Overview

overview

10

Static

static

96de5810e9...af.dll

windows7_x64

10

96de5810e9...af.dll

windows10_x64

10

Analysis

  • max time kernel
    151s
  • max time network
    128s
  • platform
    windows10_x64
  • resource
    win10-en-20211104
  • submitted
    26-11-2021 09:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    96de5810e971a8db608ef7932e4fe14a7fd9c48cf630df5b46f75ab9d60cedaf.dll

  • Size

    1.4MB

  • MD5

    310ff2d4c32854b9bdbcc78fbcb58bcc

  • SHA1

    b85029ce9032492b65d29e10e8686b17b23eda8b

  • SHA256

    96de5810e971a8db608ef7932e4fe14a7fd9c48cf630df5b46f75ab9d60cedaf

  • SHA512

    8d755fd88063723b3dffbe35d997b9fffe8768e4d9e631da2175c36944704d11ccdda04211a14bb84f2b86a40a97d15272fcbef1c233d3e13cb9a55d3a199667

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\96de5810e971a8db608ef7932e4fe14a7fd9c48cf630df5b46f75ab9d60cedaf.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:3652
  • C:\Windows\system32\SystemPropertiesComputerName.exe
    C:\Windows\system32\SystemPropertiesComputerName.exe
    1⤵
      PID:4340
    • C:\Users\Admin\AppData\Local\IPEf\SystemPropertiesComputerName.exe
      C:\Users\Admin\AppData\Local\IPEf\SystemPropertiesComputerName.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      • Suspicious behavior: EnumeratesProcesses
      PID:4328
    • C:\Windows\system32\slui.exe
      C:\Windows\system32\slui.exe
      1⤵
        PID:4432
      • C:\Users\Admin\AppData\Local\JaQf\slui.exe
        C:\Users\Admin\AppData\Local\JaQf\slui.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:4416
      • C:\Windows\system32\MDMAppInstaller.exe
        C:\Windows\system32\MDMAppInstaller.exe
        1⤵
          PID:4588
        • C:\Users\Admin\AppData\Local\15TTOLu2\MDMAppInstaller.exe
          C:\Users\Admin\AppData\Local\15TTOLu2\MDMAppInstaller.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1000

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Persistence

        Registry Run Keys / Startup Folder

        1
        T1060

        Privilege Escalation

        Defense Evasion

        Modify Registry

        1
        T1112

        Credential Access

        Discovery

        System Information Discovery

        1
        T1082

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\15TTOLu2\MDMAppInstaller.exe
          MD5

          4dd62f5c80e61f360e4178e64bdd9eb2

          SHA1

          0bb999e6fcf480e135f0c2f548beac45bf8388f9

          SHA256

          9487e1da940889f7144de063e6999d1a76a1b93be195ea4f9d32be765e5eba99

          SHA512

          a3bb8133a23680f44e06f7b8c3bcb3630103cde12e21cae3a1292633ffc51cc07f1a220774b85fc8021424e668f2518c6b8ddc0df3a5e4dd10d21e16c7a7091e

          Download Submit
        • C:\Users\Admin\AppData\Local\15TTOLu2\WTSAPI32.dll
          MD5

          fc4642335a6a936b110afb92d7ba54b9

          SHA1

          aa16b747e20c3404e894c293e891134f42b8550b

          SHA256

          ea79e4c66f847a63108e42439b9a86bad76175187fccb612b9684fa35757268d

          SHA512

          0d2124721e220deb0a1d8db011dd5c7e8c7aa13f98eee2fef53b22fe2a2500b669b38ef5997b2af2d3b9e09568c5115ef02ec5ce46f595ec473e0ba6f7072730

          Download Submit
        • C:\Users\Admin\AppData\Local\IPEf\SYSDM.CPL
          MD5

          574ec9b0901f4cabddb2e5dd64b884e7

          SHA1

          e3b7c2d9c517fcb7816880b8796e7e8a3695001c

          SHA256

          70fe97f531d442563706e09cf0b2366999eef05ec6c2e5f8d585088040a7c3f4

          SHA512

          4d3da4ed224be0de7516261aecb9d64c163dd2fe529f1936948fdd4ef1047ddf908d933c8a20e99c929bc68230c0e8ad291258cad28ceeea93f18706b5274df3

          Download Submit
        • C:\Users\Admin\AppData\Local\IPEf\SystemPropertiesComputerName.exe
          MD5

          d2d62d055f517f71b0fd9a649727ff6c

          SHA1

          43f627215d57e0396ad74e9b0ed4bd29f60fca33

          SHA256

          222d3d4f7c8f64beb0a0007120b4411c2040c50e1d376420228151bdd230fe7d

          SHA512

          f46e02a465425a148fcd4be5fda0889c412eeab4c50abf9874b3ee02af83c96403167c99aa57961e1c631a5a7a5070e8a1c363688581ff83ed176b4206564cd0

          Download Submit
        • C:\Users\Admin\AppData\Local\JaQf\WTSAPI32.dll
          MD5

          fb5c3c493d5bd6910a2ff6afb00dd734

          SHA1

          c7118fd687ada564f8ff1dacd11108f4eed35a88

          SHA256

          7264e66339cb54175057b21969c01974297f394c18d20f1dd218e9d1c8dd38f7

          SHA512

          c5687802cfa0337c640238d0c99a004793e7df7902a54c7c4544083237371e0d77333b881db20591fcaf0a5cfb3e43eb97106a315d3a2aeebba275640d4058b4

          Download Submit
        • C:\Users\Admin\AppData\Local\JaQf\slui.exe
          MD5

          f162f859fb38a39f83c049f5480c11eb

          SHA1

          4090dacb56dbff6a5306e13ff5fa157eca4714a9

          SHA256

          67daef4a468f00305a44e41b369890fc0d6ed41c509432c6b1402caa1b09b7c5

          SHA512

          73a7ba851b560caf0a4150ff192c02bcac5475de2f265430e079ce1a20dc25b0f86873bc1dc4db0fc660031aa7c32d03a941ada8afc0bc91c63fb2e9ed8e0d80

          Download Submit
        • \Users\Admin\AppData\Local\15TTOLu2\WTSAPI32.dll
          MD5

          fc4642335a6a936b110afb92d7ba54b9

          SHA1

          aa16b747e20c3404e894c293e891134f42b8550b

          SHA256

          ea79e4c66f847a63108e42439b9a86bad76175187fccb612b9684fa35757268d

          SHA512

          0d2124721e220deb0a1d8db011dd5c7e8c7aa13f98eee2fef53b22fe2a2500b669b38ef5997b2af2d3b9e09568c5115ef02ec5ce46f595ec473e0ba6f7072730

          Download Submit
        • \Users\Admin\AppData\Local\IPEf\SYSDM.CPL
          MD5

          574ec9b0901f4cabddb2e5dd64b884e7

          SHA1

          e3b7c2d9c517fcb7816880b8796e7e8a3695001c

          SHA256

          70fe97f531d442563706e09cf0b2366999eef05ec6c2e5f8d585088040a7c3f4

          SHA512

          4d3da4ed224be0de7516261aecb9d64c163dd2fe529f1936948fdd4ef1047ddf908d933c8a20e99c929bc68230c0e8ad291258cad28ceeea93f18706b5274df3

          Download Submit
        • \Users\Admin\AppData\Local\JaQf\WTSAPI32.dll
          MD5

          fb5c3c493d5bd6910a2ff6afb00dd734

          SHA1

          c7118fd687ada564f8ff1dacd11108f4eed35a88

          SHA256

          7264e66339cb54175057b21969c01974297f394c18d20f1dd218e9d1c8dd38f7

          SHA512

          c5687802cfa0337c640238d0c99a004793e7df7902a54c7c4544083237371e0d77333b881db20591fcaf0a5cfb3e43eb97106a315d3a2aeebba275640d4058b4

          Download Submit
        • memory/1000-184-0x0000000000000000-mapping.dmp
          Download
        • memory/1000-188-0x00007FFAA75F0000-0x00007FFAA774B000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/1000-192-0x000001E1E6A50000-0x000001E1E6A52000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1000-193-0x000001E1E6A50000-0x000001E1E6A52000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1000-194-0x000001E1E6A50000-0x000001E1E6A52000-memory.dmp
          Filesize

          8KB

          Download
        • memory/3032-151-0x0000000140000000-0x000000014015A000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/3032-135-0x0000000140000000-0x000000014015A000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/3032-137-0x0000000140000000-0x000000014015A000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/3032-138-0x0000000140000000-0x000000014015A000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/3032-139-0x0000000140000000-0x000000014015A000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/3032-140-0x0000000140000000-0x000000014015A000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/3032-141-0x0000000140000000-0x000000014015A000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/3032-142-0x0000000140000000-0x000000014015A000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/3032-143-0x0000000140000000-0x000000014015A000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/3032-144-0x0000000140000000-0x000000014015A000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/3032-145-0x0000000140000000-0x000000014015A000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/3032-146-0x0000000140000000-0x000000014015A000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/3032-147-0x0000000140000000-0x000000014015A000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/3032-148-0x0000000140000000-0x000000014015A000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/3032-149-0x0000000140000000-0x000000014015A000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/3032-150-0x0000000140000000-0x000000014015A000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/3032-125-0x00000000009B0000-0x00000000009B1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3032-152-0x0000000140000000-0x000000014015A000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/3032-157-0x00000000009E0000-0x00000000009E2000-memory.dmp
          Filesize

          8KB

          Download
        • memory/3032-158-0x00000000009E0000-0x00000000009E2000-memory.dmp
          Filesize

          8KB

          Download
        • memory/3032-159-0x00007FFABC125000-0x00007FFABC126000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3032-160-0x00000000009E0000-0x00000000009E2000-memory.dmp
          Filesize

          8KB

          Download
        • memory/3032-161-0x00007FFABC260000-0x00007FFABC262000-memory.dmp
          Filesize

          8KB

          Download
        • memory/3032-136-0x0000000140000000-0x000000014015A000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/3032-133-0x0000000140000000-0x000000014015A000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/3032-127-0x0000000140000000-0x000000014015A000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/3032-134-0x0000000140000000-0x000000014015A000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/3032-126-0x0000000140000000-0x000000014015A000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/3032-128-0x0000000140000000-0x000000014015A000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/3032-129-0x0000000140000000-0x000000014015A000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/3032-130-0x0000000140000000-0x000000014015A000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/3032-131-0x0000000140000000-0x000000014015A000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/3032-132-0x0000000140000000-0x000000014015A000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/3652-118-0x00007FFAAE310000-0x00007FFAAE46A000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/3652-122-0x000002C81C190000-0x000002C81C192000-memory.dmp
          Filesize

          8KB

          Download
        • memory/3652-123-0x000002C81C190000-0x000002C81C192000-memory.dmp
          Filesize

          8KB

          Download
        • memory/3652-124-0x000002C81C180000-0x000002C81C187000-memory.dmp
          Filesize

          28KB

          Download
        • memory/4328-171-0x0000029026F30000-0x0000029026F32000-memory.dmp
          Filesize

          8KB

          Download
        • memory/4328-172-0x0000029026F30000-0x0000029026F32000-memory.dmp
          Filesize

          8KB

          Download
        • memory/4328-166-0x00007FFAAE310000-0x00007FFAAE46B000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/4328-162-0x0000000000000000-mapping.dmp
          Download
        • memory/4328-170-0x0000029026F30000-0x0000029026F32000-memory.dmp
          Filesize

          8KB

          Download
        • memory/4416-173-0x0000000000000000-mapping.dmp
          Download
        • memory/4416-182-0x0000016EFD5F0000-0x0000016EFD5F2000-memory.dmp
          Filesize

          8KB

          Download
        • memory/4416-183-0x0000016EFD5F0000-0x0000016EFD5F2000-memory.dmp
          Filesize

          8KB

          Download
        • memory/4416-181-0x0000016EFD5F0000-0x0000016EFD5F2000-memory.dmp
          Filesize

          8KB

          Download