b00840048749257957b81d41979187a60a83d52fbe57998630873729a94ffd79

max time kernel151s
max time network150s
platformwindows10_x64
resourcewin10-en-20211014
submitted26-11-2021 09:32

Report
Files
Registry
Network
Processes
Mutex
Misc

Target

b00840048749257957b81d41979187a60a83d52fbe57998630873729a94ffd79.dll

Filesize

1MB

Completed

26-11-2021 09:35

Score

10^/10

MD5

12a2429bc9990f1631ce12341895db8c

SHA1

0ee8f6d9b2ce34403e841a39a5f92c6d8138dc42

SHA256

b00840048749257957b81d41979187a60a83d52fbe57998630873729a94ffd79

Defense Evasion

Discovery

Persistence

Dridex

Description

Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

Tags

botnet dridex
Dridex Shellcode

Description

Detects Dridex Payload shellcode injected in Explorer process.

Tags

botnet payload

Reported IOCs

resource yara_rule

behavioral2/memory/3024-122-0x0000000000790000-0x0000000000791000-memory.dmp dridex_stager_shellcode
Executes dropped EXE
msinfo32.exeFileHistory.exeBitLockerWizardElev.exeWFS.exe

Reported IOCs

pid process

2088 msinfo32.exe
1780 FileHistory.exe
780 BitLockerWizardElev.exe
2012 WFS.exe
Loads dropped DLL
msinfo32.exeFileHistory.exeBitLockerWizardElev.exeWFS.exe

Reported IOCs

pid process

2088 msinfo32.exe
1780 FileHistory.exe
780 BitLockerWizardElev.exe
2012 WFS.exe

resource	yara_rule
behavioral2/memory/3024-122-0x0000000000790000-0x0000000000791000-memory.dmp	dridex_stager_shellcode

pid	process
2088	msinfo32.exe
1780	FileHistory.exe
780	BitLockerWizardElev.exe
2012	WFS.exe

pid	process
2088	msinfo32.exe
1780	FileHistory.exe
780	BitLockerWizardElev.exe
2012	WFS.exe

Adds Run key to start application

TTPs

Registry Run Keys / Startup FolderModify Registry

Reported IOCs

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\Slqggwbvaxk = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\NETWOR~1\\hzKDvlss\\BITLOC~1.EXE"

Checks whether UAC is enabled

BitLockerWizardElev.exeWFS.exerundll32.exemsinfo32.exeFileHistory.exe

TTPs

System Information Discovery

Reported IOCs

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	BitLockerWizardElev.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WFS.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	FileHistory.exe

Suspicious behavior: EnumeratesProcesses

rundll32.exemsinfo32.exe

Reported IOCs

pid	process
3168	rundll32.exe
3168	rundll32.exe
3168	rundll32.exe
3168	rundll32.exe
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
2088	msinfo32.exe
2088	msinfo32.exe
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024

Suspicious behavior: GetForegroundWindowSpam

Reported IOCs

pid process

3024

pid	process
3024

Suspicious use of WriteProcessMemory

Reported IOCs

description	pid	target process
PID 3024 wrote to memory of 2904	3024	msinfo32.exe
PID 3024 wrote to memory of 2904	3024	msinfo32.exe
PID 3024 wrote to memory of 2088	3024	msinfo32.exe
PID 3024 wrote to memory of 2088	3024	msinfo32.exe
PID 3024 wrote to memory of 3960	3024	FileHistory.exe
PID 3024 wrote to memory of 3960	3024	FileHistory.exe
PID 3024 wrote to memory of 1780	3024	FileHistory.exe
PID 3024 wrote to memory of 1780	3024	FileHistory.exe
PID 3024 wrote to memory of 3776	3024	BitLockerWizardElev.exe
PID 3024 wrote to memory of 3776	3024	BitLockerWizardElev.exe
PID 3024 wrote to memory of 780	3024	BitLockerWizardElev.exe
PID 3024 wrote to memory of 780	3024	BitLockerWizardElev.exe
PID 3024 wrote to memory of 2444	3024	WFS.exe
PID 3024 wrote to memory of 2444	3024	WFS.exe
PID 3024 wrote to memory of 2012	3024	WFS.exe
PID 3024 wrote to memory of 2012	3024	WFS.exe

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\b00840048749257957b81d41979187a60a83d52fbe57998630873729a94ffd79.dll,#1

Checks whether UAC is enabled
Suspicious behavior: EnumeratesProcesses

PID:3168

C:\Windows\system32\msinfo32.exe

C:\Windows\system32\msinfo32.exe

PID:2904

C:\Users\Admin\AppData\Local\6uzQag\msinfo32.exe

C:\Users\Admin\AppData\Local\6uzQag\msinfo32.exe

Executes dropped EXE
Loads dropped DLL
Checks whether UAC is enabled
Suspicious behavior: EnumeratesProcesses

PID:2088

C:\Windows\system32\FileHistory.exe

C:\Windows\system32\FileHistory.exe

PID:3960

C:\Users\Admin\AppData\Local\zO0KSEV\FileHistory.exe

C:\Users\Admin\AppData\Local\zO0KSEV\FileHistory.exe

Executes dropped EXE
Loads dropped DLL
Checks whether UAC is enabled

PID:1780

C:\Windows\system32\BitLockerWizardElev.exe

C:\Windows\system32\BitLockerWizardElev.exe

PID:3776

C:\Users\Admin\AppData\Local\uvFf\BitLockerWizardElev.exe

C:\Users\Admin\AppData\Local\uvFf\BitLockerWizardElev.exe

Executes dropped EXE
Loads dropped DLL
Checks whether UAC is enabled

PID:780

C:\Windows\system32\WFS.exe

C:\Windows\system32\WFS.exe

PID:2444

C:\Users\Admin\AppData\Local\hEVS\WFS.exe

C:\Users\Admin\AppData\Local\hEVS\WFS.exe

Executes dropped EXE
Loads dropped DLL
Checks whether UAC is enabled

PID:2012

Collection

Command and Control

Credential Access

Defense Evasion

Modify Registry

Discovery

System Information Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

00:00 00:00

C:\Users\Admin\AppData\Local\6uzQag\SLC.dll
MD5
7309d634d88be93d2cb6a99b81892bf5

SHA1
8a5a2a0e3e713eb7979e4972b6adb0c895360629

SHA256
9fd28169ff934cf4c9c0b9452d1d0179cbcab15c66056d8bfe1fbc6b029e432f

SHA512
8cd3885aec475879316a4ebeda039109b39ab65dadfed6632d80f6bc1549b1c87707d6ae2a4a96109e937b61feec4861aaf2f65f7413c14c20dcc03b7d1af755

Download Submit
C:\Users\Admin\AppData\Local\6uzQag\msinfo32.exe
MD5
255861c59cdfbf86c03560d39a92932a

SHA1
18353cb8a58d25ab62687b69fee44d007b994f19

SHA256
57aeba5f7f9de579f3c334e7e013114f6b2257b810b2fc8c1f96331ad1c4909c

SHA512
f695394f344f07036684dc4ba4ba011bc0b5b0b27898c82714cbd072c6218870234deb18044c00bf3fda618480e4e517cba50d577c228a63ee3e2676029e430b

Download Submit
C:\Users\Admin\AppData\Local\hEVS\MFC42u.dll
MD5
15d96b08ac21db48ff9f23e97ea68629

SHA1
55197b57cb93da95c8f2a78ee29349fa1acba517

SHA256
e16f470dfc66ef23c62174d3cd07e994670577d2d7d6bc8577dfcf20e4e402fa

SHA512
6340808d958f2ddee72e2b1fadfee9cad7858653266a433f875bcd5552c7184cff7acf7b3f11bbcaa8cc6fb75b97e4463579d9b2ad0f2d48ec1d3b64d7c2088b

Download Submit
C:\Users\Admin\AppData\Local\hEVS\WFS.exe
MD5
f5c1b5e7334f4a7fa393cc68f16eab93

SHA1
d17180a8f7be23ebdf04162a8c66a9c3bb18d9c1

SHA256
68b593b074f7501cee6a7af0d006a611f413a0d4f22b43c041fcec3815112208

SHA512
3656d43322e9ed1da68ff58deeb458c3633c693b1e9b79fc7c557166db6af8cb7d155341742510cf803aeb985dd825c64ecfaa7eda7ccf0952dcb06249a92fc0

Download Submit
C:\Users\Admin\AppData\Local\uvFf\BitLockerWizardElev.exe
MD5
43d63950e411885e21eeb33a7f33dc85

SHA1
aa5489c400ae898ba8590e7198846ca51d4ae872

SHA256
82f381697c3ea8df147de184892751a5c99475617c245b3caece870bb0a5418a

SHA512
65b87ecb21289f3ce72f8ea00e877f6023551d4ba5f62e27ac00df7376c1f1d3d612419fac54211a91383b016e03a7f82ac8bc0beaa10262767538dba09423ca

Download Submit
C:\Users\Admin\AppData\Local\uvFf\FVEWIZ.dll
MD5
4b0e19b3f92927f6a7d4432ab1007833

SHA1
5355f8d17dfeb87f2d8856206cec84f4d49f39b8

SHA256
c5a7060ab70b69fb24ae599bb349d38383f1c3093048ebd350348eca1f6abf26

SHA512
ac2b5f11987e842d16d33a5b28bff15796c604dca8952419c2d8c2e3c4a2795b829df6ec2bc0c3c47205fef26dd4eb39f69a2d66799ccdd060ed36a0984feae3

Download Submit
C:\Users\Admin\AppData\Local\zO0KSEV\FileHistory.exe
MD5
2735b1264f7cb991b3f0d8b5c98b456f

SHA1
2e26a23c047632e985ea9bc64e92687930828156

SHA256
ca54111e88b368c117fe3168dddb5f383b17beac9290ee35d19cd307060d46e9

SHA512
e869426232e2f2bfab72d041423703d293674fd9b3519a0254bee6eacccecb9626398f7eeaeefbcf887a1524d0fb53c6209038b0faeab800b00a766f39e4a816

Download Submit
C:\Users\Admin\AppData\Local\zO0KSEV\FileHistory.exe
MD5
2735b1264f7cb991b3f0d8b5c98b456f

SHA1
2e26a23c047632e985ea9bc64e92687930828156

SHA256
ca54111e88b368c117fe3168dddb5f383b17beac9290ee35d19cd307060d46e9

SHA512
e869426232e2f2bfab72d041423703d293674fd9b3519a0254bee6eacccecb9626398f7eeaeefbcf887a1524d0fb53c6209038b0faeab800b00a766f39e4a816

Download Submit
C:\Users\Admin\AppData\Local\zO0KSEV\UxTheme.dll
MD5
71d3dbd1842319a35e096b0cd4469e13

SHA1
7c78872c86b8862840fc9a2ac0e9971f3927b17b

SHA256
2e8785619ba2372e71fbaf1a041d39039a14e4e34e69ae18b82a41c5e8ea6dce

SHA512
570ee41cedcbe5404aea29e62d8377f6e44e341633a4589c7a57c76278c0b9522e76a9ce19564b11538661d1651abbbef939c7a83c2a90fd5366eed131048d36

Download Submit
\Users\Admin\AppData\Local\6uzQag\SLC.dll
MD5
7309d634d88be93d2cb6a99b81892bf5

SHA1
8a5a2a0e3e713eb7979e4972b6adb0c895360629

SHA256
9fd28169ff934cf4c9c0b9452d1d0179cbcab15c66056d8bfe1fbc6b029e432f

SHA512
8cd3885aec475879316a4ebeda039109b39ab65dadfed6632d80f6bc1549b1c87707d6ae2a4a96109e937b61feec4861aaf2f65f7413c14c20dcc03b7d1af755

Download Submit
\Users\Admin\AppData\Local\hEVS\MFC42u.dll
MD5
15d96b08ac21db48ff9f23e97ea68629

SHA1
55197b57cb93da95c8f2a78ee29349fa1acba517

SHA256
e16f470dfc66ef23c62174d3cd07e994670577d2d7d6bc8577dfcf20e4e402fa

SHA512
6340808d958f2ddee72e2b1fadfee9cad7858653266a433f875bcd5552c7184cff7acf7b3f11bbcaa8cc6fb75b97e4463579d9b2ad0f2d48ec1d3b64d7c2088b

Download Submit
\Users\Admin\AppData\Local\uvFf\FVEWIZ.dll
MD5
4b0e19b3f92927f6a7d4432ab1007833

SHA1
5355f8d17dfeb87f2d8856206cec84f4d49f39b8

SHA256
c5a7060ab70b69fb24ae599bb349d38383f1c3093048ebd350348eca1f6abf26

SHA512
ac2b5f11987e842d16d33a5b28bff15796c604dca8952419c2d8c2e3c4a2795b829df6ec2bc0c3c47205fef26dd4eb39f69a2d66799ccdd060ed36a0984feae3

Download Submit
\Users\Admin\AppData\Local\zO0KSEV\UxTheme.dll
MD5
71d3dbd1842319a35e096b0cd4469e13

SHA1
7c78872c86b8862840fc9a2ac0e9971f3927b17b

SHA256
2e8785619ba2372e71fbaf1a041d39039a14e4e34e69ae18b82a41c5e8ea6dce

SHA512
570ee41cedcbe5404aea29e62d8377f6e44e341633a4589c7a57c76278c0b9522e76a9ce19564b11538661d1651abbbef939c7a83c2a90fd5366eed131048d36

Download Submit
memory/780-181-0x00007FFA8B310000-0x00007FFA8B43C000-memory.dmp

Download
memory/780-186-0x0000016CB6EF0000-0x0000016CB6EF2000-memory.dmp

Download
memory/780-185-0x0000016CB6EF0000-0x0000016CB6EF2000-memory.dmp

Download
memory/780-187-0x0000016CB6EF0000-0x0000016CB6EF2000-memory.dmp

Download
memory/780-177-0x0000000000000000-mapping.dmp

Download
memory/1780-176-0x00007FF7F74C0000-0x00007FF7F74C1000-memory.dmp

Download
memory/1780-171-0x00007FFA8B2A0000-0x00007FFA8B3CC000-memory.dmp

Download
memory/1780-167-0x0000000000000000-mapping.dmp

Download
memory/2012-188-0x0000000000000000-mapping.dmp

Download
memory/2012-197-0x000001D5B5E60000-0x000001D5B5E62000-memory.dmp

Download
memory/2012-196-0x000001D5B5E60000-0x000001D5B5E62000-memory.dmp

Download
memory/2012-192-0x00007FFA8B180000-0x00007FFA8B2B2000-memory.dmp

Download
memory/2088-165-0x0000027B59860000-0x0000027B59862000-memory.dmp

Download
memory/2088-160-0x00007FFA8B1A0000-0x00007FFA8B2CC000-memory.dmp

Download
memory/2088-166-0x0000027B59860000-0x0000027B59862000-memory.dmp

Download
memory/2088-155-0x0000000000000000-mapping.dmp

Download
memory/2088-164-0x0000027B59860000-0x0000027B59862000-memory.dmp

Download
memory/3024-140-0x0000000140000000-0x000000014012B000-memory.dmp

Download
memory/3024-153-0x00007FFA99115000-0x00007FFA99116000-memory.dmp

Download
memory/3024-152-0x00000000007B0000-0x00000000007B2000-memory.dmp

Download
memory/3024-146-0x0000000140000000-0x000000014012B000-memory.dmp

Download
memory/3024-145-0x0000000140000000-0x000000014012B000-memory.dmp

Download
memory/3024-144-0x0000000140000000-0x000000014012B000-memory.dmp

Download
memory/3024-151-0x00000000007B0000-0x00000000007B2000-memory.dmp

Download
memory/3024-159-0x00007FFA99030000-0x00007FFA99040000-memory.dmp

Download
memory/3024-143-0x0000000140000000-0x000000014012B000-memory.dmp

Download
memory/3024-141-0x0000000140000000-0x000000014012B000-memory.dmp

Download
memory/3024-154-0x00000000007B0000-0x00000000007B2000-memory.dmp

Download
memory/3024-139-0x0000000140000000-0x000000014012B000-memory.dmp

Download
memory/3024-138-0x0000000140000000-0x000000014012B000-memory.dmp

Download
memory/3024-137-0x0000000140000000-0x000000014012B000-memory.dmp

Download
memory/3024-136-0x0000000140000000-0x000000014012B000-memory.dmp

Download
memory/3024-135-0x0000000140000000-0x000000014012B000-memory.dmp

Download
memory/3024-133-0x0000000140000000-0x000000014012B000-memory.dmp

Download
memory/3024-132-0x0000000140000000-0x000000014012B000-memory.dmp

Download
memory/3024-131-0x0000000140000000-0x000000014012B000-memory.dmp

Download
memory/3024-130-0x0000000140000000-0x000000014012B000-memory.dmp

Download
memory/3024-129-0x0000000140000000-0x000000014012B000-memory.dmp

Download
memory/3024-128-0x0000000140000000-0x000000014012B000-memory.dmp

Download
memory/3024-127-0x0000000140000000-0x000000014012B000-memory.dmp

Download
memory/3024-126-0x0000000140000000-0x000000014012B000-memory.dmp

Download
memory/3024-123-0x0000000140000000-0x000000014012B000-memory.dmp

Download
memory/3024-124-0x0000000140000000-0x000000014012B000-memory.dmp

Download
memory/3024-122-0x0000000000790000-0x0000000000791000-memory.dmp

Download
memory/3024-125-0x0000000140000000-0x000000014012B000-memory.dmp

Download
memory/3024-142-0x0000000140000000-0x000000014012B000-memory.dmp

Download
memory/3024-134-0x0000000140000000-0x000000014012B000-memory.dmp

Download
memory/3168-121-0x0000020F69F80000-0x0000020F69F87000-memory.dmp

Download
memory/3168-120-0x0000020F69F90000-0x0000020F69F92000-memory.dmp

Download
memory/3168-119-0x0000020F69F90000-0x0000020F69F92000-memory.dmp

Download
memory/3168-115-0x00007FFA8B310000-0x00007FFA8B43B000-memory.dmp

Download

b00840048749257957b81d41979187a60a83d52fbe57998630873729a94ffd79

Filter: none

Description

Tags

Description

Tags

Reported IOCs

Reported IOCs

Reported IOCs

Tags

TTPs

Reported IOCs

Tags

TTPs

Reported IOCs

Reported IOCs

Reported IOCs

Reported IOCs

Title