02a28f4bc46d29f2ae0c82813839b3f5661a26937bef1a5c2d9fc8f05406da26.dll

General

Target: 02a28f4bc46d29f2ae0c82813839b3f5661a26937bef1a5c2d9fc8f05406da26.dll
Filesize: 1MB
Completed: 03-12-2021 10:31
Score: 10/10
MD5: 6f35fe576a7c7bc71651a0ee2e76cb85
SHA1: b240f9008cfca0bc90865363a8fd5a56ed051435
SHA256: 02a28f4bc46d29f2ae0c82813839b3f5661a26937bef1a5c2d9fc8f05406da26

Malware Config

Signatures (11)

Tactics: Defense Evasion, Discovery, Persistence

  • Dridex

    Description

    Dridex (known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode

    Description

    Detects Dridex Payload shellcode injected in Explorer process.

    Reported IOCs

    resource | yara_rule
    behavioral2/memory/3020-121-0x00000000005E0000-0x00000000005E1000-memory.dmp | dridex_stager_shellcode
  • Executes dropped EXE
    perfmon.exe, eudcedit.exe, SystemPropertiesProtection.exe

    Reported IOCs

    pid | process
    2276 | perfmon.exe
    3760 | eudcedit.exe
    3488 | SystemPropertiesProtection.exe
  • Loads dropped DLL
    perfmon.exe, eudcedit.exe, SystemPropertiesProtection.exe

    Reported IOCs

    pid | process
    2276 | perfmon.exe
    3760 | eudcedit.exe
    3488 | SystemPropertiesProtection.exe
  • Adds Run key to start application

    TTPs

    Registry Run Keys / Startup Folder; Modify Registry

    Reported IOCs

    description | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\Slqggwbvaxk = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\CloudStore\\pFW0lV9\\eudcedit.exe" |
  • Checks whether UAC is enabled
    rundll32.exe, perfmon.exe, eudcedit.exe, SystemPropertiesProtection.exe

    TTPs

    System Information Discovery

    Reported IOCs

    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | perfmon.exe
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | eudcedit.exe
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | SystemPropertiesProtection.exe
  • Modifies registry class

    Reported IOCs

    description | ioc | process
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance |
    Key created | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance |
  • Suspicious behavior: EnumeratesProcesses
    rundll32.exe

    Reported IOCs

    pid | process
    2716 | rundll32.exe (4 identical events)
    3020 | (no process name listed; 60 identical events)
  • Suspicious behavior: GetForegroundWindowSpam
    rundll32.exe, perfmon.exe, eudcedit.exe, SystemPropertiesProtection.exe

    Reported IOCs

    pid | process
    2716 | rundll32.exe
    3020 |
    2276 | perfmon.exe
    3760 | eudcedit.exe
    3488 | SystemPropertiesProtection.exe
  • Suspicious use of AdjustPrivilegeToken

    Reported IOCs

    description | pid | process
    Token: SeShutdownPrivilege | 3020 |
    Token: SeCreatePagefilePrivilege | 3020 |
    Token: SeShutdownPrivilege | 3020 |
    Token: SeCreatePagefilePrivilege | 3020 |
  • Suspicious use of WriteProcessMemory

    Reported IOCs

    description | pid | process | target process
    PID 3020 wrote to memory of 1948 | 3020 | | perfmon.exe (2 identical events)
    PID 3020 wrote to memory of 2276 | 3020 | | perfmon.exe (2 identical events)
    PID 3020 wrote to memory of 1528 | 3020 | | eudcedit.exe (2 identical events)
    PID 3020 wrote to memory of 3760 | 3020 | | eudcedit.exe (2 identical events)
    PID 3020 wrote to memory of 3500 | 3020 | | SystemPropertiesProtection.exe (2 identical events)
    PID 3020 wrote to memory of 3488 | 3020 | | SystemPropertiesProtection.exe (2 identical events)
Processes (7)
  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\02a28f4bc46d29f2ae0c82813839b3f5661a26937bef1a5c2d9fc8f05406da26.dll,#1
    Checks whether UAC is enabled
    Suspicious behavior: EnumeratesProcesses
    Suspicious behavior: GetForegroundWindowSpam
    PID:2716
  • C:\Windows\system32\perfmon.exe
    C:\Windows\system32\perfmon.exe
    PID:1948
  • C:\Users\Admin\AppData\Local\hjrx9kuC\perfmon.exe
    C:\Users\Admin\AppData\Local\hjrx9kuC\perfmon.exe
    Executes dropped EXE
    Loads dropped DLL
    Checks whether UAC is enabled
    Suspicious behavior: GetForegroundWindowSpam
    PID:2276
  • C:\Windows\system32\eudcedit.exe
    C:\Windows\system32\eudcedit.exe
    PID:1528
  • C:\Users\Admin\AppData\Local\KiPgnYWi\eudcedit.exe
    C:\Users\Admin\AppData\Local\KiPgnYWi\eudcedit.exe
    Executes dropped EXE
    Loads dropped DLL
    Checks whether UAC is enabled
    Suspicious behavior: GetForegroundWindowSpam
    PID:3760
  • C:\Windows\system32\SystemPropertiesProtection.exe
    C:\Windows\system32\SystemPropertiesProtection.exe
    PID:3500
  • C:\Users\Admin\AppData\Local\egtlNW\SystemPropertiesProtection.exe
    C:\Users\Admin\AppData\Local\egtlNW\SystemPropertiesProtection.exe
    Executes dropped EXE
    Loads dropped DLL
    Checks whether UAC is enabled
    Suspicious behavior: GetForegroundWindowSpam
    PID:3488
Network
MITRE ATT&CK Matrix

Collection, Command and Control, Credential Access, Defense Evasion, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Privilege Escalation
Downloads

  • C:\Users\Admin\AppData\Local\KiPgnYWi\MFC42u.dll
    MD5: 33fef8f6ca2637a2ea3a83a5770c6bc0
    SHA1: b9f349fe396e74ff9f143382c6f18be38ff54b4e
    SHA256: 0a401b7e55529b5faa8d1d1d10b49fea4dadf31280ac706d73d6826c441f6285
    SHA512: db6a157bd8b5fbdf24f1138737af4b9e3fdab25e50cb5befc048978cc96c0ae9b4504caa426f0c6235a07755a34aff4a490d54891b130f975069f6a8e6b89dde

  • C:\Users\Admin\AppData\Local\KiPgnYWi\eudcedit.exe
    MD5: 91d59a7cad942eacccc0788bde9d69da
    SHA1: 62987649e35257a4230abc5081acdcf3049b0c4c
    SHA256: ca4c171a40af34d3dc0b21e0206054f002b340359403f393d7c8616220c22416
    SHA512: e3b5fe3c5a959e3fe3760af4dc7bf2af4af3bb1df23ba622296cd09d32c3ebfec6f60648346a5f38537af1e88fce424888b6d4f2ba530c578989f7c3e02c80a0

  • C:\Users\Admin\AppData\Local\egtlNW\SYSDM.CPL
    MD5: dad65d5746e5f2eb5a0aefc2c76e442a
    SHA1: a349373af21b131a2bbc489f97aad408a64b2518
    SHA256: 0b5e918d3b4ecfb01e933925b7022650186119ebd656982f988dc7dfd43c64e9
    SHA512: d8364b62d9c8b97cd58c2e3f777b8a53c525d452ce2780447114d456560b76f040e7fe3649088c3d1a4a45f44f592465652327d4a1eac689833310e6ab0c7cd2

  • C:\Users\Admin\AppData\Local\egtlNW\SystemPropertiesProtection.exe
    MD5: 37cc1b52d2032ec2546dc917a94167b4
    SHA1: b5d0c21df373f323d5c9459a937a2aeaa66150ef
    SHA256: d4b843ae6d94dfe8835925c4ec9ff42529bbb8fe3552cd5e819d8f332c24a884
    SHA512: 53f793900085e8e5c879876bd99043178cdf8f943df3d5c7faf9560abc6ae016bd208e393d7b66d7283a1d2363bf24e894c31b205db1065f900b8552cc809b2e

  • C:\Users\Admin\AppData\Local\hjrx9kuC\credui.dll
    MD5: a3b2a3cf5677081f905d0479309d52f9
    SHA1: ce2b224919bca63ff034eabcb77762d43b8725f0
    SHA256: 053279af997ec02814a1732cd1258ddb9f83f217ed1d7be61636e82a7db7cb09
    SHA512: 1ea6509a9485ecf8ebfef042d8ecc6d66c96cf84318b005fa32044378033337d45c3906879cf044b85f5e446f5b10b000ab5ef3aadbd829683e201f9be9dc549

  • C:\Users\Admin\AppData\Local\hjrx9kuC\perfmon.exe
    MD5: 5b619c07379e411fd60ceb0aecc2bfbd
    SHA1: bea9cd0602a2100902f5454557dd804698f13d35
    SHA256: 85b315c8293f61e9462d832d2fb2d61dc1e900a36965d9a15b6f7c86cdadf7aa
    SHA512: 63e3d7c6f4dc483f7eb0675b8c43bb2dfb64c8fdf8a9e48044959b893e5bb3d5f4a9b6d4b884206ac8bf262322ba18507d725cdbf3268c86537f562b3936e796

  • \Users\Admin\AppData\Local\KiPgnYWi\MFC42u.dll
    MD5: 33fef8f6ca2637a2ea3a83a5770c6bc0
    SHA1: b9f349fe396e74ff9f143382c6f18be38ff54b4e
    SHA256: 0a401b7e55529b5faa8d1d1d10b49fea4dadf31280ac706d73d6826c441f6285
    SHA512: db6a157bd8b5fbdf24f1138737af4b9e3fdab25e50cb5befc048978cc96c0ae9b4504caa426f0c6235a07755a34aff4a490d54891b130f975069f6a8e6b89dde

  • \Users\Admin\AppData\Local\egtlNW\SYSDM.CPL
    MD5: dad65d5746e5f2eb5a0aefc2c76e442a
    SHA1: a349373af21b131a2bbc489f97aad408a64b2518
    SHA256: 0b5e918d3b4ecfb01e933925b7022650186119ebd656982f988dc7dfd43c64e9
    SHA512: d8364b62d9c8b97cd58c2e3f777b8a53c525d452ce2780447114d456560b76f040e7fe3649088c3d1a4a45f44f592465652327d4a1eac689833310e6ab0c7cd2

  • \Users\Admin\AppData\Local\hjrx9kuC\credui.dll
    MD5: a3b2a3cf5677081f905d0479309d52f9
    SHA1: ce2b224919bca63ff034eabcb77762d43b8725f0
    SHA256: 053279af997ec02814a1732cd1258ddb9f83f217ed1d7be61636e82a7db7cb09
    SHA512: 1ea6509a9485ecf8ebfef042d8ecc6d66c96cf84318b005fa32044378033337d45c3906879cf044b85f5e446f5b10b000ab5ef3aadbd829683e201f9be9dc549

  • memory/2276-159-0x00000247AD4A0000-0x00000247AD4A2000-memory.dmp
  • memory/2276-160-0x00000247AD4A0000-0x00000247AD4A2000-memory.dmp
  • memory/2276-152-0x0000000000000000-mapping.dmp
  • memory/2276-156-0x0000000140000000-0x000000014010A000-memory.dmp
  • memory/2276-161-0x00000247AD4A0000-0x00000247AD4A2000-memory.dmp
  • memory/2716-118-0x00000202748F0000-0x00000202748F2000-memory.dmp
  • memory/2716-119-0x00000202748F0000-0x00000202748F2000-memory.dmp
  • memory/2716-115-0x0000000140000000-0x0000000140109000-memory.dmp
  • memory/2716-120-0x00000202748E0000-0x00000202748E7000-memory.dmp
  • memory/3020-133-0x0000000140000000-0x0000000140109000-memory.dmp
  • memory/3020-136-0x0000000140000000-0x0000000140109000-memory.dmp
  • memory/3020-137-0x0000000140000000-0x0000000140109000-memory.dmp
  • memory/3020-135-0x0000000140000000-0x0000000140109000-memory.dmp
  • memory/3020-139-0x0000000140000000-0x0000000140109000-memory.dmp
  • memory/3020-140-0x0000000140000000-0x0000000140109000-memory.dmp
  • memory/3020-141-0x0000000140000000-0x0000000140109000-memory.dmp
  • memory/3020-148-0x0000000000820000-0x0000000000822000-memory.dmp
  • memory/3020-147-0x0000000000820000-0x0000000000822000-memory.dmp
  • memory/3020-134-0x0000000140000000-0x0000000140109000-memory.dmp
  • memory/3020-150-0x0000000000820000-0x0000000000822000-memory.dmp
  • memory/3020-151-0x00007FFDD2430000-0x00007FFDD2432000-memory.dmp
  • memory/3020-132-0x0000000140000000-0x0000000140109000-memory.dmp
  • memory/3020-129-0x0000000140000000-0x0000000140109000-memory.dmp
  • memory/3020-131-0x0000000140000000-0x0000000140109000-memory.dmp
  • memory/3020-149-0x00007FFDD22F5000-0x00007FFDD22F6000-memory.dmp
  • memory/3020-130-0x0000000140000000-0x0000000140109000-memory.dmp
  • memory/3020-122-0x0000000140000000-0x0000000140109000-memory.dmp
  • memory/3020-128-0x0000000140000000-0x0000000140109000-memory.dmp
  • memory/3020-127-0x0000000140000000-0x0000000140109000-memory.dmp
  • memory/3020-126-0x0000000140000000-0x0000000140109000-memory.dmp
  • memory/3020-125-0x0000000140000000-0x0000000140109000-memory.dmp
  • memory/3020-121-0x00000000005E0000-0x00000000005E1000-memory.dmp
  • memory/3020-182-0x0000000000820000-0x0000000000822000-memory.dmp
  • memory/3020-123-0x0000000140000000-0x0000000140109000-memory.dmp
  • memory/3020-138-0x0000000140000000-0x0000000140109000-memory.dmp
  • memory/3020-124-0x0000000140000000-0x0000000140109000-memory.dmp
  • memory/3488-180-0x00000244D9630000-0x00000244D9632000-memory.dmp
  • memory/3488-172-0x0000000000000000-mapping.dmp
  • memory/3488-179-0x00000244D9630000-0x00000244D9632000-memory.dmp
  • memory/3488-181-0x00000244D9630000-0x00000244D9632000-memory.dmp
  • memory/3760-169-0x000001B4E46E0000-0x000001B4E46E2000-memory.dmp
  • memory/3760-166-0x0000000140000000-0x0000000140110000-memory.dmp
  • memory/3760-162-0x0000000000000000-mapping.dmp
  • memory/3760-171-0x000001B4E46E0000-0x000001B4E46E2000-memory.dmp
  • memory/3760-170-0x000001B4E46E0000-0x000001B4E46E2000-memory.dmp