Overview

overview

10

Static

static

236e749601...e3.dll

windows7_x64

10

236e749601...e3.dll

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    138s
  • platform
    windows10_x64
  • resource
    win10-en
  • submitted
    15-09-2021 08:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    236e749601b76cf6364ab17d337e7dff0ac592006b89c1cbfe711cc8e718c7e3.dll

  • Size

    1.4MB

  • MD5

    26e1e972b9847ae521995ce31119e1d6

  • SHA1

    e1fc1d82f2462496bb1c18d575c0d5b2275ba21a

  • SHA256

    236e749601b76cf6364ab17d337e7dff0ac592006b89c1cbfe711cc8e718c7e3

  • SHA512

    27b7903ada4de94b181ed65275cd0afa92e5cde0235dd64014d582446db2348ebfe9c659056360a4aa59b9e4eef998e11dbed8ee2c9c76a583db92d0b264ae4f

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 9 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\236e749601b76cf6364ab17d337e7dff0ac592006b89c1cbfe711cc8e718c7e3.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:4080
  • C:\Windows\system32\omadmclient.exe
    C:\Windows\system32\omadmclient.exe
    1⤵
      PID:1076
    • C:\Users\Admin\AppData\Local\32ekyRlom\omadmclient.exe
      C:\Users\Admin\AppData\Local\32ekyRlom\omadmclient.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:1148
    • C:\Windows\system32\SystemPropertiesAdvanced.exe
      C:\Windows\system32\SystemPropertiesAdvanced.exe
      1⤵
        PID:1444
      • C:\Users\Admin\AppData\Local\DYLyeI7\SystemPropertiesAdvanced.exe
        C:\Users\Admin\AppData\Local\DYLyeI7\SystemPropertiesAdvanced.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:1556
      • C:\Windows\system32\BitLockerWizardElev.exe
        C:\Windows\system32\BitLockerWizardElev.exe
        1⤵
          PID:1784
        • C:\Users\Admin\AppData\Local\egEmfbNiQ\BitLockerWizardElev.exe
          C:\Users\Admin\AppData\Local\egEmfbNiQ\BitLockerWizardElev.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1860

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Persistence

        Registry Run Keys / Startup Folder

        1
        T1060

        Privilege Escalation

        Defense Evasion

        Modify Registry

        1
        T1112

        Credential Access

        Discovery

        System Information Discovery

        1
        T1082

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\32ekyRlom\XmlLite.dll
          MD5

          ee5c4869a68330ba49fe94c465c6e492

          SHA1

          64c5ce6c27404036209005af2cca757cf9559157

          SHA256

          b18fea435a4547c16800bb3745c882876e27e16e608f1c3b8abcf01a7ca3554f

          SHA512

          ca4ff6eb982d8b8894e7654db2f79a5fc23ce3cf1c8b73373e677c251fc17a634076707c094752554ac2be31f125b9ab2e9d259e7588f8a1ecba07c4d04a267f

          Download Submit
        • C:\Users\Admin\AppData\Local\32ekyRlom\omadmclient.exe
          MD5

          0f8c6315c9458cab5b3aae2df853edb6

          SHA1

          ff59734b75896b422e8d7a642c4ea59bf6dab759

          SHA256

          76eb6879858ab42089e369984f6e0e775b32b6756a605ed5f2fb1a06c1151498

          SHA512

          966045c25685a0f01bcd49f6e9ec5bbdaa8a3e261129c03db85031fb1d8705bfba967894d2530c2691e16fdbed11a9df9122d9093db2b46c6ce1b641db36bb3c

          Download Submit
        • C:\Users\Admin\AppData\Local\DYLyeI7\SYSDM.CPL
          MD5

          32a1db4c9ea1c60bc2e5f29704edc2d5

          SHA1

          2459c7331d1abd05c18317bca5055ddc44dec174

          SHA256

          1bbc274d5a964f1a295e23b906b53174bd3ff75e152f09ccf838a8b84e7d385e

          SHA512

          3486a376ff7a7b6ed7538766824da72418bfb694f18b261c0662402a0305ca0a7c028f8f4aae2c00deac52cf3502306e2614c17ff81f4d703ca5e2f30849247e

          Download Submit
        • C:\Users\Admin\AppData\Local\DYLyeI7\SystemPropertiesAdvanced.exe
          MD5

          375b58f4fced878a37108c3e5ad9b20c

          SHA1

          8a05b43085e2ccf4ad1b041cabb4fe91498e98e5

          SHA256

          480aa5e419e066e1dd84ae98f07cca9e21e6b72e82f6fbc9b54bbbefbe2f79b9

          SHA512

          e803d80e72c17cde65190678389182188dd3035465598fd2a89c31f80518a6eda07be06373e133403dbcdb5f076ee4204c5d702524b12ccb6a2ba21e4c815441

          Download Submit
        • C:\Users\Admin\AppData\Local\egEmfbNiQ\BitLockerWizardElev.exe
          MD5

          43d63950e411885e21eeb33a7f33dc85

          SHA1

          aa5489c400ae898ba8590e7198846ca51d4ae872

          SHA256

          82f381697c3ea8df147de184892751a5c99475617c245b3caece870bb0a5418a

          SHA512

          65b87ecb21289f3ce72f8ea00e877f6023551d4ba5f62e27ac00df7376c1f1d3d612419fac54211a91383b016e03a7f82ac8bc0beaa10262767538dba09423ca

          Download Submit
        • C:\Users\Admin\AppData\Local\egEmfbNiQ\FVEWIZ.dll
          MD5

          4db5d0ee9d5fe83abcf7cc1cb9905067

          SHA1

          599763a1af56700211f81f62598c08889fd42843

          SHA256

          c4e6b15c43abda0a4af628a2fd269f1169178cef707fe57897b69c3796f18209

          SHA512

          e6df33f4e5f10c48144f17326182bd6b530410fbf33693192aaa1e78fec7255f8b3404e8ed4ef5d2b6d2883c0f26dc05e3fee3ff0aca729470f263b1bcc658bf

          Download Submit
        • \Users\Admin\AppData\Local\32ekyRlom\XmlLite.dll
          MD5

          ee5c4869a68330ba49fe94c465c6e492

          SHA1

          64c5ce6c27404036209005af2cca757cf9559157

          SHA256

          b18fea435a4547c16800bb3745c882876e27e16e608f1c3b8abcf01a7ca3554f

          SHA512

          ca4ff6eb982d8b8894e7654db2f79a5fc23ce3cf1c8b73373e677c251fc17a634076707c094752554ac2be31f125b9ab2e9d259e7588f8a1ecba07c4d04a267f

          Download Submit
        • \Users\Admin\AppData\Local\DYLyeI7\SYSDM.CPL
          MD5

          32a1db4c9ea1c60bc2e5f29704edc2d5

          SHA1

          2459c7331d1abd05c18317bca5055ddc44dec174

          SHA256

          1bbc274d5a964f1a295e23b906b53174bd3ff75e152f09ccf838a8b84e7d385e

          SHA512

          3486a376ff7a7b6ed7538766824da72418bfb694f18b261c0662402a0305ca0a7c028f8f4aae2c00deac52cf3502306e2614c17ff81f4d703ca5e2f30849247e

          Download Submit
        • \Users\Admin\AppData\Local\egEmfbNiQ\FVEWIZ.dll
          MD5

          4db5d0ee9d5fe83abcf7cc1cb9905067

          SHA1

          599763a1af56700211f81f62598c08889fd42843

          SHA256

          c4e6b15c43abda0a4af628a2fd269f1169178cef707fe57897b69c3796f18209

          SHA512

          e6df33f4e5f10c48144f17326182bd6b530410fbf33693192aaa1e78fec7255f8b3404e8ed4ef5d2b6d2883c0f26dc05e3fee3ff0aca729470f263b1bcc658bf

          Download Submit
        • memory/1148-163-0x0000000000000000-mapping.dmp
          Download
        • memory/1148-168-0x0000000140000000-0x0000000140173000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/1512-142-0x0000000140000000-0x0000000140172000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/1512-148-0x0000000140000000-0x0000000140172000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/1512-131-0x0000000140000000-0x0000000140172000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/1512-132-0x0000000140000000-0x0000000140172000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/1512-133-0x0000000140000000-0x0000000140172000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/1512-134-0x0000000140000000-0x0000000140172000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/1512-135-0x0000000140000000-0x0000000140172000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/1512-136-0x0000000140000000-0x0000000140172000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/1512-137-0x0000000140000000-0x0000000140172000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/1512-138-0x0000000140000000-0x0000000140172000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/1512-139-0x0000000140000000-0x0000000140172000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/1512-140-0x0000000140000000-0x0000000140172000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/1512-141-0x0000000140000000-0x0000000140172000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/1512-120-0x0000000002910000-0x0000000002911000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1512-144-0x0000000140000000-0x0000000140172000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/1512-143-0x0000000140000000-0x0000000140172000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/1512-145-0x0000000140000000-0x0000000140172000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/1512-146-0x0000000140000000-0x0000000140172000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/1512-147-0x0000000140000000-0x0000000140172000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/1512-130-0x0000000140000000-0x0000000140172000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/1512-149-0x0000000140000000-0x0000000140172000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/1512-150-0x0000000140000000-0x0000000140172000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/1512-151-0x0000000140000000-0x0000000140172000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/1512-152-0x0000000140000000-0x0000000140172000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/1512-153-0x0000000140000000-0x0000000140172000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/1512-161-0x00007FFFE85F4560-0x00007FFFE85F5560-memory.dmp
          Filesize

          4KB

          Download
        • memory/1512-129-0x0000000140000000-0x0000000140172000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/1512-128-0x0000000140000000-0x0000000140172000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/1512-127-0x0000000140000000-0x0000000140172000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/1512-126-0x0000000140000000-0x0000000140172000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/1512-167-0x00007FFFE8730000-0x00007FFFE8732000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1512-125-0x0000000140000000-0x0000000140172000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/1512-121-0x0000000140000000-0x0000000140172000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/1512-124-0x0000000140000000-0x0000000140172000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/1512-123-0x0000000140000000-0x0000000140172000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/1512-122-0x0000000140000000-0x0000000140172000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/1556-173-0x0000000000000000-mapping.dmp
          Download
        • memory/1860-182-0x0000000000000000-mapping.dmp
          Download
        • memory/4080-115-0x0000000140000000-0x0000000140172000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/4080-119-0x000002CC0CC60000-0x000002CC0CC67000-memory.dmp
          Filesize

          28KB

          Download