Overview

overview

10

Static

static

XmlLite.dll

windows7_x64

10

XmlLite.dll

windows10_x64

10

Resubmissions

Analysis

  • max time kernel
    149s
  • max time network
    71s
  • platform
    windows10_x64
  • resource
    win10v200722
  • submitted
    06-08-2020 16:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    XmlLite.dll

  • Size

    972KB

  • MD5

    a55f44aacfb66d6494db7b94f6a170e4

  • SHA1

    f181f65e6c147b046ba6dfaffa89d7ec45ce674d

  • SHA256

    c08e237f028ef67db6139e16aa4084c8cbada6ce15406819110bb22db01b406e

  • SHA512

    0133d75cbffb9ed1127f70c86dfef7544a5e2d731d0f60030e1578e73025aa155415e23d32f0755c421059056f9030de2af8240b338008c7fcccc6c28ecaa3d4

Score
10/10
dridexbotnetevasionloaderpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Loader 2 IoCs

    Detects Dridex both x86 and x64 loader in memory.

    botnetloader
  • Dridex Loader 'dmod' strings 2 IoCs

    Detects 'dmod' strings in Dridex loader.

    botnetloader
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 632 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\XmlLite.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:3816
  • C:\Windows\system32\raserver.exe
    C:\Windows\system32\raserver.exe
    1⤵
      PID:1016
    • C:\Users\Admin\AppData\Local\VMocxs7\raserver.exe
      C:\Users\Admin\AppData\Local\VMocxs7\raserver.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:348
    • C:\Windows\system32\eudcedit.exe
      C:\Windows\system32\eudcedit.exe
      1⤵
        PID:1208
      • C:\Users\Admin\AppData\Local\G0L5Vj1Wz\eudcedit.exe
        C:\Users\Admin\AppData\Local\G0L5Vj1Wz\eudcedit.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:1268
      • C:\Windows\system32\pwcreator.exe
        C:\Windows\system32\pwcreator.exe
        1⤵
          PID:1452
        • C:\Users\Admin\AppData\Local\yMby8\pwcreator.exe
          C:\Users\Admin\AppData\Local\yMby8\pwcreator.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1524

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Persistence

        Registry Run Keys / Startup Folder

        1
        T1060

        Privilege Escalation

        Defense Evasion

        Modify Registry

        1
        T1112

        Credential Access

        Discovery

        System Information Discovery

        1
        T1082

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\G0L5Vj1Wz\MFC42u.dll
          MD5

          c993144bfbd0eba45301b72cf67caad9

          SHA1

          5d2427fc223bb2679b6a6a44c14706eb22fd7791

          SHA256

          be33f6ea61a9a01855a3a5f917f6fb4fe345c278e40ff6e8924bc2c2cd829844

          SHA512

          2f998dcf0b465567d937505e28dfb0989a05a98b30ab8b02c6c869bb04b254778b0b17afe05105db82cbe048739c608db184e50b8175e69ce8a651d6322840d3

          Download Submit
        • C:\Users\Admin\AppData\Local\G0L5Vj1Wz\eudcedit.exe
          MD5

          91d59a7cad942eacccc0788bde9d69da

          SHA1

          62987649e35257a4230abc5081acdcf3049b0c4c

          SHA256

          ca4c171a40af34d3dc0b21e0206054f002b340359403f393d7c8616220c22416

          SHA512

          e3b5fe3c5a959e3fe3760af4dc7bf2af4af3bb1df23ba622296cd09d32c3ebfec6f60648346a5f38537af1e88fce424888b6d4f2ba530c578989f7c3e02c80a0

          Download Submit
        • C:\Users\Admin\AppData\Local\VMocxs7\WTSAPI32.dll
          MD5

          f649873456ac2923c371bc39e318568d

          SHA1

          dc1a19fcd721360e3d1a816f71bc41bac4a84fe9

          SHA256

          fca1238f895315f30e2718eead7ad35f500e7e804c5f664a9fb1c62d5525a7ef

          SHA512

          da975858ee92b16e67f1ca5b0c2ea57a9d8baf77ad3fa34f637cce53d67ed00b57122657129cac6b61b97665da0fbce7319caadd060c85929df1e0aaa6f4c206

          Download Submit
        • C:\Users\Admin\AppData\Local\VMocxs7\raserver.exe
          MD5

          71cacb0f5b7b70055fbba02055e503b1

          SHA1

          49e247edcc721fc7329045a8587877b645b7531f

          SHA256

          7a4aa698ea00d4347a1b85a2510c2502fdf23cc5d487079097999be9780f8eb1

          SHA512

          3cce7df2ab1ece95baf888982a0664fb53c1378029dc2aee1c583fc6e9065968074a9f8135988f1b9f50937e3eb69edc118976b61067c3461fe8351535295a18

          Download Submit
        • C:\Users\Admin\AppData\Local\yMby8\WINBRAND.dll
          MD5

          7ce72413c5117c831321659cfae03df0

          SHA1

          4877109e359a4326d8d67853402ddd46225a61c3

          SHA256

          367667d13e0b7012b94f98c7f2027f8515fb5eaa2b2a9687bf58c6c73d1e5e7e

          SHA512

          24c4dd7f8298b19a29ec34cbdc3a634220d6147bc73cb6b2cb3a0cc2a74a28480cce6fa001bcce788a433da8c0ead4c1cf69f23223e647b8fab8be153ef6406d

          Download Submit
        • C:\Users\Admin\AppData\Local\yMby8\pwcreator.exe
          MD5

          5a9ef500a0436e893542fca5e8876c9c

          SHA1

          bf8f802f67cf5f42ad6375b5159b4b2d8c5759a4

          SHA256

          a0af92d50e18376d996a3bfeb9e43cc8d2ea8385646542ea850c777850d588df

          SHA512

          ffda4df212242e87d399ddcd72fa99b14f0d18abcfdb6c69df65ce345e8c94f2c1fccb323252af5cb18a28abeef0b148c106631ec778a522f82b392c0547fdc8

          Download Submit
        • \Users\Admin\AppData\Local\G0L5Vj1Wz\MFC42u.dll
          MD5

          c993144bfbd0eba45301b72cf67caad9

          SHA1

          5d2427fc223bb2679b6a6a44c14706eb22fd7791

          SHA256

          be33f6ea61a9a01855a3a5f917f6fb4fe345c278e40ff6e8924bc2c2cd829844

          SHA512

          2f998dcf0b465567d937505e28dfb0989a05a98b30ab8b02c6c869bb04b254778b0b17afe05105db82cbe048739c608db184e50b8175e69ce8a651d6322840d3

          Download Submit
        • \Users\Admin\AppData\Local\VMocxs7\WTSAPI32.dll
          MD5

          f649873456ac2923c371bc39e318568d

          SHA1

          dc1a19fcd721360e3d1a816f71bc41bac4a84fe9

          SHA256

          fca1238f895315f30e2718eead7ad35f500e7e804c5f664a9fb1c62d5525a7ef

          SHA512

          da975858ee92b16e67f1ca5b0c2ea57a9d8baf77ad3fa34f637cce53d67ed00b57122657129cac6b61b97665da0fbce7319caadd060c85929df1e0aaa6f4c206

          Download Submit
        • \Users\Admin\AppData\Local\yMby8\WINBRAND.dll
          MD5

          7ce72413c5117c831321659cfae03df0

          SHA1

          4877109e359a4326d8d67853402ddd46225a61c3

          SHA256

          367667d13e0b7012b94f98c7f2027f8515fb5eaa2b2a9687bf58c6c73d1e5e7e

          SHA512

          24c4dd7f8298b19a29ec34cbdc3a634220d6147bc73cb6b2cb3a0cc2a74a28480cce6fa001bcce788a433da8c0ead4c1cf69f23223e647b8fab8be153ef6406d

          Download Submit
        • memory/348-4-0x0000000000000000-mapping.dmp
          Download
        • memory/1268-9-0x0000000000000000-mapping.dmp
          Download
        • memory/1524-14-0x0000000000000000-mapping.dmp
          Download
        • memory/3016-3-0x0000000140000000-0x00000001400F3000-memory.dmp
          Filesize

          972KB

          Download
        • memory/3016-2-0x0000000140000000-0x00000001400F3000-memory.dmp
          Filesize

          972KB

          Download
        • memory/3016-1-0x0000000001490000-0x0000000001491000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3816-0-0x0000000140000000-0x000000014008D000-memory.dmp
          Filesize

          564KB

          Download