Overview

overview

10

Static

static

2c1cbd4e7a...dd.dll

windows7_x64

10

2c1cbd4e7a...dd.dll

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    130s
  • platform
    windows7_x64
  • resource
    win7-en-20210920
  • submitted
    28-09-2021 08:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2c1cbd4e7a27c47468c2e806e5559c3680f1cd6497c33a65c0a565fe8bab1add.dll

  • Size

    2.0MB

  • MD5

    24628d042b24ccca20dfc18374ee15c1

  • SHA1

    0deb91aa0e4c63080d71db61bfed0c7a5fb967ca

  • SHA256

    2c1cbd4e7a27c47468c2e806e5559c3680f1cd6497c33a65c0a565fe8bab1add

  • SHA512

    dd3c8457810dc1f17d1ea38be7d8884a89fd668a1b8b3d3d41f221e3997ef434e23a716433e7b214503e10649dba4830a1bf648c5a8dd23ff494d49a6d10aa23

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 6 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\2c1cbd4e7a27c47468c2e806e5559c3680f1cd6497c33a65c0a565fe8bab1add.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2012
  • C:\Windows\system32\fvenotify.exe
    C:\Windows\system32\fvenotify.exe
    1⤵
      PID:588
    • C:\Users\Admin\AppData\Local\DQ5u66\fvenotify.exe
      C:\Users\Admin\AppData\Local\DQ5u66\fvenotify.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:1604
    • C:\Windows\system32\wisptis.exe
      C:\Windows\system32\wisptis.exe
      1⤵
        PID:436
      • C:\Users\Admin\AppData\Local\e1Zx7\wisptis.exe
        C:\Users\Admin\AppData\Local\e1Zx7\wisptis.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:540
      • C:\Windows\system32\BitLockerWizard.exe
        C:\Windows\system32\BitLockerWizard.exe
        1⤵
          PID:1260
        • C:\Users\Admin\AppData\Local\CfOd\BitLockerWizard.exe
          C:\Users\Admin\AppData\Local\CfOd\BitLockerWizard.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1956

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Persistence

        Registry Run Keys / Startup Folder

        1
        T1060

        Privilege Escalation

        Defense Evasion

        Modify Registry

        1
        T1112

        Credential Access

        Discovery

        System Information Discovery

        1
        T1082

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\CfOd\BitLockerWizard.exe
          MD5

          08a761595ad21d152db2417d6fdb239a

          SHA1

          d84c1bc2e8c9afce9fb79916df9bca169f93a936

          SHA256

          ec0b9e5f29a43f9db44fa76b85701058f26776ab974044c1d4741591b74d0620

          SHA512

          8b07828e9c0edf09277f89294b8e1a54816f6f3d1fe132b3eb70370b81feb82d056ec31566793bd6f451725f79c3b4aeedb15a83216115e00943e0c19cab37c9

          Download Submit
        • C:\Users\Admin\AppData\Local\CfOd\FVEWIZ.dll
          MD5

          b5ecf325ed68ae0d334eef78502b71d3

          SHA1

          b21324f5adf12da39dcbe9d6b072aa5cdd1d2fef

          SHA256

          22b2162a1da367b54e84ceefae5ec1843e335a5e0ff0ca1358c4f5f350bcdfd5

          SHA512

          3e2f296b3319c8aeae637a032a77ce98aab14f33b602a83e51278ee1e37fae0f3663c40985771961badf7028d8a13872e116497855bcad5e13fb7db97b3706c1

          Download Submit
        • C:\Users\Admin\AppData\Local\DQ5u66\fvenotify.exe
          MD5

          e61d644998e07c02f0999388808ac109

          SHA1

          183130ad81ff4c7997582a484e759bf7769592d6

          SHA256

          15a85cd6fbcb1ec57d78f986d6dd8908bd56231ce0cf65775075512303f7e5fa

          SHA512

          310141b73394ae12a35f8d4f0c097868ee8a8045a62dd402a5dfbe2151980dd4fe18409ae3ca9422e3b88b2fa9afb04c1acbf8ec23a937a0a242b32a9a1e9272

          Download Submit
        • C:\Users\Admin\AppData\Local\DQ5u66\slc.dll
          MD5

          87cec6cce3ebe35c15a35e1f8fcbf471

          SHA1

          76068c9a4a5d4afe5a4b422fd65690a24864103b

          SHA256

          81eeacd372b30933349ec5cbe47ff0540ccfc6ad55aa8deeb284c4b9607ba1fa

          SHA512

          48889289c04d0293611c94aeaa333c5b72ccbcbb1ffd9f637604a258967817e58ccebbbc6f4323994ac1d2250c32703608afce46cfa8513cc9e9f96896f4983b

          Download Submit
        • C:\Users\Admin\AppData\Local\e1Zx7\MAGNIFICATION.dll
          MD5

          01610d390b6ba66237577d58187acf17

          SHA1

          f78042fe07bd01d296daa7a8680ee6e757c1c3bc

          SHA256

          0bd1922bebbb23fd16958c6f984795b3e7f8516ddfc844600d9b66309c4a4d8e

          SHA512

          251ea9a540f3fa2d3e8327fbca16111d2f0ad76dc9365deea67f8f32d4647eaa52ac382584c38b6641d22e3fbe8d373ace643a6d905f3275e93bced3cdeb1af9

          Download Submit
        • C:\Users\Admin\AppData\Local\e1Zx7\wisptis.exe
          MD5

          02e20372d9d6d28e37ba9704edc90b67

          SHA1

          d7d18ba0df95c3507bf20be8d72e25c5d11ab40c

          SHA256

          3338129ddf6fb53d6e743c10bc39ec372d9b2c39c607cbe8a71cff929f854144

          SHA512

          bcad8894614dcfc1429be04829c217e7c8ac3c40ea3927073de3421d96d9815739ee1b84f0200eb18b3b8406b972bd934204b7b31638c9fe7c297fb201ed4200

          Download Submit
        • \Users\Admin\AppData\Local\CfOd\BitLockerWizard.exe
          MD5

          08a761595ad21d152db2417d6fdb239a

          SHA1

          d84c1bc2e8c9afce9fb79916df9bca169f93a936

          SHA256

          ec0b9e5f29a43f9db44fa76b85701058f26776ab974044c1d4741591b74d0620

          SHA512

          8b07828e9c0edf09277f89294b8e1a54816f6f3d1fe132b3eb70370b81feb82d056ec31566793bd6f451725f79c3b4aeedb15a83216115e00943e0c19cab37c9

          Download Submit
        • \Users\Admin\AppData\Local\CfOd\FVEWIZ.dll
          MD5

          b5ecf325ed68ae0d334eef78502b71d3

          SHA1

          b21324f5adf12da39dcbe9d6b072aa5cdd1d2fef

          SHA256

          22b2162a1da367b54e84ceefae5ec1843e335a5e0ff0ca1358c4f5f350bcdfd5

          SHA512

          3e2f296b3319c8aeae637a032a77ce98aab14f33b602a83e51278ee1e37fae0f3663c40985771961badf7028d8a13872e116497855bcad5e13fb7db97b3706c1

          Download Submit
        • \Users\Admin\AppData\Local\DQ5u66\fvenotify.exe
          MD5

          e61d644998e07c02f0999388808ac109

          SHA1

          183130ad81ff4c7997582a484e759bf7769592d6

          SHA256

          15a85cd6fbcb1ec57d78f986d6dd8908bd56231ce0cf65775075512303f7e5fa

          SHA512

          310141b73394ae12a35f8d4f0c097868ee8a8045a62dd402a5dfbe2151980dd4fe18409ae3ca9422e3b88b2fa9afb04c1acbf8ec23a937a0a242b32a9a1e9272

          Download Submit
        • \Users\Admin\AppData\Local\DQ5u66\slc.dll
          MD5

          87cec6cce3ebe35c15a35e1f8fcbf471

          SHA1

          76068c9a4a5d4afe5a4b422fd65690a24864103b

          SHA256

          81eeacd372b30933349ec5cbe47ff0540ccfc6ad55aa8deeb284c4b9607ba1fa

          SHA512

          48889289c04d0293611c94aeaa333c5b72ccbcbb1ffd9f637604a258967817e58ccebbbc6f4323994ac1d2250c32703608afce46cfa8513cc9e9f96896f4983b

          Download Submit
        • \Users\Admin\AppData\Local\e1Zx7\MAGNIFICATION.dll
          MD5

          01610d390b6ba66237577d58187acf17

          SHA1

          f78042fe07bd01d296daa7a8680ee6e757c1c3bc

          SHA256

          0bd1922bebbb23fd16958c6f984795b3e7f8516ddfc844600d9b66309c4a4d8e

          SHA512

          251ea9a540f3fa2d3e8327fbca16111d2f0ad76dc9365deea67f8f32d4647eaa52ac382584c38b6641d22e3fbe8d373ace643a6d905f3275e93bced3cdeb1af9

          Download Submit
        • \Users\Admin\AppData\Local\e1Zx7\wisptis.exe
          MD5

          02e20372d9d6d28e37ba9704edc90b67

          SHA1

          d7d18ba0df95c3507bf20be8d72e25c5d11ab40c

          SHA256

          3338129ddf6fb53d6e743c10bc39ec372d9b2c39c607cbe8a71cff929f854144

          SHA512

          bcad8894614dcfc1429be04829c217e7c8ac3c40ea3927073de3421d96d9815739ee1b84f0200eb18b3b8406b972bd934204b7b31638c9fe7c297fb201ed4200

          Download Submit
        • \Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\yPzih4ZQZY\BitLockerWizard.exe
          MD5

          08a761595ad21d152db2417d6fdb239a

          SHA1

          d84c1bc2e8c9afce9fb79916df9bca169f93a936

          SHA256

          ec0b9e5f29a43f9db44fa76b85701058f26776ab974044c1d4741591b74d0620

          SHA512

          8b07828e9c0edf09277f89294b8e1a54816f6f3d1fe132b3eb70370b81feb82d056ec31566793bd6f451725f79c3b4aeedb15a83216115e00943e0c19cab37c9

          Download Submit
        • memory/540-114-0x0000000000000000-mapping.dmp
          Download
        • memory/1384-78-0x0000000140000000-0x000000014020A000-memory.dmp
          Filesize

          2.0MB

          Download
        • memory/1384-63-0x0000000140000000-0x000000014020A000-memory.dmp
          Filesize

          2.0MB

          Download
        • memory/1384-93-0x0000000140000000-0x000000014020A000-memory.dmp
          Filesize

          2.0MB

          Download
        • memory/1384-94-0x0000000140000000-0x000000014020A000-memory.dmp
          Filesize

          2.0MB

          Download
        • memory/1384-96-0x0000000140000000-0x000000014020A000-memory.dmp
          Filesize

          2.0MB

          Download
        • memory/1384-97-0x0000000140000000-0x000000014020A000-memory.dmp
          Filesize

          2.0MB

          Download
        • memory/1384-98-0x0000000140000000-0x000000014020A000-memory.dmp
          Filesize

          2.0MB

          Download
        • memory/1384-95-0x0000000140000000-0x000000014020A000-memory.dmp
          Filesize

          2.0MB

          Download
        • memory/1384-92-0x0000000140000000-0x000000014020A000-memory.dmp
          Filesize

          2.0MB

          Download
        • memory/1384-91-0x0000000140000000-0x000000014020A000-memory.dmp
          Filesize

          2.0MB

          Download
        • memory/1384-89-0x0000000140000000-0x000000014020A000-memory.dmp
          Filesize

          2.0MB

          Download
        • memory/1384-87-0x0000000140000000-0x000000014020A000-memory.dmp
          Filesize

          2.0MB

          Download
        • memory/1384-85-0x0000000140000000-0x000000014020A000-memory.dmp
          Filesize

          2.0MB

          Download
        • memory/1384-81-0x0000000140000000-0x000000014020A000-memory.dmp
          Filesize

          2.0MB

          Download
        • memory/1384-82-0x0000000140000000-0x000000014020A000-memory.dmp
          Filesize

          2.0MB

          Download
        • memory/1384-79-0x0000000140000000-0x000000014020A000-memory.dmp
          Filesize

          2.0MB

          Download
        • memory/1384-57-0x00000000025B0000-0x00000000025B1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1384-74-0x0000000140000000-0x000000014020A000-memory.dmp
          Filesize

          2.0MB

          Download
        • memory/1384-73-0x0000000140000000-0x000000014020A000-memory.dmp
          Filesize

          2.0MB

          Download
        • memory/1384-72-0x0000000140000000-0x000000014020A000-memory.dmp
          Filesize

          2.0MB

          Download
        • memory/1384-70-0x0000000140000000-0x000000014020A000-memory.dmp
          Filesize

          2.0MB

          Download
        • memory/1384-69-0x0000000140000000-0x000000014020A000-memory.dmp
          Filesize

          2.0MB

          Download
        • memory/1384-68-0x0000000140000000-0x000000014020A000-memory.dmp
          Filesize

          2.0MB

          Download
        • memory/1384-66-0x0000000140000000-0x000000014020A000-memory.dmp
          Filesize

          2.0MB

          Download
        • memory/1384-65-0x0000000140000000-0x000000014020A000-memory.dmp
          Filesize

          2.0MB

          Download
        • memory/1384-90-0x0000000140000000-0x000000014020A000-memory.dmp
          Filesize

          2.0MB

          Download
        • memory/1384-62-0x0000000140000000-0x000000014020A000-memory.dmp
          Filesize

          2.0MB

          Download
        • memory/1384-61-0x0000000140000000-0x000000014020A000-memory.dmp
          Filesize

          2.0MB

          Download
        • memory/1384-59-0x0000000140000000-0x000000014020A000-memory.dmp
          Filesize

          2.0MB

          Download
        • memory/1384-58-0x0000000140000000-0x000000014020A000-memory.dmp
          Filesize

          2.0MB

          Download
        • memory/1384-104-0x00000000773C0000-0x00000000773C2000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1384-88-0x0000000140000000-0x000000014020A000-memory.dmp
          Filesize

          2.0MB

          Download
        • memory/1384-60-0x0000000140000000-0x000000014020A000-memory.dmp
          Filesize

          2.0MB

          Download
        • memory/1384-86-0x0000000140000000-0x000000014020A000-memory.dmp
          Filesize

          2.0MB

          Download
        • memory/1384-64-0x0000000140000000-0x000000014020A000-memory.dmp
          Filesize

          2.0MB

          Download
        • memory/1384-84-0x0000000140000000-0x000000014020A000-memory.dmp
          Filesize

          2.0MB

          Download
        • memory/1384-83-0x0000000140000000-0x000000014020A000-memory.dmp
          Filesize

          2.0MB

          Download
        • memory/1384-67-0x0000000140000000-0x000000014020A000-memory.dmp
          Filesize

          2.0MB

          Download
        • memory/1384-80-0x0000000140000000-0x000000014020A000-memory.dmp
          Filesize

          2.0MB

          Download
        • memory/1384-77-0x0000000140000000-0x000000014020A000-memory.dmp
          Filesize

          2.0MB

          Download
        • memory/1384-76-0x0000000140000000-0x000000014020A000-memory.dmp
          Filesize

          2.0MB

          Download
        • memory/1384-75-0x0000000140000000-0x000000014020A000-memory.dmp
          Filesize

          2.0MB

          Download
        • memory/1384-71-0x0000000140000000-0x000000014020A000-memory.dmp
          Filesize

          2.0MB

          Download
        • memory/1604-111-0x0000000140000000-0x000000014020B000-memory.dmp
          Filesize

          2.0MB

          Download
        • memory/1604-108-0x000007FEFBC31000-0x000007FEFBC33000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1604-106-0x0000000000000000-mapping.dmp
          Download
        • memory/1956-121-0x0000000000000000-mapping.dmp
          Download
        • memory/2012-54-0x0000000140000000-0x000000014020A000-memory.dmp
          Filesize

          2.0MB

          Download
        • memory/2012-56-0x00000000002A0000-0x00000000002A7000-memory.dmp
          Filesize

          28KB

          Download