Overview

overview

10

Static

static

8bcde17829...c8.dll

windows7_x64

10

8bcde17829...c8.dll

windows10_x64

10

Analysis

  • max time kernel
    151s
  • max time network
    134s
  • platform
    windows7_x64
  • resource
    win7-en-20210920
  • submitted
    28-09-2021 09:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8bcde178298b0263ce7cb8e4c6a5ef4d0fcea9729a21e2cef4eaec3f2ad27bc8.dll

  • Size

    1.2MB

  • MD5

    cbaf988697e5794257533479c39ed20a

  • SHA1

    02d31d47c4bcb4285e847634be7483a31986b29e

  • SHA256

    8bcde178298b0263ce7cb8e4c6a5ef4d0fcea9729a21e2cef4eaec3f2ad27bc8

  • SHA512

    1fe2bf0286729b423da12dd20e81b80bc781d994afd3b9e3379f620e8ece49cb975b4fbaebe15108e9fb7b7e013c29080b9aa84e83ff562c6c8a190ae046678b

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 10 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\8bcde178298b0263ce7cb8e4c6a5ef4d0fcea9729a21e2cef4eaec3f2ad27bc8.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1500
  • C:\Windows\system32\FXSCOVER.exe
    C:\Windows\system32\FXSCOVER.exe
    1⤵
      PID:1640
    • C:\Users\Admin\AppData\Local\zH8ARe7\FXSCOVER.exe
      C:\Users\Admin\AppData\Local\zH8ARe7\FXSCOVER.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:1660
    • C:\Windows\system32\UI0Detect.exe
      C:\Windows\system32\UI0Detect.exe
      1⤵
        PID:1680
      • C:\Users\Admin\AppData\Local\ION\UI0Detect.exe
        C:\Users\Admin\AppData\Local\ION\UI0Detect.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:112
      • C:\Windows\system32\rekeywiz.exe
        C:\Windows\system32\rekeywiz.exe
        1⤵
          PID:432
        • C:\Users\Admin\AppData\Local\hZZY\rekeywiz.exe
          C:\Users\Admin\AppData\Local\hZZY\rekeywiz.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1616

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Persistence

        Registry Run Keys / Startup Folder

        1
        T1060

        Privilege Escalation

        Defense Evasion

        Modify Registry

        1
        T1112

        Credential Access

        Discovery

        System Information Discovery

        1
        T1082

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\ION\UI0Detect.exe
          MD5

          3cbdec8d06b9968aba702eba076364a1

          SHA1

          6e0fcaccadbdb5e3293aa3523ec1006d92191c58

          SHA256

          b8dab8aa804fc23021bfebd7ae4d40fbe648d6c6ba21cc008e26d1c084972f9b

          SHA512

          a8e434c925ef849ecef0efcb4873dbb95eea2821c967b05afbbe5733071cc2293fc94e7fdf1fdaee51cbcf9885b3b72bfd4d690f23af34558b056920263e465d

          Download Submit
        • C:\Users\Admin\AppData\Local\ION\WTSAPI32.dll
          MD5

          f820965a0c43908ef32bd8de959fb0f0

          SHA1

          9d98f3e43e1655e32e21211d03fd5885ff3af017

          SHA256

          fd13219b4e3c71d6449031f1e5483bd9fa810789f18463ef1f0b0844bbe0d753

          SHA512

          01218b890a13958fba72f6234092892afe0fd41499f4fd81440ae3eef0bb8d07d74c050bc315a07a56f4de756ef5ed2ab5144b053dde18d31d6a60b004d13950

          Download Submit
        • C:\Users\Admin\AppData\Local\hZZY\rekeywiz.exe
          MD5

          767c75767b00ccfd41a547bb7b2adfff

          SHA1

          91890853a5476def402910e6507417d400c0d3cb

          SHA256

          bd70e504871a2ac1c883d19b87970c8d1b8b251c784bf777ba77ed764f5f2395

          SHA512

          f096043452a1aa213a5e4d62638de3ee4b0b3ad3d12b7ee0372d8c79e00e2e13b4fd0ebc4206bbdb5124bed292dd5b30ef1641288046ef835f89c332985154f9

          Download Submit
        • C:\Users\Admin\AppData\Local\hZZY\slc.dll
          MD5

          8e27abf5c321587182ecf2041da8157e

          SHA1

          3876c82c6691da718c0921cf4f0e81ede0440ba6

          SHA256

          fba2ca959c2fe2205fc46422cedb5659f0d78ea76c2c422be9d201bb35ea507a

          SHA512

          98d5fe26ab2da57b27660c6ea1985a0a025436ed2fbc6eb0c527cff271b88e1517b1dfbe2ad6de8fc18736f22fbe17a0c47fb32b1eb856c9d0affb1bf5610d9f

          Download Submit
        • C:\Users\Admin\AppData\Local\zH8ARe7\FXSCOVER.exe
          MD5

          5e2c61be8e093dbfe7fc37585be42869

          SHA1

          ed46cda4ece3ef187b0cf29ca843a6c6735af6c0

          SHA256

          3d1719c1caa5d6b0358830a30713c43a9710fbf7bcedca20815be54d24aa9121

          SHA512

          90bf180c8f6e3d0286a19fcd4727f23925a39c90113db979e1b4bbf8f0491471ad26c877a6e2cf49638b14050d952a9ee02a3c1293129843ec6bba01bc325d0b

          Download Submit
        • C:\Users\Admin\AppData\Local\zH8ARe7\MFC42u.dll
          MD5

          47ed7e6f9ed7691a6540fdb1aaefb7a2

          SHA1

          a87bc29d089dbdb5d2ebd6bfaaa4c9ca04a8d6d2

          SHA256

          8a8ef5b7d4380ab9ca83e7cd6cc684b94032b594305e9ca8abf64b11d2a96887

          SHA512

          3cbfa441f338d8977eea8af0e9f2821afa51c95dc22018d7f753af18e55ca9f647341dbc59df5cb05dc33bea8bb67f17066fc6ac4c1775eb633c9c879cd2e9de

          Download Submit
        • \Users\Admin\AppData\Local\ION\UI0Detect.exe
          MD5

          3cbdec8d06b9968aba702eba076364a1

          SHA1

          6e0fcaccadbdb5e3293aa3523ec1006d92191c58

          SHA256

          b8dab8aa804fc23021bfebd7ae4d40fbe648d6c6ba21cc008e26d1c084972f9b

          SHA512

          a8e434c925ef849ecef0efcb4873dbb95eea2821c967b05afbbe5733071cc2293fc94e7fdf1fdaee51cbcf9885b3b72bfd4d690f23af34558b056920263e465d

          Download Submit
        • \Users\Admin\AppData\Local\ION\WTSAPI32.dll
          MD5

          f820965a0c43908ef32bd8de959fb0f0

          SHA1

          9d98f3e43e1655e32e21211d03fd5885ff3af017

          SHA256

          fd13219b4e3c71d6449031f1e5483bd9fa810789f18463ef1f0b0844bbe0d753

          SHA512

          01218b890a13958fba72f6234092892afe0fd41499f4fd81440ae3eef0bb8d07d74c050bc315a07a56f4de756ef5ed2ab5144b053dde18d31d6a60b004d13950

          Download Submit
        • \Users\Admin\AppData\Local\hZZY\rekeywiz.exe
          MD5

          767c75767b00ccfd41a547bb7b2adfff

          SHA1

          91890853a5476def402910e6507417d400c0d3cb

          SHA256

          bd70e504871a2ac1c883d19b87970c8d1b8b251c784bf777ba77ed764f5f2395

          SHA512

          f096043452a1aa213a5e4d62638de3ee4b0b3ad3d12b7ee0372d8c79e00e2e13b4fd0ebc4206bbdb5124bed292dd5b30ef1641288046ef835f89c332985154f9

          Download Submit
        • \Users\Admin\AppData\Local\hZZY\slc.dll
          MD5

          8e27abf5c321587182ecf2041da8157e

          SHA1

          3876c82c6691da718c0921cf4f0e81ede0440ba6

          SHA256

          fba2ca959c2fe2205fc46422cedb5659f0d78ea76c2c422be9d201bb35ea507a

          SHA512

          98d5fe26ab2da57b27660c6ea1985a0a025436ed2fbc6eb0c527cff271b88e1517b1dfbe2ad6de8fc18736f22fbe17a0c47fb32b1eb856c9d0affb1bf5610d9f

          Download Submit
        • \Users\Admin\AppData\Local\zH8ARe7\FXSCOVER.exe
          MD5

          5e2c61be8e093dbfe7fc37585be42869

          SHA1

          ed46cda4ece3ef187b0cf29ca843a6c6735af6c0

          SHA256

          3d1719c1caa5d6b0358830a30713c43a9710fbf7bcedca20815be54d24aa9121

          SHA512

          90bf180c8f6e3d0286a19fcd4727f23925a39c90113db979e1b4bbf8f0491471ad26c877a6e2cf49638b14050d952a9ee02a3c1293129843ec6bba01bc325d0b

          Download Submit
        • \Users\Admin\AppData\Local\zH8ARe7\MFC42u.dll
          MD5

          47ed7e6f9ed7691a6540fdb1aaefb7a2

          SHA1

          a87bc29d089dbdb5d2ebd6bfaaa4c9ca04a8d6d2

          SHA256

          8a8ef5b7d4380ab9ca83e7cd6cc684b94032b594305e9ca8abf64b11d2a96887

          SHA512

          3cbfa441f338d8977eea8af0e9f2821afa51c95dc22018d7f753af18e55ca9f647341dbc59df5cb05dc33bea8bb67f17066fc6ac4c1775eb633c9c879cd2e9de

          Download Submit
        • \Users\Admin\AppData\Roaming\Adobe\Flash Player\AssetCache\Rx1LaRttpBS\rekeywiz.exe
          MD5

          767c75767b00ccfd41a547bb7b2adfff

          SHA1

          91890853a5476def402910e6507417d400c0d3cb

          SHA256

          bd70e504871a2ac1c883d19b87970c8d1b8b251c784bf777ba77ed764f5f2395

          SHA512

          f096043452a1aa213a5e4d62638de3ee4b0b3ad3d12b7ee0372d8c79e00e2e13b4fd0ebc4206bbdb5124bed292dd5b30ef1641288046ef835f89c332985154f9

          Download Submit
        • memory/112-115-0x0000000140000000-0x0000000140132000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/112-111-0x0000000000000000-mapping.dmp
          Download
        • memory/1288-62-0x0000000140000000-0x0000000140131000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/1288-91-0x0000000140000000-0x0000000140131000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/1288-60-0x0000000140000000-0x0000000140131000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/1288-59-0x0000000140000000-0x0000000140131000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/1288-58-0x0000000140000000-0x0000000140131000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/1288-80-0x0000000140000000-0x0000000140131000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/1288-79-0x0000000140000000-0x0000000140131000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/1288-78-0x0000000140000000-0x0000000140131000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/1288-77-0x0000000140000000-0x0000000140131000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/1288-76-0x0000000140000000-0x0000000140131000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/1288-75-0x0000000140000000-0x0000000140131000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/1288-81-0x0000000140000000-0x0000000140131000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/1288-82-0x0000000140000000-0x0000000140131000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/1288-83-0x0000000140000000-0x0000000140131000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/1288-84-0x0000000140000000-0x0000000140131000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/1288-85-0x0000000140000000-0x0000000140131000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/1288-86-0x0000000140000000-0x0000000140131000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/1288-87-0x0000000140000000-0x0000000140131000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/1288-88-0x0000000140000000-0x0000000140131000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/1288-89-0x0000000140000000-0x0000000140131000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/1288-94-0x0000000140000000-0x0000000140131000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/1288-93-0x0000000140000000-0x0000000140131000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/1288-92-0x0000000140000000-0x0000000140131000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/1288-61-0x0000000140000000-0x0000000140131000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/1288-90-0x0000000140000000-0x0000000140131000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/1288-100-0x0000000077BF0000-0x0000000077BF2000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1288-57-0x0000000002A90000-0x0000000002A91000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1288-65-0x0000000140000000-0x0000000140131000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/1288-63-0x0000000140000000-0x0000000140131000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/1288-64-0x0000000140000000-0x0000000140131000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/1288-66-0x0000000140000000-0x0000000140131000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/1288-73-0x0000000140000000-0x0000000140131000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/1288-74-0x0000000140000000-0x0000000140131000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/1288-72-0x0000000140000000-0x0000000140131000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/1288-67-0x0000000140000000-0x0000000140131000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/1288-68-0x0000000140000000-0x0000000140131000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/1288-69-0x0000000140000000-0x0000000140131000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/1288-70-0x0000000140000000-0x0000000140131000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/1288-71-0x0000000140000000-0x0000000140131000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/1500-54-0x0000000140000000-0x0000000140131000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/1500-56-0x0000000001AC0000-0x0000000001AC7000-memory.dmp
          Filesize

          28KB

          Download
        • memory/1616-118-0x0000000000000000-mapping.dmp
          Download
        • memory/1660-108-0x0000000140000000-0x0000000140138000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/1660-107-0x000000013FA51000-0x000000013FA53000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1660-106-0x000007FEFC2C1000-0x000007FEFC2C3000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1660-102-0x0000000000000000-mapping.dmp
          Download