Users\Admin\AppData\Local\tiHBR\SnippingTool.exe

C:\Users\Admin\AppData\Local\tiHBR\SnippingTool.exe

Executes dropped EXE
Loads dropped DLL
Checks whether UAC is enabled

PID:1780

Collection

Command and Control

Credential Access

Defense Evasion

Modify Registry

Discovery

System Information Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

00:00 00:00

C:\Users\Admin\AppData\Local\AX7\DWWIN.EXE
MD5
25247e3c4e7a7a73baeea6c0008952b1

SHA1
8087adb7a71a696139ddc5c5abc1a84f817ab688

SHA256
c740497a7e58f7678e25b68b03573b4136a364464ee97c02ce5e0fe00cec7050

SHA512
bc27946894e7775f772ac882740430c8b9d3f37a573e2524207f7bb32f44d4a227cb1e9a555e118d68af7f1e129abd2ac5cabbcd8bbf3551c485bae05108324b

Download Submit
C:\Users\Admin\AppData\Local\AX7\wer.dll
MD5
dc521d9130565ade477dd6f2a9b0bde7

SHA1
16dcc34314c98c03f88fb724a74572f35ff3ae65

SHA256
3ef230dae3412b22b97bd483b3c21369c167232d78bdf695c67a5c6bc23cc693

SHA512
77f4f071a80489f85422b92d9e071d2cc77c345b2e5a8a359ccc760a7dcde833b7e38269062b20ab104c7d11557fc88d9c305f4de5b3b85fe2204ddac10b61ea

Download Submit
C:\Users\Admin\AppData\Local\Fh3\MFPlat.DLL
MD5
ccca1e98ffd79525f6d9319ab2b9b512

SHA1
3b2f150e1cb8b424e82596014f3286c81567f538

SHA256
a87a3a8cb84ac8a1c79f2402e40e3d612032e169f734a1b8715bb4bc32837f2e

SHA512
b855e83d13912de2856703ba51ae4d972e9e0536cbde924e512520b6ecd30685ecb56d72e439261d310a64a1096e310c763450872e99e61ce77174a235e24f03

Download Submit
C:\Users\Admin\AppData\Local\Fh3\rrinstaller.exe
MD5
0d3a73b0b30252680b383532f1758649

SHA1
9f098d2037e4dd94eca6d04c37b3d4ad8b0cc931

SHA256
fc8a992b6ac311e1b1491ec3e31e273a41f7fdf3f68176321307b68489a03fbc

SHA512
a7961f4d8d0e07959d1501d721c7751b01af6704c7da5c1f31e40de5372ee6a1fce2f3e0077c8e6a1bed017e11ce4be9b0d17c04e30b222fb3f0df67b870b2d4

Download Submit
C:\Users\Admin\AppData\Local\tiHBR\SnippingTool.exe
MD5
7633f554eeafde7f144b41c2fcaf5f63

SHA1
44497c3d6fada0066598a6170b90c53e28ddf96c

SHA256
890884c7fe7d037e6debd21d1877e9c9c5e7790cdba007ddb219ae6a55667f78

SHA512
7b61b6736c2c4f49d80f53c839914ad845f86a7d921fee1557e49aa7b4e9713e3483417d6c717eca155229bb6a90fc2253e1543cf05192aaf08262dc761fa203

Download Submit
C:\Users\Admin\AppData\Local\tiHBR\slc.dll
MD5
ddefada0bdce8cc3766dedd17cf76550

SHA1
0dfba4960055674319ee5447b27a2fc67f61d3d2

SHA256
dd2dd325cd43d03d73c2e6386e3ca2569e88362a5cda3a6b0b2a747cedc277f0

SHA512
618759324d456313c320a12f9e1c444124ff086e803c244224d874ef8fc5be7e2bb81724eca4ead68f2c9489b429768268827d674322f2daded40f6bf17ece40

Download Submit
\Users\Admin\AppData\Local\AX7\DWWIN.EXE
MD5
25247e3c4e7a7a73baeea6c0008952b1

SHA1
8087adb7a71a696139ddc5c5abc1a84f817ab688

SHA256
c740497a7e58f7678e25b68b03573b4136a364464ee97c02ce5e0fe00cec7050

SHA512
bc27946894e7775f772ac882740430c8b9d3f37a573e2524207f7bb32f44d4a227cb1e9a555e118d68af7f1e129abd2ac5cabbcd8bbf3551c485bae05108324b

Download Submit
\Users\Admin\AppData\Local\AX7\wer.dll
MD5
dc521d9130565ade477dd6f2a9b0bde7

SHA1
16dcc34314c98c03f88fb724a74572f35ff3ae65

SHA256
3ef230dae3412b22b97bd483b3c21369c167232d78bdf695c67a5c6bc23cc693

SHA512
77f4f071a80489f85422b92d9e071d2cc77c345b2e5a8a359ccc760a7dcde833b7e38269062b20ab104c7d11557fc88d9c305f4de5b3b85fe2204ddac10b61ea

Download Submit
\Users\Admin\AppData\Local\Fh3\MFPlat.DLL
MD5
ccca1e98ffd79525f6d9319ab2b9b512

SHA1
3b2f150e1cb8b424e82596014f3286c81567f538

SHA256
a87a3a8cb84ac8a1c79f2402e40e3d612032e169f734a1b8715bb4bc32837f2e

SHA512
b855e83d13912de2856703ba51ae4d972e9e0536cbde924e512520b6ecd30685ecb56d72e439261d310a64a1096e310c763450872e99e61ce77174a235e24f03

Download Submit
\Users\Admin\AppData\Local\Fh3\rrinstaller.exe
MD5
0d3a73b0b30252680b383532f1758649

SHA1
9f098d2037e4dd94eca6d04c37b3d4ad8b0cc931

SHA256
fc8a992b6ac311e1b1491ec3e31e273a41f7fdf3f68176321307b68489a03fbc

SHA512
a7961f4d8d0e07959d1501d721c7751b01af6704c7da5c1f31e40de5372ee6a1fce2f3e0077c8e6a1bed017e11ce4be9b0d17c04e30b222fb3f0df67b870b2d4

Download Submit
\Users\Admin\AppData\Local\tiHBR\SnippingTool.exe
MD5
7633f554eeafde7f144b41c2fcaf5f63

SHA1
44497c3d6fada0066598a6170b90c53e28ddf96c

SHA256
890884c7fe7d037e6debd21d1877e9c9c5e7790cdba007ddb219ae6a55667f78

SHA512
7b61b6736c2c4f49d80f53c839914ad845f86a7d921fee1557e49aa7b4e9713e3483417d6c717eca155229bb6a90fc2253e1543cf05192aaf08262dc761fa203

Download Submit
\Users\Admin\AppData\Local\tiHBR\slc.dll
MD5
ddefada0bdce8cc3766dedd17cf76550

SHA1
0dfba4960055674319ee5447b27a2fc67f61d3d2

SHA256
dd2dd325cd43d03d73c2e6386e3ca2569e88362a5cda3a6b0b2a747cedc277f0

SHA512
618759324d456313c320a12f9e1c444124ff086e803c244224d874ef8fc5be7e2bb81724eca4ead68f2c9489b429768268827d674322f2daded40f6bf17ece40

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Credentials\PJmrItuZ\SnippingTool.exe
MD5
7633f554eeafde7f144b41c2fcaf5f63

SHA1
44497c3d6fada0066598a6170b90c53e28ddf96c

SHA256
890884c7fe7d037e6debd21d1877e9c9c5e7790cdba007ddb219ae6a55667f78

SHA512
7b61b6736c2c4f49d80f53c839914ad845f86a7d921fee1557e49aa7b4e9713e3483417d6c717eca155229bb6a90fc2253e1543cf05192aaf08262dc761fa203

Download Submit
memory/760-59-0x0000000000090000-0x0000000000097000-memory.dmp

Download
memory/760-55-0x000007FEF6D80000-0x000007FEF6EAB000-memory.dmp

Download
memory/1384-71-0x0000000140000000-0x000000014012B000-memory.dmp

Download
memory/1384-75-0x0000000140000000-0x000000014012B000-memory.dmp

Download
memory/1384-78-0x0000000140000000-0x000000014012B000-memory.dmp

Download
memory/1384-70-0x0000000140000000-0x000000014012B000-memory.dmp

Download
memory/1384-69-0x0000000140000000-0x000000014012B000-memory.dmp

Download
memory/1384-81-0x0000000140000000-0x000000014012B000-memory.dmp

Download
memory/1384-82-0x0000000140000000-0x000000014012B000-memory.dmp

Download
memory/1384-83-0x0000000140000000-0x000000014012B000-memory.dmp

Download
memory/1384-76-0x0000000140000000-0x000000014012B000-memory.dmp

Download
memory/1384-74-0x0000000140000000-0x000000014012B000-memory.dmp

Download
memory/1384-77-0x0000000140000000-0x000000014012B000-memory.dmp

Download
memory/1384-61-0x0000000140000000-0x000000014012B000-memory.dmp

Download
memory/1384-89-0x0000000077BC0000-0x0000000077BC2000-memory.dmp

Download
memory/1384-63-0x0000000140000000-0x000000014012B000-memory.dmp

Download
memory/1384-73-0x0000000140000000-0x000000014012B000-memory.dmp

Download
memory/1384-84-0x0000000140000000-0x000000014012B000-memory.dmp

Download
memory/1384-64-0x0000000140000000-0x000000014012B000-memory.dmp

Download
memory/1384-72-0x0000000140000000-0x000000014012B000-memory.dmp

Download
memory/1384-66-0x0000000140000000-0x000000014012B000-memory.dmp

Download
memory/1384-67-0x0000000140000000-0x000000014012B000-memory.dmp

Download
memory/1384-65-0x0000000140000000-0x000000014012B000-memory.dmp

Download
memory/1384-60-0x0000000002690000-0x0000000002691000-memory.dmp

Download
memory/1384-62-0x0000000140000000-0x000000014012B000-memory.dmp

Download
memory/1384-79-0x0000000140000000-0x000000014012B000-memory.dmp

Download
memory/1384-80-0x0000000140000000-0x000000014012B000-memory.dmp

Download
memory/1384-68-0x0000000140000000-0x000000014012B000-memory.dmp

Download
memory/1560-104-0x000007FEF6CE0000-0x000007FEF6E0D000-memory.dmp

Download
memory/1560-100-0x0000000000000000-mapping.dmp

Download
memory/1652-95-0x000007FEF7020000-0x000007FEF714C000-memory.dmp

Download
memory/1652-91-0x0000000000000000-mapping.dmp

Download
memory/1780-111-0x000007FEFC291000-0x000007FEFC293000-memory.dmp

Download
memory/1780-114-0x000007FEF6D20000-0x000007FEF6E4C000-memory.dmp

Download
memory/1780-109-0x0000000000000000-mapping.dmp

Download

34b87ca49b68d8e9f165cba7fbdd47c091619ea7f81eef67464419367a63e7a6

Filter: none

Description

Tags

Description

Tags

Reported IOCs

Reported IOCs

Reported IOCs

Tags

TTPs

Reported IOCs

Tags

TTPs

Reported IOCs

Reported IOCs

Reported IOCs

Reported IOCs

Title