Overview

overview

10

Static

static

dd7c2b5ccd...6e.dll

windows7_x64

10

dd7c2b5ccd...6e.dll

windows10_x64

10

Analysis

  • max time kernel
    154s
  • max time network
    134s
  • platform
    windows10_x64
  • resource
    win10-en-20211014
  • submitted
    26-11-2021 09:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    dd7c2b5ccd52a609e2ec3dd4d2ff6b83c6f16eb1c5f6fb14a918fdc733b6f76e.dll

  • Size

    1.3MB

  • MD5

    bee8470b921740735b0f08302fdc378f

  • SHA1

    a82e32a58f122d3bca865982febdc8b4e5fda106

  • SHA256

    dd7c2b5ccd52a609e2ec3dd4d2ff6b83c6f16eb1c5f6fb14a918fdc733b6f76e

  • SHA512

    840eb8a269191cfc7b977ca64d3b15d91ab3d5b3bc0a75e1b8d481231f631cfaa36c7c991b5ca3e0d30cdd340bbd71467be8ec076674c092237dcd548011033f

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 5 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\dd7c2b5ccd52a609e2ec3dd4d2ff6b83c6f16eb1c5f6fb14a918fdc733b6f76e.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    PID:2648
  • C:\Windows\system32\sigverif.exe
    C:\Windows\system32\sigverif.exe
    1⤵
      PID:2248
    • C:\Users\Admin\AppData\Local\lousy\sigverif.exe
      C:\Users\Admin\AppData\Local\lousy\sigverif.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      • Suspicious behavior: GetForegroundWindowSpam
      PID:3716
    • C:\Windows\system32\printfilterpipelinesvc.exe
      C:\Windows\system32\printfilterpipelinesvc.exe
      1⤵
        PID:3160
      • C:\Users\Admin\AppData\Local\YsSwA\printfilterpipelinesvc.exe
        C:\Users\Admin\AppData\Local\YsSwA\printfilterpipelinesvc.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        • Suspicious behavior: GetForegroundWindowSpam
        PID:3852
      • C:\Windows\system32\PasswordOnWakeSettingFlyout.exe
        C:\Windows\system32\PasswordOnWakeSettingFlyout.exe
        1⤵
          PID:3900
        • C:\Users\Admin\AppData\Local\Qm56\PasswordOnWakeSettingFlyout.exe
          C:\Users\Admin\AppData\Local\Qm56\PasswordOnWakeSettingFlyout.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          • Suspicious behavior: GetForegroundWindowSpam
          PID:2748

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Persistence

        Registry Run Keys / Startup Folder

        1
        T1060

        Privilege Escalation

        Defense Evasion

        Modify Registry

        1
        T1112

        Credential Access

        Discovery

        System Information Discovery

        1
        T1082

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Qm56\PasswordOnWakeSettingFlyout.exe
          MD5

          a81fed73da02db15df427da1cd5f4141

          SHA1

          f831fc6377a6264be621e23635f22b437129b2ce

          SHA256

          1afed5b9302a4a4669ac7f966b7cf9fcaab037e94a0b3cabea3631055c97d3a5

          SHA512

          3c4541160f0f69d1c3a9dc4e67643864493eadb0450426f7f323d87fa7b0c81d96ef2201d33b3421a307171274615e90d4ee8bd07107ff4f75beedec0a2bf156

          Download Submit
        • C:\Users\Admin\AppData\Local\Qm56\UxTheme.dll
          MD5

          5ba7f2c9838c1c3f143ca5c97e6b290c

          SHA1

          a2695649fddfa440c40042df29ced601377a3a47

          SHA256

          8a2731ddcf2b4358d4c0478ed02d34778b0bb0b54bc2d2df7e263a14a590b9d5

          SHA512

          ea83a293ad1523e29c07d22064408d2dc9bfc4a17efd4a42a0ed50706d0052ef28f299494a4f09166538cc4759959be350452ade703034e22d416d0ffb819330

          Download Submit
        • C:\Users\Admin\AppData\Local\YsSwA\XmlLite.dll
          MD5

          d0a4307cb57a64d2e825abad91c1cc25

          SHA1

          309175175d6c83e8c6175a99c472798ef9dbfa45

          SHA256

          5bdd1efc1a7c916c37bc08ca74bde031007c21f74456e1b9d8241557848a7d2c

          SHA512

          c98d7212a7cef142bb49705ecd731a42dd39463bd0992217f5e6741d9869413ced57104c0a9e6f09b2de42c5c70022c64d08ee6775e2a17a1e492bd218a2c50e

          Download Submit
        • C:\Users\Admin\AppData\Local\YsSwA\printfilterpipelinesvc.exe
          MD5

          3f759db69d6016c286bd25f10e4b6e0c

          SHA1

          e2243c1e27b9a0b68e550e1775aa75f3bafd5286

          SHA256

          eeb432af61d3157153cc6683ae4ffbb44b306ed0b980911be2891358048dc7c7

          SHA512

          67f0cf128a048139b5ceb0b6fb88498076b60d5822fe807fe1ab0d1856e74096d3625cb824a80066b6a27ae0929c44164fc6e8e56cfc18b04e25ebcd51d948ac

          Download Submit
        • C:\Users\Admin\AppData\Local\lousy\VERSION.dll
          MD5

          7725f5a782dacf9d7b9c631fe135d7de

          SHA1

          fef88b1d30d6b0a34ed1d8206e1ed627eceba0d8

          SHA256

          f78b2e2aeea2276c31b7bdd6f563e701865c775d0d55dfdb4872cfbdb49db8ef

          SHA512

          46d4deab7e94cba09cd8d14477c1e99828a9c52b93892361df2994fcde6acbb53eb23c513f73b3b4492f9f1c636640a13783105dca74c633a6510e6ed21f3dd5

          Download Submit
        • C:\Users\Admin\AppData\Local\lousy\sigverif.exe
          MD5

          92f7917624a4349f7b6041d08ae29714

          SHA1

          eac68bc72ed4d8634a59a1a37faefa4f8327bd2f

          SHA256

          a57403e41c7178403981cd384f6096f12092dee68d3dfbd92f94661f613dfcab

          SHA512

          20eb8366a8285a7d19a8d860038364a625b9b7de5e9d87ed59d2580ab4d5658b6d09d9220f6b0a6291151145373f3e0ff8ac46609c6b4a4aafecc8f2670ac56d

          Download Submit
        • \Users\Admin\AppData\Local\Qm56\UxTheme.dll
          MD5

          5ba7f2c9838c1c3f143ca5c97e6b290c

          SHA1

          a2695649fddfa440c40042df29ced601377a3a47

          SHA256

          8a2731ddcf2b4358d4c0478ed02d34778b0bb0b54bc2d2df7e263a14a590b9d5

          SHA512

          ea83a293ad1523e29c07d22064408d2dc9bfc4a17efd4a42a0ed50706d0052ef28f299494a4f09166538cc4759959be350452ade703034e22d416d0ffb819330

          Download Submit
        • \Users\Admin\AppData\Local\YsSwA\XmlLite.dll
          MD5

          d0a4307cb57a64d2e825abad91c1cc25

          SHA1

          309175175d6c83e8c6175a99c472798ef9dbfa45

          SHA256

          5bdd1efc1a7c916c37bc08ca74bde031007c21f74456e1b9d8241557848a7d2c

          SHA512

          c98d7212a7cef142bb49705ecd731a42dd39463bd0992217f5e6741d9869413ced57104c0a9e6f09b2de42c5c70022c64d08ee6775e2a17a1e492bd218a2c50e

          Download Submit
        • \Users\Admin\AppData\Local\lousy\VERSION.dll
          MD5

          7725f5a782dacf9d7b9c631fe135d7de

          SHA1

          fef88b1d30d6b0a34ed1d8206e1ed627eceba0d8

          SHA256

          f78b2e2aeea2276c31b7bdd6f563e701865c775d0d55dfdb4872cfbdb49db8ef

          SHA512

          46d4deab7e94cba09cd8d14477c1e99828a9c52b93892361df2994fcde6acbb53eb23c513f73b3b4492f9f1c636640a13783105dca74c633a6510e6ed21f3dd5

          Download Submit
        • memory/2648-120-0x000002256E130000-0x000002256E137000-memory.dmp
          Filesize

          28KB

          Download
        • memory/2648-119-0x000002256E140000-0x000002256E142000-memory.dmp
          Filesize

          8KB

          Download
        • memory/2648-118-0x000002256E140000-0x000002256E142000-memory.dmp
          Filesize

          8KB

          Download
        • memory/2648-115-0x0000000140000000-0x0000000140154000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/2748-177-0x0000020433F80000-0x0000020433F82000-memory.dmp
          Filesize

          8KB

          Download
        • memory/2748-170-0x0000000000000000-mapping.dmp
          Download
        • memory/2748-178-0x0000020433F80000-0x0000020433F82000-memory.dmp
          Filesize

          8KB

          Download
        • memory/2748-179-0x0000020433F80000-0x0000020433F82000-memory.dmp
          Filesize

          8KB

          Download
        • memory/3056-146-0x00000000005C0000-0x00000000005C2000-memory.dmp
          Filesize

          8KB

          Download
        • memory/3056-121-0x00000000005B0000-0x00000000005B1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3056-136-0x0000000140000000-0x0000000140154000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/3056-137-0x0000000140000000-0x0000000140154000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/3056-138-0x0000000140000000-0x0000000140154000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/3056-139-0x0000000140000000-0x0000000140154000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/3056-145-0x00000000005C0000-0x00000000005C2000-memory.dmp
          Filesize

          8KB

          Download
        • memory/3056-134-0x0000000140000000-0x0000000140154000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/3056-147-0x00007FFFA0495000-0x00007FFFA0496000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3056-148-0x00000000005C0000-0x00000000005C2000-memory.dmp
          Filesize

          8KB

          Download
        • memory/3056-149-0x00007FFFA05D0000-0x00007FFFA05D2000-memory.dmp
          Filesize

          8KB

          Download
        • memory/3056-127-0x0000000140000000-0x0000000140154000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/3056-133-0x0000000140000000-0x0000000140154000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/3056-132-0x0000000140000000-0x0000000140154000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/3056-131-0x0000000140000000-0x0000000140154000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/3056-122-0x0000000140000000-0x0000000140154000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/3056-123-0x0000000140000000-0x0000000140154000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/3056-135-0x0000000140000000-0x0000000140154000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/3056-124-0x0000000140000000-0x0000000140154000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/3056-130-0x0000000140000000-0x0000000140154000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/3056-125-0x0000000140000000-0x0000000140154000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/3056-129-0x0000000140000000-0x0000000140154000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/3056-128-0x0000000140000000-0x0000000140154000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/3056-126-0x0000000140000000-0x0000000140154000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/3716-158-0x000002D1DC7F0000-0x000002D1DC7F2000-memory.dmp
          Filesize

          8KB

          Download
        • memory/3716-159-0x000002D1DC7F0000-0x000002D1DC7F2000-memory.dmp
          Filesize

          8KB

          Download
        • memory/3716-157-0x000002D1DC7F0000-0x000002D1DC7F2000-memory.dmp
          Filesize

          8KB

          Download
        • memory/3716-154-0x0000000140000000-0x0000000140155000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/3716-150-0x0000000000000000-mapping.dmp
          Download
        • memory/3852-169-0x000002C81DBE0000-0x000002C81DBE2000-memory.dmp
          Filesize

          8KB

          Download
        • memory/3852-168-0x000002C81DBE0000-0x000002C81DBE2000-memory.dmp
          Filesize

          8KB

          Download
        • memory/3852-167-0x000002C81DBE0000-0x000002C81DBE2000-memory.dmp
          Filesize

          8KB

          Download
        • memory/3852-160-0x0000000000000000-mapping.dmp
          Download