Analysis

  • max time kernel: 155s
  • max time network: 127s
  • platform: windows10_x64
  • resource: win10-en-20211104
  • submitted: 26-11-2021 09:32

General

  • Target: 3e01cc84e691f32494b07ecb3468cbb5d9c085488fe0a5b8110f80071fcaf180.dll
  • Size: 1.2MB
  • MD5: 93c7117d555fe4e4790b02958ddcee41
  • SHA1: d7eaacfdc572f9bcdb295eae11881fffe72b0a43
  • SHA256: 3e01cc84e691f32494b07ecb3468cbb5d9c085488fe0a5b8110f80071fcaf180
  • SHA512: 9cd85e1eebbed1adfd5f56a9b72dd719f506b7dfbba798581776b1a310d8bd140441c345006d4792467616cb7b4c94ada7689bf3e10de72dac9a1bac1047226c

Signatures

  • Dridex
    Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode (1 IoC)
    Detects Dridex payload shellcode injected into the Explorer process.

  • Executes dropped EXE (3 IoCs)
  • Loads dropped DLL (3 IoCs)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Checks whether UAC is enabled (1 TTP, 3 IoCs)
  • Modifies registry class (2 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (8 IoCs)
  • Suspicious use of WriteProcessMemory (12 IoCs)

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\3e01cc84e691f32494b07ecb3468cbb5d9c085488fe0a5b8110f80071fcaf180.dll
    • Suspicious behavior: EnumeratesProcesses
    PID: 3480
  • C:\Windows\system32\psr.exe
    C:\Windows\system32\psr.exe
    PID: 376
    • C:\Users\Admin\AppData\Local\G6zs3\psr.exe
      C:\Users\Admin\AppData\Local\G6zs3\psr.exe
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      • Suspicious behavior: EnumeratesProcesses
      PID: 872
    • C:\Windows\system32\Magnify.exe
      C:\Windows\system32\Magnify.exe
      PID: 3304
      • C:\Users\Admin\AppData\Local\SRqb\Magnify.exe
        C:\Users\Admin\AppData\Local\SRqb\Magnify.exe
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID: 388
      • C:\Windows\system32\SystemPropertiesComputerName.exe
        C:\Windows\system32\SystemPropertiesComputerName.exe
        PID: 3188
        • C:\Users\Admin\AppData\Local\nfyi\SystemPropertiesComputerName.exe
          C:\Users\Admin\AppData\Local\nfyi\SystemPropertiesComputerName.exe
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID: 2396

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence: Registry Run Keys / Startup Folder, T1060 (1)
  • Defense Evasion: Modify Registry, T1112 (1)
  • Discovery: System Information Discovery, T1082 (1)

Downloads

  • C:\Users\Admin\AppData\Local\G6zs3\XmlLite.dll
    MD5: 7c998611b3befed5882bf18a7d83b89f
    SHA1: 2c16ae5e277c81bf1ed89db28d0c6595c152df84
    SHA256: 1f448d0de6e46631a038bbe3d052878b428a49a0cedc803ba2478044e19c018b
    SHA512: 9f38210bb55ceffe0bd8a5b9ce8e186fc2dc83c274cb869dcbfa6f3fffa38e21df4cd5ab2bae73fa7ec5afd741c664d7fa2d15e8e80fe2be677105866fd9e69e

  • C:\Users\Admin\AppData\Local\G6zs3\psr.exe
    MD5: 264a61b365dd314f3c82d1efba60fe17
    SHA1: 9a778a13f5e85d7c5bf2e21ceb398ae0a4300ffa
    SHA256: 880fafbd4087442964a7780331a0e8dd43b78e2106e9df545f0432d4aa15ce93
    SHA512: 9b26021b49ed0f8cfb05d9c8f5e0cec7beaebe9ee14acfc3237cec1255bb9e6a4f5f7a6b902f3d561bbbac7489f64e5a39f498261eef7e93178be97f9cc15e3c

  • C:\Users\Admin\AppData\Local\SRqb\DUI70.dll
    MD5: ea382dbff2b82303573d3202aef27e6f
    SHA1: f037860f1295395ea6426581017d6524bd5348d4
    SHA256: 0c31073f7770365c1a423311089e35b07a62bca14fe137c557c2c6aff2a0b34f
    SHA512: 7a6d921a48a5652a6aa2d5012a2db349ad938414c7bfc155d6b3e920c03c92bf87a4bda3f5119a199177372487c885f91ba9e92fbac80b2bcb5f130ccc326b47

  • C:\Users\Admin\AppData\Local\SRqb\Magnify.exe
    MD5: 0c3925b9a284f0dd02571d0d2bca19ee
    SHA1: a73451bb2ddd09397cb7737d36a75c0cdfdf9d51
    SHA256: 41e91d736995628275261aa1adb14158e0783b36c913ef5fc681da105a4272cc
    SHA512: db02a3211b1b2cf7b10cd70148404106be6cb4a63c7c0c0526256f983c3ad756c157a67848173208e7c0d88a8f34b73c42d37b24f5cc1f9da66731731a534a72

  • C:\Users\Admin\AppData\Local\nfyi\SYSDM.CPL
    MD5: 1123f9cbd30301f28e5cf8ca8e7a8480
    SHA1: a6f8c9827e609762632f26b6243333c92104347b
    SHA256: 4fb58d3f0bf1e09d8af8c81708bbbf2b4488c633276abc0e679c208c091e02e4
    SHA512: 35abd3090f4e4941908b0bc991b62441e9ba9e0faf2f1eee6e540313752d8ff6aa750d7f1ebca2967682d40786dcda363ea3bb11c3bd7327f51bd11b60014070

  • C:\Users\Admin\AppData\Local\nfyi\SystemPropertiesComputerName.exe
    MD5: d2d62d055f517f71b0fd9a649727ff6c
    SHA1: 43f627215d57e0396ad74e9b0ed4bd29f60fca33
    SHA256: 222d3d4f7c8f64beb0a0007120b4411c2040c50e1d376420228151bdd230fe7d
    SHA512: f46e02a465425a148fcd4be5fda0889c412eeab4c50abf9874b3ee02af83c96403167c99aa57961e1c631a5a7a5070e8a1c363688581ff83ed176b4206564cd0
