Overview

overview

10

Static

static

c876113220...94.dll

windows7_x64

10

c876113220...94.dll

windows10_x64

10

Analysis

  • max time kernel
    163s
  • max time network
    143s
  • platform
    windows10_x64
  • resource
    win10-en-20211104
  • submitted
    26-11-2021 09:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c876113220b534ba1da612f3ca0eb30a735548a20e6b70b5bf547bc7ce3e1794.dll

  • Size

    1.5MB

  • MD5

    9b7b23ecfe0f8461fd0d9a7e5e590e31

  • SHA1

    616a00949db4ce3fb3e13ddfda0f288ad39d2877

  • SHA256

    c876113220b534ba1da612f3ca0eb30a735548a20e6b70b5bf547bc7ce3e1794

  • SHA512

    1f715cf068481951a697caa17ed94ddf3afec21186de5674d4d138a2ae8635e8f5879053fca0ec99bf33169737d8298146f000702a900487a8c5f45d5bc53875

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 5 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\c876113220b534ba1da612f3ca0eb30a735548a20e6b70b5bf547bc7ce3e1794.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    PID:3764
  • C:\Windows\system32\Magnify.exe
    C:\Windows\system32\Magnify.exe
    1⤵
      PID:1276
    • C:\Users\Admin\AppData\Local\HWS\Magnify.exe
      C:\Users\Admin\AppData\Local\HWS\Magnify.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      • Suspicious behavior: GetForegroundWindowSpam
      PID:1272
    • C:\Windows\system32\RdpSaUacHelper.exe
      C:\Windows\system32\RdpSaUacHelper.exe
      1⤵
        PID:1500
      • C:\Users\Admin\AppData\Local\bczZecb\RdpSaUacHelper.exe
        C:\Users\Admin\AppData\Local\bczZecb\RdpSaUacHelper.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        • Suspicious behavior: GetForegroundWindowSpam
        PID:1660
      • C:\Windows\system32\Magnify.exe
        C:\Windows\system32\Magnify.exe
        1⤵
          PID:720
        • C:\Users\Admin\AppData\Local\CXmBroCG\Magnify.exe
          C:\Users\Admin\AppData\Local\CXmBroCG\Magnify.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          • Suspicious behavior: GetForegroundWindowSpam
          PID:1104

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\CXmBroCG\Magnify.exe
          MD5

          0c3925b9a284f0dd02571d0d2bca19ee

          SHA1

          a73451bb2ddd09397cb7737d36a75c0cdfdf9d51

          SHA256

          41e91d736995628275261aa1adb14158e0783b36c913ef5fc681da105a4272cc

          SHA512

          db02a3211b1b2cf7b10cd70148404106be6cb4a63c7c0c0526256f983c3ad756c157a67848173208e7c0d88a8f34b73c42d37b24f5cc1f9da66731731a534a72

          Download Submit

        • C:\Users\Admin\AppData\Local\CXmBroCG\OLEACC.dll
          MD5

          be2b908ea709252a7d6e48826c6f4eb9

          SHA1

          b1adcae7e16bd74848f568d58ea4bc601c8f8ed3

          SHA256

          dc55fcd4f459e056ca687ee8a78589ff88d3160f5bdfc14b59f80f585a466b5f

          SHA512

          fad070839dce8a7255f39134c147e2fb9c39e924735dc32fa001815b5705223eae9a842e4ca0a38f0cbf442651d7b8d567007b6b4e4bdb507cd616816a6b440d

          Download Submit

        • C:\Users\Admin\AppData\Local\HWS\DUI70.dll
          MD5

          b19279254e270cfd7b785a7b53f930ff

          SHA1

          2736eadf5bdbb4a38519243ebb460d60148a00b0

          SHA256

          5392b39662e0885caff964317938470a876a092158474527a35cd1f95d9c9ada

          SHA512

          3268c310d2f6213861e72ad751a1cb832eaf54b7f2d834c1302dfd0f927789c7b0f7d2da379d15f7e011037107ddb5cd7a83d12c6e899dd27a6cf64c7d035cd5

          Download Submit

        • C:\Users\Admin\AppData\Local\HWS\Magnify.exe
          MD5

          0c3925b9a284f0dd02571d0d2bca19ee

          SHA1

          a73451bb2ddd09397cb7737d36a75c0cdfdf9d51

          SHA256

          41e91d736995628275261aa1adb14158e0783b36c913ef5fc681da105a4272cc

          SHA512

          db02a3211b1b2cf7b10cd70148404106be6cb4a63c7c0c0526256f983c3ad756c157a67848173208e7c0d88a8f34b73c42d37b24f5cc1f9da66731731a534a72

          Download Submit

        • C:\Users\Admin\AppData\Local\bczZecb\RdpSaUacHelper.exe
          MD5

          0e8c26287144226d1e9db0d3fd02102f

          SHA1

          2c800a7226c1e6f29c26899525c7c2d1eb850943

          SHA256

          4e190c57b28faba314b89b0504c82f578bd988478807ba5b1ada1cd238f8aac0

          SHA512

          673559d1c321950187625b04a04f8708ed50f13f84f0f7470b55552374b32ae4a382bd30671029513077f65cd32f50577653e87bf272c706476d20785f976236

          Download Submit

        • C:\Users\Admin\AppData\Local\bczZecb\WINSTA.dll
          MD5

          dd34f3feea11bc5f25976eb42549118e

          SHA1

          2f3e6f083dbe439c6e364fa20f4d5fd2d84eb413

          SHA256

          4b396ec3d314f581d0e7d3bc1a4e78e4162410901ca5773467db23f3bdc39763

          SHA512

          0cb2eb6635cbe128f3c1fcdf9c483ebfaa4e61159e63a0f87fc251a061911b746280822b9f9d6aff597e543febf1a92a506855ca0c66d800d5a17b018ac486f3

          Download Submit

        • \Users\Admin\AppData\Local\CXmBroCG\OLEACC.dll
          MD5

          be2b908ea709252a7d6e48826c6f4eb9

          SHA1

          b1adcae7e16bd74848f568d58ea4bc601c8f8ed3

          SHA256

          dc55fcd4f459e056ca687ee8a78589ff88d3160f5bdfc14b59f80f585a466b5f

          SHA512

          fad070839dce8a7255f39134c147e2fb9c39e924735dc32fa001815b5705223eae9a842e4ca0a38f0cbf442651d7b8d567007b6b4e4bdb507cd616816a6b440d

          Download Submit

        • \Users\Admin\AppData\Local\HWS\DUI70.dll
          MD5

          b19279254e270cfd7b785a7b53f930ff

          SHA1

          2736eadf5bdbb4a38519243ebb460d60148a00b0

          SHA256

          5392b39662e0885caff964317938470a876a092158474527a35cd1f95d9c9ada

          SHA512

          3268c310d2f6213861e72ad751a1cb832eaf54b7f2d834c1302dfd0f927789c7b0f7d2da379d15f7e011037107ddb5cd7a83d12c6e899dd27a6cf64c7d035cd5

          Download Submit

        • \Users\Admin\AppData\Local\bczZecb\WINSTA.dll
          MD5

          dd34f3feea11bc5f25976eb42549118e

          SHA1

          2f3e6f083dbe439c6e364fa20f4d5fd2d84eb413

          SHA256

          4b396ec3d314f581d0e7d3bc1a4e78e4162410901ca5773467db23f3bdc39763

          SHA512

          0cb2eb6635cbe128f3c1fcdf9c483ebfaa4e61159e63a0f87fc251a061911b746280822b9f9d6aff597e543febf1a92a506855ca0c66d800d5a17b018ac486f3

          Download Submit

        • memory/1104-177-0x0000000140000000-0x0000000140176000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/1104-180-0x0000025FD8140000-0x0000025FD8142000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1104-181-0x0000025FD8140000-0x0000025FD8142000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1104-173-0x0000000000000000-mapping.dmp

          Download

        • memory/1104-182-0x0000025FD8140000-0x0000025FD8142000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1272-161-0x0000020A64AB0000-0x0000020A64AB2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1272-162-0x0000020A64AB0000-0x0000020A64AB2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1272-153-0x0000000000000000-mapping.dmp

          Download

        • memory/1272-160-0x0000020A64AB0000-0x0000020A64AB2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1272-157-0x0000000140000000-0x00000001401BB000-memory.dmp

          Filesize

          1.7MB

          Download

        • memory/1660-167-0x0000000140000000-0x0000000140177000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/1660-163-0x0000000000000000-mapping.dmp

          Download

        • memory/1660-170-0x000001D29C980000-0x000001D29C982000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1660-171-0x000001D29C980000-0x000001D29C982000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1660-172-0x000001D29C980000-0x000001D29C982000-memory.dmp

          Filesize

          8KB

          Download

        • memory/3056-136-0x0000000140000000-0x0000000140175000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/3056-134-0x0000000140000000-0x0000000140175000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/3056-151-0x0000000000670000-0x0000000000672000-memory.dmp

          Filesize

          8KB

          Download

        • memory/3056-152-0x00007FFDD47D0000-0x00007FFDD47D2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/3056-149-0x0000000000670000-0x0000000000672000-memory.dmp

          Filesize

          8KB

          Download

        • memory/3056-148-0x0000000000670000-0x0000000000672000-memory.dmp

          Filesize

          8KB

          Download

        • memory/3056-142-0x0000000140000000-0x0000000140175000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/3056-141-0x0000000140000000-0x0000000140175000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/3056-127-0x0000000140000000-0x0000000140175000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/3056-140-0x0000000140000000-0x0000000140175000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/3056-129-0x0000000140000000-0x0000000140175000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/3056-138-0x0000000140000000-0x0000000140175000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/3056-139-0x0000000140000000-0x0000000140175000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/3056-150-0x00007FFDD4695000-0x00007FFDD4696000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3056-137-0x0000000140000000-0x0000000140175000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/3056-124-0x0000000000660000-0x0000000000661000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3056-135-0x0000000140000000-0x0000000140175000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/3056-133-0x0000000140000000-0x0000000140175000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/3056-132-0x0000000140000000-0x0000000140175000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/3056-130-0x0000000140000000-0x0000000140175000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/3056-131-0x0000000140000000-0x0000000140175000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/3056-128-0x0000000140000000-0x0000000140175000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/3056-126-0x0000000140000000-0x0000000140175000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/3056-125-0x0000000140000000-0x0000000140175000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/3764-118-0x0000000140000000-0x0000000140175000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/3764-123-0x000001E2BA3F0000-0x000001E2BA3F7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3764-122-0x000001E2BA400000-0x000001E2BA402000-memory.dmp

          Filesize

          8KB

          Download

        • memory/3764-121-0x000001E2BA400000-0x000001E2BA402000-memory.dmp

          Filesize

          8KB

          Download