Resubmissions

Analysis

  • max time kernel
    149s
  • max time network
    133s
  • platform
    windows10_x64
  • resource
    win10v200430
  • submitted
    14-07-2020 05:12

General

  • Target

    DUI70.dll

  • Size

    1.2MB

  • MD5

    ca7f847ac49ea5ec058b9455bacbb326

  • SHA1

    9ea5760c8d7b2f1a479901677338e487e62aaad0

  • SHA256

    1bc4755b2828092f30c53c4099d2a1b118d1a68686a82b7c11ef12c6ae93f8d4

  • SHA512

    5e57d36b700f030c977213899b2d5e4421abcaf54a41ccb336067e52f779066916b58ff1c81441be8c4e69240106569d40371b6ba862e6d89cbeda1cc65d6818

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Loader 1 IoCs

    Detects the Dridex loader (both x86 and x64) in memory.

  • Dridex Loader 'dmod' strings 1 IoCs

    Detects 'dmod' strings in Dridex loader.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 638 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\DUI70.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:4012
  • C:\Windows\system32\msinfo32.exe
    C:\Windows\system32\msinfo32.exe
    1⤵
      PID:2816
    • C:\Users\Admin\AppData\Local\SbOCQ4r\msinfo32.exe
      C:\Users\Admin\AppData\Local\SbOCQ4r\msinfo32.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2868
    • C:\Windows\system32\raserver.exe
      C:\Windows\system32\raserver.exe
      1⤵
        PID:3696
      • C:\Users\Admin\AppData\Local\Wx98eXbam\raserver.exe
        C:\Users\Admin\AppData\Local\Wx98eXbam\raserver.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:3752
      • C:\Windows\system32\psr.exe
        C:\Windows\system32\psr.exe
        1⤵
          PID:3180
        • C:\Users\Admin\AppData\Local\m0bstPc\psr.exe
          C:\Users\Admin\AppData\Local\m0bstPc\psr.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:3024

        Network

        MITRE ATT&CK Enterprise v6

        Downloads

        • C:\Users\Admin\AppData\Local\SbOCQ4r\MFC42u.dll

          MD5

          e7fb505ab151e7fdace791d4b705bcc4

          SHA1

          cc531c276b302d28b02d01cdb69c77c6dabecf28

          SHA256

          e4355fb8dab0a9bc06e065c630cca18c2bf49e6f12023eb636d239519c6bacdc

          SHA512

          3a05cec485fdb451f1621f7c93543c8154bf34bc7b16e552562375739e4de274e9ef6bdc4081922215341a5192e42187a2376c6679cde79ac9010d8f2eb738bd

        • C:\Users\Admin\AppData\Local\SbOCQ4r\msinfo32.exe

          MD5

          255861c59cdfbf86c03560d39a92932a

          SHA1

          18353cb8a58d25ab62687b69fee44d007b994f19

          SHA256

          57aeba5f7f9de579f3c334e7e013114f6b2257b810b2fc8c1f96331ad1c4909c

          SHA512

          f695394f344f07036684dc4ba4ba011bc0b5b0b27898c82714cbd072c6218870234deb18044c00bf3fda618480e4e517cba50d577c228a63ee3e2676029e430b

        • C:\Users\Admin\AppData\Local\Wx98eXbam\WTSAPI32.dll

          MD5

          6cabaa4d174403f6aa901099fe744bab

          SHA1

          e2978a65e1e6ddcd782d64fec79e81081da199d1

          SHA256

          7e66abc19b37370f0c4b56844c92dfc406f03d794dad260889ab38afacb3da20

          SHA512

          6e7b8f6bb92c93127fec41c4d6eea99ff70587e7c89cceec3d877ff412a14892d8ab0bac632ec2e2183d85a5994fc67a5330e22ac83aaf642c5d65fd1e889fee

        • C:\Users\Admin\AppData\Local\Wx98eXbam\raserver.exe

          MD5

          71cacb0f5b7b70055fbba02055e503b1

          SHA1

          49e247edcc721fc7329045a8587877b645b7531f

          SHA256

          7a4aa698ea00d4347a1b85a2510c2502fdf23cc5d487079097999be9780f8eb1

          SHA512

          3cce7df2ab1ece95baf888982a0664fb53c1378029dc2aee1c583fc6e9065968074a9f8135988f1b9f50937e3eb69edc118976b61067c3461fe8351535295a18

        • C:\Users\Admin\AppData\Local\m0bstPc\XmlLite.dll

          MD5

          2483ea4ac2d5de6dd987c36f16bb6cc4

          SHA1

          2b117b4e5dcd315a16b4838fe7462340eebbc359

          SHA256

          b96c71d922274c6e47c6956840e7338e7b8b40719819c0cdcf9375186969cbdd

          SHA512

          59e2548e9d9e20fa0a348dd52bdfac8ec3b6a5a958691a50814b88efc0ab3715a3b7312d3342b8c53e900d45d406e246768cf523d4fd4dd37a493bf6779eee08

        • C:\Users\Admin\AppData\Local\m0bstPc\psr.exe

          MD5

          264a61b365dd314f3c82d1efba60fe17

          SHA1

          9a778a13f5e85d7c5bf2e21ceb398ae0a4300ffa

          SHA256

          880fafbd4087442964a7780331a0e8dd43b78e2106e9df545f0432d4aa15ce93

          SHA512

          9b26021b49ed0f8cfb05d9c8f5e0cec7beaebe9ee14acfc3237cec1255bb9e6a4f5f7a6b902f3d561bbbac7489f64e5a39f498261eef7e93178be97f9cc15e3c

        • \Users\Admin\AppData\Local\SbOCQ4r\MFC42u.dll

          MD5

          e7fb505ab151e7fdace791d4b705bcc4

          SHA1

          cc531c276b302d28b02d01cdb69c77c6dabecf28

          SHA256

          e4355fb8dab0a9bc06e065c630cca18c2bf49e6f12023eb636d239519c6bacdc

          SHA512

          3a05cec485fdb451f1621f7c93543c8154bf34bc7b16e552562375739e4de274e9ef6bdc4081922215341a5192e42187a2376c6679cde79ac9010d8f2eb738bd

        • \Users\Admin\AppData\Local\Wx98eXbam\WTSAPI32.dll

          MD5

          6cabaa4d174403f6aa901099fe744bab

          SHA1

          e2978a65e1e6ddcd782d64fec79e81081da199d1

          SHA256

          7e66abc19b37370f0c4b56844c92dfc406f03d794dad260889ab38afacb3da20

          SHA512

          6e7b8f6bb92c93127fec41c4d6eea99ff70587e7c89cceec3d877ff412a14892d8ab0bac632ec2e2183d85a5994fc67a5330e22ac83aaf642c5d65fd1e889fee

        • \Users\Admin\AppData\Local\m0bstPc\XmlLite.dll

          MD5

          2483ea4ac2d5de6dd987c36f16bb6cc4

          SHA1

          2b117b4e5dcd315a16b4838fe7462340eebbc359

          SHA256

          b96c71d922274c6e47c6956840e7338e7b8b40719819c0cdcf9375186969cbdd

          SHA512

          59e2548e9d9e20fa0a348dd52bdfac8ec3b6a5a958691a50814b88efc0ab3715a3b7312d3342b8c53e900d45d406e246768cf523d4fd4dd37a493bf6779eee08

        • memory/2868-3-0x0000000000000000-mapping.dmp

        • memory/3008-0-0x0000000000C20000-0x0000000000C21000-memory.dmp

          Filesize

          4KB

        • memory/3008-2-0x0000000140000000-0x0000000140138000-memory.dmp

          Filesize

          1.2MB

        • memory/3008-1-0x0000000140000000-0x0000000140138000-memory.dmp

          Filesize

          1.2MB

        • memory/3024-11-0x0000000000000000-mapping.dmp

        • memory/3752-7-0x0000000000000000-mapping.dmp