34b87ca49b68d8e9f165cba7fbdd47c091619ea7f81eef67464419367a63e7a6

max time kernel153s
max time network121s
platformwindows10_x64
resourcewin10-en-20211014
submitted26-11-2021 09:32

Report
Files
Registry
Network
Processes
Mutex
Misc

Target

34b87ca49b68d8e9f165cba7fbdd47c091619ea7f81eef67464419367a63e7a6.dll

Filesize

1MB

Completed

26-11-2021 09:35

Score

10^/10

MD5

4a053f11069bec3a06df7a99d9869728

SHA1

57eae9d729bd6b6d1f838a3cbbcbd89e8d1bc325

SHA256

34b87ca49b68d8e9f165cba7fbdd47c091619ea7f81eef67464419367a63e7a6

Defense Evasion

Discovery

Persistence

Dridex

Description

Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

Tags

botnet dridex
Dridex Shellcode

Description

Detects Dridex Payload shellcode injected in Explorer process.

Tags

botnet payload

Reported IOCs

resource yara_rule

behavioral2/memory/2808-122-0x0000000000670000-0x0000000000671000-memory.dmp dridex_stager_shellcode
Executes dropped EXE
LockScreenContentServer.exeCameraSettingsUIHost.exesessionmsg.exe

Reported IOCs

pid process

1004 LockScreenContentServer.exe
2684 CameraSettingsUIHost.exe
1132 sessionmsg.exe
Loads dropped DLL
LockScreenContentServer.exeCameraSettingsUIHost.exesessionmsg.exe

Reported IOCs

pid process

1004 LockScreenContentServer.exe
2684 CameraSettingsUIHost.exe
1132 sessionmsg.exe

resource	yara_rule
behavioral2/memory/2808-122-0x0000000000670000-0x0000000000671000-memory.dmp	dridex_stager_shellcode

pid	process
1004	LockScreenContentServer.exe
2684	CameraSettingsUIHost.exe
1132	sessionmsg.exe

pid	process
1004	LockScreenContentServer.exe
2684	CameraSettingsUIHost.exe
1132	sessionmsg.exe

Adds Run key to start application

TTPs

Registry Run Keys / Startup FolderModify Registry

Reported IOCs

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\Slqggwbvaxk = "C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\kuT\\CameraSettingsUIHost.exe"

Checks whether UAC is enabled

rundll32.exeLockScreenContentServer.exeCameraSettingsUIHost.exesessionmsg.exe

TTPs

System Information Discovery

Reported IOCs

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	LockScreenContentServer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	CameraSettingsUIHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sessionmsg.exe

Suspicious behavior: EnumeratesProcesses

rundll32.exeLockScreenContentServer.exe

Reported IOCs

pid	process
3760	rundll32.exe
3760	rundll32.exe
3760	rundll32.exe
3760	rundll32.exe
2808
2808
2808
2808
2808
2808
2808
2808
2808
2808
2808
2808
2808
2808
2808
2808
2808
2808
2808
2808
2808
2808
2808
2808
2808
2808
2808
2808
2808
2808
2808
2808
2808
2808
2808
2808
2808
2808
2808
2808
2808
2808
1004	LockScreenContentServer.exe
1004	LockScreenContentServer.exe
2808
2808
2808
2808
2808
2808
2808
2808
2808
2808
2808
2808
2808
2808
2808
2808

Suspicious behavior: GetForegroundWindowSpam

Reported IOCs

pid process

2808

pid	process
2808

Suspicious use of WriteProcessMemory

Reported IOCs

description	pid	target process
PID 2808 wrote to memory of 1252	2808	LockScreenContentServer.exe
PID 2808 wrote to memory of 1252	2808	LockScreenContentServer.exe
PID 2808 wrote to memory of 1004	2808	LockScreenContentServer.exe
PID 2808 wrote to memory of 1004	2808	LockScreenContentServer.exe
PID 2808 wrote to memory of 784	2808	CameraSettingsUIHost.exe
PID 2808 wrote to memory of 784	2808	CameraSettingsUIHost.exe
PID 2808 wrote to memory of 2684	2808	CameraSettingsUIHost.exe
PID 2808 wrote to memory of 2684	2808	CameraSettingsUIHost.exe
PID 2808 wrote to memory of 1268	2808	sessionmsg.exe
PID 2808 wrote to memory of 1268	2808	sessionmsg.exe
PID 2808 wrote to memory of 1132	2808	sessionmsg.exe
PID 2808 wrote to memory of 1132	2808	sessionmsg.exe

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\34b87ca49b68d8e9f165cba7fbdd47c091619ea7f81eef67464419367a63e7a6.dll,#1

Checks whether UAC is enabled
Suspicious behavior: EnumeratesProcesses

PID:3760

C:\Windows\system32\LockScreenContentServer.exe

C:\Windows\system32\LockScreenContentServer.exe

PID:1252

C:\Users\Admin\AppData\Local\qzSK\LockScreenContentServer.exe

C:\Users\Admin\AppData\Local\qzSK\LockScreenContentServer.exe

Executes dropped EXE
Loads dropped DLL
Checks whether UAC is enabled
Suspicious behavior: EnumeratesProcesses

PID:1004

C:\Windows\system32\CameraSettingsUIHost.exe

C:\Windows\system32\CameraSettingsUIHost.exe

PID:784

C:\Users\Admin\AppData\Local\SBuGQT46p\CameraSettingsUIHost.exe

C:\Users\Admin\AppData\Local\SBuGQT46p\CameraSettingsUIHost.exe

Executes dropped EXE
Loads dropped DLL
Checks whether UAC is enabled

PID:2684

C:\Windows\system32\sessionmsg.exe

C:\Windows\system32\sessionmsg.exe

PID:1268

C:\Users\Admin\AppData\Local\9exBDrG9\sessionmsg.exe

C:\Users\Admin\AppData\Local\9exBDrG9\sessionmsg.exe

Executes dropped EXE
Loads dropped DLL
Checks whether UAC is enabled

PID:1132

Collection

Command and Control

Credential Access

Defense Evasion

Modify Registry

Discovery

System Information Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

00:00 00:00

C:\Users\Admin\AppData\Local\9exBDrG9\DUI70.dll
MD5
c5ad02e75292bf87e987ac7058c5fbf5

SHA1
cfb3e2f088755289f9714d5aba01c69705a448c8

SHA256
a5095256983e9388755bb563ccd117c246d7ab40e6bc8e42eeba73a8c97577ae

SHA512
93336183f19965e244c9449db3fe484244f709f67f988d4d25261df7112f1eeedd5b77df5968c99bd7bdf66f57af3088313fc974ca295ef5abb41b890710b2f6

Download Submit
C:\Users\Admin\AppData\Local\9exBDrG9\sessionmsg.exe
MD5
c9a3d374ad75f5d9ee720412c96b6f94

SHA1
5cec5ea0e5f5a6ed7e4726fe39e50563a351c9c8

SHA256
4b54ea036af8b81b91bd4fbb04b4405d4c788f178a177201e66a7bc6fb778a0d

SHA512
a63730ef7ade9dcfa5afecefe92eb897f9bb4284049b49445f95f44228173ccd5890e65e2b6257f8c4431b468b9b1d664c5cc1b836240413a20fb7b46e49b0ec

Download Submit
C:\Users\Admin\AppData\Local\SBuGQT46p\CameraSettingsUIHost.exe
MD5
a2f3bedc6124ad9d582ebd5086be2aa2

SHA1
5586e7796ea73cfb4aac094905b334b12de8a151

SHA256
dd3ceee2dcd4884fbd46676045ab4a02ce4c0a0a4ad13ab54364c6e136c259a0

SHA512
9dc1909e07326c55c2eff881b31d0146a595010a8ae78ae9afd64093b2b691c75f68de873acee27d2093a34c0431ee81e693d24d8241c2f4805590a11be9d07b

Download Submit
C:\Users\Admin\AppData\Local\SBuGQT46p\DUI70.dll
MD5
303890d0d058472a36e41c0ecb9a48b5

SHA1
ab3af59fc10c2e86f3559ec81259826970f63047

SHA256
e0118fe6f1d0a8b38d7fe691795e4afd06878f0b18851bbd78fa8ea6ac4c49dd

SHA512
6524893b1cb27117f273f04f07a4e3cb5379d11652ef57791a3f408b4807422e11490800384f309409da08de878a3f85c802285292aae48fa25900a9c111b09b

Download Submit
C:\Users\Admin\AppData\Local\qzSK\DUser.dll
MD5
a4c06c207f30c71063afd1069d214e3e

SHA1
f7a4ab64014e7135d1bc510f7f40209a7b3859ac

SHA256
1ee594383192b842f6e872f78edd150c1f3fda21d103ff6e4923e07ad6845fc7

SHA512
7f8eb5fb0ee40af2610631021321400105063cbfee6c12cfe8d6e01251ef1aafefe07306d2e42a19393987be742587f03dbacf096f6837d082d053bdbc5badb4

Download Submit
C:\Users\Admin\AppData\Local\qzSK\LockScreenContentServer.exe
MD5
583914a93db0413668eadd743fd5fb1c

SHA1
8b95be0ad348f0aabfcceac3148109ef12e8a978

SHA256
ec09ee1b2bb981335ea9db3ac031fbbc3ed74f9294d734a5799fb0d75e423583

SHA512
2f5c22cc3f557c65c876e8a943c7b3dec92d5c0b5219ab2410a334f42e442ef08d0c7b1c5c0797b83a17578a25ce70aa631a15be7ec6a6ea8a8d865dca0b9cd4

Download Submit
\Users\Admin\AppData\Local\9exBDrG9\DUI70.dll
MD5
c5ad02e75292bf87e987ac7058c5fbf5

SHA1
cfb3e2f088755289f9714d5aba01c69705a448c8

SHA256
a5095256983e9388755bb563ccd117c246d7ab40e6bc8e42eeba73a8c97577ae

SHA512
93336183f19965e244c9449db3fe484244f709f67f988d4d25261df7112f1eeedd5b77df5968c99bd7bdf66f57af3088313fc974ca295ef5abb41b890710b2f6

Download Submit
\Users\Admin\AppData\Local\SBuGQT46p\DUI70.dll
MD5
303890d0d058472a36e41c0ecb9a48b5

SHA1
ab3af59fc10c2e86f3559ec81259826970f63047

SHA256
e0118fe6f1d0a8b38d7fe691795e4afd06878f0b18851bbd78fa8ea6ac4c49dd

SHA512
6524893b1cb27117f273f04f07a4e3cb5379d11652ef57791a3f408b4807422e11490800384f309409da08de878a3f85c802285292aae48fa25900a9c111b09b

Download Submit
\Users\Admin\AppData\Local\qzSK\DUser.dll
MD5
a4c06c207f30c71063afd1069d214e3e

SHA1
f7a4ab64014e7135d1bc510f7f40209a7b3859ac

SHA256
1ee594383192b842f6e872f78edd150c1f3fda21d103ff6e4923e07ad6845fc7

SHA512
7f8eb5fb0ee40af2610631021321400105063cbfee6c12cfe8d6e01251ef1aafefe07306d2e42a19393987be742587f03dbacf096f6837d082d053bdbc5badb4

Download Submit
memory/1004-156-0x0000000000000000-mapping.dmp

Download
memory/1004-164-0x0000021B8BF10000-0x0000021B8BF12000-memory.dmp

Download
memory/1004-165-0x0000021B8BF10000-0x0000021B8BF12000-memory.dmp

Download
memory/1004-166-0x0000021B8BF10000-0x0000021B8BF12000-memory.dmp

Download
memory/1004-160-0x00007FFC20720000-0x00007FFC2084D000-memory.dmp

Download
memory/1132-186-0x000001DC85FD0000-0x000001DC85FD2000-memory.dmp

Download
memory/1132-187-0x000001DC85FD0000-0x000001DC85FD2000-memory.dmp

Download
memory/1132-178-0x0000000000000000-mapping.dmp

Download
memory/1132-188-0x000001DC85FD0000-0x000001DC85FD2000-memory.dmp

Download
memory/2684-175-0x000002221B660000-0x000002221B662000-memory.dmp

Download
memory/2684-176-0x000002221B660000-0x000002221B662000-memory.dmp

Download
memory/2684-167-0x0000000000000000-mapping.dmp

Download
memory/2684-171-0x00007FFC2DBB0000-0x00007FFC2DD21000-memory.dmp

Download
memory/2684-177-0x000002221B660000-0x000002221B662000-memory.dmp

Download
memory/2808-143-0x0000000140000000-0x000000014012B000-memory.dmp

Download
memory/2808-142-0x0000000140000000-0x000000014012B000-memory.dmp

Download
memory/2808-141-0x0000000140000000-0x000000014012B000-memory.dmp

Download
memory/2808-144-0x0000000140000000-0x000000014012B000-memory.dmp

Download
memory/2808-145-0x0000000140000000-0x000000014012B000-memory.dmp

Download
memory/2808-140-0x0000000140000000-0x000000014012B000-memory.dmp

Download
memory/2808-151-0x00000000007D0000-0x00000000007D2000-memory.dmp

Download
memory/2808-152-0x00000000007D0000-0x00000000007D2000-memory.dmp

Download
memory/2808-153-0x00007FFC3BA05000-0x00007FFC3BA06000-memory.dmp

Download
memory/2808-154-0x00000000007D0000-0x00000000007D2000-memory.dmp

Download
memory/2808-155-0x00007FFC3BB40000-0x00007FFC3BB42000-memory.dmp

Download
memory/2808-138-0x0000000140000000-0x000000014012B000-memory.dmp

Download
memory/2808-146-0x0000000140000000-0x000000014012B000-memory.dmp

Download
memory/2808-137-0x0000000140000000-0x000000014012B000-memory.dmp

Download
memory/2808-136-0x0000000140000000-0x000000014012B000-memory.dmp

Download
memory/2808-135-0x0000000140000000-0x000000014012B000-memory.dmp

Download
memory/2808-134-0x0000000140000000-0x000000014012B000-memory.dmp

Download
memory/2808-133-0x0000000140000000-0x000000014012B000-memory.dmp

Download
memory/2808-131-0x0000000140000000-0x000000014012B000-memory.dmp

Download
memory/2808-130-0x0000000140000000-0x000000014012B000-memory.dmp

Download
memory/2808-127-0x0000000140000000-0x000000014012B000-memory.dmp

Download
memory/2808-129-0x0000000140000000-0x000000014012B000-memory.dmp

Download
memory/2808-128-0x0000000140000000-0x000000014012B000-memory.dmp

Download
memory/2808-126-0x0000000140000000-0x000000014012B000-memory.dmp

Download
memory/2808-125-0x0000000140000000-0x000000014012B000-memory.dmp

Download
memory/2808-123-0x0000000140000000-0x000000014012B000-memory.dmp

Download
memory/2808-122-0x0000000000670000-0x0000000000671000-memory.dmp

Download
memory/2808-124-0x0000000140000000-0x000000014012B000-memory.dmp

Download
memory/2808-139-0x0000000140000000-0x000000014012B000-memory.dmp

Download
memory/2808-132-0x0000000140000000-0x000000014012B000-memory.dmp

Download
memory/3760-121-0x0000022B8B9F0000-0x0000022B8B9F7000-memory.dmp

Download
memory/3760-120-0x0000022B8BA00000-0x0000022B8BA02000-memory.dmp

Download
memory/3760-119-0x0000022B8BA00000-0x0000022B8BA02000-memory.dmp

Download
memory/3760-115-0x00007FFC2DC00000-0x00007FFC2DD2B000-memory.dmp

Download

34b87ca49b68d8e9f165cba7fbdd47c091619ea7f81eef67464419367a63e7a6

Filter: none

Description

Tags

Description

Tags

Reported IOCs

Reported IOCs

Reported IOCs

Tags

TTPs

Reported IOCs

Tags

TTPs

Reported IOCs

Reported IOCs

Reported IOCs

Reported IOCs

Title