Overview

overview

10

Static

static

899cac1d02...fb.dll

windows7_x64

10

899cac1d02...fb.dll

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    125s
  • platform
    windows10_x64
  • resource
    win10-en-20211014
  • submitted
    26-11-2021 09:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    899cac1d02beb489b43a5aad1ef87609f3783d891def8f5fd122d848c71da5fb.dll

  • Size

    1.3MB

  • MD5

    cd87697a9e2bdfac82d9b7154c3105ce

  • SHA1

    963e78487647a3b7199211154b8fe7f6babe6bbb

  • SHA256

    899cac1d02beb489b43a5aad1ef87609f3783d891def8f5fd122d848c71da5fb

  • SHA512

    ab1617bd35d7f07eb819ae467284985ea241d9e0c019970e5a5f0cd42a8b3eadb0ac3ea16d35a056620784c65f9b9b20410b39aa23c3119b6ddad2cfbe5400db

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\899cac1d02beb489b43a5aad1ef87609f3783d891def8f5fd122d848c71da5fb.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2700
  • C:\Windows\system32\osk.exe
    C:\Windows\system32\osk.exe
    1⤵
      PID:588
    • C:\Users\Admin\AppData\Local\aCPlmDujq\osk.exe
      C:\Users\Admin\AppData\Local\aCPlmDujq\osk.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      • Suspicious behavior: EnumeratesProcesses
      PID:2276
    • C:\Windows\system32\ComputerDefaults.exe
      C:\Windows\system32\ComputerDefaults.exe
      1⤵
        PID:3260
      • C:\Users\Admin\AppData\Local\iC8aDOS\ComputerDefaults.exe
        C:\Users\Admin\AppData\Local\iC8aDOS\ComputerDefaults.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:516
      • C:\Windows\system32\recdisc.exe
        C:\Windows\system32\recdisc.exe
        1⤵
          PID:1032
        • C:\Users\Admin\AppData\Local\uBBYj7ihL\recdisc.exe
          C:\Users\Admin\AppData\Local\uBBYj7ihL\recdisc.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:696

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Persistence

        Registry Run Keys / Startup Folder

        1
        T1060

        Privilege Escalation

        Defense Evasion

        Modify Registry

        1
        T1112

        Credential Access

        Discovery

        System Information Discovery

        1
        T1082

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\aCPlmDujq\DUI70.dll
          MD5

          c12ea6d49940d51ddd04ddbeca84e83f

          SHA1

          a747d144eda80d7e817e8cf7cf5d0e2e29b9bba8

          SHA256

          e137e95c010bebd7a27f9d0e566b4df9a440f8e21520dbdebd5b0ac9c570e253

          SHA512

          25b8faf92910db077f460c2900c01065ab02d14ea5302ba1582083ca00aced7206e8bc04fd911c074dee2924cdd520eb01b22cf8fbc03f40066e2a8bfe29b393

          Download Submit
        • C:\Users\Admin\AppData\Local\aCPlmDujq\osk.exe
          MD5

          4a614350289f2f92c6d7c5caccc09eff

          SHA1

          55e6807f31f66120e4798e37a8fb26e583ce1c81

          SHA256

          f259aa7bfb7f18f981d0a08888942f5027766cdcf4d4d60d2540d5eda048fd68

          SHA512

          ddf8fdc5b186ab9a15fa15310356d48cfbe1948fda0f0e624b1a429be11f406e5e3ce1924f48bbb9a9d14ede34a20c55c3e88f1f640e9d7d21f39bfad3c21dfc

          Download Submit
        • C:\Users\Admin\AppData\Local\iC8aDOS\ComputerDefaults.exe
          MD5

          56d03e4218082266a9cdd8600537d891

          SHA1

          c153719f971dcee8f6985d7c79f64fc88dd8663c

          SHA256

          210d5714497505022aa068167f7ed5bb826abcf53cfe741c9860a2c8dce3f54a

          SHA512

          f2c64a4dbab789635bf97b3d615fcc96dfe8c4094b67a464eb34bc84501eb7648e7fa692971e917c1ebfac0548187721ecc552aaad35767f8a40846d922613d3

          Download Submit
        • C:\Users\Admin\AppData\Local\iC8aDOS\appwiz.cpl
          MD5

          d7a03e7e49670fd138157c089cc871c2

          SHA1

          3b5515538ed900550e160ded4c1e80dbc1527d79

          SHA256

          c47c0f5f1d167c0655a05a7b8a2c9d93ff81e177dc2d03cdda7a483f60cf44af

          SHA512

          e302a0d6cb31b272cd7b18ef0e7ca167a270cc1449a6056490b12c6a05ddf8e1fb5fbcd28853fb6fa30b91d51cb4ea5ba7abe8dfb98a890fae8ff5f1a0845ff3

          Download Submit
        • C:\Users\Admin\AppData\Local\uBBYj7ihL\ReAgent.dll
          MD5

          7a8614608bbb17ef1e75a4bc73e7a37d

          SHA1

          bea99990d113812d6034b3ab2c2cd6c536b75ddc

          SHA256

          526445a9fafcca40460fd00989ae8b9b76c79c8d33ade9d0e176b31f699bd3eb

          SHA512

          f8e236744ab5fc28b01194037e996b0a3fdbf43b07e51370d05de131af4f2dd6c4b92fc319e4b0718112b8e00bccf7d6e2f5a160c82858cd70ffd81d6b25037a

          Download Submit
        • C:\Users\Admin\AppData\Local\uBBYj7ihL\recdisc.exe
          MD5

          d1028c10d2c261d3470df8ff6347981b

          SHA1

          04a99956e99b8dbed380df60e0812e92685b6ca9

          SHA256

          063e57b52257fda4cfa15c98a84f3461a9fb1c9d39e6ab55eae41a793a4d852b

          SHA512

          80922e37cdfe69d5390f8a5bf8f0aab98407d40549c8972c33c6b9ef15b38962887ef4637c81c248ba7ee649bfe20f318358359140d879f7e2820e135e11a9c3

          Download Submit
        • \Users\Admin\AppData\Local\aCPlmDujq\DUI70.dll
          MD5

          c12ea6d49940d51ddd04ddbeca84e83f

          SHA1

          a747d144eda80d7e817e8cf7cf5d0e2e29b9bba8

          SHA256

          e137e95c010bebd7a27f9d0e566b4df9a440f8e21520dbdebd5b0ac9c570e253

          SHA512

          25b8faf92910db077f460c2900c01065ab02d14ea5302ba1582083ca00aced7206e8bc04fd911c074dee2924cdd520eb01b22cf8fbc03f40066e2a8bfe29b393

          Download Submit
        • \Users\Admin\AppData\Local\iC8aDOS\appwiz.cpl
          MD5

          d7a03e7e49670fd138157c089cc871c2

          SHA1

          3b5515538ed900550e160ded4c1e80dbc1527d79

          SHA256

          c47c0f5f1d167c0655a05a7b8a2c9d93ff81e177dc2d03cdda7a483f60cf44af

          SHA512

          e302a0d6cb31b272cd7b18ef0e7ca167a270cc1449a6056490b12c6a05ddf8e1fb5fbcd28853fb6fa30b91d51cb4ea5ba7abe8dfb98a890fae8ff5f1a0845ff3

          Download Submit
        • \Users\Admin\AppData\Local\uBBYj7ihL\ReAgent.dll
          MD5

          7a8614608bbb17ef1e75a4bc73e7a37d

          SHA1

          bea99990d113812d6034b3ab2c2cd6c536b75ddc

          SHA256

          526445a9fafcca40460fd00989ae8b9b76c79c8d33ade9d0e176b31f699bd3eb

          SHA512

          f8e236744ab5fc28b01194037e996b0a3fdbf43b07e51370d05de131af4f2dd6c4b92fc319e4b0718112b8e00bccf7d6e2f5a160c82858cd70ffd81d6b25037a

          Download Submit
        • memory/516-160-0x0000000000000000-mapping.dmp
          Download
        • memory/516-168-0x000001E81D920000-0x000001E81D922000-memory.dmp
          Filesize

          8KB

          Download
        • memory/516-170-0x000001E81D920000-0x000001E81D922000-memory.dmp
          Filesize

          8KB

          Download
        • memory/516-164-0x00007FFDC40F0000-0x00007FFDC4239000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/516-169-0x000001E81D920000-0x000001E81D922000-memory.dmp
          Filesize

          8KB

          Download
        • memory/696-179-0x0000024CA6290000-0x0000024CA6292000-memory.dmp
          Filesize

          8KB

          Download
        • memory/696-171-0x0000000000000000-mapping.dmp
          Download
        • memory/696-180-0x0000024CA6290000-0x0000024CA6292000-memory.dmp
          Filesize

          8KB

          Download
        • memory/696-181-0x0000024CA6290000-0x0000024CA6292000-memory.dmp
          Filesize

          8KB

          Download
        • memory/2276-149-0x0000000000000000-mapping.dmp
          Download
        • memory/2276-159-0x000001ED670F0000-0x000001ED670F2000-memory.dmp
          Filesize

          8KB

          Download
        • memory/2276-158-0x000001ED670F0000-0x000001ED670F2000-memory.dmp
          Filesize

          8KB

          Download
        • memory/2276-157-0x000001ED670F0000-0x000001ED670F2000-memory.dmp
          Filesize

          8KB

          Download
        • memory/2276-153-0x00007FFDC40B0000-0x00007FFDC423E000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/2700-115-0x00007FFDC40F0000-0x00007FFDC4238000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/2700-121-0x000001A9562F0000-0x000001A9562F7000-memory.dmp
          Filesize

          28KB

          Download
        • memory/2700-120-0x000001A956300000-0x000001A956302000-memory.dmp
          Filesize

          8KB

          Download
        • memory/2700-119-0x000001A956300000-0x000001A956302000-memory.dmp
          Filesize

          8KB

          Download
        • memory/3020-130-0x0000000140000000-0x0000000140148000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/3020-148-0x00007FFDD2430000-0x00007FFDD2432000-memory.dmp
          Filesize

          8KB

          Download
        • memory/3020-147-0x0000000000820000-0x0000000000822000-memory.dmp
          Filesize

          8KB

          Download
        • memory/3020-146-0x00007FFDD22F5000-0x00007FFDD22F6000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3020-145-0x0000000000820000-0x0000000000822000-memory.dmp
          Filesize

          8KB

          Download
        • memory/3020-144-0x0000000000820000-0x0000000000822000-memory.dmp
          Filesize

          8KB

          Download
        • memory/3020-139-0x0000000140000000-0x0000000140148000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/3020-138-0x0000000140000000-0x0000000140148000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/3020-137-0x0000000140000000-0x0000000140148000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/3020-136-0x0000000140000000-0x0000000140148000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/3020-135-0x0000000140000000-0x0000000140148000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/3020-134-0x0000000140000000-0x0000000140148000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/3020-133-0x0000000140000000-0x0000000140148000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/3020-132-0x0000000140000000-0x0000000140148000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/3020-131-0x0000000140000000-0x0000000140148000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/3020-129-0x0000000140000000-0x0000000140148000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/3020-128-0x0000000140000000-0x0000000140148000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/3020-127-0x0000000140000000-0x0000000140148000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/3020-126-0x0000000140000000-0x0000000140148000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/3020-125-0x0000000140000000-0x0000000140148000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/3020-124-0x0000000140000000-0x0000000140148000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/3020-123-0x0000000140000000-0x0000000140148000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/3020-122-0x00000000005E0000-0x00000000005E1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3020-182-0x0000000000820000-0x0000000000822000-memory.dmp
          Filesize

          8KB

          Download