Overview

overview

10

Static

static

VERSION.dll

windows7_x64

10

VERSION.dll

windows10_x64

10

Resubmissions

Analysis

  • max time kernel
    150s
  • max time network
    117s
  • platform
    windows10_x64
  • resource
    win10
  • submitted
    14-07-2020 11:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    VERSION.dll

  • Size

    972KB

  • MD5

    07b6339df2acddd30de436999071fc4b

  • SHA1

    2550d842be80b811afa930384c0db06908bc1011

  • SHA256

    4ed7566f8b70e42f52615a3c06512b10c6b3feef33627a82cdef1f054aa4cc75

  • SHA512

    ef2b54af64064f6fdd4224b3b283e9e6b76d8d92a01d6e9044d016bbf2b2b295f4ed66a48d389a08ed4fc3d72a843f7ed32f43f91280658f897b2ad078324586

Score
10/10
dridexbotnetevasionloaderpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Loader 1 IoCs

    Detects Dridex both x86 and x64 loader in memory.

    botnetloader
  • Dridex Loader 'dmod' strings 1 IoCs

    Detects 'dmod' strings in Dridex loader.

    botnetloader
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 624 IoCs
  • Suspicious use of AdjustPrivilegeToken 18 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\VERSION.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:3612
  • C:\Windows\system32\sigverif.exe
    C:\Windows\system32\sigverif.exe
    1⤵
      PID:3352
    • C:\Users\Admin\AppData\Local\mIrV\sigverif.exe
      C:\Users\Admin\AppData\Local\mIrV\sigverif.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:3188
    • C:\Windows\system32\dpapimig.exe
      C:\Windows\system32\dpapimig.exe
      1⤵
        PID:344
      • C:\Users\Admin\AppData\Local\3vnbBUA\dpapimig.exe
        C:\Users\Admin\AppData\Local\3vnbBUA\dpapimig.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:1708
      • C:\Windows\system32\wscript.exe
        C:\Windows\system32\wscript.exe
        1⤵
          PID:1004
        • C:\Users\Admin\AppData\Local\K4r\wscript.exe
          C:\Users\Admin\AppData\Local\K4r\wscript.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2980

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\3vnbBUA\DUI70.dll
          MD5

          8dcd51d39e1e8eb13c43a55adb7932d0

          SHA1

          b7d3b5044b0fcd365869636a246b7389824224f4

          SHA256

          37c852ee26bc053589210bbb6c2d380542f3a8416e50146eb62f465075392816

          SHA512

          24fbeb8b03c6f3a4e03b053494bdd447a10dbe416bd8c9b92ceb5ba12bdc1baac7005ee536bd1b2125e5ce3db0345e95848541df15855f3cb00a2676f44d11e6

          Download Submit

        • C:\Users\Admin\AppData\Local\3vnbBUA\dpapimig.exe
          MD5

          a210dd05d1e941a1ec04b134f39ef036

          SHA1

          86b5493ecf8f456ae56ede4b013b934b892572e0

          SHA256

          3912f380049e362ca875ccb4fe064621197f0df999b35c593de382cf0c852988

          SHA512

          9648ed1088af13717479f4739ecdfd604b463582fe3a9db43761b446c61e93856309fd1f8c993962d426af566497b9c8f7eaa3a5af069a7a0f8fde8424111bf8

          Download Submit

        • C:\Users\Admin\AppData\Local\K4r\VERSION.dll
          MD5

          361bc948f0eb18dee414e15d42992fe7

          SHA1

          1062e9d15b5987c35bcd4f326718e06196c0e0af

          SHA256

          2852c721b87dbe336768c0104b33370655494e8cdf8b26361eaecb4957f021f5

          SHA512

          da127c419012c3c33b5d5caac80088eb0e9623e0af193f44e831052234dfac5f7e318e53881ff1e4d2da0654d85c008c674851e5da5165331b504830692527b1

          Download Submit

        • C:\Users\Admin\AppData\Local\K4r\wscript.exe
          MD5

          dd97f7527d1536afbff5bced8508661f

          SHA1

          c7e44c13ec4ca775630932c54afe1d5c9a0fe631

          SHA256

          c08432dc60c9ef7b12a41b0c73e6d716c220b4e9a4eda45c9072d1c81d910c55

          SHA512

          f06127f72fb5daae836644beb61e9d800db4a1915be9bebf8a6de7b3221135fe759d51b0ffddc5783acb50ca71d08996174fb4983c207727265ee63dd4487f37

          Download Submit

        • C:\Users\Admin\AppData\Local\mIrV\VERSION.dll
          MD5

          ed193499d18da02ba6f85f8ec91ecc16

          SHA1

          60f82bd68b104c0ac6b1fcfbed4b9e5d9ff46b76

          SHA256

          0bbe5ee1fbdccfefe422bed09085694f734346f9492039b8ffbbff4e11f1ffaa

          SHA512

          815f602a851a098ad500abc0dc6842e0e8941a8dbd0a8ef007a0fcb30529ecc7631d59e582b9c513930b8d9683d1767f2634ea926d027b8608eb8226453b91dc

          Download Submit

        • C:\Users\Admin\AppData\Local\mIrV\sigverif.exe
          MD5

          92f7917624a4349f7b6041d08ae29714

          SHA1

          eac68bc72ed4d8634a59a1a37faefa4f8327bd2f

          SHA256

          a57403e41c7178403981cd384f6096f12092dee68d3dfbd92f94661f613dfcab

          SHA512

          20eb8366a8285a7d19a8d860038364a625b9b7de5e9d87ed59d2580ab4d5658b6d09d9220f6b0a6291151145373f3e0ff8ac46609c6b4a4aafecc8f2670ac56d

          Download Submit

        • \Users\Admin\AppData\Local\3vnbBUA\DUI70.dll
          MD5

          8dcd51d39e1e8eb13c43a55adb7932d0

          SHA1

          b7d3b5044b0fcd365869636a246b7389824224f4

          SHA256

          37c852ee26bc053589210bbb6c2d380542f3a8416e50146eb62f465075392816

          SHA512

          24fbeb8b03c6f3a4e03b053494bdd447a10dbe416bd8c9b92ceb5ba12bdc1baac7005ee536bd1b2125e5ce3db0345e95848541df15855f3cb00a2676f44d11e6

          Download Submit

        • \Users\Admin\AppData\Local\K4r\VERSION.dll
          MD5

          361bc948f0eb18dee414e15d42992fe7

          SHA1

          1062e9d15b5987c35bcd4f326718e06196c0e0af

          SHA256

          2852c721b87dbe336768c0104b33370655494e8cdf8b26361eaecb4957f021f5

          SHA512

          da127c419012c3c33b5d5caac80088eb0e9623e0af193f44e831052234dfac5f7e318e53881ff1e4d2da0654d85c008c674851e5da5165331b504830692527b1

          Download Submit

        • \Users\Admin\AppData\Local\mIrV\VERSION.dll
          MD5

          ed193499d18da02ba6f85f8ec91ecc16

          SHA1

          60f82bd68b104c0ac6b1fcfbed4b9e5d9ff46b76

          SHA256

          0bbe5ee1fbdccfefe422bed09085694f734346f9492039b8ffbbff4e11f1ffaa

          SHA512

          815f602a851a098ad500abc0dc6842e0e8941a8dbd0a8ef007a0fcb30529ecc7631d59e582b9c513930b8d9683d1767f2634ea926d027b8608eb8226453b91dc

          Download Submit

        • memory/1708-7-0x0000000000000000-mapping.dmp

          Download

        • memory/2980-11-0x0000000000000000-mapping.dmp

          Download

        • memory/2988-0-0x0000000002CD0000-0x0000000002CD1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2988-2-0x0000000140000000-0x00000001400F3000-memory.dmp

          Filesize

          972KB

          Download

        • memory/2988-1-0x0000000140000000-0x00000001400F3000-memory.dmp

          Filesize

          972KB

          Download

        • memory/3188-3-0x0000000000000000-mapping.dmp

          Download