Overview

overview

10

Static

static

1424567126...16.dll

windows7_x64

10

1424567126...16.dll

windows10_x64

10

Analysis

  • max time kernel
    152s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-en-20211104
  • submitted
    26-11-2021 09:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1424567126d25f416f5368a61891158af6cd71fcf72a337affedbaa0360db816.dll

  • Size

    1.4MB

  • MD5

    68e9d541c4cd375f03051c96191ba135

  • SHA1

    8174c682609623084c550515d95dc25aca40db33

  • SHA256

    1424567126d25f416f5368a61891158af6cd71fcf72a337affedbaa0360db816

  • SHA512

    1b35f41092842370b49b46066c5e3325f51f24f00f96be2379c1107e1faf9620a3cfdf86d23511ddae9eb2d91e4171835cdc374d697ac4e32fa5d058bca03a86

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 5 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\1424567126d25f416f5368a61891158af6cd71fcf72a337affedbaa0360db816.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    PID:1664
  • C:\Windows\system32\SystemPropertiesHardware.exe
    C:\Windows\system32\SystemPropertiesHardware.exe
    1⤵
      PID:960
    • C:\Users\Admin\AppData\Local\zQGK\SystemPropertiesHardware.exe
      C:\Users\Admin\AppData\Local\zQGK\SystemPropertiesHardware.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      • Suspicious behavior: GetForegroundWindowSpam
      PID:800
    • C:\Windows\system32\rekeywiz.exe
      C:\Windows\system32\rekeywiz.exe
      1⤵
        PID:1788
      • C:\Users\Admin\AppData\Local\UiRbrXa7\rekeywiz.exe
        C:\Users\Admin\AppData\Local\UiRbrXa7\rekeywiz.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        • Suspicious behavior: GetForegroundWindowSpam
        PID:1916
      • C:\Windows\system32\winlogon.exe
        C:\Windows\system32\winlogon.exe
        1⤵
          PID:1164
        • C:\Users\Admin\AppData\Local\NFe9tnl\winlogon.exe
          C:\Users\Admin\AppData\Local\NFe9tnl\winlogon.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          • Suspicious behavior: GetForegroundWindowSpam
          PID:856

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\NFe9tnl\WINSTA.dll
          MD5

          caced8d26e8dfddaaab86be9cb912dbb

          SHA1

          b6323b78d562654104cf21637809d62deeebe0c3

          SHA256

          160af40f1c235a8a783194bf77cfd8152da9df68a913d7c64fe7aa08ed5debc8

          SHA512

          c43868905b8dbbf94ac8d3464fdec0f7c4bb652a9be54e7c75a02f70059a04b20d3a53a62bcd9a712c69a97d3fd32d7817223377ae9992fc6e57d25582043054

          Download Submit
        • C:\Users\Admin\AppData\Local\NFe9tnl\winlogon.exe
          MD5

          1151b1baa6f350b1db6598e0fea7c457

          SHA1

          434856b834baf163c5ea4d26434eeae775a507fb

          SHA256

          b1506e0a7e826eff0f5252ef5026070c46e2235438403a9a24d73ee69c0b8a49

          SHA512

          df728d06238da1dece96f8b8d67a2423ed4dcb344b42d5958768d23bd570a79e7189e7c5ba783c1628fe8ddd1deaebeacb1b471c59c8a7c9beb21b4f1eb9edab

          Download Submit
        • C:\Users\Admin\AppData\Local\UiRbrXa7\rekeywiz.exe
          MD5

          767c75767b00ccfd41a547bb7b2adfff

          SHA1

          91890853a5476def402910e6507417d400c0d3cb

          SHA256

          bd70e504871a2ac1c883d19b87970c8d1b8b251c784bf777ba77ed764f5f2395

          SHA512

          f096043452a1aa213a5e4d62638de3ee4b0b3ad3d12b7ee0372d8c79e00e2e13b4fd0ebc4206bbdb5124bed292dd5b30ef1641288046ef835f89c332985154f9

          Download Submit
        • C:\Users\Admin\AppData\Local\UiRbrXa7\slc.dll
          MD5

          d3b2c3a62fcdb3b5cffe945f09257d28

          SHA1

          0e86cd9fb8a28d193a027a65da1ef8d2c44d0446

          SHA256

          67c1dc9ff0ff016408dce7a2bdf007af73b4ca1ebfc99cecfd9b93e5586ea86a

          SHA512

          c0c82e1b3a47a0693770af4d2a5b31c916c36f96c38d69035f7c421f35a6cd027fbfaa9f5f0352242979e0152bb8e917d8c48f86d0411e3a86982a725a6decd4

          Download Submit
        • C:\Users\Admin\AppData\Local\zQGK\SYSDM.CPL
          MD5

          97f7156522c9682d41c0f7412b0871d8

          SHA1

          ea0366b3837eb571204423e238c484ce0b7fd746

          SHA256

          4e41d1bf2afde3c87e99b0de89b526917ba9256cabe7fe3de0a18f9d4275b4d6

          SHA512

          a027a3784b1339fe7f29e5b7ab0f7d9eaf509d828cb005ff2ceebdcdfe259eb9b0c1e7a296894711360a54fff75a036fffc2170fe958c8b608d961d37f96b40b

          Download Submit
        • C:\Users\Admin\AppData\Local\zQGK\SystemPropertiesHardware.exe
          MD5

          c63d722641c417764247f683f9fb43be

          SHA1

          948ec61ebf241c4d80efca3efdfc33fe746e3b98

          SHA256

          4759296b421d60c80db0bb112a30425e04883900374602e13ed97f7c03a49df2

          SHA512

          7223d1c81a4785ed790ec2303d5d9d7ebcae9404d7bf173b3145e51202564de9977e94ac10ab80c6fe49b5f697af3ec70dfd922a891915e8951b5a1b5841c8be

          Download Submit
        • \Users\Admin\AppData\Local\NFe9tnl\WINSTA.dll
          MD5

          caced8d26e8dfddaaab86be9cb912dbb

          SHA1

          b6323b78d562654104cf21637809d62deeebe0c3

          SHA256

          160af40f1c235a8a783194bf77cfd8152da9df68a913d7c64fe7aa08ed5debc8

          SHA512

          c43868905b8dbbf94ac8d3464fdec0f7c4bb652a9be54e7c75a02f70059a04b20d3a53a62bcd9a712c69a97d3fd32d7817223377ae9992fc6e57d25582043054

          Download Submit
        • \Users\Admin\AppData\Local\NFe9tnl\winlogon.exe
          MD5

          1151b1baa6f350b1db6598e0fea7c457

          SHA1

          434856b834baf163c5ea4d26434eeae775a507fb

          SHA256

          b1506e0a7e826eff0f5252ef5026070c46e2235438403a9a24d73ee69c0b8a49

          SHA512

          df728d06238da1dece96f8b8d67a2423ed4dcb344b42d5958768d23bd570a79e7189e7c5ba783c1628fe8ddd1deaebeacb1b471c59c8a7c9beb21b4f1eb9edab

          Download Submit
        • \Users\Admin\AppData\Local\UiRbrXa7\rekeywiz.exe
          MD5

          767c75767b00ccfd41a547bb7b2adfff

          SHA1

          91890853a5476def402910e6507417d400c0d3cb

          SHA256

          bd70e504871a2ac1c883d19b87970c8d1b8b251c784bf777ba77ed764f5f2395

          SHA512

          f096043452a1aa213a5e4d62638de3ee4b0b3ad3d12b7ee0372d8c79e00e2e13b4fd0ebc4206bbdb5124bed292dd5b30ef1641288046ef835f89c332985154f9

          Download Submit
        • \Users\Admin\AppData\Local\UiRbrXa7\slc.dll
          MD5

          d3b2c3a62fcdb3b5cffe945f09257d28

          SHA1

          0e86cd9fb8a28d193a027a65da1ef8d2c44d0446

          SHA256

          67c1dc9ff0ff016408dce7a2bdf007af73b4ca1ebfc99cecfd9b93e5586ea86a

          SHA512

          c0c82e1b3a47a0693770af4d2a5b31c916c36f96c38d69035f7c421f35a6cd027fbfaa9f5f0352242979e0152bb8e917d8c48f86d0411e3a86982a725a6decd4

          Download Submit
        • \Users\Admin\AppData\Local\zQGK\SYSDM.CPL
          MD5

          97f7156522c9682d41c0f7412b0871d8

          SHA1

          ea0366b3837eb571204423e238c484ce0b7fd746

          SHA256

          4e41d1bf2afde3c87e99b0de89b526917ba9256cabe7fe3de0a18f9d4275b4d6

          SHA512

          a027a3784b1339fe7f29e5b7ab0f7d9eaf509d828cb005ff2ceebdcdfe259eb9b0c1e7a296894711360a54fff75a036fffc2170fe958c8b608d961d37f96b40b

          Download Submit
        • \Users\Admin\AppData\Local\zQGK\SystemPropertiesHardware.exe
          MD5

          c63d722641c417764247f683f9fb43be

          SHA1

          948ec61ebf241c4d80efca3efdfc33fe746e3b98

          SHA256

          4759296b421d60c80db0bb112a30425e04883900374602e13ed97f7c03a49df2

          SHA512

          7223d1c81a4785ed790ec2303d5d9d7ebcae9404d7bf173b3145e51202564de9977e94ac10ab80c6fe49b5f697af3ec70dfd922a891915e8951b5a1b5841c8be

          Download Submit
        • \Users\Admin\AppData\Roaming\Adobe\Flash Player\AssetCache\V2KDBBRB\pCpTbgEYZF\winlogon.exe
          MD5

          1151b1baa6f350b1db6598e0fea7c457

          SHA1

          434856b834baf163c5ea4d26434eeae775a507fb

          SHA256

          b1506e0a7e826eff0f5252ef5026070c46e2235438403a9a24d73ee69c0b8a49

          SHA512

          df728d06238da1dece96f8b8d67a2423ed4dcb344b42d5958768d23bd570a79e7189e7c5ba783c1628fe8ddd1deaebeacb1b471c59c8a7c9beb21b4f1eb9edab

          Download Submit
        • memory/800-89-0x0000000140000000-0x0000000140162000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/800-85-0x0000000000000000-mapping.dmp
          Download
        • memory/856-102-0x0000000000000000-mapping.dmp
          Download
        • memory/856-106-0x0000000140000000-0x0000000140163000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/1380-73-0x0000000140000000-0x0000000140161000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/1380-70-0x0000000140000000-0x0000000140161000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/1380-61-0x0000000140000000-0x0000000140161000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/1380-60-0x0000000140000000-0x0000000140161000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/1380-83-0x0000000077A70000-0x0000000077A72000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1380-64-0x0000000140000000-0x0000000140161000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/1380-65-0x0000000140000000-0x0000000140161000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/1380-66-0x0000000140000000-0x0000000140161000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/1380-68-0x0000000140000000-0x0000000140161000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/1380-69-0x0000000140000000-0x0000000140161000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/1380-71-0x0000000140000000-0x0000000140161000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/1380-62-0x0000000140000000-0x0000000140161000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/1380-59-0x0000000002660000-0x0000000002661000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1380-63-0x0000000140000000-0x0000000140161000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/1380-67-0x0000000140000000-0x0000000140161000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/1380-74-0x0000000140000000-0x0000000140161000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/1380-75-0x0000000140000000-0x0000000140161000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/1380-76-0x0000000140000000-0x0000000140161000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/1380-77-0x0000000140000000-0x0000000140161000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/1380-72-0x0000000140000000-0x0000000140161000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/1664-55-0x0000000140000000-0x0000000140161000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/1664-58-0x0000000000100000-0x0000000000107000-memory.dmp
          Filesize

          28KB

          Download
        • memory/1916-95-0x000007FEFC141000-0x000007FEFC143000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1916-93-0x0000000000000000-mapping.dmp
          Download