02a28f4bc46d29f2ae0c82813839b3f5661a26937bef1a5c2d9fc8f05406da26.dll

General

Target: 02a28f4bc46d29f2ae0c82813839b3f5661a26937bef1a5c2d9fc8f05406da26.dll
Filesize: 1MB
Completed: 03-12-2021 10:31
Score: 10/10
MD5: 6f35fe576a7c7bc71651a0ee2e76cb85
SHA1: b240f9008cfca0bc90865363a8fd5a56ed051435
SHA256: 02a28f4bc46d29f2ae0c82813839b3f5661a26937bef1a5c2d9fc8f05406da26

Malware Config
Signatures 9

  • Dridex

    Description

    Dridex (also known as Bugat/Cridex) is a banking trojan that specializes in stealing online-banking credentials.

  • Dridex Shellcode

    Description

    Detects Dridex payload shellcode injected into the Explorer process.

    Reported IOCs

    resource: behavioral1/memory/1204-59-0x0000000001DE0000-0x0000000001DE1000-memory.dmp
    yara_rule: dridex_stager_shellcode
  • Executes dropped EXE
    taskmgr.exe, SnippingTool.exe, msinfo32.exe, Magnify.exe

    Reported IOCs

    pid    process
    1508   taskmgr.exe
    1200   SnippingTool.exe
    916    msinfo32.exe
    1824   Magnify.exe
  • Loads dropped DLL
    taskmgr.exe, SnippingTool.exe, msinfo32.exe, Magnify.exe

    Reported IOCs

    pid    process
    1204   (no process name in report)
    1508   taskmgr.exe
    1204   (no process name in report)
    1200   SnippingTool.exe
    1204   (no process name in report)
    916    msinfo32.exe
    1204   (no process name in report)
    1824   Magnify.exe
    1204   (no process name in report)
  • Adds Run key to start application

    TTPs

    Registry Run Keys / Startup Folder; Modify Registry

    Reported IOCs

    description: Set value (str)
    ioc: \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows\CurrentVersion\Run\Gpavvclvseucyal = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\FLASHP~1\\EXO1OD~1\\msinfo32.exe"
    process: (not recorded in report)
  • Checks whether UAC is enabled
    rundll32.exe, taskmgr.exe, SnippingTool.exe, msinfo32.exe, Magnify.exe

    TTPs

    System Information Discovery

    Reported IOCs

    description: Key value queried
    ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
    process: rundll32.exe, taskmgr.exe, SnippingTool.exe, msinfo32.exe, Magnify.exe (one query per process)
  • Suspicious behavior: EnumeratesProcesses
    rundll32.exe

    Reported IOCs

    pid    process
    1540   rundll32.exe (3 events)
    1204   (no process name in report; 61 events)
  • Suspicious behavior: GetForegroundWindowSpam
    rundll32.exe, taskmgr.exe, SnippingTool.exe, msinfo32.exe, Magnify.exe

    Reported IOCs

    pid    process
    1540   rundll32.exe
    1204   (no process name in report)
    1508   taskmgr.exe
    1200   SnippingTool.exe
    916    msinfo32.exe
    1824   Magnify.exe
  • Suspicious use of WriteProcessMemory

    Reported IOCs

    description                        pid    process                        target process
    PID 1204 wrote to memory of 1140   1204   (no process name in report)    taskmgr.exe (3 events)
    PID 1204 wrote to memory of 1508   1204   (no process name in report)    taskmgr.exe (3 events)
    PID 1204 wrote to memory of 1412   1204   (no process name in report)    SnippingTool.exe (3 events)
    PID 1204 wrote to memory of 1200   1204   (no process name in report)    SnippingTool.exe (3 events)
    PID 1204 wrote to memory of 1036   1204   (no process name in report)    msinfo32.exe (3 events)
    PID 1204 wrote to memory of 916    1204   (no process name in report)    msinfo32.exe (3 events)
    PID 1204 wrote to memory of 1916   1204   (no process name in report)    Magnify.exe (3 events)
    PID 1204 wrote to memory of 1824   1204   (no process name in report)    Magnify.exe (3 events)
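The table above shows a single writer, PID 1204 (the process the Dridex Shellcode signature places in Explorer), writing into both the System32 instance and the AppData instance of each of four Windows binaries. The following is an added example, not part of the sandbox report and not a vendor rule, that turns that pattern into a correlation check. WRITE_EVENTS is constructed by joining the report's WriteProcessMemory rows with its process list; the tuple layout and the directory classes are assumptions.

```python
"""Correlate cross-process memory writes with where the target image lives.

Added example, not part of the sandbox report and not a vendor rule.
WRITE_EVENTS is constructed by joining the report's "Suspicious use of
WriteProcessMemory" rows with its process list (writer PID 1204; target PIDs
and image paths); the tuple layout and the directory classes are assumptions.
"""
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed from the report: (writer_pid, target_pid, target_image_path),
# one row per distinct pair (the report lists each pair three times).
WRITE_EVENTS = [
    (1204, 1140, r"C:\Windows\system32\taskmgr.exe"),
    (1204, 1508, r"C:\Users\Admin\AppData\Local\Idormc5Q\taskmgr.exe"),
    (1204, 1412, r"C:\Windows\system32\SnippingTool.exe"),
    (1204, 1200, r"C:\Users\Admin\AppData\Local\Yo75xUuUa\SnippingTool.exe"),
    (1204, 1036, r"C:\Windows\system32\msinfo32.exe"),
    (1204, 916, r"C:\Users\Admin\AppData\Local\FEspKuw\msinfo32.exe"),
    (1204, 1916, r"C:\Windows\system32\Magnify.exe"),
    (1204, 1824, r"C:\Users\Admin\AppData\Local\EDAp\Magnify.exe"),
]

SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}


def image_location(path):
    """Classify an image path as 'system' (System32/SysWOW64), 'user'
    (under a profile AppData or a Temp directory) or 'other'."""
    wp = PureWindowsPath(path)
    if str(wp.parent).lower() in SYSTEM_DIRS:
        return "system"
    lowered = {p.lower() for p in wp.parts}
    if "appdata" in lowered or "temp" in lowered:
        return "user"
    return "other"


def find_side_load_pairs(events, min_pairs=2):
    """For each writer PID, collect binary names it wrote into both a
    system-directory instance and a user-directory instance. Writers with
    at least min_pairs such names are returned as {writer_pid: [names]}."""
    seen = defaultdict(lambda: defaultdict(set))
    for writer, _target, image in events:
        name = PureWindowsPath(image).name.lower()
        seen[writer][name].add(image_location(image))
    hits = {}
    for writer, names in seen.items():
        pairs = sorted(n for n, where in names.items() if {"system", "user"} <= where)
        if len(pairs) >= min_pairs:
            hits[writer] = pairs
    return hits


def fan_out(events):
    """Distinct target PIDs per writer: the coarser signal that a single
    process is seeding many others."""
    targets = defaultdict(set)
    for writer, target, _image in events:
        targets[writer].add(target)
    return {w: len(t) for w, t in targets.items()}


if __name__ == "__main__":
    print("fan-out:", fan_out(WRITE_EVENTS))
    print("system/user pairs:", find_side_load_pairs(WRITE_EVENTS))
```

On a live host the writer/target/image join is not available from a WriteProcessMemory log as such: Sysmon does not record that call directly, and the nearest proxy is Event ID 10 (ProcessAccess) with a GrantedAccess mask that includes PROCESS_VM_WRITE (0x20), joined to Event ID 1 for the target's image path. The pairing rule is deliberately stricter than raw fan-out so that a legitimate debugger or AV engine touching many processes does not fire it.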
Processes 9
  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\02a28f4bc46d29f2ae0c82813839b3f5661a26937bef1a5c2d9fc8f05406da26.dll,#1
    Checks whether UAC is enabled
    Suspicious behavior: EnumeratesProcesses
    Suspicious behavior: GetForegroundWindowSpam
    PID:1540
  • C:\Windows\system32\taskmgr.exe
    C:\Windows\system32\taskmgr.exe
    PID:1140
  • C:\Users\Admin\AppData\Local\Idormc5Q\taskmgr.exe
    C:\Users\Admin\AppData\Local\Idormc5Q\taskmgr.exe
    Executes dropped EXE
    Loads dropped DLL
    Checks whether UAC is enabled
    Suspicious behavior: GetForegroundWindowSpam
    PID:1508
  • C:\Windows\system32\SnippingTool.exe
    C:\Windows\system32\SnippingTool.exe
    PID:1412
  • C:\Users\Admin\AppData\Local\Yo75xUuUa\SnippingTool.exe
    C:\Users\Admin\AppData\Local\Yo75xUuUa\SnippingTool.exe
    Executes dropped EXE
    Loads dropped DLL
    Checks whether UAC is enabled
    Suspicious behavior: GetForegroundWindowSpam
    PID:1200
  • C:\Windows\system32\msinfo32.exe
    C:\Windows\system32\msinfo32.exe
    PID:1036
  • C:\Users\Admin\AppData\Local\FEspKuw\msinfo32.exe
    C:\Users\Admin\AppData\Local\FEspKuw\msinfo32.exe
    Executes dropped EXE
    Loads dropped DLL
    Checks whether UAC is enabled
    Suspicious behavior: GetForegroundWindowSpam
    PID:916
  • C:\Windows\system32\Magnify.exe
    C:\Windows\system32\Magnify.exe
    PID:1916
  • C:\Users\Admin\AppData\Local\EDAp\Magnify.exe
    C:\Users\Admin\AppData\Local\EDAp\Magnify.exe
    Executes dropped EXE
    Loads dropped DLL
    Checks whether UAC is enabled
    Suspicious behavior: GetForegroundWindowSpam
    PID:1824
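Each dropped executable above is a copy of a Windows binary placed in a random-named AppData\Local directory next to a DLL carrying the name of one of its normal dependencies (credui.dll, slc.dll, MFC42u.dll, MAGNIFICATION.dll in the Downloads list), and the Run key points at yet another such copy under Roaming. The following is an added example, not code from the sandbox or from the sample, that checks a file listing and Run-key values for that staging pattern. The inputs are constructed from the paths and the Run-key value in this report; SYSTEM_BINARIES is filled from the report's process list, whereas on a real host it would be built from listing %SystemRoot%\System32.

```python
"""Flag DLL side-loading staging directories and suspicious Run-key targets.

Added example, not code from the sandbox or from the sample. The input lists
are constructed from the dropped-file paths and the Run-key value shown in
this report; SYSTEM_BINARIES is filled from the report's process list here,
whereas on a real host it would be built from listing %SystemRoot%\\System32.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed from the report's Downloads section.
DROPPED_FILES = [
    r"C:\Users\Admin\AppData\Local\EDAp\MAGNIFICATION.dll",
    r"C:\Users\Admin\AppData\Local\EDAp\Magnify.exe",
    r"C:\Users\Admin\AppData\Local\FEspKuw\MFC42u.dll",
    r"C:\Users\Admin\AppData\Local\FEspKuw\msinfo32.exe",
    r"C:\Users\Admin\AppData\Local\Idormc5Q\credui.dll",
    r"C:\Users\Admin\AppData\Local\Idormc5Q\taskmgr.exe",
    r"C:\Users\Admin\AppData\Local\Yo75xUuUa\SnippingTool.exe",
    r"C:\Users\Admin\AppData\Local\Yo75xUuUa\slc.dll",
    r"\Users\Admin\AppData\Roaming\Mozilla\Extensions\T9\Magnify.exe",
]

# Constructed from the report's "Adds Run key" IOC (registry path = "value").
RUN_KEY_EVENTS = [
    r'\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows\CurrentVersion\Run\Gpavvclvseucyal = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\FLASHP~1\\EXO1OD~1\\msinfo32.exe"',
]

# Assumption: the Windows binaries this report shows being copied; a host
# scanner would populate this from the real System32 directory listing.
SYSTEM_BINARIES = {"taskmgr.exe", "snippingtool.exe", "msinfo32.exe", "magnify.exe"}

TRUSTED_ROOTS = {"windows", "program files", "program files (x86)"}


def in_trusted_root(path):
    """True if the first directory after any drive or root is a trusted root.
    Handles both 'C:\\...' and the drive-less '\\Users\\...' form."""
    wp = PureWindowsPath(path)
    parts = wp.parts[1:] if wp.anchor else wp.parts
    return bool(parts) and parts[0].lower() in TRUSTED_ROOTS


def side_load_candidates(paths, system_binaries):
    """Group files by directory; return untrusted directories that hold a copy
    of a system binary together with at least one DLL (the side-load pair)."""
    by_dir = defaultdict(list)
    for p in paths:
        wp = PureWindowsPath(p)
        by_dir[str(wp.parent).lower()].append(wp.name.lower())
    hits = {}
    for d, names in by_dir.items():
        if in_trusted_root(d):
            continue
        exes = sorted(n for n in names if n.endswith(".exe") and n in system_binaries)
        dlls = sorted(n for n in names if n.endswith(".dll"))
        if exes and dlls:
            hits[d] = {"exe": exes, "dll": dlls}
    return hits


RUN_VALUE_RE = re.compile(
    r'^(?P<key>\\REGISTRY\\.*?\\Run)\\(?P<name>[^\\=\s]+)\s*=\s*"(?P<target>.*)"$')


def check_run_values(events, system_binaries):
    """Parse 'key\\name = "target"' lines and list why each target is suspect."""
    findings = []
    for ev in events:
        m = RUN_VALUE_RE.match(ev)
        if not m:
            continue
        target = m.group("target").replace("\\\\", "\\")  # undo the report's escaping
        wp = PureWindowsPath(target)
        reasons = []
        if not in_trusted_root(wp):
            reasons.append("target outside trusted root")
            if wp.name.lower() in system_binaries:
                reasons.append("system binary name outside trusted root")
        if any("~" in part for part in wp.parts):
            reasons.append("8.3 short-name component in target path")
        if reasons:
            findings.append({"name": m.group("name"), "target": str(wp), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for d, pair in side_load_candidates(DROPPED_FILES, SYSTEM_BINARIES).items():
        print(d, pair)
    for f in check_run_values(RUN_KEY_EVENTS, SYSTEM_BINARIES):
        print(f["name"], f["target"], f["reasons"])
```

Two caveats the report itself illustrates: the Roaming\Mozilla\Extensions\T9\Magnify.exe copy has no co-located DLL in the dropped-file list, so the pairing rule does not flag it and a plain "system binary name outside a trusted root" check is still needed as a second, noisier tier; and the Run value uses 8.3 short names (FLASHP~1, EXO1OD~1), so any string match against the long-name form of that path would miss it.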
Network

(no entries in the extracted report)

MITRE ATT&CK Matrix

Tactic columns present in the report: Collection, Command and Control, Credential Access, Defense Evasion, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Privilege Escalation (no techniques are populated in the extracted matrix)

Downloads
• C:\Users\Admin\AppData\Local\EDAp\MAGNIFICATION.dll
  MD5: 3934c623d6832d85b52588a6f338ef20
  SHA1: 0fd4622f804192c1296b4d2d1b20b941e21730b5
  SHA256: 24acb6011e487fdcdccc8e5ec2d5aca48a86a5a7c79143c7641db24c922345c9
  SHA512: 6c5a6a8da3866d17a07807a92d60c76e9eb784669ffd30027cda5482e9f3824a29e90f341f7061b17bb417a3140fe66d996db58b65c9bbba8783fc776399dbb5

• C:\Users\Admin\AppData\Local\EDAp\Magnify.exe
  MD5: 233b45ddf77bd45e53872881cff1839b
  SHA1: d4b8cafce4664bb339859a90a9dd1506f831756d
  SHA256: adfd109ec03cd57e44dbd5fd1c4d8c47f8f58f887f690ba3c92f744b670fd75a
  SHA512: 6fb5f730633bfb2d063e6bc8cf37a7624bdcde2bd1d0c92b6b9a557484e7acf5d3a2be354808cade751f7ac5c5fe936e765f6494ef54b4fdb2725179f0d0fe39

• C:\Users\Admin\AppData\Local\FEspKuw\MFC42u.dll
  MD5: 198827532e775299366500bbdcf677ad
  SHA1: eb7ca63c1d152e6df6023d0de95be72ab94a7217
  SHA256: fedf0001d023744d7661df849239b58f3288a0e716372518e027b85d2cbc3d28
  SHA512: 3e888430568cc230e4ec81b826093ab764fb332023232937b6a7c00a8161eb92f36c075b29f691248bbbfea6c08d42493164a6425afc01c9f7f98d44c7dabb1e

• C:\Users\Admin\AppData\Local\FEspKuw\msinfo32.exe
  MD5: d291620d4c51c5f5ffa62ccdc52c5c13
  SHA1: 2081c97f15b1c2a2eadce366baf3c510da553cc7
  SHA256: 76e959dd7db31726c040d46cfa86b681479967aea36db5f625e80bd36422e8ae
  SHA512: 75f9bcce4c596dae1f4d78e13d9d53b0c31988d2170c3d9f5db352b8c8a1c8ca58f4a002b30a4b328b8f4769008b750b8a1c9fda44a582e11c3adc38345c334b

• C:\Users\Admin\AppData\Local\Idormc5Q\credui.dll
  MD5: 464ce5f9d99d9642345f11a38dd417aa
  SHA1: 14e67865bab57c2bd9cfd1590b6a394c44a79b98
  SHA256: 1f7d3ec63d529d262106e36c7d823fcf35779987bc7fe16ffb9ffe9cf19b6cb2
  SHA512: 6c26301e6cb84fd7be0ae8231e659aee0703fff5423d8cc4c89231b2992394c758c58b629ea44d980b3cb52cf9130ec5ad9890df85488c1b3352dee198752879

• C:\Users\Admin\AppData\Local\Idormc5Q\taskmgr.exe
  MD5: 09f7401d56f2393c6ca534ff0241a590
  SHA1: e8b4d84a28e5ea17272416ec45726964fdf25883
  SHA256: 6766717b8afafe46b5fd66c7082ccce6b382cbea982c73cb651e35dc8187ace1
  SHA512: 7187a27cd32c1b295c74e36e1b6148a31d602962448b18395a44a721d17daa7271d0cd198edb2ed05ace439746517ffb1bcc11c7f682e09b025c950ea7b83192

• C:\Users\Admin\AppData\Local\Yo75xUuUa\SnippingTool.exe
  MD5: 7633f554eeafde7f144b41c2fcaf5f63
  SHA1: 44497c3d6fada0066598a6170b90c53e28ddf96c
  SHA256: 890884c7fe7d037e6debd21d1877e9c9c5e7790cdba007ddb219ae6a55667f78
  SHA512: 7b61b6736c2c4f49d80f53c839914ad845f86a7d921fee1557e49aa7b4e9713e3483417d6c717eca155229bb6a90fc2253e1543cf05192aaf08262dc761fa203

• C:\Users\Admin\AppData\Local\Yo75xUuUa\slc.dll
  MD5: 935f28ece50d7eb9220fcd78acd66480
  SHA1: 421d4270813113eed243cf58bb314c6877c084a7
  SHA256: 30c2efa424dd812c6cdd5453648676fdb682ef598f6662928929bf79e7bd52e7
  SHA512: 63ca3d152e1d4348b3012996bd98808e86e97e7643d9cbc680b7bc2ecf4e73c8c4c1c4baa92c5cb1f8ca684f4b21dab85529ac3f45dbfeb8af9e3f2c9e3a4fc2

• \Users\Admin\AppData\Roaming\Mozilla\Extensions\T9\Magnify.exe (same hashes as EDAp\Magnify.exe)
  MD5: 233b45ddf77bd45e53872881cff1839b
  SHA1: d4b8cafce4664bb339859a90a9dd1506f831756d
  SHA256: adfd109ec03cd57e44dbd5fd1c4d8c47f8f58f887f690ba3c92f744b670fd75a
  SHA512: 6fb5f730633bfb2d063e6bc8cf37a7624bdcde2bd1d0c92b6b9a557484e7acf5d3a2be354808cade751f7ac5c5fe936e765f6494ef54b4fdb2725179f0d0fe39

• memory/916-105-0x0000000000000000-mapping.dmp
• memory/916-110-0x0000000140000000-0x0000000140110000-memory.dmp
• memory/1200-96-0x0000000000000000-mapping.dmp
• memory/1204-59-0x0000000001DE0000-0x0000000001DE1000-memory.dmp
• memory/1204-60 through memory/1204-79: 0x0000000140000000-0x0000000140109000-memory.dmp (20 dumps of the same region)
• memory/1204-85-0x0000000077470000-0x0000000077472000-memory.dmp
• memory/1508-87-0x0000000000000000-mapping.dmp
• memory/1508-89-0x000007FEFBB41000-0x000007FEFBB43000-memory.dmp
• memory/1508-92-0x0000000140000000-0x000000014010A000-memory.dmp
• memory/1540-55-0x0000000140000000-0x0000000140109000-memory.dmp
• memory/1540-58-0x0000000000290000-0x0000000000297000-memory.dmp
• memory/1824-114-0x0000000000000000-mapping.dmp