Overview

overview

10

Static

static

XmlLite.dll

windows7_x64

10

XmlLite.dll

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    112s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    24-11-2020 17:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    XmlLite.dll

  • Size

    1.2MB

  • MD5

    1a72ddab7ae064892517b65c138b6078

  • SHA1

    428521bc64f6ca137f31cc382e97c7619b33169c

  • SHA256

    d594d6c6cd43b07dd9a683a089d03db2c396e2c4472a16a9c89d12c0225d605b

  • SHA512

    39b12f7cc153a19f4f8084614f1ff3023276dc01b1cf88eb4a95eb2210e3e3a378a9aad3cbb7ddc911592e1e9513da954aa1ff9f88a160612b3d6d66012e68e0

Score
10/10
dridexbotnetevasionloaderpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Loader 2 IoCs

    Detects Dridex both x86 and x64 loader in memory.

    botnetloader
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 585 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 8 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\XmlLite.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:3988
  • C:\Windows\system32\bdechangepin.exe
    C:\Windows\system32\bdechangepin.exe
    1⤵
      PID:996
    • C:\Users\Admin\AppData\Local\LhGGTd\bdechangepin.exe
      C:\Users\Admin\AppData\Local\LhGGTd\bdechangepin.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:4056
    • C:\Windows\system32\Dxpserver.exe
      C:\Windows\system32\Dxpserver.exe
      1⤵
        PID:3592
      • C:\Users\Admin\AppData\Local\l3P3iE69\Dxpserver.exe
        C:\Users\Admin\AppData\Local\l3P3iE69\Dxpserver.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2124
      • C:\Windows\system32\consent.exe
        C:\Windows\system32\consent.exe
        1⤵
          PID:1668
        • C:\Users\Admin\AppData\Local\Ziz0WEDP\consent.exe
          C:\Users\Admin\AppData\Local\Ziz0WEDP\consent.exe
          1⤵
          • Executes dropped EXE
          PID:2324
        • C:\Windows\system32\FXSCOVER.exe
          C:\Windows\system32\FXSCOVER.exe
          1⤵
            PID:3864
          • C:\Users\Admin\AppData\Local\8Uu4TQC\FXSCOVER.exe
            C:\Users\Admin\AppData\Local\8Uu4TQC\FXSCOVER.exe
            1⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Checks whether UAC is enabled
            PID:3840

          Network

          MITRE ATT&CK Matrix ATT&CK v6

          Initial Access

          Execution

          Persistence

          Registry Run Keys / Startup Folder

          1
          T1060

          Privilege Escalation

          Defense Evasion

          Modify Registry

          1
          T1112

          Credential Access

          Discovery

          System Information Discovery

          1
          T1082

          Lateral Movement

          Collection

          Exfiltration

          Command and Control

          Impact

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\8Uu4TQC\FXSCOVER.exe
            MD5

            fd8a15f70619a553acd265264c3e435d

            SHA1

            394f6a1db57b502eb5196d9276d1c00afc791663

            SHA256

            b9eec80e92a71b7405db190ac0d1fc177ba3d1f97411c43328a340d30a9d71a4

            SHA512

            af30027401e97a69aa57847c00c73ccafd4113e58349efd9addf5e7c3a5809f5ff35430d181844c5acd0abba947ff9acb450ff3e0383ef7c187bd9b7808a8799

            Download Submit
          • C:\Users\Admin\AppData\Local\8Uu4TQC\MFC42u.dll
            MD5

            8a59276d9531d90ff4a1841121bc9831

            SHA1

            93c86b4e43e58fc76cedbc63d7f9e9b5be8af964

            SHA256

            b02b53af1ab91ddc32d4d5f8facfb45d1a3980c3b668105078983a0fd8da9694

            SHA512

            fa4df7d5b7408e139aa4051471bb41f9165a2f7da0f2cca63d1a8c5db31e9abb12475d7460a23a0768b17066d5c603ec78d1ba4b0e9177350efbc26a928bb3b0

            Download Submit
          • C:\Users\Admin\AppData\Local\LhGGTd\DUI70.dll
            MD5

            cdc85803f04da5dd0f011fc9ee2a20ed

            SHA1

            86d42d2b13d822971cbfef6638c5aeefc14a8fda

            SHA256

            88bd6705154e45c52a43b60b65a12f28e6b123dcab679fdda78ee9058a9a4384

            SHA512

            97089744094e5087c4613d2e87f244f286c632df3999c7e3ccc7f71d195c531ffb3d7b00bd84fd2ff7fa85996039e1ad9c0b021b7548470b540a308acf431ba7

            Download Submit
          • C:\Users\Admin\AppData\Local\LhGGTd\bdechangepin.exe
            MD5

            c1c59d7307da404788e5a4294f671213

            SHA1

            d7d7d2b898c072ecd1fa1207dfa6277b1b328af8

            SHA256

            dc5078956ac057a7560285440fbb315db6f2718c1fc6bd88d50b1e49f8f8ad1b

            SHA512

            d138e672a81f9b957c96d9c236bb6dc5141ebb1c19b1446c7ace1a10bc6522c527a27d969a990fafdae04c03bfe5c664b955d9ac2aa3c8dfc3e282ad81693989

            Download Submit
          • C:\Users\Admin\AppData\Local\Ziz0WEDP\consent.exe
            MD5

            6d7e9c7bad50da67b1f23c6b4a9e1f7f

            SHA1

            b02648a975909e63d93e3531c1250f89ba676f9f

            SHA256

            b9711ed459bdbf39679f731ab67221068e0b6b8d8be88f22f4e89467ebac223b

            SHA512

            3e1aeb0ed4bc63319d7720356d8d7f01a9f5a28906f818941d41e434ca7a2ede0b26f63ea8275c2bc244621e88c017050f6c6118140108c35fe7b6e2371e7d12

            Download Submit
          • C:\Users\Admin\AppData\Local\l3P3iE69\Dxpserver.exe
            MD5

            110511ba5a11541db9fc1d7fab136599

            SHA1

            87db2d6c14f8f4e45f0ca17aedb1803638b07feb

            SHA256

            fdbe91686b9e869b34e78f7cc976d5e709d86298450a3653ad2dd23cd61315a0

            SHA512

            b47b491a687c65a599e7108eeea831ccc7e868a189b67003823efba6b525b044621e4c4ed8ce7b555b41a027e6200ef198681ba3eb2b66be7ad4581dde586a06

            Download Submit
          • C:\Users\Admin\AppData\Local\l3P3iE69\dwmapi.dll
            MD5

            fa53b39aa2692b06724473a8cb8f5a74

            SHA1

            0d261a9cdf45949e94fbde50f5236f1b5107225b

            SHA256

            075115413d764e3ae8745fc8f8da624313e58e52e5eb24888764aedd282c38d1

            SHA512

            f454920bf29a13c25085b2e0e9cb58eced8f3cc325fef130e651879f840914194c1ac7b106f654cde59c95ec4c395fef95e807f918f0766d371590b1da887479

            Download Submit
          • \Users\Admin\AppData\Local\8Uu4TQC\MFC42u.dll
            MD5

            8a59276d9531d90ff4a1841121bc9831

            SHA1

            93c86b4e43e58fc76cedbc63d7f9e9b5be8af964

            SHA256

            b02b53af1ab91ddc32d4d5f8facfb45d1a3980c3b668105078983a0fd8da9694

            SHA512

            fa4df7d5b7408e139aa4051471bb41f9165a2f7da0f2cca63d1a8c5db31e9abb12475d7460a23a0768b17066d5c603ec78d1ba4b0e9177350efbc26a928bb3b0

            Download Submit
          • \Users\Admin\AppData\Local\LhGGTd\DUI70.dll
            MD5

            cdc85803f04da5dd0f011fc9ee2a20ed

            SHA1

            86d42d2b13d822971cbfef6638c5aeefc14a8fda

            SHA256

            88bd6705154e45c52a43b60b65a12f28e6b123dcab679fdda78ee9058a9a4384

            SHA512

            97089744094e5087c4613d2e87f244f286c632df3999c7e3ccc7f71d195c531ffb3d7b00bd84fd2ff7fa85996039e1ad9c0b021b7548470b540a308acf431ba7

            Download Submit
          • \Users\Admin\AppData\Local\l3P3iE69\dwmapi.dll
            MD5

            fa53b39aa2692b06724473a8cb8f5a74

            SHA1

            0d261a9cdf45949e94fbde50f5236f1b5107225b

            SHA256

            075115413d764e3ae8745fc8f8da624313e58e52e5eb24888764aedd282c38d1

            SHA512

            f454920bf29a13c25085b2e0e9cb58eced8f3cc325fef130e651879f840914194c1ac7b106f654cde59c95ec4c395fef95e807f918f0766d371590b1da887479

            Download Submit
          • memory/2124-9-0x0000000000000000-mapping.dmp
            Download
          • memory/2324-14-0x0000000000000000-mapping.dmp
            Download
          • memory/3036-3-0x0000000140000000-0x0000000140131000-memory.dmp
            Filesize

            1.2MB

            Download
          • memory/3036-2-0x0000000140000000-0x0000000140131000-memory.dmp
            Filesize

            1.2MB

            Download
          • memory/3036-1-0x0000000000ED0000-0x0000000000ED1000-memory.dmp
            Filesize

            4KB

            Download
          • memory/3840-16-0x0000000000000000-mapping.dmp
            Download
          • memory/3988-0-0x0000000140000000-0x0000000140086000-memory.dmp
            Filesize

            536KB

            Download
          • memory/4056-4-0x0000000000000000-mapping.dmp
            Download