Overview

overview

10

Static

static

248f05930d...7e.dll

windows7_x64

10

248f05930d...7e.dll

windows10_x64

10

Analysis

  • max time kernel
    153s
  • max time network
    126s
  • platform
    windows10_x64
  • resource
    win10-en-20211104
  • submitted
    26-11-2021 09:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    248f05930d4cf6075a5e309d4c20c5cf422a750d52a4f7afc31fd983b9cf897e.dll

  • Size

    1.3MB

  • MD5

    a547e2f14c375de73aa013704367f35f

  • SHA1

    c29eededd89c502cb410ecb45540f935aaa3dd5d

  • SHA256

    248f05930d4cf6075a5e309d4c20c5cf422a750d52a4f7afc31fd983b9cf897e

  • SHA512

    8b470f3360dcea76e432641a127c5b487aaee7196f9b821586b8d18958485e84a834552a2ae9c252fcc315328ddca643f6b29c164e7e0f4a4857a8bb041bed4c

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\248f05930d4cf6075a5e309d4c20c5cf422a750d52a4f7afc31fd983b9cf897e.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    PID:3968
  • C:\Windows\system32\InfDefaultInstall.exe
    C:\Windows\system32\InfDefaultInstall.exe
    1⤵
      PID:4420
    • C:\Users\Admin\AppData\Local\9MbA\InfDefaultInstall.exe
      C:\Users\Admin\AppData\Local\9MbA\InfDefaultInstall.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      • Suspicious behavior: GetForegroundWindowSpam
      PID:4404
    • C:\Windows\system32\psr.exe
      C:\Windows\system32\psr.exe
      1⤵
        PID:804
      • C:\Users\Admin\AppData\Local\JIkNCL\psr.exe
        C:\Users\Admin\AppData\Local\JIkNCL\psr.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        • Suspicious behavior: GetForegroundWindowSpam
        PID:632
      • C:\Windows\system32\recdisc.exe
        C:\Windows\system32\recdisc.exe
        1⤵
          PID:3724
        • C:\Users\Admin\AppData\Local\5eB8\recdisc.exe
          C:\Users\Admin\AppData\Local\5eB8\recdisc.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          • Suspicious behavior: GetForegroundWindowSpam
          PID:3728

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Persistence

        Registry Run Keys / Startup Folder

        1
        T1060

        Privilege Escalation

        Defense Evasion

        Modify Registry

        1
        T1112

        Credential Access

        Discovery

        System Information Discovery

        1
        T1082

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\5eB8\ReAgent.dll
          MD5

          6267d6ab8e62597318e2f11688ef4825

          SHA1

          bfe598d8c69e0d7629842c837362c7751f2d1090

          SHA256

          0360cd43f62b886b1d3fbcdbdfc5f8007796b5fd9b8a3e31cd45ba46863eda90

          SHA512

          7c92cee2022e995861238a3a11d1579b2162461125e901a148073ed6da7aba4dd38aa36386d1de58786deeccbf908eeee4a41b95e362a1ef45baf023df40d2cf

          Download Submit
        • C:\Users\Admin\AppData\Local\5eB8\recdisc.exe
          MD5

          d1028c10d2c261d3470df8ff6347981b

          SHA1

          04a99956e99b8dbed380df60e0812e92685b6ca9

          SHA256

          063e57b52257fda4cfa15c98a84f3461a9fb1c9d39e6ab55eae41a793a4d852b

          SHA512

          80922e37cdfe69d5390f8a5bf8f0aab98407d40549c8972c33c6b9ef15b38962887ef4637c81c248ba7ee649bfe20f318358359140d879f7e2820e135e11a9c3

          Download Submit
        • C:\Users\Admin\AppData\Local\9MbA\InfDefaultInstall.exe
          MD5

          f6ae349f1213aea7dfe83b1292e1bb7e

          SHA1

          12023a2d08978dba0c6a701197c249751ee30e1e

          SHA256

          c374b081881eafe94338f12f9bc8288c5fe510a4fb3260cb0fd0135646dd768c

          SHA512

          0a23f91c4f6e4780c4096fae817a6753daa72b5b290f6be0593ef055f4149fc2294e35661adf75f529c5b72801062e8fb46f4fccd83dbea7603f6e6a4aefee74

          Download Submit
        • C:\Users\Admin\AppData\Local\9MbA\newdev.dll
          MD5

          1c3651083aff69064d36bafef35d5ea1

          SHA1

          9b773850f047cbd610268b52f0276882e9d93396

          SHA256

          08f6b695b3eacb88fb11b47813f3745e929507acd6241e29675f2f42e6607d0d

          SHA512

          7c93818630ef5a1bc7ce6ec99982050a0c610f584d995932d20694360154e1a266d492197dfb459b47dbb05bb6b048ca3c70af8d6c224217b8d1568c4297a820

          Download Submit
        • C:\Users\Admin\AppData\Local\JIkNCL\XmlLite.dll
          MD5

          fe28d4bf041b92d64083dd702ea55534

          SHA1

          0f73d4f4cb8d7484af5cf46f4b5cbf658fcd2dd3

          SHA256

          55210dec835f222b06e7acf852340eff8291053769213d3072ac2a83ee2ebf0c

          SHA512

          a7fbadf2d3a5de79f19edd9630303c9689d987b2ed79d06c3ea67251135472c1d5538c0282a89f96ff4b9d0e0ba8ea67b1cd3b5053464e6b5ed0ddd34473690a

          Download Submit
        • C:\Users\Admin\AppData\Local\JIkNCL\psr.exe
          MD5

          264a61b365dd314f3c82d1efba60fe17

          SHA1

          9a778a13f5e85d7c5bf2e21ceb398ae0a4300ffa

          SHA256

          880fafbd4087442964a7780331a0e8dd43b78e2106e9df545f0432d4aa15ce93

          SHA512

          9b26021b49ed0f8cfb05d9c8f5e0cec7beaebe9ee14acfc3237cec1255bb9e6a4f5f7a6b902f3d561bbbac7489f64e5a39f498261eef7e93178be97f9cc15e3c

          Download Submit
        • \Users\Admin\AppData\Local\5eB8\ReAgent.dll
          MD5

          6267d6ab8e62597318e2f11688ef4825

          SHA1

          bfe598d8c69e0d7629842c837362c7751f2d1090

          SHA256

          0360cd43f62b886b1d3fbcdbdfc5f8007796b5fd9b8a3e31cd45ba46863eda90

          SHA512

          7c92cee2022e995861238a3a11d1579b2162461125e901a148073ed6da7aba4dd38aa36386d1de58786deeccbf908eeee4a41b95e362a1ef45baf023df40d2cf

          Download Submit
        • \Users\Admin\AppData\Local\9MbA\newdev.dll
          MD5

          1c3651083aff69064d36bafef35d5ea1

          SHA1

          9b773850f047cbd610268b52f0276882e9d93396

          SHA256

          08f6b695b3eacb88fb11b47813f3745e929507acd6241e29675f2f42e6607d0d

          SHA512

          7c93818630ef5a1bc7ce6ec99982050a0c610f584d995932d20694360154e1a266d492197dfb459b47dbb05bb6b048ca3c70af8d6c224217b8d1568c4297a820

          Download Submit
        • \Users\Admin\AppData\Local\JIkNCL\XmlLite.dll
          MD5

          fe28d4bf041b92d64083dd702ea55534

          SHA1

          0f73d4f4cb8d7484af5cf46f4b5cbf658fcd2dd3

          SHA256

          55210dec835f222b06e7acf852340eff8291053769213d3072ac2a83ee2ebf0c

          SHA512

          a7fbadf2d3a5de79f19edd9630303c9689d987b2ed79d06c3ea67251135472c1d5538c0282a89f96ff4b9d0e0ba8ea67b1cd3b5053464e6b5ed0ddd34473690a

          Download Submit
        • memory/632-167-0x000001AE15CE0000-0x000001AE15CE2000-memory.dmp
          Filesize

          8KB

          Download
        • memory/632-160-0x0000000000000000-mapping.dmp
          Download
        • memory/632-168-0x000001AE15CE0000-0x000001AE15CE2000-memory.dmp
          Filesize

          8KB

          Download
        • memory/632-169-0x000001AE15CE0000-0x000001AE15CE2000-memory.dmp
          Filesize

          8KB

          Download
        • memory/2416-132-0x0000000140000000-0x0000000140156000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/2416-125-0x0000000140000000-0x0000000140156000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/2416-134-0x0000000140000000-0x0000000140156000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/2416-136-0x0000000140000000-0x0000000140156000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/2416-137-0x0000000140000000-0x0000000140156000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/2416-138-0x0000000140000000-0x0000000140156000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/2416-139-0x0000000140000000-0x0000000140156000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/2416-145-0x0000000000940000-0x0000000000942000-memory.dmp
          Filesize

          8KB

          Download
        • memory/2416-146-0x0000000000940000-0x0000000000942000-memory.dmp
          Filesize

          8KB

          Download
        • memory/2416-147-0x00007FFB741F5000-0x00007FFB741F6000-memory.dmp
          Filesize

          4KB

          Download
        • memory/2416-148-0x0000000000940000-0x0000000000942000-memory.dmp
          Filesize

          8KB

          Download
        • memory/2416-149-0x00007FFB74140000-0x00007FFB74150000-memory.dmp
          Filesize

          64KB

          Download
        • memory/2416-180-0x0000000000940000-0x0000000000942000-memory.dmp
          Filesize

          8KB

          Download
        • memory/2416-133-0x0000000140000000-0x0000000140156000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/2416-124-0x0000000000900000-0x0000000000901000-memory.dmp
          Filesize

          4KB

          Download
        • memory/2416-131-0x0000000140000000-0x0000000140156000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/2416-135-0x0000000140000000-0x0000000140156000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/2416-126-0x0000000140000000-0x0000000140156000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/2416-127-0x0000000140000000-0x0000000140156000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/2416-128-0x0000000140000000-0x0000000140156000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/2416-130-0x0000000140000000-0x0000000140156000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/2416-129-0x0000000140000000-0x0000000140156000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/3728-177-0x0000018A2DE70000-0x0000018A2DE72000-memory.dmp
          Filesize

          8KB

          Download
        • memory/3728-170-0x0000000000000000-mapping.dmp
          Download
        • memory/3728-178-0x0000018A2DE70000-0x0000018A2DE72000-memory.dmp
          Filesize

          8KB

          Download
        • memory/3728-179-0x0000018A2DE70000-0x0000018A2DE72000-memory.dmp
          Filesize

          8KB

          Download
        • memory/3968-118-0x0000000140000000-0x0000000140156000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/3968-123-0x0000027145DB0000-0x0000027145DB7000-memory.dmp
          Filesize

          28KB

          Download
        • memory/3968-122-0x0000027145DC0000-0x0000027145DC2000-memory.dmp
          Filesize

          8KB

          Download
        • memory/3968-121-0x0000027145DC0000-0x0000027145DC2000-memory.dmp
          Filesize

          8KB

          Download
        • memory/4404-158-0x00000177E0F20000-0x00000177E0F22000-memory.dmp
          Filesize

          8KB

          Download
        • memory/4404-157-0x00000177E0F20000-0x00000177E0F22000-memory.dmp
          Filesize

          8KB

          Download
        • memory/4404-154-0x0000000140000000-0x0000000140157000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/4404-159-0x00000177E0F20000-0x00000177E0F22000-memory.dmp
          Filesize

          8KB

          Download
        • memory/4404-150-0x0000000000000000-mapping.dmp
          Download