02a28f4bc46d29f2ae0c82813839b3f5661a26937bef1a5c2d9fc8f05406da26.dll

max time kernel62s
max time network26s
platformwindows10_x64
resourcewin10-en-20211014
submitted03-12-2021 10:30

Report
Files
Registry
Network
Processes
Mutex
Misc

Target

Filesize

1MB

Completed

03-12-2021 10:31

Score

10^/10

MD5

6f35fe576a7c7bc71651a0ee2e76cb85

SHA1

b240f9008cfca0bc90865363a8fd5a56ed051435

SHA256

02a28f4bc46d29f2ae0c82813839b3f5661a26937bef1a5c2d9fc8f05406da26

Defense Evasion

Discovery

Persistence

Dridex

Description

Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

Tags

botnet dridex
Dridex Shellcode

Description

Detects Dridex Payload shellcode injected in Explorer process.

Tags

botnet payload

Reported IOCs

resource yara_rule

behavioral4/memory/3064-121-0x0000000000840000-0x0000000000841000-memory.dmp dridex_stager_shellcode
Executes dropped EXE
embeddedapplauncher.exerdpinput.exeDmNotificationBroker.exe

Reported IOCs

pid process

2972 embeddedapplauncher.exe
2852 rdpinput.exe
612 DmNotificationBroker.exe
Loads dropped DLL
embeddedapplauncher.exerdpinput.exeDmNotificationBroker.exe

Reported IOCs

pid process

2972 embeddedapplauncher.exe
2852 rdpinput.exe
612 DmNotificationBroker.exe

resource	yara_rule
behavioral4/memory/3064-121-0x0000000000840000-0x0000000000841000-memory.dmp	dridex_stager_shellcode

pid	process
2972	embeddedapplauncher.exe
2852	rdpinput.exe
612	DmNotificationBroker.exe

pid	process
2972	embeddedapplauncher.exe
2852	rdpinput.exe
612	DmNotificationBroker.exe

Adds Run key to start application

TTPs

Registry Run Keys / Startup FolderModify Registry

Reported IOCs

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\Slqggwbvaxk = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\ACCESS~2\\WtmPz\\rdpinput.exe"

Checks whether UAC is enabled

rundll32.exeembeddedapplauncher.exerdpinput.exeDmNotificationBroker.exe

TTPs

System Information Discovery

Reported IOCs

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	embeddedapplauncher.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rdpinput.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DmNotificationBroker.exe

Suspicious behavior: EnumeratesProcesses

rundll32.exe

Reported IOCs

pid	process
2220	rundll32.exe
2220	rundll32.exe
2220	rundll32.exe
2220	rundll32.exe
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064

Suspicious behavior: GetForegroundWindowSpam
rundll32.exeembeddedapplauncher.exerdpinput.exeDmNotificationBroker.exe

Reported IOCs

pid process

2220 rundll32.exe
3064
2972 embeddedapplauncher.exe
2852 rdpinput.exe
612 DmNotificationBroker.exe

Suspicious use of WriteProcessMemory

Reported IOCs

description	pid	target process
PID 3064 wrote to memory of 2320	3064	embeddedapplauncher.exe
PID 3064 wrote to memory of 2320	3064	embeddedapplauncher.exe
PID 3064 wrote to memory of 2972	3064	embeddedapplauncher.exe
PID 3064 wrote to memory of 2972	3064	embeddedapplauncher.exe
PID 3064 wrote to memory of 2856	3064	rdpinput.exe
PID 3064 wrote to memory of 2856	3064	rdpinput.exe
PID 3064 wrote to memory of 2852	3064	rdpinput.exe
PID 3064 wrote to memory of 2852	3064	rdpinput.exe
PID 3064 wrote to memory of 1072	3064	DmNotificationBroker.exe
PID 3064 wrote to memory of 1072	3064	DmNotificationBroker.exe
PID 3064 wrote to memory of 612	3064	DmNotificationBroker.exe
PID 3064 wrote to memory of 612	3064	DmNotificationBroker.exe

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\02a28f4bc46d29f2ae0c82813839b3f5661a26937bef1a5c2d9fc8f05406da26.dll,#1

Checks whether UAC is enabled
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam

PID:2220

C:\Windows\system32\embeddedapplauncher.exe

C:\Windows\system32\embeddedapplauncher.exe

PID:2320

C:\Users\Admin\AppData\Local\KZGR\embeddedapplauncher.exe

C:\Users\Admin\AppData\Local\KZGR\embeddedapplauncher.exe

Executes dropped EXE
Loads dropped DLL
Checks whether UAC is enabled
Suspicious behavior: GetForegroundWindowSpam

PID:2972

C:\Windows\system32\rdpinput.exe

C:\Windows\system32\rdpinput.exe

PID:2856

C:\Users\Admin\AppData\Local\FnAP\rdpinput.exe

C:\Users\Admin\AppData\Local\FnAP\rdpinput.exe

Executes dropped EXE
Loads dropped DLL
Checks whether UAC is enabled
Suspicious behavior: GetForegroundWindowSpam

PID:2852

C:\Windows\system32\DmNotificationBroker.exe

C:\Windows\system32\DmNotificationBroker.exe

PID:1072

C:\Users\Admin\AppData\Local\4RxOe\DmNotificationBroker.exe

C:\Users\Admin\AppData\Local\4RxOe\DmNotificationBroker.exe

Executes dropped EXE
Loads dropped DLL
Checks whether UAC is enabled
Suspicious behavior: GetForegroundWindowSpam

PID:612

Collection

Command and Control

Credential Access

Defense Evasion

Modify Registry

Discovery

System Information Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

00:00 00:00

C:\Users\Admin\AppData\Local\4RxOe\DUI70.dll
MD5
49f07c4a74d9c4b7d583deef3ec97492

SHA1
fec91ba959ba7546d307573abf5a7c739f3fc7ac

SHA256
d29eff953eef14c75e2d5f98604481370b8b0b8c343c991f89e9f5d9a87f535c

SHA512
fb7a0c659316d782b64c4e973d5cf6eac951bb1f7faabcd10f760f52c0c3e8104fd05eeabd023f9341660f6e5f125903b475c474f8dc0ce9128075122cbc5aa0

Download Submit
C:\Users\Admin\AppData\Local\4RxOe\DmNotificationBroker.exe
MD5
80650482bacf349d2d4aadc99e916da7

SHA1
7c3d6eb2fc82cfa2122f115b80d49a9887d089de

SHA256
1cb2fe49a4d07375b6216bc51c372a3c78a96443765672ded3624d279c37c715

SHA512
d3bf9501b25ffe7145dda9cf3aa521854949ed11ebb5dd48aba7aab16d3b0d75dfe8976d3c3b932cc4eb2f77cf185a0b2d81965e055fdb3c5606400d77824a56

Download Submit
C:\Users\Admin\AppData\Local\FnAP\WTSAPI32.dll
MD5
c6da71bc09c9844dda3116d0a08f0808

SHA1
2e5b50e8f8e5d405382a55d3f1391f5623a670ef

SHA256
c65b72021af9bf7c0e5264bc1d944f85cd3ac2c97321fe87c10e585509656a34

SHA512
87fedaf56371c52d859225b99a924c96106903d5281cc3da2e8ea6fa32e3320ab4823bb418830b68fda69b4f95e29e9001f272acf852c7916f96dcf15d4321ac

Download Submit
C:\Users\Admin\AppData\Local\FnAP\rdpinput.exe
MD5
431364c49991ebfea19b468020368e08

SHA1
c36c8a01ccd17b8ec754fe92d1e03558bb3f05ac

SHA256
6c59ea8b7807d9cc9de5c67cf679a1fb1bed4629da1f0a071e03af775de8e4fc

SHA512
6b2baeb9abc1277fef874ead7d0c4b2b5c5953b8f9db5ae056a14a0af6edb6482b303e7f4ba5237a22e62919f09cd8334692dd58053754ed18837ace14565d8f

Download Submit
C:\Users\Admin\AppData\Local\KZGR\WTSAPI32.dll
MD5
0edc32c63665cedbcd0aef04d49b8bbb

SHA1
afa6a817df83147ebb273e7c246c391f8c56f088

SHA256
d6144e2d05bdde07e79abc2c8a5ff74f67273ba120124ee6aae7e5f1e502a9f9

SHA512
044c0cf4dc07aec2137f3f902366ed17dd3450a31c142b51bd79d2b1e160f1275757f67cb496f5ebd6dbc2e5f23a842fee2c8ccedbadd3cf371aa071b6ffdbfe

Download Submit
C:\Users\Admin\AppData\Local\KZGR\embeddedapplauncher.exe
MD5
372475cd2d5658a529c83cbe159dd4ce

SHA1
be8496491da2bbb3f06bfdf4ffe80285a7f891d9

SHA256
708d78211be2333cab7658a99b02ae81014475973dea05d92115a8bc91965024

SHA512
88f138678d8f8aae8bc0ac429744f8aad4a76187c0dd4367c03d9ed21ae132edae0109849570d49b47918ccac6fe671a896f64ef723e4e275a723b2c6e050028

Download Submit
\Users\Admin\AppData\Local\4RxOe\DUI70.dll
MD5
49f07c4a74d9c4b7d583deef3ec97492

SHA1
fec91ba959ba7546d307573abf5a7c739f3fc7ac

SHA256
d29eff953eef14c75e2d5f98604481370b8b0b8c343c991f89e9f5d9a87f535c

SHA512
fb7a0c659316d782b64c4e973d5cf6eac951bb1f7faabcd10f760f52c0c3e8104fd05eeabd023f9341660f6e5f125903b475c474f8dc0ce9128075122cbc5aa0

Download Submit
\Users\Admin\AppData\Local\FnAP\WTSAPI32.dll
MD5
c6da71bc09c9844dda3116d0a08f0808

SHA1
2e5b50e8f8e5d405382a55d3f1391f5623a670ef

SHA256
c65b72021af9bf7c0e5264bc1d944f85cd3ac2c97321fe87c10e585509656a34

SHA512
87fedaf56371c52d859225b99a924c96106903d5281cc3da2e8ea6fa32e3320ab4823bb418830b68fda69b4f95e29e9001f272acf852c7916f96dcf15d4321ac

Download Submit
\Users\Admin\AppData\Local\KZGR\WTSAPI32.dll
MD5
0edc32c63665cedbcd0aef04d49b8bbb

SHA1
afa6a817df83147ebb273e7c246c391f8c56f088

SHA256
d6144e2d05bdde07e79abc2c8a5ff74f67273ba120124ee6aae7e5f1e502a9f9

SHA512
044c0cf4dc07aec2137f3f902366ed17dd3450a31c142b51bd79d2b1e160f1275757f67cb496f5ebd6dbc2e5f23a842fee2c8ccedbadd3cf371aa071b6ffdbfe

Download Submit
memory/612-176-0x0000000140000000-0x000000014014F000-memory.dmp

Download
memory/612-180-0x000001F5BC480000-0x000001F5BC482000-memory.dmp

Download
memory/612-181-0x000001F5BC480000-0x000001F5BC482000-memory.dmp

Download
memory/612-172-0x0000000000000000-mapping.dmp

Download
memory/612-179-0x000001F5BC480000-0x000001F5BC482000-memory.dmp

Download
memory/2220-118-0x000002C6024B0000-0x000002C6024B2000-memory.dmp

Download
memory/2220-120-0x000002C6024A0000-0x000002C6024A7000-memory.dmp

Download
memory/2220-119-0x000002C6024B0000-0x000002C6024B2000-memory.dmp

Download
memory/2220-115-0x0000000140000000-0x0000000140109000-memory.dmp

Download
memory/2852-171-0x00000168C7AC0000-0x00000168C7AC2000-memory.dmp

Download
memory/2852-162-0x0000000000000000-mapping.dmp

Download
memory/2852-169-0x00000168C7AC0000-0x00000168C7AC2000-memory.dmp

Download
memory/2852-170-0x00000168C7AC0000-0x00000168C7AC2000-memory.dmp

Download
memory/2972-159-0x0000016DC60A0000-0x0000016DC60A2000-memory.dmp

Download
memory/2972-156-0x0000000140000000-0x000000014010A000-memory.dmp

Download
memory/2972-160-0x0000016DC60A0000-0x0000016DC60A2000-memory.dmp

Download
memory/2972-161-0x0000016DC60A0000-0x0000016DC60A2000-memory.dmp

Download
memory/2972-151-0x0000000000000000-mapping.dmp

Download
memory/3064-136-0x0000000140000000-0x0000000140109000-memory.dmp

Download
memory/3064-150-0x00000000009E0000-0x00000000009E2000-memory.dmp

Download
memory/3064-149-0x00007FFB361D5000-0x00007FFB361D6000-memory.dmp

Download
memory/3064-147-0x00000000009E0000-0x00000000009E2000-memory.dmp

Download
memory/3064-141-0x0000000140000000-0x0000000140109000-memory.dmp

Download
memory/3064-148-0x00000000009E0000-0x00000000009E2000-memory.dmp

Download
memory/3064-155-0x00007FFB36310000-0x00007FFB36312000-memory.dmp

Download
memory/3064-140-0x0000000140000000-0x0000000140109000-memory.dmp

Download
memory/3064-139-0x0000000140000000-0x0000000140109000-memory.dmp

Download
memory/3064-138-0x0000000140000000-0x0000000140109000-memory.dmp

Download
memory/3064-137-0x0000000140000000-0x0000000140109000-memory.dmp

Download
memory/3064-135-0x0000000140000000-0x0000000140109000-memory.dmp

Download
memory/3064-134-0x0000000140000000-0x0000000140109000-memory.dmp

Download
memory/3064-133-0x0000000140000000-0x0000000140109000-memory.dmp

Download
memory/3064-132-0x0000000140000000-0x0000000140109000-memory.dmp

Download
memory/3064-131-0x0000000140000000-0x0000000140109000-memory.dmp

Download
memory/3064-130-0x0000000140000000-0x0000000140109000-memory.dmp

Download
memory/3064-129-0x0000000140000000-0x0000000140109000-memory.dmp

Download
memory/3064-128-0x0000000140000000-0x0000000140109000-memory.dmp

Download
memory/3064-127-0x0000000140000000-0x0000000140109000-memory.dmp

Download
memory/3064-126-0x0000000140000000-0x0000000140109000-memory.dmp

Download
memory/3064-125-0x0000000140000000-0x0000000140109000-memory.dmp

Download
memory/3064-124-0x0000000140000000-0x0000000140109000-memory.dmp

Download
memory/3064-122-0x0000000140000000-0x0000000140109000-memory.dmp

Download
memory/3064-121-0x0000000000840000-0x0000000000841000-memory.dmp

Download
memory/3064-123-0x0000000140000000-0x0000000140109000-memory.dmp

Download

02a28f4bc46d29f2ae0c82813839b3f5661a26937bef1a5c2d9fc8f05406da26.dll

Filter: none

Description

Tags

Description

Tags

Reported IOCs

Reported IOCs

Reported IOCs

Tags

TTPs

Reported IOCs

Tags

TTPs

Reported IOCs

Reported IOCs

Reported IOCs

Reported IOCs

Title