Overview

overview

10

Static

static

31a694cd04...56.dll

windows7_x64

10

31a694cd04...56.dll

windows10_x64

10

Analysis

  • max time kernel
    153s
  • max time network
    129s
  • platform
    windows10_x64
  • resource
    win10-en-20211014
  • submitted
    26-11-2021 09:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    31a694cd04044831b2125f6cf16bc9dd342aee9ea89181e1aa302c82951cd956.dll

  • Size

    1.3MB

  • MD5

    d6d2b7aa9232eeda14644138ddbc6569

  • SHA1

    6b419ed314f2bc61d236344b4cf302f0e9f2c237

  • SHA256

    31a694cd04044831b2125f6cf16bc9dd342aee9ea89181e1aa302c82951cd956

  • SHA512

    1a8fc090d443475b0a90d5b1aebe0d0e06f3caa3fef851df95070649de7a93c033519afe8df3f56984261b4db46b38b1e008a085e058e78a02ee274d7e45fc14

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\31a694cd04044831b2125f6cf16bc9dd342aee9ea89181e1aa302c82951cd956.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:4204
  • C:\Windows\system32\printfilterpipelinesvc.exe
    C:\Windows\system32\printfilterpipelinesvc.exe
    1⤵
      PID:2452
    • C:\Users\Admin\AppData\Local\Wv0Pz\printfilterpipelinesvc.exe
      C:\Users\Admin\AppData\Local\Wv0Pz\printfilterpipelinesvc.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      • Suspicious behavior: EnumeratesProcesses
      PID:1020
    • C:\Windows\system32\PasswordOnWakeSettingFlyout.exe
      C:\Windows\system32\PasswordOnWakeSettingFlyout.exe
      1⤵
        PID:792
      • C:\Users\Admin\AppData\Local\qN5uEva2W\PasswordOnWakeSettingFlyout.exe
        C:\Users\Admin\AppData\Local\qN5uEva2W\PasswordOnWakeSettingFlyout.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:816
      • C:\Windows\system32\rstrui.exe
        C:\Windows\system32\rstrui.exe
        1⤵
          PID:1216
        • C:\Users\Admin\AppData\Local\6gDogr\rstrui.exe
          C:\Users\Admin\AppData\Local\6gDogr\rstrui.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1316

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Persistence

        Registry Run Keys / Startup Folder

        1
        T1060

        Privilege Escalation

        Defense Evasion

        Modify Registry

        1
        T1112

        Credential Access

        Discovery

        System Information Discovery

        1
        T1082

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\6gDogr\SRCORE.dll
          MD5

          2178ef19417e49ad87c56bfe720fe71e

          SHA1

          33658c4fcac301a561fd9e9c0ab55e0932e0572c

          SHA256

          31d89ab3ba7b5acf91ec2fb295160c8c30d418f5cb5f9c3188c44ec9200aafa7

          SHA512

          2d9210197d8d7216ba61dde7fbb5f5854d62ba48840d35bf94c813e8d6c4634b3cad8e956df28a794fdde0e6249a97198861a9803258958cd53003f3089320b5

          Download Submit
        • C:\Users\Admin\AppData\Local\6gDogr\rstrui.exe
          MD5

          c0167cf19678a97a78a675ef18b7fc85

          SHA1

          f7589dcdff216ca879dba1d68764b2cf69652d3b

          SHA256

          b1aacd2735f524f8460c031a4f66e78fb09cffbc7350fac5695d448a287fb7cb

          SHA512

          f71ca6d233784312dce0e5867d2710de40c738bb567aac212ccd78804176ac51b9ae82bc2ba0498cdd24893f3d3fa6cfddd0d7a9d2c1bd9148916961d6ee0c44

          Download Submit
        • C:\Users\Admin\AppData\Local\Wv0Pz\XmlLite.dll
          MD5

          460fc7d74f130a1069aaa54a4e207452

          SHA1

          0d6c57c27e667eb9f5a9f7884eb6dadf057ffbe2

          SHA256

          b6f18b96fa29906b7a3066755ec7db26377e5656f401029c9382aedcfa7e066d

          SHA512

          f16818239bf873444a9d29039556608dc1806e6fd4c7b9b6abdb357fa91d50cd888ae45b0fe3f73f016dec58df26fb5ed994c0f17fbf5e73f4fa32f373446c91

          Download Submit
        • C:\Users\Admin\AppData\Local\Wv0Pz\printfilterpipelinesvc.exe
          MD5

          3f759db69d6016c286bd25f10e4b6e0c

          SHA1

          e2243c1e27b9a0b68e550e1775aa75f3bafd5286

          SHA256

          eeb432af61d3157153cc6683ae4ffbb44b306ed0b980911be2891358048dc7c7

          SHA512

          67f0cf128a048139b5ceb0b6fb88498076b60d5822fe807fe1ab0d1856e74096d3625cb824a80066b6a27ae0929c44164fc6e8e56cfc18b04e25ebcd51d948ac

          Download Submit
        • C:\Users\Admin\AppData\Local\qN5uEva2W\DUI70.dll
          MD5

          6aca2ec183e2e854a582922299d23e61

          SHA1

          7062e4d5ec70561dd06b664867be3240a9f8039d

          SHA256

          a69b440fc6357742ab9b7da11cd8c12a343f5971c9bff036a072ea166e76e477

          SHA512

          21cb7096d8812011891e9c6a38aec11d7e80782914bae24ecd5af3572b671f8d51e68b2887b702758cd4ae5076b23c6b4990460fe4241a16316306f71722ca52

          Download Submit
        • C:\Users\Admin\AppData\Local\qN5uEva2W\PasswordOnWakeSettingFlyout.exe
          MD5

          a81fed73da02db15df427da1cd5f4141

          SHA1

          f831fc6377a6264be621e23635f22b437129b2ce

          SHA256

          1afed5b9302a4a4669ac7f966b7cf9fcaab037e94a0b3cabea3631055c97d3a5

          SHA512

          3c4541160f0f69d1c3a9dc4e67643864493eadb0450426f7f323d87fa7b0c81d96ef2201d33b3421a307171274615e90d4ee8bd07107ff4f75beedec0a2bf156

          Download Submit
        • \Users\Admin\AppData\Local\6gDogr\SRCORE.dll
          MD5

          2178ef19417e49ad87c56bfe720fe71e

          SHA1

          33658c4fcac301a561fd9e9c0ab55e0932e0572c

          SHA256

          31d89ab3ba7b5acf91ec2fb295160c8c30d418f5cb5f9c3188c44ec9200aafa7

          SHA512

          2d9210197d8d7216ba61dde7fbb5f5854d62ba48840d35bf94c813e8d6c4634b3cad8e956df28a794fdde0e6249a97198861a9803258958cd53003f3089320b5

          Download Submit
        • \Users\Admin\AppData\Local\Wv0Pz\XmlLite.dll
          MD5

          460fc7d74f130a1069aaa54a4e207452

          SHA1

          0d6c57c27e667eb9f5a9f7884eb6dadf057ffbe2

          SHA256

          b6f18b96fa29906b7a3066755ec7db26377e5656f401029c9382aedcfa7e066d

          SHA512

          f16818239bf873444a9d29039556608dc1806e6fd4c7b9b6abdb357fa91d50cd888ae45b0fe3f73f016dec58df26fb5ed994c0f17fbf5e73f4fa32f373446c91

          Download Submit
        • \Users\Admin\AppData\Local\qN5uEva2W\DUI70.dll
          MD5

          6aca2ec183e2e854a582922299d23e61

          SHA1

          7062e4d5ec70561dd06b664867be3240a9f8039d

          SHA256

          a69b440fc6357742ab9b7da11cd8c12a343f5971c9bff036a072ea166e76e477

          SHA512

          21cb7096d8812011891e9c6a38aec11d7e80782914bae24ecd5af3572b671f8d51e68b2887b702758cd4ae5076b23c6b4990460fe4241a16316306f71722ca52

          Download Submit
        • memory/816-172-0x000001ED747B0000-0x000001ED747B2000-memory.dmp
          Filesize

          8KB

          Download
        • memory/816-164-0x0000000000000000-mapping.dmp
          Download
        • memory/816-168-0x00007FFF30BD0000-0x00007FFF30D63000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/816-173-0x000001ED747B0000-0x000001ED747B2000-memory.dmp
          Filesize

          8KB

          Download
        • memory/816-174-0x000001ED747B0000-0x000001ED747B2000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1020-163-0x000001A894E60000-0x000001A894E62000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1020-153-0x0000000000000000-mapping.dmp
          Download
        • memory/1020-162-0x000001A894E60000-0x000001A894E62000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1020-161-0x000001A894E60000-0x000001A894E62000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1020-157-0x00007FFF30C20000-0x00007FFF30D6E000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/1316-175-0x0000000000000000-mapping.dmp
          Download
        • memory/1316-183-0x000001CC01B50000-0x000001CC01B52000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1316-184-0x000001CC01B50000-0x000001CC01B52000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1316-185-0x000001CC01B50000-0x000001CC01B52000-memory.dmp
          Filesize

          8KB

          Download
        • memory/2880-132-0x0000000140000000-0x000000014014D000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/2880-134-0x0000000140000000-0x000000014014D000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/2880-143-0x0000000140000000-0x000000014014D000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/2880-148-0x0000000000870000-0x0000000000872000-memory.dmp
          Filesize

          8KB

          Download
        • memory/2880-149-0x0000000000870000-0x0000000000872000-memory.dmp
          Filesize

          8KB

          Download
        • memory/2880-150-0x00007FFF3EAD5000-0x00007FFF3EAD6000-memory.dmp
          Filesize

          4KB

          Download
        • memory/2880-151-0x0000000000870000-0x0000000000872000-memory.dmp
          Filesize

          8KB

          Download
        • memory/2880-152-0x00007FFF3EA20000-0x00007FFF3EA30000-memory.dmp
          Filesize

          64KB

          Download
        • memory/2880-141-0x0000000140000000-0x000000014014D000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/2880-139-0x0000000140000000-0x000000014014D000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/2880-140-0x0000000140000000-0x000000014014D000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/2880-138-0x0000000140000000-0x000000014014D000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/2880-137-0x0000000140000000-0x000000014014D000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/2880-136-0x0000000140000000-0x000000014014D000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/2880-135-0x0000000140000000-0x000000014014D000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/2880-142-0x0000000140000000-0x000000014014D000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/2880-131-0x0000000140000000-0x000000014014D000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/2880-133-0x0000000140000000-0x000000014014D000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/2880-122-0x0000000000830000-0x0000000000831000-memory.dmp
          Filesize

          4KB

          Download
        • memory/2880-130-0x0000000140000000-0x000000014014D000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/2880-129-0x0000000140000000-0x000000014014D000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/2880-128-0x0000000140000000-0x000000014014D000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/2880-127-0x0000000140000000-0x000000014014D000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/2880-126-0x0000000140000000-0x000000014014D000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/2880-125-0x0000000140000000-0x000000014014D000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/2880-124-0x0000000140000000-0x000000014014D000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/2880-123-0x0000000140000000-0x000000014014D000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/4204-115-0x00007FFF30C20000-0x00007FFF30D6D000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/4204-121-0x000001452B570000-0x000001452B577000-memory.dmp
          Filesize

          28KB

          Download
        • memory/4204-120-0x000001452B580000-0x000001452B582000-memory.dmp
          Filesize

          8KB

          Download
        • memory/4204-119-0x000001452B580000-0x000001452B582000-memory.dmp
          Filesize

          8KB

          Download