Overview

overview

10

Static

static

a5282ab1f0...5d.dll

windows7_x64

10

a5282ab1f0...5d.dll

windows10_x64

10

Analysis

  • max time kernel
    157s
  • max time network
    128s
  • platform
    windows10_x64
  • resource
    win10-en-20211104
  • submitted
    26-11-2021 09:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a5282ab1f03b543c5876030240e56ada6e64c2d94f0acea8819d133a5d653d5d.dll

  • Size

    1.2MB

  • MD5

    0d2d32a9d4d31d4448df2902ef9590e2

  • SHA1

    eb31c27903cc0d4bb2a9a4a6760bd0e60416a276

  • SHA256

    a5282ab1f03b543c5876030240e56ada6e64c2d94f0acea8819d133a5d653d5d

  • SHA512

    8a02e7fae0a6829180d69ae4600b9d5006174897a2b5cd09462d81ae64ed1a669908cb3a01d57adca7f0a2c9598074ca680fdbb1c048741ca2f27b64945eb4cd

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 3 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 5 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\a5282ab1f03b543c5876030240e56ada6e64c2d94f0acea8819d133a5d653d5d.dll
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    PID:3708
  • C:\Windows\system32\UI0Detect.exe
    C:\Windows\system32\UI0Detect.exe
    1⤵
      PID:2732
    • C:\Users\Admin\AppData\Local\3yE\UI0Detect.exe
      C:\Users\Admin\AppData\Local\3yE\UI0Detect.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      • Suspicious behavior: GetForegroundWindowSpam
      PID:648
    • C:\Windows\system32\recdisc.exe
      C:\Windows\system32\recdisc.exe
      1⤵
        PID:3444
      • C:\Users\Admin\AppData\Local\2fP\recdisc.exe
        C:\Users\Admin\AppData\Local\2fP\recdisc.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        • Suspicious behavior: GetForegroundWindowSpam
        PID:3304
      • C:\Windows\system32\Magnify.exe
        C:\Windows\system32\Magnify.exe
        1⤵
          PID:864
        • C:\Users\Admin\AppData\Local\lpgDzQW\Magnify.exe
          C:\Users\Admin\AppData\Local\lpgDzQW\Magnify.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          • Suspicious behavior: GetForegroundWindowSpam
          PID:2740

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Persistence

        Registry Run Keys / Startup Folder

        1
        T1060

        Privilege Escalation

        Defense Evasion

        Modify Registry

        1
        T1112

        Credential Access

        Discovery

        System Information Discovery

        1
        T1082

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\2fP\ReAgent.dll
          MD5

          2333006e32cd1191d27e49d11d57c057

          SHA1

          0991119b8f69413abca789b6378b572eede97831

          SHA256

          64d3a6bf8908f754849c61ef201a27be9165fa8d510708dc1152b02b6091bdc9

          SHA512

          3e4bdec31da1a12f9d2eb055402fd9cd90a3ace97b7da75bc21c9529279fbf0d2042d107bd2cf71cafdbf55c8351d58bb4b1a4363aaec5d7b98a50d3d20b1723

          Download Submit
        • C:\Users\Admin\AppData\Local\2fP\recdisc.exe
          MD5

          d1028c10d2c261d3470df8ff6347981b

          SHA1

          04a99956e99b8dbed380df60e0812e92685b6ca9

          SHA256

          063e57b52257fda4cfa15c98a84f3461a9fb1c9d39e6ab55eae41a793a4d852b

          SHA512

          80922e37cdfe69d5390f8a5bf8f0aab98407d40549c8972c33c6b9ef15b38962887ef4637c81c248ba7ee649bfe20f318358359140d879f7e2820e135e11a9c3

          Download Submit
        • C:\Users\Admin\AppData\Local\3yE\UI0Detect.exe
          MD5

          5a2f610b31cc3fd23d3e20c1d5f1ef52

          SHA1

          2e01843e8c6de9eb2f716b894dd9992296a1bab5

          SHA256

          d470b7c1cae066c2dcdba47001913fb1a7c9cc5b200fb8324db896b641c1a132

          SHA512

          937995e7ca70e523a965348efd72e6e9e8c7d478d4b9050aa87b1d45dcaff6d580da27f6b53800b5bf94c3a51e248ffd89d9056615f000781d6ac005cf9a302e

          Download Submit
        • C:\Users\Admin\AppData\Local\3yE\WTSAPI32.dll
          MD5

          c931e98c3e97d244879a6c5f1bfae34d

          SHA1

          4f56096b53c191a4287e4b16e42db54c0dcd4cc9

          SHA256

          037e04e226a10acbdcc356a33be9ac0e9aff4c463fc7873101bbd774f7ee80a4

          SHA512

          cd4d16708164cb82413036fc7f10ca920d6dbb8322207dba933aa2f5b624f7d5305ac628686141aa97ddb381992262054918a6b6e5ba3a059d53c92559277950

          Download Submit
        • C:\Users\Admin\AppData\Local\lpgDzQW\Magnify.exe
          MD5

          0c3925b9a284f0dd02571d0d2bca19ee

          SHA1

          a73451bb2ddd09397cb7737d36a75c0cdfdf9d51

          SHA256

          41e91d736995628275261aa1adb14158e0783b36c913ef5fc681da105a4272cc

          SHA512

          db02a3211b1b2cf7b10cd70148404106be6cb4a63c7c0c0526256f983c3ad756c157a67848173208e7c0d88a8f34b73c42d37b24f5cc1f9da66731731a534a72

          Download Submit
        • C:\Users\Admin\AppData\Local\lpgDzQW\dwmapi.dll
          MD5

          656e78df37284f3aca21505d04898b9f

          SHA1

          d7892325133b4ed4a828a4d0cc4dec28bc9cd407

          SHA256

          160125000ea124bd5741ff65ee1cc0263dd34ed25996f1f009182e3e73748c38

          SHA512

          d40e339766553df6c5995e3a24830d7125a25093d6521fb31c7b0a12c4570c08265fd617cb1ef392d6c5a63b5898067b56d2247a252ccef88aa4728be7f05e18

          Download Submit
        • \Users\Admin\AppData\Local\2fP\ReAgent.dll
          MD5

          2333006e32cd1191d27e49d11d57c057

          SHA1

          0991119b8f69413abca789b6378b572eede97831

          SHA256

          64d3a6bf8908f754849c61ef201a27be9165fa8d510708dc1152b02b6091bdc9

          SHA512

          3e4bdec31da1a12f9d2eb055402fd9cd90a3ace97b7da75bc21c9529279fbf0d2042d107bd2cf71cafdbf55c8351d58bb4b1a4363aaec5d7b98a50d3d20b1723

          Download Submit
        • \Users\Admin\AppData\Local\3yE\WTSAPI32.dll
          MD5

          c931e98c3e97d244879a6c5f1bfae34d

          SHA1

          4f56096b53c191a4287e4b16e42db54c0dcd4cc9

          SHA256

          037e04e226a10acbdcc356a33be9ac0e9aff4c463fc7873101bbd774f7ee80a4

          SHA512

          cd4d16708164cb82413036fc7f10ca920d6dbb8322207dba933aa2f5b624f7d5305ac628686141aa97ddb381992262054918a6b6e5ba3a059d53c92559277950

          Download Submit
        • \Users\Admin\AppData\Local\lpgDzQW\dwmapi.dll
          MD5

          656e78df37284f3aca21505d04898b9f

          SHA1

          d7892325133b4ed4a828a4d0cc4dec28bc9cd407

          SHA256

          160125000ea124bd5741ff65ee1cc0263dd34ed25996f1f009182e3e73748c38

          SHA512

          d40e339766553df6c5995e3a24830d7125a25093d6521fb31c7b0a12c4570c08265fd617cb1ef392d6c5a63b5898067b56d2247a252ccef88aa4728be7f05e18

          Download Submit
        • memory/648-154-0x0000000000000000-mapping.dmp
          Download
        • memory/648-163-0x000001CEE52E0000-0x000001CEE52E2000-memory.dmp
          Filesize

          8KB

          Download
        • memory/648-162-0x000001CEE52E0000-0x000001CEE52E2000-memory.dmp
          Filesize

          8KB

          Download
        • memory/648-161-0x000001CEE52E0000-0x000001CEE52E2000-memory.dmp
          Filesize

          8KB

          Download
        • memory/648-158-0x0000000140000000-0x0000000140130000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/2740-174-0x0000000000000000-mapping.dmp
          Download
        • memory/2740-181-0x000001E697CC0000-0x000001E697CC2000-memory.dmp
          Filesize

          8KB

          Download
        • memory/2740-182-0x000001E697CC0000-0x000001E697CC2000-memory.dmp
          Filesize

          8KB

          Download
        • memory/2740-183-0x000001E697CC0000-0x000001E697CC2000-memory.dmp
          Filesize

          8KB

          Download
        • memory/3064-132-0x0000000140000000-0x000000014012F000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/3064-136-0x0000000140000000-0x000000014012F000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/3064-140-0x0000000140000000-0x000000014012F000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/3064-141-0x0000000140000000-0x000000014012F000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/3064-142-0x0000000140000000-0x000000014012F000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/3064-143-0x0000000140000000-0x000000014012F000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/3064-149-0x0000000000F00000-0x0000000000F02000-memory.dmp
          Filesize

          8KB

          Download
        • memory/3064-150-0x0000000000F00000-0x0000000000F02000-memory.dmp
          Filesize

          8KB

          Download
        • memory/3064-151-0x00007FF9C5065000-0x00007FF9C5066000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3064-152-0x0000000000F00000-0x0000000000F02000-memory.dmp
          Filesize

          8KB

          Download
        • memory/3064-153-0x00007FF9C4FB0000-0x00007FF9C4FC0000-memory.dmp
          Filesize

          64KB

          Download
        • memory/3064-138-0x0000000140000000-0x000000014012F000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/3064-137-0x0000000140000000-0x000000014012F000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/3064-139-0x0000000140000000-0x000000014012F000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/3064-135-0x0000000140000000-0x000000014012F000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/3064-134-0x0000000140000000-0x000000014012F000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/3064-133-0x0000000140000000-0x000000014012F000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/3064-124-0x0000000000F20000-0x0000000000F21000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3064-130-0x0000000140000000-0x000000014012F000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/3064-131-0x0000000140000000-0x000000014012F000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/3064-125-0x0000000140000000-0x000000014012F000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/3064-129-0x0000000140000000-0x000000014012F000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/3064-128-0x0000000140000000-0x000000014012F000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/3064-126-0x0000000140000000-0x000000014012F000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/3064-127-0x0000000140000000-0x000000014012F000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/3304-173-0x00000208E4300000-0x00000208E4302000-memory.dmp
          Filesize

          8KB

          Download
        • memory/3304-172-0x00000208E4300000-0x00000208E4302000-memory.dmp
          Filesize

          8KB

          Download
        • memory/3304-171-0x00000208E4300000-0x00000208E4302000-memory.dmp
          Filesize

          8KB

          Download
        • memory/3304-164-0x0000000000000000-mapping.dmp
          Download
        • memory/3708-118-0x0000000140000000-0x000000014012F000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/3708-123-0x0000000000650000-0x0000000000657000-memory.dmp
          Filesize

          28KB

          Download
        • memory/3708-122-0x0000000000670000-0x0000000000672000-memory.dmp
          Filesize

          8KB

          Download
        • memory/3708-121-0x0000000000670000-0x0000000000672000-memory.dmp
          Filesize

          8KB

          Download