Overview

overview

10

Static

static

97058d4465...70.dll

windows7_x64

10

97058d4465...70.dll

windows10_x64

10

Analysis

  • max time kernel
    151s
  • max time network
    44s
  • platform
    windows7_x64
  • resource
    win7-en-20210920
  • submitted
    28-09-2021 09:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    97058d4465daae2446886d425d9a8215df518e6845e8a4bedb30acea4e8d2070.dll

  • Size

    1.2MB

  • MD5

    2955d4759afce09a41c1df5b108f0287

  • SHA1

    11e277c3c987b4119909dd099a5f901e074698e3

  • SHA256

    97058d4465daae2446886d425d9a8215df518e6845e8a4bedb30acea4e8d2070

  • SHA512

    1cb1adb483d7652ac7c41fc471612d9ee14415763c753e269645a97917050cf1e144daa679f09714a29b9d00d6234606eed407c9735c0d4bb3bfe12ca9b74a80

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\97058d4465daae2446886d425d9a8215df518e6845e8a4bedb30acea4e8d2070.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1432
  • C:\Windows\system32\wextract.exe
    C:\Windows\system32\wextract.exe
    1⤵
      PID:608
    • C:\Users\Admin\AppData\Local\hmM\wextract.exe
      C:\Users\Admin\AppData\Local\hmM\wextract.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:1796
    • C:\Windows\system32\msdtc.exe
      C:\Windows\system32\msdtc.exe
      1⤵
        PID:1124
      • C:\Users\Admin\AppData\Local\CXfb2EeHw\msdtc.exe
        C:\Users\Admin\AppData\Local\CXfb2EeHw\msdtc.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:1472
      • C:\Windows\system32\SystemPropertiesComputerName.exe
        C:\Windows\system32\SystemPropertiesComputerName.exe
        1⤵
          PID:1808
        • C:\Users\Admin\AppData\Local\A9ExTAy\SystemPropertiesComputerName.exe
          C:\Users\Admin\AppData\Local\A9ExTAy\SystemPropertiesComputerName.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1812

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Persistence

        Registry Run Keys / Startup Folder

        1
        T1060

        Privilege Escalation

        Defense Evasion

        Modify Registry

        1
        T1112

        Credential Access

        Discovery

        System Information Discovery

        1
        T1082

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\A9ExTAy\SYSDM.CPL
          MD5

          636986fc3205e5038698e54d38d086c9

          SHA1

          74de62503bd924ecee2c29273e4f1d19343c47e0

          SHA256

          5c7f33a5ccf4b0e333226925b5bdcdb656e19d63456ce2bba1ebe5c8903c88a8

          SHA512

          047d882667a68676ab93e76ee68d5c1476c4e538205b04fa737f5bef1f0bc05203102ab41dc0402408155d586144e95200136bbe39304d2f40bb50dfd9f080eb

          Download Submit
        • C:\Users\Admin\AppData\Local\A9ExTAy\SystemPropertiesComputerName.exe
          MD5

          bd889683916aa93e84e1a75802918acf

          SHA1

          5ee66571359178613a4256a7470c2c3e6dd93cfa

          SHA256

          0e22894595891a9ff9706e03b3db31a751541c4a773f82420fce57237d6c47cf

          SHA512

          9d76de848b319f44657fb7fbe5a3b927774ae999362ff811a199002ffa77ad9e1638a65a271388e605ab5e5a7cb6ce5aa7fcabc3ed583ade00eaa4c265552026

          Download Submit
        • C:\Users\Admin\AppData\Local\CXfb2EeHw\VERSION.dll
          MD5

          c5db4ce74fc22b5aae27f2dccbc6a422

          SHA1

          10b6128bb46078378fe3389e179eae506e23e8ff

          SHA256

          fea1bdd1156049f64d91815bb14cfea1f2dc801ff1d8005c1043c28c841ff083

          SHA512

          3180f7e0ed59e932ea2843e538bfef3679965533ceaae63764c9d42b4d0b0665d5c7bee34e3301676b1acb8bc342e5f601e896f122baf289c31293f139991647

          Download Submit
        • C:\Users\Admin\AppData\Local\CXfb2EeHw\msdtc.exe
          MD5

          de0ece52236cfa3ed2dbfc03f28253a8

          SHA1

          84bbd2495c1809fcd19b535d41114e4fb101466c

          SHA256

          2fbbec4cacb5161f68d7c2935852a5888945ca0f107cf8a1c01f4528ce407de3

          SHA512

          69386134667626c60c99d941c8ab52f8e5235e3897b5af76965572287afd5dcd42b8207a520587844a57a268e4decb3f3c550e5b7a06230ee677dc5e40c50bb3

          Download Submit
        • C:\Users\Admin\AppData\Local\hmM\VERSION.dll
          MD5

          676e2db931d2c79597632b55b3a7e4e2

          SHA1

          81074e3503557e67d4408547824969f16ba17ae7

          SHA256

          d3641fbd788057afc08ccbc4eff63dd85131a61de8fe4ecf87136f6dc66ca8d6

          SHA512

          c491eed674af70b8b50c9c094b78137327b429f5768afa78fd52084061911d4b383c43024ac404f084057aab3d6cbf229f17b545c43e01b45b8648a3d82bb3ea

          Download Submit
        • C:\Users\Admin\AppData\Local\hmM\wextract.exe
          MD5

          1ea6500c25a80e8bdb65099c509af993

          SHA1

          6a090ef561feb4ae1c6794de5b19c5e893c4aafc

          SHA256

          99123d4e7bf93aa7f3315a432307c8b0cbaf24ad2cfb46edc149edbe24de4ca2

          SHA512

          b8f9f1ab48671e382d1385c34f0f19fc52fc0061e00db53bbbc2cdaee6d8a3f245707329f98e9167c53721aeaddcebfe66632729b6bcc98892031fd9914fb1fb

          Download Submit
        • \Users\Admin\AppData\Local\A9ExTAy\SYSDM.CPL
          MD5

          636986fc3205e5038698e54d38d086c9

          SHA1

          74de62503bd924ecee2c29273e4f1d19343c47e0

          SHA256

          5c7f33a5ccf4b0e333226925b5bdcdb656e19d63456ce2bba1ebe5c8903c88a8

          SHA512

          047d882667a68676ab93e76ee68d5c1476c4e538205b04fa737f5bef1f0bc05203102ab41dc0402408155d586144e95200136bbe39304d2f40bb50dfd9f080eb

          Download Submit
        • \Users\Admin\AppData\Local\A9ExTAy\SystemPropertiesComputerName.exe
          MD5

          bd889683916aa93e84e1a75802918acf

          SHA1

          5ee66571359178613a4256a7470c2c3e6dd93cfa

          SHA256

          0e22894595891a9ff9706e03b3db31a751541c4a773f82420fce57237d6c47cf

          SHA512

          9d76de848b319f44657fb7fbe5a3b927774ae999362ff811a199002ffa77ad9e1638a65a271388e605ab5e5a7cb6ce5aa7fcabc3ed583ade00eaa4c265552026

          Download Submit
        • \Users\Admin\AppData\Local\CXfb2EeHw\VERSION.dll
          MD5

          c5db4ce74fc22b5aae27f2dccbc6a422

          SHA1

          10b6128bb46078378fe3389e179eae506e23e8ff

          SHA256

          fea1bdd1156049f64d91815bb14cfea1f2dc801ff1d8005c1043c28c841ff083

          SHA512

          3180f7e0ed59e932ea2843e538bfef3679965533ceaae63764c9d42b4d0b0665d5c7bee34e3301676b1acb8bc342e5f601e896f122baf289c31293f139991647

          Download Submit
        • \Users\Admin\AppData\Local\CXfb2EeHw\msdtc.exe
          MD5

          de0ece52236cfa3ed2dbfc03f28253a8

          SHA1

          84bbd2495c1809fcd19b535d41114e4fb101466c

          SHA256

          2fbbec4cacb5161f68d7c2935852a5888945ca0f107cf8a1c01f4528ce407de3

          SHA512

          69386134667626c60c99d941c8ab52f8e5235e3897b5af76965572287afd5dcd42b8207a520587844a57a268e4decb3f3c550e5b7a06230ee677dc5e40c50bb3

          Download Submit
        • \Users\Admin\AppData\Local\hmM\VERSION.dll
          MD5

          676e2db931d2c79597632b55b3a7e4e2

          SHA1

          81074e3503557e67d4408547824969f16ba17ae7

          SHA256

          d3641fbd788057afc08ccbc4eff63dd85131a61de8fe4ecf87136f6dc66ca8d6

          SHA512

          c491eed674af70b8b50c9c094b78137327b429f5768afa78fd52084061911d4b383c43024ac404f084057aab3d6cbf229f17b545c43e01b45b8648a3d82bb3ea

          Download Submit
        • \Users\Admin\AppData\Local\hmM\wextract.exe
          MD5

          1ea6500c25a80e8bdb65099c509af993

          SHA1

          6a090ef561feb4ae1c6794de5b19c5e893c4aafc

          SHA256

          99123d4e7bf93aa7f3315a432307c8b0cbaf24ad2cfb46edc149edbe24de4ca2

          SHA512

          b8f9f1ab48671e382d1385c34f0f19fc52fc0061e00db53bbbc2cdaee6d8a3f245707329f98e9167c53721aeaddcebfe66632729b6bcc98892031fd9914fb1fb

          Download Submit
        • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\iSQaq1cAl\SystemPropertiesComputerName.exe
          MD5

          bd889683916aa93e84e1a75802918acf

          SHA1

          5ee66571359178613a4256a7470c2c3e6dd93cfa

          SHA256

          0e22894595891a9ff9706e03b3db31a751541c4a773f82420fce57237d6c47cf

          SHA512

          9d76de848b319f44657fb7fbe5a3b927774ae999362ff811a199002ffa77ad9e1638a65a271388e605ab5e5a7cb6ce5aa7fcabc3ed583ade00eaa4c265552026

          Download Submit
        • memory/1204-68-0x0000000140000000-0x000000014012B000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/1204-91-0x0000000140000000-0x000000014012B000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/1204-70-0x0000000140000000-0x000000014012B000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/1204-71-0x0000000140000000-0x000000014012B000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/1204-72-0x0000000140000000-0x000000014012B000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/1204-73-0x0000000140000000-0x000000014012B000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/1204-82-0x0000000140000000-0x000000014012B000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/1204-86-0x0000000140000000-0x000000014012B000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/1204-87-0x0000000140000000-0x000000014012B000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/1204-85-0x0000000140000000-0x000000014012B000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/1204-84-0x0000000140000000-0x000000014012B000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/1204-83-0x0000000140000000-0x000000014012B000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/1204-81-0x0000000140000000-0x000000014012B000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/1204-80-0x0000000140000000-0x000000014012B000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/1204-79-0x0000000140000000-0x000000014012B000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/1204-78-0x0000000140000000-0x000000014012B000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/1204-77-0x0000000140000000-0x000000014012B000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/1204-76-0x0000000140000000-0x000000014012B000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/1204-75-0x0000000140000000-0x000000014012B000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/1204-88-0x0000000140000000-0x000000014012B000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/1204-74-0x0000000140000000-0x000000014012B000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/1204-57-0x0000000002930000-0x0000000002931000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1204-90-0x0000000140000000-0x000000014012B000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/1204-89-0x0000000140000000-0x000000014012B000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/1204-97-0x0000000077900000-0x0000000077902000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1204-69-0x0000000140000000-0x000000014012B000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/1204-58-0x0000000140000000-0x000000014012B000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/1204-67-0x0000000140000000-0x000000014012B000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/1204-59-0x0000000140000000-0x000000014012B000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/1204-64-0x0000000140000000-0x000000014012B000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/1204-66-0x0000000140000000-0x000000014012B000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/1204-60-0x0000000140000000-0x000000014012B000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/1204-65-0x0000000140000000-0x000000014012B000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/1204-63-0x0000000140000000-0x000000014012B000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/1204-61-0x0000000140000000-0x000000014012B000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/1204-62-0x0000000140000000-0x000000014012B000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/1432-54-0x0000000140000000-0x000000014012B000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/1432-56-0x00000000002A0000-0x00000000002A7000-memory.dmp
          Filesize

          28KB

          Download
        • memory/1472-107-0x0000000000000000-mapping.dmp
          Download
        • memory/1796-104-0x0000000140000000-0x000000014012C000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/1796-101-0x000007FEFBFD1000-0x000007FEFBFD3000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1796-99-0x0000000000000000-mapping.dmp
          Download
        • memory/1812-114-0x0000000000000000-mapping.dmp
          Download