Overview

overview

10

Static

static

202a5ee7d2...25.dll

windows7_x64

10

202a5ee7d2...25.dll

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    120s
  • platform
    windows10_x64
  • resource
    win10-en-20210920
  • submitted
    30-09-2021 10:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    202a5ee7d2833ecaae0120d63636567895cfcc9ea1cdae12debf6b9131147225.dll

  • Size

    836KB

  • MD5

    dc4936a8b1123fcb1ce8334adeff0f65

  • SHA1

    966b336176a72d29e98c6aeaaa211f790df79427

  • SHA256

    202a5ee7d2833ecaae0120d63636567895cfcc9ea1cdae12debf6b9131147225

  • SHA512

    8f2b2e51dc553188a4626c85dc44368fd6b28c6eb1688ed3af61454d36c79191f234ae4dba306b32eb6e37540ef2a2f1844eeabfd73b5998328459e39f852ba0

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Payload 4 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\202a5ee7d2833ecaae0120d63636567895cfcc9ea1cdae12debf6b9131147225.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2068
  • C:\Windows\system32\SystemPropertiesComputerName.exe
    C:\Windows\system32\SystemPropertiesComputerName.exe
    1⤵
      PID:3600
    • C:\Users\Admin\AppData\Local\q3ub\SystemPropertiesComputerName.exe
      C:\Users\Admin\AppData\Local\q3ub\SystemPropertiesComputerName.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:3612
    • C:\Windows\system32\DmNotificationBroker.exe
      C:\Windows\system32\DmNotificationBroker.exe
      1⤵
        PID:940
      • C:\Users\Admin\AppData\Local\0Arqp0L\DmNotificationBroker.exe
        C:\Users\Admin\AppData\Local\0Arqp0L\DmNotificationBroker.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:340
      • C:\Windows\system32\rdpinput.exe
        C:\Windows\system32\rdpinput.exe
        1⤵
          PID:1288
        • C:\Users\Admin\AppData\Local\z5dotW\rdpinput.exe
          C:\Users\Admin\AppData\Local\z5dotW\rdpinput.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:992

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Persistence

        Registry Run Keys / Startup Folder

        1
        T1060

        Privilege Escalation

        Defense Evasion

        Modify Registry

        1
        T1112

        Credential Access

        Discovery

        System Information Discovery

        1
        T1082

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\0Arqp0L\DUI70.dll
          MD5

          6f0028edc08ee92299d952dfe5bd69ff

          SHA1

          491e5076cff4119ef8bc0f6e04a4e4b061f5fd61

          SHA256

          f113272d659cd8145916b690406c8a8d3c70f01c2ef7ec9e2b5d6c8f5d1b9c20

          SHA512

          99747f5a6498081a06ea38b693528fa745e4225dc8e20d5b1008e3b6dd03c2eecd5ce0f1705242a9b4bc2dc67df6f0270f1f7d154bf682e67639eaf9941de858

          Download Submit
        • C:\Users\Admin\AppData\Local\0Arqp0L\DmNotificationBroker.exe
          MD5

          80650482bacf349d2d4aadc99e916da7

          SHA1

          7c3d6eb2fc82cfa2122f115b80d49a9887d089de

          SHA256

          1cb2fe49a4d07375b6216bc51c372a3c78a96443765672ded3624d279c37c715

          SHA512

          d3bf9501b25ffe7145dda9cf3aa521854949ed11ebb5dd48aba7aab16d3b0d75dfe8976d3c3b932cc4eb2f77cf185a0b2d81965e055fdb3c5606400d77824a56

          Download Submit
        • C:\Users\Admin\AppData\Local\q3ub\SYSDM.CPL
          MD5

          9fb2a59303eb7e12588dffc56c0bd8ba

          SHA1

          cb67b26946fb2dd09b720c25a8b0fb0980ffab8c

          SHA256

          583220a5e565cfd7245187123f2a7d1ee68a588a6f1f4e10ad7a4e2f1cc437cc

          SHA512

          6053a74d31661c7941995741e83ff8d687903cad3426b5c1f22b214068d976234d8eec34fe1c2b9983772869d9713d2db7b8d1f6b9564d4b5bcc320a1ebbee03

          Download Submit
        • C:\Users\Admin\AppData\Local\q3ub\SystemPropertiesComputerName.exe
          MD5

          d2d62d055f517f71b0fd9a649727ff6c

          SHA1

          43f627215d57e0396ad74e9b0ed4bd29f60fca33

          SHA256

          222d3d4f7c8f64beb0a0007120b4411c2040c50e1d376420228151bdd230fe7d

          SHA512

          f46e02a465425a148fcd4be5fda0889c412eeab4c50abf9874b3ee02af83c96403167c99aa57961e1c631a5a7a5070e8a1c363688581ff83ed176b4206564cd0

          Download Submit
        • C:\Users\Admin\AppData\Local\z5dotW\WINSTA.dll
          MD5

          db1ad05870c2abd8874ba4df2e0a7d3d

          SHA1

          a3f36cecf67a7714a8df407d7bf15168b8911999

          SHA256

          4e9f1cbdb2fe43380a92d3a293bf29b23ca33db67314dc925399473ccaebbdd4

          SHA512

          e7b4f2d9da51335f4ef957725dfda6100d9f813db799b07fcbf7fe3f0e1102f7bae957e48409cca207f6ad6aad1f80ed8d8af3d29078cd321f6fcb2b7e912ad7

          Download Submit
        • C:\Users\Admin\AppData\Local\z5dotW\rdpinput.exe
          MD5

          431364c49991ebfea19b468020368e08

          SHA1

          c36c8a01ccd17b8ec754fe92d1e03558bb3f05ac

          SHA256

          6c59ea8b7807d9cc9de5c67cf679a1fb1bed4629da1f0a071e03af775de8e4fc

          SHA512

          6b2baeb9abc1277fef874ead7d0c4b2b5c5953b8f9db5ae056a14a0af6edb6482b303e7f4ba5237a22e62919f09cd8334692dd58053754ed18837ace14565d8f

          Download Submit
        • \Users\Admin\AppData\Local\0Arqp0L\DUI70.dll
          MD5

          6f0028edc08ee92299d952dfe5bd69ff

          SHA1

          491e5076cff4119ef8bc0f6e04a4e4b061f5fd61

          SHA256

          f113272d659cd8145916b690406c8a8d3c70f01c2ef7ec9e2b5d6c8f5d1b9c20

          SHA512

          99747f5a6498081a06ea38b693528fa745e4225dc8e20d5b1008e3b6dd03c2eecd5ce0f1705242a9b4bc2dc67df6f0270f1f7d154bf682e67639eaf9941de858

          Download Submit
        • \Users\Admin\AppData\Local\q3ub\SYSDM.CPL
          MD5

          9fb2a59303eb7e12588dffc56c0bd8ba

          SHA1

          cb67b26946fb2dd09b720c25a8b0fb0980ffab8c

          SHA256

          583220a5e565cfd7245187123f2a7d1ee68a588a6f1f4e10ad7a4e2f1cc437cc

          SHA512

          6053a74d31661c7941995741e83ff8d687903cad3426b5c1f22b214068d976234d8eec34fe1c2b9983772869d9713d2db7b8d1f6b9564d4b5bcc320a1ebbee03

          Download Submit
        • \Users\Admin\AppData\Local\z5dotW\WINSTA.dll
          MD5

          db1ad05870c2abd8874ba4df2e0a7d3d

          SHA1

          a3f36cecf67a7714a8df407d7bf15168b8911999

          SHA256

          4e9f1cbdb2fe43380a92d3a293bf29b23ca33db67314dc925399473ccaebbdd4

          SHA512

          e7b4f2d9da51335f4ef957725dfda6100d9f813db799b07fcbf7fe3f0e1102f7bae957e48409cca207f6ad6aad1f80ed8d8af3d29078cd321f6fcb2b7e912ad7

          Download Submit
        • memory/340-174-0x0000000140000000-0x0000000140117000-memory.dmp
          Filesize

          1.1MB

          Download
        • memory/340-170-0x0000000000000000-mapping.dmp
          Download
        • memory/992-179-0x0000000000000000-mapping.dmp
          Download
        • memory/992-183-0x0000000140000000-0x00000001400D3000-memory.dmp
          Filesize

          844KB

          Download
        • memory/2068-115-0x0000000140000000-0x00000001400D1000-memory.dmp
          Filesize

          836KB

          Download
        • memory/2068-120-0x000001604E290000-0x000001604E297000-memory.dmp
          Filesize

          28KB

          Download
        • memory/2648-131-0x0000000140000000-0x00000001400D1000-memory.dmp
          Filesize

          836KB

          Download
        • memory/2648-159-0x00007FFE19694320-0x00007FFE19695320-memory.dmp
          Filesize

          4KB

          Download
        • memory/2648-136-0x0000000140000000-0x00000001400D1000-memory.dmp
          Filesize

          836KB

          Download
        • memory/2648-137-0x0000000140000000-0x00000001400D1000-memory.dmp
          Filesize

          836KB

          Download
        • memory/2648-138-0x0000000140000000-0x00000001400D1000-memory.dmp
          Filesize

          836KB

          Download
        • memory/2648-139-0x0000000140000000-0x00000001400D1000-memory.dmp
          Filesize

          836KB

          Download
        • memory/2648-140-0x0000000140000000-0x00000001400D1000-memory.dmp
          Filesize

          836KB

          Download
        • memory/2648-142-0x0000000140000000-0x00000001400D1000-memory.dmp
          Filesize

          836KB

          Download
        • memory/2648-141-0x0000000140000000-0x00000001400D1000-memory.dmp
          Filesize

          836KB

          Download
        • memory/2648-143-0x0000000140000000-0x00000001400D1000-memory.dmp
          Filesize

          836KB

          Download
        • memory/2648-144-0x0000000140000000-0x00000001400D1000-memory.dmp
          Filesize

          836KB

          Download
        • memory/2648-145-0x0000000140000000-0x00000001400D1000-memory.dmp
          Filesize

          836KB

          Download
        • memory/2648-147-0x0000000140000000-0x00000001400D1000-memory.dmp
          Filesize

          836KB

          Download
        • memory/2648-148-0x0000000140000000-0x00000001400D1000-memory.dmp
          Filesize

          836KB

          Download
        • memory/2648-149-0x0000000140000000-0x00000001400D1000-memory.dmp
          Filesize

          836KB

          Download
        • memory/2648-150-0x0000000140000000-0x00000001400D1000-memory.dmp
          Filesize

          836KB

          Download
        • memory/2648-146-0x0000000140000000-0x00000001400D1000-memory.dmp
          Filesize

          836KB

          Download
        • memory/2648-135-0x0000000140000000-0x00000001400D1000-memory.dmp
          Filesize

          836KB

          Download
        • memory/2648-160-0x00007FFE19664320-0x00007FFE19665320-memory.dmp
          Filesize

          4KB

          Download
        • memory/2648-121-0x0000000000B80000-0x0000000000B81000-memory.dmp
          Filesize

          4KB

          Download
        • memory/2648-134-0x0000000140000000-0x00000001400D1000-memory.dmp
          Filesize

          836KB

          Download
        • memory/2648-133-0x0000000140000000-0x00000001400D1000-memory.dmp
          Filesize

          836KB

          Download
        • memory/2648-132-0x0000000140000000-0x00000001400D1000-memory.dmp
          Filesize

          836KB

          Download
        • memory/2648-123-0x0000000140000000-0x00000001400D1000-memory.dmp
          Filesize

          836KB

          Download
        • memory/2648-130-0x0000000140000000-0x00000001400D1000-memory.dmp
          Filesize

          836KB

          Download
        • memory/2648-129-0x0000000140000000-0x00000001400D1000-memory.dmp
          Filesize

          836KB

          Download
        • memory/2648-128-0x0000000140000000-0x00000001400D1000-memory.dmp
          Filesize

          836KB

          Download
        • memory/2648-126-0x0000000140000000-0x00000001400D1000-memory.dmp
          Filesize

          836KB

          Download
        • memory/2648-127-0x0000000140000000-0x00000001400D1000-memory.dmp
          Filesize

          836KB

          Download
        • memory/2648-125-0x0000000140000000-0x00000001400D1000-memory.dmp
          Filesize

          836KB

          Download
        • memory/2648-124-0x0000000140000000-0x00000001400D1000-memory.dmp
          Filesize

          836KB

          Download
        • memory/2648-122-0x0000000140000000-0x00000001400D1000-memory.dmp
          Filesize

          836KB

          Download
        • memory/3612-165-0x0000000140000000-0x00000001400D2000-memory.dmp
          Filesize

          840KB

          Download
        • memory/3612-161-0x0000000000000000-mapping.dmp
          Download