Analysis

  • max time kernel
    152s
  • max time network
    122s
  • platform
    windows10_x64
  • resource
    win10-en-20211014
  • submitted
    03-12-2021 10:48

General

  • Target

    e3a97ee2fa0ea4dc05340e0778674a93e8c95944c519df7ee5f486c08b1df15a.dll

  • Size

    1.2MB

  • MD5

    ea1bfbc91324c0cbb97f17775e653dab

  • SHA1

    61c6d875774c9cd59ae56e351a291c2cf9e79284

  • SHA256

    e3a97ee2fa0ea4dc05340e0778674a93e8c95944c519df7ee5f486c08b1df15a

  • SHA512

    903a180a93cc7ecd2b6e0fd76fc597456bbd1986d28f63993fc00b57dc47afad779fd05ce734f4070d3b16af08aec5e5da1086aefcf85929ba87c7cd1e27dc75

Malware Config

Signatures

  • Dridex

    Dridex (known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

  • Executes dropped EXE 3 IoCs
  • Drops startup file 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 5 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\e3a97ee2fa0ea4dc05340e0778674a93e8c95944c519df7ee5f486c08b1df15a.dll,#1
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    PID:2816
  • C:\Windows\system32\FXSCOVER.exe
    C:\Windows\system32\FXSCOVER.exe
    PID:1412
    • C:\Users\Admin\AppData\Local\hZNqp\FXSCOVER.exe
      C:\Users\Admin\AppData\Local\hZNqp\FXSCOVER.exe
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      • Suspicious behavior: GetForegroundWindowSpam
      PID:2324
    • C:\Windows\system32\sdclt.exe
      C:\Windows\system32\sdclt.exe
      PID:836
      • C:\Users\Admin\AppData\Local\5tgk5LL1\sdclt.exe
        C:\Users\Admin\AppData\Local\5tgk5LL1\sdclt.exe
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        • Suspicious behavior: GetForegroundWindowSpam
        PID:924
      • C:\Windows\system32\LockScreenContentServer.exe
        C:\Windows\system32\LockScreenContentServer.exe
        PID:3204
        • C:\Users\Admin\AppData\Local\iHYBPf\LockScreenContentServer.exe
          C:\Users\Admin\AppData\Local\iHYBPf\LockScreenContentServer.exe
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          • Suspicious behavior: GetForegroundWindowSpam
          PID:1376

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence
    Registry Run Keys / Startup Folder (1), T1060
  • Defense Evasion
    Modify Registry (1), T1112
  • Discovery
    System Information Discovery (1), T1082


Downloads

  • C:\Users\Admin\AppData\Local\5tgk5LL1\WTSAPI32.dll
    MD5: 6426e34204b6ed0fe26afc3dc0191d5c
    SHA1: 5623d188b27649ace2b7181fb11d38125539abe5
    SHA256: 6b5e2a16cfc6624932d193654db556fe110a4dc6837a438d9ba74499562cf108
    SHA512: 5a9184c80b3f0ed7cd8056779866cfbc92288484decf3e34d6737e8c1a2d831a6e5dffeac5a11ae12dc515a393372b187f10f90c149ccd7f7c4daca2b8c3abea
  • C:\Users\Admin\AppData\Local\5tgk5LL1\sdclt.exe
    MD5: d583261d1da3e49fa34d0ed9fc550173
    SHA1: 64d55723f6fec895c7e8b50f42a815b125ce0b29
    SHA256: 8577ef50c0dd969617fa313ebd927d6e4ca2faae24fa4516f643328a967c5e6a
    SHA512: 77aceaf9992b40c859c95d6ee6d6b31c06add7a1227f8e2d1fc49245163a8ffdbf347bfdb0cffb400a9550b715cede3941e4c3f0499d0942dc5f7853db5cd0b5
  • C:\Users\Admin\AppData\Local\hZNqp\FXSCOVER.exe
    MD5: fd8a15f70619a553acd265264c3e435d
    SHA1: 394f6a1db57b502eb5196d9276d1c00afc791663
    SHA256: b9eec80e92a71b7405db190ac0d1fc177ba3d1f97411c43328a340d30a9d71a4
    SHA512: af30027401e97a69aa57847c00c73ccafd4113e58349efd9addf5e7c3a5809f5ff35430d181844c5acd0abba947ff9acb450ff3e0383ef7c187bd9b7808a8799
  • C:\Users\Admin\AppData\Local\hZNqp\MFC42u.dll
    MD5: dce22d7d9020f440ea70a89d74735619
    SHA1: 0c19eb54e930d836c5e3d822ce8bfd078ad53ec7
    SHA256: 8617114eef94480d0f92b60e0b4e7c4069d3f7d705b8fa0d11fb121787481dd1
    SHA512: 5ada9a713bba37e4fb0e45df2029d32e2950ea8d17643f8c58f72769428e142a77afe4f197cc13f508112b085ab7a377135792d23626bf6737750a8d5b379534
  • C:\Users\Admin\AppData\Local\iHYBPf\DUI70.dll
    MD5: ef5f8a1cefa217f16dc3d65292e5c170
    SHA1: 8cc92795f85e55d16c2254347149006537ca4470
    SHA256: 7ec86ab23b3fbd555e37bb2403bc8d64416e486eb640d24c37bc42bbb8de176e
    SHA512: 2c33acd9be161b2e745c91c1c81e7fc605451c33a6d6982870a8d12e4550d69192cee490c81022eea07769f338b538cbdfe8cad8d97848a2ccb7252c31efad50
  • C:\Users\Admin\AppData\Local\iHYBPf\LockScreenContentServer.exe
    MD5: 583914a93db0413668eadd743fd5fb1c
    SHA1: 8b95be0ad348f0aabfcceac3148109ef12e8a978
    SHA256: ec09ee1b2bb981335ea9db3ac031fbbc3ed74f9294d734a5799fb0d75e423583
    SHA512: 2f5c22cc3f557c65c876e8a943c7b3dec92d5c0b5219ab2410a334f42e442ef08d0c7b1c5c0797b83a17578a25ce70aa631a15be7ec6a6ea8a8d865dca0b9cd4

